Question 14
Domain 3: Infrastructure Security
Two Amazon EC2 instances in different subnets should be able to connect to each other but cannot. It has been confirmed that other hosts in the same subnets are able to communicate successfully, and that security groups have valid ALLOW rules in place to permit this traffic. Which of the following troubleshooting steps should be performed?
Correct answer: B
Explanation
Network ACLs are stateless, so a flow must be allowed in both directions on both subnets: the request must pass the outbound NACL of the sender's subnet and the inbound NACL of the receiver's subnet, and the reply (returning on an ephemeral port) must pass the two NACLs the other way. A "DENY" entry in any of those four places blocks EC2-to-EC2 communication even when the security groups allow it. NACL entries match on CIDR ranges and are applied in ascending rule-number order with the first match winning, so a low-numbered DENY scoped to a single address (a /32) can block exactly one instance while every other host in the subnet keeps working. That is consistent with the symptom here, which makes a review of the NACL rules the right troubleshooting step.
Why each option is right or wrong
A. Check inbound and outbound security groups, looking for `DENY` rules.
Security groups are stateful and contain only allow rules; traffic that matches no rule is dropped implicitly, so there are no explicit DENY rules to find. The question also states that the required ALLOW rules are already in place.
B. Check inbound and outbound Network ACL rules, looking for `DENY` rules.
Amazon VPC Network ACLs are evaluated at the subnet boundary and are stateless, so both the inbound and outbound rules on both subnets must permit the flow, including the return traffic on ephemeral ports; a single explicit `DENY` on any of those legs will block the connection even when the security groups are already allowing it. Because the instances are in different subnets and other hosts in those subnets can communicate, the relevant check is the subnet-level NACL entries: walk them in rule-number order, since the first matching entry wins and a lower-numbered `DENY` (for example one scoped to a single host's /32) overrides a higher-numbered `ALLOW` that would otherwise match.
C. Review the rejected packet reason codes in the VPC Flow Logs.
VPC Flow Logs record each flow as ACCEPT or REJECT, which confirms the symptom, but a rejected entry does not in general tell you which control rejected it or which rule was responsible. Reviewing the NACL rules directly is the step that identifies and fixes the cause.
D. Use AWS X-Ray to trace the end-to-end application flow.
AWS X-Ray traces application requests through instrumented services; it has no visibility into subnet-level packet filtering and would at most show the connection failing, not which NACL rule caused it.
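To make the reasoning behind option B concrete, here is an added worked example (not part of the original question or of any AWS tooling) that walks a TCP flow through the four NACL evaluations a cross-subnet connection needs, in ascending rule-number order with first-match semantics and an implicit default deny. The NACL entries, addresses, ports and rule numbers are constructed sample data shaped like the `Entries` list returned by `describe-network-acls`; a narrow `deny` at rule 50 in subnet B's inbound rules blocks one instance while its neighbour passes, and a variant with no outbound ephemeral-port allow shows the stateless reply leg failing.

```python
"""Simulate Amazon VPC network ACL evaluation for a cross-subnet TCP flow.

Added example, not code from the original page or from AWS. It models the
documented NACL semantics: entries are checked in ascending rule-number order,
the first matching entry decides, and anything unmatched hits the default deny
('*'). Because NACLs are stateless, the request and the reply each cross two
NACLs, so four evaluations happen per connection. All data below is
constructed sample input; the addresses and rule numbers are hypothetical.
"""
import ipaddress

# Subnet A (10.0.1.0/24): broad outbound allow, inbound allow only for the
# ephemeral return ports from the VPC and for SSH.
SUBNET_A_NACL = [
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "10.0.0.0/16", "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
]

# Subnet B (10.0.2.0/24): the culprit is rule 50, a /32 deny evaluated before
# the broad allow at rule 100. Only the one host it names is affected.
SUBNET_B_NACL = [
    {"RuleNumber": 50, "Protocol": "6", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "10.0.1.10/32", "PortRange": {"From": 0, "To": 65535}},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "10.0.0.0/16", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "10.0.0.0/16", "PortRange": {"From": 1024, "To": 65535}},
]

# Same NACL with the outbound ephemeral-port allow removed: requests still get
# in, but the stateless reply leg has nothing to match and falls to '*'.
SUBNET_B_NO_EPHEMERAL = [e for e in SUBNET_B_NACL if not e["Egress"]]


def entry_matches(entry, remote_addr, dst_port, proto):
    """True if a NACL entry applies to the packet. Inbound entries match on the
    source CIDR, outbound entries on the destination CIDR; in both cases the
    CIDR is the remote side, and the port range is the packet's destination
    port. Protocol '-1' (all traffic) carries no port range."""
    if entry["Protocol"] not in ("-1", proto):
        return False
    if ipaddress.ip_address(remote_addr) not in ipaddress.ip_network(entry["CidrBlock"]):
        return False
    port_range = entry.get("PortRange")
    if entry["Protocol"] != "-1" and port_range is not None:
        return port_range["From"] <= dst_port <= port_range["To"]
    return True


def evaluate(entries, egress, remote_addr, dst_port, proto="6"):
    """Return (action, rule_number) from the first matching entry for one
    direction of one NACL; no match means the default '*' deny."""
    candidates = sorted((e for e in entries if e["Egress"] == egress),
                        key=lambda e: e["RuleNumber"])
    for entry in candidates:
        if entry_matches(entry, remote_addr, dst_port, proto):
            return entry["RuleAction"], entry["RuleNumber"]
    return "deny", "*"


def trace_flow(src_nacl, dst_nacl, src_addr, src_port, dst_addr, dst_port, proto="6"):
    """Walk the four stateless NACL checks for src -> dst and its reply.
    Stops at the first deny and reports which leg and rule blocked it."""
    legs = [
        ("subnet A outbound (request)", src_nacl, True, dst_addr, dst_port),
        ("subnet B inbound (request)", dst_nacl, False, src_addr, dst_port),
        ("subnet B outbound (reply)", dst_nacl, True, src_addr, src_port),
        ("subnet A inbound (reply)", src_nacl, False, dst_addr, src_port),
    ]
    result = {"allowed": True, "blocked_at": None, "rule": None, "legs": []}
    for name, entries, egress, remote, port in legs:
        action, rule = evaluate(entries, egress, remote, port, proto)
        result["legs"].append((name, action, rule))
        if action == "deny":
            result.update(allowed=False, blocked_at=name, rule=rule)
            break
    return result


if __name__ == "__main__":
    # The failing pair: 10.0.1.10 -> 10.0.2.25:443 is denied by rule 50.
    print(trace_flow(SUBNET_A_NACL, SUBNET_B_NACL, "10.0.1.10", 50000, "10.0.2.25", 443))
    # A neighbour in the same subnet passes all four legs.
    print(trace_flow(SUBNET_A_NACL, SUBNET_B_NACL, "10.0.1.11", 50001, "10.0.2.25", 443))
    # Missing ephemeral-port allow: the request is accepted, the reply is not.
    print(trace_flow(SUBNET_A_NACL, SUBNET_B_NO_EPHEMERAL, "10.0.1.11", 50001, "10.0.2.25", 443))
```

Running it with the two flows shows why "other hosts in the subnet can talk" does not exonerate the NACL: the /32 deny is invisible to every host except the one it names. The third call is the other classic stateless mistake, where inbound rules look fine but the reply on port 50001 has no outbound allow to match and falls through to the default deny; a Flow Log would show that as a REJECT on the B side without saying which of the two cases it is.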