Network ACLs and Security Groups

Question 1

To how many NACLs can a subnet be associated?

Answer 1

One

Question 2

Amazon recommends NACL rule #s be created in increments of what?

Answer 2

100

Question 3

To how many VPCs can a NACL be associated

Answer 3

1

Question 4

What are the default rules for a custom NACL?

Answer 4

Inbound: Deny All
Outbound: Deny All

Question 5

What is an ephemeral port?

Answer 5

A short lives port for IP communications.

Question 6

For what purpose do we worry about ephemeral ports?

Answer 6

They are needed for outbound communication in reply to a request, so the range of ports must be allowed in the outbound rules.

Question 7

What outbound port range Allow rule gives you the greatest flexibility for expansion?

Answer 7

1024 - 65536

Question 8

How are NACL rules evaluated?

Answer 8

Numerical order, from lowest to highest. For example, two conflicting rules will be resolved based on which has a lower rule number.

Question 9

How long must you wait for a NACL rule to take effect?

Answer 9

Immediate

Question 10

What type of traffic does the VPCs default NACL allow?

Answer 10

Inbound: Allow All
Outbound: Allow All

Question 11

Does a VPC automatically come with a NACL?

Answer 11

Yes

Question 12

True or False: A NACL is limited to association with one subnet?

Answer 12

False: While one subnet may be associated to one NACL. one NACL may be associated with many subnets.

Question 13

In the following NACL ruleset, will 80 be allowed, or denied?

100: 80 Deny
200: 80 Allow

Answer 13

Denied because the rule number is lower.

Question 14

True or False: NACLs are stateful, meaning AWS will remember the source and destination requests?

Answer 14

False. NACLs are stateless, so inbound and outbound rules must exist for round-trip traffic.

Question 15

To block specific IP addresses, would you use security groups, or a NACL?

Answer 15

NACL