Free AWS SOA-C03 Actual Exam Questions - Question 4 Discussion

Question No. 4
Application A runs on Amazon EC2 instances behind a Network Load Balancer (NLB). The EC2
instances are in an Auto Scaling group and are in the same subnet that is associated with the NLB.
Other applications from an on-premises environment cannot communicate with Application A on
port 8080.
To troubleshoot the issue, a CloudOps engineer analyzes the flow logs. The flow logs include the
following records:
ACCEPT from 192.168.0.13:59003 → 172.31.16.139:8080
REJECT from 172.31.16.139:8080 → 192.168.0.13:59003
What is the reason for the rejected traffic?
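The record pair in the question (request ACCEPTed on 8080, reply REJECTed toward the client's ephemeral port) is the signature of a stateless filter evaluating the reply on its own. As an added example that is not part of the original page, the Python below pairs VPC Flow Log records to flag that signature, then replays the same two flows through a stateful security-group model and a stateless network-ACL model, first with a hypothetical rule set that has no outbound rule for the ephemeral range 1024-65535 and then with that rule added. The log lines, account and ENI identifiers, rule numbers and rule sets are all constructed for the example.

```python
"""Spot the 'request ACCEPTed, reply REJECTed' flow-log pattern and replay
it through a stateful (security group) and a stateless (network ACL) model.

Added example, not code from the original page. Log lines are constructed
in the default VPC Flow Log format (version 2); account/ENI IDs and the
NACL/security-group rule sets are hypothetical.
"""
from dataclasses import dataclass

# Constructed sample records, default format (version 2):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.168.0.13 172.31.16.139 59003 8080 6 5 300 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 172.31.16.139 192.168.0.13 8080 59003 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.168.0.13 172.31.16.139 59010 8080 6 5 300 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 172.31.16.139 192.168.0.13 8080 59010 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 172.31.16.139 172.31.0.2 55120 443 6 9 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 172.31.0.2 172.31.16.139 443 55120 6 8 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
"""

INSTANCE_IP = "172.31.16.139"
EPHEMERAL = (1024, 65535)   # range a NACL must allow outbound for replies to clients


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    action: str


def parse_flow_log(text):
    """Parse default-format records; skip NODATA/SKIPDATA and malformed rows."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[12] not in ("ACCEPT", "REJECT"):
            continue
        flows.append(Flow(f[3], f[4], int(f[5]), int(f[6]), int(f[7]), f[12]))
    return flows


def find_blocked_return_traffic(flows):
    """REJECTed flows whose reversed 5-tuple was ACCEPTed, i.e. replies dropped
    after the request got through. A stateful filter never produces this; a
    stateless NACL does when its outbound rules omit the ephemeral range."""
    accepted = {(f.src, f.dst, f.sport, f.dport, f.proto)
                for f in flows if f.action == "ACCEPT"}
    return [f for f in flows
            if f.action == "REJECT"
            and (f.dst, f.src, f.dport, f.sport, f.proto) in accepted]


class StatefulSecurityGroup:
    """Inbound allow-list plus connection tracking; outbound left at the
    default allow-all. A reply to an accepted request is always accepted."""

    def __init__(self, inbound_ports, instance_ip):
        self.inbound_ports, self.instance_ip = set(inbound_ports), instance_ip
        self.tracked = set()

    def evaluate(self, flow):
        reverse = (flow.dst, flow.src, flow.dport, flow.sport, flow.proto)
        if reverse in self.tracked:
            return "ACCEPT"                     # reply to a tracked connection
        if flow.src == self.instance_ip or flow.dport in self.inbound_ports:
            self.tracked.add((flow.src, flow.dst, flow.sport, flow.dport, flow.proto))
            return "ACCEPT"
        return "REJECT"


# Hypothetical NACL rules: (rule number, protocol, from port, to port, verdict).
# Evaluated in ascending number order, first match wins, implicit '*' denies.
# The port range is matched against the packet's destination port.
NACL_INBOUND = [(100, 6, 8080, 8080, "allow")]
NACL_OUTBOUND_BROKEN = [(100, 6, 443, 443, "allow")]          # no ephemeral range
NACL_OUTBOUND_FIXED = NACL_OUTBOUND_BROKEN + [(110, 6, EPHEMERAL[0], EPHEMERAL[1], "allow")]


class StatelessNetworkAcl:
    """Each packet is judged on its own against the rules for its direction;
    nothing is remembered about the request that the reply belongs to."""

    def __init__(self, inbound, outbound, instance_ip):
        self.inbound, self.outbound, self.instance_ip = inbound, outbound, instance_ip

    @staticmethod
    def _match(rules, proto, dport):
        for _num, rproto, lo, hi, verdict in sorted(rules):
            if rproto in (-1, proto) and lo <= dport <= hi:
                return "ACCEPT" if verdict == "allow" else "REJECT"
        return "REJECT"                         # implicit '*' deny rule

    def evaluate(self, flow):
        rules = self.inbound if flow.dst == self.instance_ip else self.outbound
        return self._match(rules, flow.proto, flow.dport)


def replay(filter_, flows):
    """Decisions the filter makes for the flows, in order."""
    return [filter_.evaluate(f) for f in flows]


if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_FLOW_LOG)
    for f in find_blocked_return_traffic(flows):
        print(f"reply {f.src}:{f.sport} -> {f.dst}:{f.dport} rejected; "
              f"dport {f.dport} is in the ephemeral range")
    pair = flows[:2]                            # the two records from the question
    print("security group:", replay(StatefulSecurityGroup([8080], INSTANCE_IP), pair))
    print("broken NACL   :", replay(StatelessNetworkAcl(NACL_INBOUND, NACL_OUTBOUND_BROKEN, INSTANCE_IP), pair))
    print("fixed NACL    :", replay(StatelessNetworkAcl(NACL_INBOUND, NACL_OUTBOUND_FIXED, INSTANCE_IP), pair))
```

Run it as-is: the security-group model accepts both records, the NACL without an outbound ephemeral rule reproduces the ACCEPT/REJECT pair from the question, and adding the 1024-65535 outbound rule clears it. The pairing function is the part worth keeping: run it over a real flow-log export and any hit is a reply being dropped by something that does not track connection state.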
Ravi W.
2026-02-20

A imo, the ACCEPT on the incoming traffic means the initial packets are allowed through, so the security group must at least allow inbound on 8080. The REJECT on the return port usually points to something blocking outbound ephemeral ports, which sounds like a subnet NACL issue. If the NLB’s security group were the problem, the initial connection wouldn’t be accepted at all. So D makes more sense because NACLs are stateless and often cause issues with return traffic if ephemeral ports aren’t open.

0
Yasir D.
2026-02-18

The rejects on the return traffic hint it's not the security groups blocking but the subnet NACL. NACLs are stateless, so if ephemeral ports aren’t allowed outbound, the response gets dropped—so D fits best here.

0
Yasir D.
2026-02-18

Option A could also explain this. If the EC2 security group isn’t allowing inbound traffic on port 8080 from the NLB, the initial request might get accepted by the network but never reach the instance properly, causing return traffic to be rejected. Since security groups are stateful, missing an inbound allow rule for the NLB could block proper communication even if outbound rules are open. That might be overlooked since the flow logs show accept inbound but reject outbound on response, which could stem from a misconfigured security group on the EC2 side.

0
Zain C.
2026-02-18

Probably D. The rejected return traffic on ephemeral ports usually means the subnet NACL is blocking outbound traffic, since security groups normally allow response traffic automatically.

0
Zain C.
2026-02-18

It’s D because security groups usually allow return traffic automatically, so the rejected response on ephemeral ports points to subnet NACL blocking outbound ephemeral traffic.

0
Zain C.
2026-02-17

D imo, since security groups typically allow return traffic, the rejected reply on ephemeral ports hints at the subnet NACL blocking outbound ephemeral traffic.

0
Amit V.
2026-02-16

D, because return traffic on ephemeral ports is often blocked by subnet NACLs.

0
Tom G.
2026-02-15

Maybe D as well. The flow logs show the initial request is accepted, but the return traffic is rejected, which points to something blocking the response back. Security groups usually allow return traffic by default, so it’s probably not A or B. Also, the on-prem ACL blocking seems less likely since the request made it through in the first place, so C feels off. A network ACL blocking outbound ephemeral ports fits best with the rejected return traffic seen here.

0
Marco R.
2026-02-14

Makes sense to me, I also think it's D. Security groups tend to allow return traffic automatically, so if the outbound traffic to those ephemeral ports is getting rejected, the network ACL is the likely culprit here. The NACL might be missing rules allowing outbound traffic on ephemeral ports, causing the reject on the return path.

0
Irfan C.
2026-02-12

Probably D, the outbound traffic to ephemeral ports is getting blocked by the subnet’s NACL.

0
Ryan I.
2026-02-12

D. The rejected traffic on the return path to the ephemeral port is a classic sign of a network ACL blocking outbound ephemeral ports. Security groups usually allow return traffic automatically, so it’s unlikely to be a SG issue. Also, NLBs don’t have security groups, so B doesn’t fit. The flows show inbound ACCEPT but outbound REJECT, which aligns perfectly with a NACL denying outbound ephemeral ports.

0
Ryan I.
2026-02-11

D imo, the reject on the return traffic to the ephemeral port strongly points to the network ACL blocking outbound traffic, since SGs would usually allow established connections back through.

0
Ryan I.
2026-02-11

It’s D, NACLs commonly cause outbound ephemeral port blocks like this.

0
Ryan I.
2026-02-11

D, the reject on outbound ephemeral port hints at NACL blocking return traffic.

0
Ryan I.
2026-02-10

NLBs don’t have security groups, so B is unlikely. The rejection on the return path suggests something blocking outbound from the instance side, maybe a network ACL. Could the NACL be missing an outbound rule for ephemeral ports?

0
Ryan I.
2026-02-10

It’s A, since the instances might block inbound from NLB if SG rules are missing.

0
Ryan I.
2026-02-05

It’s D. The inbound connection gets through, but the return traffic is rejected, which usually means outbound rules are too restrictive. Since the flow logs show rejection on the ephemeral port range, it points to the subnet’s network ACL blocking those outbound ephemeral ports. Security groups wouldn’t cause this kind of asymmetric allow/reject pattern. So, the NACL blocking outbound traffic on ephemeral ports makes the most sense here.

0
Daniel Y.
2026-02-01

Maybe D, since the inbound connection is accepted but the response is rejected—it points to something blocking outbound traffic, which fits subnet NACL rules for ephemeral ports being too restrictive.

0
Naveed Z.
2026-01-31

A/B? Inbound traffic reaches the instance, so NLB’s security group likely isn’t blocking. The rejection on outbound ephemeral port hints more at instance security group or subnet NACL issues.

0
Yasir Y.
2026-01-29

Option D makes sense because the inbound traffic to port 8080 is accepted, but the outbound response on the ephemeral port is rejected. This points to a network ACL issue on the subnet level, where outbound rules might be blocking ephemeral ports needed for responses. Since security groups are stateful and flow logs show accepted inbound, it’s less likely they’re the problem here. The NLB doesn’t have a security group that controls traffic like this either, so D fits best with the logs showing rejected outbound traffic on ephemeral ports.

0