Exam SOA-C03 Topic 1 Question 83 Discussion
Actual exam question for Amazon's SOA-C03 exam
Question #: 83
Topic #: 1
Question #: 83
Topic #: 1
Application A runs on Amazon EC2 instances behind a Network Load Balancer (NLB). The EC2 instances are in an Auto Scaling group and are in the same subnet that is associated with the NLB. Other applications from an on-premises environment cannot communicate with Application A on port 8080.
To troubleshoot the issue, a CloudOps engineer analyzes the flow logs. The flow logs include the following records:
ACCEPT from 192.168.0.13:59003 → 172.31.16.139:8080
REJECT from 172.31.16.139:8080 → 192.168.0.13:59003
What is the reason for the rejected traffic?
To troubleshoot the issue, a CloudOps engineer analyzes the flow logs. The flow logs include the following records:
ACCEPT from 192.168.0.13:59003 → 172.31.16.139:8080
REJECT from 172.31.16.139:8080 → 192.168.0.13:59003
What is the reason for the rejected traffic?
Suggested Answer: D Vote an answer
Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Doocuments:
VPC Flow Logs show the request arriving and being ACCEPTed on dstport 8080 and the corresponding response being REJECTed on the return path to the client's ephemeral port (59003). AWS networking guidance states that security groups are stateful (return traffic is automatically allowed) while network ACLs are stateless and require explicit inbound and outbound rules for both directions. CloudOps operational guidance for VPC networking further notes that when you allow an inbound request (for example, TCP 8080) through a subnet's network ACL, you must also allow the outbound ephemeral port range (typically 1024-65535) for the response traffic; otherwise, the return packets are dropped and appear as REJECT in flow logs. The observed pattern-request accepted to 8080, response rejected to 59003-matches a missing outbound ephemeral-range allow on the subnet's NACL. Therefore, the cause is the subnet NACL, not security groups or on-premises ACLs. The remediation is to add an outbound ALLOW rule on the NACL for the appropriate ephemeral TCP port range back to the on-premises CIDR (and the corresponding inbound rule if asymmetric).
References (AWS CloudOps documents / Study Guide):
* AWS Certified CloudOps Engineer - Associate (SOA-C03) Exam Guide - Networking and Content Delivery
* Amazon VPC - Network ACLs (stateless behavior and rule requirements)
* Amazon VPC - Security Groups (stateful return traffic)
* VPC Flow Logs - Record fields, ACCEPT/REJECT analysis
VPC Flow Logs show the request arriving and being ACCEPTed on dstport 8080 and the corresponding response being REJECTed on the return path to the client's ephemeral port (59003). AWS networking guidance states that security groups are stateful (return traffic is automatically allowed) while network ACLs are stateless and require explicit inbound and outbound rules for both directions. CloudOps operational guidance for VPC networking further notes that when you allow an inbound request (for example, TCP 8080) through a subnet's network ACL, you must also allow the outbound ephemeral port range (typically 1024-65535) for the response traffic; otherwise, the return packets are dropped and appear as REJECT in flow logs. The observed pattern-request accepted to 8080, response rejected to 59003-matches a missing outbound ephemeral-range allow on the subnet's NACL. Therefore, the cause is the subnet NACL, not security groups or on-premises ACLs. The remediation is to add an outbound ALLOW rule on the NACL for the appropriate ephemeral TCP port range back to the on-premises CIDR (and the corresponding inbound rule if asymmetric).
References (AWS CloudOps documents / Study Guide):
* AWS Certified CloudOps Engineer - Associate (SOA-C03) Exam Guide - Networking and Content Delivery
* Amazon VPC - Network ACLs (stateless behavior and rule requirements)
* Amazon VPC - Security Groups (stateful return traffic)
* VPC Flow Logs - Record fields, ACCEPT/REJECT analysis
by Hubery at Apr 23, 2026, 09:36 AM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).