[Solved] You have a subnet with a NACL that allows inbound traffic on port 443 but denies all outbound traffic.... What will happen when the instance tries to respond to an HTTPS request? | AWS

AWS - Security Groups and Network ACLs

You have a subnet with a NACL that allows inbound traffic on port 443 but denies all outbound traffic. A Security Group attached to an instance in this subnet allows inbound and outbound HTTPS traffic on port 443. What will happen when the instance tries to respond to an HTTPS request?

AThe response will be blocked because the NACL denies outbound traffic.

BThe response will be allowed because Security Groups are stateful.

CThe response will be allowed because NACLs override Security Groups.

DThe response will be blocked because Security Groups deny outbound traffic.

Step-by-Step Solution

Solution:

Step 1: Analyze NACL outbound rules
The NACL denies all outbound traffic, so no outbound packets can leave the subnet regardless of Security Group settings.
Step 2: Analyze Security Group statefulness
Security Groups are stateful and allow return traffic, but they cannot override the stateless NACL's explicit deny on outbound traffic.
Final Answer:
The response will be blocked because the NACL denies outbound traffic. -> Option A
Quick Check:
NACL deny outbound blocks response despite Security Group [OK]

Quick Trick: NACL deny rules always block, even if Security Group allows [OK]

Common Mistakes:

Assuming Security Groups override NACLs
Ignoring NACL outbound deny effect
Confusing stateful and stateless behavior

Master "Security Groups and Network ACLs" in AWS

9 interactive learning modes - each teaches the same concept differently

Learn Why Deep Visual Try Challenge Project Recall Time

More AWS Quizzes

What will happen when the instance tries to respond to an HTTPS request?

Step 1: Analyze NACL outbound rules

Step 2: Analyze Security Group statefulness

Final Answer:

Quick Check:

Want More Practice?