
Medium · Predict Output · Q4 of 15
AWS - Security Groups and Network ACLs
Given a subnet with a Network ACL that denies all inbound traffic except HTTP (port 80), what happens if a Security Group attached to an instance in that subnet allows SSH (port 22)?
A. SSH traffic is allowed because Security Group permits it
B. SSH traffic is blocked by the Security Group
C. SSH traffic is allowed only if the route table allows it
D. SSH traffic is blocked by the Network ACL despite Security Group allowing it
Step-by-Step Solution
Solution:
  1. Step 1: Understand Network ACL rules precedence

    Network ACLs filter traffic at the subnet level. This one denies all inbound traffic except HTTP (port 80), so SSH (port 22) is blocked at the subnet boundary before it reaches the instance.
  2. Step 2: Understand Security Group role

    The Security Group allows SSH, but it only sees inbound traffic that has already passed the Network ACL, so it cannot override a subnet-level Network ACL deny rule.
  3. Final Answer:

    SSH traffic is blocked by the Network ACL despite Security Group allowing it -> Option D
  4. Quick Check:

    Subnet-level deny overrides instance-level allow [OK]
Quick Trick: Subnet NACL deny beats Security Group allow [OK]
Common Mistakes:
  • Assuming Security Group overrides NACL
  • Ignoring subnet-level filtering
  • Confusing route tables with security filtering
