What is the main purpose of a cloud network security group?
Think about how cloud resources are protected from unwanted network access.
Security groups act as virtual firewalls attached to cloud resources (typically a VM's network interface): they apply a set of rules that decides which network traffic may reach the resource and which traffic the resource may send out.
What is the default behavior of a newly created cloud security group regarding inbound traffic?
Consider the principle of least privilege in security.
By default, a newly created security group contains no inbound rules, so all inbound traffic is denied until you add explicit allow rules. Outbound traffic is normally allowed by default, so restricting egress is a separate, deliberate step. (The pre-created default group in AWS is an exception: it allows inbound traffic from other members of the same group.)
If a cloud resource is associated with two security groups, where one allows inbound HTTP (port 80) from any IP and the other has no inbound rules at all (so on its own it would deny all inbound traffic), what will be the effective inbound HTTP access?
Remember how security groups handle allow and deny rules.
Security groups carry only allow rules plus an implicit deny for everything else; there is no explicit deny rule that one group can use to block another. The rules of all attached groups are combined as a union, so if any group allows the traffic it is permitted: HTTP on port 80 is reachable from any IP. Azure network security groups are the notable exception, since they support explicit Deny rules evaluated in priority order.
Which statement correctly distinguishes cloud security groups from network ACLs (Access Control Lists)?
Think about where each applies and how they track connections.
Security groups are stateful and control traffic at the instance level: once an inbound connection is allowed, the return traffic is allowed automatically. Network ACLs are stateless, apply to whole subnets, are evaluated as numbered allow/deny rules (first match wins), and require explicit rules in both directions, including the return traffic to the client's ephemeral ports.
A user reports that their cloud virtual machine cannot receive SSH connections (port 22) from their office IP, even though a security group rule allows inbound SSH from that IP. Which is the most likely cause?
Consider other network controls besides security groups that affect traffic.
Even if the security group allows inbound SSH, a network ACL on the subnet that blocks inbound port 22 (or simply lacks an allow for it) will drop the connection before the security group is ever consulted. Because NACLs are stateless, also check the outbound rules: the reply to the client's ephemeral port range (1024-65535) must be explicitly allowed, or the TCP handshake fails even with port 22 allowed inbound. Only if the NACL is clean should you move on to the host firewall and the route table.
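To make the three evaluation rules above concrete (union of allows across attached security groups, stateful security groups versus stateless numbered NACL rules, and the SSH troubleshooting case), here is an added Python model written for this page; it is not code from any cloud provider and models AWS-style semantics only. All IP addresses, rule numbers, group names and the fixed ephemeral port are constructed for illustration.

```python
# Added example (not from the original page): a toy model of how AWS-style
# security groups (stateful, allow-only, union across attached groups) and
# network ACLs (stateless, numbered allow/deny rules, first match wins)
# combine to decide whether an inbound connection succeeds. All IPs, rule
# numbers and group names below are constructed for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny"; security-group rules are always "allow"
    proto: str      # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound

    def matches(self, proto, port, ip):
        return ((self.proto == "all" or self.proto == proto)
                and self.port_from <= port <= self.port_to
                and ip_address(ip) in ip_network(self.cidr))


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)   # allow rules only


@dataclass
class NetworkAcl:
    inbound: list    # (rule_number, Rule), evaluated lowest number first
    outbound: list


def sg_allows_inbound(groups, proto, port, src_ip):
    """Union of allow rules across every attached group; no match means implicit deny.
    A group with no rules adds nothing and cannot override another group's allow."""
    return any(r.matches(proto, port, src_ip) for g in groups for r in g.inbound)


def nacl_allows(rules, proto, port, ip):
    """First matching numbered rule wins; no match falls through to the implicit deny."""
    for _, rule in sorted(rules, key=lambda nr: nr[0]):
        if rule.matches(proto, port, ip):
            return rule.action == "allow"
    return False


def connection_allowed(groups, nacl, proto, port, client_ip, client_port=50000):
    """Trace a new connection from client_ip to `port` on the instance.
    The security group is stateful, so once the request is allowed the reply is too.
    The NACL is stateless: the reply, destined for the client's ephemeral port,
    must separately match an outbound allow rule."""
    if not nacl_allows(nacl.inbound, proto, port, client_ip):
        return False, "NACL inbound rule denies the request"
    if not sg_allows_inbound(groups, proto, port, client_ip):
        return False, "no security group allows the request"
    if not nacl_allows(nacl.outbound, proto, client_port, client_ip):
        return False, "NACL outbound rules drop the reply to the ephemeral port"
    return True, "connection succeeds"


# --- constructed scenarios mirroring the questions above -------------------
OFFICE_IP = "203.0.113.10"          # constructed address (documentation range)
ANY = "0.0.0.0/0"
ALLOW_ALL = Rule("allow", "all", 0, 65535, ANY)


def two_groups_http():
    """One group allows HTTP from anywhere, the other has no rules at all."""
    web = SecurityGroup("web", [Rule("allow", "tcp", 80, 80, ANY)])
    locked = SecurityGroup("locked-down")           # empty: implicit deny only
    return sg_allows_inbound([web, locked], "tcp", 80, "198.51.100.7")


def ssh_case(nacl_inbound, nacl_outbound):
    """SSH from the office IP is allowed by the security group; vary only the NACL."""
    ssh = SecurityGroup("ssh-office", [Rule("allow", "tcp", 22, 22, OFFICE_IP + "/32")])
    nacl = NetworkAcl(inbound=nacl_inbound, outbound=nacl_outbound)
    return connection_allowed([ssh], nacl, "tcp", 22, OFFICE_IP)


def ssh_denied_by_nacl():
    # a low-numbered deny for port 22 shadows the allow-all that follows it
    return ssh_case([(90, Rule("deny", "tcp", 22, 22, ANY)), (100, ALLOW_ALL)],
                    [(100, ALLOW_ALL)])


def ssh_reply_dropped():
    # inbound 22 is allowed, but outbound only permits 443, so the SYN-ACK never leaves
    return ssh_case([(100, ALLOW_ALL)],
                    [(100, Rule("allow", "tcp", 443, 443, ANY))])


def ssh_works():
    # inbound 22 plus an outbound allow for the ephemeral range 1024-65535
    return ssh_case([(100, Rule("allow", "tcp", 22, 22, ANY))],
                    [(100, Rule("allow", "tcp", 1024, 65535, ANY))])


if __name__ == "__main__":
    print("two groups, HTTP allowed:", two_groups_http())
    for case in (ssh_denied_by_nacl, ssh_reply_dropped, ssh_works):
        print(f"{case.__name__}:", case())
```

Running it shows the two-group case returning True (the empty group cannot subtract from the union), and the three SSH cases failing at the NACL inbound rule, failing on the stateless return path, and succeeding only once both directions are explicitly allowed. The order of checks in connection_allowed also reflects where a packet is dropped first: the subnet NACL is evaluated before the instance's security group.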