- A
The inbound rule only allows HTTPS, but the outbound rule allows all traffic; this is correct
The NACL configuration is correct for inbound HTTPS; the issue is likely elsewhere, e.g., security group.
- B
The NACL is not associated with the correct subnet
Why wrong: The exhibit shows it is associated with subnet-11111111.
- C
The inbound rule should also allow ICMP traffic
Why wrong: ICMP is not required for HTTPS connectivity.
- D
The outbound rule should restrict traffic to only ephemeral ports
Why wrong: While a best practice, it is not required for inbound HTTPS.
Network ACL Stateless Rules and Troubleshooting
This ANS-C01 practice question tests your understanding of network security, compliance and governance. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. A key principle to apply: stateless NACL. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Refer to the exhibit. A network engineer is troubleshooting connectivity issues from an EC2 instance in subnet-11111111. The instance can send traffic outbound, but cannot receive inbound HTTPS traffic from the internet. What is the likely cause?
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
The inbound rule only allows HTTPS, but the outbound rule allows all traffic; this is correct
The NACL inbound rule allows HTTPS (port 443) from 0.0.0.0/0, and the outbound rule allows all traffic. NACLs are stateless, so the outbound all-traffic rule correctly permits response traffic using ephemeral ports (1024–65535). Therefore, the NACL configuration is correct for inbound HTTPS traffic. The issue must lie elsewhere, such as the instance's security group not allowing inbound HTTPS, or a missing internet gateway route. Option C is correct because it acknowledges that the NACL is not misconfigured, which is the likely scenario given the exhibit.
Key principle: Stateless NACL
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓
The inbound rule only allows HTTPS, but the outbound rule allows all traffic; this is correct
Why this is correct
The NACL configuration is correct for inbound HTTPS; the issue is likely elsewhere, e.g., security group.
Related concept
Stateless NACL
- ✗
The NACL is not associated with the correct subnet
Why it's wrong here
The exhibit shows it is associated with subnet-11111111.
- ✗
The inbound rule should also allow ICMP traffic
- ✗
The outbound rule should restrict traffic to only ephemeral ports
Why it's wrong here
While a best practice, it is not required for inbound HTTPS.
Common exam traps
Common exam trap: answer the scenario, not the keyword
Many certification questions include familiar terms but test a specific constraint. Read the exact wording before choosing an answer that is generally true but wrong for this case.
Trap categories for this question
Command / output trap
The exhibit shows it is associated with subnet-11111111.
Detailed technical explanation
How to think about this question
Treat this as a scenario question. Identify the problem, the constraint, and the best action. Then compare each option against those facts.
KKey Concepts to Remember
- Stateless NACL
- Ephemeral Ports
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Stateless NACL
Real-world example
How this comes up in practice
A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.
Visual reference
What to study next
Got this wrong? Here's your next step.
Review stateless NACL, then practise related ANS-C01 questions on the same topic to reinforce the concept.
- →
Network Security, Compliance and Governance — study guide chapter
Learn the concepts, then practise the questions
- →
Network Security, Compliance and Governance practice questions
Targeted practice on this topic area only
- →
All ANS-C01 questions
1,705 questions across all exam domains
- →
AWS Certified Advanced Networking Specialty ANS-C01 study guide
Full concept coverage aligned to exam objectives
- →
ANS-C01 practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related ANS-C01 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Network Management and Operations practice questions
Practise ANS-C01 questions linked to Network Management and Operations.
Network Security, Compliance and Governance practice questions
Practise ANS-C01 questions linked to Network Security, Compliance and Governance.
Network Design practice questions
Practise ANS-C01 questions linked to Network Design.
Network Implementation practice questions
Practise ANS-C01 questions linked to Network Implementation.
ANS-C01 fundamentals practice questions
Practise ANS-C01 questions linked to ANS-C01 fundamentals.
ANS-C01 scenario practice questions
Practise ANS-C01 questions linked to ANS-C01 scenario.
ANS-C01 troubleshooting practice questions
Practise ANS-C01 questions linked to ANS-C01 troubleshooting.
Practice this exam
Start a free ANS-C01 practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this ANS-C01 question test?
Network Security, Compliance and Governance — This question tests Network Security, Compliance and Governance — Stateless NACL.
What is the correct answer to this question?
The correct answer is: The inbound rule only allows HTTPS, but the outbound rule allows all traffic; this is correct — The NACL inbound rule allows HTTPS (port 443) from 0.0.0.0/0, and the outbound rule allows all traffic. NACLs are stateless, so the outbound all-traffic rule correctly permits response traffic using ephemeral ports (1024–65535). Therefore, the NACL configuration is correct for inbound HTTPS traffic. The issue must lie elsewhere, such as the instance's security group not allowing inbound HTTPS, or a missing internet gateway route. Option C is correct because it acknowledges that the NACL is not misconfigured, which is the likely scenario given the exhibit.
What should I do if I get this ANS-C01 question wrong?
Review stateless NACL, then practise related ANS-C01 questions on the same topic to reinforce the concept.
What is the key concept behind this question?
Stateless NACL
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Same concept, more angles
4 more ways this is tested on ANS-C01
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. A security engineer is designing a network ACL for a public subnet. The subnet hosts a web server on port 443. Which inbound and outbound rules should be configured to allow HTTPS traffic from the internet? (Assume default deny all rule.)
medium- ✓ A.Inbound: allow TCP 443 from 0.0.0.0/0; Outbound: allow TCP 1024-65535 to 0.0.0.0/0.
- B.Inbound: allow TCP 443 from 0.0.0.0/0; Outbound: allow TCP 443 to 0.0.0.0/0.
- C.Inbound: allow TCP 1024-65535 from 0.0.0.0/0; Outbound: allow TCP 443 to 0.0.0.0/0.
- D.Inbound: allow TCP 443 from 0.0.0.0/0; Outbound: allow TCP 443 to 0.0.0.0/0 for responses.
Why A: Option A is correct because NACLs are stateless, requiring explicit inbound and outbound rules. The inbound rule allows HTTPS (TCP 443) from the internet. The outbound rule allows return traffic on ephemeral ports (1024-65535) back to the internet. Option B is wrong because the outbound rule only allows TCP 443, which is too restrictive for return traffic. Option C is wrong because the inbound rule only allows ephemeral ports, not HTTPS. Option D is wrong because it incorrectly states 'for responses' and the outbound rule is still too restrictive.
Variation 2. Refer to the exhibit. A network engineer reviews the NACL entries for a subnet. What is the effect of this NACL on inbound traffic?
hard- ✓ A.Only SSH from the internal network and HTTPS from any IP are allowed.
- B.All inbound traffic is allowed.
- C.Only HTTPS traffic is allowed from any IP.
- D.All inbound traffic is denied.
Why A: Option A is correct. Inbound rules: Rule 100 allows SSH from 10.0.0.0/16 (internal network). Rule 200 allows HTTPS from 0.0.0.0/0 (any IP). Rule 300 (implicit deny) denies all other inbound traffic. Therefore, only SSH from the internal network and HTTPS from any IP are allowed. Option B is incorrect because not all inbound traffic is allowed; SSH from external networks is denied. Option C is incorrect because HTTPS is allowed from anywhere. Option D is incorrect because the NACL does not deny all traffic; it allows specific traffic.
Variation 3. A security engineer reviews VPC Flow Logs and sees the entries shown. The last entry shows a REJECT for traffic from 203.0.113.5 to 10.0.1.5 on port 443. However, the third entry shows ACCEPT for traffic from 10.0.1.5 to 203.0.113.5 on port 443. What is the most likely reason for the REJECT?
medium- ✓ A.The network ACL associated with the subnet of 10.0.1.5 does not allow inbound traffic from 203.0.113.5.
- B.AWS WAF is blocking the inbound traffic.
- C.The security group attached to the instance 10.0.1.5 does not allow inbound traffic from 203.0.113.5.
- D.The route table for the subnet of 10.0.1.5 does not have a route to the internet.
Why A: The VPC Flow Logs show outbound traffic from 10.0.1.5 to 203.0.113.5 on port 443 was allowed (ACCEPT), but the inbound response was rejected. Security groups are stateful, so they automatically allow return traffic for established connections. Therefore, a security group (Option C) would not cause this REJECT. Network ACLs are stateless and require explicit inbound rules; if the inbound rule for traffic from 203.0.113.5 is missing, the response is dropped, resulting in a REJECT. Option A correctly identifies this. Option B (AWS WAF) operates at the application layer (Layer 7) and is not reflected in VPC Flow Logs, which capture Layer 3/4 traffic. Option D (route table) would cause a lack of connectivity, not a REJECT entry in flow logs.
Variation 4. Refer to the exhibit. A network engineer examines the network ACL for a subnet. Which statement best describes the effect of this network ACL?
medium- A.Both inbound and outbound TCP traffic are allowed
- ✓ B.Inbound TCP traffic is allowed, but all outbound traffic is denied
- C.All inbound traffic is allowed
- D.All outbound traffic is allowed
Why B: The inbound rule explicitly allows TCP traffic (protocol 6) from any source (0.0.0.0/0). However, the outbound rules consist only of a default deny rule, which blocks all outbound traffic. Therefore, inbound TCP traffic is allowed, but all outbound traffic is denied. Option A is incorrect because outbound traffic is denied, not allowed. Option C is incorrect because only inbound TCP is allowed, not all inbound traffic. Option D is incorrect because outbound traffic is denied.
Keep practising
More ANS-C01 practice questions
- A financial services company has a VPC with a public subnet and a private subnet. EC2 instances in the private subnet ne…
- A company is designing a network security architecture for a multi-account environment using AWS Transit Gateway. The se…
- A company is using AWS Direct Connect to connect its on-premises network to AWS. The company wants to encrypt all traffi…
- A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Site-to-Site VPN. The secur…
- A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application must be acc…
- A global e-commerce company uses a hub-and-spoke network topology with a transit VPC in us-east-1. Each spoke VPC has an…
Last reviewed: Jun 20, 2026
This ANS-C01 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the ANS-C01 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.