ANS-C01 Network ACL Statelessness Practice Question
This ANS-C01 practice question tests your understanding of network implementation. Examine the command output carefully: the correct answer depends on what the output actually shows, not on general recall alone. A key principle to apply: network ACL Statelessness. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
Refer to the exhibit. The following is an excerpt from a VPC Flow Log:
2 123456789010 eni-12345678 10.0.1.5 10.0.2.10 443 12345 6 10 1000 1234567890 1234567890 ACCEPT OK
2 123456789010 eni-12345678 10.0.1.5 10.0.2.10 443 12346 6 10 1000 1234567890 1234567890 REJECT OK
A network engineer is reviewing VPC Flow Logs for a VPC. The logs show that traffic from 10.0.1.5 to 10.0.2.10 on port 443 is being accepted and rejected intermittently. Both instances are in the same VPC. What is the most likely cause?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "most likely"
Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
Exhibit
Refer to the exhibit. The following is an excerpt from a VPC Flow Log:
2 123456789010 eni-12345678 10.0.1.5 10.0.2.10 443 12345 6 10 1000 1234567890 1234567890 ACCEPT OK
2 123456789010 eni-12345678 10.0.1.5 10.0.2.10 443 12346 6 10 1000 1234567890 1234567890 REJECT OK
A
The security group on the destination instance is configured to allow inbound HTTPS but deny outbound traffic.
Why wrong: Incorrect. Security groups are stateful, so outbound deny rules on the destination do not affect established inbound connections. Return traffic for allowed inbound connections is automatically permitted regardless of outbound rules.
B
The network ACL is blocking traffic.
Correct. A network ACL is stateless and requires both inbound and outbound rules to allow traffic. If outbound rules block response traffic, the flow will show intermittent ACCEPT and REJECT.
C
The route table is misconfigured.
Why wrong: Incorrect. Route tables direct traffic between subnets; if they were misconfigured, the traffic would not reach the destination at all, not intermittently.
D
The source instance's security group is denying outbound traffic.
Why wrong: Incorrect. The source instance's security group outbound rules do not affect the destination's response; security groups are stateful and allow return traffic for outbound connections initiated by the source.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
The network ACL is blocking traffic.
VPC Flow Logs show intermittent ACCEPT and REJECT for traffic from 10.0.1.5 to 10.0.2.10 on port 443. Since the traffic is within the same VPC, the route table is not involved (Option C is unlikely). Security groups are stateful, so even if the destination security group denies outbound traffic, return traffic for the established inbound connection is still allowed; thus Option A is incorrect. The intermittent behavior is characteristic of a stateless network ACL (NACL). A NACL is applied at the subnet level and evaluates inbound and outbound rules independently. If the NACL allows inbound traffic but blocks outbound response traffic (or vice versa), the flow will be partially accepted (initial packets) and then rejected when return packets hit the blocking rule. This matches the logs showing both ACCEPT and REJECT for the same flow. Therefore, the most likely cause is a misconfigured NACL (Option B).
For each option: why learners choose it and why it is or isn't the right answer here.
✗
The security group on the destination instance is configured to allow inbound HTTPS but deny outbound traffic.
Why it's wrong here
Incorrect. Security groups are stateful, so outbound deny rules on the destination do not affect established inbound connections. Return traffic for allowed inbound connections is automatically permitted regardless of outbound rules.
✓
The network ACL is blocking traffic.
Why this is correct
Correct. A network ACL is stateless and requires both inbound and outbound rules to allow traffic. If outbound rules block response traffic, the flow will show intermittent ACCEPT and REJECT.
Clue confirmation
The clue word "most likely" in the question point toward this answer.
Incorrect. Route tables direct traffic between subnets; if they were misconfigured, the traffic would not reach the destination at all, not intermittently.
✗
The source instance's security group is denying outbound traffic.
Why it's wrong here
Incorrect. The source instance's security group outbound rules do not affect the destination's response; security groups are stateful and allow return traffic for outbound connections initiated by the source.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The ANS-C01 exam often tests the distinction between stateful security groups and stateless network ACLs. Candidates may incorrectly assume that intermittent traffic issues are due to security group rules, but the key indicator is the 'intermittent' pattern—a hallmark of stateless firewall behavior where response traffic can be blocked if outbound rules are missing.
Detailed technical explanation
How to think about this question
Security groups in AWS are stateful, meaning that if an inbound rule allows traffic, the corresponding outbound return traffic is automatically permitted regardless of outbound rules. However, this statefulness only applies to the same connection; if the destination instance initiates a new outbound connection (e.g., a separate TCP handshake or a different flow), that traffic is subject to the outbound rules. In this scenario, the intermittent behavior could occur if the destination instance is sending keepalive packets or re-establishing connections that are blocked by a restrictive outbound rule, causing some packets to be rejected while the initial established flow continues to be accepted. This is a common pitfall when security groups are configured with overly restrictive outbound rules, especially in scenarios involving load balancers or auto-scaling groups.
KKey Concepts to Remember
Network ACL Statelessness
Security Group Statefulness
TExam Day Tips
→Watch for words such as best, first, most likely and least administrative effort.
→Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Network ACL Statelessness
Real-world example
How this comes up in practice
A healthcare organisation deploys an application with a public-facing web tier and a private database tier. The database subnet has no public IP and only accepts connections from the web tier's security group. Questions like this test whether you can design cloud network isolation using VNets/VPCs, subnets, and security group rules.
Visual reference
What to study next
Got this wrong? Here's your next step.
Review network ACL Statelessness, then practise related ANS-C01 questions on the same topic to reinforce the concept.
The correct answer is: The network ACL is blocking traffic. — VPC Flow Logs show intermittent ACCEPT and REJECT for traffic from 10.0.1.5 to 10.0.2.10 on port 443. Since the traffic is within the same VPC, the route table is not involved (Option C is unlikely). Security groups are stateful, so even if the destination security group denies outbound traffic, return traffic for the established inbound connection is still allowed; thus Option A is incorrect. The intermittent behavior is characteristic of a stateless network ACL (NACL). A NACL is applied at the subnet level and evaluates inbound and outbound rules independently. If the NACL allows inbound traffic but blocks outbound response traffic (or vice versa), the flow will be partially accepted (initial packets) and then rejected when return packets hit the blocking rule. This matches the logs showing both ACCEPT and REJECT for the same flow. Therefore, the most likely cause is a misconfigured NACL (Option B).
What should I do if I get this ANS-C01 question wrong?
Review network ACL Statelessness, then practise related ANS-C01 questions on the same topic to reinforce the concept.
Are there clue words in this question I should notice?
Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
What is the key concept behind this question?
Network ACL Statelessness
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This ANS-C01 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the ANS-C01 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.