A security engineer is troubleshooting connectivity issues between an Amazon EC2 instance in a VPC and an on-premises server over a Direct Connect virtual interface. The EC2 instance has a security group that allows outbound traffic to the on-premises CIDR block (10.0.0.0/16). The VPC has a route table entry pointing the on-premises CIDR to the virtual private gateway. The on-premises firewall shows that packets are received from the EC2 instance but responses are not reaching the instance. What is the most likely cause?
- A. The on-premises router does not have a route pointing the VPC CIDR back to the Direct Connect interface.
  Without a return route, responses from on-premises are dropped.
- B. The network ACL for the subnet is blocking outbound traffic to the on-premises CIDR.
  Why wrong: Outbound traffic is reaching on-premises, so the NACL is not blocking outbound.
- C. The virtual private gateway is not attached to the VPC.
  Why wrong: If the gateway were not attached, outbound traffic would not reach on-premises.
- D. The security group does not allow inbound traffic from the on-premises server.
  Why wrong: Security groups are stateful; if outbound is allowed, return traffic is automatically allowed.