A pharma company is deploying multiple web servers on EC2 instances in multiple VPCs. The security team has provided separate IP pools and TCP ports to reach each of these web servers based on the servers` functions and their access requirements. The security team needs a standard solution to allow and block some of these TCP ports for their current and future deployments. Which of the following options can be used to meet this requirement?

Answer options:

A.Create separate Security Groups for each instance & assign them to each instance. Use NACL to deny TCP ports to all instances at the subnet level.
B.Launch an instance in separate subnet & apply separate NACL to each instance. Use Security Groups to deny TCP ports to all instances.
C. Create separate Security Groups for each instance & assign them to each instance. Use Security Groups to deny TCP ports to all instances in all subnets.
D.Launch an instance in a separate subnet & apply separate NACL to each instance. Use NACL to deny TCP ports to all instances.

Correct Answer – A
NACL can be used at the subnet level to block or allow IP / Ports. Security Groups can be used at the instance level to allow a specific IP address or ports to the instance. Security Groups cannot be used to deny traffic. In the above, since all the servers have different IP Pools & Ports to be allowed, Security Groups can be used per server instance. NACL can be used to deny all unwanted ports which will be applied at the subnet level & will apply to all server instances in that subnet.
Options B & C are incorrect as Security Groups cannot be used to deny traffic.
Option D is incorrect as Launching an instance in a separate subnet is not a feasible option.
For more information on using Security Groups & NACL, refer to the following URLs
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html