A Telecom company has deployed database servers on an EC2 instance within a VPC. These servers are configured within Private subnets. External vendor accesses these servers from the Internet using SSH & RDP via a Jump server configured in public subnet with IP Address 10.10.10.5. Servers also need to access the internet for downloading security patches. Since these are critical servers, Security Team needs a stringent policy on these servers to allow only legitimate traffic to reach servers & block all other traffic. Which of the following NACL rules can be applied to meet this requirement?

Answer options:

A.B.C.D.

Correct Answer – B
 Since external vendors are accessing servers from Jump servers, the Inbound rule should allow Jump Server IP 10.10.10.5 on SSH port 22 & RDP port 3389. Also, corresponding rules need to be added in the outbound rule for return traffic to IP 10.10.10.5 for all ephemeral ports.
For internet access, all traffic should be allowed on port 80 & 443 inbound direction & in inbound direction traffic from the internet should be allowed.
Option A is incorrect as Outbound Response from Servers to Jump servers are missing which will deny SSH/RDP connections.
Option C is incorrect as it allows all IP addresses within Public IP pool 10.10.10.0/24to access servers on SSH & RDP port.
Option D is incorrect as for internet access, traffic needs to be allowed for ports 80 & 443 & not only for 10.10.10.5/32.
For more information on using NACL, refer to the following URL
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-recommended-nacl-r