Which instance-level virtual firewall controls, for each individual EC2 instance, the traffic allowed (inbound/outbound) by port and by source?

Correct answer: B

Explanation

Choosing the instance-level virtual firewall. The wording of the question maps onto the answer as follows:

  • "each individual EC2 instance": per-instance control = security group
  • "instance-level virtual firewall": the definition of a security group itself
  • "the traffic allowed": controlled with allow rules
A: Incorrect

Internet gateway

An internet gateway is a component that connects a VPC (your own private virtual network on AWS) to the internet.

It is not a firewall that controls per-instance traffic, so it is incorrect.

B: Correct

Security group

Correct. A security group is a virtual firewall attached to resources such as EC2 instances (to the instance's network interface), where you set allow rules by protocol, port and source (inbound) or destination (outbound). It has allow rules only: anything not explicitly allowed is dropped, and there is no way to write a deny rule. It is stateful, so the return traffic for an allowed connection is automatically allowed without a matching rule in the other direction. It is the basis of per-instance traffic control.

C: Incorrect

Route table

A route table is a set of routes that decides, by destination, the next hop for traffic leaving a subnet (for example an internet gateway, a NAT gateway or a peering connection).

It is not a firewall that allows or denies traffic, so it is incorrect.

D: Incorrect

Amazon CloudFront

CloudFront is a CDN service that caches and delivers content from edge locations.

It is not a firewall that controls instance-level traffic, so it is incorrect.

Key Takeaway

Security group = per-instance (attached to the network interface), stateful, allow rules only, with every rule evaluated and no ordering. Network ACL (NACL) = per-subnet, stateless, both allow and deny rules, numbered and evaluated in ascending order until the first match, with an implicit final deny. Distinguish them by the layer they apply at and by these characteristics.
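The following is an added example, not part of the original question or of any AWS code: a small Python model of the two rule-evaluation semantics the key takeaway contrasts. The rules, CIDRs and addresses are constructed for illustration, and the model is deliberately simplified (IPv4 only, tcp/udp/all protocols, no ICMP types, prefix lists or security-group-to-security-group references). It shows three things a practitioner should be able to reason about: a security group has unordered allow rules with an implicit deny, a NACL has numbered allow/deny rules with first-match-wins, and a stateless NACL also needs an outbound rule for the reply on the client's ephemeral port, which a stateful security group does not.

```python
"""Constructed model of AWS security group vs. network ACL rule evaluation.

Example code written for this page, not AWS code. Sample rules, CIDRs and
addresses are made up. Simplifications: IPv4 only, protocols "tcp", "udp"
or "-1" (all), no ICMP types, prefix lists or SG-to-SG references.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable


def _matches(protocol: str, from_port: int, to_port: int, cidr: str,
             pkt_proto: str, pkt_port: int, pkt_ip: str) -> bool:
    """Shared match used by both evaluators. Protocol "-1" means all ports."""
    if protocol != "-1" and protocol != pkt_proto:
        return False
    if protocol != "-1" and not (from_port <= pkt_port <= to_port):
        return False
    return ipaddress.ip_address(pkt_ip) in ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class SgRule:
    """A security group rule. No action field: every rule is an allow."""
    protocol: str
    from_port: int
    to_port: int
    cidr: str


def sg_allows(rules: Iterable[SgRule], proto: str, port: int, src_ip: str) -> bool:
    """Security group semantics: unordered allow rules, anything unmatched is denied."""
    return any(_matches(r.protocol, r.from_port, r.to_port, r.cidr, proto, port, src_ip)
               for r in rules)


@dataclass(frozen=True)
class NaclRule:
    """A network ACL entry: numbered, and either "allow" or "deny"."""
    number: int
    protocol: str
    from_port: int
    to_port: int
    cidr: str
    action: str


def nacl_allows(rules: Iterable[NaclRule], proto: str, port: int, ip: str) -> bool:
    """NACL semantics: ascending rule number, first match decides, implicit final deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r.protocol, r.from_port, r.to_port, r.cidr, proto, port, ip):
            return r.action == "allow"
    return False


def sg_connection_ok(ingress: Iterable[SgRule], client_ip: str, dst_port: int,
                     proto: str = "tcp") -> bool:
    """Stateful: only the initiating packet is evaluated; the reply is tracked
    and allowed automatically, so egress rules are not consulted for it."""
    return sg_allows(ingress, proto, dst_port, client_ip)


def nacl_connection_ok(inbound: Iterable[NaclRule], outbound: Iterable[NaclRule],
                       client_ip: str, dst_port: int, client_port: int,
                       proto: str = "tcp") -> bool:
    """Stateless: the request is checked against inbound rules and the reply
    (to the client's ephemeral port) is checked separately against outbound rules."""
    return (nacl_allows(inbound, proto, dst_port, client_ip)
            and nacl_allows(outbound, proto, client_port, client_ip))


# Constructed sample security group: HTTPS from anywhere, SSH only from 10.0.0.0/8.
SG_INGRESS = [
    SgRule("tcp", 443, 443, "0.0.0.0/0"),
    SgRule("tcp", 22, 22, "10.0.0.0/8"),
]

# Constructed sample subnet NACL: an explicit deny for one abusive /24 placed
# before the general allow, which a security group has no way to express.
NACL_INBOUND = [
    NaclRule(90, "tcp", 443, 443, "198.51.100.0/24", "deny"),
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(110, "tcp", 22, 22, "10.0.0.0/8", "allow"),
]
NACL_OUTBOUND = [
    NaclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),  # replies to ephemeral ports
]

if __name__ == "__main__":
    print("SG 443 from internet:", sg_connection_ok(SG_INGRESS, "203.0.113.5", 443))
    print("SG 22 from internet: ", sg_connection_ok(SG_INGRESS, "203.0.113.5", 22))
    print("NACL 443, blocked /24:", nacl_connection_ok(NACL_INBOUND, NACL_OUTBOUND, "198.51.100.7", 443, 51000))
    print("NACL 443, no outbound ephemeral rule:", nacl_connection_ok(NACL_INBOUND, [], "203.0.113.5", 443, 51000))
```

The last print is the classic stateless mistake: the inbound NACL rule allows the request, but without an outbound rule covering ports 1024-65535 the reply is dropped. The same request through the security group needs only the single ingress rule.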