Scenario 5: Misconfigured Security Groups or Network ACLs Causing Connectivity Issue

(Mindmap and Audio Discussion is a paid feature)

Problem:

• An EC2-hosted application is not accessible to users.
  
  

• The instance is running and healthy but external connectivity is blocked.
  
  

• Investigation points to misconfigured security group or network ACL settings.
  
  

Step-by-Step Troubleshooting:

1. Review Security Group Settings:
   
   

   • Check if the security group allows inbound traffic on required ports.
     
     

     • For web servers, ensure ports 80 (HTTP) and 443 (HTTPS) are open.
       
       

     • For SSH access, ensure port 22 is open.
       
       

   • Confirm the source IP ranges are correct.
     
     

     • Use 0.0.0.0/0 for public access or specific IP ranges for restricted access.
       
       

   • Verify outbound rules allow return traffic if necessary.
     
     

2. Examine Network ACLs:
   
   

   • Network ACLs are stateless, so both inbound and outbound rules must be correctly set.
     
     

   • Ensure inbound rules allow traffic on the required ports to the subnet.
     
     

   • Ensure outbound rules allow responses to traffic back to users.
     
     

   • Check for any deny rules that might override allow rules.
     
     

3. Double-Check VPC and Subnet Configuration:
   
   

   • Ensure the EC2 instance is in a subnet with the correct route table settings.
     
     

   • For public access, confirm the subnet has a route to an Internet Gateway.
     
     

   • Verify that the instance has a public IP address or Elastic IP assigned.
     
     

   • Check DNS settings if the instance is accessed via a domain name.
     
     

4. Test Connectivity:
   
   

   • Use ping to check basic network reachability.
     
     

   • Use telnet to test if specific ports are reachable.
     
     

   • Use SSH to try connecting to the instance from another instance in the same VPC.
     
     

   • If internal connections work, focus on public route or security group issues.
     
     

5. Audit Recent Changes:
   
   

   • Check if any recent changes were made to security groups or network ACLs.
     
     

   • Review configuration change logs in AWS Config if enabled.
     
     

   • Identify if any IAM policy changes affected access.
     
     

   • Roll back or adjust changes that restricted traffic.
     
     

Key AWS Terms:

• Security Group: Virtual firewall at the instance level, stateful in nature.
  
  

• Network ACL (NACL): Stateless firewall at the subnet level, requires explicit inbound and outbound rules.
  
  

• VPC: Virtual Private Cloud where networking configurations are managed.
  
  

• Internet Gateway: Allows instances in a VPC to connect to the Internet.
  
  

• Route Table: Defines how traffic is routed within a VPC.
  
  

Interview Insight:

• When troubleshooting connectivity issues, I always begin with verifying security group rules and NACLs for required ports.
  
  

• I use basic network tools to confirm where the traffic is blocked and ensure VPC settings like Internet Gateway and route tables are properly configured.
  
  

• I also look for recent changes to access rules that might have introduced the problem and use AWS Config if available for change tracking.