12 0 0 1 4 336 1432917094 1432917142 REJECT OKWhat action should be performed to allow the ping to work?

By:
On:
In: SCS-C01
Tagged:
With: 0 Comments
While securing the connection between a company’s VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host(IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139).The ping command did not return a response.The flow log in the VPC showed the following:2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.

12 0 0 1 4 336 1432917094 1432917142 REJECT OKWhat action should be performed to allow the ping to work?

In the security group of the EC2 instance, allow inbound ICMP traffic.

In the security group of the EC2 instance, allow outbound ICMP traffic.

In the VPC’s NACL, allow inbound ICMP traffic.

In the VPC’s NACL, allow outbound ICMP traffic.

Explanations:

The security group governs inbound traffic to the EC2 instance. However, the flow log shows that the return traffic (from EC2 to on-premises) is being rejected.

Security groups control both inbound and outbound traffic. However, the issue is with inbound traffic being rejected, so this does not resolve the problem.

The flow log indicates that the response from EC2 (outbound traffic) is being rejected. NACLs control both inbound and outbound traffic, but the issue is outbound.

The flow log shows the EC2 instance is rejecting the outbound ping response. Adjusting the NACL to allow outbound ICMP traffic would resolve the issue.

Leave a Reply

Your email address will not be published. Required fields are marked *

thirteen − ten =