Prepare for the CompTIA Cloud+ Certification with a comprehensive practice test. Test your knowledge on cloud architecture, deployment, security, and troubleshooting with detailed questions and answers. Enhance your readiness today!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!


Which method should a cloud architect implement to isolate traffic between subnets while allowing stateful communication in an IaaS platform?

  1. Configure security groups.

  2. Configure HIPS policies.

  3. Configure IDS policies.

  4. Configure a network ACL.

The correct answer is: Configure security groups.

Configuring security groups is the most effective method for isolating traffic between subnets while enabling stateful communication in an Infrastructure as a Service (IaaS) platform. Security groups act as virtual firewalls that control inbound and outbound traffic to resources, such as virtual machines, within the cloud environment. They are stateful: if a request is allowed from an instance, the response is automatically permitted, regardless of any rules that would otherwise deny the return traffic.

By leveraging security groups, a cloud architect can selectively allow communication between specific subnets without exposing every instance to the entire network. Only the specified traffic flows to and from the defined resources, which maintains the desired security posture.

The other options address different aspects of network security. HIPS (Host Intrusion Prevention Systems) and IDS (Intrusion Detection Systems) are about monitoring and protecting systems rather than managing traffic flow at the subnet level. Network ACLs (Access Control Lists) are also effective for controlling subnet traffic, but they are stateless. Every request and every response must be individually assessed against the ACL rules, which makes them less efficient than security groups for managing stateful traffic.