ExamAlert – Troubleshoot Network Connectivity – SOA-C02 Study Guide

ExamAlert

You must be capable of reading and interpreting flow logs and identifying source IP and destination IP addresses, ports, and whether the traffic was blocked or allowed. Also, you need to understand that traffic can be blocked by a network access control list, and that the NACL is enforced before the security group on incoming traffic.

Cram Quiz

Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this section again until you can.

1. You are using VPC flow logs to confirm the correct operation of a security group. You are unable to locate the correct log group in CloudWatch. What are potential causes for this issue? (Choose two.)

A. You need to wait longer for the logs to show up.

B. The CloudFront log group has been configured without the correct permissions.

C. The flow log has not captured any traffic.

D. The flow log is not configured with an S3 bucket.

2. Based on the figure shown, what is the most likely cause of the failed connection?

A. A security group is blocking incoming traffic from source IP 10.1.101.112.

B. A security group is blocking incoming traffic on port 22.

C. A security group is blocking outgoing traffic on port 22.

D. A security group is blocking outgoing traffic on port 6.

Cram Quiz Answers

1. Answer: A and C are correct. Flow logs are aggregated every 10 minutes by default. You may need to wait longer to see the traffic reflected in the flow logs. If there has not been any relevant traffic, there will not be flow log entries.

2. Answer: B is correct. Traffic is incoming from public IP 74.76.58.81, 10.1.101.112 is the destination IP, and port 22 is the source port.
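As an added example that is not part of the study guide, the following Python parses default-format VPC flow log records (the same fields the ExamAlert asks you to read: source and destination address, ports, protocol, action) and pulls out rejected inbound connections to a given port. The sample records are constructed for illustration; a REJECT entry alone does not tell you whether the NACL or the security group dropped the packet, only that something did, so check the NACL first since it is evaluated before the security group.

```python
import ipaddress
from dataclasses import dataclass

# Field order of the default (version 2) VPC flow log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records, not taken from any real account or figure.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 74.76.58.81 10.1.101.112 51234 22 6 6 360 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 74.76.58.81 10.1.101.112 51235 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.1.101.112 74.76.58.81 443 51235 6 18 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

@dataclass
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int   # IANA protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    action: str     # ACCEPT or REJECT

def parse_flow_log(text):
    """Parse default-format records; lines with NODATA/SKIPDATA status carry no traffic and are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line: ignore rather than crash
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        records.append(FlowRecord(rec["srcaddr"], rec["dstaddr"], int(rec["srcport"]),
                                  int(rec["dstport"]), int(rec["protocol"]), rec["action"]))
    return records

def rejected_inbound(records, vpc_cidr, dstport=None):
    """REJECT records whose destination lies inside the VPC CIDR (i.e. inbound), optionally on one port.
    The flow log does not say which layer rejected the packet: check the NACL before the security group."""
    net = ipaddress.ip_network(vpc_cidr)
    return [r for r in records
            if r.action == "REJECT" and ipaddress.ip_address(r.dstaddr) in net
            and (dstport is None or r.dstport == dstport)]

def describe(rec):
    """Human-readable summary of one record, as you would read it off the console."""
    proto = {6: "TCP", 17: "UDP", 1: "ICMP"}.get(rec.protocol, str(rec.protocol))
    return f"{rec.action} {proto} {rec.srcaddr}:{rec.srcport} -> {rec.dstaddr}:{rec.dstport}"
```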

ELB Access Logs

This section covers the following objective of Domain 5 (Networking and Content Delivery) from the official AWS Certified SysOps Administrator – Associate (SOA-C02) exam guide:

5.3 Troubleshoot network connectivity issues

CramSaver

If you can correctly answer these questions before going through this section, save time by skimming the Exam Alerts in this section and then completing the Cram Quiz at the end of the section.

1. What security configuration task must be completed for ELB access logs to function?

2. Are ELB access logs useful for troubleshooting issues such as spikes in request counts and Layer 7 access codes?

Answers

1. Answer: The logs are sent to an S3 bucket. The S3 bucket policy must be configured to grant ELB access logs write permissions.

2. Answer: Yes, ELB access logs capture request details and server responses.

ELB access logs are an optional feature that can be used to troubleshoot traffic patterns and issues with traffic as it hits the ELB. ELB access logs capture details of requests sent to your load balancer such as the time of the request, the client IP, latency, and server responses. Access logs are stored in an S3 bucket. Log files are published every five minutes, and multiple logs can be published for the same five-minute period.

The S3 bucket must be in the same region as the ELB. The bucket policy must be configured to allow access logs to write to the bucket. You can use tools such as Amazon Athena, Loggly, Splunk, or Sumo Logic to analyze the contents of ELB access logs.

ELB access logs also include the HTTP response code returned by the target. If a connection to the target could not be established, the response code field is set to -. Figure 13.7 shows how to configure an S3 bucket as a destination for ELB access logs.

FIGURE 13.7 Enabling ELB access logs

ExamAlert

The S3 bucket that is used for ELB access logs must be in the same region as the load balancer and must have a bucket policy that grants ELB access logs write permissions to the bucket.