This chapter covers the following official AWS Certified SysOps Administrator – Associate (SOA-C02) exam domains:
Domain 5: Networking and Content Delivery
(For more information on the official AWS Certified SysOps Administrator – Associate [SOA-C02] exam topics, see the Introduction.)
This section covers the following objective of Domain 5 (Networking and Content Delivery) from the official AWS Certified SysOps Administrator – Associate (SOA-C02) exam guide:
5.3 Troubleshoot network connectivity issues
If you can correctly answer these questions before going through this section, save time by skimming the Exam Alerts in this section and then completing the Cram Quiz at the end of the section.
1. What configuration tasks must be completed to enable flow logs on a VPC and view them in CloudWatch logs?
2. How frequently are flow logs aggregated by default?
1. Answer: Create an IAM policy and role, a CloudWatch log group, and a VPC flow log.
2. Answer: Flow logs are aggregated once per 10 minutes by default.
VPC flow logs capture information about the IP traffic flowing in or out of network interfaces in a VPC. A flow log can be created for an entire VPC, a subnet, or an individual network interface, and it can capture all traffic, accepted traffic only, or rejected traffic only. Flow logs are useful for diagnosing security group or network ACL rules. VPC flow logs do not have a performance impact. The captured data can be published to CloudWatch Logs or to an S3 bucket. Flow logs do not provide a real-time stream of traffic: logs are published every 10 minutes by default but can be configured for faster delivery.
The first step in configuring VPC flow logs is to create the appropriate IAM role. This role must have permission to publish VPC flow logs to CloudWatch Logs. Figure 13.1 shows a sample IAM policy; there are prewritten policies that you can copy from the AWS documentation.
FIGURE 13.1 Flow log IAM policy
Now that the policy has been created, you must create an EC2 role that includes that policy, as shown in Figure 13.2. You must also give the new role a trust relationship with VPC flow logs, so that the flow logs service is allowed to assume the role.
FIGURE 13.2 Flow log IAM role
The next step is to create a CloudWatch log group. In Figure 13.3, you can see the configuration of a log group.
FIGURE 13.3 Configuring a log group
Now you are finally ready to enable flow logs. In Figure 13.4, a new flow log is created on a VPC. This flow log captures all traffic and sends the records to the CloudWatch log group shown in Figure 13.3; you could also send the records to an S3 bucket. The flow log has the permissions it needs to do this through the flow log role shown in Figure 13.2. Because it is created on the VPC, this flow log tracks all interfaces in the VPC. To target a specific subnet or interface, create the flow log on that object instead.
FIGURE 13.4 Creating a flow log on a VPC
In Figure 13.5, you can see some of the captured flow log records. In this case, they are filtered on a specific IP address (74.76.58.81) to reduce the amount of information displayed. Notice that the traffic has been accepted by the security group.
FIGURE 13.5 Log event example
Figure 13.6 shows traffic that has been blocked by the security group. In this case, 74.76.58.81 is the source IP, 10.1.101.112 is the destination IP, and port 22 is the source port.
FIGURE 13.6 Rejected flow log
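The filtering shown in Figures 13.5 and 13.6 can also be done offline on exported records. The following is an added example, not code from the book or from AWS: it parses default-format flow log records (the 14-field layout that CloudWatch Logs receives), filters them by IP address, and counts rejected flows per destination port so that a blocked port stands out. The sample records are constructed; the account and ENI ids are placeholders.

```python
"""Parse default-format VPC flow log records (the 14-field layout delivered
to CloudWatch Logs) and summarize accepted and rejected flows for one IP."""
from collections import Counter

# Field order of a default (version 2) flow log record, space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records; the account and ENI ids are placeholders and the
# IP addresses are the ones shown in Figures 13.5 and 13.6.
SAMPLE_LOG = """\
2 123456789012 eni-0123456789abcdef0 74.76.58.81 10.1.101.112 51422 22 6 12 1024 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 10.1.101.112 74.76.58.81 22 51422 6 10 2048 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 74.76.58.81 10.1.101.112 51433 22 6 1 60 1700000000 1700000600 REJECT OK
2 123456789012 eni-0123456789abcdef0 74.76.58.81 10.1.101.112 51440 3389 6 1 60 1700000000 1700000600 REJECT OK
2 123456789012 eni-0123456789abcdef0 - - - - - - - 1700000000 1700000600 - NODATA
"""

def parse_flow_log(text):
    """Return one dict per usable record, skipping NODATA/SKIPDATA and malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                    # custom format or truncated line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":   # no traffic captured in this window
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def flows_for_ip(records, ip):
    """Keep records where ip is either endpoint, like the filter in Figure 13.5."""
    return [r for r in records if ip in (r["srcaddr"], r["dstaddr"])]

def reject_summary(records, dst_ip):
    """Count REJECTed flows to dst_ip by (source address, destination port).
    A port that is only ever REJECTed points at a security group or NACL rule;
    a REJECT on the return leg of an ACCEPTed flow points at a stateless NACL,
    because security groups are stateful."""
    hits = Counter()
    for r in records:
        if r["dstaddr"] == dst_ip and r["action"] == "REJECT":
            hits[(r["srcaddr"], r["dstport"])] += 1
    return hits
```

Running `reject_summary(parse_flow_log(SAMPLE_LOG), "10.1.101.112")` on the sample returns one rejected flow each on ports 22 and 3389 from 74.76.58.81, while the NODATA record is ignored.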