Question #652
A developer is using a Border Gateway Protocol (BGP)-based AWS VPN connection to establish connectivity between an on-premises network and Amazon EC2 instances in their VPC. The developer can successfully access an EC2 instance in subnet X but cannot connect to an EC2 instance in subnet Y, which resides in the same VPC and Availability Zone. Both subnets have valid route table entries pointing to the VPN gateway.
Which logging service should the developer use to determine whether traffic from the on-premises network is being routed to subnet Y?
A. VPN connection logs
B. BGP session logs
C. VPC Flow Logs
D. AWS CloudTrail logs
Explanation
The correct answer is C, VPC Flow Logs, because they provide visibility into the IP traffic flowing through the VPC's network interfaces. Since both subnets have valid route table entries, the issue likely lies in security groups, NACLs, or traffic not reaching the subnet at all. VPC Flow Logs record source and destination IPs, ports, and whether each flow was accepted or rejected, which helps diagnose both routing and security issues.
Why other options are incorrect:
- A. VPN connection logs: These monitor VPN tunnel status and metrics (e.g., uptime, bytes transferred) but do not provide traffic routing details.
- B. BGP session logs: These track BGP route advertisements and session state, but the question confirms valid route tables, so BGP is likely functioning.
- D. AWS CloudTrail logs: These audit API activity and management events, not network traffic.
Key Points:
- Use VPC Flow Logs to analyze traffic flow and security rules.
- Ensure security groups and NACLs allow traffic to subnet Y.
- Route tables determine where traffic is directed; Flow Logs confirm whether it actually arrived at the subnet's network interfaces and whether it was accepted.
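As an added example (not part of the original question or its explanation), the following Python classifies default-format VPC Flow Log records to separate the two failure modes the explanation mentions: on-premises traffic never reaching subnet Y versus reaching it and being rejected by a security group or NACL. The CIDRs, ENI IDs and log lines are constructed for illustration and are not from the question.

```python
import ipaddress
from collections import Counter

# Default VPC Flow Log record format (version 2, space-separated fields).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Assumed addressing for the scenario (hypothetical; the question gives none).
ON_PREM = ipaddress.ip_network("10.0.0.0/16")
SUBNETS = {"X": ipaddress.ip_network("172.31.10.0/24"),
           "Y": ipaddress.ip_network("172.31.20.0/24")}

# Constructed sample records: the on-prem host reaches X but is rejected at Y; one
# intra-VPC flow and one NODATA record (no addresses) are there to be ignored.
SAMPLE_LOG = """\
2 123456789012 eni-0aaaaaaaaaaaaaaaa 10.0.5.21 172.31.10.14 51234 22 6 12 3200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbbbbbbbbbbbbbbb 10.0.5.21 172.31.20.14 51236 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0bbbbbbbbbbbbbbbb 172.31.10.14 172.31.20.14 44000 443 6 5 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaaaaaaaaaaaaaaa - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_records(text):
    """Yield one dict per well-formed OK record; NODATA/SKIPDATA carry no addresses."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line or a custom (non-default) log format
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":
            yield rec

def on_prem_actions(text, on_prem=ON_PREM, subnets=SUBNETS):
    """Count ACCEPT/REJECT per subnet for flows whose source is on-premises."""
    counts = {name: Counter() for name in subnets}
    for rec in parse_records(text):
        if ipaddress.ip_address(rec["srcaddr"]) not in on_prem:
            continue  # intra-VPC or other traffic, not what we are diagnosing
        dst = ipaddress.ip_address(rec["dstaddr"])
        for name, net in subnets.items():
            if dst in net:
                counts[name][rec["action"]] += 1
    return counts

def diagnose(counts):
    """NO_FLOWS: nothing reached the ENI (routing/VPN path); REJECTED: arrived but blocked (SG/NACL)."""
    return {name: "NO_FLOWS" if not c else "REJECTED" if c["ACCEPT"] == 0 else "ACCEPTED"
            for name, c in counts.items()}
```

A NO_FLOWS verdict for subnet Y with ACCEPTED for subnet X points back at the VPN or routing path, while REJECTED means the packets did arrive and the security group or NACL is the place to look.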
Answer
The correct answer is: C