AWS Certified Developer – Associate / Question #1079 of 557

Question #1079

A developer has deployed a three-tier application using an Application Load Balancer (ALB), Amazon EC2 instances, and Amazon RDS. The domain name is configured in Amazon Route 53 with an alias record pointing to the ALB. When attempting to access the application via the domain name, the developer encounters a 'Connection Refused' error. Which logs should the developer review to confirm whether the requests are successfully entering the AWS network?

A

VPC Flow Logs

B

Amazon Route 53 query logs

C

AWS CloudTrail logs

D

Amazon CloudWatch Logs

Explanation

The correct answer is A. VPC Flow Logs. Here's why:

- VPC Flow Logs (A) record IP traffic to and from the network interfaces in the VPC, including the interfaces the ALB itself uses, and every record carries an ACCEPT or REJECT action. If the logs show flows from the client's source address to the ALB's listener ports (e.g., 80/443), the requests are reaching AWS; a REJECT record means the packets arrived but a security group or network ACL dropped them. If no such flows appear at all, the problem lies outside the VPC (e.g., the name resolving to the wrong target, or a client-side issue). Flow logs are not enabled by default, so the first check is that a flow log exists for the VPC, subnet, or interface being examined.

- Route 53 query logs (B) show which DNS queries Route 53 answered and with what response, but not whether the client then opened a TCP connection. Since the error is 'Connection Refused' (a TCP-level response) rather than a resolution failure, the name is resolving to something; these logs cannot confirm that traffic entered the network.

- CloudTrail logs (C) record API calls against AWS services (who created or changed the ALB, listener, or security group, not who connected to it). They contain no data-plane network traffic, so they cannot show whether requests reached AWS, although they are worth checking afterwards for a recent configuration change that explains the failure.

- CloudWatch Logs (D) hold application or agent logs shipped from the EC2 instances (ALB access logs, for their part, are delivered to an S3 bucket, not to CloudWatch Logs). Either way, these only record requests that made it through the ALB to a target. A request dropped by a security group or NACL, or refused because no listener exists on the port, never appears in them, so they cannot show whether traffic entered the VPC.

Key Points:
- 'Connection Refused' means the client received a TCP RST: the packet reached an address that is not listening on that port (for example, no ALB listener configured on port 80, or the DNS name resolving to a host other than the ALB). A security group or NACL drop, by contrast, is silent and normally surfaces as a timeout on the client and as a REJECT record in the flow logs.
- VPC Flow Logs establish whether traffic reaches the ALB's interfaces in the VPC and whether it was accepted or rejected there, which narrows the problem to listener, security group, or NACL configuration inside AWS rather than DNS or the client. Records are delivered with a delay of minutes, so wait for the aggregation window to pass before concluding that nothing arrived.
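The triage described in the explanation, as an added example rather than material from the original question or from AWS: a parser for default-format (version 2) VPC Flow Log records that counts ACCEPT and REJECT flows into the ALB's network interface on the listener ports and maps the result onto the decision above. The ENI id, addresses, and log lines are constructed sample data, and the `diagnose` function's three verdicts are this example's own labels, not an AWS output.

```python
"""Check whether client traffic reached the ALB using VPC Flow Log records.

Added example, not from the original question page. Assumes the default
VPC Flow Log format (version 2, 14 space-separated fields). The ENI id,
addresses, and sample lines below are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Field order of the default (version 2) VPC Flow Log record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed: the ENI attached to the ALB in one subnet (hypothetical id).
ALB_ENI = "eni-0a1b2c3d4e5f67890"

# Constructed sample records: a NODATA window, an accepted HTTPS flow to the
# ALB, an HTTP flow rejected by a security group, and a flow to an EC2 ENI
# that should be ignored when looking at the ALB's ingress.
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA",
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.10 10.0.1.25 51234 443 6 12 1800 1700000060 1700000120 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.10 10.0.1.25 51235 80 6 1 60 1700000060 1700000120 REJECT OK",
    "2 123456789012 eni-0fedcba9876543210 10.0.1.25 10.0.2.40 40000 8080 6 5 900 1700000060 1700000120 ACCEPT OK",
]


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str
    log_status: str


def parse_record(line):
    """Parse one default-format flow log line into a FlowRecord."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        # NODATA / SKIPDATA records carry '-' in the traffic fields;
        # keep the interface and status only so callers can skip them.
        return FlowRecord(rec["interface_id"], "-", "-", 0, 0, 0, "-", rec["log_status"])
    return FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                      int(rec["srcport"]), int(rec["dstport"]), int(rec["protocol"]),
                      rec["action"], rec["log_status"])


def summarize_ingress(lines, alb_enis, ports=(80, 443)):
    """Count ACCEPT/REJECT per destination port for TCP flows into the ALB ENIs."""
    counts = Counter()
    for line in lines:
        r = parse_record(line)
        if r.log_status != "OK" or r.interface_id not in alb_enis:
            continue
        if r.protocol == 6 and r.dstport in ports:  # protocol 6 is TCP
            counts[(r.dstport, r.action)] += 1
    return counts


def diagnose(counts):
    """Map the flow log evidence onto the troubleshooting decision."""
    if not counts:
        return "no client traffic reached the ALB ENIs: look outside the VPC (DNS, client)"
    if all(action == "REJECT" for (_, action) in counts):
        return "traffic reaches the VPC but is dropped by a security group or NACL"
    return "traffic is accepted at the ALB ENIs: check ALB listeners and targets"


if __name__ == "__main__":
    summary = summarize_ingress(SAMPLE_LINES, {ALB_ENI})
    for (port, action), n in sorted(summary.items()):
        print(f"port {port}: {action} x{n}")
    print(diagnose(summary))
```

In practice the lines would come from the CloudWatch Logs group or S3 prefix the flow log delivers to, and `alb_enis` from describing the network interfaces whose description names the load balancer; the important habit the script encodes is to look at the action field per port, because an ACCEPT on 443 next to a REJECT on 80 points at the security group, while an ACCEPT with no application log behind it points at the listener.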

Answer

The correct answer is: A