Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.
For DVA-C02 candidates, the confusion often lies in differentiating between various AWS logs for network troubleshooting. In production, this is about knowing exactly which logs reveal network traffic visibility versus connection state, especially when working with hybrid environments and VPNs. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
TechPath Solutions, a software development company, is using a Border Gateway Protocol (BGP)-enabled AWS Site-to-Site VPN connection to seamlessly access their Amazon EC2 instances from their corporate data center. The developer team can successfully connect to an EC2 instance located within subnet Alpha of their VPC. However, when attempting to reach another EC2 instance located within subnet Beta (same VPC), the connection fails. The developer suspects that network traffic might not be reaching subnet Beta and wants to verify it.
The Requirement: #
Which type of logs should the developer review to confirm whether the network packets are actually arriving in subnet Beta?
The Options #
- A) VPN logs
- B) BGP logs
- C) VPC Flow Logs
- D) AWS CloudTrail logs
Correct Answer #
C) VPC Flow Logs
Quick Insight: The Developer’s Imperative #
The key challenge here is to verify network traffic flow at the subnet level inside the VPC.
- VPN logs show connection status for the VPN tunnel, not intra-VPC traffic.
- BGP logs provide routing updates for the VPN, not actual packet flow.
- VPC Flow Logs capture information about IP traffic going to and from network interfaces in your VPC subnets, which makes them the right tool for diagnosing whether traffic reaches subnet Beta.
- CloudTrail logs track API calls but do not provide network traffic visibility.
The Expert’s Analysis #
Correct Answer #
Option C: VPC Flow Logs
The Winning Logic #
VPC Flow Logs are designed to capture information about network traffic going to and from elastic network interfaces (ENIs) in your VPC. Since the issue is connectivity to an EC2 instance within a particular subnet, checking flow logs for that subnet’s ENIs reveals if packets are arriving or being dropped. This network-level visibility is critical for hybrid architectures involving VPNs.
- In the AWS SDK or CLI, enabling VPC Flow Logs involves specifying the VPC, subnet, or ENI and sending the records to CloudWatch Logs or an S3 bucket, where they can be queried and filtered.
- This lets developers confirm whether traffic reaches the target EC2 instance's ENI at all, or whether it arrives and is then rejected by NACLs or Security Groups; traffic that never appears in the flow logs points to a routing misconfiguration upstream.
The Trap (Distractor Analysis) #
- Why not A (VPN logs)? VPN logs show the IKE phase 1/2 tunnel status and IPsec negotiation, but not intra-VPC packet flow once traffic has traversed the VPN. This makes VPN logs insufficient for diagnosing subnet-level traffic issues.
- Why not B (BGP logs)? BGP logs pertain to route exchange and announcements over the VPN; they will not indicate whether packets are actually reaching an EC2 ENI. BGP can show which routes are advertised, not whether traffic flows.
- Why not D (CloudTrail logs)? CloudTrail captures AWS API calls (such as starting or stopping instances, or changing security groups) but does not record network traffic, so it is no help in tracing packets.
The Technical Blueprint #
```bash
# Example: Enabling VPC Flow Logs with AWS CLI for a specific subnet (subnet Beta)
aws ec2 create-flow-logs \
  --resource-type Subnet \
  --resource-ids subnet-0abcd1234ef567890 \
  --traffic-type ALL \
  --log-group-name /aws/vpc/flow-logs-techpath-beta \
  --deliver-logs-permission-arn arn:aws:iam::123456789012:role/FlowLogsIAMRole
```
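Once the flow logs are being delivered, the next step is reading them. The following Python parser is an added example (not part of the original note or any AWS tooling) that processes records in the default VPC Flow Log format and summarizes, per ENI, how many packets from the data-center range were accepted or rejected in subnet Beta. The sample records, the data-center CIDR 10.1.0.0/16 and the subnet Beta CIDR 10.0.2.0/24 are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Default VPC Flow Log record format (version 2), space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records, not real AWS output. Assumed ranges:
# corporate data center 10.1.0.0/16, subnet Alpha 10.0.1.0/24, subnet Beta 10.0.2.0/24.
SAMPLE_LOG = """\
2 123456789012 eni-0beta000000000001 10.1.5.20 10.0.2.15 51000 22 6 12 1800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0beta000000000001 10.1.5.20 10.0.2.15 51001 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0beta000000000001 10.0.2.15 10.1.5.20 22 51000 6 10 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0alpha00000000001 10.1.5.20 10.0.1.8 51002 22 6 5 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0beta000000000002 - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_records(text):
    """Parse default-format flow log lines into dicts, skipping NODATA/SKIPDATA."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no traffic in this window (NODATA) or records dropped (SKIPDATA)
        records.append(rec)
    return records

def inbound_summary(records, subnet_cidr, source_cidr):
    """Packets per ENI and action (ACCEPT/REJECT) for source_cidr -> subnet_cidr traffic."""
    subnet = ipaddress.ip_network(subnet_cidr)
    source = ipaddress.ip_network(source_cidr)
    summary = {}
    for rec in records:
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        if src in source and dst in subnet:
            counts = summary.setdefault(rec["interface_id"], Counter())
            counts[rec["action"]] += int(rec["packets"])
    return summary

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for eni, counts in inbound_summary(recs, "10.0.2.0/24", "10.1.0.0/16").items():
        print(eni, dict(counts))
```

A REJECT count means packets reached the ENI and were denied by a Security Group or NACL; an ENI in subnet Beta with no matching records at all means the packets never arrived, which points at routing rather than filtering.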
The Comparative Analysis #
| Option | API Complexity | Performance Impact | Use Case |
|---|---|---|---|
| A) VPN logs | Low | Minimal | VPN tunnel status and errors, but no subnet traffic detail |
| B) BGP logs | Medium | Minimal | Routing protocol messages, route updates only |
| C) VPC Flow Logs | Medium | Small (logging overhead) | Network traffic visibility at ENI level for subnet troubleshooting |
| D) CloudTrail logs | Low | None | AWS API usage auditing, not network traffic |
Real-World Application (Practitioner Insight) #
Exam Rule #
“For the exam, always pick VPC Flow Logs when asked to verify if network traffic reaches a VPC subnet.”
Real World #
“In production, developers often combine VPC Flow Logs with Security Group and NACL reviews, and sometimes packet capture on the instance side to pinpoint connectivity issues more granularly.”
Disclaimer
This is a study note based on simulated scenarios for the AWS DVA-C02 exam.