ANS-C01 Exam Cram: Logging & Monitoring Requirements

Define logging and monitoring requirements across AWS and hybrid networks

This guide focuses on Domain 1, Task 1.4 of the AWS Certified Advanced Networking Specialty (ANS-C01). It covers the tools and strategies required to maintain visibility across AWS and hybrid network environments.

Topic Weighting

Domain                   | Task                                            | Exam Percentage (Approx)
Domain 1: Network Design | 1.4: Define logging and monitoring requirements | ~5-7% of total exam
Total Domain 1           | Network Design                                  | 30%

[!IMPORTANT] Expect at least 3-5 questions directly testing your ability to distinguish between different logging tools (e.g., when to use Flow Logs vs. Traffic Mirroring).

Key Concepts Summary

  • Amazon CloudWatch: The central hub for metrics (performance), logs (text-based data), and alarms (thresholds). Use the CloudWatch Agent for hybrid/on-premises visibility.
  • VPC Flow Logs: Captures IP traffic information (5-tuple: src/dest IP, src/dest port, protocol). Does not capture packet payloads.
  • AWS CloudTrail: Records API calls. Essential for auditing "Who made this change?" rather than "What is the traffic doing?"
  • VPC Traffic Mirroring: Deep Packet Inspection (DPI). Copies raw L2 packets from an ENI to a target for security analysis.
  • Transit Gateway Network Manager: Provides a centralized dashboard for global networks, including on-premises branches connected via VPN/Direct Connect.
  • Reachability Analyzer: A configuration analysis tool that performs a static check of the path between two points (no packets are actually sent).

Visual Anchors

Log Delivery Path (diagram)

Traffic Mirroring Architecture (diagram)

Common Pitfalls

  • Flow Logs vs. Traffic Mirroring: Don't choose Flow Logs if the question asks to inspect "HTTP headers" or "malware signatures." You need Traffic Mirroring for that.
  • CloudWatch vs. CloudTrail: If the issue is "Why can't my instance connect?" look at Flow Logs. If the issue is "Who deleted my Route Table?" look at CloudTrail.
  • Reachability Analyzer vs. Flow Logs: Use Reachability Analyzer first to check for SG/NACL misconfigurations. Use Flow Logs only if the config is valid but traffic is still dropping (e.g., OS firewall).
  • Standard vs. Transit Gateway Network Manager: TGW Network Manager is specifically for visualizing hybrid topologies; standard CloudWatch is for individual resource metrics.

Mnemonics / Memory Triggers

  • F.L.O.W.: Five-tuple Logs Of Workload (Source/Dest IP, Port, Protocol).
  • T.R.A.I.L.: Tracking Requests And Identity Logs (Auditing API activity).
  • M.I.R.R.O.R.: Malware Inspection Requires Raw Output Retrieval (Packet-level capture).

Formula / Equation Sheet

Feature     | VPC Flow Logs            | VPC Traffic Mirroring | Reachability Analyzer
Data Source | ENI Metadata             | ENI Raw Packets       | Configuration State
OSI Layer   | Layer 3/4                | Layer 2-7             | N/A (Path logic)
Use Case    | Billing, Troubleshooting | Security/DPI          | Debugging connectivity
Cost Metric | Per GB processed         | Per ENI hour + Data   | Per analysis run

Practice Set

  1. A security requirement mandates that all packets entering a production VPC must be inspected for data exfiltration patterns. Which tool is required?
    • Answer: VPC Traffic Mirroring (Flow logs do not see payload contents).
  2. You need to alert when an unauthorized user attempts to change a BGP configuration on an AWS Direct Connect connection. Where do you look?
    • Answer: AWS CloudTrail (identifies the API call and the user identity).
  3. A hybrid network uses a Transit Gateway. How can you visualize the health of the VPN tunnels and the on-premises routers in a single view?
    • Answer: Transit Gateway Network Manager.
  4. A developer complains that their app can't reach a database. Reachability Analyzer shows a "Reachable" status. What should you check next?
    • Answer: VPC Flow Logs (to see if traffic is actually reaching the DB or being dropped by an OS-level firewall like iptables).
  5. What protocol does VPC Traffic Mirroring use to encapsulate mirrored traffic?
    • Answer: VXLAN (UDP port 4789).

Fact Recall Blanks

  • VPC Flow Logs can be sent to three destinations: S3, CloudWatch Logs, and Kinesis Data Firehose.
  • The default VPC Flow Log format includes the srcaddr, dstaddr, srcport, dstport, and protocol.
  • To monitor custom metrics from an on-premises server, you must install the CloudWatch Agent.
  • CloudWatch Insights is used to run complex queries against log data using a SQL-like syntax.

Worked Examples

Analyzing a Connection Drop

Scenario: A web server in a public subnet cannot reach a database in a private subnet.

  1. Check config: Run Reachability Analyzer from the Web ENI to the DB ENI.
    • Result: "Unreachable - Security Group in Private Subnet denies Inbound on Port 3306."
  2. Remediation: Update the Security Group to allow 3306 from the Web Server's SG ID.
  3. Verification: Run Reachability Analyzer again.
    • Result: "Reachable."
  4. Monitoring: If the application still fails, enable VPC Flow Logs with a REJECT filter to identify whether a Network ACL or internal firewall is dropping the packets after the SG check.

[!TIP] Always remember: Security Groups are stateful (logs show the request), but NACLs are stateless (you must check both inbound and outbound logs).
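As an added example (not part of the original cram sheet), here is a Python triage of VPC Flow Log records in the default format for step 4 above: it separates request-side REJECTs (an inbound SG/NACL rule still denying 3306) from reply-side REJECTs, which the stateless NACL tip above makes the case to look for once the request is accepted. The sample records, account id, ENI ids and addresses are constructed.

```python
# Default-format field order, as documented for VPC Flow Logs.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample (not captured traffic): web 10.0.1.10 -> DB 10.0.2.20; reply REJECTed on the DB ENI.
SAMPLE_LOG = """\
2 111122223333 eni-0web0000000000001 10.0.1.10 10.0.2.20 49152 3306 6 5 320 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0db00000000000001 10.0.1.10 10.0.2.20 49152 3306 6 5 320 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0db00000000000001 10.0.2.20 10.0.1.10 3306 49152 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0web0000000000001 - - - - - - - 1700000060 1700000120 - NODATA
"""

def parse_flow_logs(text):
    """Parse default-format records; malformed, NODATA and SKIPDATA lines carry no 5-tuple and are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[-1] != "OK":
            continue
        rec = dict(zip(FIELDS, parts))
        rec.update({k: int(rec[k]) for k in ("srcport", "dstport", "protocol")})
        records.append(rec)
    return records

def triage_db_flows(text, db_addr, db_port=3306):
    """Count accepted requests and collect REJECTs on the request and reply sides (TCP only)."""
    out = {"request_accepts": 0, "request_rejects": [], "reply_rejects": []}
    for rec in parse_flow_logs(text):
        tcp = rec["protocol"] == 6
        is_request = tcp and rec["dstaddr"] == db_addr and rec["dstport"] == db_port
        is_reply = tcp and rec["srcaddr"] == db_addr and rec["srcport"] == db_port
        if is_request and rec["action"] == "REJECT":
            out["request_rejects"].append(rec)
        elif is_request:
            out["request_accepts"] += 1
        elif is_reply and rec["action"] == "REJECT":
            out["reply_rejects"].append(rec)
    return out

def diagnose(text, db_addr, db_port=3306):
    """Turn the triage into the next check: SGs are stateful, NACLs are not."""
    t = triage_db_flows(text, db_addr, db_port)
    if t["request_rejects"]:
        return "request-rejected"  # inbound SG/NACL still denies the DB port
    if t["request_accepts"] and t["reply_rejects"]:
        return "reply-rejected"  # request got in; an outbound NACL rule (ephemeral ports) drops the reply
    if t["request_accepts"]:
        return "accepted"  # reached the ENI; look past it (e.g. OS firewall on the DB host)
    return "no-flows"  # nothing on the DB port: check the ENI, filter, or log destination
```

On the constructed sample the verdict is "reply-rejected": both request records are ACCEPT but the DB's reply on port 3306 is REJECT on the DB ENI, which an SG (stateful) would never do, so the outbound NACL rules are the next thing to check.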
