Exam Cram: Logging & Monitoring Requirements

This guide focuses on Domain 1, Task 1.4 of the AWS Certified Advanced Networking Specialty (ANS-C01). It covers the tools and strategies required to maintain visibility across AWS and hybrid network environments.

Topic Weighting

Domain	Task	Exam Percentage (Approx)
Domain 1: Network Design	1.4: Define logging and monitoring requirements	~5-7% of total exam
Total Domain 1	Network Design	30%

[!IMPORTANT] Expect at least 3-5 questions directly testing your ability to distinguish between different logging tools (e.g., when to use Flow Logs vs. Traffic Mirroring).

Key Concepts Summary

Amazon CloudWatch: The central hub for metrics (performance), logs (text-based data), and alarms (thresholds). Use the CloudWatch Agent for hybrid/on-premises visibility.
VPC Flow Logs: Captures IP traffic information (5-tuple: src/dest IP, src/dest port, protocol). Does not capture packet payloads.
AWS CloudTrail: Records API calls. Essential for auditing "Who made this change?" rather than "What is the traffic doing?"
VPC Traffic Mirroring: Deep Packet Inspection (DPI). Copies raw L2 packets from an ENI to a target for security analysis.
Transit Gateway Network Manager: Provides a centralized dashboard for global networks, including on-premises branches connected via VPN/Direct Connect.
Reachability Analyzer: A configuration analysis tool that performs a static check of the path between two points (no packets are actually sent).

Visual Anchors

Log Delivery Path

Loading Diagram...

Traffic Mirroring Architecture

Compiling TikZ diagram…

⏳

Running TeX engine…

This may take a few seconds

Common Pitfalls

Flow Logs vs. Traffic Mirroring: Don't choose Flow Logs if the question asks to inspect "HTTP headers" or "malware signatures." You need Traffic Mirroring for that.
CloudWatch vs. CloudTrail: If the issue is "Why can't my instance connect?" look at Flow Logs. If the issue is "Who deleted my Route Table?" look at CloudTrail.
Reachability Analyzer vs. Flow Logs: Use Reachability Analyzer first to check for SG/NACL misconfigurations. Use Flow Logs only if the config is valid but traffic is still dropping (e.g., OS firewall).
Standard vs. Transit Gateway Network Manager: TGW Network Manager is specifically for visualizing hybrid topologies; standard CloudWatch is for individual resource metrics.

Mnemonics / Memory Triggers

F.L.O.W.: Five-tuple Logs Of Workload (Source/Dest IP, Port, Protocol).
T.R.A.I.L.: Tracking Requests And Identity Logs (Auditing API activity).
M.I.R.R.O.R.: Malware Inspection Requires Raw Output Retrieval (Packet-level capture).

Formula / Equation Sheet

Feature	VPC Flow Logs	VPC Traffic Mirroring	Reachability Analyzer
Data Source	ENI Metadata	ENI Raw Packets	Configuration State
OSI Layer	Layer 3/4	Layer 2-7	N/A (Path logic)
Use Case	Billing, Troubleshooting	Security/DPI	Debugging connectivity
Cost Metric	Per GB processed	Per ENI hour + Data	Per analysis run

Practice Set

A security requirement mandates that all packets entering a production VPC must be inspected for data exfiltration patterns. Which tool is required?
- Answer: VPC Traffic Mirroring (Flow logs do not see payload contents).
You need to alert when an unauthorized user attempts to change a BGP configuration on an AWS Direct Connect connection. Where do you look?
- Answer: AWS CloudTrail (identifies the API call and the user identity).
A hybrid network uses a Transit Gateway. How can you visualize the health of the VPN tunnels and the on-premises routers in a single view?
- Answer: Transit Gateway Network Manager.
A developer complains that their app can't reach a database. Reachability Analyzer shows a "Reachable" status. What should you check next?
- Answer: VPC Flow Logs (to see if traffic is actually reaching the DB or being dropped by an OS-level firewall like iptables).
What protocol does VPC Traffic Mirroring use to encapsulate mirrored traffic?
- Answer: VXLAN (UDP port 4789).

Fact Recall Blanks

VPC Flow Logs can be sent to three destinations: S3, CloudWatch Logs, and Kinesis Data Firehose.
The default VPC Flow Log format includes the srcaddr, dstaddr, srcport, dstport, and protocol.
To monitor custom metrics from an on-premises server, you must install the CloudWatch Agent.
CloudWatch Insights is used to run complex queries against log data using a SQL-like syntax.

Worked Examples

Analyzing a Connection Drop

Scenario: A web server in a public subnet cannot reach a database in a private subnet.

Step 1: Check Config: Run Reachability Analyzer from Web ENI to DB ENI.
- Result: "Unreachable - Security Group in Private Subnet denies Inbound on Port 3306."
Step 2: Remediation: Update the Security Group to allow 3306 from the Web Server's SG ID.
Step 3: Verification: Run Reachability Analyzer again.
- Result: "Reachable."
Step 4: Monitoring: If the application still fails, enable VPC Flow Logs with REJECT filters to identify if a Network ACL or internal firewall is dropping the packets after the SG check.

[!TIP] Always remember: Security Groups are stateful (logs show the request), but NACLs are stateless (you must check both inbound and outbound logs).

Topic Weighting

Domain	Task	Exam Percentage (Approx)
Domain 1: Network Design	1.4: Define logging and monitoring requirements	~5-7% of total exam
Total Domain 1	Network Design	30%

[!IMPORTANT] Expect at least 3-5 questions directly testing your ability to distinguish between different logging tools (e.g., when to use Flow Logs vs. Traffic Mirroring).

Key Concepts Summary

Amazon CloudWatch: The central hub for metrics (performance), logs (text-based data), and alarms (thresholds). Use the CloudWatch Agent for hybrid/on-premises visibility.

VPC Flow Logs: Captures IP traffic information (5-tuple: src/dest IP, src/dest port, protocol). Does not capture packet payloads.

AWS CloudTrail: Records API calls. Essential for auditing "Who made this change?" rather than "What is the traffic doing?"

VPC Traffic Mirroring: Deep Packet Inspection (DPI). Copies raw L2 packets from an ENI to a target for security analysis.

Transit Gateway Network Manager: Provides a centralized dashboard for global networks, including on-premises branches connected via VPN/Direct Connect.

Reachability Analyzer: A configuration analysis tool that performs a static check of the path between two points (no packets are actually sent).

Common Pitfalls

Flow Logs vs. Traffic Mirroring: Don't choose Flow Logs if the question asks to inspect "HTTP headers" or "malware signatures." You need Traffic Mirroring for that.

CloudWatch vs. CloudTrail: If the issue is "Why can't my instance connect?" look at Flow Logs. If the issue is "Who deleted my Route Table?" look at CloudTrail.

Reachability Analyzer vs. Flow Logs: Use Reachability Analyzer first to check for SG/NACL misconfigurations. Use Flow Logs only if the config is valid but traffic is still dropping (e.g., OS firewall).

Standard vs. Transit Gateway Network Manager: TGW Network Manager is specifically for visualizing hybrid topologies; standard CloudWatch is for individual resource metrics.

Feature

VPC Flow Logs

VPC Traffic Mirroring

Reachability Analyzer

Data Source

ENI Metadata

ENI Raw Packets

Configuration State

OSI Layer

Layer 3/4

Layer 2-7

N/A (Path logic)

Use Case

Billing, Troubleshooting

Security/DPI

Debugging connectivity

Cost Metric

Per GB processed

Per ENI hour + Data

Per analysis run

Practice Set

A security requirement mandates that all packets entering a production VPC must be inspected for data exfiltration patterns. Which tool is required?

Answer: VPC Traffic Mirroring (Flow logs do not see payload contents).

You need to alert when an unauthorized user attempts to change a BGP configuration on an AWS Direct Connect connection. Where do you look?

Answer: AWS CloudTrail (identifies the API call and the user identity).

A hybrid network uses a Transit Gateway. How can you visualize the health of the VPN tunnels and the on-premises routers in a single view?

Answer: Transit Gateway Network Manager.

A developer complains that their app can't reach a database. Reachability Analyzer shows a "Reachable" status. What should you check next?

Answer: VPC Flow Logs (to see if traffic is actually reaching the DB or being dropped by an OS-level firewall like iptables).

What protocol does VPC Traffic Mirroring use to encapsulate mirrored traffic?

Answer: VXLAN (UDP port 4789).

Fact Recall Blanks

VPC Flow Logs can be sent to three destinations: S3, CloudWatch Logs, and Kinesis Data Firehose.

The default VPC Flow Log format includes the srcaddr, dstaddr, srcport, dstport, and protocol.

To monitor custom metrics from an on-premises server, you must install the CloudWatch Agent.

CloudWatch Insights is used to run complex queries against log data using a SQL-like syntax.

Worked Examples

Analyzing a Connection Drop

Scenario: A web server in a public subnet cannot reach a database in a private subnet.

Step 1: Check Config: Run Reachability Analyzer from Web ENI to DB ENI.

Result: "Unreachable - Security Group in Private Subnet denies Inbound on Port 3306."

Step 2: Remediation: Update the Security Group to allow 3306 from the Web Server's SG ID.

Step 3: Verification: Run Reachability Analyzer again.

Result: "Reachable."

Step 4: Monitoring: If the application still fails, enable VPC Flow Logs with REJECT filters to identify if a Network ACL or internal firewall is dropping the packets after the SG check.

[!TIP] Always remember: Security Groups are stateful (logs show the request), but NACLs are stateless (you must check both inbound and outbound logs).

ANS-C01 Exam Cram: Logging & Monitoring Requirements

Exam Cram: Logging & Monitoring Requirements

Topic Weighting

Key Concepts Summary

Visual Anchors

Log Delivery Path

Traffic Mirroring Architecture

Common Pitfalls

Mnemonics / Memory Triggers

Formula / Equation Sheet

Practice Set

Fact Recall Blanks

Worked Examples

Analyzing a Connection Drop

ANS-C01 Exam Cram: Logging & Monitoring Requirements

Exam Cram: Logging & Monitoring Requirements

Topic Weighting

Key Concepts Summary

Visual Anchors

Log Delivery Path

Traffic Mirroring Architecture

Common Pitfalls

Mnemonics / Memory Triggers

Formula / Equation Sheet

Practice Set

Fact Recall Blanks

Worked Examples

Analyzing a Connection Drop