ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Advanced Networking - Specialty ANS-C01 All Questions

View all questions & answers for the AWS Certified Advanced Networking - Specialty ANS-C01 exam
Go to Exam

Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 8 discussion

Exam question from Amazon's AWS Certified Advanced Networking - Specialty ANS-C01
Question #: 8
Topic #: 1
[All AWS Certified Advanced Networking - Specialty ANS-C01 Questions]

A retail company is running its service on AWS. The company’s architecture includes Application Load Balancers (ALBs) in public subnets. The ALB target groups are configured to send traffic to backend Amazon EC2 instances in private subnets. These backend EC2 instances can call externally hosted services over the internet by using a NAT gateway.
The company has noticed in its billing that NAT gateway usage has increased significantly. A network engineer needs to find out the source of this increased usage.
Which options can the network engineer use to investigate the traffic through the NAT gateway? (Choose two.)

  • A. Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.
  • B. Enable NAT gateway access logs. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.
  • C. Configure Traffic Mirroring on the NAT gateway's elastic network interface. Send the traffic to an additional EC2 instance. Use tools such as tcpdump and Wireshark to query and analyze the mirrored traffic.
  • D. Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.
  • E. Enable NAT gateway access logs. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.
Show Suggested Answer Hide Answer
Suggested Answer: AD 🗳️
by zaazanuna at March 18, 2023, 6:06 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
devilman222
Highly Voted 2 years ago
Selected Answer: AD
A. Yes, this would work. B. Not a real thing, wrong C. We don't need to do packet inspection to analyze costs. This won't help with costs at all. D. The most obvious right answer. E. Like B, not a real thing.
upvoted 18 times
...
RavikantKumarRavi
Most Recent 3 months, 2 weeks ago
Selected Answer: BE
NAT gateways do not have their own elastic network interfaces (ENIs) . In such A & D is not correct hence it should be
upvoted 1 times
...
AlirezaNetWorld
7 months, 3 weeks ago
A and C are the best answers based on the requirements
upvoted 1 times
...
rltk8029
11 months, 3 weeks ago
C -- also working answer. In Wireshark you can generate reports for traffic usage.
upvoted 1 times
...
Raphaello
1 year ago
Selected Answer: AD
AD seem to be the correct answers. Enabling "NAT gateway access logs" is not a valid feature.
upvoted 1 times
...
Marfee400704
1 year, 1 month ago
I think that it's answer is AD according to SPOTO products.
upvoted 1 times
...
halukd
1 year, 3 months ago
https://repost.aws/knowledge-center/vpc-find-traffic-sources-nat-gateway Check this re:Post, it seems like A-E
upvoted 1 times
...
cumzle_com
1 year, 4 months ago
A and D - you can only enable VPC flow logs on ENIs rather than on the services in that case NAT Gateway
upvoted 1 times
...
FayeG
1 year, 5 months ago
Selected Answer: AD
A & D are the real answer
upvoted 1 times
...
MEDES
1 year, 6 months ago
Went with A,D given that we want to track which IPs are source of the problem. given that NAT gateway access logs only provide information about connections that are initiated by the NAT gateway. VPC flow logs provide more detailed information about the traffic that passes through the NAT gateway.
upvoted 3 times
...
prajkash
1 year, 9 months ago
Selected Answer: AD
upvoted 1 times
...
emmanuelodenyire
1 year, 11 months ago
Selected Answer: AB
Overall, Options A and B are the most relevant and efficient approaches to investigate the traffic through the NAT gateway and identify the source of increased NAT gateway usage. Although also C and D are correct, but we do not want deeper analysis of the logs. Again remember, both VPC flow logs and NAT gateway access logs can provide network information about the traffic going through the NAT gateway.
upvoted 1 times
Manh
1 year, 10 months ago
AWS NAT gateway access logs are not available as a native feature of AWS NAT gateway. you can use VPC Flow Logs to capture information about the IP traffic going to and from network interfaces in your VPC
upvoted 2 times
...
...
slackbot
2 years ago
Selected Answer: AD
packet captures will require inspection per TCP connection, which is not reasonable, so - A&D
upvoted 4 times
...
ITgeek
2 years ago
Selected Answer: AD
These are correct
upvoted 3 times
...
zaazanuna
2 years ago
my guess was not entirely correct. i am leaning towards to A, B and D, Option D is also a valid approach to investigate the traffic through the NAT gateway. By enabling VPC flow logs on the NAT gateway's elastic network interface and publishing the logs to an S3 bucket, a network engineer can create a custom table for the S3 bucket in Amazon Athena to describe the log structure and use Athena to query and analyze the logs. This approach provides a lot of flexibility in terms of data analysis and long-term storage of the log data. So, technically, options A, B, and D are all valid ways to investigate NAT gateway usage. However, options A and B are probably more efficient because they allow you to query and analyze the logs directly in CloudWatch Logs without having to set up additional infrastructure. so either - AB or AD
upvoted 1 times
titi_r
2 years ago
Such thing - a "NAT gateway access logs" - seems to not exist at all. Read the last sentence in the question like "Which are the VALID options a network Engineer can..." So, A and D.
upvoted 3 times
...
...
study_aws1
2 years ago
Could not find any link that states any details around NAT Gateway access logs. I found the below link with exact same problem statement with options for resolution asked (in this case A and D) https://aws.amazon.com/premiumsupport/knowledge-center/vpc-find-traffic-sources-nat-gateway/
upvoted 2 times
...
Narayan
2 years ago
A,D https://aws.amazon.com/premiumsupport/knowledge-center/vpc-find-traffic-sources-nat-gateway/
upvoted 3 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago