Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 45 discussion

refer this link. https://aws.amazon.com/blogs/networking-and-content-delivery/automating-connectivity-assessments-with-vpc-reachability-analyzer/

C is not correct because security group is not a valid source

source NAT gateway in VPC reachability no simulates conection EC2 -> Nat gateway , but NAT gateway --> EC2 , then it´s possible to change outbound SG rules and no afect to VPC reachability but afect to EC2 --> NAT gateway. In my opinion the option A is ok.

Correct answer is D. IGW and EC2 are valid Reachability Analyzer source/destination.

I think that it's correcty answer is D.

In this question I would go with letter A. Because with this alarm that we created from Cloudwatch logs, we were able to integrate it with an SNS topic. And that in a simpler way. The link you provided: https://aws.amazon.com/blogs/networking-and-content-delivery/automating-connectivity-assessments-with-vpc-reachability-analyzer/ Apparently it notifies via SNS and also returns the sg port to the way it was before the rule was removed. But the question focused on just notifying, and not that if any change in the sg occurs, return the port.

D is correct answer.

D- Internet gateway is a valid source

D is correct

D correct. A or B are missing the SNS part. C wrong source

https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html Example section at the end metric filter and alarm for a flow log should be A

https://aws.amazon.com/blogs/networking-and-content-delivery/automating-connectivity-assessments-with-vpc-reachability-analyzer/ D - for sure

By using a security group as the source for the Reachability Analyzer path, you can ensure that traffic originating from any IP address within that security group is able to reach the application on the specified port. This allows you to test connectivity from multiple potential sources, rather than just a single IP address.

should be D, c is not possible the sources are Instances Internet gateways Network interfaces Transit gateways Transit gateway attachments VPC endpoint services VPC endpoints VPC peering connections VPN gateways

https://aws.amazon.com/blogs/networking-and-content-delivery/automating-connectivity-assessments-with-vpc-reachability-analyzer/

It should be option D) The question requires - "automate a way to verify the network connectivity between the public internet and the EC2 instances", not just on failed connections. By implementing automated reachability assessment using Reachability Analyzer, application issues due to connectivity problems are detected quickly. Below post demonstrates an automated method to verify network connectivity between VPC elements after an infrastructure change is made, and alert administrators in the event reachability has been affected. https://aws.amazon.com/blogs/networking-and-content-delivery/automating-connectivity-assessments-with-vpc-reachability-analyzer/ Application load Balancer is supported as intermediary path in the reachability analyzer It is option D)

A - correct. Option A enables VPC Flow Logs on the ENI of each EC2 instance to capture REJECT traffic on port 443, which can help identify if there is any traffic getting rejected due to the incorrect security group configuration. Then a CloudWatch Logs metric filter is created for the log group to look for rejected traffic, and an alarm is created to notify the network engineer in case the rejected traffic count exceeds a certain threshold.