
Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 46 discussion

A security team is performing an audit of a company's AWS deployment. The security team is concerned that two applications might be accessing resources that should be blocked by network ACLs and security groups. The applications are deployed across two Amazon Elastic Kubernetes Service (Amazon EKS) clusters that use the Amazon VPC Container Network Interface (CNI) plugin for Kubernetes. The clusters are in separate subnets within the same VPC and have a Cluster Autoscaler configured.
The security team needs to determine which POD IP addresses are communicating with which services throughout the VPC. The security team wants to limit the number of flow logs and wants to examine the traffic from only the two applications.
Which solution will meet these requirements with the LEAST operational overhead?

  • A. Create VPC flow logs in the default format. Create a filter to gather flow logs only from the EKS nodes. Include the srcaddr field and the dstaddr field in the flow logs.
  • B. Create VPC flow logs in a custom format. Set the EKS nodes as the resource. Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs.
  • C. Create VPC flow logs in a custom format. Set the application subnets as resources. Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs.
  • D. Create VPC flow logs in a custom format. Create a filter to gather flow logs only from the EKS nodes. Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs.
Suggested Answer: C
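To make the distinction the question turns on concrete, here is an added example (not from the exam page or from AWS) that parses records written in a custom flow-log format and reduces them to "which pod IP talked to which destination, and was it accepted or rejected". The field names (srcaddr, dstaddr, pkt-srcaddr, pkt-dstaddr, action, log-status) are the documented VPC Flow Logs field names; the field order, the sample records, the subnet CIDRs and the node IP are constructed for illustration. The format string is the shape of value that `aws ec2 create-flow-logs --log-format` takes when the flow log is created with the application subnets as the resource; records that pass through an intermediate layer (the docs' example is a NAT gateway) show the intermediate in srcaddr and the original pod address in pkt-srcaddr, which is why the custom format is needed.

```python
"""Parse custom-format VPC Flow Log records and summarise which pod IPs talk to which
destinations. Added example, not from the exam page or from AWS; only the field names
are the documented VPC Flow Logs names, everything else is constructed."""
from collections import defaultdict
import ipaddress

# Custom log format the flow log would be created with on the application subnets
# (the kind of string passed to the --log-format option of create-flow-logs).
# pkt-srcaddr / pkt-dstaddr carry the original packet addresses, i.e. the pod IPs,
# even when srcaddr / dstaddr show an intermediate layer such as a NAT gateway.
LOG_FORMAT = (
    "${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} "
    "${srcport} ${dstport} ${protocol} ${pkt-srcaddr} ${pkt-dstaddr} "
    "${action} ${log-status}"
)

# Constructed sample records, whitespace-separated in the order LOG_FORMAT defines.
SAMPLE_RECORDS = [
    # pod 10.0.1.23 -> service 10.0.3.10:443, twice, accepted
    "3 123456789012 eni-0aaa111122223333 10.0.1.23 10.0.3.10 43210 443 6 10.0.1.23 10.0.3.10 ACCEPT OK",
    "3 123456789012 eni-0aaa111122223333 10.0.1.23 10.0.3.10 43211 443 6 10.0.1.23 10.0.3.10 ACCEPT OK",
    # pod 10.0.2.45 -> 10.0.3.20:5432 rejected (blocked by an NACL or security group)
    "3 123456789012 eni-0bbb111122223333 10.0.2.45 10.0.3.20 51000 5432 6 10.0.2.45 10.0.3.20 REJECT OK",
    # traffic seen behind an intermediate layer: srcaddr is the intermediate (10.0.0.5),
    # pkt-srcaddr is still the pod address; only the pkt-* fields identify the pod
    "3 123456789012 eni-0ccc111122223333 10.0.0.5 10.0.3.30 40001 80 6 10.0.1.23 10.0.3.30 ACCEPT OK",
    # no data captured in this interval: address fields are '-'
    "3 123456789012 eni-0aaa111122223333 - - - - - - - - NODATA",
    # the node's own primary IP (not a pod) talking to the service; excluded below
    "3 123456789012 eni-0aaa111122223333 10.0.1.5 10.0.3.10 33000 443 6 10.0.1.5 10.0.3.10 ACCEPT OK",
]


def parse_log_format(fmt):
    """Turn '${a} ${b}' into ['a', 'b'] so records can be parsed positionally."""
    fields = []
    for token in fmt.split():
        if not (token.startswith("${") and token.endswith("}")):
            raise ValueError(f"unexpected token in log format: {token!r}")
        fields.append(token[2:-1])
    return fields


def parse_record(fields, line):
    """Map one whitespace-separated record onto the field names of the custom format."""
    values = line.split()
    if len(values) != len(fields):
        raise ValueError(f"record has {len(values)} fields, format defines {len(fields)}")
    return dict(zip(fields, values))


def pod_flows(fmt, lines, pod_cidrs, node_ips=frozenset()):
    """Count (pod_ip, dst_ip, dst_port, action) tuples for flows whose original source
    address lies in the pod CIDRs. Returns (counts, flows_seen_via_intermediate)."""
    fields = parse_log_format(fmt)
    required = {"srcaddr", "pkt-srcaddr", "pkt-dstaddr", "dstport", "action", "log-status"}
    missing = required - set(fields)
    if missing:
        raise ValueError(f"log format lacks required fields: {sorted(missing)}")
    networks = [ipaddress.ip_network(cidr) for cidr in pod_cidrs]
    counts = defaultdict(int)
    via_intermediate = 0
    for line in lines:
        rec = parse_record(fields, line)
        if rec["log-status"] != "OK":
            continue  # NODATA / SKIPDATA records carry '-' instead of addresses
        src_text = rec["pkt-srcaddr"]
        src = ipaddress.ip_address(src_text)
        if src_text in node_ips or not any(src in net for net in networks):
            continue  # node primary IP, or an address outside the application subnets
        if src_text != rec["srcaddr"]:
            via_intermediate += 1  # srcaddr alone would have hidden the pod here
        counts[(src_text, rec["pkt-dstaddr"], rec["dstport"], rec["action"])] += 1
    return dict(counts), via_intermediate


if __name__ == "__main__":
    flows, via = pod_flows(LOG_FORMAT, SAMPLE_RECORDS,
                           ["10.0.1.0/24", "10.0.2.0/24"], node_ips={"10.0.1.5"})
    for (pod, dst, port, action), n in sorted(flows.items()):
        print(f"{pod:>12} -> {dst}:{port:<5} {action:<7} x{n}")
    print(f"flows whose srcaddr differed from pkt-srcaddr: {via}")
```

The REJECT rows are the ones the audit in the question is after: a pod reaching for a destination that a network ACL or security group blocked. Because the flow log is attached to the subnets rather than to individual node ENIs, interfaces added by the Cluster Autoscaler are covered without re-creating the log.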

Comments

rhinozD
Highly Voted 1 year, 7 months ago
Selected Answer: C
You cannot set the EKS nodes as the resource of a VPC flow log. So B is wrong. I think C and D are also correct. But "The security team wants to limit the number of flow logs and wants to examine the traffic from only the two applications", so it is easier to set the resource of the VPC flow logs to the subnets of the two clusters. So the answer is C.
upvoted 13 times
johnconnor
1 year, 4 months ago
He is right, you can only use IPs. See: https://aws.amazon.com/blogs/networking-and-content-delivery/using-vpc-flow-logs-to-capture-and-query-eks-network-communications/
upvoted 1 times
Neo00
1 year, 5 months ago
D doesn't say to set the EKS node as the VPC flow log source, it says to create a filter based on the EKS node, don't be tricked. So the answer is D.
upvoted 2 times
ILOVEVODKA
Highly Voted 1 year, 9 months ago
B https://aws.amazon.com/blogs/networking-and-content-delivery/using-vpc-flow-logs-to-capture-and-query-eks-network-communications/
upvoted 5 times
woorkim
Most Recent 2 months ago
C, because nodes cannot be logged!
upvoted 1 times
Jonalb
6 months, 1 week ago
Selected Answer: C
It's correct: C.
upvoted 1 times
vikasj1in
10 months, 1 week ago
Selected Answer: D
Creating VPC flow logs in a custom format allows you to specify the fields you want to include in the logs, reducing the volume of data and focusing on the specific information needed. By setting a filter to gather flow logs only from the EKS nodes, you can narrow down the logs to the traffic generated by the EKS nodes. Including the pkt-srcaddr (source IP address) and pkt-dstaddr (destination IP address) fields in the flow logs enables the security team to examine traffic from specific applications running on the EKS nodes. Options A, B, and C involve creating flow logs with different configurations but do not specifically address filtering traffic from only the two applications or minimizing operational overhead as effectively as option D.
upvoted 1 times
Spaurito
1 month, 2 weeks ago
D - you can only capture from ENIs and filter with IP addresses. Subnets are not a resource and cannot be monitored. It's a placeholder for IP addresses.
upvoted 1 times
marfee
10 months, 2 weeks ago
I think the correct answer is D.
upvoted 1 times
jopaca1216
1 year, 1 month ago
With a simple Google search, I found the correct answer. C is correct. https://docs.aws.amazon.com/cli/latest/reference/ec2/create-flow-logs.html
upvoted 1 times
Arad
1 year, 1 month ago
Selected Answer: C
I think the right answer is C. We cannot filter VPC flow logs based on EKS worker nodes (so option D is wrong), but we can create VPC flow logs with subnets as the resource, so option C is correct.
upvoted 1 times
neotusca
1 year, 2 months ago
I'm for C. You can't set a filter with EKS nodes in VPC flow logs. It's a trick. You'll see just all, accept, reject.
upvoted 2 times
Certified101
1 year, 4 months ago
Selected Answer: C
When you create a VPC Flow Log, you can choose to create it for a specific VPC, Subnet, or Network Interface. Therefore, in the context of AWS VPC flow logs, creating a filter to gather flow logs only from the EKS nodes (as stated in option D) is not feasible. Because the two applications are deployed in separate subnets within the same VPC, the best way to capture only the traffic related to these applications is to create flow logs for those specific subnets where the applications are deployed. Therefore, option C remains the most suitable choice.
upvoted 2 times
[Removed]
1 year, 5 months ago
Selected Answer: D
Option D is the correct solution that meets these requirements with the least operational overhead. C is incorrect because it creates VPC flow logs in a custom format and sets the application subnets as resources. This will include all traffic from the application subnets, not just the two applications that the security team is concerned about.
upvoted 1 times
[Removed]
1 year, 5 months ago
https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
upvoted 1 times
AdamWest
1 year, 7 months ago
Selected Answer: C
C. The other options are less efficient: Option A doesn't allow focusing on just the application traffic. Options B and D would include the traffic from all applications running on the EKS nodes, not just the two applications of interest. So, the option that fulfills the requirement with the least operational overhead is Option C.
upvoted 2 times
confusedyeti69
11 months, 2 weeks ago
You assume there are other applications running on the EKS nodes but not the possibility of other resources in the application subnet??
upvoted 2 times
AdamWest
1 year, 7 months ago
Selected Answer: C
C - You cannot set EKS nodes as the resource of a VPC flow log.
upvoted 4 times
Chinmoy
1 year, 7 months ago
Selected Answer: C
EKS nodes can't be specified in the VPC flow log filter.
upvoted 3 times
sjoe
1 year, 8 months ago
Option C is correct. Application pods can take IPs from both subnets.
upvoted 5 times
Kristin01
1 year, 8 months ago
why not B?
upvoted 1 times
dremm
1 year, 8 months ago
Selected Answer: D
I think D) is correct. The CNI plug-in adds IPs to the pods, which we can then filter in the VPC flow logs via pkt-srcaddr. "The Amazon VPC CNI plugin for Kubernetes add-on is deployed on each Amazon EC2 node in your Amazon EKS cluster. The add-on creates elastic network interfaces and attaches them to your Amazon EC2 nodes. The add-on also assigns a private IPv4 or IPv6 address from your VPC to each pod and service." - https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html
upvoted 5 times
sudipta0007
1 year ago
D is not correct, as it's said in the question that a Cluster Autoscaler (not HPA) is configured, so the EKS cluster can launch new nodes. So the IP of the node is not static due to scale-out events.
upvoted 3 times
that1guy
1 year, 8 months ago
"EKS nodes" is not a directly supported resource for VPC flow logs. "The clusters are in separate subnets within the same VPC..." The easiest is to just enable flow logs for the whole subnet; otherwise you would have to enable it for each ENI individually. See: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
upvoted 4 times
that1guy
1 year, 8 months ago
To clarify, the answer is C
upvoted 5 times
linuxek21
1 year, 8 months ago
To add to the above: The Amazon VPC CNI plugin for Kubernetes add-on is deployed on each Amazon EC2 node in your Amazon EKS cluster. The add-on creates elastic network interfaces and attaches them to your Amazon EC2 nodes. If we select only specific ENIs of the nodes for the VPC flow log, we will need to come back again when there are new ENIs added.
upvoted 4 times
study_aws1
1 year, 7 months ago
Bang on!!! The wording in the question "....have a Cluster Autoscaler configured" itself indicates we cannot consider an EKS node as a resource, even if we read "EKS nodes" and "EKS nodes ENI" in option B). Option C) looks good.
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), Other