Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 153 discussion

This is one of the biggest problems with AWS, way too many serivces, that could potentially be doing the same (eg monitoring), and we have know them all and their use cases? Would be a lot easier if their developer just had 2 or 3,and we dont have to remember all these nonsense

This solution meets the requirement of automatically verifying connectivity between resources in a single VPC after changes to security groups, network ACLs, and route tables. Here's why other options are not suitable:

Verify connectivity within a single VPC. This suggests using VPC Reachability Analyzer, which is designed for analyzing paths between resources in a VPC. React automatically to configuration changes. Changes to security groups, NACLs, and route tables are logged in AWS CloudTrail, so monitoring CloudTrail logs is necessary. Automated path validation. Using a Lambda function to invoke the VPC Reachability Analyzer ensures the process is automated.

B - all API calls are recorded in CloudTrail. When you make a change in the console, it is a backend API call.

I thought it was D, but it's about reachability in a single VPC. So it's B.

B https://docs.aws.amazon.com/vpc/latest/reachability/logging-using-cloudtrail.html#:~:text=Reachability%20Analyzer%20is,and%20additional%20details

Option B mentions CloudTrail, which is generally used for auditing AWS API calls rather than tracking changes within a VPC. Option C refers to AWS Transit Gateway Network Manager Route Analyzer, which is designed for analyzing routes in a transit gateway network, not within a single VPC. Option D is similar to Option C and is not applicable for checking connectivity within a single VPC. Therefore, Option A is the most appropriate choice for automatically verifying connectivity after changes in a single VPC.

I think that it's correct answer is C according to SPOTO products.

"When a security group change is made, the change event is logged in AWS CloudTrail. CloudTrail then forwards the change event to Amazon EventBridge, which evaluates the change against a series of rules to determine if any actions must be taken. Within EventBridge, a rule will be created to forward all security group change events from CloudTrail to an AWS Lambda function. The Lambda function is responsible for determining if any EC2 instances are impacted by the security group change, and if any Reachability Analyzer paths assessing the connectivity from the internet to the instance exist. " [https://aws.amazon.com/blogs/networking-and-content-delivery/automating-connectivity-assessments-with-vpc-reachability-analyzer/]

sure B https://docs.aws.amazon.com/vpc/latest/reachability/what-is-reachability-analyzer.html

B CloudTrail?

B https://docs.aws.amazon.com/vpc/latest/reachability/what-is-reachability-analyzer.html

agreed - B, https://aws.amazon.com/blogs/aws/new-vpc-insights-analyzes-reachability-and-visibility-in-vpcs/

B https://docs.aws.amazon.com/vpc/latest/reachability/what-is-reachability-analyzer.html