Topic: AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 8

A retail company is running its service on AWS. The company’s architecture includes Application Load Balancers (ALBs) in public subnets. The ALB target groups are configured to send traffic to backend Amazon EC2 instances in private subnets. These backend EC2 instances can call externally hosted services over the internet by using a NAT gateway.
The company has noticed in its billing that NAT gateway usage has increased significantly. A network engineer needs to find out the source of this increased usage.
Which options can the network engineer use to investigate the traffic through the NAT gateway? (Choose two.)

A.
Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.
B.
Enable NAT gateway access logs. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.
C.
Configure Traffic Mirroring on the NAT gateway's elastic network interface. Send the traffic to an additional EC2 instance. Use tools such as tcpdump and Wireshark to query and analyze the mirrored traffic.
D.
Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.
E.
Enable NAT gateway access logs. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.
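An added example, not part of the exam question or of any reply in this thread, showing offline what the CloudWatch Logs Insights query of option A or the Athena query of option D computes: parse default-format VPC flow log records from the NAT gateway's elastic network interface and total the bytes per private-side instance and per external destination. The ENI id, VPC CIDR, NAT gateway private IP and the log lines are constructed sample values; the exclusion of flows whose private-side address is the NAT gateway's own IP assumes the ENI's flow log carries both the pre-translation and the translated copy of each connection.

```python
"""Aggregate VPC flow log records from a NAT gateway ENI by source and destination.

Added example; it is not from the exam question or any reply in this thread.
It reproduces offline the aggregation that a CloudWatch Logs Insights query
(option A) or an Athena query over S3-delivered logs (option D) would run.
"""
import ipaddress
from collections import defaultdict

# Field order of the default (version 2) VPC flow log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed parameters (assumed values; take these from your own VPC).
ENI_ID = "eni-0123456789abcdef0"   # the NAT gateway's network interface
VPC_CIDR = "10.0.0.0/16"
NAT_PRIVATE_IP = "10.0.0.100"      # the NAT gateway's own private address

# Constructed flow log lines in the shape CloudWatch Logs or S3 would deliver.
SAMPLE_LOG = """\
2 123456789012 eni-0123456789abcdef0 10.0.2.15 203.0.113.10 49152 443 6 1200 1800000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.10 10.0.2.15 443 49152 6 30000 45000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 10.0.3.22 198.51.100.7 50001 443 6 400 600000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 10.0.2.15 198.51.100.7 50002 443 6 150 200000 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 10.0.2.15 10.0.1.5 49153 8080 6 50 10000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0fedcba9876543210 10.0.4.9 203.0.113.10 49999 443 6 6000 9000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 - - - - - - - 1700000120 1700000180 - NODATA
2 123456789012 eni-0123456789abcdef0 10.0.3.22 192.0.2.44 50003 25 6 10 1000 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 10.0.0.100 203.0.113.10 49152 443 6 1200 1800000 1700000000 1700000060 ACCEPT OK
"""


def parse_flow_log(text):
    """Parse default-format lines into dicts, skipping NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # blank, malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA/SKIPDATA rows carry '-' in the traffic fields
        rec["bytes"] = int(rec["bytes"])
        rec["packets"] = int(rec["packets"])
        records.append(rec)
    return records


def _nat_flow(rec, eni_id, vpc, nat_private_ip):
    """Return (inside_addr, outside_addr, service_port) for a NAT flow, else None."""
    if rec["interface_id"] != eni_id or rec["action"] != "ACCEPT":
        return None
    src_in = ipaddress.ip_address(rec["srcaddr"]) in vpc
    dst_in = ipaddress.ip_address(rec["dstaddr"]) in vpc
    if src_in == dst_in:
        return None  # intra-VPC or external-to-external: not NAT traffic
    if src_in:  # outbound: instance -> internet, the service port is dstport
        inside, outside, port = rec["srcaddr"], rec["dstaddr"], rec["dstport"]
    else:       # return traffic: internet -> instance, the service port is srcport
        inside, outside, port = rec["dstaddr"], rec["srcaddr"], rec["srcport"]
    if inside == nat_private_ip:
        return None  # assumed translated copy of the flow; skip to avoid double counting
    return inside, outside, int(port)


def nat_bytes_by_instance(records, eni_id, vpc_cidr, nat_private_ip):
    """Bytes in both directions attributed to each private-side address, largest first."""
    vpc = ipaddress.ip_network(vpc_cidr)
    totals = defaultdict(int)
    for rec in records:
        flow = _nat_flow(rec, eni_id, vpc, nat_private_ip)
        if flow:
            totals[flow[0]] += rec["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def nat_bytes_by_destination(records, eni_id, vpc_cidr, nat_private_ip):
    """Bytes per (external address, service port), largest first."""
    vpc = ipaddress.ip_network(vpc_cidr)
    totals = defaultdict(int)
    for rec in records:
        flow = _nat_flow(rec, eni_id, vpc, nat_private_ip)
        if flow:
            totals[(flow[1], flow[2])] += rec["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for addr, total in nat_bytes_by_instance(recs, ENI_ID, VPC_CIDR, NAT_PRIVATE_IP):
        print(f"{addr:<16} {total:>12} bytes")
    for (addr, port), total in nat_bytes_by_destination(recs, ENI_ID, VPC_CIDR, NAT_PRIVATE_IP):
        print(f"{addr:<16}:{port:<5} {total:>12} bytes")
```

Attributing the return direction to the instance matters: in the constructed sample the 45 MB response from 203.0.113.10 dwarfs what 10.0.2.15 sent, and a query that only sums outbound bytes would understate that instance's share of the NAT gateway's data processing. Rejected flows, intra-VPC flows and flows on other interfaces are excluded because none of them is processed by the NAT gateway.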

Re: AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 8

A. Yes, this would work.
B. Not a real thing, wrong.
C. We don't need to do packet inspection to analyze costs. This won't help with costs at all.
D. The most obvious right answer.
E. Like B, not a real thing.

Re: AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 8

C -- also a working answer. In Wireshark you can generate reports for traffic usage.

Re: AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 8

AD seem to be the correct answers.

Enabling "NAT gateway access logs" is not a valid feature.

Re: AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 8

I think that its answer is AD according to SPOTO products.

Re: AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 8

https://repost.aws/knowledge-center/vpc-find-traffic-sources-nat-gateway
Check this re:Post, it seems like A-E

Re: AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 8

A and D - you can only enable VPC flow logs on ENIs rather than on the services, in this case the NAT gateway.

Re: AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 8

A & D are the real answers.

Re: AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 8

Went with A,D given that we want to track which IPs are source of the problem.

Given that NAT gateway access logs only provide information about connections that are initiated by the NAT gateway. VPC flow logs provide more detailed information about the traffic that passes through the NAT gateway.

Re: AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 8

Selected Answer: AD

Re: AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 8

Overall, Options A and B are the most relevant and efficient approaches to investigate the traffic through the NAT gateway and identify the source of increased NAT gateway usage.

Although C and D are also correct, we do not want deeper analysis of the logs. Again remember, both VPC flow logs and NAT gateway access logs can provide network information about the traffic going through the NAT gateway.

Re: AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 8

AWS NAT gateway access logs are not available as a native feature of AWS NAT gateway. You can use VPC Flow Logs to capture information about the IP traffic going to and from network interfaces in your VPC.

Re: AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 8

Packet captures would require inspection per TCP connection, which is not reasonable, so - A&D.

Re: AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 8

These are correct

Re: AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 8

My guess was not entirely correct. I am leaning towards A, B and D.

Option D is also a valid approach to investigate the traffic through the NAT gateway. By enabling VPC flow logs on the NAT gateway's elastic network interface and publishing the logs to an S3 bucket, a network engineer can create a custom table for the S3 bucket in Amazon Athena to describe the log structure and use Athena to query and analyze the logs. This approach provides a lot of flexibility in terms of data analysis and long-term storage of the log data.

So, technically, options A, B, and D are all valid ways to investigate NAT gateway usage. However, options A and B are probably more efficient because they allow you to query and analyze the logs directly in CloudWatch Logs without having to set up additional infrastructure.

So either AB or AD.

Re: AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 8

Such a thing as "NAT gateway access logs" seems not to exist at all.
Read the last sentence in the question as "Which are the VALID options a network engineer can..."
So, A and D.

Re: AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 8

Could not find any link that states any details around NAT Gateway access logs.
I found the link below with the exact same problem statement and the options for resolution asked about here (in this case A and D):

https://aws.amazon.com/premiumsupport/knowledge-center/vpc-find-traffic-sources-nat-gateway/

Re: AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 8

A,D
https://aws.amazon.com/premiumsupport/knowledge-center/vpc-find-traffic-sources-nat-gateway/

Re: AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 8

A,D - correct.
https://aws.amazon.com/premiumsupport/knowledge-center/vpc-find-traffic-sources-nat-gateway/?nc1=h_ls