Analyzing tool output to assess network performance and troubleshoot connectivity (for example, VPC Flow Logs, Amazon CloudWatch Logs)

Task Statement 3.2: Monitor and analyze network traffic to troubleshoot and optimize connectivity patterns.

📘 AWS Certified Advanced Networking – Specialty

Skill Focus:

You must be able to:

  • Read and understand network logs and outputs
  • Identify connectivity problems
  • Analyze performance issues
  • Use logs to find root causes

Main tools in this topic:

  • Amazon VPC Flow Logs
  • Amazon CloudWatch Logs

1. What is Network Traffic Analysis in AWS?

Network traffic analysis means:

  • Observing how data moves between AWS resources
  • Checking whether traffic is allowed or blocked
  • Identifying delays, failures, or unusual behavior

You do this mainly using logs that show:

  • Who is communicating
  • From where to where
  • Whether traffic is allowed or rejected
  • How much data is transferred

2. VPC Flow Logs (MOST IMPORTANT FOR EXAM)

2.1 What are VPC Flow Logs?

Amazon VPC Flow Logs record network traffic metadata for the traffic going to and from your VPC.

It does NOT capture:

  • Packet payload (actual data inside traffic)

It DOES capture:

  • Traffic metadata (who, where, when, allowed/denied)

2.2 Where can Flow Logs be created?

Flow logs can be enabled at:

  • VPC level
  • Subnet level
  • Network Interface (ENI) level

2.3 Key Flow Log Fields (VERY IMPORTANT)

When analyzing exam questions, focus on these fields:

1. Source and Destination

  • srcaddr → Source IP
  • dstaddr → Destination IP

2. Ports

  • srcport → Source port
  • dstport → Destination port (e.g., 80 for HTTP, 443 for HTTPS)

3. Protocol

  • protocol → IANA protocol number (6 = TCP, 17 = UDP, 1 = ICMP)

4. Action

  • ACCEPT → Traffic allowed
  • REJECT → Traffic blocked

5. Packets and Bytes

  • packets → Number of packets
  • bytes → Data transferred

6. Time Window

  • start and end → Start and end of the capture window (Unix time, in seconds)

2.4 How to Interpret Flow Logs (Exam Skill)

Case 1: Traffic is NOT working

If you see:

  • Action = REJECT

Then:

  • Traffic is blocked

Possible causes:

  • Security Group denies traffic
  • Network ACL blocks traffic
  • Route table missing route
  • Wrong port used

Case 2: Traffic is working but slow

If you see:

  • Action = ACCEPT
  • High bytes but slow response

Possible causes:

  • Bandwidth limitation
  • Overloaded instance
  • High latency route path
  • Application bottleneck

Case 3: No logs at all

Possible causes:

  • Flow logs not enabled
  • Wrong ENI selected
  • No traffic generated

3. CloudWatch Logs for Network Troubleshooting

3.1 What is CloudWatch Logs?

Amazon CloudWatch Logs stores logs from AWS services and applications.

It is used to:

  • View logs in real time
  • Search log data
  • Create filters and alarms
  • Detect failures automatically

3.2 Key Features for Exam

1. Log Groups

  • Collection of log streams (same application or service)

2. Log Streams

  • Sequence of log events from one source

3. Metric Filters (VERY IMPORTANT)

You can:

  • Search logs for patterns (e.g., “REJECT”)
  • Convert logs into CloudWatch metrics
  • Trigger alarms

Example:

  • If “REJECT” appears too many times → trigger alarm

4. CloudWatch Logs Insights

Used for:

  • Advanced querying of logs
  • Filtering traffic patterns
  • Finding errors quickly

Example query logic:

  • Find all rejected connections
  • Group by destination IP
  • Count failed requests
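An added Python example (not part of the original notes) that parses constructed default-format flow log records, applies the three interpretation cases from section 2.4, and computes the reject-per-destination count that the Logs Insights query logic above describes. The account id, ENI ids and IP addresses in the sample are made up.

```python
from collections import Counter

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PROTO = {"6": "TCP", "17": "UDP", "1": "ICMP"}  # IANA numbers seen in the protocol field

# Constructed sample records: account id, ENI ids and addresses are made up, not real.
SAMPLE_LOG = """\
2 111111111111 eni-0aaaaaaaaaaaaaaaa 10.0.1.10 10.0.2.20 49152 443 6 12 3400 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0aaaaaaaaaaaaaaaa 203.0.113.5 10.0.1.10 51000 22 6 1 44 1700000000 1700000060 REJECT OK
2 111111111111 eni-0aaaaaaaaaaaaaaaa 203.0.113.5 10.0.1.10 51001 3389 6 1 44 1700000000 1700000060 REJECT OK
2 111111111111 eni-0aaaaaaaaaaaaaaaa 198.51.100.7 10.0.1.10 40000 22 6 1 44 1700000000 1700000060 REJECT OK
2 111111111111 eni-0bbbbbbbbbbbbbbbb - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_record(line):
    """Split one space-separated record into a dict keyed by field name."""
    values = line.split()
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}: {line!r}")
    return dict(zip(FIELDS, values))

def interpret(rec):
    """Map one record onto the three cases of section 2.4."""
    if rec["log_status"] != "OK":              # Case 3: no usable traffic record
        return f"NO-DATA: log-status {rec['log_status']}, nothing captured for this window"
    if rec["action"] == "REJECT":              # Case 1: blocked by SG or NACL
        proto = PROTO.get(rec["protocol"], rec["protocol"])
        return (f"BLOCKED: {rec['srcaddr']} -> {rec['dstaddr']}:{rec['dstport']}/{proto}; "
                "check the security group first, then the NACL")
    # Case 2: allowed; ACCEPT says nothing about latency, so look at bytes and the app
    return f"ALLOWED: {rec['bytes']} bytes over {int(rec['end']) - int(rec['start'])}s"

def reject_summary(log_text):
    """Section 3 query logic: count REJECT flows per destination IP and port, most hit first."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec["log_status"] == "OK" and rec["action"] == "REJECT":
            counts[(rec["dstaddr"], rec["dstport"])] += 1
    return counts.most_common()

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(interpret(parse_record(line)))
    for (ip, port), n in reject_summary(SAMPLE_LOG):
        print(f"{n} rejects to {ip}:{port}")
```

The same grouping in CloudWatch Logs Insights is a filter on action = "REJECT" followed by a stats count by dstaddr; the Python version lets you check the logic offline against exported log lines.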

4. How to Troubleshoot Connectivity Using Logs (Exam Method)

Follow this step-by-step approach:

Step 1: Identify the problem

  • Is traffic not reaching destination?
  • Is it slow?
  • Is it partially working?

Step 2: Check VPC Flow Logs

Look for:

  • REJECT → indicates blocked traffic
  • Missing logs → traffic not reaching VPC or logging disabled

Step 3: Identify blocking layer

If REJECT happens:

Check in this order:

  1. Security Groups (stateful firewall)
  2. Network ACLs (stateless firewall)
  3. Route Tables (routing path)
  4. Subnet association

Step 4: Validate ports and protocols

Common exam mistakes:

  • Using wrong port (e.g., 22 instead of 3389)
  • Wrong protocol (TCP vs UDP)

Step 5: Use CloudWatch Logs for deeper insight

Check:

  • Application errors
  • Timeout logs
  • Authentication failures
  • Connection resets

5. Common Exam Scenarios

Scenario 1: Instance not reachable

Flow Logs show:

  • REJECT

Likely cause:

  • Security Group inbound rule missing

Scenario 2: Internal service communication fails

Flow Logs show:

  • REJECT between subnets

Likely cause:

  • Network ACL blocking traffic

Scenario 3: Intermittent connectivity

Flow Logs show:

  • Mix of ACCEPT and REJECT

Likely cause:

  • NACL rules not properly ordered
  • Ephemeral port issues

Scenario 4: High latency but ACCEPT traffic

Flow Logs show:

  • ACCEPT, high bytes

Likely cause:

  • Overloaded instance or network congestion

6. Key Exam Tips (VERY IMPORTANT)

  • ACCEPT ≠ performance OK (it only means allowed)
  • REJECT always indicates a network policy issue
  • Flow logs show metadata only, not packet content
  • Always check security group before NACL in troubleshooting
  • Use CloudWatch Logs Insights for fast filtering
  • Look for patterns, not single log lines

7. Summary

To pass this topic in the exam, remember:

You must be able to:

  • Read VPC Flow Logs correctly
  • Identify ACCEPT vs REJECT meaning
  • Locate network blocking layers (SG, NACL, route tables)
  • Use CloudWatch Logs for deeper analysis
  • Correlate logs with connectivity issues
  • Troubleshoot systematically step by step