Configuring network monitoring and logging for AWS services

Task Statement 2.1: Implement routing and connectivity between on-premises networks and the AWS Cloud.

In AWS, monitoring and logging help you:

Track Network Health – See if your network connections (VPCs, Direct Connect, VPNs) are working correctly.
Troubleshoot Issues – Identify why a service or connection is slow or failing.
Security and Compliance – Detect unauthorized access, data leaks, or policy violations.
Optimize Performance – Find bottlenecks and improve efficiency.

For the exam, you need to know which AWS services provide monitoring/logging, how they work, and when to use them.

AWS has several key services for network monitoring:

Purpose: Monitors AWS resources and applications in real-time.
What you can monitor:
- VPCs, subnets, EC2 network traffic
- VPN connection status
- Transit Gateway metrics
Example metrics:
- NetworkPacketsIn / Out – Number of packets in/out of an EC2 instance
- TunnelState – VPN connection up or down
Exam Tip: Know how CloudWatch alarms can trigger notifications when a network metric crosses a threshold.

Purpose: Logs API calls and changes in your AWS environment.
Use for networking:
- Track who created, deleted, or modified VPCs, Security Groups, NACLs, or Route Tables
Exam Tip: CloudTrail logs are essential for audit and compliance. Know that it records events, not metrics.

Purpose: Captures network traffic metadata for a VPC, subnet, or ENI.
What it logs:
- Source/destination IP
- Protocol (TCP/UDP)
- Packet/byte counts
- Accept/reject traffic status (allow/deny by security group/NACL)
Where logs go: CloudWatch Logs or S3
Example: You notice traffic from a suspicious IP being blocked by your NACL. Flow Logs show it.
Exam Tip: Understand the difference between accepted vs rejected traffic logs, and how it helps troubleshoot connectivity issues.

Purpose: Visualizes and monitors global network connectivity across multiple VPCs and on-premises sites.
Features:
- View connections between multiple AWS Regions and on-premises networks
- Detect network health issues
Exam Tip: Know that it integrates with CloudWatch for alerts.

Purpose: Tests network paths and routing between two endpoints.
Use case:
- Verify if an EC2 instance in one VPC can reach another instance via VPN or Transit Gateway
Exam Tip: These are diagnostic tools, not continuous monitoring tools. Know their difference from VPC Flow Logs.

Enable VPC Flow Logs for all critical subnets – Helps troubleshoot connectivity and security issues.
Send logs to S3 for long-term storage – Retain for audits or compliance.
Use CloudWatch for real-time alerts – Immediate notification of failures or anomalies.
Enable CloudTrail globally – Track all API changes across accounts.
Tag resources properly – Makes filtering and monitoring logs easier.

When connecting AWS to on-premises networks via Direct Connect or VPN, monitor:

Direct Connect: Use CloudWatch metrics like ConnectionState, BytesIn/Out, and BGP status.
VPN Connections: Monitor TunnelState metrics. Set alarms for tunnel down events.
Hybrid Networks: Transit Gateway + Network Manager to visualize multi-site connectivity.

Exam Tip: Know how to combine CloudWatch alarms + Flow Logs to detect and troubleshoot hybrid network issues.

Topic	Key Points
CloudWatch	Metrics, alarms, network packets, VPN tunnel state
CloudTrail	API logging, VPC modifications, audit trail
VPC Flow Logs	Traffic metadata, accept/reject logs, troubleshooting
Transit Gateway Network Manager	Multi-VPC/multi-region monitoring, health visualization
Reachability Analyzer	Test network paths, connectivity verification
Best Practices	Enable logging, use CloudWatch alarms, store logs for audits

Think of it like layers: Flow Logs → CloudWatch → Network Manager → Alerts. Each layer gives you more visibility into your network.