VPC Flow Logs: Monitoring Traffic to EC2 Instances - Exam Prep

Which Types of Traffic Are Not Monitored by VPC Flow Logs? - Exam Prep


Question

You are planning to use VPC Flow logs to monitor the traffic to EC2 Instances in your VPC.

Which of the following types of traffic will not get monitored by VPC Flow logs? Choose 2 answers from the options given below.

Answers

Explanations


Answer - B and D.

The AWS Documentation mentions the following.

The Flow Logs will not include any of the following traffic.

Traffic to Amazon DNS servers, including queries for private hosted zones.

Windows license activation traffic for licenses provided by Amazon.

Requests for instance metadata.

DHCP requests or responses.

Based on the above, the other options are invalid.

For more information on VPC Flow Logs, see the URL below.

https://aws.amazon.com/blogs/aws/vpc-flow-logs-log-and-view-network-traffic-flows/

VPC Flow Logs is a feature in Amazon Virtual Private Cloud (VPC) that allows users to capture and log all the traffic that passes through the network interfaces in a VPC. It provides visibility into the network traffic, which helps to troubleshoot connectivity issues, monitor security, and identify potential security threats.

However, there are some types of traffic that VPC Flow Logs cannot monitor. Let's discuss each option:

A. Instances that have multiple ENIs: If an instance has multiple Elastic Network Interfaces (ENIs), VPC Flow Logs can monitor the traffic that passes through only the primary network interface. If the traffic passes through the secondary ENI, it will not be captured by VPC Flow Logs. So, this option is correct.

B. Traffic that flows to Amazon DNS servers: VPC Flow Logs can monitor the traffic that flows between the instances in the VPC and the internet, but it cannot monitor the traffic that flows to the Amazon DNS servers. The DNS queries and responses are not captured by VPC Flow Logs. So, this option is correct.

C. Instances that have Elastic IPs assigned to the ENI: When an Elastic IP (EIP) is associated with a network interface in an instance, the traffic that flows through that interface is not treated as internet traffic, even if the EIP is associated with a public IP address. Instead, the traffic is treated as internal VPC traffic, and VPC Flow Logs can capture it. So, this option is incorrect.

D. Requests for instance metadata: Instance metadata is a service provided by Amazon EC2 that allows instances to access information about themselves. Requests for instance metadata are not considered network traffic, and VPC Flow Logs cannot capture them. So, this option is correct.

In summary, the two types of traffic that will not get monitored by VPC Flow logs are instances that have multiple ENIs and requests for instance metadata.
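As an added example (not code from this exam page or from AWS), the following Python parses default-format VPC Flow Log records, counts REJECT records per interface, and flags destinations that the service never records (the Amazon DNS resolver at the VPC base address + 2 or 169.254.169.253, and the instance metadata endpoint 169.254.169.254), so that a monitoring pipeline does not read their absence from the logs as an absence of traffic. The VPC CIDR, interface id, account id and the sample records are all constructed.

```python
import ipaddress
from collections import Counter

# Default (version 2) VPC Flow Log field order, space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
IMDS = ipaddress.ip_address("169.254.169.254")                   # instance metadata endpoint
AMAZON_DNS_LINK_LOCAL = ipaddress.ip_address("169.254.169.253")  # Amazon DNS, link-local address

def parse_record(line):
    # One default-format record -> dict; NODATA/SKIPDATA rows carry '-' for the traffic fields.
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec

def unlogged_reason(rec, vpc_cidr):
    """Return why the service would never emit this flow, or None if it is loggable."""
    if rec["dstaddr"] == "-":
        return None
    dst = ipaddress.ip_address(rec["dstaddr"])
    vpc_resolver = ipaddress.ip_network(vpc_cidr).network_address + 2  # Amazon DNS lives at VPC base + 2
    if dst == IMDS:
        return "instance metadata"
    if dst in (AMAZON_DNS_LINK_LOCAL, vpc_resolver):
        return "Amazon DNS"
    return None

def audit(text, vpc_cidr):
    """Count REJECT records per ENI and list flows a pipeline must never expect to see."""
    rejects, never_logged = Counter(), []
    for line in text.strip().splitlines():
        rec = parse_record(line)
        if rec["action"] == "REJECT":
            rejects[rec["interface_id"]] += 1
        reason = unlogged_reason(rec, vpc_cidr)
        if reason:
            never_logged.append((rec["dstaddr"], reason))
    return rejects, never_logged

# Constructed sample; the DNS and metadata rows are deliberately impossible, the service never emits them.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.0.2 51234 53 17 1 64 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 169.254.169.254 51235 80 6 4 320 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40000 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""
```

Calling `audit(SAMPLE, "10.0.0.0/16")` returns one REJECT for the interface and reports the DNS and metadata rows as flows that real logs would never contain; the NODATA row parses cleanly and is ignored.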