
Answer-first summary for fast verification
Answer: Configure VPC flow logs to be delivered into an Amazon S3 bucket. Use Amazon Athena to query the data and to filter for the port number that is used by the old protocol.
To verify that no application is still using the old protocol without causing any downtime, the most effective solution is to use VPC flow logs together with Amazon Athena. VPC flow logs capture metadata about the IP traffic going to and from network interfaces in a VPC, including source and destination ports. By delivering these logs to an Amazon S3 bucket and querying them with Amazon Athena, you can filter for the port number used by the old protocol and see which interfaces and addresses still carry that traffic. This is purely observational: it analyses network traffic without touching the applications or their security groups. Option A, using Amazon Inspector, is not suitable because its Network Reachability analysis reports security and compliance findings about reachability rather than observed use of a specific port. Option B, enabling Amazon GuardDuty, is a threat detection service and does not provide the detailed port usage information needed. Option D, inspecting and modifying security groups, could cause downtime if the old protocol is still in use when its port is removed from the security groups. Therefore, the correct solution is to use VPC flow logs and Amazon Athena as described in option C.
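The filter Athena would apply is simple enough to show end to end. The following added example (not from the original page or from AWS) parses VPC flow log records in the default format, keeps only accepted TCP flows whose destination port is the old protocol's port, and aggregates them per network interface and destination address. The sample records are constructed, and OLD_PORT is a placeholder for whatever port the retired protocol used. Note that it filters on dstport rather than srcport: the same number can appear as an ephemeral source port on unrelated connections, which is the false positive that option B's wording hints at.

```python
"""Filter VPC flow log records (default format) for traffic to a legacy TCP port.

Added example with constructed sample data. OLD_PORT is an assumed placeholder
for the port number of the old protocol.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, Tuple

OLD_PORT = 8080  # placeholder: port of the retired protocol (assumption)
TCP = 6          # IANA protocol number for TCP

# Field order of the default (version 2) VPC flow log record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    bytes: int
    action: str


def parse_flow_log_lines(lines: Iterable[str]) -> Iterator[FlowRecord]:
    """Yield usable records; skip the header and NODATA/SKIPDATA lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] == "version":
            continue  # header line or malformed record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA/SKIPDATA records carry '-' instead of ports
        yield FlowRecord(
            interface_id=rec["interface_id"],
            srcaddr=rec["srcaddr"],
            dstaddr=rec["dstaddr"],
            srcport=int(rec["srcport"]),
            dstport=int(rec["dstport"]),
            protocol=int(rec["protocol"]),
            packets=int(rec["packets"]),
            bytes=int(rec["bytes"]),
            action=rec["action"],
        )


def summarize_old_port_flows(records: Iterable[FlowRecord],
                             port: int) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Accepted TCP flows *to* `port`, keyed by (interface_id, dstaddr).

    Value is (flow count, total bytes). Matching on dstport, not srcport,
    avoids counting connections that merely used `port` as an ephemeral
    source port. This mirrors the Athena predicate
    WHERE dstport = <port> AND protocol = 6 AND action = 'ACCEPT'.
    """
    summary: Dict[Tuple[str, str], Tuple[int, int]] = {}
    for r in records:
        if r.protocol != TCP or r.dstport != port or r.action != "ACCEPT":
            continue
        key = (r.interface_id, r.dstaddr)
        flows, total = summary.get(key, (0, 0))
        summary[key] = (flows + 1, total + r.bytes)
    return summary


# Constructed sample flow log file contents (header plus six records).
SAMPLE_LINES = [
    "version account-id interface-id srcaddr dstaddr srcport dstport protocol "
    "packets bytes start end action log-status",
    # two clients still talking to the old port: these should be reported
    "2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 10.0.2.40 51234 8080 6 12 3200 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 10.0.2.40 51235 8080 6 8 2100 1700000060 1700000120 ACCEPT OK",
    # return traffic of the same session: old port is the *source* port
    "2 123456789012 eni-0a1b2c3d4e5f60002 10.0.2.40 10.0.1.25 8080 51234 6 10 9000 1700000000 1700000060 ACCEPT OK",
    # HTTPS connection that happened to pick 8080 as its ephemeral source port
    "2 123456789012 eni-0a1b2c3d4e5f60003 10.0.3.7 203.0.113.9 8080 443 6 5 800 1700000000 1700000060 ACCEPT OK",
    # traffic on the new protocol's port
    "2 123456789012 eni-0a1b2c3d4e5f60003 10.0.3.7 10.0.2.41 40000 9090 6 5 800 1700000000 1700000060 ACCEPT OK",
    # blocked attempt from outside: rejected, so not an application still in use
    "2 123456789012 eni-0a1b2c3d4e5f60004 198.51.100.5 10.0.2.40 44444 8080 6 3 180 1700000000 1700000060 REJECT OK",
    # interface with no traffic in the window
    "2 123456789012 eni-0a1b2c3d4e5f60005 - - - - - - - 1700000000 1700000060 - NODATA",
]


if __name__ == "__main__":
    for (eni, dst), (flows, total) in summarize_old_port_flows(
            parse_flow_log_lines(SAMPLE_LINES), OLD_PORT).items():
        print(f"{eni} -> {dst}:{OLD_PORT}  flows={flows} bytes={total}")
```

Running it over the sample prints a single line for eni-0a1b2c3d4e5f60001 to 10.0.2.40 with two flows and 5300 bytes; the reply packets, the ephemeral-port coincidence, the new-port traffic and the rejected probe are all excluded. In practice the same filter is expressed as an Athena query over the S3-backed table, and an empty result over a full business cycle (including batch jobs) is the evidence that the old protocol is unused.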
Author: LeetQuiz Editorial Team
A company has transitioned from an outdated TCP-based application layer protocol to a new one, with both protocols using different port numbers. After migrating numerous applications running on Amazon EC2 instances and containers, the company wants to confirm that no applications are still using the old protocol. What solution can a network engineer implement to verify this without causing any downtime?
A. Use Amazon Inspector and its Network Reachability rules package. Wait until the analysis has finished running to find out which EC2 instances are still listening to the old port.
B. Enable Amazon GuardDuty. Use the graphical visualizations to filter for traffic that uses the port of the old protocol. Exclude all internet traffic to filter out occasions when the same port is used as an ephemeral port.
C. Configure VPC flow logs to be delivered into an Amazon S3 bucket. Use Amazon Athena to query the data and to filter for the port number that is used by the old protocol.
D. Inspect all security groups that are assigned to the EC2 instances that host the applications. Remove the port of the old protocol if that port is in the list of allowed ports. Verify that the applications are operating properly after the port is removed from the security groups.