
Answer-first summary for fast verification
Answer: Create VPC flow logs for the EC2 instance's elastic network interface to check for rejected traffic.
VPC Flow Logs on the instance's elastic network interface record every flow that reaches the ENI, including flows arriving over the Site-to-Site VPN, with an ACCEPT or REJECT action. REJECT means a security group or network ACL dropped the traffic; the record does not say which of the two, but because security groups are stateful and network ACLs are not, a rejected return flow (source port 3389 towards the on-premises address) points at the NACL's outbound rules. No matching records at all means the traffic never reached the ENI, which points at the route table, the VPN, or the on-premises side rather than at a security group or NACL. CloudWatch Logs for the instance only carry what the OS or an agent writes, and Site-to-Site VPN logs cover tunnel and IKE activity, so neither shows per-flow rejections. EC2 Instance Connect is an SSH access mechanism and neither explains nor fixes a blocked RDP path.
Author: LeetQuiz Editorial Team
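The triage the answer describes, as an added example that is not part of the original page: parse default-format (version 2) VPC Flow Log records for the instance's ENI, keep only TCP/3389 flows between the on-premises CIDR and the instance, and classify rejects by direction. The ENI ID, account ID, addresses and records below are constructed, not captured from a real account.

```python
"""Triage VPC Flow Log records for failing RDP from an on-premises range.

Added example, not code from the original page. All records, IDs and
addresses are constructed for illustration.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Default flow log record format (version 2), space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

RDP_PORT = 3389
TCP = "6"  # IANA protocol number as it appears in the record


def parse_record(line):
    """Parse one default-format line into a dict; None for blank or foreign lines."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    return dict(zip(FIELDS, parts))


def triage_rdp(lines, onprem_cidr, eni_id):
    """Count RDP flows between onprem_cidr and eni_id by outcome.

    inbound_reject: on-prem -> :3389 rejected at the ENI (SG inbound or NACL inbound)
    return_reject:  :3389 -> on-prem rejected; security groups are stateful, so
                    only a network ACL outbound rule produces this
    accepted:       flows accepted in either direction
    """
    net = ip_network(onprem_cidr)
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        # NODATA / SKIPDATA records carry "-" fields; skip them and other ENIs.
        if rec is None or rec["interface_id"] != eni_id or rec["log_status"] != "OK":
            continue
        if rec["protocol"] != TCP:
            continue
        src, dst = ip_address(rec["srcaddr"]), ip_address(rec["dstaddr"])
        if int(rec["dstport"]) == RDP_PORT and src in net:
            counts["inbound_reject" if rec["action"] == "REJECT" else "accepted"] += 1
        elif int(rec["srcport"]) == RDP_PORT and dst in net:
            counts["return_reject" if rec["action"] == "REJECT" else "accepted"] += 1
    return dict(counts)


def diagnose(counts):
    """Map the counters to the layer to inspect next."""
    if not counts:
        return "no RDP flows reached the ENI: check route tables and the VPN, not SG or NACL"
    if counts.get("inbound_reject"):
        return "inbound RDP rejected: check security group inbound and NACL inbound rules"
    if counts.get("return_reject"):
        return "return traffic rejected: check NACL outbound ephemeral-port rule (SGs are stateful)"
    return "RDP accepted at the ENI: look at the Windows firewall and RDP service on the instance"


# Constructed sample 1: inbound RDP dropped at the ENI. Includes a NODATA
# record, an unrelated SMB flow and a record for a different ENI, all ignored.
SAMPLE_INBOUND_BLOCKED = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.50.1.25 10.0.2.14 51234 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.50.1.25 10.0.2.14 51235 3389 6 3 180 1700000060 1700000120 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.99 10.0.2.14 49200 445 6 12 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000120 1700000180 - NODATA
2 123456789012 eni-0ffffffffffffffff 10.50.1.25 10.0.2.77 51236 3389 6 3 180 1700000000 1700000060 REJECT OK
"""

# Constructed sample 2: inbound accepted, but the stateless NACL drops the
# return traffic on the on-premises ephemeral port.
SAMPLE_NACL_OUTBOUND = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.50.1.25 10.0.2.14 51240 3389 6 4 240 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.14 10.50.1.25 3389 51240 6 4 240 1700000000 1700000060 REJECT OK
"""

ENI = "eni-0a1b2c3d4e5f67890"
ONPREM = "10.50.0.0/16"

if __name__ == "__main__":
    for name, sample in (("inbound", SAMPLE_INBOUND_BLOCKED), ("nacl", SAMPLE_NACL_OUTBOUND), ("none", "")):
        counts = triage_rdp(sample.splitlines(), ONPREM, ENI)
        print(name, counts, "->", diagnose(counts))
```

The records assume a flow log created on the ENI with traffic type ALL (for example `aws ec2 create-flow-logs --resource-type NetworkInterface --resource-ids eni-... --traffic-type ALL --log-destination-type cloud-watch-logs --log-group-name <group> --deliver-logs-permission-arn <role>`); with REJECT-only logging the "accepted" counter stays empty and an empty result no longer distinguishes "never reached the ENI" from "reached and accepted". Records are aggregated over an interval, so allow a few minutes after an RDP attempt before concluding that nothing arrived.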
On-premises users cannot connect via RDP to a Windows EC2 instance in a private subnet over Site-to-Site VPN. The third-party firewall allows RDP traffic. How should the SysOps administrator troubleshoot?
A
Create CloudWatch logs for the EC2 instance to check for blocked traffic.
B
Create CloudWatch logs for the Site-to-Site VPN to check for blocked traffic.
C
Create VPC flow logs for the EC2 instance's elastic network interface to check for rejected traffic.
D
Instruct users to use EC2 Instance Connect.