Question 427 of 1,740
Monitoring and Logging · medium · Multiple Choice · Objective-mapped

Quick Answer

The answer is to enable VPC Flow Logs for the subnets and analyze the logs to identify dropped connections during the error spikes. VPC Flow Logs record metadata for IP traffic to and from the network interfaces in a VPC, and each record carries an action of ACCEPT or REJECT that states whether the security groups and network ACLs allowed that traffic. Because the application logs show 'Connection timed out' while EC2 CPU and memory stay normal, the problem most likely sits in the network path (a security group, NACL or routing issue) rather than in the application or compute layer. On the AWS Certified DevOps Engineer Professional DOP-C02 exam this scenario tests whether you can separate application-layer from network-layer troubleshooting; the common trap is to keep looking at EC2 or ALB metrics when the real culprit is a dropped packet. Two practical points: flow logs are not retroactive, so enable them (at the VPC level, with 1-minute aggregation) and leave them on until the next spike, and correlate each record's start/end interval with the ALB 5XX alarm window rather than expecting an exact timestamp match. Remember the mnemonic: "Timeouts? Trace the Flow". If instance health is fine but connections time out, VPC Flow Logs will show where the traffic is being silently rejected.

DOP-C02 Monitoring and Logging Practice Question

This DOP-C02 practice question tests your understanding of monitoring and logging. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company runs a production web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The application is deployed across three Availability Zones. The DevOps team recently noticed that the application's error rate is spiking periodically, but they cannot correlate the spikes with any known deployments or changes. The team has enabled detailed CloudWatch metrics for the ALB and EC2, and they are using CloudWatch Logs for application logs. They also have AWS X-Ray enabled for tracing.

The team observes that during error spikes, the ALB's 5XX count increases, but the EC2 instance-level CPU and memory metrics remain normal. The application logs show 'Connection timed out' errors. The team suspects the issue is related to network connectivity but is not sure.

Which course of action should the DevOps team take to identify the root cause of the periodic error spikes?


Correct answer & explanation

Enable VPC Flow Logs for the subnets and analyze the logs to identify dropped connections during the error spikes.

VPC Flow Logs capture metadata about IP traffic going to and from network interfaces in a VPC, and each record's action field shows whether the security groups and network ACLs allowed (ACCEPT) or blocked (REJECT) the traffic. Since the application logs show 'Connection timed out' errors and instance-level metrics are normal, the issue likely lies in the network path (e.g., security groups, NACLs, or subnet routing) rather than the application or compute layer. Filtering the flow logs for REJECT records whose aggregation interval overlaps an error spike will reveal whether connections are being dropped, and on which interface and port, pinpointing the root cause of the timeouts.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Enable VPC Flow Logs for the subnets and analyze the logs to identify dropped connections during the error spikes.

    Why this is correct

    Correct: VPC Flow Logs capture network traffic metadata and can show blocked or rejected connections.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Increase the EC2 instance size to handle higher traffic and reduce timeouts.

    Why it's wrong here

    Incorrect: The issue is not resource-related; CPU and memory are normal.

  • Configure a step scaling policy for the Auto Scaling group based on ALB 5XX count.

    Why it's wrong here

    Incorrect: Scaling does not address the root cause; it only adds more instances.

  • Enable ALB access logs and analyze the 5xx response patterns.

    Why it's wrong here

    Incorrect: Access logs record per-request fields from the load balancer's point of view, so they can confirm that targets failed to respond (for example a 504 with no target status code), but they cannot show whether a security group or NACL dropped the packets, which is what the timeouts point to.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often jump to scaling or ALB access logs because they focus on the 5XX error symptom, but the question specifically points to network-level timeouts on instances that are otherwise healthy. Of the four options, only VPC Flow Logs can reveal packets being dropped or rejected at the network layer.

Trap categories for this question

  • Command / output trap

    ALB access logs describe requests and responses at layer 7 from the load balancer's point of view. A packet that a security group or NACL drops never produces a response, so in the access log the drop appears only as a timeout, never as its cause; the REJECT that explains it lives in VPC Flow Logs.

Detailed technical explanation

How to think about this question

VPC Flow Logs carry an action field with the value ACCEPT or REJECT that states whether the security groups and network ACLs permitted the traffic; REJECT records on the target interfaces during an error spike confirm that a security group or NACL rule is blocking traffic. A 'Connection timed out' error typically means a TCP SYN was sent but no SYN-ACK came back within the timeout window. That happens when a security group lacks an inbound rule for the target port (the SYN is dropped silently) or, because NACLs are stateless, when a NACL allows the inbound SYN but has no outbound rule for the ephemeral port range (1024-65535), so the SYN-ACK is dropped on the way out; in that case the flow log shows the inbound flow as ACCEPT and the return flow from the application port to a high port as REJECT. In real-world scenarios, periodic spikes can come from a NACL rule that covers only part of the ephemeral range, so only connections that land on the uncovered source ports fail, or from security group or NACL changes applied by automation on a schedule. Note that flow logs do not record every packet (DHCP, instance metadata and Amazon DNS traffic are excluded) and are delivered some time after each aggregation interval closes, so they are a tool for confirming a drop after the fact, not a real-time packet capture.
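The analysis described in the quick answer and in the explanation above, as an added example for this page (it is not AWS code and not part of the original question): a small parser for the default VPC Flow Log record format that keeps only REJECT records whose aggregation interval overlaps an error-spike window and buckets them into inbound drops on the application port, dropped return traffic from the application port to ephemeral ports (the stateless-NACL case), and unrelated noise. The ENI ID, addresses, ports, timestamps and spike window are constructed sample data; the application port of 8080 is an assumption.

```python
"""Hunt for REJECT records in VPC Flow Logs that overlap an error-spike window.

Added example for this page (not AWS code). Input is the default VPC Flow Log
record format (version 2, 14 space-separated fields). The ENI ID, IPs, ports and
timestamps below are constructed sample data, not from a real account.
"""
from collections import Counter

# Field order of the default flow-log format.
FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample: ALB nodes 10.0.1.25/.26 talk to target 10.0.2.40:8080 on
# eni-0a1b2c3d4e5f60001. During the spike the SYN is accepted but the SYN-ACK
# from port 8080 back to the ALB's ephemeral port is rejected (stateless NACL).
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 10.0.2.40 40512 8080 6 12 3640 1699999700 1699999760 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 10.0.2.40 40588 8080 6 9 540 1700000060 1700000120 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 10.0.2.40 10.0.1.25 8080 40588 6 9 540 1700000060 1700000120 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 10.0.2.40 10.0.1.26 8080 41033 6 4 240 1700000120 1700000180 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.5 10.0.2.40 52113 22 6 1 44 1700000100 1700000160 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 10.0.2.40 40900 8080 6 7 420 1700000500 1700000560 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 - - - - - - - 1700000180 1700000240 - NODATA",
]
# Spike window as epoch seconds, e.g. taken from the ALB 5XX alarm history (constructed).
SPIKE_WINDOW = (1700000000, 1700000300)
APP_PORT = 8080  # target group port (assumption for the sample)


def parse_record(line):
    """Split one default-format record into a dict; '-' becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in NUMERIC:
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def overlaps(rec, window_start, window_end):
    """Records are aggregated over an interval, so match on overlap, not equality."""
    return rec["start"] <= window_end and rec["end"] >= window_start


def summarize_rejects(lines, window_start, window_end, app_port):
    """Bucket REJECT packets inside the window by what they tell us."""
    inbound = Counter()  # (eni, srcaddr): client -> app_port rejected (SG/NACL inbound)
    returns = Counter()  # (eni, dstaddr): app_port -> ephemeral port rejected (NACL outbound)
    other = Counter()    # (eni, dstport): unrelated ports, e.g. scanner noise
    for line in lines:
        rec = parse_record(line)
        if rec["log_status"] != "OK" or rec["action"] != "REJECT":
            continue  # NODATA/SKIPDATA records carry no flow; ACCEPT is not a drop
        if not overlaps(rec, window_start, window_end):
            continue
        if rec["dstport"] == app_port:
            inbound[(rec["interface_id"], rec["srcaddr"])] += rec["packets"]
        elif rec["srcport"] == app_port and rec["dstport"] >= 1024:
            returns[(rec["interface_id"], rec["dstaddr"])] += rec["packets"]
        else:
            other[(rec["interface_id"], rec["dstport"])] += rec["packets"]
    return {"inbound": inbound, "return": returns, "other": other}


def diagnose(summary):
    """Turn the buckets into the next thing to check."""
    if summary["return"]:
        return ("return traffic from the app port to ephemeral ports is REJECTed: "
                "check NACL outbound rules for 1024-65535 (NACLs are stateless)")
    if summary["inbound"]:
        return ("inbound traffic to the app port is REJECTed: "
                "check the target security group and NACL inbound rules")
    return ("no REJECTs on the app port in the window: "
            "look beyond SG/NACL (routing, target health, host-level limits)")


if __name__ == "__main__":
    result = summarize_rejects(SAMPLE_LINES, *SPIKE_WINDOW, APP_PORT)
    for bucket, counts in result.items():
        for key, packets in counts.items():
            print(f"{bucket:8s} {key} packets={packets}")
    print(diagnose(result))
```

On the sample, the inbound bucket is empty, the return bucket holds 9 and 4 packets toward the two ALB node addresses, and the port-22 scanner noise lands in the other bucket, so the diagnosis points at the NACL's outbound ephemeral-port rules. When the flow logs are delivered to CloudWatch Logs, the same first cut is one Logs Insights query over the auto-discovered fields, e.g. `filter action = "REJECT" | stats sum(packets) by interfaceId, srcAddr, dstAddr, srcPort, dstPort`, scoped to the alarm window with the query's time range; the overlap logic above matters because an interval that began before the spike can still contain the drops.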

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A team sees periodic 5XX spikes on an ALB while the instances behind it look healthy and the application logs show connection timeouts. Rather than resizing or scaling the instances, they enable VPC Flow Logs for the VPC with 1-minute aggregation, leave them running, and when the next spike fires they filter for REJECT records whose interval overlaps the alarm window, grouped by interface and destination port. That tells them whether the drop is an inbound security group or NACL rule or a stateless NACL blocking return traffic on ephemeral ports. Questions like this test whether you can pick the telemetry that covers the layer where the symptom lives.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.



FAQ

Questions learners often ask

What does this DOP-C02 question test?

Monitoring and Logging. This question tests whether you can pick the telemetry that covers the layer where the symptom lives (here, VPC Flow Logs for network-layer timeouts) instead of reaching for a memorised answer.

What is the correct answer to this question?

The correct answer is: Enable VPC Flow Logs for the subnets and analyze the logs to identify dropped connections during the error spikes. — VPC Flow Logs capture metadata about IP traffic going to and from network interfaces in a VPC, including whether the traffic was accepted or rejected. Since the application logs show 'Connection timed out' errors and instance-level metrics are normal, the issue likely lies in the network path (e.g., security groups, NACLs, or subnet routing) rather than the application or compute layer. Analyzing VPC Flow Logs during the error spikes will reveal if connections are being dropped or rejected, pinpointing the root cause of the timeouts.

What should I do if I get this DOP-C02 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.



Last reviewed: Jun 11, 2026


This DOP-C02 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the DOP-C02 exam.