A network engineer is analyzing VPC Flow Logs for a VPC with CIDR 10.0.0.0/16. The exhibit shows a sample log entry. The engineer notices that traffic from 10.0.1.10 to 10.0.2.10 on port 443 is being accepted. However, the application team reports that the connection is failing. What is the most likely reason for the disconnect?
Flow logs only show network-level acceptance; application issues are not captured.
Why this answer
The VPC Flow Logs show that traffic from 10.0.1.10 to 10.0.2.10 on port 443 is being accepted (ACCEPT record), which indicates that the network layer (security groups, network ACLs, and routing) is permitting the traffic. Since the application team reports the connection is failing, the issue must be at a higher layer, specifically the application layer (e.g., TLS handshake failure, certificate mismatch, or the application not listening on port 443). Flow logs capture only network-layer metadata (IP, port, protocol, action) and cannot detect application-layer errors.
Exam trap
AWS often tests the distinction between network-layer acceptance (ACCEPT in flow logs) and application-layer success, trapping candidates who assume an ACCEPT record guarantees a successful connection.
How to eliminate wrong answers
Option A is wrong because if security groups were blocking the traffic, the flow log entry would show a REJECT or DROP action, not ACCEPT. Option B is wrong because incorrect route tables would cause packet loss or unreachability, which would also result in DROP or no flow log entry for the destination, not an ACCEPT record. Option C is wrong because the flow log entry is present and shows ACCEPT, indicating the logs are capturing traffic correctly; misconfiguration would result in missing or incomplete logs, not a false ACCEPT.