Missing Flow Logs for Subnet Troubleshooting | PCNE Exam Answer | Google Certification

Troubleshooting Missing Flow Logs for Subnet | PCNE Exam Answer

Question

You have an application hosted on a Compute Engine virtual machine instance that cannot communicate with a resource outside of its subnet.

When you review the flow and firewall logs, you do not see any denied traffic listed.

During troubleshooting you find:

- Flow logs are enabled for the VPC subnet, and all firewall rules are set to log.

- The subnetwork logs are not excluded from Stackdriver.

- The instance that is hosting the application can communicate outside the subnet.

- Other instances within the subnet can communicate outside the subnet.

- The external resource initiates communication.

What is the most likely cause of the missing log lines?

Answers

Explanations

A. B. C. D.

C.

Based on the provided information, we know that an application hosted on a Compute Engine virtual machine instance cannot communicate with a resource outside of its subnet. However, when reviewing the flow and firewall logs, no denied traffic is listed.

We also know that flow logs are enabled for the VPC subnet, and all firewall rules are set to log. The subnetwork logs are not excluded from Stackdriver. Furthermore, the instance that is hosting the application can communicate outside the subnet, and other instances within the subnet can communicate outside the subnet. The external resource initiates communication.

Given this information, we can conclude that the issue is likely related to the expected ingress or egress rule not being matched. The fact that there is no denied traffic listed suggests that the traffic is not being blocked by the firewall.

Option A, which suggests that the traffic is matching the expected ingress rule, is unlikely because if the traffic were matching the ingress rule, it would be allowed through the firewall and logged in the flow and firewall logs.

Option B, which suggests that the traffic is matching the expected egress rule, is a possibility. If the traffic is matching the egress rule, it would be allowed to leave the subnet, and the issue could be related to the external resource not being able to receive the traffic.

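Option C, which suggests that the traffic is not matching the expected ingress rule, is also a possibility. If the traffic is not matching the ingress rule, it would be blocked by the firewall and not logged in the flow and firewall logs: it falls through to the implied deny ingress rule, on which Firewall Rules Logging cannot be enabled, and VPC Flow Logs samples ingress packets only after the ingress firewall rules have been applied.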

Option D, which suggests that the traffic is not matching the expected egress rule, is less likely because if the traffic were not matching the egress rule, it would be blocked by the firewall and logged in the flow and firewall logs.

In summary, the most likely cause of the missing log lines is that the traffic is not matching the expected ingress rule (Option C). However, it is also possible that the traffic is matching the expected egress rule (Option B). Further investigation and analysis would be needed to determine the exact cause of the issue.
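
The logging behaviour behind Option C, as an added example that is not part of the original page: a simplified Python model of VPC firewall evaluation showing that a connection which misses the expected ingress allow rule lands on the implied deny rule and leaves no line in either log. The rule name, the address ranges and the helper functions are constructed for illustration; this is a model, not Google Cloud code.

```python
import ipaddress
from dataclasses import dataclass

IMPLIED_PRIORITY = 65535  # priority of the two implied rules in every VPC network

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str      # "INGRESS" or "EGRESS"
    action: str         # "allow" or "deny"
    priority: int       # lower number is evaluated first
    peer_range: str     # source range (ingress) or destination range (egress)
    ports: frozenset    # empty set means every port
    logging: bool = False
    implied: bool = False

# Implied rules always exist, and logging cannot be enabled on them.
IMPLIED = (
    Rule("implied-deny-ingress", "INGRESS", "deny", IMPLIED_PRIORITY,
         "0.0.0.0/0", frozenset(), implied=True),
    Rule("implied-allow-egress", "EGRESS", "allow", IMPLIED_PRIORITY,
         "0.0.0.0/0", frozenset(), implied=True),
)

def evaluate(rules, direction, peer_ip, port):
    """Return (matched rule name, action, firewall_log_written) for one connection."""
    candidates = [r for r in tuple(rules) + IMPLIED if r.direction == direction]
    # Lowest priority number first; at equal priority a deny beats an allow.
    candidates.sort(key=lambda r: (r.priority, r.action != "deny"))
    for r in candidates:
        in_range = ipaddress.ip_address(peer_ip) in ipaddress.ip_network(r.peer_range)
        if in_range and (not r.ports or port in r.ports):
            return r.name, r.action, r.logging and not r.implied
    raise AssertionError("unreachable: the implied rules match everything")

def flow_log_eligible(direction, action):
    """Egress is sampled before the firewall, ingress after it, so denied
    ingress packets never become eligible for a flow log record."""
    return direction == "EGRESS" or action == "allow"

# Constructed sample: the allow rule was written for 203.0.113.0/24, but the
# external resource really connects from 198.51.100.7, so it never matches.
RULES = [Rule("allow-partner-https", "INGRESS", "allow", 1000,
              "203.0.113.0/24", frozenset({443}), logging=True)]

if __name__ == "__main__":
    for src in ("203.0.113.10", "198.51.100.7"):
        name, action, fw_logged = evaluate(RULES, "INGRESS", src, 443)
        print(src, name, action, "firewall_log:", fw_logged,
              "flow_log:", flow_log_eligible("INGRESS", action))
```

In the model, only the connection from the expected range produces log entries; the mismatched source is dropped silently, which is the symptom described in the question.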