Ensure Network Traffic Capture for Analysis - PCDE Exam Answer

Capture Network Traffic for Analysis

Question

You are running a real-time gaming application on Compute Engine that has a production and testing environment.

Each environment has its own Virtual Private Cloud (VPC) network.

The application frontend and backend servers are located on different subnets in the environment's VPC.

You suspect there is a malicious process communicating intermittently in your production frontend servers.

You want to ensure that network traffic is captured for analysis.

What should you do?

Answers

A. Enable VPC Flow Logs on the production VPC network frontend and backend subnets only, with a sample volume scale of 0.5.

B. Enable VPC Flow Logs on the production VPC network frontend and backend subnets only, with a sample volume scale of 1.0.

C. Enable VPC Flow Logs on both the testing and production VPC network frontend and backend subnets, with a sample volume scale of 0.5.

D. Enable VPC Flow Logs on both the testing and production VPC network frontend and backend subnets, with a sample volume scale of 1.0.

Explanations

To capture network traffic for analysis when malicious activity is suspected, the recommended course of action is to enable VPC Flow Logs. VPC Flow Logs are enabled per subnet and record IP flows going to and from the VM network interfaces in that subnet: source and destination IP addresses and ports, the protocol, the amount of data transferred (bytes and packets), and the start and end time of each aggregated flow record. The records land in Cloud Logging and can be exported to BigQuery or Pub/Sub for analysis. Note that flow logs are flow metadata, not packet payloads; if the investigation needs the content of the traffic, Packet Mirroring is the tool for that, with flow logs pointing you to the hosts and connections worth mirroring.

In this scenario there are two environments, production and testing, each with its own VPC network. The application frontend and backend servers are located on different subnets within each environment's VPC, so each subnet must be configured separately, and the suspected malicious process is on the production frontend servers.

Option A suggests enabling VPC Flow Logs only on the production VPC network frontend and backend subnets with a sample volume scale of 0.5. This means that only about half of the generated flow records are kept. While this reduces log volume and cost, an intermittent process that produces only a handful of flow records has a real chance of leaving no trace at all: if records are dropped independently, a connection that generated four records is missed entirely with probability 0.5^4, about 6%, and a single-connection event is missed half the time.

Option B suggests enabling VPC Flow Logs on the production VPC network frontend and backend subnets only, with a sample volume scale of 1.0. This means that every flow record the subnets generate is kept, so no connection from the frontend servers is silently dropped at the logging stage. Covering the backend subnet as well matters, because it records the same frontend traffic from the other side and any lateral movement toward the backend. This option is a better choice than Option A.

Option C suggests enabling VPC Flow Logs on both the testing and production VPC network frontend and backend subnets with a sample volume scale of 0.5. This has the same sampling gap as Option A, and the testing VPC is a separate network in which nothing suspicious has been reported; logging it adds cost and log volume without contributing evidence about the production frontend servers.

Option D suggests enabling VPC Flow Logs on both the testing and production VPC network frontend and backend subnets with a sample volume scale of 1.0. This captures everything that Option B captures, but again extends logging to the testing VPC, which is outside the scope of the suspected activity and roughly doubles the log volume and cost for no additional evidence.

In summary, the best option in this scenario is to enable VPC Flow Logs on the production VPC network frontend and backend subnets with a sample volume scale of 1.0 (Option B), as it keeps every flow record from the affected subnets without paying for the unaffected testing environment. Option D would only be justified if the testing environment were also suspected, which the question does not indicate. In practice, also set the shortest aggregation interval (5 seconds) on those subnets so that short, intermittent connections show up as distinct records rather than being folded into longer aggregation windows.
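As an added example (not part of the original exam answer), the following Python script shows what the analysis side of this decision looks like: it parses exported VPC Flow Logs entries and flags frontend-to-external connections that recur at a near-constant interval, which is the signature of an intermittent beacon. The subnet ranges, project name, host addresses and log lines are constructed for the example; the entry fields used (`jsonPayload.connection.*`, `bytes_sent`, `start_time`) follow the VPC Flow Logs record format, and the `gcloud` command in the header comment is the standard way to turn on 1.0 sampling with the 5-second aggregation interval on one subnet.

```python
"""Triage exported VPC Flow Logs for intermittent (beaconing) egress from frontend servers.

Enable the logs first on each production subnet (run once per subnet), e.g.:
  gcloud compute networks subnets update prod-frontend --region=us-central1 \
      --enable-flow-logs --logging-flow-sampling=1.0 \
      --logging-aggregation-interval=interval-5-sec
Then export the vpc_flows entries as JSON lines and feed them to this script.
"""
import ipaddress
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed subnet ranges; the exam question names none.
PROD_SUBNETS = {
    "prod-frontend": ipaddress.ip_network("10.10.1.0/24"),
    "prod-backend": ipaddress.ip_network("10.10.2.0/24"),
}


def parse_entry(line):
    """Extract the flow fields from one exported VPC Flow Logs entry."""
    payload = json.loads(line)["jsonPayload"]
    conn = payload["connection"]
    return {
        "src_ip": conn["src_ip"],
        "dest_ip": conn["dest_ip"],
        "dest_port": conn["dest_port"],
        "protocol": conn["protocol"],          # IANA number: 6 = TCP, 17 = UDP
        "bytes": int(payload["bytes_sent"]),   # exported as a string
        "start": datetime.fromisoformat(payload["start_time"].replace("Z", "+00:00")),
    }


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in PROD_SUBNETS.values())


def find_periodic_egress(lines, min_flows=3, max_jitter=0.2):
    """Flag frontend -> external flows repeating at a near-constant interval.

    Records are grouped by (src, dst, dport, proto). For each group with at least
    min_flows records, jitter = stddev(gaps between start times) / mean(gaps);
    a beacon has low jitter, human or batch traffic does not.
    """
    groups = defaultdict(list)
    for line in lines:
        f = parse_entry(line)
        from_frontend = ipaddress.ip_address(f["src_ip"]) in PROD_SUBNETS["prod-frontend"]
        if from_frontend and not is_internal(f["dest_ip"]):
            groups[(f["src_ip"], f["dest_ip"], f["dest_port"], f["protocol"])].append(f)
    findings = []
    for (src, dst, port, proto), recs in groups.items():
        if len(recs) < min_flows:
            continue
        starts = sorted(r["start"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        if jitter <= max_jitter:
            findings.append({"src_ip": src, "dest_ip": dst, "dest_port": port,
                             "protocol": proto, "count": len(recs),
                             "period_s": round(mean_gap, 1),
                             "bytes": sum(r["bytes"] for r in recs)})
    return findings


def missed_probability(sample_rate, n_records):
    """Chance that none of n records survive if each is kept independently with
    probability sample_rate (a simplification of the secondary sampling)."""
    return (1.0 - sample_rate) ** n_records


def _entry(src, dst, port, proto, nbytes, ts):
    """Build one constructed log line shaped like an exported vpc_flows entry."""
    return json.dumps({
        "logName": "projects/example-project/logs/compute.googleapis.com%2Fvpc_flows",
        "resource": {"type": "gce_subnetwork"},
        "jsonPayload": {"connection": {"src_ip": src, "src_port": 51000, "dest_ip": dst,
                                       "dest_port": port, "protocol": proto},
                        "bytes_sent": str(nbytes), "packets_sent": "4",
                        "reporter": "SRC", "start_time": ts, "end_time": ts}})


# Constructed sample: a 5-minute beacon from 10.10.1.5, normal frontend->backend
# calls, and irregular downloads from 10.10.1.6 that must not be flagged.
SAMPLE_LOG = [
    _entry("10.10.1.5", "203.0.113.7", 443, 6, 512, "2024-03-01T10:00:00Z"),
    _entry("10.10.1.5", "203.0.113.7", 443, 6, 498, "2024-03-01T10:05:02Z"),
    _entry("10.10.1.5", "203.0.113.7", 443, 6, 530, "2024-03-01T10:09:59Z"),
    _entry("10.10.1.5", "203.0.113.7", 443, 6, 505, "2024-03-01T10:15:01Z"),
    _entry("10.10.1.5", "10.10.2.10", 8080, 6, 20000, "2024-03-01T10:00:10Z"),
    _entry("10.10.1.6", "10.10.2.10", 8080, 6, 18000, "2024-03-01T10:03:10Z"),
    _entry("10.10.1.6", "198.51.100.20", 443, 6, 900000, "2024-03-01T10:01:00Z"),
    _entry("10.10.1.6", "198.51.100.20", 443, 6, 5000, "2024-03-01T10:30:00Z"),
    _entry("10.10.1.6", "198.51.100.20", 443, 6, 7000, "2024-03-01T11:45:00Z"),
]

if __name__ == "__main__":
    for hit in find_periodic_egress(SAMPLE_LOG):
        print(hit)
    print("P(4-record beacon leaves no log at 0.5 sampling):", missed_probability(0.5, 4))
```

With the sample above only the 10.10.1.5 -> 203.0.113.7:443 group is reported (four records, about 300 s apart, 2045 bytes); the downloads from 10.10.1.6 have too much jitter. `missed_probability` makes the sampling trade-off concrete: at 0.5 the same four-record beacon has a 6.25% chance of never appearing in the logs, at 1.0 it is zero. The jitter threshold is a tuning knob; real beacons often add deliberate jitter, so start loose and tighten once you know the noise level of your own flows.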