You are an architect in your organization.
One of the application team in your organization comes to you stating recently they noticed the requests sending from an EC2 instance to an RDS in the same VPC but in another subnet are getting timed out.
They claim that connections were working before.
How do you troubleshoot this issue?
Click on the arrows to vote for the correct answer
A. B. C. D.Answer: A.
For option A, VPC Flow Logs captures IP traffic going to and from network interfaces in your VPC.
Flow log data is stored using Amazon CloudWatch Logs.
After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs.
You can create a flow log for a VPC, a subnet, or a network interface.
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html#flow-logs-basicsVPC Flow Logs capture following information and logs them to CloudWatch logs,
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status.
Find more information about each record here.
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html#flow-log-recordsSo, using VPC flow logs, we can identify if the traffic is being rejected by RDS instance when sent from the EC2 instance on a certain port.
From there on, we can identify if there any overly restrictive Security Group rules or Network ACL rules.
For option B, CloudWatch metrics for RDS gives the details about RDS underlying database instance metrics.
But this does not contain details about networking requests sent to RDS instance.
For more information on CloudWatch metrics for RDS, refer documentation here.
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/rds-For option C, RDS underlying OS is managed by AWS and cannot be accessed by AWS customers.
For option D, enabling OS level logs at the EC2 instance where the request is being made does not provide any information on why the request is being timed out at RDS instance.
So, the correct answer is option A.
To troubleshoot the issue of timed-out requests from an EC2 instance to an RDS instance in the same VPC but in another subnet, the following steps can be taken:
Verify the connectivity between the two subnets: The first step is to verify if there is connectivity between the subnets where the EC2 instance and RDS instance are launched. This can be done by checking the network ACLs and security groups attached to the subnets. Ensure that the necessary ports are open in the security groups and network ACLs.
Check the VPC routing: Check if the VPC routing is configured correctly. Ensure that the subnets have the correct route tables attached to them. The EC2 instance should be able to communicate with the RDS instance through the correct route.
Check the RDS instance status: Check the status of the RDS instance. Ensure that the RDS instance is running, and there are no performance issues.
Create VPC flow logs: Create VPC flow logs for the subnet where the RDS instance is launched. This will help to identify the traffic flow between the EC2 instance and RDS instance. It will provide information on the source and destination IP addresses, ports, and protocol.
Check CloudWatch metrics: Check the CloudWatch metrics for the RDS instance. The CloudWatch metrics provide information on the RDS instance's CPU usage, network throughput, disk usage, and other performance metrics. This will help to identify any performance issues with the RDS instance.
Check OS-level logs: Check the OS-level logs inside the RDS instance and EC2 instance. The logs may provide information on any errors or issues related to the database or application.
In summary, to troubleshoot the issue of timed-out requests from an EC2 instance to an RDS instance in the same VPC but in another subnet, you should verify the connectivity between the subnets, check the VPC routing, check the RDS instance status, create VPC flow logs, check CloudWatch metrics, and check the OS-level logs.