Lesson 4 taught you to debug by reasoning. This lesson gives you evidence. When "it doesn't work" strikes, AWS keeps receipts — the most important being VPC Flow Logs: a record of every connection attempt at every network interface, including the ones that were rejected. Reading them is a superpower; most engineers never learn.
Anatomy of a flow log record
One line per traffic flow per interface, space-separated. The fields you care about:
ACCEPT and REJECT mean one specific thing: what the security layer (SG + NACL) decided at that interface. That precision is the diagnostic gold — and its absence is a clue too, as you're about to see.
The flow log game
Find the smoking gun
Three incidents. For each: read the symptom, generate the logs, and click the log line that best explains the failure. (Sometimes the answer is subtle.)
Symptom: the ALB marks targets in tg-app unhealthy every ~30s, then healthy, then unhealthy. Users see intermittent 502s.
When flow logs aren't enough
Flow logs tell you what the security layer decided — but a routing failure often leaves no REJECT at all (the packet dies at a route table, never reaching an interface that would log it). For those, AWS has Reachability Analyzer: you give it a source and destination, and it computes — from your actual configuration, without sending a packet — whether a path exists, and if not, which hop breaks it ("no route to destination in rtb-0abc", "sg-app has no inbound rule matching port 8080"). It's the debugging checklist from Lesson 4, automated. Slower and per-analysis priced, so the habit is: flow logs first for allow/deny questions, Reachability Analyzer for "does a path even exist."
Loose ends worth knowing
ENI — elastic network interfaceThe actual object everything attaches to. An "instance's IP" and "instance's SGs" really belong to its ENI. ECS awsvpc-mode tasks each get their own ENI — which is why each task can wear its own security group.
Elastic IPA static public IPv4 you own and can re-attach — to an instance, a NAT gateway, an NLB. Scarce and now billed per hour. ALBs can't use them (their IPs float); that's an NLB feature.
IPv6 & the egress-only IGWIPv6 addresses in a VPC are globally routable — there's no NAT because there's no address shortage. The private-subnet pattern becomes an egress-only internet gateway: outbound allowed, inbound connections refused. Same effect as NAT, different mechanism.
MTU & jumbo framesPackets have a max size (1500 bytes on the internet, up to 9001 inside a VPC). Mismatches cause the weirdest symptom in networking: small requests work, big ones hang. If SSH connects but the big file transfer freezes — think MTU.
The complete debugging liturgy
Name — does DNS resolve, and to what you expect? (dig, Lesson 5)
Path — do route tables give the packet somewhere to go, both directions? (Lessons 1 & 6; Reachability Analyzer)
Permission — do SGs/NACLs admit it? Flow logs answer definitively: REJECT = security, no line at all = usually path. (Lesson 2, this lesson)
Health — is the target in rotation, is the listener rule matching? (Lesson 3)
Application — only now blame the code. Something must be listening on the port the target group points at.
Course complete. You've now covered addressing (VPC/CIDR), reachability (routes, IGW, NAT), permission (SG/NACL), distribution (ALB), naming (DNS), inter-network topology (peering/TGW/hybrid), private service access (endpoints/PrivateLink), the edge (CDN/TLS/WAF), and evidence (flow logs). That's the full working vocabulary of cloud networking — everything else is composition of these ten ideas.
Final check
1. Flow logs for a failing connection show the outbound ACCEPT at the source ENI — and no line at all at the destination ENI. Most likely layer?
An SG denial would produce a REJECT line at the destination ENI. Silence means the packet never got there — missing route, wrong route table, blackholed peering. This "absence of evidence IS evidence" trick is the sharpest tool in flow log reading.
2. A connection shows ACCEPT at the destination ENI, but the client still gets "connection refused." What layer is broken?
ACCEPT means SG and NACL both admitted the packet to the host. A "connection refused" (TCP RST) after that is the operating system saying no process is bound to the port — wrong port in the target group, crashed process, container not started. Step 5 of the liturgy.
3. Which failure would flow logs NOT directly reveal?
Flow logs see VPC network interfaces. A cache hit at a CloudFront edge never generates VPC traffic at all — the request is answered before it reaches your network. Edge problems need edge telemetry (CloudFront logs, x-cache headers).