Which combination of steps should the SysOps administrator take to meet this requirement?
(Choose two.)
Configure Amazon CloudWatch Logs on the elastic network interface of each task.
Configure VPC Flow Logs on the elastic network interface of each task.
Specify the awsvpc network mode in the task definition.
Specify the bridge network mode in the task definition.
Specify the host network mode in the task definition.
Explanations:
Configuring Amazon CloudWatch Logs on the elastic network interface of each task does not directly monitor traffic flows between ECS tasks. CloudWatch Logs is better suited to logging application output than to monitoring network traffic.
VPC Flow Logs capture information about the IP traffic going to and from network interfaces in your VPC. Enabling VPC Flow Logs for the elastic network interfaces of ECS tasks allows monitoring of traffic flows specifically between those tasks.
Specifying the awsvpc network mode in the task definition allocates an Elastic Network Interface (ENI) to each task, allowing each task to have its own private IP address. This is essential for monitoring traffic flows between ECS tasks since it provides detailed traffic information at the task level.
The bridge network mode does not assign a unique ENI to each task. Instead, it uses a single network interface on the host instance. This limits the ability to monitor traffic flows between tasks as they share the same network stack, making it unsuitable for the requirement.
The host network mode allows tasks to share the network stack of the underlying EC2 instance, meaning that all tasks use the instance’s network interface. This mode does not facilitate monitoring traffic flows between individual tasks, as they do not have separate network interfaces.