4164. AWS-VPC Flow Logs
AWS and VPC Flow Logs


Monitor the traffic with VPC Flow Logs.

1. VPC Flow Logs

1.1 What are VPC Flow Logs

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored in Amazon CloudWatch Logs. After you’ve created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs.

1.2 Usage of Flow Logs

Flow logs can help you with a number of tasks, such as:

  • Diagnosing overly restrictive security group rules.
  • Monitoring the traffic that is reaching your instance.
  • Determining the direction of the traffic to and from the network interfaces.

1.3 Logging Level

Flow logs can be created at three levels:

  • VPC
  • Subnet
  • Network interface

1.4 Summary of VPC Flow Logs

  • You cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account.
  • You cannot tag a flow log.
  • After you’ve created a flow log, you cannot change its configuration; for example, you can’t associate a different IAM role with the flow log.

Not all IP traffic is monitored. The following traffic is not captured:

  • Traffic generated by instances when they contact the Amazon DNS server. If you use your own DNS server, then all traffic to that DNS server is logged.
  • Traffic generated by a Windows instance for Amazon Windows license activation.
  • Traffic to and from 169.254.169.254 for instance metadata.
  • DHCP traffic.
  • Traffic to the reserved IP address for the default VPC router.

2. Lab - VPC Flow Logs

2.1 Creating Log Group in CloudWatch

Go to Services->Management & Governance->CloudWatch->Logs->Create log group.

2.2 Creating the Flow Log

  • Go to the VPC console, select the custom VPC, then Actions->Create flow log. This VPC is used by a web server instance.
  • Click the link “Set Up Permissions”.
  • Create a new role and click Allow.
  • Go back to create the flow log. The flow log is now enabled.

2.3 Viewing the Logs

  • Visit the web page hosted by the web server instance to trigger the logging.
  • Go to CloudWatch, select Logs and click the log group. You will see some log streams, one per network interface.
  • Click on any of them to see the detailed flow log records.
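Once records appear in the log stream, the use cases from section 1.2 (diagnosing overly restrictive security group rules and determining traffic direction) come down to parsing them. The following is an added example, not code from the original post or from AWS: it parses records in the default flow log format (version 2: version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status) and counts REJECTed flows by direction and destination port. The sample records and the VPC range 10.0.0.0/16 are constructed for illustration.

```python
"""Summarise REJECTed flows from default-format VPC Flow Log records."""
import ipaddress
from collections import Counter
from typing import Dict, List, NamedTuple

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample records (not real account, ENI or address data).
SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.20 44321 80 6 10 1500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.20 44322 443 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 51000 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 198.51.100.7 22 51000 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


class FlowRecord(NamedTuple):
    interface_id: str
    srcaddr: str
    dstaddr: str
    dstport: int
    protocol: int
    action: str


def parse_flow_log(text: str) -> List[FlowRecord]:
    """Parse space-separated default-format records, skipping NODATA/SKIPDATA rows."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line, or a custom format with other fields
        row = dict(zip(FIELDS, parts))
        if row["log_status"] != "OK":
            continue  # NODATA / SKIPDATA rows carry no traffic fields
        records.append(FlowRecord(row["interface_id"], row["srcaddr"], row["dstaddr"],
                                  int(row["dstport"]), int(row["protocol"]), row["action"]))
    return records


def rejected_by_direction(records: List[FlowRecord], vpc_cidr: str) -> Dict[str, Counter]:
    """Count REJECTed flows per destination port, split into ingress (dstaddr inside
    the VPC range) and egress (dstaddr outside it). A high count on one port usually
    points at a security group or NACL rule that is too restrictive."""
    vpc = ipaddress.ip_network(vpc_cidr)
    summary = {"ingress": Counter(), "egress": Counter()}
    for rec in records:
        if rec.action != "REJECT":
            continue
        direction = "ingress" if ipaddress.ip_address(rec.dstaddr) in vpc else "egress"
        summary[direction][rec.dstport] += 1
    return summary


if __name__ == "__main__":
    print(rejected_by_direction(parse_flow_log(SAMPLE_RECORDS), "10.0.0.0/16"))
```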
