This post deals with how to monitor VPC traffic. VPC Flow Logs capture IP traffic information going to or from the network interfaces in a VPC.
Features
- VPC Flow Logs can be enabled at 3 levels: VPC, Subnet, or Network Interface.
- Once a flow log is created, you cannot change its configurations.
- Logs can record:
  - Source IP address/port
  - Destination IP address/port
  - Protocol
  - Data bytes
  - ALLOW and REJECT status
Settings
- Name
- Filter
  - Accept, Reject, or All
- Destination
  - CloudWatch Logs
  - S3
  - Kinesis Firehose
- Log Record Format
  - AWS Default format
  - Custom Format
- AWS default format (space-separated fields, in this order):
  ${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}
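As an added example (not code from the original post), here is a small Python parser for the default format above, run over constructed sample records. It counts REJECTed flows per source address and destination port, and skips NODATA records, whose traffic fields are written as '-'.

```python
from collections import Counter

# Field names in the order of the AWS default (version 2) flow log format.
DEFAULT_FIELDS = [
    "version", "account-id", "interface-id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log-status",
]

# Constructed sample records (not real traffic). The last one is a NODATA
# record: AWS writes '-' for every field it could not populate.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 44210 22 6 5 300 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 44211 22 6 5 300 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.9 51000 443 6 20 4100 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 44212 3389 6 3 180 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000059 - NODATA
"""


def parse_record(line):
    """Split one default-format record into a dict; '-' means 'no value'."""
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS):
        raise ValueError(f"expected {len(DEFAULT_FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(DEFAULT_FIELDS, parts))
    # Numeric fields become ints; a '-' placeholder becomes None.
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def rejected_by_source(log_text):
    """Count REJECTed flows per (srcaddr, dstport).

    Records whose log-status is not OK (NODATA, SKIPDATA) carry no address
    or action, so they are skipped rather than miscounted.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec["log-status"] != "OK":
            continue
        if rec["action"] == "REJECT":
            counts[(rec["srcaddr"], rec["dstport"])] += 1
    return counts


if __name__ == "__main__":
    for (src, port), n in rejected_by_source(SAMPLE_LOG).most_common():
        print(f"{src} -> dst port {port}: {n} rejected flow(s)")
```

The same parser works on records exported to S3 or CloudWatch Logs, as long as the log group or bucket uses the default format; a custom format needs its own field list.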
Limitations
- Flow Logs do not capture real-time log streams for your network interfaces.
- Flow Logs do not capture the content of traffic.
- Not all IP traffic is captured. The following traffic types are excluded:
  - Traffic generated by instances when they contact the Amazon DNS server
  - Windows activation traffic
  - Traffic to and from the instance metadata service (169.254.169.254)
  - DHCP traffic
  - Traffic to the reserved IP addresses for the default VPC router
Analyzing Logs
VPC Flow Logs can be passed to CloudWatch Logs, S3, or Kinesis Firehose.
- CloudWatch Logs: it understands the VPC Flow Logs record format, so the fields can be queried directly. It is more expensive than S3, but the flows are easy to analyze.
- S3: logs can be stored in S3 and analyzed with other tools, such as Athena.
