[AWS] VPC – VPC Flow Logs

This post covers how to monitor VPC traffic. VPC Flow Logs capture information about the IP traffic going to and from the network interfaces in a VPC.

Features

  • VPC Flow Logs can be enabled at 3 levels: VPC, Subnet, or Network Interface.
  • Once a flow log is created, you cannot change its configuration.
  • Logs can monitor:
    • Source IP address/port
    • Destination IP address/port
    • Protocol
    • Data bytes
    • ALLOW and REJECT status

Limitations

  • Flow Logs do not capture real-time log streams for your network interfaces.
  • Flow Logs do not capture the content of traffic.
  • Not all IP traffic is monitored. The following traffic types are excluded:
    • Traffic generated by instances when they contact the Amazon DNS Server.
    • Windows activation
    • Traffic for instance metadata (169.254.169.254)
    • DHCP traffic
    • Traffic to the reserved IP addresses for the default VPC router

Analyzing Logs

VPC Flow Logs can be passed to CloudWatch Logs or S3.

  • CloudWatch Logs: CloudWatch Logs knows how to interpret VPC Flow Logs data. It is more expensive than S3, but you can analyze the flows easily.
  • S3: Logs can be saved in S3 and analyzed using other tools such as Athena.
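
As an added example (not code from the original post), the following Python code parses flow log records in the default format, as they appear in a log file delivered to S3, and counts REJECT records per source address and destination port. The sample records, account id and interface id are constructed, and the function names are illustrative.

```python
from collections import Counter
from typing import NamedTuple, Optional
# Field order of the default (version 2) flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

class Flow(NamedTuple):
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int  # IANA protocol number: 1 = ICMP, 6 = TCP, 17 = UDP
    nbytes: int
    action: str    # the record's action field: ACCEPT or REJECT

def parse_record(line: str) -> Optional[Flow]:
    """Parse one record; None for header, NODATA/SKIPDATA or malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":  # header row and no-data records land here
        return None
    try:
        return Flow(rec["srcaddr"], rec["dstaddr"], int(rec["srcport"]), int(rec["dstport"]),
                    int(rec["protocol"]), int(rec["bytes"]), rec["action"])
    except ValueError:
        return None

def rejected_by_source(lines) -> Counter:
    """Count REJECT records per (source address, destination port)."""
    hits = Counter()
    for line in lines:
        flow = parse_record(line)
        if flow is not None and flow.action == "REJECT":
            hits[(flow.srcaddr, flow.dstport)] += 1
    return hits

# Constructed sample: documentation IP ranges, placeholder account and ENI ids.
SAMPLE = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-0example 198.51.100.7 10.0.1.5 44321 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0example 198.51.100.7 10.0.1.5 44322 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0example 203.0.113.9 10.0.1.5 51000 443 6 12 4200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0example 203.0.113.20 10.0.1.5 40022 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0example - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()

if __name__ == "__main__":
    print(rejected_by_source(SAMPLE).most_common())
```

Records with a log status of NODATA or SKIPDATA carry `-` in the address, port and action fields, which is why they are skipped before any integer conversion.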
