This post deals with how to monitor VPC traffic. VPC Flow Logs can capture IP traffic information going to and from the network interfaces in a VPC.
Features
- VPC Flow Logs can be enabled at 3 levels: VPC, Subnet, or Network Interface.
- Once a flow log is created, you cannot change its configurations.
- Logs can monitor:
  - Source IP address/port
  - Destination IP address/port
  - Protocol
  - Data bytes
  - ALLOW and REJECT status
Limitations
- Flow Logs do not capture real-time log streams for your network interfaces.
- Flow Logs do not capture the content of traffic.
- Not all IP traffic is monitored. The following traffic types are excluded:
  - Traffic generated by instances when they contact the Amazon DNS Server.
  - Windows activation
  - Traffic for instance metadata (169.254.169.254)
  - DHCP traffic
  - Traffic to the reserved IP addresses for the default VPC router
Analyzing Logs
VPC Flow Logs can be passed to CloudWatch Logs or S3.
- CloudWatch Logs: It knows how to interpret VPC Flow Logs data. It is more expensive than S3, but you can analyze the flows easily.
- S3: Logs can be saved in S3 and analyzed using other tools such as Athena.
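As an added example (not code from the original post), the following parser reads records in the default VPC Flow Log format, which carries the fields listed under "Features" above (source/destination address and port, protocol, bytes, action), and summarizes them the way a simple analysis job over S3-exported logs might. The sample records are constructed, the interface and account IDs are placeholders, and the function names are my own; records whose log-status is NODATA or SKIPDATA carry "-" in the traffic fields and are skipped.

```python
from collections import Counter

# Field order of the default (version 2) VPC Flow Log record format.
DEFAULT_FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
)
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample records (placeholder account/interface IDs, documentation IP ranges).
# The default format records the action as ACCEPT or REJECT.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.2.20 49152 22 6 10 840 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.20 53211 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.20 53212 3389 6 1 40 1700000001 1700000061 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 10.0.1.15 22 49152 6 8 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records into dicts, dropping records without traffic data."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(DEFAULT_FIELDS):
            continue  # malformed or custom-format line: skip rather than misalign fields
        rec = dict(zip(DEFAULT_FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA: traffic fields are "-" and cannot be parsed
        for field in INT_FIELDS:
            rec[field] = int(rec[field])
        records.append(rec)
    return records


def rejected_by_destination(records):
    """Count REJECT records per (dstaddr, dstport, protocol).

    Repeated rejects against one destination port are the pattern a
    security-group review or alert would start from."""
    return Counter((r["dstaddr"], r["dstport"], r["protocol"])
                   for r in records if r["action"] == "REJECT")


def bytes_by_source(records):
    """Total bytes sent per source address over accepted flows (egress volume check)."""
    totals = Counter()
    for r in records:
        if r["action"] == "ACCEPT":
            totals[r["srcaddr"]] += r["bytes"]
    return dict(totals)
```

The same two summaries map directly onto GROUP BY queries in Athena once the S3-delivered logs are registered as a table.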