VPC Flow logs

Bikram
2 min read · Sep 11, 2021


  • VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
  • Flow log data can be published to Amazon CloudWatch Logs or Amazon S3.
  • Helps you monitor and troubleshoot connectivity issues.

Three types of flow logs

  1. VPC Flow Logs
  2. Subnet Flow Logs
  3. Elastic Network Interface Flow Logs
  • You can create flow logs for network interfaces that are created by other AWS services, such as Elastic Load Balancing, Amazon RDS, Amazon ElastiCache, Amazon Redshift, Amazon WorkSpaces, NAT gateways and Transit gateways.
  • Query VPC flow logs using Athena on S3 or CloudWatch Logs Insights.

Flow Log Syntax

<version> <account-id> <interface-id> <srcaddr> <dstaddr> <srcport> <dstport> <protocol> <packets> <bytes> <start> <end> <action> <log-status>

  • <version> — The VPC Flow Logs version. The default version is 2.
  • <account-id> — The AWS account ID of the owner of the source network interface for which traffic is recorded.
  • <interface-id> — The ID of the network interface for which the traffic is recorded.
  • <srcaddr> — The source address for incoming traffic.
  • <dstaddr> — The destination address for outgoing traffic.
  • <srcport> — The source port of the traffic.
  • <dstport> — The destination port of the traffic.
  • <protocol> — The IANA protocol number of the traffic.
  • <packets> — The number of packets transferred during the flow.
  • <bytes> — The number of bytes transferred during the flow.
  • <start> — The time, in Unix seconds, when the first packet of the flow was received within the aggregation interval.
  • <end> — The time, in Unix seconds, when the last packet of the flow was received within the aggregation interval.
  • <action> — The action that is associated with the traffic:

ACCEPT — The recorded traffic was permitted by the security groups and network ACLs.

REJECT — The recorded traffic was not permitted by the security groups or network ACLs.

  • <log-status> — The logging status of the flow log:

OK — Data is logging normally to the chosen destinations.

NODATA — There was no network traffic to or from the network interface during the aggregation interval.

SKIPDATA — Some flow log records were skipped during the aggregation interval. This may be because of an internal capacity constraint, or an internal error.
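As an added example (not from the original post), the parser below reads default-format records in the field order given above, turns the "-" placeholders that NODATA and SKIPDATA records carry into None, and then counts REJECT records per source address and destination port, which is the first thing a defender usually wants from these logs. The account ID, ENI and addresses in the sample records are constructed.

```python
from collections import Counter

# Field order of the default (version 2) flow log record, from the syntax above.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

def parse_record(line):
    """Parse one record into a dict; '-' (NODATA/SKIPDATA placeholders) becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(value)
        else:
            rec[name] = value
    return rec

def rejected_flows(lines):
    """Count REJECT records per (srcaddr, dstport); NODATA/SKIPDATA intervals are skipped.
    Only records whose log-status is OK carry trustworthy traffic fields."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec["log_status"] != "OK" or rec["action"] != "REJECT":
            continue
        counts[(rec["srcaddr"], rec["dstport"])] += 1
    return counts

# Constructed sample records (account ID, ENI and addresses are made up).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.5 10.0.2.10 49152 22 6 10 840 1631318400 1631318460 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.5 40000 22 6 3 180 1631318400 1631318460 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.5 40001 3389 6 2 120 1631318400 1631318460 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.5 40002 22 6 1 60 1631318460 1631318520 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1631318520 1631318580 - NODATA
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1631318580 1631318640 - SKIPDATA
"""

if __name__ == "__main__":
    for (src, port), n in rejected_flows(SAMPLE_LOG.splitlines()).most_common():
        print(f"{src} -> port {port}: {n} rejected flow(s)")
```

The same grouping is what you would express in Athena as a GROUP BY on srcaddr and dstport with a WHERE action = 'REJECT' filter.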

Flow logs reference — https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html

AWS flow logs with Athena — https://docs.aws.amazon.com/athena/latest/ug/vpc-flow-logs.html
