VPC Flow logs

  • VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
  • Flow log data can be published to Amazon CloudWatch Logs or Amazon S3.
  • Helps to monitor and troubleshoot connectivity issues.
  • Flow logs can be created at three levels:
  1. VPC Flow Logs
  2. Subnet Flow Logs
  3. Elastic Network Interface Flow Logs
  • You can create flow logs for network interfaces that are created by other AWS services, such as Elastic Load Balancing, Amazon RDS, Amazon ElastiCache, Amazon Redshift, Amazon WorkSpaces, NAT gateways, and Transit gateways.
  • Query VPC flow logs using Athena on S3 or CloudWatch Logs Insights.
  • Each default-format record contains the following fields, in this order:
  • <version> — The VPC Flow Logs version. The default version is 2.
  • <account-id> — The AWS account ID of the owner of the source network interface for which traffic is recorded.
  • <interface-id> — The ID of the network interface for which the traffic is recorded.
  • <srcaddr> — The source address for incoming traffic.
  • <dstaddr> — The destination address for outgoing traffic.
  • <srcport> — The source port of the traffic.
  • <dstport> — The destination port of the traffic.
  • <protocol> — The IANA protocol number of the traffic.
  • <packets> — The number of packets transferred during the flow.
  • <bytes> — The number of bytes transferred during the flow.
  • <start> — The time, in Unix seconds, when the first packet of the flow was received within the aggregation interval.
  • <end> — The time, in Unix seconds, when the last packet of the flow was received within the aggregation interval.
  • <action> — The action that is associated with the traffic:
  • <log-status> — The logging status of the flow log:
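As an added example (not code from the original post), here is a small Python parser for default-format version 2 records that follows the field order listed above and then counts REJECT flows per source address and destination port, the kind of summary a defender would alert on. The sample records are constructed, not real data; fields that AWS writes as "-" (for example in NODATA records) are mapped to None.

```python
from collections import Counter

# Field order of a default-format (version 2) flow log record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol",
              "packets", "bytes", "start", "end"}


def parse_record(line: str) -> dict:
    """Parse one space-separated record into a dict.

    A '-' means the field was not available (NODATA / SKIPDATA records)
    and is mapped to None instead of being treated as a value.
    """
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(value)
        else:
            rec[name] = value
    return rec


def rejected_by_source(lines) -> Counter:
    """Count REJECT flows per (srcaddr, dstport) over OK records only.

    Many rejects from one source across several ports is a pattern
    worth surfacing when reviewing security group / NACL hits.
    """
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["log_status"] == "OK" and rec["action"] == "REJECT":
            counts[(rec["srcaddr"], rec["dstport"])] += 1
    return counts


# Constructed sample records (account id, ENI id and addresses are made up).
SAMPLE = """\
2 111122223333 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.1.25 44120 22 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.1.25 44121 3389 6 2 120 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.1.25 44122 22 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 10.0.1.30 10.0.1.25 51000 443 6 20 4249 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60001 - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    for (src, port), n in rejected_by_source(SAMPLE.splitlines()).most_common():
        print(f"{src} -> dstport {port}: {n} rejected flow(s)")
```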
