Latest revision as of 00:53, 3 February 2025
Setting Up VPC Flow Logs and Using Them for Troubleshooting Network Issues
Introduction
VPC Flow Logs capture network traffic metadata in AWS, allowing visibility into IP traffic to and from network interfaces in a VPC. This guide covers:
- How to set up VPC Flow Logs using the AWS Console, CLI, and Terraform.
- Best practices for storing and analyzing flow logs.
- How to use flow logs for troubleshooting network connectivity issues.
Prerequisites
Before proceeding, ensure the following:
- AWS IAM permissions to create VPC Flow Logs and configure logging destinations.
- An existing AWS VPC with resources (EC2, ALBs, VPNs, etc.).
- CloudWatch Logs, S3, or Kinesis configured as a log destination (for analysis).
Enabling VPC Flow Logs
Option 1: Using AWS Console
- Navigate to VPC > Your VPCs in the AWS Management Console.
- Select the target VPC, then click Actions > Create Flow Log.
- Configure the following:
- Filter: Choose All, Reject, or Accept.
- Destination: Select CloudWatch Logs, S3, or Kinesis Data Firehose.
- If using CloudWatch, create or select a log group.
- If using S3, specify the bucket ARN.
- Click Create Flow Log. The log will start capturing network traffic.
Option 2: Using AWS CLI
<syntaxhighlight lang="bash">
aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids vpc-12345678 \
  --traffic-type ALL \
  --log-destination-type cloud-watch-logs \
  --log-group-name vpc-flow-logs-group \
  --deliver-logs-permission-arn arn:aws:iam::123456789012:role/FlowLogsRole
</syntaxhighlight>
Option 3: Using Terraform
<syntaxhighlight lang="hcl">
resource "aws_flow_log" "vpc_flow_log" {
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.vpc_flow_logs.arn
  traffic_type         = "ALL"
  vpc_id               = "vpc-12345678"
  iam_role_arn         = aws_iam_role.flow_logs_role.arn
}

resource "aws_cloudwatch_log_group" "vpc_flow_logs" {
  name = "vpc-flow-logs-group"
}

# Trust policy only: this role must also be given a permissions policy that
# allows logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents,
# logs:DescribeLogGroups and logs:DescribeLogStreams on the log group,
# otherwise the flow log is created but no records are delivered.
resource "aws_iam_role" "flow_logs_role" {
  name = "FlowLogsRole"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action    = "sts:AssumeRole"
      Effect    = "Allow"
      Principal = { Service = "vpc-flow-logs.amazonaws.com" }
    }]
  })
}
</syntaxhighlight>
Understanding VPC Flow Log Fields
A sample flow log entry (default format, version 2):
<syntaxhighlight lang="text">
2 123456789012 eni-abc12345 192.168.1.10 10.0.0.5 443 32768 6 10 500 1612345678 1612345680 ACCEPT OK
</syntaxhighlight>
Key fields explained, in the order they appear:
- version: Flow log format version (2 in the sample).
- account-id: AWS account ID that owns the network interface.
- interface-id: ID of the network interface (ENI) the traffic was recorded on.
- srcaddr: Source IP address.
- dstaddr: Destination IP address.
- srcport / dstport: Source and destination ports.
- protocol: IANA protocol number (e.g., 6 for TCP, 17 for UDP).
- packets / bytes: Number of packets and bytes transferred during the aggregation window.
- start / end: Unix timestamps (seconds) of the first and last packet in the window.
- action: ACCEPT or REJECT.
- log-status: OK (data logged normally), NODATA (no traffic in the window), SKIPDATA (some records were dropped, e.g. due to an internal capacity constraint).
Analyzing VPC Flow Logs for Troubleshooting
VPC Flow Logs help diagnose common network issues, including:
- Connectivity issues between instances
- Blocked traffic due to security groups or NACLs
- VPN and Direct Connect connectivity problems
- Unusual traffic patterns (potential security threats)
Example 1: Identifying Dropped Traffic
To check if security groups or NACLs are blocking traffic:
- Open CloudWatch Logs and search for <code>REJECT</code>.
- Look at the srcaddr, dstaddr, protocol, and port fields to identify blocked requests.
- Verify security group rules and NACLs for the VPC, subnets, and instances.
Example 2: Investigating VPN Issues
If a site-to-site VPN is not working:
- Filter logs by the VPN's Elastic Network Interface (ENI), e.g. <code>eni-abc12345</code>.
- Look for traffic being rejected between AWS and on-prem IPs.
- Check if the VPC route table has correct routes for on-prem networks.
Example 3: Analyzing Latency or Slow Performance
- Look for flows with many packets and a long gap between their <code>start</code> and <code>end</code> timestamps.
- Compare flow logs from multiple ENIs to isolate slow responses.
Example 4: Detecting Unusual Traffic Patterns
- Search logs for unexpectedly high traffic from a single IP, e.g. <code>192.168.1.100</code>.
- If an unexpected external IP is generating high traffic, investigate possible security incidents.
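The four checks above, as an added example that is not part of the original page: a small Python parser for the default (version 2) flow log format, with one helper per troubleshooting example, run over constructed sample records. The first sample line is the article's own entry; the other lines, the second ENI and the 203.0.113.7 address are made up for illustration.

```python
from collections import Counter
# Field order of the default (version 2) VPC Flow Log format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets",
              "bytes", "start", "end"}

# Constructed sample records (first line is the article's own sample entry).
SAMPLE_LOGS = """\
2 123456789012 eni-abc12345 192.168.1.10 10.0.0.5 443 32768 6 10 500 1612345678 1612345680 ACCEPT OK
2 123456789012 eni-abc12345 203.0.113.7 10.0.0.5 51515 22 6 3 180 1612345690 1612345695 REJECT OK
2 123456789012 eni-def67890 10.0.0.5 192.168.1.10 32768 443 6 8 4100 1612345700 1612345760 ACCEPT OK
2 123456789012 eni-def67890 - - - - - - - 1612345700 1612345760 - NODATA
2 123456789012 eni-abc12345 203.0.113.7 10.0.0.5 51516 3389 6 5 300 1612345800 1612345801 REJECT OK
"""

def _coerce(name, value):
    """'-' means the field is absent (NODATA/SKIPDATA records have no traffic fields)."""
    if value == "-":
        return None
    return int(value) if name in INT_FIELDS else value

def parse_record(line):
    """Split one whitespace-delimited default-format record into a dict."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return {n: _coerce(n, v) for n, v in zip(FIELDS, parts)}

def parse_logs(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]

def rejected(records, eni=None):
    """Examples 1 and 2: REJECT records, optionally limited to one ENI."""
    return [r for r in records if r["action"] == "REJECT"
            and (eni is None or r["interface_id"] == eni)]

def long_flows(records, min_seconds):
    """Example 3: OK flows whose start..end window spans >= min_seconds (NODATA skipped)."""
    return [r for r in records if r["log_status"] == "OK"
            and r["end"] - r["start"] >= min_seconds]

def bytes_by_source(records):
    """Example 4: bytes per source address, largest first (top talkers)."""
    totals = Counter()
    for r in records:
        if r["srcaddr"] is not None:
            totals[r["srcaddr"]] += r["bytes"]
    return totals.most_common()
```

The NODATA record is kept by the parser but excluded from the duration and top-talker checks, since its traffic fields are empty; the same parser works on records downloaded from S3 or exported from CloudWatch Logs.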
Best Practices for Managing VPC Flow Logs
Storage and Retention
- Use S3 for long-term storage and archiving.
- Apply lifecycle policies to delete old logs and reduce storage costs.
Performance Optimization
- Filter logs to capture only necessary traffic (e.g., REJECT logs).
- Use Kinesis Data Firehose for real-time log streaming and analysis.
Security Best Practices
- Restrict access to logs using IAM policies.
- Enable AWS CloudTrail to track who enabled or modified flow logs.
Conclusion
VPC Flow Logs provide deep insights into AWS network traffic. By enabling logs and analyzing them efficiently, you can quickly troubleshoot and optimize AWS networking. Using CloudWatch Insights, S3 analytics, and structured queries, teams can automate monitoring and enhance security.
For further automation, consider integrating Amazon Athena to query large datasets stored in S3.