What are VPC Flow Logs?
- Purpose: VPC Flow Logs capture metadata about the IP traffic going to and from network interfaces in your VPC: addresses, ports, protocol, packet and byte counts, and whether the flow was accepted or rejected, but not packet payloads. A flow log can be created for a whole VPC, a subnet, or a single Elastic Network Interface (ENI); in every case the records are produced per ENI. Some traffic is never logged, including queries to the Amazon DNS resolver, requests to the instance metadata service (169.254.169.254), DHCP traffic, and traffic to the default VPC router, so their absence from the logs is not evidence that it did not happen.
- Utility: They're instrumental for monitoring network traffic, troubleshooting connectivity issues, and understanding network behavior within a VPC.
Features and Benefits
- Destinations: Flow logs can be published to Amazon S3, CloudWatch Logs, or Kinesis Data Firehose, so you can choose the storage and analysis path that fits: low-cost long-term retention in S3, or interactive querying and alarming in CloudWatch.
- Support for AWS Managed Interfaces: They capture traffic for AWS managed services like ELB, RDS, ElastiCache, Redshift, WorkSpaces, NAT Gateway, and Transit Gateway, providing a comprehensive view of network activity.
- Data Fields: A default-format (version 2) record carries the version, account ID, interface ID, source and destination address, source and destination port, protocol number, packet and byte counts, the start and end of the aggregation window, the action (ACCEPT or REJECT), and a log status (OK, NODATA, or SKIPDATA). Custom formats can add further fields such as vpc-id, tcp-flags, and flow-direction. A field that does not apply to a record (for example every traffic field of a NODATA row) is written as "-".
- Security Insights: By analyzing the source and destination IP addresses and ports, and the action taken (ACCEPT or REJECT), you can identify potential security threats or misconfigurations in security groups and network ACLs (Access Control Lists).

Analyzing VPC Flow Logs
- Troubleshooting Security Groups and NACLs: The action field shows whether a flow was ACCEPTed or REJECTed, which is the first thing to check when connectivity fails. A record does not say which of the two controls rejected it, but the stateful/stateless difference usually tells you: security groups are stateful and automatically allow the return half of an accepted flow, while NACLs are stateless and evaluate each direction on its own, so an inbound request logged as ACCEPT followed by its outbound response logged as REJECT points at a NACL rule (typically a missing outbound allow for ephemeral ports).
- Analytics and Monitoring: VPC Flow Logs can be used to analyze usage patterns, detect anomalous behavior such as port scans (one srcaddr producing many records with distinct dstport values, most of them REJECT), and monitor for security threats. Records are aggregated over a window of 10 minutes by default (1 minute is optional) and delivered some minutes after the window closes, so detection built on them is near-real-time at best.
- Querying Options: Amazon Athena is the usual choice for logs stored in S3 (partition the table by date so each query scans only the days it needs), while CloudWatch Logs Insights suits interactive, near-real-time queries against a log group.
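The record format described under Data Fields, the action field, and the port-scan pattern above, worked through in code. This is an added example, not AWS code or a tool from the page: it parses default-format (version 2) records, tallies ACCEPT/REJECT/NODATA/SKIPDATA, and flags a source that touches many distinct destination ports in one window. All log lines are constructed, with a placeholder account ID, ENI ID, and documentation-range addresses; the threshold of ten ports is an assumption you would tune per environment.

```python
"""Parse default-format (version 2) VPC Flow Log records and flag sources that
probe many distinct destination ports. Added illustration, not AWS code; every
log line below is constructed (placeholder account ID, ENI ID and addresses)."""
from collections import defaultdict

# Field order of the default flow log record format (version 2).
FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]
INT_FIELDS = {"version", "srcport", "dstport", "protocol",
              "packets", "bytes", "start", "end"}

# Constructed records for one 60-second aggregation window. 198.51.100.7 (an
# RFC 5737 documentation address) touches twelve different ports on 10.0.2.10;
# two of them (22, 443) are open and ACCEPTed, the rest are REJECTed by the
# security group or NACL. 10.0.1.5 is a normal HTTPS client and 203.0.113.9 a
# single rejected SSH attempt. The last two rows show the NODATA and SKIPDATA
# forms, in which the traffic fields are "-".
_ENI = "2 123456789012 eni-0a1b2c3d4e5f67890"
_PROBES = [(21, "REJECT"), (22, "ACCEPT"), (23, "REJECT"), (25, "REJECT"),
           (80, "REJECT"), (110, "REJECT"), (135, "REJECT"), (139, "REJECT"),
           (443, "ACCEPT"), (445, "REJECT"), (3389, "REJECT"), (8080, "REJECT")]
SAMPLE_LOG = "\n".join(
    [f"{_ENI} 10.0.1.5 10.0.2.10 54321 443 6 10 8400 1700000000 1700000060 ACCEPT OK"]
    + [f"{_ENI} 198.51.100.7 10.0.2.10 {40000 + i} {port} 6 1 60 "
       f"1700000000 1700000060 {action} OK"
       for i, (port, action) in enumerate(_PROBES)]
    + [f"{_ENI} 203.0.113.9 10.0.2.10 51000 22 6 1 60 1700000000 1700000060 REJECT OK",
       f"{_ENI} - - - - - - - 1700000000 1700000060 - NODATA",
       f"{_ENI} - - - - - - - 1700000000 1700000060 - SKIPDATA"]
)


def parse_record(line):
    """Map one whitespace-separated record onto FIELDS. A "-" means the field
    is absent (NODATA / SKIPDATA rows) and is stored as None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(value)
        else:
            rec[name] = value
    return rec


def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def action_counts(records):
    """Tally ACCEPT / REJECT; rows with no action are counted under their
    log status (NODATA, SKIPDATA) so that gaps in coverage stay visible."""
    counts = defaultdict(int)
    for rec in records:
        counts[rec["action"] or rec["log_status"]] += 1
    return dict(counts)


def find_port_scanners(records, min_ports=10):
    """Return (srcaddr, dstaddr) pairs that hit at least `min_ports` distinct
    destination ports, with the port list, flow count and REJECT count. Both
    actions are counted: a scanner gets ACCEPT on open ports and REJECT on the
    rest, whereas a legitimate client fanning out to many services is mostly
    ACCEPTed, so the reject share separates the two."""
    ports, flows, rejects = defaultdict(set), defaultdict(int), defaultdict(int)
    for rec in records:
        if rec["srcaddr"] is None:        # NODATA / SKIPDATA carry no flow
            continue
        key = (rec["srcaddr"], rec["dstaddr"])
        ports[key].add(rec["dstport"])
        flows[key] += 1
        if rec["action"] == "REJECT":
            rejects[key] += 1
    return {key: {"ports": sorted(p), "flows": flows[key], "rejected": rejects[key]}
            for key, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(action_counts(recs))
    for (src, dst), info in find_port_scanners(recs).items():
        print(f"{src} -> {dst}: {info['flows']} flows, {info['rejected']} rejected, "
              f"ports {info['ports']}")
```

Run as-is it reports 3 ACCEPT, 11 REJECT, 1 NODATA and 1 SKIPDATA rows, and flags only 198.51.100.7 (12 flows, 10 rejected); 203.0.113.9, with one rejected flow, stays below the threshold. The same grouping by srcaddr and count of distinct dstport values is what you would express as a GROUP BY in Athena or a stats query in CloudWatch Logs Insights over the real log stream.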
Applications and Examples
- CloudWatch Contributor Insights: Identify top IP addresses contributing to network traffic.
- Metric Filters and Alarms: A CloudWatch Logs metric filter that counts, for example, REJECTed flows to port 22 or 3389 can feed a CloudWatch alarm that fires when the count exceeds a threshold within the evaluation period.
- Amazon Athena and QuickSight: Perform SQL queries on logs in S3 and visualize the data for deeper insights.
In summary, VPC Flow Logs are a vital tool in the AWS ecosystem for ensuring network security, performance, and reliability. By capturing detailed information about IP traffic, they enable AWS users to monitor their network infrastructure effectively, identify and troubleshoot issues, and gain insights into network usage patterns.