Many organizations collect, store, and analyze network flow logs. They use this information to troubleshoot connectivity and security issues, and to make sure that network access rules are working as expected.
Up until now, AWS customers collected this data by installing agents on their Amazon Elastic Compute Cloud (EC2) instances. Doing so imposed some overhead on each instance, and also provided a view that was limited to network flows that were visible to the instance.
New VPC Flow Logs
In order to provide better support for this important aspect of network monitoring, we are introducing Flow Logs for the Amazon Virtual Private Cloud. Once enabled for a particular VPC, VPC subnet, or Elastic Network Interface (ENI), relevant network traffic will be logged to CloudWatch Logs for storage and analysis by your own applications or third-party tools.
You can create alarms that will fire if certain types of traffic are detected; you can also create metrics to help you to identify trends and patterns.
The information captured includes information about allowed and denied traffic (based on security group and network ACL rules). It also includes source and destination IP addresses, ports, the IANA protocol number, packet and byte counts, a time interval during which the flow was observed, and an action (ACCEPT or REJECT).
Enabling VPC Flow Logs
You can enable VPC Flow Logs from the AWS Management Console or the AWS Command Line Interface (CLI), or by making calls to the EC2 API. Here’s how you would enable them for a VPC:
This will display the Create Flow Log wizard:
New Flow Logs will appear in the Flow Logs tab of the VPC dashboard.
The Flow Logs are saved into log groups in CloudWatch Logs. The log group will be created approximately 15 minutes after you create a new Flow Log. You can access them via the CloudWatch Logs dashboard.
Each group will contain a separate stream for each Elastic Network Interface (ENI):
Each stream, in turn, contains a series of flow log records:
Go With the Flow
Here are a couple of things to keep in mind when you use VPC Flow Logs.
Flows are collected, processed, and stored in capture windows that are approximately 10 minutes long. The log group will be created and the first flow records will become visible in the console about ten minutes after you create the Flow Log.
You can create up to two Flow Logs on one resource.
The Flow Logs will not include any of the following traffic:
- Traffic to Amazon DNS servers, including queries for private hosted zones.
- Windows license activation traffic for licenses provided by Amazon.
- Requests for instance metadata.
- DHCP requests or responses.
This feature is available today in the US West (Northern California), US West (Oregon), US East (Northern Virginia), Asia Pacific (Tokyo), Asia Pacific (Sydney), Asia Pacific (Singapore), Europe (Ireland), and Europe (Frankfurt) regions. There is no charge for the use of this feature; you pay only for the storage of the CloudWatch Logs (see CloudWatch Pricing for more information).
PS – Several AWS Partners are working on tools to process, analyze, and perhaps even visualize the VPC Flow Logs! I’ll have more to say about this before too long.