VPC Flow Logs

Overview

VPC Flow Logs capture information about IP traffic to and from network interfaces in your VPC. They can be enabled at:
  • VPC level
  • Subnet level
  • Elastic Network Interface (ENI) level
Types:
  • VPC-level Flow Logs
  • Subnet-level Flow Logs
  • ENI-level Flow Logs

Use Cases

  • Monitor and troubleshoot connectivity.
  • Analyze traffic for security, compliance, and performance.
  • Detect anomalies such as port scans or suspicious IPs.

Destinations

Flow log data can be sent to:
  • Amazon CloudWatch Logs
  • Amazon S3
  • Amazon Kinesis Data Firehose

Supported AWS Services

Flow logs can also capture traffic on the network interfaces that AWS-managed services create in your VPC, including:
  • Elastic Load Balancer (ELB)
  • RDS
  • ElastiCache
  • Redshift
  • WorkSpaces
  • NAT Gateway
  • Transit Gateway

Architecture Context

  • Public Subnet: Public EC2 instances, IGW, SG/NACL, public route table.
  • Private Subnet: Private EC2 instances, NAT Gateway for outbound internet, private route table.
  • Flow logs collect data from network interfaces in these subnets, as well as from VPC Peering links and VPC Endpoints.

Flow Log Record – Key Fields

  • srcaddr / dstaddr – Source/Destination IP
  • srcport / dstport – Source/Destination Port
  • protocol – IANA protocol number (e.g., 6 = TCP, 17 = UDP)
  • action – ACCEPT or REJECT
  • log-status – Logging status of the record (OK, NODATA, or SKIPDATA)
  • packets, bytes – Traffic volume
  • start / end – Flow timestamps
Querying tools:
  • Athena (for logs in S3)
  • CloudWatch Logs Insights (for logs in CloudWatch)

Troubleshooting SG & NACL Issues

  • SGs are stateful: return traffic for an allowed connection is permitted automatically.
  • NACLs are stateless: both the inbound and the outbound direction must be allowed explicitly.
  • REJECT in the inbound direction → likely an NACL inbound rule or an SG inbound rule is blocking.
  • ACCEPT inbound but REJECT outbound → likely an NACL outbound rule is blocking (the SG is stateful, so it would have allowed the return traffic).
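As an added example (not part of the original notes), the script below parses records in AWS's default version 2 flow log format (the key fields listed above), flags a source whose REJECTed flows fan out across many destination ports (the port-scan use case), and applies the SG/NACL rules in this section to the flows of one instance. The sample records, account ID, ENI ID, and IP addresses are constructed; the `min_ports` threshold and the verdict names are my own choices.

```python
"""Parse default (version 2) VPC Flow Log records, flag port-scan-like
behaviour, and apply the SG/NACL troubleshooting rules. Sample records,
account ID, ENI ID and IP addresses are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Field order of AWS's default (version 2) flow log record format.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # protocol is an IANA number


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: Optional[str]
    dstaddr: Optional[str]
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]
    packets: Optional[int]
    bytes: Optional[int]
    start: int
    end: int
    action: Optional[str]   # ACCEPT or REJECT; None when no traffic was logged
    log_status: str         # OK, NODATA or SKIPDATA


def parse_record(line: str) -> FlowRecord:
    """Split one space-separated record. A '-' (used when log-status is
    NODATA/SKIPDATA) becomes None so it is never mistaken for real traffic."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    raw = dict(zip(FIELDS, parts))

    def field(name):
        value = raw[name]
        if value == "-":
            return None
        return int(value) if name in INT_FIELDS else value

    return FlowRecord(
        interface_id=raw["interface-id"], srcaddr=field("srcaddr"), dstaddr=field("dstaddr"),
        srcport=field("srcport"), dstport=field("dstport"), protocol=field("protocol"),
        packets=field("packets"), bytes=field("bytes"), start=field("start"), end=field("end"),
        action=field("action"), log_status=raw["log-status"],
    )


def load_records(text: str) -> list:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def detect_port_scans(records, min_ports: int = 5) -> dict:
    """Sources whose REJECTed flows hit at least min_ports distinct destination
    ports. Many small rejected flows fanning out over ports is the classic scan
    signature; the threshold is a constructed default, tune it per environment."""
    ports = defaultdict(set)
    for r in records:
        if r.log_status == "OK" and r.action == "REJECT":
            ports[r.srcaddr].add(r.dstport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def diagnose(records, instance_ip: str) -> list:
    """Pair each peer's inbound and outbound flows for one instance and apply
    the SG/NACL rules. Returns (peer, instance_port, verdict) tuples where the
    verdict is NACL_IN_OR_SG_IN, NACL_OUT or ALLOWED."""
    flows = {}
    for r in records:
        if r.log_status != "OK":
            continue
        if r.dstaddr == instance_ip:            # traffic toward the instance
            flows.setdefault((r.srcaddr, r.dstport), {})["in"] = r.action
        elif r.srcaddr == instance_ip:          # traffic leaving the instance
            flows.setdefault((r.dstaddr, r.srcport), {})["out"] = r.action
    findings = []
    for (peer, port), d in sorted(flows.items()):
        if d.get("in") == "REJECT":
            findings.append((peer, port, "NACL_IN_OR_SG_IN"))
        elif d.get("in") == "ACCEPT" and d.get("out") == "REJECT":
            # SGs are stateful, so the reply would have been allowed; an
            # outbound REJECT after an inbound ACCEPT points at a stateless NACL.
            findings.append((peer, port, "NACL_OUT"))
        elif d.get("in") == "ACCEPT" and d.get("out") == "ACCEPT":
            findings.append((peer, port, "ALLOWED"))
    return findings


# Constructed sample: instance 10.0.1.10, peers in RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.10 45123 22 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.10 45124 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.10 45125 80 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.10 45126 443 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.10 45127 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.10 51000 443 6 10 5200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 198.51.100.7 443 51000 6 8 9000 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.9 10.0.1.10 52000 443 6 12 6000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 192.0.2.9 443 52000 6 10 11000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000060 1700000120 - NODATA
"""

if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("possible port scans:", detect_port_scans(recs))
    for peer, port, verdict in diagnose(recs, "10.0.1.10"):
        proto = PROTOCOL_NAMES.get(6)
        print(f"{peer} -> 10.0.1.10:{port}/{proto}: {verdict}")
```

The same pairing logic is what you would express in an Athena or CloudWatch Logs Insights query once the logs are in S3 or CloudWatch: group by peer address and instance port, then compare the inbound and outbound action for each group. The NODATA record shows why `log-status` must be checked first: its traffic fields are `-`, and treating them as zero-byte flows would skew any aggregation.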

Example Architectures

1. CloudWatch Logs Integration
  • Flow Logs → CloudWatch Logs → Contributor Insights & Metric Filters
  • Detect top talkers, traffic trends, or unauthorized protocol use.
  • CloudWatch alarms on those metrics publish SNS alerts for events like SSH/RDP attempts.
2. S3 + Athena
  • Flow Logs → S3 → Athena queries
  • Visualize with QuickSight for audit/compliance dashboards.