Many businesses collect, store, and analyze network flow logs. This data helps in troubleshooting connectivity and security issues and in verifying that network access rules behave as intended. Until now, AWS customers collected this information by installing agents on their Amazon Elastic Compute Cloud (Amazon EC2) instances. That approach added overhead to every instance and limited visibility to the flows that the instance itself could see.
Introducing VPC Flow Logs
To enhance support for this crucial aspect of network oversight, we are launching Flow Logs for the Amazon Virtual Private Cloud (Amazon VPC). Once activated for a specific VPC, VPC subnet, or Elastic Network Interface (ENI), pertinent network traffic will be recorded in CloudWatch Logs for storage and analysis by your applications or third-party solutions. You can set up alerts that trigger upon detecting specific types of traffic and create metrics to recognize trends and patterns.
The logged information encompasses details about permitted and denied traffic (based on security group and network ACL regulations). It also captures source and destination IP addresses, ports, the IANA protocol number, packet and byte counts, a time frame for which the flow was monitored, and whether the action was ACCEPT or REJECT.
Activating VPC Flow Logs
You can enable VPC Flow Logs via the AWS Management Console, the AWS Command Line Interface (AWS CLI), or by making calls to the EC2 API. Here’s a step-by-step guide for enabling them for a VPC:
This action will present the Create Flow Log wizard:
New Flow Logs will be visible in the Flow Logs section of the VPC dashboard.
The Flow Logs are stored in log groups within CloudWatch Logs. The log group will be established roughly 15 minutes after you create a new Flow Log. You can access these logs through the CloudWatch Logs dashboard.
Each group will consist of separate streams for each Elastic Network Interface (ENI):
Each stream will contain a series of flow log records:
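The records in these streams are plain space-delimited lines carrying the fields listed earlier: version, account, ENI, source and destination address and port, IANA protocol number, packet and byte counts, the start and end of the capture window, the ACCEPT/REJECT action, and a log status. The following Python is an added example, not code from this post or from AWS: it parses a handful of constructed records (made-up account and ENI identifiers, RFC 5737 documentation addresses), skips windows whose status is NODATA (every per-flow field is "-", so counting them as flows would be a bug), and flags a source that was rejected on many distinct ports, the kind of pattern you would alert on.

```python
"""Parse and triage VPC Flow Log records (version 2 space-delimited format)."""
from collections import defaultdict

# Field order of a version 2 flow log record as delivered to CloudWatch Logs.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample records for this example (not real traffic; account and ENI IDs are made up,
# addresses come from the RFC 5737 documentation ranges). The NODATA line shows how a capture
# window with no traffic is recorded: every per-flow field is "-".
SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.23 49152 22 6 6 360 1432917027 1432917142 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.23 49153 23 6 6 360 1432917027 1432917142 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.23 49154 3389 6 6 360 1432917027 1432917142 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.23 49155 445 6 6 360 1432917027 1432917142 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.23 51000 443 6 20 4249 1432917027 1432917142 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 198.51.100.7 443 51000 6 18 8610 1432917027 1432917142 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1432917142 1432917262 - NODATA
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.23 40000 8080 6 3 180 1432917262 1432917382 REJECT OK
"""


def parse_record(line):
    """Split one record into a dict, converting numeric fields and mapping "-" to None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(value)
        else:
            rec[name] = value
    return rec


def parse_records(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejected_flows(records):
    """Flows blocked by a security group or network ACL. Records whose log_status is not OK
    (NODATA, SKIPDATA) carry no action and are excluded rather than miscounted."""
    return [r for r in records if r["log_status"] == "OK" and r["action"] == "REJECT"]


def reject_fanout(records, threshold=3):
    """Sources rejected on at least `threshold` distinct destination ports: one host probing
    many closed ports within the capture windows is the classic port-scan signature."""
    ports = defaultdict(set)
    for r in rejected_flows(records):
        ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= threshold}


def bytes_by_action(records):
    """Total bytes per ACCEPT/REJECT, skipping windows that carried no flow data."""
    totals = defaultdict(int)
    for r in records:
        if r["log_status"] == "OK":
            totals[r["action"]] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print(f"{len(recs)} records, {len(rejected_flows(recs))} rejected")
    for src, ports in reject_fanout(recs).items():
        print(f"possible port scan from {src}: rejected on ports {ports}")
    print(bytes_by_action(recs))
```

The same field order is what you would use in a CloudWatch Logs metric filter; the parser's NODATA handling matters because a VPC with idle ENIs produces many such windows, and any pipeline that sums `bytes` or groups by `action` without checking `log_status` first will either crash on "-" or count empty windows as traffic.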
Key Considerations
When using VPC Flow Logs, keep a few things in mind. Flows are collected, processed, and stored in capture windows of about 10 minutes. The log group is created, and the first flow records become visible in the console, roughly 15 minutes after you enable the Flow Log. You can create up to two Flow Logs on a single resource.
Flow Logs do not capture the following kinds of traffic:
- Amazon DNS servers, including queries for private hosted zones.
- Windows license activation traffic for licenses provided by Amazon.
- Requests for instance metadata.
- DHCP requests or responses.
Now Available
This feature is currently accessible in the US West (N. California), US West (Oregon), US East (N. Virginia), Asia Pacific (Tokyo), Asia Pacific (Sydney), Asia Pacific (Singapore), Europe (Ireland), and Europe (Frankfurt) regions. Utilizing this feature incurs a cost of $0.50 per GiB for log ingestion and $0.03 per GiB per month for archival (for detailed pricing, visit the CloudWatch Pricing page).
— Chanci Turner
P.S. Several AWS partners are developing tools to process, analyze, and potentially visualize the VPC Flow Logs! I'll share more information on this soon.