VPC Flow Logs

VPC Flow Logs capture metadata about the IP traffic going to and from network interfaces in your Virtual Private Cloud: source and destination addresses and ports, protocol, packet and byte counts, and whether the security groups and network ACLs accepted or rejected the flow. Packet payloads are not captured. You can create a flow log for a whole VPC, for a subnet, or for a single Elastic Network Interface (ENI), and the flow records are published to CloudWatch Logs for storage and analysis.  From there you can have a third-party application consume the logs and deliver the information to your management and analytical tools.  VPC Flow Logs is most likely to show up in the AWS Certified Solutions Architect Associate Exam as well as the SysOps Administrator Associate Exam.

In this example, I have launched an EC2 Instance running the standard Amazon Linux AMI.  The instance is launched in the Public Subnet of the default VPC and has the following ENI ID: eni-092fe904e7efeb7a3

Steps to Follow

  • Navigate to the VPC Console in your Amazon Account
  • Right-click on your VPC that you want to monitor and click Create Flow Log

Create VPC Flow Logs

 

You will need an IAM role that the VPC Flow Logs service can assume in order to publish records to CloudWatch Logs in the destination account. The console can create this role for you.
Set up VPC Flow Logs for your VPC

 

  • Click Set Up Permissions
  • Go ahead and click Create a New IAM Role and type in a Role Name

VPC Flow Logs Permissions

 

  • Click Allow in the bottom right-hand corner of the screen
  • You will receive a ‘Success’ message on the screen
  • You also need to create a CloudWatch Logs log group to which the flow logs will be published. In another browser tab, navigate to your AWS CloudWatch Console
  • Click Create Log Group

Create a CloudWatch Log Group

 

  • Type in a suitable name and Create
  • Navigate back to the previous browser tab with the VPC Flow Configuration
  • Select the appropriate values as displayed below

Create VPC Flow Log Final Screen

 

  • Click Create Flow Log
  • New Flow Logs will appear in the Flow Logs tab of the VPC dashboard.
  • The Flow Logs are saved to CloudWatch Logs. Navigate back to the AWS CloudWatch Console
  • Click on the Log Group you created
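The same setup can be scripted instead of clicked through. The following is an added example written for this page, not code from the original post or from AWS: it creates the delivery role with a trust policy restricted to the VPC Flow Logs service, attaches a permissions policy scoped to one log group (the console-generated role uses a wildcard resource), creates the log group with a retention period, and then creates the flow log. The role name, log group name, VPC ID, region and account ID are placeholders you substitute; the `aws:SourceAccount` condition is an optional confused-deputy guard. The boto3 clients are passed in as parameters so the function can be exercised without AWS credentials.

```python
"""Create a VPC Flow Log that publishes to CloudWatch Logs (added example, boto3).

Names such as VPC_ID, ROLE_NAME and LOG_GROUP below are placeholders.
"""
import json
from typing import Any, Dict

FLOW_LOGS_SERVICE = "vpc-flow-logs.amazonaws.com"


def trust_policy(account_id: str) -> Dict[str, Any]:
    """Only the VPC Flow Logs service may assume the delivery role.

    The aws:SourceAccount condition stops flow logs from a different account
    from using this role (confused-deputy guard); it is an added hardening,
    not something the console wizard configures.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": FLOW_LOGS_SERVICE},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
        }],
    }


def permissions_policy(log_group_arn: str) -> Dict[str, Any]:
    """Least privilege: the CloudWatch Logs actions delivery needs, on one log group."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
            ],
            # log streams live under <log-group-arn>:*
            "Resource": [log_group_arn, f"{log_group_arn}:*"],
        }],
    }


def create_flow_log(ec2, iam, logs, *, vpc_id: str, role_name: str, log_group: str,
                    region: str, account_id: str, traffic_type: str = "ALL",
                    retention_days: int = 90) -> str:
    """Create role, log group and flow log; return the new flow log ID."""
    role_arn = iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(trust_policy(account_id)),
    )["Role"]["Arn"]

    log_group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
    iam.put_role_policy(
        RoleName=role_name,
        PolicyName="vpc-flow-logs-delivery",
        PolicyDocument=json.dumps(permissions_policy(log_group_arn)),
    )

    # Create the log group only if it does not already exist (prefix match, so
    # compare the exact name), and cap retention so records are not kept forever.
    existing = logs.describe_log_groups(logGroupNamePrefix=log_group)["logGroups"]
    if not any(g["logGroupName"] == log_group for g in existing):
        logs.create_log_group(logGroupName=log_group)
    logs.put_retention_policy(logGroupName=log_group, retentionInDays=retention_days)

    resp = ec2.create_flow_logs(
        ResourceIds=[vpc_id],
        ResourceType="VPC",
        TrafficType=traffic_type,          # ALL, ACCEPT or REJECT
        LogDestinationType="cloud-watch-logs",
        LogGroupName=log_group,
        DeliverLogsPermissionArn=role_arn,
    )
    # The API reports per-resource failures here rather than raising.
    if resp.get("Unsuccessful"):
        raise RuntimeError(f"flow log creation failed: {resp['Unsuccessful']}")
    return resp["FlowLogIds"][0]


if __name__ == "__main__":
    import boto3  # only needed for a real run

    REGION, ACCOUNT_ID = "us-east-1", "123456789012"   # placeholders
    session = boto3.Session(region_name=REGION)
    flow_log_id = create_flow_log(
        session.client("ec2"), session.client("iam"), session.client("logs"),
        vpc_id="vpc-0123456789abcdef0", role_name="VPCFlowLogsDeliveryRole",
        log_group="vpc-flow-logs", region=REGION, account_id=ACCOUNT_ID,
    )
    print("created", flow_log_id)
```

A newly created IAM role can take a few seconds to propagate, so a real run may need to retry `create_flow_logs` if it fails with a message that the role cannot be assumed. `TrafficType="REJECT"` is a cheaper option when you only want to see what the security groups and NACLs are blocking.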

 

CloudWatch Log Group

 

  • After about 10 minutes, you will see a log stream named after the ENI of your EC2 Instance appear in the log group

Log Streams in Amazon CloudWatch Logs

 

 

  • Click on the ENI's log stream
  • You will be presented with the flow records for that ENI, covering traffic in both directions (to and from the interface), including flows that were rejected by a security group or network ACL

 

Log Streams for ENI of EC2 Instance in CloudWatch

You can then forward this log data to a third-party application for further analysis. Flows are collected, processed, and stored in capture windows that are approximately 10 minutes long, so a flow record is an aggregate of a 5-tuple over that window rather than a per-packet record. If the log group does not already exist it is created for you, and the first flow records become visible in the console about ten minutes after you create the Flow Log. Bear in mind that flow logs do not capture packet payloads, and cannot be enabled retroactively; there is no record of traffic from before the flow log was created. You can create up to two Flow Logs on one resource.

The Flow Logs will not include any of the following traffic, so do not rely on them to detect abuse of these channels:

  • Traffic to the Amazon DNS servers, including queries for private hosted zones (traffic to a DNS server you run yourself is logged).
  • Windows license activation traffic for licenses provided by Amazon.
  • Requests to the instance metadata service (169.254.169.254).
  • DHCP requests and responses.

 

AWS Certification – 900 Practice Exam Questions – Get Prepared for your Exam Day!

Our AWS Exam Simulator with 900 practice exam questions comes with comprehensive explanations that will help you prepare for one of the most sought-after IT Certifications of the year.  Register Today and start preparing for your AWS Certification.