VPC Flow Logs

Learn how VPC Flow Logs and Elastic Network Interfaces (ENIs) provide insights into your AWS VPC traffic, helping you monitor, troubleshoot, and optimize your network.

By Anis Mer_

VPC Flow Logs

Monitoring and Troubleshooting Your Network

Understanding what’s happening inside your VPC is crucial for maintaining a secure and well-functioning infrastructure. This is where VPC Flow Logs come in. They provide visibility into the traffic flowing in and out of your VPC, enabling you to monitor, troubleshoot, and optimize your network.

In this article, we’ll explore what VPC Flow Logs are, how they work, and how to set them up. We’ll also dive into Elastic Network Interfaces (ENIs), the most specific resource you can monitor with Flow Logs, to provide a deeper understanding of AWS networking.


What Are VPC Flow Logs?

A VPC Flow Log is an AWS feature that captures metadata about the IP traffic going to and from the network interfaces in a VPC, a subnet, or a single Elastic Network Interface (ENI). Each record describes a flow (source and destination addresses and ports, protocol, packet and byte counts, and whether the traffic was accepted or rejected) without capturing packet payloads. Two caveats matter in practice: records are aggregated over a capture window and delivered minutes later, so flow logs are not a real-time feed, and some traffic is never logged, including DHCP, traffic to and from the instance metadata service (169.254.169.254) and the Amazon DNS resolver, and Windows license activation traffic.


Mental Model: Flow Logs as Security Cameras

Think of VPC Flow Logs as security cameras for your network:

  • They don’t record the full details of what's inside the "packages" (traffic content).
  • Instead, they capture essential metadata about where the packages came from, where they went, and whether they were accepted or rejected.

What is an Elastic Network Interface (ENI)?

An Elastic Network Interface (ENI) is a virtual network card in AWS that connects your EC2 instances or other AWS resources to your VPC. It’s the smallest unit of network connectivity that you can monitor with Flow Logs.

Key Features:

  1. Primary and Secondary Interfaces:

    • Every EC2 instance has a primary ENI by default.
    • You can attach additional secondary ENIs for advanced networking setups, like separating public and private traffic.
  2. Multiple IP Addresses:

    • ENIs can have one or more IP addresses:
      • Private IPs for internal communication.
      • Public IPs or Elastic IPs for external communication.
  3. Reusability:

    • Secondary ENIs can be detached from one instance and reattached to another, keeping the same IP addresses, MAC address, and security groups; the primary ENI cannot be detached from its instance.
  4. Security Groups:

    • Each ENI has its own security groups, providing resource-specific traffic control.

Mental Model: ENIs as Network Adapters

Think of ENIs as virtual network adapters for AWS resources. They enable your EC2 instances to:

  • Communicate with other resources in the VPC.
  • Access the internet via gateways.
  • Handle multiple, separate network connections.

How Flow Logs Work with ENIs

Flow Logs can be scoped to specific ENIs to provide granular visibility into the traffic handled by those interfaces. For example:

  • Monitor traffic to a specific instance in detail.
  • Troubleshoot issues for an interface handling public-facing traffic.
  • Analyze rejected traffic due to misconfigured security groups or NACLs. A REJECT record does not say which control dropped the traffic, but because security groups are stateful and NACLs are not, an accepted inbound request followed by a rejected outbound reply usually points at a NACL missing an ephemeral-port rule.

Key Benefits of Scoping Flow Logs to ENIs:

  • Granular Insights: Track network activity at the individual interface level.
  • Troubleshooting: Identify and isolate traffic issues for a specific ENI.
  • Targeted Monitoring: Focus on high-priority or critical resources.

How to Set Up VPC Flow Logs

1. Choose the Scope

Decide whether to create flow logs for:

  • An entire VPC (broad visibility).
  • A specific subnet (focused monitoring).
  • A single ENI (granular details).

2. Configure the Flow Log

  1. Navigate to VPC Dashboard > Your VPCs.
  2. Select your VPC and click Create Flow Log.
  3. Configure the settings:
    • Destination: Choose CloudWatch Logs, Amazon S3, or Amazon Data Firehose (formerly Kinesis Data Firehose).
    • Filter: Decide which traffic to log:
      • ALL: Logs all traffic.
      • ACCEPT: Logs only allowed traffic.
      • REJECT: Logs only denied traffic.
    • Maximum aggregation interval: 10 minutes (the default) or 1 minute. A shorter interval gives faster detection at the cost of more records.
    • Log Format: Use the default fields or customize the format to add fields the default omits, such as flow-direction, tcp-flags, and pkt-srcaddr/pkt-dstaddr (the packet-level addresses, useful when traffic passes through a NAT gateway or load balancer).

3. Set Permissions

  • Flow logs that deliver to CloudWatch Logs need an IAM role that the vpc-flow-logs.amazonaws.com service can assume, with permission to create log streams and put log events in the chosen log group. Grant only those actions on that log group; attaching CloudWatchLogsFullAccess would let the role read and write every log group in the account, far more than delivery needs.
  • Flow logs that deliver to S3 need no role: delivery is authorized by the bucket policy, which must allow the delivery.logs.amazonaws.com service to put objects under the chosen prefix.

4. View and Analyze Logs

  • Access logs in your selected destination and use tools like CloudWatch Logs Insights (for CloudWatch Logs) or Amazon Athena (for S3) to filter and analyze traffic patterns, for example all REJECT records for one ENI, or the top source addresses by bytes.
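The four steps above, carried out in code, as an added example that is not part of the original article: it builds a least-privilege delivery role (trust policy restricted to the Flow Logs service in one account and region, write permissions scoped to one log group) and the create_flow_log request for a REJECT-only, whole-VPC flow log to CloudWatch Logs with a 1-minute capture window and a custom format. The account ID, region, VPC ID, log group and role names are placeholders (assumptions, not values from the article); only the __main__ section talks to AWS via boto3, the policy documents and request are built offline.

```python
"""Added example, not part of the original article: create a VPC Flow Log to
CloudWatch Logs with a least-privilege delivery role using boto3.
Account ID, region, VPC ID, log group and role names below are placeholders."""
import json

FLOW_LOGS_SERVICE = "vpc-flow-logs.amazonaws.com"
VALID_TRAFFIC_TYPES = ("ACCEPT", "REJECT", "ALL")

# Default v2 fields plus extras the default format lacks.
CUSTOM_LOG_FORMAT = (
    "${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} "
    "${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} "
    "${action} ${log-status} ${flow-direction} ${tcp-flags} "
    "${pkt-srcaddr} ${pkt-dstaddr}"
)


def trust_policy(account_id: str, region: str) -> dict:
    """Let only the Flow Logs service assume the role, and only on behalf of
    flow logs in this account and region (guards against a flow log in some
    other account using this role as a confused deputy)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": FLOW_LOGS_SERVICE},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {
                    "aws:SourceArn": f"arn:aws:ec2:{region}:{account_id}:vpc-flow-log/*"
                },
            },
        }],
    }


def delivery_policy(region: str, account_id: str, log_group: str) -> dict:
    """Only the actions delivery needs, with the write actions scoped to the
    one log group (instead of CloudWatchLogsFullAccess on every log group)."""
    group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                           "logs:PutLogEvents", "logs:DescribeLogStreams"],
                "Resource": [group_arn, f"{group_arn}:*"],
            },
            {   # Listing log groups is an account-level call; no narrower ARN applies.
                "Effect": "Allow",
                "Action": "logs:DescribeLogGroups",
                "Resource": "*",
            },
        ],
    }


def flow_log_request(vpc_id: str, log_group: str, role_arn: str,
                     traffic_type: str = "ALL") -> dict:
    """Keyword arguments for ec2.create_flow_log: whole-VPC scope, the chosen
    ACCEPT/REJECT/ALL filter, CloudWatch Logs destination, 1-minute capture
    window and a custom format adding direction, TCP flags and the
    packet-level addresses behind NAT gateways or load balancers."""
    if traffic_type not in VALID_TRAFFIC_TYPES:
        raise ValueError(f"traffic_type must be one of {VALID_TRAFFIC_TYPES}")
    return {
        "ResourceType": "VPC",
        "ResourceIds": [vpc_id],
        "TrafficType": traffic_type,
        "LogDestinationType": "cloud-watch-logs",
        "LogGroupName": log_group,
        "DeliverLogsPermissionArn": role_arn,
        "MaxAggregationInterval": 60,
        "LogFormat": CUSTOM_LOG_FORMAT,
    }


if __name__ == "__main__":
    import boto3  # only needed when actually calling AWS

    account, region = "123456789012", "us-east-1"  # placeholders
    vpc_id, log_group, role = "vpc-0123456789abcdef0", "/vpc/flow-logs", "vpc-flow-logs-delivery"

    iam = boto3.client("iam")
    created = iam.create_role(
        RoleName=role, AssumeRolePolicyDocument=json.dumps(trust_policy(account, region)))
    iam.put_role_policy(
        RoleName=role, PolicyName="flow-logs-to-cloudwatch",
        PolicyDocument=json.dumps(delivery_policy(region, account, log_group)))
    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.create_flow_log(
        **flow_log_request(vpc_id, log_group, created["Role"]["Arn"], "REJECT"))
    print(resp["FlowLogIds"], resp.get("Unsuccessful", []))
```

Run with credentials that can create IAM roles and flow logs; the printed Unsuccessful list is where a wrong role ARN or missing log group permission shows up.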

Sample Log Record

Here’s an example of what a Flow Log record in the default (version 2) format looks like. Fields are space-separated and always appear in this order: version, account ID, interface ID, source address, destination address, source port, destination port, protocol, packets, bytes, start, end, action, log status:

2 123456789012 eni-abc12345 10.0.1.10 203.0.113.1 53102 443 6 12 2934 1704103200 1704103260 ACCEPT OK
  • 2: Log format version.
  • 123456789012: AWS account ID.
  • eni-abc12345: Network interface ID (ENI).
  • 10.0.1.10: Source IP address (inside your VPC).
  • 203.0.113.1: Destination IP address (outside the VPC).
  • 53102: Source port (an ephemeral client port).
  • 443: Destination port (HTTPS).
  • 6: IANA protocol number (6 = TCP, 17 = UDP, 1 = ICMP).
  • 12 and 2934: Packets and bytes transferred during the capture window.
  • 1704103200 and 1704103260: Start and end of the capture window as Unix timestamps (here 2024-01-01T10:00:00Z to 10:01:00Z).
  • ACCEPT: Indicates the traffic was allowed by security groups and network ACLs (REJECT means it was denied).
  • OK: Log status. NODATA means no traffic was seen in the window, and SKIPDATA means some records were dropped, for example under an internal capacity constraint; in both cases the traffic fields are "-".
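Reading these records by hand does not scale, so here is an added example (not code from the original article) that parses default-format records and runs a small detection over them: it groups REJECT flows by source address and ENI and flags any source that probed several distinct destination ports, the kind of rejected-traffic analysis the ENI section above describes. The sample records are constructed for illustration; the account ID, ENI ID and addresses are placeholders. The NODATA record is included deliberately, since a parser that assumes every field is numeric will break on its "-" placeholders.

```python
"""Added example, not part of the original article: parse default (version 2)
VPC Flow Log records and flag sources whose rejected flows probe many distinct
ports on one interface. Sample records are constructed; IDs and addresses are
placeholders."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Field order of the default (version 2) log format.
DEFAULT_FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes", "start", "end",
    "action", "log_status",
)

# Constructed sample: an accepted HTTPS flow and its reply, a sweep of rejected
# connection attempts from one external host, a NODATA window, one rejected SSH try.
SAMPLE_RECORDS = """\
2 123456789012 eni-abc12345 10.0.1.10 203.0.113.1 53102 443 6 12 2934 1704103200 1704103260 ACCEPT OK
2 123456789012 eni-abc12345 203.0.113.1 10.0.1.10 443 53102 6 10 5120 1704103200 1704103260 ACCEPT OK
2 123456789012 eni-abc12345 198.51.100.7 10.0.1.10 41000 22 6 1 44 1704103200 1704103260 REJECT OK
2 123456789012 eni-abc12345 198.51.100.7 10.0.1.10 41001 23 6 1 44 1704103200 1704103260 REJECT OK
2 123456789012 eni-abc12345 198.51.100.7 10.0.1.10 41002 3389 6 1 44 1704103200 1704103260 REJECT OK
2 123456789012 eni-abc12345 198.51.100.7 10.0.1.10 41003 445 6 1 44 1704103200 1704103260 REJECT OK
2 123456789012 eni-abc12345 198.51.100.7 10.0.1.10 41004 8080 6 1 44 1704103200 1704103260 REJECT OK
2 123456789012 eni-abc12345 - - - - - - - 1704103260 1704103320 - NODATA
2 123456789012 eni-abc12345 192.0.2.9 10.0.1.10 5555 22 6 1 44 1704103200 1704103260 REJECT OK
"""

@dataclass(frozen=True)
class FlowRecord:
    version: int
    account_id: str
    interface_id: str
    srcaddr: Optional[str]
    dstaddr: Optional[str]
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]
    packets: Optional[int]
    bytes: Optional[int]
    start: datetime
    end: datetime
    action: Optional[str]   # ACCEPT, REJECT, or None for NODATA/SKIPDATA
    log_status: str         # OK, NODATA or SKIPDATA

    @property
    def has_data(self) -> bool:
        return self.log_status == "OK"

def _opt(value: str, cast=str):
    """'-' marks a field that is absent in NODATA and SKIPDATA records."""
    return None if value == "-" else cast(value)

def parse_record(line: str) -> FlowRecord:
    """Parse one default-format record; raises ValueError on a malformed line
    instead of silently misaligning fields."""
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS):
        raise ValueError(f"expected {len(DEFAULT_FIELDS)} fields, got {len(parts)}: {line!r}")
    f = dict(zip(DEFAULT_FIELDS, parts))
    return FlowRecord(
        version=int(f["version"]),
        account_id=f["account_id"],
        interface_id=f["interface_id"],
        srcaddr=_opt(f["srcaddr"]),
        dstaddr=_opt(f["dstaddr"]),
        srcport=_opt(f["srcport"], int),
        dstport=_opt(f["dstport"], int),
        protocol=_opt(f["protocol"], int),
        packets=_opt(f["packets"], int),
        bytes=_opt(f["bytes"], int),
        start=datetime.fromtimestamp(int(f["start"]), tz=timezone.utc),
        end=datetime.fromtimestamp(int(f["end"]), tz=timezone.utc),
        action=_opt(f["action"]),
        log_status=f["log_status"],
    )

def parse_records(text: str) -> List[FlowRecord]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]

def rejected_port_sweeps(records: List[FlowRecord],
                         min_ports: int = 5) -> Dict[Tuple[str, str], List[int]]:
    """Map (interface_id, srcaddr) -> sorted distinct destination ports for
    sources with REJECT flows to at least min_ports ports on one ENI."""
    ports: Dict[Tuple[str, str], set] = defaultdict(set)
    for r in records:
        if r.has_data and r.action == "REJECT":
            ports[(r.interface_id, r.srcaddr)].add(r.dstport)
    return {key: sorted(p) for key, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    for (eni, src), hit in rejected_port_sweeps(parse_records(SAMPLE_RECORDS)).items():
        print(f"{src} swept {len(hit)} ports on {eni}: {hit}")
```

With the sample above, only 198.51.100.7 is flagged (ports 22, 23, 445, 3389, 8080); the single rejected SSH attempt from 192.0.2.9 stays below the threshold. The same parser works on records exported from CloudWatch Logs or an S3 bucket as long as the flow log uses the default format; a custom format needs its field list substituted for DEFAULT_FIELDS.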

Big Words Defined

  • VPC Flow Logs: A feature that captures metadata about IP traffic to and from the network interfaces in a VPC, subnet, or single ENI.
  • ENI (Elastic Network Interface): A virtual network card attached to AWS resources like EC2 instances.
  • Log Group: A container in CloudWatch Logs that holds related log streams. Flow Logs delivered to S3 are stored as objects under a bucket prefix instead.
  • Log Stream: A sequence of log events in a log group; Flow Logs delivered to CloudWatch Logs create one stream per ENI.
  • ACCEPT/REJECT: The action field of a record, indicating whether the security groups and network ACLs permitted the traffic or denied it.

What’s Next?

Next, we’ll explore Peering Connections and Transit Gateways — the keys to connecting multiple VPCs and enabling seamless cross-region communication.
