VPC Flow Logs
- VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
- Flow log data is stored in Amazon CloudWatch Logs. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs.
- Flow Logs can be created at the following levels:
  - VPC – captures all traffic flowing in and out of the VPC
  - Subnet – captures all traffic flowing in and out of the subnet
  - Network Interface – captures traffic for a specific instance's network interface
To Create a Flow Log
- VPC > Select VPC > Actions > Create Flow Log
- Filter:
  - All (log all traffic)
  - Accept (log only accepted traffic)
  - Reject (log only rejected traffic)
- Role
  - Requires an IAM role that allows Flow Logs to write to CloudWatch Logs. This can be created at this time.
- Destination Log Group
  - This needs to be set up in CloudWatch first.
  - CloudWatch > Logs > Actions > Create log group > "MyVPCFlowLog"
  - Select the log group you just created.
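The same setup expressed as API inputs, as an added example that is not part of these notes: it builds the trust policy and a least-privilege permissions policy for the IAM role the wizard asks for, then maps the console Filter choice onto the TrafficType parameter of the EC2 CreateFlowLogs API. The log group name is the one the notes create; the role name, account id, region and VPC id are placeholders, and nothing is sent to AWS.

```python
import json

# Placeholders for this example (not real resources); only the log group
# name comes from the notes above.
LOG_GROUP_NAME = "MyVPCFlowLog"
ROLE_NAME = "vpc-flow-logs-role"            # assumed role name
ACCOUNT_ID = "123456789012"                 # placeholder account id
REGION = "us-east-1"                        # assumed region
VPC_ID = "vpc-0123456789abcdef0"            # placeholder VPC id

# Console filter choice -> TrafficType value of the CreateFlowLogs API.
TRAFFIC_TYPES = {"All": "ALL", "Accept": "ACCEPT", "Reject": "REJECT"}
RESOURCE_TYPES = ("VPC", "Subnet", "NetworkInterface")


def trust_policy():
    """Only the VPC Flow Logs service may assume this role (no user principals)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "vpc-flow-logs.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(region, account_id, log_group):
    """The CloudWatch Logs actions flow log delivery needs, scoped to the one
    log group instead of Resource "*". DescribeLogGroups is not resource-scoped,
    so it gets its own statement."""
    group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["logs:DescribeLogGroups"],
                "Resource": "*",
            },
            {
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents",
                    "logs:DescribeLogStreams",
                ],
                "Resource": [group_arn, f"{group_arn}:*"],
            },
        ],
    }


def flow_log_request(resource_id, resource_type, filter_choice, role_arn, log_group):
    """Translate the console choices into CreateFlowLogs parameters, rejecting
    values the API does not accept before any call would be made."""
    if resource_type not in RESOURCE_TYPES:
        raise ValueError(f"resource type must be one of {RESOURCE_TYPES}")
    if filter_choice not in TRAFFIC_TYPES:
        raise ValueError(f"filter must be one of {tuple(TRAFFIC_TYPES)}")
    return {
        "ResourceIds": [resource_id],
        "ResourceType": resource_type,
        "TrafficType": TRAFFIC_TYPES[filter_choice],
        "LogDestinationType": "cloud-watch-logs",
        "LogGroupName": log_group,
        "DeliverLogsPermissionArn": role_arn,
    }


if __name__ == "__main__":
    role_arn = f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}"
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(permissions_policy(REGION, ACCOUNT_ID, LOG_GROUP_NAME), indent=2))
    print(json.dumps(flow_log_request(VPC_ID, "VPC", "Reject", role_arn, LOG_GROUP_NAME), indent=2))
```

The dictionaries returned here are the JSON you would paste into the IAM console (or pass to `aws iam create-role` / `put-role-policy`) and the parameter set for `aws ec2 create-flow-logs`; the point of the permissions policy is that the role can write only to the flow log group, not to every log group in the account.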
Viewing the log
- CloudWatch > Logs > click the log file name.
- Logs can be streamed to Lambda, which can filter the records and take action
- Data can be exported to S3
- Data can be streamed to Elasticsearch Service
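What "streamed to Lambda, which can filter and take action" looks like in code, as an added example that is not part of these notes: a handler in the shape CloudWatch Logs subscriptions use (base64-encoded, gzip-compressed JSON under `awslogs.data`), a parser for the default 14-field flow log record format, and a filter that counts REJECT records per source address and destination port. The record lines and the ENI, account id and addresses in them are constructed for the example, and NODATA records are handled rather than crashing the parser.

```python
import base64
import gzip
import json
from collections import Counter

# Field order of the default flow log record format (version 2).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_record(line):
    """Split one space-separated record into a dict; return None for lines that
    are not well-formed records. NODATA/SKIPDATA records carry '-' in the
    traffic fields, which become None instead of failing int()."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        for key in NUMERIC:
            rec[key] = None if rec[key] == "-" else int(rec[key])
    except ValueError:
        return None
    return rec


def rejected_by_source(records):
    """Count REJECT records per (srcaddr, dstport). Repeated rejects from one
    source against one port are what a defender wants surfaced; NODATA and
    SKIPDATA records describe no traffic and are skipped."""
    counts = Counter()
    for rec in records:
        if rec and rec["log_status"] == "OK" and rec["action"] == "REJECT":
            counts[(rec["srcaddr"], rec["dstport"])] += 1
    return counts


def lambda_handler(event, context=None):
    """Entry point for a CloudWatch Logs subscription: decode the batch, parse
    every message, and return the reject summary (a real deployment would
    forward it to an alerting target instead of just returning it)."""
    raw = base64.b64decode(event["awslogs"]["data"])
    payload = json.loads(gzip.decompress(raw))
    records = [parse_record(e["message"]) for e in payload["logEvents"]]
    counts = rejected_by_source(records)
    return {
        "logGroup": payload["logGroup"],
        "rejects": {f"{src}:{port}": n for (src, port), n in counts.items()},
    }


# Constructed sample records (not real traffic): one accepted SSH connection,
# three rejects from a single source, and one NODATA record.
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 10.0.0.14 49152 22 6 20 4249 1418530010 1418530070 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.0.14 44321 22 6 1 60 1418530010 1418530070 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.0.14 44322 22 6 1 60 1418530010 1418530070 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.0.14 44323 3389 6 1 60 1418530010 1418530070 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1418530010 1418530070 - NODATA",
]


def make_event(lines, log_group="MyVPCFlowLog"):
    """Build a subscription event the way CloudWatch Logs would, so the handler
    can be exercised offline."""
    payload = {
        "messageType": "DATA_MESSAGE",
        "logGroup": log_group,
        "logStream": "eni-0a1b2c3d4e5f67890-all",
        "logEvents": [{"id": str(i), "timestamp": 1418530010000, "message": line}
                      for i, line in enumerate(lines)],
    }
    data = base64.b64encode(gzip.compress(json.dumps(payload).encode())).decode()
    return {"awslogs": {"data": data}}


if __name__ == "__main__":
    print(json.dumps(lambda_handler(make_event(SAMPLE_LINES)), indent=2))
```

Run stand-alone, the handler reports two rejects against port 22 and one against port 3389 from the same source. Keying on (source, destination port) rather than on individual records is what turns a noisy REJECT stream into something a person can act on, and the NODATA line shows why the parser must tolerate `-` fields before it converts anything to an integer.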
Exam Tips
- You cannot enable Flow Logs for VPCs that are peered with your VPC unless the peer VPC is in your account.
- You cannot tag a flow log.
- After you've created a flow log, you cannot change its configuration – for example, you cannot associate a different IAM role with a flow log.
- Not all traffic is monitored:
  - Traffic to and from the Amazon DNS server.
  - Traffic generated by a Windows instance for Amazon Windows license activation.
  - Traffic to and from 169.254.169.254 for instance metadata.
  - DHCP traffic.
  - Traffic to the reserved IP address for the default VPC router.