You cannot secure or optimise what you cannot see. VPC Flow Logs capture metadata about the IP traffic flowing through your network interfaces, subnets, and VPCs. Combined with other AWS monitoring tools, they give you the visibility needed to troubleshoot connectivity issues, detect threats, and meet compliance requirements.
VPC Flow Logs capture information about the IP traffic going to and from network interfaces in your VPC. Each flow log record describes a network flow — a 5-tuple of source IP, destination IP, source port, destination port, and protocol — over a defined aggregation interval.
| Level | What It Captures |
|---|---|
| VPC | All traffic in the VPC (all subnets, all ENIs) |
| Subnet | All traffic in a specific subnet |
| Network Interface (ENI) | Traffic on a single ENI |
You can run flow logs at multiple levels simultaneously. Subnet-level or VPC-level logging is most common for broad visibility.
A flow log record contains fields separated by spaces. The default format (Version 2) includes:
| Field | Description | Example |
|---|---|---|
| version | Flow log version | 2 |
| account-id | AWS account ID | 123456789012 |
| interface-id | ENI ID | eni-0a1b2c3d |
| srcaddr | Source IP address | 10.0.1.50 |
| dstaddr | Destination IP address | 54.200.10.5 |
| srcport | Source port | 49152 |
| dstport | Destination port | 443 |
| protocol | IANA protocol number | 6 (TCP) |
| packets | Number of packets | 15 |
| bytes | Number of bytes | 4500 |
| start | Start time (Unix epoch) | 1620000000 |
| end | End time (Unix epoch) | 1620000060 |
| action | ACCEPT or REJECT | ACCEPT |
| log-status | OK, NODATA, or SKIPDATA | OK |

```
2 123456789012 eni-0a1b2c3d 10.0.1.50 54.200.10.5 49152 443 6 15 4500 1620000000 1620000060 ACCEPT OK
```
This tells us: 15 TCP packets (4,500 bytes) were sent from 10.0.1.50:49152 to 54.200.10.5:443 over a 60-second window, and the traffic was accepted.
You can include additional fields in a custom format:
| Additional Field | Description |
|---|---|
| vpc-id | VPC ID |
| subnet-id | Subnet ID |
| tcp-flags | TCP flags (SYN, ACK, FIN, RST) |
| type | IPv4 or IPv6 |
| pkt-srcaddr | Packet-level source (before NAT) |
| pkt-dstaddr | Packet-level destination (before NAT) |
| region | AWS Region |
| flow-direction | ingress or egress |
| traffic-path | Path the traffic took |
Flow logs can be published to three destinations:
| Destination | Best For | Query Tool |
|---|---|---|
| CloudWatch Logs | Real-time alerts and metric filters | CloudWatch Logs Insights |
| Amazon S3 | Long-term archival, cost-effective storage | Amazon Athena |
| Amazon Kinesis Data Firehose | Streaming to third-party SIEM tools | Splunk, Datadog, etc. |
If you store flow logs in S3, you can query them with Amazon Athena using SQL:
```sql
SELECT srcaddr, dstaddr, dstport, action, SUM(bytes) AS total_bytes
FROM vpc_flow_logs
WHERE action = 'REJECT'
  AND dstport = 22
GROUP BY srcaddr, dstaddr, dstport, action
ORDER BY total_bytes DESC
LIMIT 20;
```
This query finds the top 20 sources of rejected SSH attempts — a common security investigation.
If you store flow logs in CloudWatch Logs, you can create metric filters to trigger alarms:
Scenario: An EC2 instance cannot reach an RDS database.
Check the flow logs for the ENI on the EC2 instance: if the records show action = REJECT for the database port (e.g., 3306), the security group or NACL is blocking the traffic.
Scenario: Detect unauthorised access attempts.
Query for rejected traffic on sensitive ports:
| Port | Service |
|---|---|
| 22 | SSH |
| 3389 | RDP |
| 3306 | MySQL |
| 5432 | PostgreSQL |
High volumes of rejected traffic from external IPs on these ports may indicate brute-force attacks.
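As an added example (not part of this lesson), the following Python parses version 2 records in the format shown above and performs the same rejected-traffic-on-sensitive-ports check as the Athena query, limited to sources outside the VPC. It runs over constructed sample records; the names V2_FIELDS, SENSITIVE_PORTS and INTERNAL_NETS are this example's own, and treating RFC 1918 space as "internal" is an assumption.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Field order of the default (version 2) record, as listed on this page.
V2_FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
             "protocol packets bytes start end action log-status").split()
# Ports this lesson flags as sensitive: SSH, RDP, MySQL, PostgreSQL.
SENSITIVE_PORTS = {22, 3389, 3306, 5432}
# Assumption: "internal" means RFC 1918 space; substitute your own VPC CIDRs.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_record(line: str) -> Dict[str, str]:
    """Split one space-separated version 2 record into a field -> value dict."""
    parts = line.split()
    if len(parts) != len(V2_FIELDS) or parts[0] != "2":
        raise ValueError(f"not a version 2 flow log record: {line!r}")
    return dict(zip(V2_FIELDS, parts))

def rejected_sensitive_from_external(lines: List[str]) -> List[Tuple[str, int, int, int]]:
    """Aggregate REJECTed flows from external sources to sensitive ports as
    (srcaddr, dstport, flows, bytes), busiest source first. NODATA/SKIPDATA
    records carry '-' in the traffic fields, so they are skipped before int()."""
    agg: Dict[Tuple[str, int], List[int]] = defaultdict(lambda: [0, 0])
    for line in lines:
        rec = parse_record(line)
        if rec["log-status"] != "OK" or rec["action"] != "REJECT":
            continue
        port = int(rec["dstport"])
        src = ipaddress.ip_address(rec["srcaddr"])
        if port not in SENSITIVE_PORTS or any(src in net for net in INTERNAL_NETS):
            continue
        agg[(rec["srcaddr"], port)][0] += 1
        agg[(rec["srcaddr"], port)][1] += int(rec["bytes"])
    return sorted(((s, p, n, b) for (s, p), (n, b) in agg.items()),
                  key=lambda r: (-r[2], -r[3], r[0]))

# Constructed sample records (not real traffic); the ACCEPT line is the page's own example.
SAMPLE = [
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.50 51000 22 6 3 180 1620000000 1620000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.51 51001 22 6 2 120 1620000060 1620000120 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.50 40000 3389 6 1 60 1620000000 1620000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.50 54.200.10.5 49152 443 6 15 4500 1620000000 1620000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.8 10.0.1.50 52000 3306 6 1 60 1620000000 1620000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1620000000 1620000060 - NODATA",
]

if __name__ == "__main__":
    for src, port, flows, nbytes in rejected_sensitive_from_external(SAMPLE):
        print(f"{src:>15} -> port {port:<5} flows={flows} bytes={nbytes}")
```

The internal check is an explicit RFC 1918 list rather than ipaddress's is_private, because is_private also classifies the documentation ranges used in the sample as private and would hide them.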
Many compliance frameworks (PCI DSS, HIPAA, SOC 2) require network traffic logging. VPC Flow Logs provide evidence that:
Analyse flow logs to identify: