Flow Logs Basics

AWS is jam packed with tons of information to learn and use.  One of these things are Flow Logs.

A Flow log is an option in Cloudwatch that allows you to monitor activity on various AWS resources.   A flow log generally monitors traffic into different AWS resources.

In particular, Flow Logs can be tracked on:

  1. VPC’s
  2. Subnets
  3. EC2 instances (using Network Adaptors)

Flow logs capture various pieces of information.  it all has to do with what is flowing into and out of the Resource.  With flow logs, you can view things like the IP Address of the Source and Destination, along with the Port Numbers of the source and destination.  To be technical the Quintuple or (five official data points) you can get from a flow log are the following:

  1. The Source IP entering the resource (VPC, Subnet, or EC2)
  2. The Source Port Number
  3. The Destination IP address
  4. The Destination Port Number
  5. The Protocol being used in transporting.

Let’s take a quick example of a VPC flow log.  You first need to create the flow log in the VPC console:

After enabling flow logs on the VPC, you then can see the traffic flow into and out of the VPC using Cloudwatch.

Once you’re in the flow logs, you will see a bunch of fields starting with “eni”.  As far as I’m aware, eni is referring to an network card attached to an EC2 instance.  (Please comment below if that is incorrect).

For example, the below log is for one particular Network Card attached to a particular EC2 instance I have running in a VPC.

The first IP address is the Source.  The 2nd IP is the destination.  The third is the source Port # and the 4th number is the Destination Port #.  And finally, the 5th number is the protocol.  All of this is in the massive AWS documentation.

I waned to see flow logs in action, so I did a basic test.  I spun up an EC2 instance in the VPC, after creating the VPC Flow log.  Then I connected to the instance, for the purposes of generating data for the flow log.

The orange highlighted IP address was my own.  As you can see, my first attempt to connect failed, which is why it said, “reject ok”.  But later in the 4th line, I tried connecting again, and it worked, which is why at the end it says, “Accept OK”.   My first attempt failed because the security group was not open on the EC2 instance to accept SSH requests.

And there you have it.  VPC Flow logs in action.

Leave a Reply