VPC Flow Logs Analysis

VPC Flow Logs are a feature that captures metadata about the IP traffic going to and from network interfaces in a VPC. They are analogous to a network tap or a packet capture at layer 3/4, but without the payload. The primary use cases are: - Security analysis: Identify denied traffic, detect anomalies, investigate security incidents. - Network troubleshooting: Diagnose connectivity issues, verify that traffic is flowing as expected. - Compliance: Meet audit requirements by logging network traffic. - Usage monitoring: Understand traffic patterns, bandwidth usage, and application behavior.

Flow logs are not a replacement for deep packet inspection tools like AWS Network Firewall or third-party NGFWs, but they provide a cost-effective, native way to get baseline network visibility.

When you create a flow log, you specify: - Resource: A VPC, subnet, or individual network interface (ENI). - Destination: Amazon CloudWatch Logs log group or Amazon S3 bucket. - Traffic type: ACCEPT, REJECT, or ALL. - Format: The default format includes specific fields; you can also use custom formats.

The flow log service runs in the background on each hypervisor that hosts EC2 instances. It captures all IP traffic (IPv4 and IPv6) that passes through the virtual network interface. For each network interface, the service aggregates traffic into flows. A flow is defined as a set of packets with the same source and destination IP, source and destination port, protocol, and direction (ingress/egress). For each flow, the service records a log entry at intervals (default 10 minutes, but can be set to 1 minute for higher granularity).

Each log entry contains fields like: - version: The flow log version (currently 2-5). - account-id: The AWS account ID. - interface-id: The ENI ID. - srcaddr: Source IP address. - dstaddr: Destination IP address. - srcport: Source port. - dstport: Destination port. - protocol: IANA protocol number (e.g., 6 for TCP, 17 for UDP). - packets: Number of packets in the flow. - bytes: Number of bytes in the flow. - start: Start time (Unix timestamp). - end: End time (Unix timestamp). - action: ACCEPT or REJECT. - log-status: OK, NODATA, or SKIPDATA. - vpc-id, subnet-id, instance-id, etc.

- Aggregation interval: Default 10 minutes. Minimum 1 minute (additional charge). The service collects packets for the interval, then writes a log entry summarizing the flow. - Log destination: CloudWatch Logs (real-time streaming) or S3 (batch delivery, typically within a few minutes). - Traffic types: ACCEPT only, REJECT only, or ALL. - Log format: Default includes 14 fields (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status). Custom formats can include additional fields like region, az-id, subnet-id, instance-id, pkt-srcaddr, pkt-dstaddr, tcp-flags, type, drop-cause. - Log status: - OK: Data is being logged normally. - NODATA: No network traffic to/from the ENI during the aggregation interval. - SKIPDATA: Some log entries were skipped (e.g., due to internal capacity issues). - Pricing: No charge for creating flow logs, but you pay for CloudWatch Logs ingestion and storage, or S3 storage and requests. - Limitations:

Creating a flow log using AWS CLI:

aws ec2 create-flow-logs --resource-type VPC --resource-ids vpc-12345678 --log-group-name my-flow-logs --traffic-type ALL --deliver-logs-permission-arn arn:aws:iam::123456789012:role/FlowLogsRole

Creating a flow log with custom format to S3:

aws ec2 create-flow-logs --resource-type VPC --resource-ids vpc-12345678 --log-destination-type s3 --log-destination arn:aws:s3:::my-bucket/prefix/ --traffic-type ALL --log-format '${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status} ${region} ${az-id} ${subnet-id} ${instance-id} ${pkt-srcaddr} ${pkt-dstaddr} ${tcp-flags} ${type} ${drop-cause}'

Verifying flow logs:

aws ec2 describe-flow-logs --filter "Name=resource-id,Values=vpc-12345678"

Viewing logs in CloudWatch Logs:

aws logs get-log-events --log-group-name my-flow-logs --log-stream-name eni-12345678-all

Custom formats allow you to include fields like pkt-srcaddr and pkt-dstaddr which are the original packet IP addresses (useful when traffic goes through a NAT or load balancer). The tcp-flags field captures TCP flags (SYN, FIN, RST, etc.) for detailed analysis. The drop-cause field (available in version 5) indicates why a packet was dropped (e.g., security-group-rule, network-acl-rule, no-route, blackhole-route, etc.). This is extremely useful for troubleshooting.

Common scenarios: - Connectivity failure: Check if the action is REJECT. If so, look at the source/destination IP and port to identify which security group or NACL rule is blocking. - Asymmetric routing: If you see traffic in one direction but not the reverse, there may be a routing issue. - Missing logs: Check log status. If SKIPDATA, the flow log service is overwhelmed; consider reducing the aggregation interval or splitting resources. - No data: Ensure the flow log is attached to the correct resource and that the IAM role (for CloudWatch) or bucket policy (for S3) allows delivery.

A financial services company detects unusual outbound traffic from an EC2 instance in a production VPC. The security team suspects a compromised instance exfiltrating data. They enable VPC Flow Logs for the entire VPC (if not already enabled) with 1-minute aggregation interval and custom format including tcp-flags, pkt-srcaddr, and drop-cause. Within minutes, they see a flow from the instance's ENI to an unknown IP on port 443 with high byte counts. The tcp-flags show only SYN and FIN packets, indicating a TCP connection. The action is ACCEPT. They correlate this with CloudTrail logs to see who launched the instance and what IAM roles it had. They isolate the instance, take a forensic snapshot, and use the flow log data as evidence for compliance. Without flow logs, they would have no visibility into the data exfiltration.

A SaaS company deploys a new microservice in a private subnet that needs to communicate with an RDS database in another subnet. Users report timeouts. The network engineer checks the VPC Flow Logs for the microservice's ENI and sees that traffic to the RDS endpoint (IP and port 3306) is being REJECTED. The drop-cause field shows security-group-rule. The engineer reviews the security group attached to the microservice: it allows outbound traffic to the RDS security group on port 3306, but the RDS security group does not allow inbound traffic from the microservice's security group. After updating the RDS security group, the flow logs show ACCEPT. This quick diagnosis saves hours of packet-level analysis.

A large e-commerce platform uses flow logs to monitor traffic patterns across hundreds of microservices. They store flow logs in S3 and use Athena to query them weekly. They generate reports on top talkers (by bytes and packets), identify which services communicate most frequently, and plan scaling accordingly. They also use flow logs to attribute network costs to specific business units by tagging ENIs and extracting the instance-id from logs. One misconfiguration: they initially used default format and could not identify which instance generated traffic because the instance-id field is not in the default format. They had to recreate flow logs with custom format including ${instance-id}. They also encountered a SKIPDATA status during a major sales event, which they resolved by reducing the aggregation interval from 10 minutes to 1 minute and increasing the log group's retention policy.