Welcome to Day 28 of 100 Days of DevOps. The focus for today is VPC Flow Logs.
What are VPC Flow logs?
- Flow logs consist of IP traffic information (who talked to whom, on which ports, how much, and whether it was accepted or rejected)
- These logs are useful for troubleshooting network conversations and can be assigned to one of the following capture points:
* Elastic Network Interface
NOTE: Flow logs don't capture packet payloads, so you can't do packet analysis with them even if the traffic is unencrypted.
Setup VPC Flow Logs
Go To AWS Console --> VPC --> Select your VPC --> Flow logs --> Create flow log
* Filter: Select All (the other options are Accept / Reject)
* Destination: Send to CloudWatch Logs
* Destination log group: Go to AWS Console --> CloudWatch --> Logs --> Create log group
- IAM Role (click on Set Up Permissions)
- After filling in all the values it will look like this
- After creating the flow log, if you look at the subnets of this VPC you will see that each subnet has a flow log associated with it; this is because it inherited the flow log from the VPC.
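The console's "Set Up Permissions" button creates the IAM role that the flow logs service assumes to write into CloudWatch Logs. The following is an added example (not code from the 100daysofdevops repository) that builds the same pieces explicitly with boto3: the trust policy, a permissions policy scoped to the destination log group instead of `"*"`, and the parameters for `create_flow_logs`. The VPC id, log group name and role name are placeholders to substitute.

```python
"""Build the pieces the console's 'Create flow log' form fills in for you.

Added example, not from the original post. boto3 is imported only inside
main(), so the policy-building functions can be inspected and tested offline.
"""
import json

# Placeholders: replace with your own VPC id, log group name and role name.
VPC_ID = "vpc-PLACEHOLDER"
LOG_GROUP = "vpc-flow-logs-PLACEHOLDER"
ROLE_NAME = "vpc-flow-logs-role-PLACEHOLDER"

# Destination traffic filter values accepted by the EC2 API (Filter in the console).
TRAFFIC_TYPES = ("ALL", "ACCEPT", "REJECT")


def flow_logs_trust_policy() -> dict:
    """Trust policy: only the VPC Flow Logs service may assume this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "vpc-flow-logs.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def flow_logs_permissions_policy(log_group_arn: str) -> dict:
    """Permissions the delivery role needs. The AWS sample policy uses Resource '*';
    here the write actions are scoped to the one log group (and its streams)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Describe calls are not resource-scoped, so they keep '*'.
                "Effect": "Allow",
                "Action": ["logs:DescribeLogGroups", "logs:DescribeLogStreams"],
                "Resource": "*",
            },
            {   # Writes are limited to the destination log group.
                "Effect": "Allow",
                "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
                "Resource": [log_group_arn, f"{log_group_arn}:*"],
            },
        ],
    }


def create_flow_logs_params(vpc_id: str, log_group: str, role_arn: str,
                            traffic_type: str = "ALL") -> dict:
    """Keyword arguments for ec2.create_flow_logs(), mirroring the console form:
    capture point = VPC, Filter = ALL, Destination = CloudWatch Logs."""
    if traffic_type not in TRAFFIC_TYPES:
        raise ValueError(f"traffic_type must be one of {TRAFFIC_TYPES}, got {traffic_type!r}")
    return {
        "ResourceType": "VPC",
        "ResourceIds": [vpc_id],
        "TrafficType": traffic_type,
        "LogDestinationType": "cloud-watch-logs",
        "LogGroupName": log_group,
        "DeliverLogsPermissionArn": role_arn,
    }


def main() -> None:
    """Apply everything with boto3 (needs credentials and a configured region)."""
    import boto3  # imported here so the rest of the module works offline

    session = boto3.session.Session()
    account_id = session.client("sts").get_caller_identity()["Account"]
    log_group_arn = f"arn:aws:logs:{session.region_name}:{account_id}:log-group:{LOG_GROUP}"

    iam = session.client("iam")
    role_arn = iam.create_role(
        RoleName=ROLE_NAME,
        AssumeRolePolicyDocument=json.dumps(flow_logs_trust_policy()),
    )["Role"]["Arn"]
    iam.put_role_policy(RoleName=ROLE_NAME, PolicyName="flow-logs-to-cloudwatch",
                        PolicyDocument=json.dumps(flow_logs_permissions_policy(log_group_arn)))

    session.client("logs").create_log_group(logGroupName=LOG_GROUP)
    resp = session.client("ec2").create_flow_logs(
        **create_flow_logs_params(VPC_ID, LOG_GROUP, role_arn))
    print("flow log ids:", resp["FlowLogIds"], "unsuccessful:", resp["Unsuccessful"])


if __name__ == "__main__":
    main()
```

Running the module applies the configuration; importing it only exposes the policy builders, which is what you would diff against an existing role when auditing who can write into the flow log group.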
Flow Log Record Syntax
A flow log record is a space-separated string that has the following format:
<version> <account-id> <interface-id> <srcaddr> <dstaddr> <srcport> <dstport> <protocol> <packets> <bytes> <start> <end> <action> <log-status>
For example:
2 123456789010 eni-abc123de 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
If you go back to CloudWatch Log group, you will see something like this
- As I applied the flow log at the VPC level and the subnet inherited it automatically, if we go to an instance created in this VPC and check its Network Interface, you will see that even the Elastic Network Interface (ENI) inherited the flow log
Flow logs do not capture all IP traffic. The following types of traffic are not logged:
- Traffic generated by instances when they contact the Amazon DNS server. If you use your own DNS server, then all traffic to that DNS server is logged.
- Traffic generated by a Windows instance for Amazon Windows license activation.
- Traffic to and from 169.254.169.254 for instance metadata.
- Traffic to and from 169.254.169.123 for the Amazon Time Sync Service.
- DHCP traffic.
- Traffic to the reserved IP address for the default VPC router.
- Traffic between an endpoint network interface and a Network Load Balancer network interface.
GitHub Code Link: https://github.com/100daysofdevops/100daysofdevops
I look forward to you joining this journey: spend a minimum of an hour every day for the next 100 days on DevOps work and post your progress using any of the channels below.
- Twitter: @100daysofdevops OR @lakhera2015
- Facebook: https://www.facebook.com/groups/795382630808645/
- Medium: https://medium.com/@devopslearning
- Slack: https://devops-myworld.slack.com/messages/CF41EFG49/
- GitHub Link: https://github.com/100daysofdevops