Ref: https://learn.cantrill.io/courses/1820301/lectures/41301379

• Summary:
• Contents:

VPC Flow Logs

• 🔧 Monitor traffic flow to and from ENIs within a VPC
• ‼️ ONLY capture packet metadata!
  • e.g. SRC/DST IPs, ports… → anything to do with flow of data through VPC
  • ❗ Flow Logs do NOT capture packet contents!! → Need a packet sniffer for that
• ‼️ NOT real-time!!
  • delay present, best effort
• Three different levels of attachment (capture from specified point downwards)
  1. VPC-level → captures flow to and from all ENIs in all subnets of the VPC
  2. Subnet-level → captures flow to and from all ENIs in this subnet
  3. ENI-level → direct attachment, captures only flow to and from this particular ENI
• ❗ Can capture accepted, rejected or ALL metadata
• Possible Log Destinations:
  1. S3
     • Can use Athena for querying
     • Ref: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html
  2. CWLogs
     • Ref: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html
• ❗ NOT ALL types of traffic logged with Flow Logs! Some excluded stuff:
  • EC2 Metadata service (http://169.254.169.254)
    • Any accesses to metadata service running inside EC2 instances won't be logged
  • Time server requests (http://169.254.169.123)
    • Uses Network Time Protocol (NTP)
  • DHCP requests running inside the VPC
  • Communications with Amazon DNS server
  • Communications with Amazon Windows license server (Windows EC2 instances)
• Architecture Diagram

Flow Log Records

• Each row captures the flow of a packet through the ENI, with several fields
• Important fields: srcaddr, dstaddr, srcport, dstport, protocol, action
• Important protocol numbers (assigned by IANA):
  • 1 → ICMP (Internet Control Message Protocol)
    • Typical networking “ping” uses ICMP
  • 6 → TCP
  • 17 → UDP
• Example Flow Logs from an ICMP ping (common connectivity and latency assessment)