VPC Flow Logs and VPC Traffic Mirroring - Master AWS Certified Solutions Architect Associate SAA-C03 Exam

Press + to interact

Important points

A few important points related to VPC flow logs are listed below:

It helps monitor and troubleshoot our network issues.
VPC flow logs can be stored in Amazon S3, CloudWatch, and Kinesis Firehose.
The EC2 instance to which an elastic network interface (ENI) is attached must have a public IP address.
In VPC peering, we can create flow logs for the peered VPC only if that VPC belongs to our AWS account.
Once the VPC flow log is created, we can’t modify its settings, fields, or formats. We must delete it and create a new one with the required configurations.

Flow logs at the VPC level

When the flow log is configured at a VPC level, it monitors all the network interfaces in all the subnets attached to the resources. Configuring flow logs at the VPC level is useful when resources are deployed in different subnets, and we want to monitor traffic flow between them. The diagram below shows the flow log configured for the VPC and stores the logs in Amazon S3.

Press + to interact

Field	Description
`account-id`	The AWS account ID of the source network interface for which the logs are maintained.
`interface-id`	The ID of the interface for which the flow logs are recorded.
`srcaddr`	The source address of the incoming traffic, or It can be the IPv4 or IPv6 address of the network interface for the outgoing traffic.
`dstaddr`	The destination address of the outgoing traffic, or It can be the IPv4 or IPv6 address of the network interface for the incoming traffic.
`srcport` and `dstport`	The source and destination port number of the traffic, respectively.
`start` and `end`	The time at which the first and the last data packet received during the aggregation interval.
`action`	The action taken against the IP traffic. This field has two values; either `ACCEPT` or `REJECT`.

Troubleshooting tip: Security groups and NACLs are important in traffic’s acceptance and rejection.

VPC Traffic Mirroring

AWS offers a Traffic Mirroring service to capture and inspect traffic within a VPC. It captures the traffic from the network interface of the source and transfers it to the network interfaces of the target EC2 instances or a network load balancer. Traffic Mirroring also allows us to filter traffic and truncate packets that are not required.

Traffic Mirroring is used for content inspection, threat monitoring, and troubleshooting by mirroring the traffic to the monitoring appliances running on separate instances. The following illustration shows that the source_Instance communicates with the internet traffic, and some security appliance applications run on EC2 instances managed by the Auto Scaling group. A network load balancer is attached to the instances.

Press + to interact

Traffic Mirroring is configured between source_Instance and Auto Scaling group of appliance applications to mirror the traffic. We can filter traffic and process it as required.

VPC Traffic Mirroring vs. VPC Flow Logs

VPC flow logs capture the IP traffic flowing in and out of the elastic network interfaces in our VPC. VPC flow logs collect logs without getting in the way of your traffic route, so the network throughput or latency is not disturbed.

Whereas, Traffic Mirroring is a feature that copies the inbound and outbound traffic from the source ENI to the target ENIs. Traffic Mirroring takes bandwidth from the instances, and if the network gets choked, then priority will be given to the actual traffic flow, and the traffic mirroring is dropped.

We’ve studied VPC flow logs and their importance in monitoring and troubleshooting network issues in our VPC. Flow logs can be configured at three levels and the logs can be stored in Amazon S3, Amazon CloudWatch, or Kinesis Firehose. We also discussed some important fields from the flow logs.

Introduction

AWS Fundamentals

Understanding Cloud Computing Essentials— From Zero to Hero

Identity and Access Management

Securing AWS Resources: Managing Access with IAM

AWS IAM Permission Boundaries

Using AWS IAM Access Analyzer

Compute Services

Understanding AWS Compute Services — From Zero to Hero

Amazon EC2: Elastic Compute Cloud

Working with Instances: An Amazon EC2 Walkthrough

Managing Instance Volumes Using EBS

Networking

Understanding Networking Services in AWS—From Zero to Hero

Controlling VPC Traffic Using Network ACLs

Managing Peer Connections between Amazon Virtual Private Clouds

Accessing AWS Services over AWS PrivateLink Using VPC Endpoints

Monitoring IP Traffic Using VPC Flow Logs

Route 53

Serverless Computing

Getting to Know AWS Lambda

Building and Deploying Serverless Applications with AWS SAM

Developing RESTful Microservices with API Gateway and DynamoDB

Building a WebSocket-Based Chat Application Using API Gateway

Mastering AWS AppSync Lambda Resolvers

Application Integration

Getting Started with Amazon Simple Queue Service (SQS)

Handling Amazon SNS Notifications with AWS Lambda

Build a Fanout Serverless Architecture using SNS, SQS, and Lambda

Decoupling Serverless Applications with Amazon EventBridge

Getting Started with AWS Step Functions

Containers

Getting Started with Amazon ECS

Create an EKS Cluster and Deploy an Application

High Availability and Scalability

Managing Application Traffic Using Elastic Load Balancers

Understanding Auto Scaling Group (ASG) in AWS

Mastering Amazon EC2 Dynamic Scaling Policies

Storage

Understanding AWS Storage Options—From Zero to Hero

Simple Storage Service (S3)

Working with AWS S3 Cross-Region Replication

Resizing Images with S3 Batch Operations and AWS Lambda

Managing Data Access with Amazon S3 Access Points

File Storage and Transfer

Getting Started with Amazon FSx for Windows File Server

Databases

Working with Relational Databases: A Beginner's Guide to AWS RDS

Getting Started with Amazon Aurora Database Engine

Working with NoSQL Databases: A Beginner's Guide to AWS DynamoDB

Exploring Graphs with Amazon Neptune

Getting Started with Amazon Keyspaces

Achieving Ultra-Fast Performance Using Amazon MemoryDB for Redis

Improving Database Performance with Amazon ElastiCache for Redis

Migration and Transfer

Use of AWS Database Migration Service from Aurora MySQL to S3

Security and Compliance

Getting Started with AWS Key Management Service (KMS)

Encrypting S3 Buckets and EBS Volumes Using KMS

Protecting Web Applications Using AWS WAF

Managing Aurora DB Credentials and API Keys Using Secrets Manager

Finding Vulnerabilities on EC2 Instances Using AWS Inspector

Deployment Services

Mastering AWS Deployment Services—From Zero to Hero

CloudFormation

Getting to Know AWS CloudFormation

AWS CloudFormation Updates: Change Sets and Stack Policies

Mastering AWS CloudFormation Helper Scripts

Machine Learning

Understanding Machine Learning Services on AWS—From Zero to Hero

Deploying a Machine Learning Model with Amazon SageMaker

Getting Started with Amazon Fraud Detector

Build an Educative Chatbot with Conversational AI Using AWS Lex

Content Delivery and Optimization

Analytics

Analyzing S3 Data and CloudTrail Logs Using Amazon Athena

Getting Started with Amazon EMR

Getting Started with Amazon Redshift

Building ETL Pipelines on AWS

Create a Data Lake with Lake Formation and Analyze It with Athena