Note_Tech
All technological notes.
Project maintained by simonangel-fong Hosted on GitHub Pages — Theme by mattgraham
AWS Networking - Flow Logs
VPC Flow Logs
-
Capture information about IP traffic going into your interfaces:
- VPC Flow Logs
- Subnet Flow Logs
- Elastic Network Interface (ENI) Flow Logs
- Helps to monitor & troubleshoot connectivity issues
- Flow logs data can go to
S3,CloudWatch Logs, andKinesis Data Firehose -
Captures network information from AWS managed interfaces too:
- ELB, RDS, ElastiCache, Redshift, WorkSpaces, NATGW, Transit Gateway…
- Sample:
- How can you capture information about IP traffic inside your VPCs?
- Enable VPC Flow Logs
- Traffic Mirroring is copying.
- How can you capture information about IP traffic inside your VPCs?
Syntax
srcaddr&dstaddr– help identify problematic IPsrcport&dstport– help identity problematic portsAction– success or failure of the request due to Security Group / NACL- Can be used for analytics on usage patterns, or malicious behavior
- Query VPC flow logs using
AthenaonS3orCloudWatch Logs Insights - Flow Logs examples: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs- records-examples.html
Troubleshoot SG & NACL issues
-
Look at the
ACTIONfield -
Incoming Requests
- Inbound
REJECT=>NACLorSG - Inbound
ACCEPT, OutboundREJECT=>NACL(stateless, sg=stateful)
- Inbound
- Outgoing Requests
- Outbound
REJECT=>NACLorSG - Outbound
ACCEPT, InboundREJECT=>NACL(stateless, sg=stateful)
- Outbound
Architectures
- Top-10:
- CloudWatch + Contributor
- Alarm + SNS
- Analysis
Hands-on
- Create flow log: s3
-
Analyze using Athena with S3
-
Create a bucket for athena
- Specify the location of Athena’s query result
-
Create Athena table for flow log
- ref: https://docs.aws.amazon.com/athena/latest/ug/vpc-flow-logs.html
- Modify location
-
Location of URI in the S3 where flow log is stored.
- Create table
-
Alter table for dates
-
URI to replace
- Alter table
- Query
- Create a new role
- Create a log group in CW
- Create flow log: cw
- In CW logs
