Enable Flow Logs for your VPC and collect all traffic in and out of your VPC network
Surya Shankar
Posted on April 6, 2023
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
Flow logs can help you with a number of tasks, such as:
- Diagnosing overly restrictive security group rules
- Monitoring the traffic that is reaching your instance
- Determining the direction of the traffic to and from the network interfaces
Create your VPC, subnet, Internet Gateway and route table with subnet associations.
Create a VPC in the Mumbai region.
VPC name: VPC-Mumbai
IPv4 CIDR: 11.0.0.0/16
Create a public subnet inside that VPC.
Subnet name: Pub-subnet
AZ: ap-south-1b
IPv4 CIDR: 11.0.1.0/24
Create an Internet Gateway and attach it to your VPC.
Create a route table and associate it with the subnet.
Add a route for 0.0.0.0/0 pointing at the Internet Gateway so the subnet has internet access.
Create an EC2 instance inside the public subnet.
Create IAM Role to allow Flow Logs to be sent to the CloudWatch Log Group
First, we need to create an IAM Role that allows Flow Logs to send data into a CloudWatch Log Group, so go to IAM > Roles and click Create role.
Now select Custom trust policy under the Trusted entity type and add vpc-flow-logs.amazonaws.com as the principal service.
Click Next until you reach the review page, where you give your new role a name you can easily find. This role can be reused every time you need a flow log role that sends logs into a CloudWatch Log Group.
After you have created the role it can be found under your roles. Before we are finished with the role we need to attach an inline policy to it, so click on your new role.
Click Add permissions > Create inline policy to start editing the policy for this role.
Copy the policy into the inline policy editor and click Next.
You need to give the inline policy a name before you are finished creating it for the role.
Your role should now have the new policy attached, and it is ready for use.
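The post does not show the policy documents themselves, so here is an added example (not from the original post) that generates the trust policy and inline permissions policy the flow log role needs. The trust policy and permissions policy follow the documents in the AWS VPC Flow Logs documentation; the aws:SourceAccount and aws:SourceArn conditions are the confused-deputy guard AWS recommends, and the account ID and region are placeholders you substitute for your own. The trust_policy_findings helper is a small review check that flags a trust policy missing those conditions or trusting the wrong principal.

```python
import json

# Service principal that VPC Flow Logs uses when it assumes the delivery role.
FLOW_LOGS_SERVICE = "vpc-flow-logs.amazonaws.com"


def trust_policy(account_id: str, region: str) -> dict:
    """Trust policy allowing only the VPC Flow Logs service to assume the role.

    The Condition block limits the trust to flow logs created in this account
    and region, so a flow log in someone else's account cannot use the role
    (the confused-deputy guard from the AWS documentation).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": FLOW_LOGS_SERVICE},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {
                    "aws:SourceArn": f"arn:aws:ec2:{region}:{account_id}:vpc-flow-log/*"
                },
            },
        }],
    }


def permissions_policy(resources="*") -> dict:
    """Inline policy the role needs to publish into CloudWatch Logs.

    AWS documents this policy with Resource "*"; pass a log group ARN (or a
    list of ARNs) to scope it down to the group you created for the flow log.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
            ],
            "Resource": resources,
        }],
    }


def trust_policy_findings(doc: dict) -> list:
    """Return a list of review findings for a flow-log role trust policy.

    An empty list means: only the flow logs service is trusted and both
    source conditions are present.
    """
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append("statement allows any principal to assume the role")
            continue
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if services != [FLOW_LOGS_SERVICE]:
            findings.append(f"unexpected principal services: {services}")
        # Collect every condition key regardless of operator (StringEquals, ArnLike, ...).
        keys = {key.lower() for operator in stmt.get("Condition", {}).values() for key in operator}
        if "aws:sourceaccount" not in keys:
            findings.append("missing aws:SourceAccount condition (confused-deputy guard)")
        if "aws:sourcearn" not in keys:
            findings.append("missing aws:SourceArn condition (confused-deputy guard)")
    return findings


if __name__ == "__main__":
    # Placeholder account and region; replace with your own values.
    trust = trust_policy("123456789012", "ap-south-1")
    print(json.dumps(trust, indent=2))
    print(json.dumps(permissions_policy(), indent=2))
    print("trust policy findings:", trust_policy_findings(trust))
```

Paste the printed trust document into the Custom trust policy editor and the permissions document into the inline policy editor. If you later review a role someone else created, feed its trust policy to trust_policy_findings: a policy that names the right service but lacks the two conditions comes back with two findings.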
Create a CloudWatch Logs group
Search for CloudWatch and click on Log groups.
When you create the log group you need to change the retention setting to 3 months and give your log group a name; after that you can create the group.
Create Flow Logs for your VPC
To create a flow log, go to VPC, right-click the VPC you want to create a flow log on, then click Create flow log.
Give your flow log a name, select the CloudWatch Log Group and the IAM Role you created before, and use the AWS default format for logging.
Once the flow log is created you can see it by clicking on your VPC and going to Flow logs; from there, click on the destination name to visit the logs for this flow log.
Now you can see a log stream for each network interface (eni-*). Click on the log stream you want to watch. No logs are there yet because nothing has happened inside our network so far.
Now let's try to RDP into the Windows server that we created earlier.
Then go to Log groups --> Log streams.
Here you can see all the logs.
Each group contains a separate stream for each Elastic Network Interface (ENI).
Each stream, in turn, contains a series of flow log records.
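As an added example (not part of the original post), the following script parses records in the AWS default flow log format that the flow log above was created with, and uses them for the tasks listed at the start of the post: working out the direction of each flow relative to the 11.0.0.0/16 VPC, tallying rejected destination ports (the quick way to spot an overly restrictive security group rule) and summing accepted traffic. The sample lines are constructed for the example with the documentation IP ranges 203.0.113.0/24 and 198.51.100.0/24, a placeholder account ID and a made-up interface ID; records whose log-status is not OK (NODATA, SKIPDATA) carry no flow fields and are counted separately.

```python
import ipaddress
from collections import Counter

# Field order of the AWS default flow log format (record version 2).
DEFAULT_FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
)
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample records: an accepted RDP session (TCP/3389) in both
# directions, two rejected inbound attempts (SSH and RDP) and one NODATA record.
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.10 11.0.1.25 51234 3389 6 20 4249 1680768000 1680768060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 11.0.1.25 203.0.113.10 3389 51234 6 18 5000 1680768000 1680768060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 11.0.1.25 40012 22 6 1 44 1680768000 1680768060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1680768000 1680768060 - NODATA",
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 11.0.1.25 40013 3389 6 1 44 1680768000 1680768060 REJECT OK",
]


def parse_record(line: str) -> dict:
    """Split one default-format record into a dict; '-' fields become None."""
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS):
        raise ValueError(f"expected {len(DEFAULT_FIELDS)} fields, got {len(parts)}: {line!r}")
    record = {}
    for name, value in zip(DEFAULT_FIELDS, parts):
        if value == "-":
            record[name] = None
        elif name in INT_FIELDS:
            record[name] = int(value)
        else:
            record[name] = value
    return record


def direction(record: dict, vpc_net: ipaddress.IPv4Network) -> str:
    """Classify a flow relative to the VPC CIDR: inbound, outbound, internal or transit."""
    src_in = ipaddress.ip_address(record["srcaddr"]) in vpc_net
    dst_in = ipaddress.ip_address(record["dstaddr"]) in vpc_net
    if src_in and dst_in:
        return "internal"
    if dst_in:
        return "inbound"
    if src_in:
        return "outbound"
    return "transit"


def summarize(lines, vpc_cidr: str) -> dict:
    """Summarize a log stream: flow directions, rejected ports and accepted bytes."""
    vpc_net = ipaddress.ip_network(vpc_cidr)
    summary = {"inbound": 0, "outbound": 0, "internal": 0, "transit": 0,
               "skipped": 0, "accepted_bytes": 0}
    rejected_ports = Counter()
    for line in lines:
        record = parse_record(line)
        if record["log_status"] != "OK":
            # NODATA / SKIPDATA records have no addresses or counters to analyse.
            summary["skipped"] += 1
            continue
        summary[direction(record, vpc_net)] += 1
        if record["action"] == "REJECT":
            rejected_ports[record["dstport"]] += 1
        else:
            summary["accepted_bytes"] += record["bytes"]
    summary["rejected_ports"] = dict(rejected_ports)
    return summary


if __name__ == "__main__":
    result = summarize(SAMPLE_LINES, "11.0.0.0/16")
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the sample stream the summary shows three inbound flows, one outbound flow, one skipped NODATA record and rejects on ports 22 and 3389. A REJECT on 3389 from an address you expected to reach the server points at the security group rule to loosen; a REJECT on 22 against a Windows host is the security group doing its job.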