Tuesday, February 17, 2026

VPC Flow Logs


🌐 What Are VPC Flow Logs?
VPC Flow Logs capture metadata about IP traffic going to and from:

  • VPC

  • Subnet

  • Network Interface (ENI)

They do NOT capture packet payload, only metadata.

Think of it as:

“Network traffic audit trail for your VPC”


🧠 What Information Does It Capture?

Each log entry contains fields like:

version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action (ACCEPT / REJECT) log-status

Example:

2 123456789 eni-abc123 1.2.3.4 10.0.1.10 53000 443 6 10 840 1693000000 1693000060 ACCEPT OK

Meaning:

Client IP 1.2.3.4 connected to the EC2 instance at 10.0.1.10 on port 443.
The traffic was ACCEPTED.


🔥 Why VPC Flow Logs Are Important

✔ Debug connectivity issues
✔ Identify blocked traffic (NACL / SG issues)
✔ Detect suspicious IP activity
✔ Compliance auditing
✔ Security investigations


🏗 Where Flow Logs Can Be Enabled

You can enable Flow Logs at:

  • VPC level (entire VPC traffic)

  • Subnet level

  • ENI level (very specific)

Best practice:

Enable at VPC level for complete visibility.


🛠 How To Enable VPC Flow Logs (Step-by-Step)

Method 1 — From AWS Console

1️⃣ Go to VPC → Flow Logs
2️⃣ Click "Create Flow Log"
3️⃣ Choose:

  • Resource Type: VPC / Subnet / ENI

  • Destination:

    • CloudWatch Logs (most common)

    • S3 (for long-term storage)

    • Kinesis (real-time streaming)

4️⃣ Choose Traffic Type:

  • ACCEPT

  • REJECT

  • ALL (recommended for troubleshooting)

5️⃣ Select IAM Role
6️⃣ Create


🔎 How To Check VPC Flow Logs

If using CloudWatch:

1️⃣ Go to CloudWatch
2️⃣ Log Groups
3️⃣ Select log group
4️⃣ Open latest log stream

You can search using:

filter pattern: 10.0.1.10

Or:

REJECT

🔬 Real Debugging Example

Problem:

Website not accessible.

Steps:

1️⃣ Check Flow Logs
2️⃣ Search for:

dstport=443

If you see:

REJECT

Then:

Traffic blocked by NACL or SG.

If:

No entry → Route table or IGW issue.
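To make the record format and the troubleshooting steps above concrete, here is a small Python parser, added as an example and not taken from the original post. It splits default-format records into the fields listed earlier, applies the ACCEPT / REJECT / no-entry reasoning from the debugging example to one instance and port, and counts REJECTs per source address; the sample records, account id, ENI id and addresses are constructed placeholders.

```python
from collections import Counter

# Default (version 2) field order, exactly as listed in the post.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets",
              "bytes", "start", "end"}

# Constructed sample records (placeholder account id, ENI and addresses).
SAMPLE = """\
2 123456789012 eni-abc123 1.2.3.4 10.0.1.10 53000 443 6 10 840 1693000000 1693000060 ACCEPT OK
2 123456789012 eni-abc123 198.51.100.7 10.0.1.10 40001 22 6 3 180 1693000000 1693000060 REJECT OK
2 123456789012 eni-abc123 198.51.100.7 10.0.1.10 40002 3389 6 3 180 1693000000 1693000060 REJECT OK
2 123456789012 eni-abc123 203.0.113.9 10.0.1.20 51000 443 6 5 300 1693000000 1693000060 REJECT OK
2 123456789012 eni-abc123 - - - - - - - 1693000000 1693000060 - NODATA
"""

def parse_record(line):
    """Parse one space-separated record; '-' (e.g. in NODATA rows) becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for f in INT_FIELDS:
        rec[f] = None if rec[f] == "-" else int(rec[f])
    return rec

def parse_records(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]

def diagnose_port(records, dstaddr, dstport):
    """The post's 'website not accessible' reasoning for one instance/port:
    ACCEPT -> reaches instance; only REJECT -> NACL/SG; nothing -> routing."""
    hits = [r for r in records if r["log_status"] == "OK"
            and r["dstaddr"] == dstaddr and r["dstport"] == dstport]
    if not hits:
        return "NO ENTRY: check route table / IGW"
    if any(r["action"] == "ACCEPT" for r in hits):
        return "ACCEPT: traffic reaches the instance"
    return "REJECT: blocked by NACL or SG"

def reject_sources(records, min_count=1):
    """Count REJECTed flows per source IP; repeated rejects from one
    address are the signal behind the 'suspicious IP' use case."""
    counts = Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")
    return {ip: n for ip, n in counts.items() if n >= min_count}
```

Running the same functions over a CloudWatch export or an S3 object in the default format works unchanged; custom flow-log formats need FIELDS adjusted to match.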


🎯 Flow Log Architecture Diagram

Here is the architecture flow:

      EC2 / ENI
          |
          v
+--------------------+
|   VPC Flow Logs    |
| (Traffic Capture)  |
+--------------------+
          |
          v
+--------------------+
|  CloudWatch Logs   |
|        OR          |
|     S3 Bucket      |
|        OR          |
|   Kinesis Stream   |
+--------------------+

🧠 ACCEPT vs REJECT Meaning

Action   | Meaning
ACCEPT   | Allowed by SG + NACL
REJECT   | Denied by NACL (SG denies are not logged as REJECT explicitly, they simply don't allow traffic)

Important:

Flow logs capture NACL rejects clearly.

Security Group deny behavior appears as no ACCEPT entry.


🔐 Advanced Production Use

✔ Detect brute-force attacks
✔ Monitor east-west traffic in VPC
✔ Send to SIEM
✔ Athena query from S3
✔ Real-time alerting using CloudWatch Alarms


🎯 Interview 30-Second Answer

“VPC Flow Logs capture IP traffic metadata at the VPC, subnet, or ENI level. They help monitor, audit, and troubleshoot network connectivity by logging ACCEPT or REJECT traffic and can be sent to CloudWatch, S3, or Kinesis.”
