VPC Flow Logs — is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs or Amazon S3. After you’ve created a flow log, you can retrieve and view its data in the chosen destination.
Flow logs can help you with a number of tasks, such as:
- Diagnosing overly restrictive security group rules
- Monitoring the traffic that is reaching your instance
- Determining the direction of the traffic to and from the network interfaces
Flow log data is collected outside of the path of your network traffic, and therefore does not affect network throughput or latency. You can create or delete flow logs without any risk of impact on network performance.
Flow log basics
You can create a flow log for a VPC, a subnet, or a network interface. If you create a flow log for a subnet or VPC, each network interface in that subnet or VPC is monitored.
Flow log data for a monitored network interface is recorded as flow log records, which are log events consisting of fields that describe the traffic flow.
To create a flow log, you specify:
- The resources for which to create the flow log
- The type of traffic to capture(accepted traffic, rejected traffic, or all traffic)
- The destinations to which you want to publish the flow log data
Flow log limitations
To use flow logs, you need to be aware of the following limitations:
- You can’t enable flow logs for the network interfaces that are in the EC2-Classic platform. This includes EC2-Classic instances that have been linked to a VPC through ClassicLink.
- You can’t enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account.
- After you’ve created a flow log, you can’t change its configuration or the flow log record format. For example, you can’t associate a different IAM role with the flow log or add or remove fields in the flow log record. Instead, you can delete the flow log and create a new one with the required configuration.
- When your network interface is attached to a Niro-based instance, the aggregation interval is always 1 minute or less, regardless of the specified maximum aggregation interval.
Flow logs do not capture all IP traffic. The following types of traffic are not logged:
- Traffic is generated by instances when they contact the Amazon DNS server. If you use your own DNS server, then all traffic to that DNS server is logged.
- Traffic generated by a Windows instance for Amazon Windows license activation
- Traffic to and from 169.254.169.254 for instance metadata
- Traffic to and from 169.254.169.123 for the Amazon Time Sync Service
- DHCP traffic
- Traffic to the reserved IP address for the default VPC router
- Traffic between an endpoint network interface and a Network Load Balancer network interface