📡 You're offline — showing cached content
New version available!
Quick Access
🗺️ Roadmaps 🃏 Flashcards 📚 Series 🎓 Tutorials 🗺️ My Path 🎤 Mock Interview Cheat Code 📄 Resume Builder 🛠️ Dev Tools
Tutorials AWS Solutions Architect VPC Flow Logs

VPC Flow Logs

4 min read Quiz at the end
Configure VPC Flow Logs for network visibility, security analysis, and compliance. Query flow logs with Athena or CloudWatch Logs Insights.

VPC Flow Logs — Network Traffic Visibility

VPC Flow Logs capture metadata about ALL IP traffic flowing through your VPC, subnets, and network interfaces. They are essential for security analysis, compliance, and network troubleshooting.

Teacher Note: VPC Flow Logs are like a security camera system for your network. They record every network 'conversation' — who talked to whom, on which port, how much data was transferred, and whether it was accepted or rejected. The cameras don't record the CONTENT of conversations (packet payload), just the metadata.

What Flow Logs Capture

Version AccountID InterfaceID SrcAddr DstAddr SrcPort DstPort Protocol Packets Bytes StartTime EndTime Action

2 123456789012 eni-1234567890 10.0.1.15 52.0.0.1 45678 443 6 20 4000 1725000000 1725000060 ACCEPT
2 123456789012 eni-1234567890 203.0.113.5 10.0.1.15 1234 22 6 5 240 1725000000 1725000010 REJECT

Action ACCEPT = traffic was allowed by security group/NACL
Action REJECT = traffic was blocked
Protocol 6 = TCP, 17 = UDP, 1 = ICMP

Flow Log Destinations

DestinationUse CaseQuery Method
CloudWatch LogsReal-time analysis, alertingCloudWatch Logs Insights
S3Long-term storage, complianceAthena SQL queries
Kinesis Data FirehoseStream to OpenSearch or SplunkThird-party SIEM tools

Security Analysis with Flow Logs

# Find rejected connections (potential attack attempts)
SELECT srcaddr, COUNT(*) as attempts
FROM vpc_flow_logs
WHERE action = 'REJECT'
GROUP BY srcaddr
ORDER BY attempts DESC
LIMIT 10
-- Running in Athena on flow logs stored in S3

# Find unusual outbound traffic (potential data exfiltration)
SELECT dstaddr, SUM(bytes) as total_bytes
FROM vpc_flow_logs
WHERE direction = 'egress'
  AND bytes > 10000000  -- over 10MB
GROUP BY dstaddr
ORDER BY total_bytes DESC
Exam Tip: Flow Logs do NOT capture: DNS queries to Route 53 (use Route 53 resolver query logs instead), EC2 metadata traffic (169.254.169.254), Windows license activation traffic, and traffic to/from the default VPC DNS server. Enable flow logs at the VPC level to capture ALL traffic without managing per-ENI logs.