Guided Lab: Capture Network Traffic Information with VPC Flow Logs to CloudWatch Logs

Description

Have you ever wondered about the details of the IP traffic flowing through your Virtual Private Cloud (VPC)? With VPC Flow Logs, you can capture and analyze this critical information. Whether you’re aiming to monitor your network, enhance security, or troubleshoot issues, VPC Flow Logs provide the insights you need.

In this lab, you’ll learn how to create VPC Flow Logs for a network interface of an EC2 instance using the AWS Management Console. VPC Flow Logs is a feature in Amazon Web Services (AWS) that enables the capture of information about the IP traffic going to and from network interfaces in your Virtual Private Cloud (VPC). This data can be used for various purposes, such as network monitoring, security analysis, and troubleshooting. By the end of this lab, you will have configured VPC Flow Logs to capture detailed information about network traffic, sent this information to Amazon CloudWatch Logs, and verified the flow logs by generating and reviewing network traffic. This setup will provide valuable insights into traffic patterns, help identify security vulnerabilities, and optimize network performance.

Prerequisites

This lab assumes you have basic knowledge of AWS networks and are familiar with AWS core services like EC2 (Elastic Compute Cloud), CloudWatch, and VPC.

If you find any gaps in your knowledge, consider taking the following lab:

Objectives

By the end of this lab, participants will be able to:

  • Set up a log group in CloudWatch to store VPC Flow Log data.
  • Creating and configuring VPC Flow Logs to capture IP traffic information.
  • Generating network traffic to ensure the Flow Logs are capturing data.
  • Reviewing the log data in CloudWatch to verify proper configuration.

Lab Steps

Launch an EC2 Instance

1. Navigate to the EC2 Dashboard

2. Launch an EC2 Instance using the following configurations:

  • Name: MyWebServer
  • AMI: Amazon Linux
  • Instance type: t2.micro
  • Key pair: (Please create a new one.)
    • Key pair name: myKeyPair
    • Key pair type: RSA
    • Private key file format: .pem
  • Network settings: (Click “Create security group”)
    • Auto-assign public IP: Select Enable
    • Firewall (security groups): tick on the Create security group
    • Ensure that Allow SSH traffic from is checked and is My IP

  • Click Launch Instance.

3. Wait for the EC2 instance to be in the Running state.

4. Select the instance and click on the Actions dropdown.

5. Navigate on Networking > Change source/destination check

6. Tick the stop checkbox and Save


The “Source/Destination Check” in an EC2 instance is a network setting that controls whether the instance must be the source or destination of traffic it sends or receives.

  • Enabled (default): The instance only accepts traffic addressed to its own IP. This is when the Stop checkbox is unchecked.
  • Disabled: The instance can forward traffic, useful for NAT, routing, or firewall roles. This is when the Stop checkbox is checked.
Create a CloudWatch Log Group

1. Navigate to the Cloudwatch.

2. Locate the Logs section in the left-side navigation and click on Log groups to view the existing log groups.

3. Click the Create log group button at the top.

4. Enter a name for your new log group in the Log group name field. Ensure the name is descriptive and relevant to the logs it will contain.

5. Click Create log group to finalize the process.

Create a VPC Flow Log

1. Navigate to the VPC Dashboard.

2. In the left navigation pane, click VPC and select the VPC where your EC2 instance is running. In this lab, we choose the default VPC.

3. Click Actions and select Create flow log.

4. Configure the flow log:

  • Name: my-flow-log-01
  • Filter: All
  • Maximum aggregation interval: 1 minute
  • Destination: Send to CloudWatch Logs
  • Log group name: Choose the Log group created previously MyLogGroup
  • IAM role: Select PlayCloud-Sandbox
  • Log record format: Select AWS default format

5. Click Create Flow Log.

6. To check the flow log, navigate to the Flow logs tab in the VPC Dashboard. Ensure that the VPC is selected.

7. Scroll to the right to check the status of this flow log.

8. Navigate back to the EC2 Dashboard > Network & Security > Network Interfaces.

9. Find and select the network interface associated with your EC2 instance.

10. Go to the Flow logs tab to see the same flow log group created previously.

11. Take your time to review the flow logs.

Test the Flow Logs

1. Connect to your EC2 instance using SSH.

  • Open your terminal
  • Navigate to the directory of your .pem key.
  • Copy the command in the EC2 > Instances > <Instance_ID> > Connect to instance
  • Paste it to your Terminal.

2. Generate network traffic by running commands such as ping or accessing websites using curl.

  • Example: ping google.com

3. Navigate to the CloudWatch Dashboard > Log groups

4. You should see log entries detailing the network traffic to and from your EC2 instance.

5. Click on the log stream. You should see Log events similar to the image below. 

6. Take your time to review and familiarize yourself with the log format:
${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}

That’s it! Congratulations, you successfully created VPC Flow Logs for the network interface of an EC2 instance using the AWS Management Console. By setting up VPC Flow Logs, you enabled detailed logging of IP traffic for monitoring and troubleshooting purposes. Additionally, you tested the flow logs by generating network traffic and verifying the logs in CloudWatch, ensuring that the setup works correctly. This setup provides valuable insights into network traffic, helping to enhance security, troubleshoot network issues, and optimize performance in your AWS environment.

Skip to content