So if I select that interface, if I just drag this up a little bit, and we have three tabs here, details, flow logs, and tags. As you can see, it's this bottom instance here. So what I need to do is go down to our network interfaces under network and security and select the ENI of the logging server. Okay so firstly I'm going to set up a VPC Flow Log for the running instance that we've used in a previous demonstration which was for the logging server. Let me now show you how to create a flow log for an interface on an instance, a subnet, and lastly the VPC itself. If you wanted to create flow logs, then you need to also grant the use of the IAM permission of iam:passrole which allows the service to assume the role mentioned previously to create these flow logs on your behalf. The logs:GetLogData permissions is used to enable you to list log events from a data stream. These being ec2:CreateFlowLogs, ec2:DeleteFlowLogs, and ec2:DescribeFlowLogs. The following three EC2 permissions allows you to create, delete, and describe flow logs. While on the topic of permissions, I want to also show you the required permissions for someone to review and access the VPC Flow Logs or indeed be able to create one in the first place. This can be achieved with the following permissions. In addition to this, you will also need to ensure that the VPC Flow Log service can assume that IAM role to perform the delivery of logs to CloudWatch. At a minimum, the following permissions must be associated to the role. If your role does not have the required permissions, then your log data will not be delivered to the CloudWatch group. This role is selected during the setup configuration of the VPC Flow Log. To enable your flow log data to be pushed to a CloudWatch log group, an IAM role is required for permissions to do so. Each of these logs captures data during a window of approximately 10 to 15 minutes. And within each of these streams, there will be the flow log event data that shows the content of the log entries. For every network interface that publishes data to the CloudWatch log group, it will use a different log stream. I mentioned earlier that this data is then sent to CloudWatch logs via a CloudWatch log group. As a result, data is captured for all network interfaces either within the subnet or the VPC respectively. Obviously for option two and three, this will contain a number of different resources. These being a network interface on one of your instances, a subnet within your VPC, and your VPC itself. You can set up and create a flow log against three separate resources. All other traffic both ingress and egress can be captured at a network IP level. Traffic relating to an Amazon Windows activation license from a Windows instance and finally the traffic between a network load balancer interface and an endpoint network interface. Any traffic destined to the IP address for the VPC default router and traffic to and from the following addresses, 169.254.169.254 which is used for gathering instance metadata, and 169.254.169.123 which is used for the Amazon Time Sync Service. However, if you decide to use and implement your own DNS Server within your environment, then the traffic to this will be logged and recorded within the VPC Flow Log. DHCP traffic within the VPC, traffic from instances destined for the Amazon DNS Server. In addition to this, the following traffic is not monitored and captured by the logs. To alter the VPC Flow Log configuration, you need to delete it and then recreate a new one. And once a VPC Flow Log has been created, it cannot be changed. Or if you are still running resources within the EC2-Classic environment, then unfortunately you are not able to retrieve information from their interfaces. If you are running a VPC peered connection, then you'll only be able to see flow logs of peered VPCs that are within the same account. Before creating your VPC Flow Logs, you should be aware of some of the limitations which might prevent you from implementing or configuring them. Instead, the log data captured is sent to CloudWatch logs. Unlike S3 access logs and CloudFront access logs, the log data generated by VPC Flow Logs is not stored in S3. This data is useful for a number of reasons, largely to help you resolve incidents with network communication and traffic flow in addition to being used for security purposes to help spot traffic reaching a destination that should be prohibited. VPC Flow Logs allows you to capture IP traffic information that flows between your network interfaces of your resources within your VPC. Within your VPC, you could potentially have hundreds or even thousands of resources all communicating between different subnets both public and private and also between different VPCs through VPC peering connections. Hello and welcome to this lecture covering VPC Flow Logs.
0 Comments
Leave a Reply. |