1. Overview
VPC Flow Logs capture metadata about IP traffic flowing through network interfaces in your VPC. They are essential for security monitoring, troubleshooting connectivity issues, and compliance auditing.
What Flow Logs Capture
Flow Logs record: source/destination IP, source/destination port, protocol, packet count, byte count, start/end time, and the ACTION (ACCEPT or REJECT). They do NOT capture packet contents (not a packet sniffer). They capture metadata only.
2. Flow Log Levels
3. Flow Log Destinations
4. Flow Log Record Format
Default Flow Log Record (v2):
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
Example:
2 123456789012 eni-abc123 10.0.1.5 52.94.76.89 49152 443 6 20 4000 1620000000 1620000060 ACCEPT OK
Decoded:
- Source: 10.0.1.5:49152 (private instance, ephemeral port)
- Dest: 52.94.76.89:443 (HTTPS to an AWS service)
- Protocol: 6 = TCP
- Packets: 20, Bytes: 4000
- Action: ACCEPT (allowed by SG + NACL)
Custom fields (v5) can include: vpc-id, subnet-id, instance-id, tcp-flags, pkt-srcaddr, pkt-dstaddr, region, az-id, and more.
5. Common Protocol Numbers
6. Troubleshooting with Flow Logs
7. What Flow Logs Do NOT Capture
- DNS requests to Amazon Route 53 Resolver (use Route 53 Resolver query logs instead)
- Traffic to Amazon DNS server (169.254.169.253)
- Instance metadata traffic (169.254.169.254)
- DHCP traffic
- Traffic to the reserved IP of the VPC router (e.g., 10.0.0.1)
- NTP traffic to Amazon Time Sync (169.254.169.123)
- Traffic between a Network Load Balancer ENI and an endpoint ENI
8. Flow Logs + Athena
For large-scale analysis, send Flow Logs to S3 and query with Amazon Athena:
-- Find top talkers (most data transferred)
SELECT srcaddr, dstaddr, SUM(bytes) AS total_bytes
FROM vpc_flow_logs
WHERE action = 'ACCEPT'
GROUP BY srcaddr, dstaddr
ORDER BY total_bytes DESC
LIMIT 10;

-- Find rejected traffic (potential attacks)
SELECT srcaddr, dstaddr, dstport, COUNT(*) AS attempts
FROM vpc_flow_logs
WHERE action = 'REJECT'
GROUP BY srcaddr, dstaddr, dstport
ORDER BY attempts DESC
LIMIT 20;
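The same analysis can be done offline on raw log lines. The following is an added example (not from the original page): it parses the v2 record format from section 4, reproduces the two Athena aggregations above, and flags the "inbound ACCEPT + outbound REJECT" NACL symptom from the troubleshooting tip. Sample records, ENI ids and addresses are constructed for illustration.

```python
# Added example, not from the original page: parse default (v2) VPC Flow Log
# records and reproduce the Athena aggregations and the NACL symptom described above.
from collections import Counter
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample records (fabricated addresses, ENI ids and timestamps).
SAMPLE = """\
2 123456789012 eni-abc123 10.0.1.5 52.94.76.89 49152 443 6 20 4000 1620000000 1620000060 ACCEPT OK
2 123456789012 eni-abc123 52.94.76.89 10.0.1.5 443 49152 6 30 90000 1620000000 1620000060 ACCEPT OK
2 123456789012 eni-abc123 203.0.113.7 10.0.1.5 33012 22 6 1 44 1620000000 1620000060 REJECT OK
2 123456789012 eni-abc123 203.0.113.7 10.0.1.5 33013 22 6 1 44 1620000000 1620000060 REJECT OK
2 123456789012 eni-def456 198.51.100.9 10.0.2.8 51234 80 6 5 300 1620000000 1620000060 ACCEPT OK
2 123456789012 eni-def456 10.0.2.8 198.51.100.9 80 51234 6 5 1200 1620000000 1620000060 REJECT OK
2 123456789012 eni-def456 - - - - - - - 1620000000 1620000060 - NODATA
"""

def parse_record(line):
    """Parse one space-separated v2 record; '-' (no data) becomes None."""
    values = line.split()
    assert len(values) == len(FIELDS), f"bad record: {line!r}"
    return {name: None if raw == "-" else int(raw) if name in INT_FIELDS else raw
            for name, raw in zip(FIELDS, values)}

def parse_log(text):
    """Keep only records that carry data (log-status OK); drop NODATA/SKIPDATA."""
    return [r for r in map(parse_record, text.splitlines()) if r["log_status"] == "OK"]

def top_talkers(records, n=10):
    """Same as the first Athena query: ACCEPTed bytes summed per src/dst pair."""
    totals = Counter()
    for r in (x for x in records if x["action"] == "ACCEPT"):
        totals[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return totals.most_common(n)

def rejected_attempts(records, n=20):
    """Same as the second Athena query: REJECT count per src/dst/dstport."""
    return Counter((r["srcaddr"], r["dstaddr"], r["dstport"])
                   for r in records if r["action"] == "REJECT").most_common(n)

def nacl_suspects(records):
    """Flows accepted on an ENI whose reply (addresses/ports swapped) was rejected on the
    same ENI; SGs are stateful, so this points at a NACL missing the ephemeral range."""
    accepted = {(r["interface_id"], r["srcaddr"], r["srcport"], r["dstaddr"], r["dstport"])
                for r in records if r["action"] == "ACCEPT"}
    return sorted((r["interface_id"], r["dstaddr"], r["srcport"]) for r in records
                  if r["action"] == "REJECT" and
                  (r["interface_id"], r["dstaddr"], r["dstport"], r["srcaddr"], r["srcport"]) in accepted)
```

`nacl_suspects` returns (ENI, remote address, service port) triples; the NODATA record is dropped by `parse_log` rather than breaking the integer fields.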
9. Traffic Mirroring
For full packet capture (not just metadata), use VPC Traffic Mirroring:
- Copies actual network traffic from an ENI to a target (NLB or another ENI)
- Full packet capture: headers + payload (not just metadata like Flow Logs)
- Use for: deep packet inspection, threat detection, content analysis, forensics
- Filter by source/dest IP, protocol, port
- Send to third-party security appliances (IDS/IPS) for analysis
- More expensive than Flow Logs (data processing + target infrastructure)
Exam Tip
VPC Flow Logs: metadata only (not packet contents). 3 levels: VPC, Subnet, ENI. 3 destinations: CloudWatch, S3, Firehose. ACCEPT = allowed, REJECT = blocked. "Inbound ACCEPT + outbound REJECT" = NACL issue (ephemeral ports). "ACCEPT but app fails" = app-level issue. Does NOT capture DNS/DHCP/metadata traffic. For full packet capture = Traffic Mirroring (not Flow Logs). Query in S3 with Athena.