TL;DR
Flow logs aren’t capturing traffic from a private subnet because they need to be enabled on the VPC itself, not just the subnets. This ensures all network interfaces within the VPC are monitored, including those in private subnets.
Solution Guide
- Understand the Problem: Flow logs record IP traffic going to and from Elastic Network Interfaces (ENIs) within your Virtual Private Cloud (VPC). If you only enable them on a subnet, ENIs in other subnets – like private ones – won’t be monitored.
- Enable Flow Logs at the VPC Level: This is the key step.
  - Go to the AWS Management Console and navigate to VPC.
  - In the left-hand navigation pane, select Flow Logs.
  - Select your VPC from the list.
  - Click Create flow log.
- Configure Flow Log Settings:
  - Log destination: Choose where to store the logs.
    - CloudWatch Logs: Easy for basic analysis and alerting.
    - Amazon S3: Better for long-term storage and more complex analysis (e.g., with Athena).
    - Amazon Kinesis Data Firehose: For real-time streaming to other services.
  - Log format: Select the log format.
    - Standard: Human-readable, easier for debugging.
    - AWS Flow Logs Format Version 2: More structured and efficient for analysis.
  - Filter settings (Optional): You can filter traffic based on source/destination IP ranges or ports to reduce log volume. Be careful with filtering, as you might miss important data.
- Example using AWS CLI: If you prefer the command line (the role ARN is a placeholder; the flow log needs a role it can assume to write to CloudWatch Logs):
  aws ec2 create-flow-logs --resource-type VPC --resource-ids vpc-xxxxxxxxxxxxxxxxx --traffic-type ALL --log-destination-type cloud-watch-logs --log-group-name my-flow-log-group --deliver-logs-permission-arn arn:aws:iam::<account-id>:role/<flow-logs-delivery-role>
- Verify Flow Log Creation: After creating the flow log, check its status in the Flow Logs section of the VPC console. It should show as ‘Active’.
- Check CloudWatch Logs or S3 Bucket: Depending on your chosen destination:
- CloudWatch Logs: Go to the CloudWatch service and find the log group you specified. You should see logs appearing from all ENIs in your VPC, including those in private subnets.
- S3 Bucket: Check the bucket for new log files.
- Troubleshooting:
- IAM Permissions: Ensure that the IAM role you specified for the flow log has permission to write logs to the chosen destination (CloudWatch Logs or S3).
- Network ACLs and Security Groups: Verify that network ACLs and security groups allow traffic to flow. Flow logs record what *actually* happens, so if traffic is blocked by these rules, it won’t appear in the logs.
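To make the verification step concrete, here is an added example (not part of the original answer) that parses flow log records in the default version 2 format and reports which ENIs in the VPC have produced no records, so an unmonitored private subnet stands out. The records, ENI ids, subnet names and account id are constructed placeholders.

```python
# Added example: check that every ENI in the VPC shows up in the flow log
# records. Records, ENI ids, subnet names and account id are constructed.
from collections import Counter

# Field order of the default (version 2) flow log format, as documented by AWS.
FIELDS = ["version", "account-id", "interface-id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log-status"]

# Constructed sample records, as they would appear in the CloudWatch log group.
SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.15 10.0.2.21 49152 443 6 10 8400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.2.21 10.0.1.15 443 49152 6 12 15000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60002 198.51.100.7 10.0.1.30 51000 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60002 - - - - - - - 1700000000 1700000060 - NODATA
"""

# Constructed inventory of every ENI in the VPC and its subnet. In practice this
# comes from `aws ec2 describe-network-interfaces --filters Name=vpc-id,Values=<vpc-id>`.
VPC_ENIS = {
    "eni-0a1b2c3d4e5f60001": "subnet-public-a",
    "eni-0a1b2c3d4e5f60002": "subnet-public-a",
    "eni-0a1b2c3d4e5f60003": "subnet-private-a",   # produces no records above
}

def parse_records(text):
    """Yield one dict per line that is a complete version 2 record; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue
        yield dict(zip(FIELDS, parts))

def coverage_report(text, enis):
    """Return (records per ENI with log-status OK, VPC ENIs with no such records)."""
    counts = Counter(r["interface-id"] for r in parse_records(text)
                     if r["log-status"] == "OK")
    missing = {eni: subnet for eni, subnet in enis.items() if counts[eni] == 0}
    return dict(counts), missing

if __name__ == "__main__":
    counts, missing = coverage_report(SAMPLE_RECORDS, VPC_ENIS)
    for eni, n in counts.items():
        print(f"{eni}: {n} records")
    for eni, subnet in missing.items():
        print(f"no records from {eni} in {subnet}: check the flow log's scope")
```

An ENI listed as missing after a reasonable capture window (flow logs are delivered in aggregation intervals, not instantly) is the sign that the flow log was created on a subnet rather than on the VPC.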