Pablo Rodriguez

Monitoring Your Network

When your Amazon VPC is configured and in use with resources deployed in subnets, issues can occur requiring further investigation. It’s important to monitor your network and build automated recovery processes.

  • Performance Problems: “My EC2 instance response times are very slow”

    • Possible DDoS attacks from spam bots overloading network/server
    • Legitimate user traffic can’t reach server or be processed successfully
  • Connectivity Issues: “I can’t access my EC2 instance through SSH”

    • Security group rules may not allow traffic through
    • Configuration issues preventing traffic on specific ports (e.g., port 22 for SSH)
  • Maintenance Problems: “My EC2 database instance isn’t applying patches”

    • Check security group configurations
    • Verify route tables and NAT gateway configurations for private subnet internet access

VPC Flow Logs record metadata about the IP traffic flowing to and from network interfaces in your VPC (addresses, ports, protocol, byte and packet counts, and whether the flow was accepted or rejected). They do not capture packet payloads; for that, use Traffic Mirroring, described below. Flow logs can be enabled at three scopes:

  • VPC Level: Monitor entire VPC traffic
  • Subnet Level: Monitor specific subnet traffic
  • Elastic Network Interface Level: Monitor individual ENI traffic

When creating a flow log, choose which traffic to capture:

  • All traffic: every flow, accepted or rejected
  • Accepted traffic: only flows permitted by security groups and network ACLs
  • Rejected traffic: only flows denied by security groups or network ACLs (the usual choice when hunting for scans and misconfigured rules)

Flow logs can be delivered to one of three destinations:

Amazon CloudWatch Logs

  • Access Method: AWS Management Console, CloudWatch Logs Insights queries, or the CloudWatch Logs API
  • Features: Filter and search log events; metric filters and alarms on matching records
  • Use Case: Near-real-time monitoring and alerting

Amazon S3

  • Access Method: Amazon Athena for interactive SQL querying
  • Formats: Plain text or Parquet
  • Use Case: Long-term retention and batch analysis

Amazon Kinesis Data Firehose

  • Destinations: Amazon OpenSearch Service, Splunk, and other third-party platforms
  • Features: Streaming delivery to analytics and SIEM platforms
  • Use Case: Advanced analytics, correlation with other log sources, and visualization

By default, users don’t have permission to work with flow logs. Create an IAM policy to grant necessary permissions:

flow-logs-policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CreateFlowLogs",
"ec2:DescribeFlowLogs",
"ec2:DeleteFlowLogs"
],
"Resource": "*"
}
]
}

This IAM policy allows users to create, describe, and delete flow logs on any resource ("Resource": "*"); narrow the resource ARNs if only specific VPCs should be managed. It covers only the flow log API calls. Delivering records to CloudWatch Logs additionally requires an IAM role that the VPC Flow Logs service (vpc-flow-logs.amazonaws.com) can assume, with permission for logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogGroups, and logs:DescribeLogStreams, and the user creating the flow log needs iam:PassRole for that role. Delivery to S3 is authorized by the bucket policy instead.

Flow log data is recorded as flow log records: log events consisting of fields that describe a traffic flow observed within an aggregation interval (capture window). The maximum aggregation interval is 10 minutes by default, or 1 minute if selected when the flow log is created, so one record can summarize many packets of the same flow.

Version 2 Fields:

  Field          Description                                    Example Value
  version        VPC Flow Logs version                          2
  account-id     AWS account that owns the network interface    123456789010
  interface-id   Network interface the traffic traversed        eni-1235b8ca123456789
  srcaddr        Source address                                 172.31.16.139
  dstaddr        Destination address                            172.31.16.21
  srcport        Source port                                    20641
  dstport        Destination port                               22
  protocol       IANA protocol number                           6 (TCP)

Traffic Metrics:

  Field          Description                                    Example Value
  packets        Number of packets transferred                  20
  bytes          Number of bytes transferred                    4249
  start          Unix time of the first packet in the window    1418530010
  end            Unix time of the last packet in the window     1418530070
  action         Accept or reject indicator                     ACCEPT
  log-status     Flow log status                                OK

Values of action:

  • ACCEPT: The traffic was permitted by the security groups and network ACLs
  • REJECT: The traffic was not permitted by the security groups or network ACLs

Values of log-status:

  • OK: Data is logging normally
  • NODATA: No network traffic to or from the interface during the aggregation interval (the traffic fields are "-")
  • SKIPDATA: Some records were skipped during the aggregation interval because of an internal capacity constraint or error, so the window is incomplete (the traffic fields are "-")
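As an added example (not code from the original page), the following Python parses version 2 flow log records, treats NODATA and SKIPDATA records correctly (their traffic fields are "-" and carry no flow), and applies simple detection logic: it flags source addresses that are repeatedly rejected on TCP/22, which is what a scan or brute-force attempt against a locked-down SSH port looks like in flow logs. The sample records are constructed for illustration (the first two mirror the example values in the tables above); the threshold of three rejected flows is an assumed tuning value.

```python
"""
Parse VPC Flow Logs v2 records and flag sources repeatedly rejected on port 22.

Record layout (14 space-separated fields, the default v2 format):
  version account-id interface-id srcaddr dstaddr srcport dstport protocol
  packets bytes start end action log-status
NODATA and SKIPDATA records carry "-" in the traffic fields.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records (not real traffic). Lines 1-2 reuse the example
# values from the field tables; 198.51.100.7 is the "scanner" in this sample.
SAMPLE_RECORDS = """\
2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 172.31.9.69 172.31.9.12 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 - - - - - - - 1431280876 1431280934 - NODATA
2 123456789010 eni-1235b8ca123456789 - - - - - - - 1431280876 1431280934 - SKIPDATA
2 123456789010 eni-1235b8ca123456789 198.51.100.7 172.31.16.21 41001 22 6 1 60 1418530100 1418530100 REJECT OK
2 123456789010 eni-1235b8ca123456789 198.51.100.7 172.31.16.21 41002 22 6 1 60 1418530101 1418530101 REJECT OK
2 123456789010 eni-1235b8ca123456789 198.51.100.7 172.31.16.21 41003 22 6 1 60 1418530102 1418530102 REJECT OK
2 123456789010 eni-1235b8ca123456789 203.0.113.9 172.31.16.21 53321 22 6 1 60 1418530103 1418530103 REJECT OK
"""


@dataclass(frozen=True)
class FlowRecord:
    version: int
    account_id: str
    interface_id: str
    srcaddr: Optional[str]      # None for NODATA / SKIPDATA records
    dstaddr: Optional[str]
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]     # IANA number: 6 = TCP, 17 = UDP
    packets: Optional[int]
    nbytes: Optional[int]
    start: int
    end: int
    action: Optional[str]       # "ACCEPT", "REJECT", or None
    log_status: str             # "OK", "NODATA", or "SKIPDATA"


def _opt_str(v: str) -> Optional[str]:
    return None if v == "-" else v


def _opt_int(v: str) -> Optional[int]:
    return None if v == "-" else int(v)


def parse_record(line: str) -> FlowRecord:
    """Parse one v2 record; raises ValueError on a malformed line."""
    f = line.split()
    if len(f) != 14:
        raise ValueError(f"expected 14 fields, got {len(f)}: {line!r}")
    return FlowRecord(
        version=int(f[0]), account_id=f[1], interface_id=f[2],
        srcaddr=_opt_str(f[3]), dstaddr=_opt_str(f[4]),
        srcport=_opt_int(f[5]), dstport=_opt_int(f[6]), protocol=_opt_int(f[7]),
        packets=_opt_int(f[8]), nbytes=_opt_int(f[9]),
        start=int(f[10]), end=int(f[11]),
        action=_opt_str(f[12]), log_status=f[13],
    )


def parse_records(text: str) -> List[FlowRecord]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejected_ssh_sources(records: List[FlowRecord], threshold: int = 3) -> Dict[str, int]:
    """Sources with at least `threshold` REJECTed TCP/22 flows. Only OK records
    carry traffic fields, so NODATA/SKIPDATA records are excluded by the filter."""
    counts = Counter(
        r.srcaddr for r in records
        if r.log_status == "OK" and r.action == "REJECT"
        and r.protocol == 6 and r.dstport == 22
    )
    return {src: n for src, n in counts.items() if n >= threshold}


def bytes_by_action(records: List[FlowRecord]) -> Dict[str, int]:
    """Total bytes per action, a quick accepted-vs-rejected volume check."""
    totals: Dict[str, int] = defaultdict(int)
    for r in records:
        if r.log_status == "OK":
            totals[r.action] += r.nbytes
    return dict(totals)


def status_summary(records: List[FlowRecord]) -> Dict[str, int]:
    """Count records by log-status; any SKIPDATA means the window is incomplete."""
    return dict(Counter(r.log_status for r in records))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("status:", status_summary(recs))
    print("bytes by action:", bytes_by_action(recs))
    print("suspicious SSH sources:", rejected_ssh_sources(recs))
```

The same logic maps directly onto a CloudWatch Logs metric filter or an Athena query once the records are in their destination; the point of doing it in code here is to show which fields carry the signal (action, protocol, dstport, srcaddr) and why log-status must be checked before reading the traffic fields.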

Reachability Analyzer

Purpose: Test connectivity between source and destination resources in VPC

Capabilities:

  • Produces hop-by-hop details when destination is reachable
  • Identifies blocking components when destination is unreachable
  • Analyzes security groups, network ACLs, route tables, load balancers

Example: Verify SSH connectivity from internet gateway to EC2 instance on port 22

Network Access Analyzer

Purpose: Identify unintended network access to AWS resources

Benefits:

  • Understand and improve network security posture
  • Verify compliance requirements
  • Eliminate unintended network access

Example: Verify logical network isolation for credit card processing systems

Traffic Mirroring

Purpose: Copy network traffic for security and monitoring appliances

Use Cases:

  • Analyze actual packet content and payload
  • Determine root cause of performance issues
  • Detect network attacks or compromised workloads
  • Monitor insider abuse

Example: Mirror TCP/UDP traffic to security appliances for packet inspection

  1. Enable Flow Logs: Activate VPC Flow Logs for traffic visibility and troubleshooting

  2. Choose Appropriate Scope: Select VPC, subnet, or ENI level monitoring based on requirements

  3. Configure Proper IAM: Set up IAM policies for flow log management access

  4. Select Delivery Destination: Choose CloudWatch for real-time monitoring, S3 for analysis, or Kinesis for streaming

  5. Use Additional Tools: Leverage Reachability Analyzer, Network Access Analyzer, and Traffic Mirroring for specific troubleshooting needs

VPC monitoring through Flow Logs and additional tools provides comprehensive network visibility for troubleshooting connectivity issues, analyzing security threats, and optimizing performance while maintaining detailed audit trails of network activity.