I want to find the top contributors of traffic through the NAT gateway in my Amazon Virtual Private Cloud (Amazon VPC).
Short description
To find the top contributors of traffic through the NAT gateway in your Amazon VPC, complete the following steps:
- Use Amazon CloudWatch metrics to identify the time of traffic spikes.
- Use CloudWatch Logs to identify the instances that cause traffic spikes.
- Use Amazon Simple Storage Service (Amazon S3) or Amazon Athena to identify the instances that cause traffic spikes.
Resolution
Use CloudWatch metrics to identify the time of traffic spikes
Use the following NAT gateway CloudWatch metrics (AWS/NATGateway namespace) to find when the spikes occurred, so that you can scope the log queries in the next sections to that time range:
- BytesInFromSource: bytes the NAT gateway receives from clients in your VPC (upload)
- BytesInFromDestination: bytes the NAT gateway receives from the internet destination (download)
Check that Amazon VPC Flow Logs are turned on for your Amazon VPC or for the NAT gateway elastic network interface. If they aren't, create a flow log to turn them on. Flow logs capture traffic only from the time you create them, so a spike that already happened can't be analyzed unless flow logs were on at the time. When you create a flow log, choose where the data is published: CloudWatch Logs (queried with CloudWatch Logs Insights in the next section) or Amazon S3 (queried with Athena in the section after that). The queries below use the srcaddr, dstaddr, bytes, start, and end fields of the default log format.
Use CloudWatch Logs Insights to identify the instances that cause traffic spikes
Note: For the commands in steps 5, 6, and 7, replace example-NAT-private-IP with your NAT gateway private IP address and example-VPC-CIDR with your Amazon VPC CIDR. Keep the double quotes: Logs Insights string arguments must be quoted, for example dstAddr = "10.0.1.5" and isIpv4InSubnet(srcAddr, "10.0.0.0/16"). Match the NAT private IP with = rather than like, because like with a plain string is a substring match and "10.0.1.5" would also match 10.0.1.50.
1. Open the CloudWatch console.
2. In the navigation pane, choose Logs Insights.
3. From the dropdown list, select the log group that your flow log publishes to.
4. Select a predefined time range, or choose Custom to set your own time range.
5. Run the following command to identify instances that send the most traffic through your NAT gateway:
filter (dstAddr = "example-NAT-private-IP" and isIpv4InSubnet(srcAddr, "example-VPC-CIDR"))
| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr
| sort bytesTransferred desc
| limit 10
6. Run the following command to identify traffic that goes to and from the instances:
filter (dstAddr = "example-NAT-private-IP" and isIpv4InSubnet(srcAddr, "example-VPC-CIDR")) or (srcAddr = "example-NAT-private-IP" and isIpv4InSubnet(dstAddr, "example-VPC-CIDR"))
| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr
| sort bytesTransferred desc
| limit 10
7. Run the following commands to identify the internet destinations that the instances in your Amazon VPC communicate the most with:
For uploads:
filter (srcAddr = "example-NAT-private-IP" and not isIpv4InSubnet(dstAddr, "example-VPC-CIDR"))
| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr
| sort bytesTransferred desc
| limit 10
For downloads:
filter (dstAddr = "example-NAT-private-IP" and not isIpv4InSubnet(srcAddr, "example-VPC-CIDR"))
| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr
| sort bytesTransferred desc
| limit 10
Use Amazon S3 or Athena to identify the instances that cause traffic spikes
Note: For the commands in steps 3, 4, and 5, replace example-database-name.example-table-name with your database and table names. Replace example-y.y with the first two octets of your Amazon VPC CIDR and example-NAT-private-IP with your NAT gateway private IP address. Athena string literals use single quotes. The LIKE 'example-y.y.%' pattern is a string prefix match, so it is equivalent to your VPC CIDR only for a /16; use one octet for a /8 or three for a /24, and for other prefix lengths filter on each subnet separately. Match the NAT private IP with = so that 10.0.1.5 doesn't also match 10.0.1.50.
1. Open the Athena console. For this method, your flow logs must be delivered to an Amazon S3 bucket.
2. Create a table over the flow log files in that bucket, and note the database and table names. To limit the results to a specific time range, add the following conditions to the WHERE clause of each query, with the boundaries as Unix epoch seconds (quote the column names, because end is a reserved word in Athena):
- "start" >= example-timestamp-start
- "end" <= example-timestamp-end
3. Run the following command to identify instances that send the most traffic through your NAT gateway:
SELECT srcaddr, dstaddr, sum(bytes) AS bytes_transferred
FROM example-database-name.example-table-name
WHERE srcaddr LIKE 'example-y.y.%' AND dstaddr = 'example-NAT-private-IP'
GROUP BY 1, 2 ORDER BY 3 DESC
LIMIT 10;
4. Run the following command to identify traffic that goes to and from the instances:
SELECT srcaddr, dstaddr, sum(bytes) AS bytes_transferred
FROM example-database-name.example-table-name
WHERE (srcaddr LIKE 'example-y.y.%' AND dstaddr = 'example-NAT-private-IP')
   OR (srcaddr = 'example-NAT-private-IP' AND dstaddr LIKE 'example-y.y.%')
GROUP BY 1, 2 ORDER BY 3 DESC
LIMIT 10;
5. Run the following commands to identify the internet destinations that the instances in your Amazon VPC communicate the most with:
For uploads:
SELECT srcaddr, dstaddr, sum(bytes) AS bytes_transferred
FROM example-database-name.example-table-name
WHERE srcaddr = 'example-NAT-private-IP' AND dstaddr NOT LIKE 'example-y.y.%'
GROUP BY 1, 2 ORDER BY 3 DESC
LIMIT 10;
For downloads:
SELECT srcaddr, dstaddr, sum(bytes) AS bytes_transferred
FROM example-database-name.example-table-name
WHERE srcaddr NOT LIKE 'example-y.y.%' AND dstaddr = 'example-NAT-private-IP'
GROUP BY 1, 2 ORDER BY 3 DESC
LIMIT 10;
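As an added example that is not part of this article, the following Python script reproduces, over constructed default-format flow log records, the ranking that the Logs Insights queries in steps 5 to 7 of the previous section and the Athena queries in steps 3 to 5 above compute. The NAT private IP 10.0.1.5, the VPC CIDR 10.0.0.0/16, and every log line are assumptions. It uses real CIDR membership and exact-IP comparison so that a host at 10.0.1.50 is not counted as NAT traffic, drops NODATA records, applies the time window the same way the start/end filters do, and additionally folds both directions onto each instance, which the article's per-pair output does not do.

```python
"""Rank NAT gateway traffic contributors from VPC Flow Log records.

Added example, not from the AWS article: reproduces offline what the Logs
Insights and Athena queries above compute. The NAT private IP, VPC CIDR and
every log line below are constructed sample data.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Default flow log record format (version 2), space separated.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start",
          "end", "action", "log_status")
NAT_IP = "10.0.1.5"        # assumed NAT gateway private IP
VPC_CIDR = "10.0.0.0/16"   # assumed VPC CIDR

# On the NAT gateway ENI each connection appears twice: instance <-> NAT
# private IP (VPC side) and NAT private IP <-> internet address (internet
# side). The eni-0ffffffff line stands for a VPC-level record from another
# host, 10.0.1.50, whose address extends the NAT IP as a string; the last
# line is a NODATA record, which carries '-' instead of addresses and bytes.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.2.10 10.0.1.5 44321 443 6 120 90000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.7 44321 443 6 120 90000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.10 10.0.1.5 44322 443 6 10 4000 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.7 44322 443 6 10 4000 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.3.20 10.0.1.5 51000 443 6 5000 7500000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 198.51.100.9 51000 443 6 5000 7500000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.5 443 51000 6 9000 12000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.3.20 443 51000 6 9000 12000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0ffffffff 10.0.2.10 10.0.1.50 52000 80 6 3 300 1700000300 1700000360 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_records(text):
    """Parse default-format lines into dicts; drop NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def in_vpc(addr, cidr=VPC_CIDR):
    """Real CIDR membership (isIpv4InSubnet); exact for any mask length,
    unlike the Athena LIKE '10.0.%' prefix pattern."""
    return ip_address(addr) in ip_network(cidr)

def rank_flows(records, keep, window=None, limit=10):
    """sum(bytes) by (srcaddr, dstaddr), largest first. window=(start, end)
    in epoch seconds keeps only records captured entirely inside it."""
    totals = defaultdict(int)
    for r in records:
        if window and not (window[0] <= r["start"] and r["end"] <= window[1]):
            continue
        if keep(r):
            totals[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:limit]

def instance_uploads(records, nat_ip=NAT_IP, cidr=VPC_CIDR, **kw):
    """Logs Insights step 5 / Athena step 3: instance -> NAT private IP."""
    return rank_flows(records, lambda r: r["dstaddr"] == nat_ip and
                      in_vpc(r["srcaddr"], cidr), **kw)

def instance_traffic(records, nat_ip=NAT_IP, cidr=VPC_CIDR, **kw):
    """Step 6 / Athena step 4: both directions between instances and the NAT."""
    return rank_flows(records, lambda r:
                      (r["dstaddr"] == nat_ip and in_vpc(r["srcaddr"], cidr)) or
                      (r["srcaddr"] == nat_ip and in_vpc(r["dstaddr"], cidr)), **kw)

def internet_destinations(records, nat_ip=NAT_IP, cidr=VPC_CIDR, download=False, **kw):
    """Step 7 / Athena step 5: NAT private IP <-> addresses outside the VPC."""
    if download:
        return rank_flows(records, lambda r: r["dstaddr"] == nat_ip and
                          not in_vpc(r["srcaddr"], cidr), **kw)
    return rank_flows(records, lambda r: r["srcaddr"] == nat_ip and
                      not in_vpc(r["dstaddr"], cidr), **kw)

def per_instance_totals(records, nat_ip=NAT_IP, cidr=VPC_CIDR, **kw):
    """Beyond the article's per-pair rows: fold both directions onto the instance."""
    totals = defaultdict(int)
    for (src, dst), n in instance_traffic(records, nat_ip, cidr, limit=None, **kw):
        totals[dst if src == nat_ip else src] += n
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def exact_vs_substring(records, nat_ip=NAT_IP):
    """Logs Insights `like "10.0.1.5"` is a substring test and also hits
    10.0.1.50; returns (exact, substring) hit counts on dstaddr."""
    return (sum(r["dstaddr"] == nat_ip for r in records),
            sum(nat_ip in r["dstaddr"] for r in records))
```

Import the module and call parse_records(SAMPLE_LOG), then instance_uploads(recs, window=(start, end)) for the same rows the step 5 query returns for that window, per_instance_totals(recs) for one row per instance, and exact_vs_substring(recs) to see the extra record a substring match on the NAT IP would pull in.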
Related information
Sample queries
Querying Amazon VPC flow logs
How do I analyze the Amazon VPC flow logs using Amazon Athena?
Using AWS Cost Explorer to analyze data transfer costs