Weird VPC flow log entries for NAT Gateway in an empty VPC


Hi,

I'm seeing weird VPC flow log entries for a NAT Gateway in an empty VPC where I only have a NAT Gateway. Most of the time I only see one half of a TCP flow, from an outside IP to my NAT Gateway, with no return path.

I wonder if this is related to some monitoring of the internet connectivity of the NAT Gateway, so can someone provide some insights on this?

You can easily reproduce this:

  1. Create a VPC with a NAT Gateway
  2. Enable VPC flow logs
  3. Check the logs and you will see activities in logs

Here are some entries I observe in the VPC flow logs (the weirdest one is the last entry, with src port 12022 and dst port 0).

Timestamp Message

2022-05-24T17:39:29.000+02:00	2 ************* eni-0ee10eb2f451143fe - - - - - - - 1653406769 1653406801 - NODATA

2022-05-24T17:39:32.000+02:00	2 ************* eni-0ee10eb2f451143fe 134.122.110.201 10.0.8.0 47621 64109 6 1 40 1653406772 1653406773 ACCEPT OK

2022-05-24T17:39:38.000+02:00	2 ************* eni-0ee10eb2f451143fe - - - - - - - 1653406778 1653406809 - NODATA

2022-05-24T17:39:41.000+02:00	2 ************* eni-0ee10eb2f451143fe - - - - - - - 1653406781 1653406812 - NODATA

2022-05-24T17:39:57.000+02:00	2 ************* eni-0ee10eb2f451143fe - - - - - - - 1653406797 1653406828 - NODATA

2022-05-24T17:40:02.000+02:00	2 ************* eni-0ee10eb2f451143fe 185.191.34.200 10.0.8.0 44435 26646 6 1 40 1653406802 1653406802 ACCEPT OK

2022-05-24T17:40:09.000+02:00	2 ************* eni-0ee10eb2f451143fe 47.106.199.57 10.0.8.0 8082 11211 17 1 115 1653406809 1653406824 ACCEPT OK

2022-05-24T17:40:09.000+02:00	2 ************* eni-0ee10eb2f451143fe 178.128.10.117 10.0.8.0 46673 2230 6 1 40 1653406809 1653406824 ACCEPT OK

2022-05-24T17:40:23.000+02:00	2 ************* eni-0ee10eb2f451143fe 162.142.125.253 10.0.8.0 27962 62902 6 1 44 1653406823 1653406823 ACCEPT OK

2022-05-24T17:40:38.000+02:00	2 ************* eni-0ee10eb2f451143fe 192.241.220.32 10.0.8.0 55482 443 6 1 40 1653406838 1653406839 ACCEPT OK

2022-05-24T17:40:39.000+02:00	2 ************* eni-0ee10eb2f451143fe 59.126.10.182 10.0.8.0 12022 0 6 1 60 1653406839 1653406839 ACCEPT OK

2022-05-24T17:40:41.000+02:00	2 ************* eni-0ee10eb2f451143fe - - - - - - - 1653406841 1653406872 - NODATA

2022-05-24T17:40:57.000+02:00	2 ************* eni-0ee10eb2f451143fe - - - - - - - 1653406857 1653406888 - NODATA
asked 2 years ago, 1072 views

1 Answer

Accepted Answer

Hi,

This is explained in detail in this Knowledge center article

NAT gateways do not accept traffic initiated from the internet. I would like to inform you that even though the VPC flow logs show traffic from an external service as accepted at the NAT Gateway ENI, the traffic actually gets dropped. VPC flow logs show inbound traffic as accepted if the security groups and NACLs permit the traffic. However, the actual traffic isn't accepted by the NAT gateway and gets dropped.

This is also called out in the documentation:

A NAT gateway is a Network Address Translation (NAT) service. You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances.

Instances in private subnets can connect to the internet through a public NAT gateway, but cannot receive unsolicited inbound connections from the internet.

Hope this helps.

AWS
EXPERT
answered 2 years ago
  • Thanks for the answer. Is there a reason that we don't allow an SG to be assigned to a NAT Gateway? Because it makes VPC flow monitoring a bit confusing, seeing these entries as ACCEPT in the flow logs. Or maybe it is better to mark them as DROPPED, as in fact they are really dropped at the NAT Gateway level.
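As an added example (not code from the question, the answer, or AWS), here is a small Python classifier that applies the answer's point to default-format (v2) flow log records from a NAT gateway ENI: an inbound record whose reverse 5-tuple never appears in an overlapping aggregation window was internet-initiated and, whatever the ACCEPT field says, never got past the NAT gateway. The NAT gateway private IP (10.0.8.0, the dstaddr in the question), the placeholder account ID and ENI, the RFC 5737 source addresses and the `probe_hint` heuristic are all my assumptions; the sample records are constructed to mirror the entries posted above.

```python
"""Classify default-format (v2) VPC Flow Log records seen on a NAT gateway ENI.

Added example for this thread, not AWS code. Assumes the default v2 field order
and a known NAT gateway private IP; the sample records are constructed
(placeholder account ID and ENI, RFC 5737 addresses) to mirror the question.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

V2_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
             "protocol packets bytes start end action log_status").split()

NAT_IP = "10.0.8.0"  # assumption: the NAT gateway ENI's private IP, the dstaddr in the question

# Constructed sample: one NODATA window, three inbound probes like those in the question,
# and one genuine outbound HTTPS flow together with its return half.
SAMPLE = """\
2 123456789012 eni-0123456789abcdef0 - - - - - - - 1653406769 1653406801 - NODATA
2 123456789012 eni-0123456789abcdef0 203.0.113.10 10.0.8.0 47621 64109 6 1 40 1653406772 1653406773 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.20 10.0.8.0 8082 11211 17 1 115 1653406809 1653406824 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.30 10.0.8.0 12022 0 6 1 60 1653406839 1653406839 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 10.0.8.0 198.51.100.5 35678 443 6 12 2876 1653406850 1653406862 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.5 10.0.8.0 443 35678 6 10 5120 1653406850 1653406862 ACCEPT OK
"""


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: Optional[str]
    dstaddr: Optional[str]
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]
    packets: Optional[int]
    nbytes: Optional[int]
    start: int
    end: int
    action: Optional[str]
    log_status: str


def parse_v2(line: str) -> FlowRecord:
    """Parse one default-format record; '-' marks a field absent in NODATA/SKIPDATA rows."""
    parts = line.split()
    if len(parts) != len(V2_FIELDS):
        raise ValueError(f"expected {len(V2_FIELDS)} fields, got {len(parts)}: {line!r}")
    f = dict(zip(V2_FIELDS, parts))

    def opt_str(v: str) -> Optional[str]:
        return None if v == "-" else v

    def opt_int(v: str) -> Optional[int]:
        return None if v == "-" else int(v)

    return FlowRecord(f["interface_id"], opt_str(f["srcaddr"]), opt_str(f["dstaddr"]),
                      opt_int(f["srcport"]), opt_int(f["dstport"]), opt_int(f["protocol"]),
                      opt_int(f["packets"]), opt_int(f["bytes"]), int(f["start"]), int(f["end"]),
                      opt_str(f["action"]), f["log_status"])


def has_return_flow(rec: FlowRecord, records: List[FlowRecord]) -> bool:
    """True if some OK record is the reverse 5-tuple of rec in an overlapping time window."""
    return any(o.log_status == "OK"
               and o.srcaddr == rec.dstaddr and o.dstaddr == rec.srcaddr
               and o.srcport == rec.dstport and o.dstport == rec.srcport
               and o.protocol == rec.protocol
               and o.start <= rec.end and rec.start <= o.end
               for o in records)


def classify(records: List[FlowRecord], nat_ip: str) -> List[str]:
    """Label each record. ACCEPT only says SG/NACL evaluation passed; an inbound record
    with no reverse flow was internet-initiated and dropped by the NAT gateway."""
    labels = []
    for rec in records:
        if rec.log_status != "OK":
            labels.append("no-traffic")            # NODATA / SKIPDATA window
        elif rec.dstaddr == nat_ip and not has_return_flow(rec, records):
            labels.append("unsolicited-inbound")   # probe from the internet, never forwarded
        elif rec.dstaddr == nat_ip:
            labels.append("solicited-inbound")     # return half of a flow the VPC initiated
        else:
            labels.append("outbound")              # initiated from inside the VPC
    return labels


def probe_hint(rec: FlowRecord) -> str:
    """Heuristic of my own (not from the AWS docs) describing why a record looks like a scan."""
    hints = []
    if rec.dstport == 0:
        hints.append("destination port 0 is not a usable service port")
    if rec.protocol == 6 and rec.packets == 1 and rec.nbytes is not None and 40 <= rec.nbytes <= 60:
        hints.append("one header-sized TCP packet (20-byte IP + 20-40-byte TCP), i.e. a lone SYN")
    return "; ".join(hints) or "one direction only, no reply"


def summarize(text: str, nat_ip: str) -> Dict[str, int]:
    """Count records per label for a batch of flow log lines."""
    records = [parse_v2(l) for l in text.splitlines() if l.strip()]
    return dict(Counter(classify(records, nat_ip)))


def unsolicited_sources(text: str, nat_ip: str) -> Dict[str, str]:
    """Map each external source that probed the NAT gateway to a hint about its probe."""
    records = [parse_v2(l) for l in text.splitlines() if l.strip()]
    return {r.srcaddr: probe_hint(r)
            for r, label in zip(records, classify(records, nat_ip))
            if label == "unsolicited-inbound"}


if __name__ == "__main__":
    print(summarize(SAMPLE, NAT_IP))
    for src, hint in unsolicited_sources(SAMPLE, NAT_IP).items():
        print(f"{src}: {hint}")
```

On the sample, the three probe records come out as unsolicited-inbound while the HTTPS return half is solicited-inbound because its outbound twin exists. Two caveats for real logs: the reverse record can land in a later aggregation window, so match across consecutive batches rather than one file; and if you can switch to the custom log format, the v5 flow-direction field (ingress/egress) makes the directional split explicit without 5-tuple matching, though it still will not turn those ACCEPT entries into REJECT.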
