- Newest
- Most votes
- Most comments
Yes, VPC flow logs will show public IPs being either accepted or rejected based on the flow log settings:
Also take a look at this blog: https://aws.amazon.com/blogs/aws/learn-from-your-vpc-flow-logs-with-additional-meta-data/
As you can see from the examples in it, public IPs are shown in the flow logs as well.
Hmm, lets define some terms:
-public IP, as in routable in the Internet, i.e., publicly accessible
-private IP, as in not public. Note this is not the same as RFC1918, which are forced private
-VPC, a private domain. Addresses in a private domain are private
-NAT, a linking scheme to connect a private domain to Internet (and lots of other things)
-inside, the private side of NAT
-outside, the public side
-IP, the L3 protocol we are talking, all packets have 1 source and 1 destination
Now, VPC flowlogs log packets in the VPC, which inside addresses. For traffic crossing NAT (IGW) the outside peer address (public) is kept as is so you see that public address in the log. For the inside peer, you see the private address.
This is the high level view. If you want more details, then you should understand that the infrastructure where this happens multiplex the links for many clients, so packets travel encapsulated in extra protocols (underlay). So even if one IP packet has only one source and one destination, VPC flowlogs have a srcaddr field and a pkt-srcaddr field (and dst counterparts).
I think this is used only when a NAT gateway is used to track origin and gateway, but have not found a real doc that explains this.
Relevant content
- asked 4 years ago
- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated 9 months ago
