AWS VPC FlowLogs results analysis


Hello,

I'm digging into data from FlowLogs and during my analysis I discovered some calls which are strange to me.

Starting point: I'm talking about traffic happening inside a single VPC with a single route table (with the local IP range pointing to "local"). I have 2 x EC2 instances inside this VPC. For each instance we have a single network interface attached with 1 private IP + 1 public IP. Calls between instances are always made using the private DNS name (like ip-172-XX-XX-XXX.my-region.compute.internal).

In the FlowLogs results I have entries like:

  • public IP of instance A to private IP of instance B
  • private IP of instance A to public IP of instance B
  • public IP of instance A to private IP of instance A

I'm not sure about the expected behavior but it seems strange to me in regard to our usage and route table configuration. Some help will be appreciated :)

Regards,

alxsbn
asked 2 years ago
1 Answer

You will see those sorts of flow log entries when one instance (somehow) resolves the IP of the other instance as a public IP. The traffic in that case will go from (say) Instance A to the Internet Gateway (because it is destined for a public IP address that isn't in the VPC address space, so it must go outside the VPC, and that's where the default route points to); then it will return to Instance B with the source IP address being the public IP of instance A. Because neither instance A nor B is aware of the other's public IP address, they think they're communicating with something external to the VPC.

So pretty normal. The question is: How is one of the instances (maybe both) resolving the public IP of the other instance? That, I don't know. You've said that the instances always use the private DNS name but my guess is there is something that isn't.

You might try logging DNS queries inside your VPC to see what is being resolved and when. That might help you track down what is happening.

AWS EXPERT
answered 2 years ago
  • Hi! Thanks for your answer. I'm OK with your analysis when trying to resolve a public IP through the IGW (and yes, maybe we have something using it). But it's stranger for the case "public IP of instance A to private IP of instance B" ... how can a public IP contact a private one?

  • If instance A resolves the public IP of instance B, the outbound packet from instance A will have a source IP of the private address of A and the destination will be the public IP of B. As that leaves the VPC through the IGW and comes back in, the source will now be the public IP of A and the destination will be the private IP of B (which it has to be in order to get to the instance). If you have an instance with a public IP assigned to it, then traffic to it will always appear to be from a public IP (on the Internet) but to the private IP (because the IGW does NAT on your behalf). In this case, even though the instances are in the same VPC, the IGW doesn't know that - it's the same as if instance A and B were in different VPCs communicating via their public IP addresses.

  • Hi! So, instance A's public IP is linked to an A record on our DNS, and some of our features call this DNS name, leading, I think, to the described behavior.
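As an added example (not part of this thread or of any AWS tooling), a small Python script that applies the answer's explanation to flow log records: given an inventory of the two instances' private and public addresses (constructed here, as are the sample records), it labels each default-format record as local, or as the pre-NAT and post-NAT halves of a flow that detoured through the IGW, which points you at the ENI that is resolving a peer's public IP before you turn on DNS query logging.

```python
# Hypothetical inventory of the two instances; all addresses here are constructed.
INSTANCES = {
    "A": {"private": "172.31.10.11", "public": "203.0.113.11"},
    "B": {"private": "172.31.10.22", "public": "203.0.113.22"},
}
# Field order of the default (version 2) VPC flow log record format
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_flow_log(line):
    """Parse one default-format record; None for malformed or NODATA/SKIPDATA rows."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[3] == "-":
        return None
    return dict(zip(FIELDS, parts))

def owner_of(ip):
    """Map an address to (instance, 'private'|'public'), or None if not ours."""
    for name, addrs in INSTANCES.items():
        for kind, addr in addrs.items():
            if addr == ip:
                return name, kind
    return None

def classify(rec):
    """Label a record by how the two endpoints addressed each other."""
    src, dst = owner_of(rec["srcaddr"]), owner_of(rec["dstaddr"])
    if src is None or dst is None:
        return "external"  # at least one side is not one of our instances
    labels = {("private", "private"): "local",        # stayed on the VPC local route
              ("private", "public"): "igw-outbound",  # sent to peer's public IP, pre-NAT
              ("public", "private"): "igw-return"}    # same flow after the IGW rewrote src
    return labels.get((src[1], dst[1]), "other")

def find_igw_hairpins(lines):
    """Return (eni, src, dst, label) for intra-VPC flows that detoured via the IGW."""
    hits = []
    for rec in filter(None, map(parse_flow_log, lines)):
        label = classify(rec)
        if label.startswith("igw-"):
            hits.append((rec["interface_id"], rec["srcaddr"], rec["dstaddr"], label))
    return hits

SAMPLE_LOGS = [  # constructed records: A talks to B by private IP, then by public IP
    "2 123456789012 eni-aaaa1111 172.31.10.11 172.31.10.22 49152 443 6 10 2048 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-aaaa1111 172.31.10.11 203.0.113.22 49153 443 6 10 2048 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-bbbb2222 203.0.113.11 172.31.10.22 49153 443 6 10 2048 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-aaaa1111 - - - - - - - 1700000000 1700000060 - NODATA",
]
```

Running `find_igw_hairpins(SAMPLE_LOGS)` yields the pre-NAT record on A's ENI and the post-NAT record on B's ENI for the same connection; the self-referential case from the question (A's public IP to A's private IP) is labelled `igw-return` as well.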
