
Monitoring traffic from certain IPs

0

What are some ways to alert on an excessive amount of data being received by an EC2 instance from certain IPs and on certain ports?

AWS
Asked 9 months ago · Viewed 133 times
1 answer
1
Accepted answer

What are some ways to alert on an excessive amount of data being received by an EC2 instance from certain IPs and on certain ports?

CloudWatch Metrics shows packets and bytes in/out of an EC2, but it does not allow additional filtering based on IP and port. VPC flow logs along with Custom Metrics can be leveraged for this solution. Here are the steps:

  1. Navigate to the CloudWatch Log Group for VPC Flow logs of your VPC > Actions > Create Metric Filter
     a. For the filter pattern input: [version, account, eni = "ENI-OF-EC2-TO-MONITOR", source = "SOURCE-IP-TO-MONITOR", destination, srcport, destport="PORT-TO-MONITOR", protocol, packets, bytes, windowstart, windowend, action="ACCEPT", flowlogstatus] – note that this pattern may be different if you are using additional fields available in later versions of Flow Logs. The above is based on the default pattern.
  2. Fill out the filter name, metric namespace.
  3. For Metric Value enter: $bytes. This will publish the amount of bytes for each entry to the CloudWatch metric.
  4. Default value can be set to: 0
  5. Unit set to: bytes
  6. Leave all else default and create metric.

Once this is done you can navigate to CloudWatch Metrics and see the metric in your namespace. Every time there is a request made to the ENI, from the IP, to the destination port, the bytes of that request will be logged to the metric.

From the Graphed Metrics tab, an Alarm can be set up on the bytes metric. The alarm can be made on something like "when average bytes sent over 5 minutes exceeds 10,000". This will depend on what you want to alert on and what is a proper baseline. The Alarm can be configured to trigger an SNS topic that will notify appropriate users, or a Lambda function that can take automated action.

AWS
Answered 9 months ago
Expert
Reviewed 9 months ago
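To make the metric filter and alarm in the accepted answer concrete, here is an added offline example (not code from the answer or from AWS) that models what the filter and alarm do to a batch of VPC flow-log lines: it builds the filter pattern string from the three placeholders, applies the same match condition to each record of the default 14-field flow-log format, emits $bytes for every match bucketed into periods, fills empty periods with the "Default value: 0", and reports which periods breach a threshold for a chosen statistic. The log lines, ENI id, account id and IP addresses are constructed placeholders, and the period/statistic names are assumptions standing in for the real CloudWatch alarm settings.

```python
from collections import defaultdict
from typing import Dict, List, Optional

# Default (version 2) VPC Flow Log field order. The answer's filter pattern
# assumes exactly these 14 space-delimited fields in this order.
FIELDS = [
    "version", "account", "eni", "source", "destination", "srcport", "destport",
    "protocol", "packets", "bytes", "windowstart", "windowend", "action", "flowlogstatus",
]

# Constructed sample lines; the ENI, account and addresses are placeholders,
# not real resources (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
2 111122223333 eni-0abc123def456789a 203.0.113.10 10.0.1.25 54321 443 6 10 4000 1700000100 1700000159 ACCEPT OK
2 111122223333 eni-0abc123def456789a 203.0.113.10 10.0.1.25 54322 443 6 30 12000 1700000160 1700000219 ACCEPT OK
2 111122223333 eni-0abc123def456789a 203.0.113.10 10.0.1.25 54323 22 6 5 800 1700000170 1700000229 ACCEPT OK
2 111122223333 eni-0abc123def456789a 198.51.100.7 10.0.1.25 40000 443 6 8 2000 1700000180 1700000239 ACCEPT OK
2 111122223333 eni-0abc123def456789a 203.0.113.10 10.0.1.25 54324 443 6 3 500 1700000200 1700000259 REJECT OK
2 111122223333 eni-0abc123def456789a - - - - - - - 1700000300 1700000359 - NODATA
2 111122223333 eni-0abc123def456789a 203.0.113.10 10.0.1.25 54325 443 6 2 300 1700001000 1700001059 ACCEPT OK
"""

ENI = "eni-0abc123def456789a"   # placeholder for ENI-OF-EC2-TO-MONITOR
SOURCE_IP = "203.0.113.10"      # placeholder for SOURCE-IP-TO-MONITOR
DEST_PORT = 443                 # placeholder for PORT-TO-MONITOR


def build_filter_pattern(eni: str, source_ip: str, dest_port: int) -> str:
    """Fill the answer's filter-pattern template with concrete values."""
    return (
        f'[version, account, eni = "{eni}", source = "{source_ip}", destination, '
        f'srcport, destport="{dest_port}", protocol, packets, bytes, windowstart, '
        f'windowend, action="ACCEPT", flowlogstatus]'
    )


def parse_flow_record(line: str) -> Optional[Dict[str, str]]:
    """Split one flow-log line into named fields; None if it is not 14 fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def matches_filter(rec: Dict[str, str], eni: str, source_ip: str, dest_port: int) -> bool:
    """The same condition the metric filter pattern expresses."""
    return (
        rec["eni"] == eni
        and rec["source"] == source_ip
        and rec["destport"] == str(dest_port)
        and rec["action"] == "ACCEPT"
    )


def bytes_per_period(log_text: str, eni: str, source_ip: str, dest_port: int,
                     period: int = 300, default: int = 0) -> Dict[int, List[int]]:
    """Emit $bytes for each matching record and bucket the values by `period`
    seconds of the record's windowstart ("Metric Value: $bytes").
    Periods with no match between the first and last match receive `default`,
    which is what the "Default value: 0" setting does for the alarm."""
    buckets: Dict[int, List[int]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_flow_record(line)
        if rec is None or not matches_filter(rec, eni, source_ip, dest_port):
            continue   # NODATA/SKIPDATA lines never match: their action is "-"
        start = int(rec["windowstart"]) // period * period
        buckets[start].append(int(rec["bytes"]))
    if not buckets:
        return {}
    first, last = min(buckets), max(buckets)
    return {t: buckets.get(t, [default]) for t in range(first, last + period, period)}


def evaluate_alarm(series: Dict[int, List[int]], threshold: float,
                   statistic: str = "Sum") -> List[int]:
    """Return the period start times whose statistic exceeds `threshold`."""
    stat = {"Sum": sum, "Average": lambda v: sum(v) / len(v), "Maximum": max}[statistic]
    return sorted(t for t, values in series.items() if stat(values) > threshold)


if __name__ == "__main__":
    print(build_filter_pattern(ENI, SOURCE_IP, DEST_PORT))
    series = bytes_per_period(SAMPLE_LOG, ENI, SOURCE_IP, DEST_PORT)
    for t, values in series.items():
        print(t, values)
    print("Sum > 10000 in periods:", evaluate_alarm(series, 10000, "Sum"))
    print("Average > 10000 in periods:", evaluate_alarm(series, 10000, "Average"))
```

Running it shows why the choice of statistic matters when you set the alarm: the metric filter publishes one data point per matching flow record, so "Average" over 5 minutes is the average size of a matching record, while "Sum" is the total bytes received from that IP on that port in the period. In the constructed sample, two records of 4,000 and 12,000 bytes in the same period breach a 10,000-byte threshold under Sum but not under Average. Lines that differ only in port, source address or action (REJECT) are ignored, as are NODATA lines, exactly as the pattern's fixed fields dictate.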
