Do NW Load Balancers' External IPs appear in VPC Flow Logs? & VPC Flow Log timestamps?


Hi,

I have a question regarding AWS VPC Flow Logs version 2 to and from Network Load Balancers. Refer to the sample entry below, which I made up to ask my question. I am trying to understand external traffic to 99.99.99.99. There are only two entries for the traffic.

  • 10.10.10.10 - Internal Network Load Balancer IP
  • 88.88.88.88 - External Network Load Balancer IP
  • 99.99.99.99 - External IP (not part of my account)
  • eni-01947802984080808 - NW Load Balancer ENI

Sample Entry:

2023-04-15T08:12:47.000Z 2 710750178041 eni-01947802984080808 10.10.10.10 99.99.99.99 60935 4100 6 2 80 1681546367 1681546374 ACCEPT OK eni-01947802984080808-all
2023-04-15T08:12:47.000Z 2 710750178041 eni-01947802984080808 99.99.99.99 10.10.10.10 4100 60935 6 2 80 1681546367 1681546374 ACCEPT OK eni-01947802984080808-all

Questions:

  1. Why is an External Network Load Balancer IP (88.88.88.88) never found in any entries? Does only the Internal Network Load Balancer IP traffic appear (10.10.10.10)?
  2. Note the timestamps are the same. Many VPC Flow logs show this same pattern. Is this the actual order?
1 Answer

1. Why is an External Network Load Balancer IP (88.88.88.88) never found in any entries? Does only the Internal Network Load Balancer IP traffic appear (10.10.10.10)?

Ans: Yes, you are correct. You will get only the private IP address of the Network Load Balancer in the VPC Flow Logs. The public IP address is not logged in the VPC Flow Logs.

2. Note the timestamps are the same. Many VPC Flow Logs show this same pattern. Is this the actual order?

Ans: The timestamp at the start of the record (2023-04-15T08:12:47.000 in the sample log) is the time when the logs were delivered to the CloudWatch log group or S3 bucket, based on the aggregation time interval. The actual packet timestamps are recorded as below (from the sample log: 1681546367 1681546374):

  • start: The time, in Unix seconds, when the first packet of the flow was received within the aggregation interval. This might be up to 60 seconds after the packet was transmitted or received on the network interface.
  • end: The time, in Unix seconds, when the last packet of the flow was received within the aggregation interval. This might be up to 60 seconds after the packet was transmitted or received on the network interface.

Reference documents: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-logs-fields

https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-logs-aggregration-interval

AWS
SUPPORT ENGINEER
answered a year ago
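The following is an added example (not code from the original question or answer) that parses the version-2 records from the sample entry above, converts the `start`/`end` fields to ISO-8601, pairs the two directions of the flow on a direction-independent key, and shows why the two records cannot be ordered from their timestamps: `start` and `end` are aggregation-window boundaries, so both directions that fall into the same window carry identical values. The sample lines are constructed from the placeholder records in the question (a NODATA record is added to exercise the `-` fields the flow-logs field reference describes). The "which side initiated" guess is an assumption based on the ephemeral-port convention (Linux defaults start at 32768), labelled as a heuristic in the code; it is not something a v2 record can prove.

```python
"""Parse AWS VPC Flow Log version-2 records and pair the two directions of a flow.

Added example; not code from the original post. Sample lines are constructed
from the placeholder records in the question.
"""
from datetime import datetime, timezone

# Constructed sample: the two records from the question as CloudWatch Logs shows
# them (leading event timestamp, 14 version-2 fields, trailing log stream name),
# plus a NODATA record in the shape the flow-logs field reference describes.
SAMPLE_LINES = [
    "2023-04-15T08:12:47.000Z 2 710750178041 eni-01947802984080808 10.10.10.10 99.99.99.99 "
    "60935 4100 6 2 80 1681546367 1681546374 ACCEPT OK eni-01947802984080808-all",
    "2023-04-15T08:12:47.000Z 2 710750178041 eni-01947802984080808 99.99.99.99 10.10.10.10 "
    "4100 60935 6 2 80 1681546367 1681546374 ACCEPT OK eni-01947802984080808-all",
    "2 710750178041 eni-01947802984080808 - - - - - - - 1681546367 1681546374 - NODATA",
]

# Default (version 2) field order, per the flow-logs field reference.
V2_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
             "srcport", "dstport", "protocol", "packets", "bytes",
             "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
EPHEMERAL_PORT_MIN = 32768  # assumption: Linux default ephemeral range start


def parse_v2(line):
    """Return one v2 record as a dict; '-' becomes None (NODATA/SKIPDATA records).

    Tolerates a CloudWatch event timestamp in front and a stream name behind:
    the record begins at the first all-digit token, which is the version field.
    """
    tokens = line.split()
    start = 0
    while start < len(tokens) and not tokens[start].isdigit():
        start += 1
    fields = tokens[start:start + len(V2_FIELDS)]
    if len(fields) != len(V2_FIELDS):
        raise ValueError("not a complete version-2 record: %r" % line)
    rec = {}
    for name, value in zip(V2_FIELDS, fields):
        if value == "-":
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(value)
        else:
            rec[name] = value
    return rec


def unix_to_iso(ts):
    """Render a start/end value (Unix seconds, UTC) as ISO-8601."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def window_seconds(rec):
    """Length of the aggregation window the record covers (end - start)."""
    return rec["end"] - rec["start"]


def flow_key(rec):
    """Direction-independent key: both records of one conversation share it."""
    a = (rec["srcaddr"], rec["srcport"])
    b = (rec["dstaddr"], rec["dstport"])
    return (rec["interface_id"], rec["protocol"]) + tuple(sorted([a, b]))


def pair_directions(records):
    """Group records by flow_key, skipping NODATA/SKIPDATA records (no addresses)."""
    flows = {}
    for rec in records:
        if rec["srcaddr"] is None:
            continue
        flows.setdefault(flow_key(rec), []).append(rec)
    return flows


def likely_initiator(records):
    """Guess which endpoint opened the connection for one paired flow.

    start/end are window boundaries, so two directions in the same window are
    identical and give no ordering. A v2 record has no tcp-flags field, so the
    only remaining hint is the port pair: the side using an ephemeral source
    port toward a low destination port is the usual client (heuristic only).
    Returns (client_addr, server_addr, reason), reason in
    {"timestamps", "ports", "unknown"}.
    """
    if len(records) != 2:
        raise ValueError("expected both directions of one flow")
    a, b = records
    if a["start"] != b["start"]:
        first = a if a["start"] < b["start"] else b
        return first["srcaddr"], first["dstaddr"], "timestamps"
    for rec in (a, b):
        if rec["srcport"] >= EPHEMERAL_PORT_MIN and rec["dstport"] < EPHEMERAL_PORT_MIN:
            return rec["srcaddr"], rec["dstaddr"], "ports"
    return None, None, "unknown"


if __name__ == "__main__":
    records = [parse_v2(line) for line in SAMPLE_LINES]
    for both in pair_directions(records).values():
        for rec in both:
            print(rec["srcaddr"], rec["srcport"], "->", rec["dstaddr"], rec["dstport"],
                  unix_to_iso(rec["start"]), "+%ds" % window_seconds(rec))
        print("likely initiator:", likely_initiator(both))
```

Run as-is to see both records printed with the same 7-second window and a port-based guess. Two points the output makes concrete: the `start` field of the sample (1681546367) converts to 2023-04-15T08:12:47Z, the same instant as the leading timestamp on the record, and the only way to recover who sent the first packet from the log itself is a custom-format flow log that includes the `tcp-flags` field (available from version 3), which records the SYN of the opening direction.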
  • Thank you Shivangi! To make sure I fully understand your reply.

    I understand the timestamp is based on when the logs were delivered to the cloudwatch log group.

    However, in the sample, both events have the exact same packet timestamps of 1681546367 1681546374. This is how the events appeared in CloudWatch.

    1. How do you tell which event came first? Did 10.10.10.10 communicate outbound to 99.99.99.99 first? Or did 99.99.99.99 communicate outbound to 10.10.10.10 first?

    2. If multiple packets fall within the same aggregation interval, will their packet timestamps be the same? I think this is your explanation.

    Thank you again

  • Hi again Shivangi,

    Any thoughts on the above?

    I am seeing this result often in my VPC Flow Logs, where two events will both have the exact same packet timestamps, in this instance: 1681546367 1681546374

    How do we know which event came first? Is there an offset field or any additional fields in the log entries which show the order?
