Creating VPC Flow Logs for AWS Transit Gateway using CloudFormation?
Is it possible to create [VPC Flow Logs for AWS Transit Gateway](https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-vpc-flow-logs-for-aws-transit-gateway/) using CloudFormation? I have reviewed the [AWS::EC2::FlowLog](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-flowlog.html) resource documentation, and it appears to only support a network interface, subnet, or VPC. Thanks for your help!
What are these IPs related to 13.212.3.X
In my NAT VPC flow logs, I am able to see a huge transfer to a series of 13.212.3.X IPs. When I checked these IPs, they belong to AWS itself. How do I find out more detail about this transaction? Is it genuine? Which service was involved at the time of the transaction?
My AWS Batch job service uses a lot of space to S3, while my code doesn't work with S3?
I have 5 Batch jobs running on AWS Batch with Fargate; while they were running I noticed the capacity to S3 spiked through the NAT Gateway. I queried the VPC flow logs using Athena and found that the destination IP is S3's. None of my code uses S3; when I turn the jobs off, the capacity going to S3 is completely reduced. I don't understand why my Batch job service uses S3 while my code doesn't. Is there any way to investigate to know exactly where the capacity is coming from? (except https://aws.amazon.com/premiumsupport/knowledge-center/vpc-find-traffic-sources-nat-gateway/?nc1=h_ls , which I have read). I understand it is possible to use an S3 VPC Endpoint to handle throughput through the NAT Gateway, but I want to find the root cause.
Athena Query Result
Hi Team, I followed the steps to create a table in AWS Athena to query VPC flow logs as mentioned here: https://docs.aws.amazon.com/athena/latest/ug/vpc-flow-logs.html When I ran the following query in Athena, I had output like this:
```
r����Z�~:�63y�pt���j��0��_�� �])h}�q ���A�ھ�K����3��肌���cf``������"���� ����"������&���xL"E��M�E��M1E��B2
```
Is this because my S3 bucket that contains the VPC flow logs is encrypted with KMS? Thank you,
Open a parquet file locally
Hi team, I created a VPC flow log with destination S3 and file format = parquet. It generates files like this: `76451945824541_vpcflowlogs_region_fl-08fsf0225fa03sf9874_20220607T8000Z_9f45sfsff.log.gz` I tried to unzip it via 7-Zip and got the message "cannot open the file, is not archive". Is there a way to open this parquet file and explore it on Windows without going through Athena? Thank you
Weird vpc flow logs entries for NAT GATEWAY in an empty VPC
Hi, I'm seeing weird VPC flow log entries for a NAT Gateway in an empty VPC where I only have a NAT Gateway. Most of the time I only see half of a TCP flow, from an outside IP to my NAT Gateway and no return path. I wonder if this is related to some monitoring of internet connectivity of the NAT Gateway, so can someone provide some insights on this? You can easily reproduce this:
1. Create a VPC with a NAT Gateway
2. Enable VPC flow logs
3. Check the logs and you will see activities in the logs
Here are some entries I observe in VPC flow logs (the weirdest one is the last entry with src port 12022 and dst port 0):
```
Timestamp Message
2022-05-24T17:39:29.000+02:00 2 ************* eni-0ee10eb2f451143fe - - - - - - - 1653406769 1653406801 - NODATA
2022-05-24T17:39:32.000+02:00 2 ************* eni-0ee10eb2f451143fe 188.8.131.52 10.0.8.0 47621 64109 6 1 40 1653406772 1653406773 ACCEPT OK
2022-05-24T17:39:38.000+02:00 2 ************* eni-0ee10eb2f451143fe - - - - - - - 1653406778 1653406809 - NODATA
2022-05-24T17:39:41.000+02:00 2 ************* eni-0ee10eb2f451143fe - - - - - - - 1653406781 1653406812 - NODATA
2022-05-24T17:39:57.000+02:00 2 ************* eni-0ee10eb2f451143fe - - - - - - - 1653406797 1653406828 - NODATA
2022-05-24T17:40:02.000+02:00 2 ************* eni-0ee10eb2f451143fe 184.108.40.206 10.0.8.0 44435 26646 6 1 40 1653406802 1653406802 ACCEPT OK
2022-05-24T17:40:09.000+02:00 2 ************* eni-0ee10eb2f451143fe 220.127.116.11 10.0.8.0 8082 11211 17 1 115 1653406809 1653406824 ACCEPT OK
2022-05-24T17:40:09.000+02:00 2 ************* eni-0ee10eb2f451143fe 18.104.22.168 10.0.8.0 46673 2230 6 1 40 1653406809 1653406824 ACCEPT OK
2022-05-24T17:40:23.000+02:00 2 ************* eni-0ee10eb2f451143fe 22.214.171.124 10.0.8.0 27962 62902 6 1 44 1653406823 1653406823 ACCEPT OK
2022-05-24T17:40:38.000+02:00 2 ************* eni-0ee10eb2f451143fe 126.96.36.199 10.0.8.0 55482 443 6 1 40 1653406838 1653406839 ACCEPT OK
2022-05-24T17:40:39.000+02:00 2 ************* eni-0ee10eb2f451143fe 188.8.131.52 10.0.8.0 12022 0 6 1 60 1653406839 1653406839 ACCEPT OK
2022-05-24T17:40:41.000+02:00 2 ************* eni-0ee10eb2f451143fe - - - - - - - 1653406841 1653406872 - NODATA
2022-05-24T17:40:57.000+02:00 2 ************* eni-0ee10eb2f451143fe - - - - - - - 1653406857 1653406888 - NODATA
```
NAT Gateway Traffic Capture for a Specific IP.
We want to export data for the NGW which would give us the EC2 IP which is sending traffic outside via the NAT Gateway. Currently we are following one doc and it's giving the source address as the NAT Gateway's private IP; however, we are looking for the EC2 IPs which are sending data out. Please let us know how to get the same. We are using CloudWatch Logs Insights queries to export the data. https://aws.amazon.com/premiumsupport/knowledge-center/vpc-find-traffic-sources-nat-gateway/
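Both the NAT Gateway post above (half flows with no return path, NODATA records, a flow to dst port 0) and this one (the NAT Gateway's private IP showing up as the source) come down to reading the NAT Gateway ENI's flow log records correctly: traffic leaving the VPC appears with the NAT private IP as srcaddr, while traffic from instances to the NAT appears with the instance private IP as srcaddr and the NAT private IP as dstaddr. The following Python script is an added example, not code from either post or from AWS: it parses default-format (version 2) flow log records, ranks the VPC-internal addresses sending bytes to the NAT private IP, and flags inbound flows from non-VPC addresses that have no matching outbound flow in the same record set. The sample records are constructed (a placeholder account ID is used, the NAT private IP 10.0.8.0 and ENI ID are taken from the post, and the VPC CIDR 10.0.0.0/16 and the 10.0.x.x instance addresses are assumptions).

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Field order of the default (version 2) VPC flow log record format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: Optional[str]      # "-" in NODATA/SKIPDATA records -> None
    dstaddr: Optional[str]
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]     # IANA number: 6 = TCP, 17 = UDP
    packets: int
    bytes: int
    start: int                  # Unix seconds, start of aggregation window
    end: int
    action: Optional[str]       # ACCEPT / REJECT, or None when no data
    log_status: str             # OK / NODATA / SKIPDATA


def parse_record(line: str) -> FlowRecord:
    """Parse one whitespace-separated default-format record; '-' means absent."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    f = dict(zip(FIELDS, parts))
    opt_str = lambda v: None if v == "-" else v
    opt_int = lambda v: None if v == "-" else int(v)
    return FlowRecord(
        interface_id=f["interface_id"],
        srcaddr=opt_str(f["srcaddr"]), dstaddr=opt_str(f["dstaddr"]),
        srcport=opt_int(f["srcport"]), dstport=opt_int(f["dstport"]),
        protocol=opt_int(f["protocol"]),
        packets=opt_int(f["packets"]) or 0, bytes=opt_int(f["bytes"]) or 0,
        start=int(f["start"]), end=int(f["end"]),
        action=opt_str(f["action"]), log_status=f["log_status"],
    )


def load_records(text: str) -> List[FlowRecord]:
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def top_internal_senders(records: List[FlowRecord], nat_private_ip: str,
                         vpc_cidr: str, n: int = 5) -> List[Tuple[str, int]]:
    """Bytes sent to the NAT private IP, per VPC-internal source address.
    This is the view that answers 'which EC2 instance is sending data out':
    on the NAT ENI those flows have the instance as srcaddr, not the NAT."""
    net = ip_network(vpc_cidr)
    totals: Counter = Counter()
    for r in records:
        if r.log_status != "OK" or r.srcaddr is None:
            continue
        if r.dstaddr == nat_private_ip and ip_address(r.srcaddr) in net:
            totals[r.srcaddr] += r.bytes
    return totals.most_common(n)


def unsolicited_inbound(records: List[FlowRecord], nat_private_ip: str,
                        vpc_cidr: str) -> List[FlowRecord]:
    """Inbound flows from non-VPC addresses to the NAT private IP with no
    reverse-direction outbound flow (same 5-tuple mirrored) in the record set.
    These are the 'half flows' worth reviewing; a genuine reply to an instance's
    outbound connection always has a matching NAT -> internet record."""
    net = ip_network(vpc_cidr)
    outbound = {(r.srcaddr, r.srcport, r.dstaddr, r.dstport, r.protocol)
                for r in records
                if r.log_status == "OK" and r.srcaddr == nat_private_ip}
    flagged = []
    for r in records:
        if r.log_status != "OK" or r.srcaddr is None:
            continue
        if r.dstaddr == nat_private_ip and ip_address(r.srcaddr) not in net:
            mirrored = (r.dstaddr, r.dstport, r.srcaddr, r.srcport, r.protocol)
            if mirrored not in outbound:
                flagged.append(r)
    return flagged


# Constructed sample: three records modelled on the post, two NODATA windows,
# constructed instance -> NAT flows, and one NAT -> internet flow with its reply.
SAMPLE_LOG = """\
2 123456789012 eni-0ee10eb2f451143fe - - - - - - - 1653406769 1653406801 - NODATA
2 123456789012 eni-0ee10eb2f451143fe 188.8.131.52 10.0.8.0 47621 64109 6 1 40 1653406772 1653406773 ACCEPT OK
2 123456789012 eni-0ee10eb2f451143fe 220.127.116.11 10.0.8.0 8082 11211 17 1 115 1653406809 1653406824 ACCEPT OK
2 123456789012 eni-0ee10eb2f451143fe 188.8.131.52 10.0.8.0 12022 0 6 1 60 1653406839 1653406839 ACCEPT OK
2 123456789012 eni-0ee10eb2f451143fe 10.0.1.25 10.0.8.0 51234 443 6 120 98000 1653406900 1653406930 ACCEPT OK
2 123456789012 eni-0ee10eb2f451143fe 10.0.2.40 10.0.8.0 40022 443 6 10 4200 1653406900 1653406930 ACCEPT OK
2 123456789012 eni-0ee10eb2f451143fe 10.0.1.25 10.0.8.0 51235 80 6 30 15000 1653406900 1653406930 ACCEPT OK
2 123456789012 eni-0ee10eb2f451143fe 10.0.8.0 203.0.113.10 51234 443 6 120 98000 1653406900 1653406930 ACCEPT OK
2 123456789012 eni-0ee10eb2f451143fe 203.0.113.10 10.0.8.0 443 51234 6 110 240000 1653406900 1653406930 ACCEPT OK
"""

if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("top internal senders:", top_internal_senders(recs, "10.0.8.0", "10.0.0.0/16"))
    for r in unsolicited_inbound(recs, "10.0.8.0", "10.0.0.0/16"):
        print(f"unsolicited: {r.srcaddr}:{r.srcport} -> {r.dstaddr}:{r.dstport} proto {r.protocol}")
```

The NODATA records are skipped rather than treated as flows: they only state that nothing was observed on the ENI in that window. When running this over a real export, the 5-tuple matching should be done over the same time range that the outbound records cover, since a reply logged in a later aggregation window than its request would otherwise be flagged.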
Problem with ELB logs
**Context:** I've created an ELB and have connected it to a target group, which in turn is connected to an ASG.
**ASG - Working:** I could see that the ASG is working fine, i.e. it creates an instance automatically as per the scaling policy.
**Target Group - Working:** I could also see that the target group is indicating the instance as Healthy.
**ELB - Not Working:** Whereas, when I try to hit the ELB's public URL from a browser, I don't see it working; it fails with a timeout error. I've enabled logging for the ELB but don't see the logs appearing in the S3 bucket (although there's a file created by the ELB, which means I've given it proper access). I literally don't know how else to track a request from the ELB, and I'm not seeing logs being generated in my application/instances either. But when I try to hit the public URL of my instance, the application does work. Any inputs would be helpful!
AWS VPC FlowLogs results analysis
Hello, I'm digging through data from FlowLogs and during my analysis I discovered some calls which are strange to me. Starting point: I'm talking about traffic happening inside a single VPC with a single route table (with the local IP range pointing to "local"). I have 2 x EC2 instances inside this VPC. Each instance has a single network interface attached with 1 private IP + 1 public IP. Calls between instances are always made using the private DNS name (like ip-172-XX-XX-XXX.my-region.compute.internal). In the FlowLogs results I have entries like:
- public IP of instance A to private IP of instance B
- private IP of instance A to public IP of instance B
- public IP of instance A to private IP of instance A
I'm not sure about the expected behavior, but it seems strange to me with regard to our usage and route table configuration. Some help would be appreciated :) Regards,
Centralized logging - one region, perhaps one account (S3/VPC)
Hi, I'm struggling with consolidating logs. I want to enable server access logging in S3 as well as VPC flow logging. Both need to have a logging bucket per region. That is not very scalable. Can't this be consolidated into one bucket? I'd also be fine having it all sent to a centralized log-archive account, if possible, but that probably needs bucket replication and doesn't solve the original issue of so many buckets being required. Config logs and CloudTrail logs are nicely consolidated, but server access logs and VPC flow logs are not. A related point: if server access logging must be enabled (security-wise) on the bucket where server access logging takes place, don't you get into an endless loop? :/ Thanks!