VPC Move Logs is an AWS function that captures details about the community site visitors flows going to and from community interfaces in Amazon Digital Non-public Cloud (Amazon VPC). Visibility to the community site visitors flows of your software can assist you troubleshoot connectivity points, architect your software and community for improved efficiency, and enhance safety of your software.

Every VPC movement log document incorporates the supply and vacation spot IP deal with fields for the site visitors flows. The data additionally include the Amazon Elastic Compute Cloud (Amazon EC2) occasion ID that generated the site visitors movement, which makes it simpler to establish the EC2 occasion and its related VPC, subnet, and Availability Zone from the place the site visitors originated. Nevertheless, when you might have a lot of EC2 cases working in your atmosphere, it might not be apparent the place the site visitors is coming from or going to easily based mostly on the EC2 occasion IDs or IP addresses contained within the VPC movement log data.

By enriching movement log data with further metadata reminiscent of useful resource tags related to the supply and vacation spot sources, you’ll be able to extra simply perceive and analyze site visitors patterns in your atmosphere. For instance, prospects usually tag their sources with useful resource names and undertaking names. By enriching movement log data with useful resource tags, you’ll be able to simply question and think about movement log data based mostly on an EC2 occasion identify, or establish all site visitors for a sure undertaking.

As well as, you’ll be able to add useful resource context and metadata concerning the vacation spot useful resource such because the vacation spot EC2 occasion ID and its related VPC, subnet, and Availability Zone based mostly on the vacation spot IP within the movement logs. This manner, you’ll be able to simply question your movement logs to establish site visitors crossing Availability Zones or VPCs.

On this submit, you’ll learn to enrich movement logs with tags related to sources from VPC movement logs in a totally serverless mannequin utilizing Amazon Kinesis Information Firehose and the lately launched Amazon VPC IP Tackle Supervisor (IPAM), and in addition analyze and visualize the movement logs utilizing Amazon Athena and Amazon QuickSight.

Answer overview

On this answer, you allow VPC movement logs and stream them to Kinesis Information Firehose. This answer enriches log data utilizing an AWS Lambda operate on Kinesis Information Firehose in a totally serverless method. The Lambda operate fetches useful resource tags for the occasion ID. It additionally appears to be like up the vacation spot useful resource from the vacation spot IP utilizing the Amazon EC2 API and IPAM, and provides the related VPC community context and metadata for the vacation spot useful resource. It then shops the enriched log data in an Amazon Easy Storage Service (Amazon S3) bucket. After you might have enriched your movement logs, you’ll be able to question, view, and analyze them in all kinds of providers, reminiscent of AWS Glue, Athena, QuickSight, Amazon OpenSearch Service, in addition to options from the AWS Accomplice Community reminiscent of Splunk and Datadog.

The next diagram illustrates the answer structure.

The workflow incorporates the next steps:

1. Amazon VPC sends the VPC movement logs to the Kinesis Information Firehose supply stream.
2. The supply stream makes use of a Lambda operate to fetch useful resource tags as an illustration IDs from the movement log document and add it to the document. You can even fetch tags for the supply and vacation spot IP deal with and enrich the movement log document.
3. When the Lambda operate finishes processing all of the data from the Kinesis Information Firehose buffer with enriched data like useful resource tags, Kinesis Information Firehose shops the end result file within the vacation spot S3 bucket. Any failed data that Kinesis Information Firehose couldn’t course of are saved within the vacation spot S3 bucket below the prefix you specify throughout supply stream setup.
4. All of the logs for the supply stream and Lambda operate are saved in Amazon CloudWatch log teams.

Stipulations

As a prerequisite, you want to create the goal S3 bucket earlier than creating the Kinesis Information Firehose supply stream.

If utilizing a Home windows laptop, you want PowerShell; if utilizing a Mac, you want Terminal to run AWS Command Line Interface (AWS CLI) instructions. To put in the newest model of the AWS CLI, confer with Putting in or updating the newest model of the AWS CLI.

Create a Lambda operate

You possibly can obtain the Lambda operate code from the GitHub repo used on this answer. The instance on this submit assumes you might be enabling all of the obtainable fields within the VPC movement logs. You need to use it as is or customise per your wants. For instance, when you intend to make use of the default fields when enabling the VPC movement logs, you want to modify the Lambda operate with the respective fields. Creating this operate creates an AWS Id and Entry Administration (IAM) Lambda execution function.

To create your Lambda operate, full the next steps:

1. On the Lambda console, select Capabilities within the navigation pane.
2. Select Create operate.
3. Choose Creator from scratch.
4. For Operate identify, enter a reputation.
5. For Runtime, select Python 3.8.
6. For Structure, choose x86_64.
7. For Execution function, choose Create a brand new function with primary Lambda permissions.
8. Select Create operate.

You possibly can then see code supply web page, as proven within the following screenshot, with the default code within the lambda_function.py file.

9. Delete the default code and enter the code from the GitHub Lambda operate aws-vpc-flowlogs-enricher.py.
10. Select Deploy.

To complement the movement logs with further tag data, you want to create an extra IAM coverage to offer Lambda permission to explain tags on sources from the VPC movement logs.

11. On the IAM console, select Insurance policies within the navigation pane.
12. Select Create coverage.
13. On the JSON tab, enter the JSON code as proven within the following screenshot.

This coverage offers the Lambda operate permission to retrieve tags for the supply and vacation spot IP and retrieve the VPC ID, subnet ID, and different related metadata for the vacation spot IP out of your VPC movement log document.

14. Select Subsequent: Tags.

15. Add any tags and select Subsequent: Evaluate.

16. For Title, enter vpcfl-describe-tag-policy.
17. For Description, enter an outline.
18. Select Create coverage.

19. Navigate to the beforehand created Lambda operate and select Permissions within the navigation pane.
20. Select the function that was created by Lambda operate.

A web page opens in a brand new tab.

21. On the Add permissions menu, select Connect insurance policies.

22. Seek for the vpcfl-describe-tag-policy you simply created.
23. Choose the vpcfl-describe-tag-policy and select Connect insurance policies.

Create the Kinesis Information Firehose supply stream

To create your supply stream, full the next steps:

1. On the Kinesis Information Firehose console, select Create supply stream.
2. For Supply, select Direct PUT.
3. For Vacation spot, select Amazon S3.

After you select Amazon S3 for Vacation spot, the Remodel and convert data part seems.

4. For Information transformation, choose Allow.
5. Browse and select the Lambda operate you created earlier.
6. You possibly can customise the buffer dimension as wanted.

This impacts on what number of data the supply stream will buffer earlier than it flushes it to Amazon S3.

7. You can even customise the buffer interval as wanted.

This impacts how lengthy (in seconds) the supply stream will buffer the incoming data from the VPC.

8. Optionally, you’ll be able to allow Report format conversion.

If you wish to question from Athena, it’s really useful to transform it to Apache Parquet or ORC and compress the recordsdata with obtainable compression algorithms, reminiscent of gzip and snappy. For extra efficiency suggestions, confer with High 10 Efficiency Tuning Ideas for Amazon Athena. On this submit, document format conversion is disabled.

9. For S3 bucket, select Browse and select the S3 bucket you created as a prerequisite to retailer the movement logs.
10. Optionally, you’ll be able to specify the S3 bucket prefix. The next expression creates a Hive-style partition for 12 months, month, and day:

AWSLogs/12 months=!{timestamp:YYYY}/month=!{timestamp:MM}/day=!{timestamp:dd}/

11. Optionally, you’ll be able to allow dynamic partitioning.

Dynamic partitioning lets you create focused datasets by partitioning streaming S3 knowledge based mostly on partitioning keys. The fitting partitioning can assist you to save lots of prices associated to the quantity of information that’s scanned by analytics providers like Athena. For extra data, see Kinesis Information Firehose now helps dynamic partitioning to Amazon S3.

Notice that you could allow dynamic partitioning solely while you create a brand new supply stream. You possibly can’t allow dynamic partitioning for an current supply stream.

12. Broaden Buffer hints, compression and encryption.
13. Set the buffer dimension to 128 and buffer interval to 900 for finest efficiency.
14. For Compression for knowledge data, choose GZIP.

Create a VPC movement log subscription

Now you create a VPC movement log subscription for the Kinesis Information Firehose supply stream you created.

Navigate to AWS CloudShell or Terminal/PowerShell for a Mac or Home windows laptop and run the next AWS CLI command to allow the subscription. Present your VPC ID for the parameter --resource-ids and supply stream ARN for the parameter --log-destination.

aws ec2 create-flow-logs  
--resource-type VPC  
--resource-ids vpc-0000012345f123400d  
--traffic-type ALL  
--log-destination-type kinesis-data-firehose  
--log-destination arn:aws:firehose:us-east-1:123456789101:deliverystream/PUT-Kinesis-Demo-Stream  
--max-aggregation-interval 60  
--log-format '${account-id} ${motion} ${az-id} ${bytes} ${dstaddr} ${dstport} ${finish} ${flow-direction} ${instance-id} ${interface-id} ${log-status} ${packets} ${pkt-dst-aws-service} ${pkt-dstaddr} ${pkt-src-aws-service} ${pkt-srcaddr} ${protocol} ${area} ${srcaddr} ${srcport} ${begin} ${sublocation-id} ${sublocation-type} ${subnet-id} ${tcp-flags} ${traffic-path} ${sort} ${model} ${vpc-id}'

Should you’re working CloudShell for the primary time, it would take a couple of seconds to organize the atmosphere to run.

After you efficiently allow the subscription in your VPC movement logs, it takes a couple of minutes relying on the intervals talked about within the setup to create the log document recordsdata within the vacation spot S3 folder.

To view these recordsdata, navigate to the Amazon S3 console and select the bucket storing the movement logs. It’s best to see the compressed interval logs, as proven within the following screenshot.

You possibly can obtain any file from the vacation spot S3 bucket in your laptop. Then extract the gzip file and think about it in your favourite textual content editor.

The next is a pattern enriched movement log document, with the brand new fields in daring offering added context and metadata of the supply and vacation spot IP addresses:

{'account-id': '123456789101',
 'motion': 'ACCEPT',
 'az-id': 'use1-az2',
 'bytes': '7251',
 'dstaddr': '10.10.10.10',
 'dstport': '52942',
 'finish': '1661285182',
 'flow-direction': 'ingress',
 'instance-id': 'i-123456789',
 'interface-id': 'eni-0123a456b789d',
 'log-status': 'OK',
 'packets': '25',
 'pkt-dst-aws-service': '-',
 'pkt-dstaddr': '10.10.10.11',
 'pkt-src-aws-service': 'AMAZON',
 'pkt-srcaddr': '52.52.52.152',
 'protocol': '6',
 'area': 'us-east-1',
 'srcaddr': '52.52.52.152',
 'srcport': '443',
 'begin': '1661285124',
 'sublocation-id': '-',
 'sublocation-type': '-',
 'subnet-id': 'subnet-01eb23eb4fe5c6bd7',
 'tcp-flags': '19',
 'traffic-path': '-',
 'sort': 'IPv4',
 'model': '5',
 'vpc-id': 'vpc-0123a456b789d',
 'src-tag-Title': 'test-traffic-ec2-1', 'src-tag-project': ‘Log Analytics’, 'src-tag-team': 'Engineering', 'dst-tag-Title': 'test-traffic-ec2-1', 'dst-tag-project': ‘Log Analytics’, 'dst-tag-team': 'Engineering', 'dst-vpc-id': 'vpc-0bf974690f763100d', 'dst-az-id': 'us-east-1a', 'dst-subnet-id': 'subnet-01eb23eb4fe5c6bd7', 'dst-interface-id': 'eni-01eb23eb4fe5c6bd7', 'dst-instance-id': 'i-06be6f86af0353293'}

Create an Athena database and AWS Glue crawler

Now that you’ve got enriched the VPC movement logs and saved them in Amazon S3, the following step is to create the Athena database and desk to question the info. You first create an AWS Glue crawler to deduce the schema from the log recordsdata in Amazon S3.

1. On the AWS Glue console, select Crawlers within the navigation pane.
2. Select Create crawler.

3. For Title¸ enter a reputation for the crawler.
4. For Description, enter an non-obligatory description.
5. Select Subsequent.

6. Select Add a knowledge supply.
7. For Information supply¸ select S3.
8. For S3 path, present the trail of the movement logs bucket.
9. Choose Crawl all sub-folders.
10. Select Add an S3 knowledge supply.

11. Select Subsequent.

12. Select Create new IAM function.
13. Enter a job identify.
14. Select Subsequent.

15. Select Add database.
16. For Title, enter a database identify.
17. For Description, enter an non-obligatory description.
18. Select Create database.

19. On the earlier tab for the AWS Glue crawler setup, for Goal database, select the newly created database.
20. Select Subsequent.

21. Evaluate the configuration and select Create crawler.

22. On the Crawlers web page, choose the crawler you created and select Run.

You possibly can rerun this crawler when new tags are added to your AWS sources, in order that they’re obtainable so that you can question from the Athena database.

Run Athena queries

Now you’re prepared to question the enriched VPC movement logs from Athena.

1. On the Athena console, open the question editor.
2. For Database, select the database you created.
3. Enter the question as proven within the following screenshot and select Run.

The next code exhibits among the pattern queries you’ll be able to run:

Choose * from awslogs the place "dst-az-id"='us-east-1a'
Choose * from awslogs the place "src-tag-project"='Log Analytics' or "dst-tag-team"='Engineering' 
Choose "srcaddr", "srcport", "dstaddr", "dstport", "area", "az-id", "dst-az-id", "flow-direction" from awslogs the place "az-id"='use1-az2' and "dst-az-id"='us-east-1a'

The next screenshot exhibits an instance question results of the supply Availability Zone to the vacation spot Availability Zone site visitors.

You can even visualize varied charts for the movement logs saved within the S3 bucket through QuickSight. For extra data, confer with Analyzing VPC Move Logs utilizing Amazon Athena, and Amazon QuickSight.

Pricing

For pricing particulars, confer with Amazon Kinesis Information Firehose pricing.

Clear up

To scrub up your sources, full the next steps:

1. Delete the Kinesis Information Firehose supply stream and related IAM function and insurance policies.
2. Delete the goal S3 bucket.
3. Delete the VPC movement log subscription.
4. Delete the Lambda operate and related IAM function and coverage.

Conclusion

This submit offered a whole serverless answer structure for enriching VPC movement log data with further data like useful resource tags utilizing a Kinesis Information Firehose supply stream and Lambda operate to course of logs to counterpoint with metadata and retailer in a goal S3 file. This answer can assist you question, analyze, and visualize VPC movement logs with related software metadata as a result of useful resource tags have been assigned to sources which might be obtainable within the logs. This significant data related to every log document wherever the tags can be found makes it straightforward to affiliate log data to your software.

We encourage you to comply with the steps offered on this submit to create a supply stream, combine together with your VPC movement logs, and create a Lambda operate to counterpoint the movement log data with further metadata to extra simply perceive and analyze site visitors patterns in your atmosphere.

In regards to the Authors

Chaitanya Shah is a Sr. Technical Account Supervisor with AWS, based mostly out of New York. He has over 22 years of expertise working with enterprise prospects. He likes to code and actively contributes to AWS options labs to assist prospects remedy complicated issues. He supplies steering to AWS prospects on finest practices for his or her AWS Cloud migrations. He’s additionally specialised in AWS knowledge switch and within the knowledge and analytics area.

Vaibhav Katkade is a Senior Product Supervisor within the Amazon VPC group. He’s all in favour of areas of community safety and cloud networking operations. Exterior of labor, he enjoys cooking and the outside.