VPC Flow Logs

You can see the traffic into and out of, and in, your Amazon Virtual Private Cloud (AWSClosed Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. VPC) in CloudGuard. You can select traffic for any of your VPCs and then filter for specific flow items of interest. CloudGuard extracts this information from the cloud platform and enriches it with contextual information, such as source and target names if they are labeled. You can export the displayed information to a file.

In addition, you can see VPC flows from the Configuration Explorer (see Configuration Explorer).

Note - Configuration Explorer is available for AWS VPCs only.

Benefits

  • Console view of all VPC networks and flows on all cloud providers, all accounts, and regions.

  • See flow in network context (in Configuration Explorer, for AWS only).

  • Variety of filter and search options to narrow the scope, and look for specific flows of interest.

Use Cases

Here are some typical use cases for viewing VPC Flow Logs:

Actions

Your AWS environment must be configured for VPC Flow Logs to view them on the CloudGuard portal. This is done on the AWS console, in the VPC Dashboard.

  1. Create a VPC flow log on AWS for our VPC. Follow the steps described in https://aws.amazon.com/blogs/aws/vpc-flow-logs-log-and-view-network-traffic-flows/ to enable Flow Logs for a specific VPC. This step must be done for each VPC for which you wish to view flow logs.

    Set the filter on the flow logs to capture all traffic for Accepted and Rejected.

  2. Enable the IAM policy for the CloudGuard user on AWS (this is applicable for AWS for accounts that were added before September 2015). On the AWS console, select the IAMClosed Identity and Access Management (IAM) - A web service that customers can use to manage users and user permissions within their organizations. Dashboard.

    1. In the AWS IAM Dashboard, select Roles (on the left) and select the CloudGuard-Connect role.

    2. Check that the CloudGuard-readonly-policy appears in the Permissions tab for this role. If the role or the policy do not appear, the AWS account has not been fully onboarded to CloudGuard - check or repeat the procedure in Unified Onboarding of AWS Environments.

View flows for any of your VPCs, in any of your cloud accounts.

  1. Select the VPC (account, region, assets), and the period (back from the present time, or click the Custom Date link to select a specific date & time).

  2. A list of entries for the selected VPC is shown. Each entry represents a flow.

  3. Put the cursor over an entry for more details.

    These are the filter options:

    Icon

    Action

    Show IP address

    Show the geolocation, hostname, and network, of the host

    Filter for this value

    Not this value (for example, other than)

You can filter the flow list to show entries of interest. The filter options are at the top of the list

Filter options:

  • Select the VPC & instance - This is the primary filter.

  • Select specific values for one of the columns (click on the terms, or enter as free text).

  • Add terms to build up the filter. As you add terms, the list of flows is incrementally filtered (the result is the AND of all selections):

  • Filter on a specific value(s) of a field: press the filter icon next to the value to filter for entries with this value.