VPC Flow Logs


You can see the traffic into and out of, and within, your AWS VPCs on the CloudGuard console. You can select traffic for any of your VPCs, and then filter for specific flow items of interest. CloudGuard extracts this information from the cloud platform, and enriches it with contextual information such as source and target names (if they are labelled).

The displayed information can also be exported to a file.

VPC flows can also be seen from the Clarity view (see Clarity ).

Note: This feature is available for AWS VPCs only.

Benefits

  • console view of all VPC network & flows (on all cloud providers, all accounts, regions)

  • view of flow within network context (in Clarity, for AWS only)

  • variety of filters/search to narrow the scope, look for specific flows of interest

Use-cases

Here are some typical use-cases for viewing VPC flow logs:

  • investigate incidents, using network traffic in the VPC

  • filter traffic for specific network elements

Actions

Your AWS cloud account must be configured for VPC flow logs in order to view them on the CloudGuard console. This is done on the AWS console, in the VPC Dashboard.

  1. Create a VPC flow log on AWS for our VPC. Follow the steps described in https://aws.amazon.com/blogs/aws/vpc-flow-logs-log-and-view-network-traffic-flows/ to enable flow logs for a specific VPC. This step must be done for each VPC for which you wish to view flow logs.

    Set the filter on the flow logs to capture all traffic, both Accepted and Rejected.

  2. Enable the IAM policy for the CloudGuard user on AWS(this is relevant for AWS for accounts that were added before Sep-2015). On the AWS console, select the IAM Dashboard.

    1. In the AWS IAM Dashboard, select Roles (on the left), and select the Dome9-Connect role.

    2. Check that the dome9-readonly-policy appears in the Permissions tab for this role. If either the role or the policy do not appear, the AWS account has not been completely onboarded to CloudGuard - check or repeat the procedure in Onboard an AWS Account.

View flows for any of your VPCs, in any of your cloud accounts.

  1. Select the VPC (account, region, assets), and the time period (back from present time, or click the CUSTOM DATE link to select specific date & time).

  2. A list of entries for the selected VPC is shown. Each entry represents a flow.

  3. Hover over an entry for additional details.

    These are the filter options:

    Icon

    Action

    show IP address

    show geolocation, hostname, and network, of the host

    filter for this value

    not this value (i.e., other than)

You can filter the flow list to show entries of interest. The filter options are at the top of the list

Filter options:

  • Select the VPC & instance - this is the primary filter

  • Select specific values for one of the columns (click on the terms, or enter as free text)

  • Add terms to build up the filter. As you add terms, the list of flows is incrementally filtered (the result is the AND of all selections):

  • Filter on specific value(s) of a field: press next to the value to filter for entries with this value

See also

Onboard an AWS Account

Clarity