Measures reported by AWSFlwLogDestTest
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC (Virtual Private Cloud).
Using flow logs, you can easily troubleshoot why specific traffic is not reaching an instance, which in turn can help diagnose overly restrictive security group rules. You can also use flow logs as a security tool to monitor the traffic that is reaching your instance, to profile your network traffic, and to look for abnormal traffic behaviors. A common use of these flow log records is to watch for abnormal and unexpected denied outbound connection requests, which could be an indication of a misconfigured or compromised EC2 instance.
To provide administrators with quick and useful insights into network traffic on VPCs, and to enable them to promptly identify and take action against abnormal traffic, the eG agent periodically reads flow logs and reports network traffic metrics. For this, the eG agent runs the following Flow Log tests:
AWSFlowLogTest
AWSFlwLogSourceTest
AWSFlwLogDestTest
The AWSFlwLogDestTest test, for instance, automatically discovers the network interfaces handling traffic on the VPCs, and reports the following for each discovered interface:
In the event of network congestion on an interface, these destination-wise statistics can help administrators accurately pinpoint which destination is probably contributing to the congestion.
If the detailed diagnostic capability of the test is enabled, then the eG agent will additionally provide deep-dive insights into the traffic by listing the top-10 flows for a destination in terms of the data transferred to it. If the traffic to a destination is abnormally high, then the detailed diagnostics will reveal:
Has the destination been receiving a large amount of data consistently or is it just a momentary spike in traffic?
Are transmissions from any particular source significantly higher than the rest? If so, which one?
How often have network policies/security groups rejected the data sent to this destination?
For the AWSFlwLogDestTest test to run, the following prerequisites should be fulfilled:
You should first create flow logs. To create a flow log, you specify the resource for which you want to create the flow log (VPC, subnet, or network interface), the type of traffic to capture (accepted traffic, rejected traffic, or all traffic), the name of a log group in CloudWatch Logs to which the flow log will be published, and the ARN of an IAM role that has sufficient permission to publish the flow log to the CloudWatch Logs log group.
After the flow logs are created, the flow data will be collected and published to the CloudWatch Logs log group that was specified during flow log creation. To enable the eG agent to read these logs, you need to make sure that the flow logs are exported to Amazon S3.
Outputs of the test: One set of results for each destination receiving traffic from every interface of a region.
First-level descriptor: AWS Region
Second-level descriptor: Interface name
Third-level descriptor: Destination IP address
The measures made by this test are as follows:
| Measurement | Description | Measurement Unit | Interpretation |
|---|---|---|---|
| Packet_trans | Indicates the number of packets transferred to this destination. | KB | Compare the value of this measure across sources to know which source is generating the maximum traffic. You can then use the detailed diagnosis of this measure to view the complete details of the top-10 flows for that destination, in terms of the amount of data transferred to it. The details include the Source IP Address, Source Port, Destination IP Address, Destination Port, Packets Transferred, Data transferred, and Log status of each flow. From the Log status, you can quickly figure out whether the traffic handled by the flow was accepted by security groups/network policies or rejected. If many flows to a destination are rejected, you may have to investigate the reasons for the same, so that you do what is necessary to minimize or completely eliminate rejections. |
| Data_trans | Indicates the amount of data transferred to this destination. | KB | Compare the value of this measure across sources to know which source is generating the maximum traffic. |
| Traffic_Data | Indicates what percentage of the total data handled by this interface was sent to this destination. | Percent | A value close to 100% for a destination indicates that almost all of the data handled by the interface was sent to that destination. By comparing the value of this measure across destinations, you can identify which destination is hogging the bandwidth resources. |
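As an added illustration (not the eG agent's own code), the following Python script computes the three measures in the table above and the top-10 flow breakdown described under detailed diagnostics from records in the default VPC Flow Log format, deriving the accepted/rejected status of each flow from the record's `action` field. The sample records, interface id and IP addresses are constructed.

```python
from collections import defaultdict
# Constructed sample records in the default VPC Flow Log format (version 2):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49152 443 6 120 180000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.11 10.0.2.20 49153 443 6 40 20000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.12 10.0.2.20 49154 22 6 5 400 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.3.30 49155 80 6 10 4600 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_records(text):
    """Yield one dict per well-formed record with log-status OK (NODATA/SKIPDATA carry no counters)."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        rec["packets"], rec["bytes"] = int(rec["packets"]), int(rec["bytes"])
        yield rec

def destination_measures(text):
    """Per (interface, destination): Packet_trans, Data_trans in KB, Traffic_Data in %, top-10 flows by bytes."""
    per_dest = defaultdict(lambda: {"packets": 0, "bytes": 0, "flows": {}})
    iface_bytes = defaultdict(int)  # total data handled by each interface (denominator of Traffic_Data)
    for rec in parse_records(text):
        d = per_dest[(rec["interface_id"], rec["dstaddr"])]
        d["packets"] += rec["packets"]
        d["bytes"] += rec["bytes"]
        iface_bytes[rec["interface_id"]] += rec["bytes"]
        flow = (rec["srcaddr"], rec["srcport"], rec["dstaddr"], rec["dstport"])  # one detailed-diagnosis row
        f = d["flows"].setdefault(flow, {"packets": 0, "bytes": 0, "rejected": False})
        f["packets"] += rec["packets"]
        f["bytes"] += rec["bytes"]
        f["rejected"] |= rec["action"] == "REJECT"
    result = {}
    for (iface, dst), d in per_dest.items():
        total = iface_bytes[iface]
        top = sorted(d["flows"].items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:10]
        result[(iface, dst)] = {
            "Packet_trans": d["packets"],
            "Data_trans": round(d["bytes"] / 1024, 2),
            "Traffic_Data": round(100.0 * d["bytes"] / total, 2) if total else 0.0,
            "top_flows": top, "rejected_flows": sum(1 for _, f in top if f["rejected"]),
        }
    return result
```

Running `destination_measures(SAMPLE_LOG)` attributes about 97.76% of the interface's data to 10.0.2.20 and flags the single rejected flow (the port 22 attempt) among its top flows.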