Flow Log Types
ThousandEyes Cloud Insights provides you with critical visibility into your Amazon Web Services (AWS) and Microsoft Azure cloud environments by capturing key network telemetry and inventory data. For AWS, ThousandEyes also collects detailed flow logs from Virtual Private Clouds (VPCs) and from Transit Gateways — enabling comprehensive monitoring of network traffic within and across AWS environments. While both capture network flow information, they offer distinct perspectives crucial for managing different layers of your cloud infrastructure.
When leveraged within the ThousandEyes platform, these flow logs empower you to proactively monitor, efficiently debug, and ensure the robust connectivity of your cloud and hybrid-cloud architectures.
In the remainder of this article, we explain what VPC and Transit Gateway flow logs are, highlight their key differences, outline how you can use them in ThousandEyes, and provide troubleshooting workflow examples demonstrating their value within the platform.
Understanding VPC Flow Logs
An Amazon VPC is a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. A VPC gives you complete control over your virtual networking environment, including your own IP address range, the creation of subnets, and the configuration of route tables and network gateways.
Key components and concepts within a VPC include:
Subnets: Divisions of your VPC's IP address range, allowing you to segment your network.
Route Tables: Control where network traffic from your subnets is directed.
Security Groups: Act as virtual firewalls for Elastic Compute Cloud (EC2) instances to control inbound and outbound traffic at the instance level.
Network Access Control Lists (NACLs): Optional layer of security that acts as a firewall for controlling traffic in and out of one or more subnets.
Internet Gateway: Enables communication between your VPC and the internet.
Virtual Private Gateway: Connects your VPC to your on-premises network over a VPN tunnel.
VPC flow logs in ThousandEyes are a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Through the Cloud Insights flow logs integration, ThousandEyes is able to securely access the following data in your AWS account for analysis:
Generation Points: VPC flow logs can be created and sent to ThousandEyes for an entire VPC, a specific subnet, or an individual Elastic Network Interface (ENI). The ENI level provides the most granular view of traffic.
Information Captured: For each flow log record, ThousandEyes captures detailed metadata about the network traffic, including:
Source and destination IP addresses and ports.
Protocol (TCP, UDP).
Number of bytes and packets transferred.
Start and end time of the flow.
The ACTION field, indicating whether the traffic was ACCEPTed or REJECTed by security groups or NACLs.
Traffic direction (ingress or egress).
Purpose: VPC flow logs are ideal for deep-diving into traffic patterns within a single VPC, diagnosing connectivity issues between instances, identifying unauthorized access attempts, and are especially useful for detailed security audits at the instance level. For example, they are critical for identifying issues like misconfigured security groups or NACLs that are REJECTing legitimate traffic, or pinpointing which applications are consuming the most bandwidth within a VPC.
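The REJECT triage described above can be reproduced offline against raw VPC flow log records. The following is an added example (not ThousandEyes code and not part of the original article) that parses default-format (version 2) VPC flow log records, skips NODATA and SKIPDATA records whose traffic fields are "-", and groups REJECTed flows by source, destination, destination port and protocol so that a repeatedly blocked src-to-dst:port pair (the signature of a misconfigured security group or NACL) stands out. The log lines, account ID and ENI IDs are constructed sample data.

```python
from collections import defaultdict

# Field order of the default (version 2) VPC flow log record, space-separated.
VPC_FIELDS = [
    "version", "account-id", "interface-id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log-status",
]

# IANA protocol numbers as they appear in the "protocol" field.
PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}

# Constructed sample: an app server (10.0.1.25) repeatedly REJECTed when reaching
# a database (10.0.2.40) on 5432, one ACCEPTed SSH flow, one blocked inbound RDP
# probe, and two records that carry no traffic data (NODATA / SKIPDATA).
SAMPLE_VPC_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 10.0.2.40 49152 5432 6 3 180 1718000000 1718000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 10.0.2.40 49153 5432 6 3 180 1718000060 1718000120 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60002 10.0.1.25 10.0.2.40 49154 5432 6 2 120 1718000120 1718000180 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 10.0.2.40 49155 22 6 12 2048 1718000000 1718000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.7 10.0.1.25 51000 3389 6 1 40 1718000000 1718000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60003 - - - - - - - 1718000000 1718000060 - NODATA
2 123456789012 eni-0a1b2c3d4e5f60003 - - - - - - - 1718000060 1718000120 - SKIPDATA
"""


def parse_vpc_record(line):
    """Parse one default-format record into a dict.

    Returns None for malformed lines and for NODATA/SKIPDATA records, whose
    traffic fields are "-" and must not be counted as flows.
    """
    parts = line.split()
    if len(parts) != len(VPC_FIELDS):
        return None
    rec = dict(zip(VPC_FIELDS, parts))
    if rec["log-status"] != "OK":
        return None
    for key in ("srcport", "dstport", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def summarize_rejects(log_text):
    """Group REJECTed flows by (src, dst, dstport, protocol).

    Each group carries the flow count, packet/byte totals and the ENIs on which
    the rejects were seen; the list is sorted with the most repeated reject first.
    """
    groups = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0, "interfaces": set()})
    for line in log_text.splitlines():
        rec = parse_vpc_record(line)
        if rec is None or rec["action"] != "REJECT":
            continue
        proto = PROTO_NAMES.get(rec["protocol"], rec["protocol"])
        group = groups[(rec["srcaddr"], rec["dstaddr"], rec["dstport"], proto)]
        group["flows"] += 1
        group["packets"] += rec["packets"]
        group["bytes"] += rec["bytes"]
        group["interfaces"].add(rec["interface-id"])
    summary = [
        {"src": src, "dst": dst, "dstport": port, "proto": proto,
         "flows": g["flows"], "packets": g["packets"], "bytes": g["bytes"],
         "interfaces": sorted(g["interfaces"])}
        for (src, dst, port, proto), g in groups.items()
    ]
    summary.sort(key=lambda s: (-s["flows"], s["src"], s["dst"], s["dstport"]))
    return summary


if __name__ == "__main__":
    for row in summarize_rejects(SAMPLE_VPC_LOG):
        print(f'{row["src"]:>15} -> {row["dst"]:<15} {row["proto"]}/{row["dstport"]:<5} '
              f'rejected flows={row["flows"]} packets={row["packets"]} '
              f'on {",".join(row["interfaces"])}')
```

Run as a script, the report lists the 10.0.1.25 -> 10.0.2.40 TCP/5432 rejects first (three flows across two ENIs), which points directly at the rule set in front of the database, while the single inbound 3389 reject is the expected behaviour of a deny rule and needs no action.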
Understanding Transit Gateway Flow Logs
An AWS Transit Gateway acts as a central network transit hub, simplifying the way you connect your VPCs, on-premises networks, and other AWS accounts. Instead of creating numerous peer-to-peer connections, a Transit Gateway allows all your networks to connect to a single gateway, which then routes traffic between them. It functions like a Layer 3 router, forwarding network packets based on routing decisions.
Key components and concepts related to Transit Gateway include:
Router Functionality: The Transit Gateway is the central routing element, connecting various network entities.
Attachment Points: The links that connect different entities to the Transit Gateway are called "attachments," and the point where a link touches the Transit Gateway is called an "attachment point." Attachments can include:
VPC Attachments: Connecting individual Amazon VPCs.
VPN Attachments: Connecting your on-premises data centers to the AWS cloud via a Virtual Private Network.
Direct Connect Attachments: Providing a dedicated, private network connection from your premises to AWS.
Peering Attachments: Connecting Transit Gateways across different AWS regions, enabling global network connectivity.
As with VPC flow logs, your Cloud Insights flow logs integration grants you access to the following data in your AWS account:
Generation Points: Transit Gateway flow logs are generated at the above attachment points. They provide detailed information about the network traffic that traverses the Transit Gateway itself.
Information Captured: Each flow log record captures details such as:
Source and destination endpoints (such as EC2 instances).
The specific attachments through which the traffic entered and exited the Transit Gateway.
Traffic volume (bytes and packets).
Crucially, Transit Gateway flow logs identify dropped packets within the Transit Gateway, indicating routing or configuration issues.
Purpose: By centralizing traffic visibility across all connected networks, Transit Gateway flow logs offer a comprehensive, high-level picture of your cloud network's performance and health, particularly for inter-VPC and hybrid cloud traffic.
Transit Gateway flow logs are essential for diagnosing complex routing problems across your multi-VPC or hybrid cloud environment, particularly through their unique ability to detect and categorize dropped packets within the Transit Gateway.
For organizations with extensive cross-region traffic, Transit Gateway flow logs can help monitor data transfer costs associated with peering attachments, allowing for proactive cost optimization and alert configuration.
Choosing the Right Tool
While both types of flow logs provide valuable network insights, they serve distinct purposes and offer different levels of granularity. Understanding these differences is key to effective network monitoring and troubleshooting.
Scope of View
VPC flow logs: Traffic within a single VPC or between a VPC and an external connection (e.g., Internet Gateway, VPN, Transit Gateway attachment).
Transit Gateway flow logs: Traffic traversing the Transit Gateway, between multiple VPCs, VPNs, Direct Connects, and peered Transit Gateways.
Data Granularity
VPC flow logs: High volume of data, showing every flow segment within or exiting a VPC, often at the ENI level.
Transit Gateway flow logs: More aggregated view, focusing on traffic between attachments and within the Transit Gateway.
Dropped Packets
VPC flow logs: Indicates REJECT actions (traffic explicitly denied by security groups or network ACLs). Does not show packets dropped by the routing fabric itself.
Transit Gateway flow logs: Shows DROPPED packets (packets discarded by the Transit Gateway due to routing issues, black holes, or other internal routing failures). This is a unique and critical metric.
Network Path
VPC flow logs: Typically shows a two-point flow (source to destination within VPC, or VPC to external gateway).
Transit Gateway flow logs: Shows a multi-point flow (source endpoint > attachment A > Transit Gateway > attachment B > destination endpoint).
Primary Use Case
VPC flow logs: Detailed per-instance or per-interface traffic analysis, security auditing within a VPC, troubleshooting internal VPC connectivity.
Transit Gateway flow logs: High-level network overview, inter-VPC/on-premises connectivity monitoring, and troubleshooting routing issues within the Transit Gateway.
In summary:
Use VPC flow logs when you need granular details about traffic within a specific VPC, to understand how individual instances are communicating, or to debug security group/NACL configurations.
Use Transit Gateway flow logs when you need to understand traffic patterns between different VPCs, between your cloud and on-premises networks, or to diagnose routing issues at the central hub of your cloud network.
Why Choose Both
For a complete picture of your cloud network, many organizations leverage both types of flow logs, using each for its specialized insights. Both VPC and Transit Gateway flow logs contribute to a holistic understanding of your network. VPC flow logs provide the internal details of your virtual networks, while Transit Gateway flow logs offer the overarching view of inter-network communication. Analyzing traffic volumes captured by both types of flow logs also helps in understanding network utilization trends, enabling better capacity planning for future growth and ensuring optimal resource allocation.
Troubleshooting Workflows
ThousandEyes provides a unified platform to leverage both VPC and Transit Gateway flow logs for efficient network troubleshooting. When an issue arises, the first step is to determine its scope. For problems isolated within a single VPC, such as an application failing to connect to a database, you'd typically start by analyzing VPC flow logs in ThousandEyes. Here, you can quickly identify REJECT actions, indicating misconfigured security groups or network ACLs blocking traffic between specific instances, allowing you to pinpoint and rectify internal VPC connectivity issues.
For issues spanning multiple VPCs, hybrid cloud connections, or general inter-network communication, Transit Gateway flow logs are essential. Within ThousandEyes, you can begin with a high-level overview of your Transit Gateway, immediately spotting attachments with unusual traffic patterns or, critically, dropped packets. From there, you can filter by problematic "local" attachments, then drill down to specific source and destination IP addresses to understand which endpoints are involved and why packets are being dropped (for example, due to routing black holes). This top-down approach, leveraging the distinct REJECT and DROP metrics from each flow log type, enables rapid diagnosis and resolution of complex cloud network problems.
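The top-down Transit Gateway workflow (overview by attachment, then drill-down to the endpoints behind the drops) can be scripted against raw Transit Gateway flow log records. The following is an added example, not ThousandEyes code and not part of the original article. It assumes a custom Transit Gateway flow log format that selects the fields listed in TGW_FIELDS (the AWS field names for the four packet-loss counters are used, but the selection and order are this example's own choice), and the log lines, Transit Gateway ID and attachment IDs are constructed sample data in which one VPC attachment forwards into a blackholed route and another has no route to an on-premises prefix.

```python
from collections import defaultdict

# Assumed custom Transit Gateway flow log format: the fields chosen when the log
# is enabled, in this order, space-separated. Field names follow the AWS
# Transit Gateway flow log field set; the selection is this example's own.
TGW_FIELDS = [
    "tgw-id", "tgw-attachment-id", "tgw-pair-attachment-id",
    "srcaddr", "dstaddr", "dstport", "protocol", "packets", "bytes",
    "packets-lost-no-route", "packets-lost-blackhole",
    "packets-lost-mtu-exceeded", "packets-lost-ttl-expired", "log-status",
]
# Loss counter field -> short reason label used in the reports.
LOSS_FIELDS = {
    "packets-lost-no-route": "no-route",
    "packets-lost-blackhole": "blackhole",
    "packets-lost-mtu-exceeded": "mtu-exceeded",
    "packets-lost-ttl-expired": "ttl-expired",
}
PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}

# Constructed sample. Attachment ...0001 is the app VPC, ...0002 a second VPC.
# Traffic from ...0001 to 10.2.0.0/16 hits a blackhole route, and ...0002 has no
# route to the on-premises prefix 192.168.50.0/24. The last record is NODATA.
SAMPLE_TGW_LOG = """\
tgw-0123456789abcdef0 tgw-attach-0a1b2c3d4e5f60001 tgw-attach-0a1b2c3d4e5f60002 10.0.1.25 10.1.5.80 443 6 40 52000 0 0 0 0 OK
tgw-0123456789abcdef0 tgw-attach-0a1b2c3d4e5f60001 - 10.0.1.25 10.2.9.15 5432 6 5 300 0 5 0 0 OK
tgw-0123456789abcdef0 tgw-attach-0a1b2c3d4e5f60001 - 10.0.1.26 10.2.9.15 5432 6 3 180 0 3 0 0 OK
tgw-0123456789abcdef0 tgw-attach-0a1b2c3d4e5f60002 - 10.1.5.80 192.168.50.4 8080 6 2 120 2 0 0 0 OK
tgw-0123456789abcdef0 tgw-attach-0a1b2c3d4e5f60002 tgw-attach-0a1b2c3d4e5f60001 10.1.5.80 10.0.1.25 49152 6 38 60000 0 0 0 0 OK
tgw-0123456789abcdef0 tgw-attach-0a1b2c3d4e5f60003 - - - - - - - - - - - NODATA
"""


def parse_tgw_record(line):
    """Parse one record; None for malformed lines or records without traffic data."""
    parts = line.split()
    if len(parts) != len(TGW_FIELDS):
        return None
    rec = dict(zip(TGW_FIELDS, parts))
    if rec["log-status"] != "OK":
        return None
    for key in ("dstport", "packets", "bytes", *LOSS_FIELDS):
        rec[key] = int(rec[key])
    return rec


def attachment_overview(log_text):
    """Step 1: per ingress ("local") attachment, total traffic and drops by reason."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0,
                                 "dropped": dict.fromkeys(LOSS_FIELDS.values(), 0)})
    for line in log_text.splitlines():
        rec = parse_tgw_record(line)
        if rec is None:
            continue
        st = stats[rec["tgw-attachment-id"]]
        st["packets"] += rec["packets"]
        st["bytes"] += rec["bytes"]
        for field, reason in LOSS_FIELDS.items():
            st["dropped"][reason] += rec[field]
    overview = [{"attachment": att, **st, "drop_total": sum(st["dropped"].values())}
                for att, st in stats.items()]
    overview.sort(key=lambda o: (-o["drop_total"], o["attachment"]))
    return overview


def drilldown(log_text, attachment_id):
    """Step 2: for one attachment, the src->dst:port pairs losing packets and why."""
    pairs = defaultdict(lambda: {"packets": 0, "dropped": dict.fromkeys(LOSS_FIELDS.values(), 0)})
    for line in log_text.splitlines():
        rec = parse_tgw_record(line)
        if rec is None or rec["tgw-attachment-id"] != attachment_id:
            continue
        proto = PROTO_NAMES.get(rec["protocol"], rec["protocol"])
        p = pairs[(rec["srcaddr"], rec["dstaddr"], rec["dstport"], proto)]
        p["packets"] += rec["packets"]
        for field, reason in LOSS_FIELDS.items():
            p["dropped"][reason] += rec[field]
    result = []
    for (src, dst, port, proto), p in pairs.items():
        total = sum(p["dropped"].values())
        if total == 0:
            continue  # healthy pair, not part of the drop investigation
        reasons = sorted(r for r, n in p["dropped"].items() if n)
        result.append({"src": src, "dst": dst, "dstport": port, "proto": proto,
                       "packets": p["packets"], "dropped": total, "reasons": reasons})
    result.sort(key=lambda r: (-r["dropped"], r["src"], r["dst"]))
    return result


if __name__ == "__main__":
    overview = attachment_overview(SAMPLE_TGW_LOG)
    for o in overview:
        print(f'{o["attachment"]} packets={o["packets"]} dropped={o["drop_total"]} {o["dropped"]}')
    worst = overview[0]["attachment"]
    for r in drilldown(SAMPLE_TGW_LOG, worst):
        print(f'  {r["src"]} -> {r["dst"]}:{r["dstport"]}/{r["proto"]} dropped={r["dropped"]} reasons={r["reasons"]}')
```

The overview ranks attachments by dropped packets, which mirrors the first screen of the workflow; the drill-down on the worst attachment then shows that every lost packet is a blackhole drop toward 10.2.9.15:5432, so the fix is the Transit Gateway route for that prefix rather than anything in the source VPC. A no-route drop on the second attachment points instead at a missing route toward the on-premises network.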