
VPC flow logs


In this group of lectures we run a hands-on deployment of the next iteration of the Pizza Time solution. The Pizza Time business has been a success. It needs to support more customers and wants to expand to meet a global market.

We define our new solution, then walk through a hands-on deployment that extends our scalability, availability and fault tolerance.


Hi and welcome to this lecture.

In this lecture, we'll talk about VPC flow logs. We will have a super fast overview about what flow logs are, and then we will go to the AWS Console and learn how to enable VPC flow logs.

So, VPC flow logs enable you to capture information about the IP traffic going to and from network interfaces in your VPC. So, it is a way to log packets that are passing through your VPC. So if you have any request that was denied or accepted for an instance inside your VPC, we will know about that particular request. It is great for troubleshooting and security purposes because you can check, for example, if your security groups or network ACLs are working as expected. You can check if an internal firewall is working as expected. And, you can also check whether there is some suspicious or malicious traffic coming to your VPC.

The logs are going to be stored on CloudWatch Logs. You can use, for example, the AWS CLI or some other SDK to consume those logs. You can parse them in an application and do all sorts of stuff with the AWS API. Let's go to the AWS Console and learn how to enable VPC flow logs.

So here on the AWS Console, let's click on VPC. And here in the VPC Console, we want to select our VPCs. So, I'll click in here and select our Pizza Time VPC. Go on Actions, and select Create Flow Log. And in here, we can create a filter for the packets that we are going to monitor. In this case, I will use All. And, we need to create an IAM Role. This IAM Role needs to have access to CloudWatch Logs. Since I don't have any specific role for that, I will click in here, Set Up Permissions. And, we can very quickly create a new IAM Role. So, I will call it vpc flow logs role. And, I will click on Allow.

And very fast, we have a new IAM Role configured. So, we can go back in here and select our vpc flow logs role. And in here, we also need to specify a Destination Log Group inside CloudWatch Logs. If you don't have one already, you can specify a name and this Wizard will create a new log group for us. So, I'll call it pizza time vpc logs. And, simply click on Create Flow Log.

Now if you take a look in here, we can see that we have a new VPC flow log configured and active. So, we can start sending requests to the instance, and later on, check the results on CloudWatch Logs. I will stop the video, make a few requests on my EC2 instances, and then I will get back, just to show you the results on the CloudWatch Logs Console.

So, I did a few requests in our Pizza Time application. And now, we can check the results in the CloudWatch Logs Page. We have two ways of checking the logs. We could simply go in here in Services, access the CloudWatch Service, and go in Logs, select the Log Group and see the logs. So, Logs, the pizza time vpc logs. Or, we can simply select our VPC in here, go on Flow Logs, and click on the VPC Flow Logs. It's the same page, so no matter what path you choose, you end up in the same place.

And in here, we have a log stream for each network interface inside our VPC. And if you take a better look inside those log streams, we can see a few requests have been made in here. And, we see the results in here, and we have some other information about the request itself.
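As an added example (not part of the lecture or the course material), this is one way to parse the records found in those log streams and check what the security groups and network ACLs rejected. It assumes the default flow log record format (version 2); the account ID, interface ID and addresses in the sample are constructed placeholders.

```python
from collections import Counter
from typing import Iterable, NamedTuple, Optional

# Field order of the default (version 2) flow log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

class FlowRecord(NamedTuple):
    interface_id: str
    srcaddr: str
    dstaddr: str
    dstport: int
    action: str  # ACCEPT or REJECT

def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one record; return None for NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":  # traffic fields are "-" in these records
        return None
    return FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                      int(rec["dstport"]), rec["action"])

def parse_all(lines: Iterable[str]) -> list:
    """Parse every non-blank line, dropping records that carry no flow data."""
    parsed = (parse_record(l) for l in lines if l.strip())
    return [r for r in parsed if r is not None]

def action_counts(lines: Iterable[str]) -> Counter:
    """Count ACCEPT and REJECT records per network interface."""
    return Counter((r.interface_id, r.action) for r in parse_all(lines))

def rejected_by_source(lines: Iterable[str], min_ports: int = 3) -> dict:
    """Sources rejected on at least min_ports distinct destination ports."""
    ports: dict = {}
    for r in parse_all(lines):
        if r.action == "REJECT":
            ports.setdefault(r.srcaddr, set()).add(r.dstport)
    return {s: sorted(p) for s, p in ports.items() if len(p) >= min_ports}

# Constructed sample records: documentation address ranges, placeholder IDs.
SAMPLE = """\
2 123456789012 eni-0example 198.51.100.7 10.0.1.20 49152 80 6 10 840 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0example 203.0.113.9 10.0.1.20 40001 22 6 1 40 1500000000 1500000060 REJECT OK
2 123456789012 eni-0example 203.0.113.9 10.0.1.20 40002 23 6 1 40 1500000000 1500000060 REJECT OK
2 123456789012 eni-0example 203.0.113.9 10.0.1.20 40003 3389 6 1 40 1500000000 1500000060 REJECT OK
2 123456789012 eni-0example 198.51.100.7 10.0.1.20 49153 22 6 1 40 1500000000 1500000060 REJECT OK
2 123456789012 eni-0example - - - - - - - 1500000000 1500000060 - NODATA
""".splitlines()
```

A source that is rejected on several different ports in one capture window is worth a closer look, while a single rejected port often just confirms that a security group rule is doing its job.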

About the Author
Eric Magalhães
DevOps Consultant

Eric Magalhães has a strong background as a Systems Engineer for both Windows and Linux systems and currently works as a DevOps Consultant for Embratel. Lazy by nature, he is passionate about automation and anything that can make his job painless, thus his interest in topics like coding, configuration management, containers, CI/CD and cloud computing went from a hobby to an obsession. Currently, he holds multiple AWS certifications and, as a DevOps Consultant, helps clients to understand and implement the DevOps culture in their environments. Besides that, he plays a key role in the company developing pieces of automation using tools such as Ansible, Chef, Packer, Jenkins and Docker.