Tag Archives: flow logs

Some AWS Virtual Private Cloud (VPC) Components to Review for Sol. Arch.

Solutions Architect

Here are some key VPC components I would like you to review for the Solutions Architect – Associate certification (2018 edition).

VPC Endpoint

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.

There are two types of VPC endpoints – interface and gateway VPC endpoints. The interface type (powered by AWS PrivateLink) is an elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported service. The gateway type is a target for a specified route in your route table, used for traffic destined to a supported AWS service.

Examples of services supported for the VPN interface endpoint type are:

  • EC2 API
  • EC2 Systems Manager
  • Kinesis Data Streams
  • AWS Key Management Service
  • AWS Service Catalog
  • Elastic Load Balancing API
  • Endpoint services hosted by other AWS accounts

Examples of services supported for the VPN gateway endpoint type are:

  • S3
  • DynamoDB

Keep in mind that by default, IAM users do not have permission to work with endpoints. You can create an IAM user policy that grants users the permissions to create, modify, describe, and delete endpoints.

VPC Flow Logs

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs. After you have created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs.

Flow logs can help you with a number of tasks; for example, to troubleshoot why specific traffic is not reaching an instance, which in turn helps you diagnose overly restrictive security group rules. You can also use flow logs as a security tool to monitor the traffic that is reaching your instance.

There is no additional charge for using flow logs; however, standard CloudWatch Logs charges apply.