Use Cases
- Enables you to capture information about the traffic going to and from network interfaces in the VPC
- Log data is stored using CloudWatch Logs
- Flow logs can be created at 3 levels: VPC, subnet, network interface

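To show what "information about the traffic" looks like once it reaches CloudWatch Logs, here is an added example (not part of the original notes) that parses a few constructed flow log records and summarises accepted and rejected traffic per network interface. It assumes the default version 2 record layout (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) and that records with a log-status of NODATA or SKIPDATA carry "-" in the traffic fields; the interface ids, addresses and counters are made up.

```python
"""Summarise VPC Flow Log records as delivered to CloudWatch Logs.

Added example: the record layout below is the default (version 2) format;
every sample record is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field order of the default flow log record format (assumption: version 2).
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: Optional[str]
    dstaddr: Optional[str]
    dstport: Optional[int]
    protocol: Optional[int]
    packets: int
    bytes: int
    action: Optional[str]   # ACCEPT, REJECT, or None for NODATA/SKIPDATA
    log_status: str         # OK, NODATA, SKIPDATA


def parse_record(line: str) -> FlowRecord:
    """Split one space-separated record; '-' means the field is absent."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))

    def opt_int(v: str) -> Optional[int]:
        return None if v == "-" else int(v)

    def opt_str(v: str) -> Optional[str]:
        return None if v == "-" else v

    return FlowRecord(
        interface_id=rec["interface_id"],
        srcaddr=opt_str(rec["srcaddr"]),
        dstaddr=opt_str(rec["dstaddr"]),
        dstport=opt_int(rec["dstport"]),
        protocol=opt_int(rec["protocol"]),
        packets=opt_int(rec["packets"]) or 0,
        bytes=opt_int(rec["bytes"]) or 0,
        action=opt_str(rec["action"]),
        log_status=rec["log_status"],
    )


def summarise(lines: List[str]) -> Dict[str, dict]:
    """Per interface: accepted bytes, rejected flows/bytes, rejected
    destination ports, and how many records carried no traffic data."""
    out: Dict[str, dict] = defaultdict(lambda: {
        "accepted_bytes": 0, "rejected_flows": 0, "rejected_bytes": 0,
        "rejected_dst_ports": set(), "nodata_records": 0})
    for line in lines:
        if not line.strip():
            continue
        r = parse_record(line)
        s = out[r.interface_id]
        if r.log_status != "OK":
            s["nodata_records"] += 1       # NODATA/SKIPDATA: nothing to sum
            continue
        if r.action == "ACCEPT":
            s["accepted_bytes"] += r.bytes
        elif r.action == "REJECT":
            s["rejected_flows"] += 1
            s["rejected_bytes"] += r.bytes
            if r.dstport is not None:
                s["rejected_dst_ports"].add(r.dstport)
    # Make the port sets deterministic for reporting and testing.
    for s in out.values():
        s["rejected_dst_ports"] = sorted(s["rejected_dst_ports"])
    return dict(out)


# Constructed sample records (account id, ENIs, addresses and counters are made up).
SAMPLE_LOG = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49152 443 6 12 3456 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 51234 22 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 51235 3389 6 2 120 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0f9e8d7c 10.0.2.20 10.0.1.10 443 49152 6 10 8000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0f9e8d7c - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    for eni, stats in summarise(SAMPLE_LOG).items():
        print(eni, stats)
```

Because the flow log captures the security-group / network ACL decision as the `action` field, the rejected-port list per interface is a quick way to see which blocked destinations an address keeps probing without touching the instance itself.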
Limitations
- Not possible to enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account
- You cannot tag a flow log
- After you've created a flow log, you cannot change its configuration (e.g., you cannot associate a different IAM role with the flow log)

Not all traffic is monitored
- Traffic generated by instances when they contact the Amazon DNS server (DNS traffic is logged if you use your own DNS server)
- Traffic generated by a Windows instance for Amazon Windows license activation
- Traffic to and from 169.254.169.254 for instance metadata
- DHCP traffic
- Traffic to the reserved IP address for the default VPC router