Networking & Content Delivery
Introducing VPC Flow Logs for Elastic Container Services
Introduction
Amazon Virtual Private Cloud (VPC) is the foundational networking construct used by customers to deploy workloads on AWS. To examine VPC traffic and gain insights into communication patterns, customers collect and analyze VPC Flow Logs, leveraging the capabilities and features AWS has continuously added since 2015. You can get started with Flow Logs by leveraging the default format, which includes the version 2 fields. You also have access to other attributes of your traffic flow through fields introduced in newer versions of Flow Logs.
An increasing number of applications are now being deployed using tasks running on Amazon Elastic Container Service (ECS). Visibility into network traffic flows is critical for monitoring, securing, and optimizing modern containerized workloads that leverage managed services like Amazon ECS. In this blog, we are introducing the latest version of VPC Flow Logs, Version 7, which gives you insight into your container workloads running on ECS through 10 new fields.
Understanding VPC Flow Logs for Elastic Container Services
As applications and network architectures evolve on AWS, visibility into traffic flows continues to expand, and VPC Flow Logs supports additional capabilities. Let’s dive into a brief history of the evolution of VPC Flow Logs:
History of Flow Logs
Version 2 (Default)
Version 2 is the default format, as shown in the following image (Figure 1).
Figure 1: VPC Flow Logs – AWS default format
To see a full list of the fields available in version 2, refer to the documentation.
Version 3
In 2019, VPC Flow Logs evolved to provide a deeper understanding of how network flows correspond to specific VPCs, subnets, and instances. This resulted in the addition of seven new fields: vpc-id, subnet-id, instance-id, tcp-flags, type, pkt-srcaddr and pkt-dstaddr.
Version 4
Continued advancements to VPC Flow Logs in 2020 allowed you to get insight into the traffic’s “location”: which Region, Availability Zone (AZ) and sublocation the traffic was coming from and destined for. This resulted in the addition of four new fields: region, az-id, sublocation-type and sublocation-id.
Version 5
In 2021, further capabilities were introduced in VPC Flow Logs that let you associate traffic flows with specific AWS services and understand flow direction and traffic path, through four new fields: pkt-src-aws-service, pkt-dst-aws-service, flow-direction and traffic-path.
Version 6
With the addition of AWS Transit Gateway (TGW) in 2018, customers started building transitive network topologies to improve connectivity between VPCs, on-premises and multi-cloud deployments. Version 6 fields allow customers to dive deeper into attributes associated specifically with network flows through TGW. Refer to this blog, which dives deeper into leveraging VPC Flow Logs for AWS Transit Gateway and the 18 new fields.
Version 7 (ECS related Fields)
With the latest version of VPC Flow Logs, customers now have access to 10 new fields which give insight into ECS traffic flow and patterns.
| Field | Description | Example |
|---|---|---|
| ecs-cluster-arn | Amazon Resource Name (ARN) of the ECS Cluster if the traffic is from a running ECS Task. To include this field in your subscription, you need permission to call ecs:ListClusters. Parquet data type: STRING | arn:aws:ecs:us-east-1:123456789012:cluster/My-ECS-Cluster |
| ecs-cluster-name | Name of the ECS Cluster if the traffic is from a running ECS Task. To include this field in your subscription, you need permission to call ecs:ListClusters. Parquet data type: STRING | My-ECS-Cluster |
| ecs-container-instance-arn | ARN of the ECS Container Instance if the traffic is from a running ECS Task on an EC2 instance. If the capacity provider is Fargate, this field will be `-`. To include this field in your subscription, you need permission to call ecs:ListClusters and ecs:ListContainerInstances. Parquet data type: STRING | arn:aws:ecs:us-east-1:123456789012:container-instance/Your-ECS-Cluster/5f56ec359d95404c9b9167aedaaa04c1 |
| ecs-container-instance-id | ID of the ECS Container Instance if the traffic is from a running ECS Task on an EC2 instance. If the capacity provider is Fargate, this field will be `-`. To include this field in your subscription, you need permission to call ecs:ListClusters and ecs:ListContainerInstances. Parquet data type: STRING | 5f56ec359d95404c9b9167aedaaa04c1 |
| ecs-container-id | Docker runtime ID of the container if the traffic is from a running ECS Task. If there are one or more containers in the ECS Task, this will be the Docker runtime ID of the first container. To include this field in your subscription, you need permission to call ecs:ListClusters. Parquet data type: STRING | 9182d01fa1f9778d007be6cca4ff90412d547a9e6786bfdb43b0d4d9491f1e57 |
| ecs-second-container-id | Docker runtime ID of the container if the traffic is from a running ECS Task. If there is more than one container in the ECS Task, this will be the Docker runtime ID of the second container. To include this field in your subscription, you need permission to call ecs:ListClusters. Parquet data type: STRING | 04ca9131a7c524a1d982e83451bb16ffdd90dd34e3a2d771cf7e50dc3ddc6e05 |
| ecs-service-name | Name of the ECS Service if the traffic is from a running ECS Task and the ECS Task is started by an ECS Service. If the ECS Task is not started by an ECS Service, this field will be `-`. To include this field in your subscription, you need permission to call ecs:ListClusters and ecs:ListServices. Parquet data type: STRING | My-ECS-Service |
| ecs-task-definition-arn | ARN of the ECS Task Definition if the traffic is from a running ECS Task. To include this field in your subscription, you need permission to call ecs:ListClusters and ecs:ListTaskDefinitions. Parquet data type: STRING | arn:aws:ecs:us-east-1:123456789012:task-definition/My-ECS-Task-Definition-Family:1 |
| ecs-task-arn | ARN of the ECS Task if the traffic is from a running ECS Task. To include this field in your subscription, you need permission to call ecs:ListClusters and ecs:ListTasks. Parquet data type: STRING | arn:aws:ecs:us-east-1:123456789012:task/My-ECS-Cluster/57caaed710be4d309ca169f4eb2da8f5 |
| ecs-task-id | ID of the ECS Task if the traffic is from a running ECS Task. To include this field in your subscription, you need permission to call ecs:ListClusters and ecs:ListTasks. Parquet data type: STRING | 57caaed710be4d309ca169f4eb2da8f5 |
Sample Architecture
Let’s consider a typical web application workload deployed on ECS. An end user accesses the workload via an internet-facing Application Load Balancer (ALB), which distributes the load to an ECS service using the EC2 launch type; that service in turn calls another service using the Fargate launch type. A NAT gateway (NATGW) allows any outgoing access to the internet.
Figure 2: Typical ECS workload
Based on the preceding architecture diagram (Figure 2), let’s dive into an example from a flow log entry with the following format:
${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status} ${ecs-task-id} ${ecs-task-arn} ${ecs-task-definition-arn} ${ecs-cluster-name} ${ecs-cluster-arn} ${ecs-container-instance-id} ${ecs-container-instance-arn} ${ecs-container-id} ${ecs-second-container-id} ${ecs-service-name}
For brevity, we only show the output starting from the ${ecs-task-id} field below:
b9ad2f8a90b24f7bbce4b0341034852f arn:aws:ecs:us-east-1:123456789012:task/DEMOGO-ECS/b9ad2f8a90b24f7bbce4b0341034852f arn:aws:ecs:us-east-1:123456789012:task-definition/catsdef:2 DEMOGO-ECS arn:aws:ecs:us-east-1:123456789012:cluster/DEMOGO-ECS 39623aba81594d79b596c0c5f556d47b arn:aws:ecs:us-east-1:123456789012:container-instance/DEMOGO-ECS/39623aba81594d79b596c0c5f556d47b 0c5c6db7540ca5c4dbc692a53c1d7bab0a4e17e9cf44fc9167659c8687fd13df - cats
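To make the record above usable in tooling, here is an added example (not code from the post or from AWS) that maps a flow log line onto the custom format string shown above, treats `-` as "not available", tells EC2-launched tasks from Fargate tasks by the container-instance fields, and lists the ECS API actions the field table says a subscription needs. The version 2 values at the front of SAMPLE_RECORD are constructed; the ECS tail is the post's sample record.

```python
LOG_FORMAT = (
    "${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} "
    "${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status} ${ecs-task-id} "
    "${ecs-task-arn} ${ecs-task-definition-arn} ${ecs-cluster-name} ${ecs-cluster-arn} "
    "${ecs-container-instance-id} ${ecs-container-instance-arn} ${ecs-container-id} "
    "${ecs-second-container-id} ${ecs-service-name}"
)
# Every ecs-* field needs ecs:ListClusters; these need one more action (see the field table).
EXTRA_ECS_ACTION = {
    "ecs-container-instance-arn": "ecs:ListContainerInstances",
    "ecs-container-instance-id": "ecs:ListContainerInstances",
    "ecs-service-name": "ecs:ListServices", "ecs-task-definition-arn": "ecs:ListTaskDefinitions",
    "ecs-task-arn": "ecs:ListTasks", "ecs-task-id": "ecs:ListTasks",
}
# Constructed sample: the 14 version-2 values are made up; the ECS tail is the post's record.
SAMPLE_RECORD = (
    "7 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 10.0.2.40 43210 8080 6 12 3456 "
    "1700000000 1700000060 ACCEPT OK b9ad2f8a90b24f7bbce4b0341034852f "
    "arn:aws:ecs:us-east-1:123456789012:task/DEMOGO-ECS/b9ad2f8a90b24f7bbce4b0341034852f "
    "arn:aws:ecs:us-east-1:123456789012:task-definition/catsdef:2 DEMOGO-ECS "
    "arn:aws:ecs:us-east-1:123456789012:cluster/DEMOGO-ECS 39623aba81594d79b596c0c5f556d47b "
    "arn:aws:ecs:us-east-1:123456789012:container-instance/DEMOGO-ECS/39623aba81594d79b596c0c5f556d47b "
    "0c5c6db7540ca5c4dbc692a53c1d7bab0a4e17e9cf44fc9167659c8687fd13df - cats"
)

def parse_format(fmt: str) -> list:
    """'${a} ${b}' -> ['a', 'b']; reject anything that is not a ${...} token."""
    toks = fmt.split()
    if any(not (t.startswith("${") and t.endswith("}")) for t in toks):
        raise ValueError("format must contain only ${field} tokens")
    return [t[2:-1] for t in toks]

def parse_record(fmt: str, line: str) -> dict:
    """Map one space-separated record onto the format; '-' means 'not available'."""
    names, values = parse_format(fmt), line.split()
    if len(values) != len(names):
        raise ValueError(f"expected {len(names)} fields, got {len(values)}")
    return {n: (None if v == "-" else v) for n, v in zip(names, values)}

def required_ecs_actions(fmt: str) -> set:
    """ECS API actions the flow log subscription needs for the ECS fields selected in fmt."""
    ecs_fields = [n for n in parse_format(fmt) if n.startswith("ecs-")]
    actions = {"ecs:ListClusters"} if ecs_fields else set()
    return actions | {EXTRA_ECS_ACTION[n] for n in ecs_fields if n in EXTRA_ECS_ACTION}

def launch_type(rec: dict) -> str:
    """NON-ECS, or EC2 vs FARGATE (the container-instance fields are '-' on Fargate)."""
    if rec.get("ecs-task-id") is None:
        return "NON-ECS"
    return "EC2" if rec.get("ecs-container-instance-id") else "FARGATE"
```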
Navigating to the ECS Clusters page (Figure 3) in the AWS Console, we can tie the Flow Log details back to the sample web application introduced earlier.
Figure 3: ECS Clusters via AWS Console
In the following images (Figure 4 and Figure 5) you can see how the various ECS Flow Log attributes tie back to the ECS Cluster, Service and Task details shown in the AWS Console. The ecs-cluster-name ties to the ECS cluster name (top of the image), the ecs-task-id ties to the task that generated that traffic flow, and ecs-container-instance-id is the ID of the container instance for tasks using the EC2 launch type.
Figure 4: VPC Flow Log attributes
In the following image you can see more attributes, such as ecs-service-name, which is the name of the ECS service, and ecs-container-id, which is the ID of the container in the task that generated the traffic flow.
Figure 5: VPC Flow Log attributes
Walkthrough
This section walks you through creating a VPC Flow Log with ECS metadata using the Amazon VPC console. The resulting flow log captures network traffic data from your VPC resources, including ECS traffic data, and publishes it to a destination of your choice. Please also refer to our documentation to review the full set of limitations for VPC Flow Logs.
Prerequisites
- You have created a new VPC in a Region (let’s say us-east-1).
- (Optional) You can also choose an existing VPC.
- You have instances or resources deployed in the VPC that are sending traffic.
- Note that no flow logs will be created without traffic flowing.
- Your account must contain at least one ECS cluster.
Create a VPC Flow Log
You can create a flow log for a VPC, a subnet, or a network interface. If you create a flow log for a subnet or VPC, then each network interface in that subnet or VPC is monitored. For this example, we will create a flow log for the VPC.
Step 1: Start by creating a flow log
- Navigate to the Amazon VPC console and create a new flow log.
- Enter a name for the VPC Flow Log.
- Select the type of traffic to capture in the flow log.
- Select the destination type.
Step 2: Including ECS metadata
Option 1: using AWS default format
ECS metadata can be included simply by checking a box in the VPC Flow Log console, as shown in the following image.
Figure 6: VPC Flow Logs subscription with default format
Option 2: Using custom format
As an alternative to the default format, you can select specific fields, which now include the new ECS attributes, as shown in the following image.
Figure 7: VPC Flow Logs subscription with custom format
Step 3: Viewing VPC Flow Logs
After you create a VPC Flow Log, it can take several minutes to begin collecting and publishing data to the destination you chose. Note that VPC Flow Logs do not capture real-time log streams for your network interfaces. The following figure shows an example of a flow log enriched with the selected ECS fields and sent to Amazon CloudWatch.
Figure 8: VPC Flow Logs in CloudWatch with ECS fields
Clean up
Once you are done, you can delete the flow logs. You can also delete the resulting flow log data from the destination you selected in Step 1.
Conclusion
With Version 7 of VPC Flow Logs, you now have 10 new fields that give you further insight into your workloads running on ECS, helping you understand traffic flows and patterns. This capability is available today in all AWS Regions with ECS, so enable Flow Logs on your ECS clusters to get deeper insights into your traffic flow patterns.