VPC flow log IncomingByte much lower than the TunnelDataIn

0

Hi,

I have a site to site VPN between an AWS VPC and an on-promise router. Our ecs services on Fargate reside in that VPC. I've enabled the VPC flow log. I'm puzzled by 2 things:

  1. For the same period of time, the IncomingBytes from the VPC flow log is much lower than the TunnelDataIn. I saw surge in the TunnelDataIn but couldn't figure out where the traffic came from. Screenshot attached

  2. I couldn't find any traffic from the tunnel's 2 outside ip addresses in the VPC flow log using CloudWatch Insight.

How is the TunnelDataIn and TunnelDataOut calculated? How can I find out the traffic source of the surge in No.1 above.

Thanks, PH

2 Answers
1
Accepted Answer

Look at the documentation here:

IncomingBytes - The volume of log events in uncompressed bytes uploaded to CloudWatch Logs. When used with the LogGroupName dimension, this is the volume of log events in uncompressed bytes uploaded to the log group.

It means that this metric represent the number of bytes that the flow logs themselves consume (not an aggregation of the incoming bytes of the flows within the flow logs). It's the size of the flow log text.

for example if your flow logs contains just a single line:

2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK

the IncomingBytes will be 115 because the text contains 115 characters

echo "2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK" | wc -c
     115

(and not 4249 which is the Bytes went over that flow)

profile pictureAWS
EXPERT
answered 4 months ago
profile picture
EXPERT
reviewed 4 months ago
  • I see. So they're not comparable. Thanks!

1

Hello.

Looking at the document below, I think the calculation is based on the amount of data sent and received between the customer gateway and AWS.
https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-cloudwatch-vpn.html

Therefore, I thought that if I could obtain a packet capture on the customer gateway side, I would be able to see what kind of traffic was being sent to AWS.

profile picture
EXPERT
answered 4 months ago
profile picture
EXPERT
reviewed 4 months ago
  • Thanks. Unfortunately, I'm unable to get the log from the customer gateway side. Here's the CloudWatch Insight query that I'm using to figure out the ip addresses that contribute the most to the surge. Does it make sense? fields @timestamp, @message | parse @message '* * * * * * * * * * * * * *' as ver, account, interface, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log_status | filter @message like "<replaced with customer gateway ip address>" | stats sum(bytes) as totalBytes by srcaddr, dstaddr | sort totalBytes desc | limit 200

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions