VPC flow logs | Notion

VPC Flow Logs is basically a traffic recorder for your VPC. It captures information about every network request — who sent it, where it went, which port, and whether it was allowed or blocked.

Think of it like a CCTV log for your network — you don't interfere with traffic, you just record it.

What does it capture?

Every log entry records:

version | account-id | interface-id | srcaddr | dstaddr | srcport | dstport | protocol | action

The fields you care about most:

Field	What it tells you
`srcaddr`	Where the traffic came from (source IP)
`dstaddr`	Where it was going (destination IP)
`srcport`	Source port
`dstport`	Destination port
`action`	ACCEPT or REJECT — most important field

Where can you capture logs?

You can enable Flow Logs at 3 levels:

VPC level — captures everything across the entire VPC
Subnet level — captures traffic for a specific subnet
ENI level — captures traffic for a specific network interface (single instance)

Where are logs stored?

S3 — for long term storage and analysis
CloudWatch Logs — for real-time monitoring and alerts
Kinesis Data Firehose — for streaming to other tools

Also works for AWS managed services like ELB, RDS, NAT Gateway — not just EC2.