VPC flow log IncomingByte much lower than the TunnelDataIn

0

Hi,

I have a site-to-site VPN between an AWS VPC and an on-premises router. Our ECS services on Fargate reside in that VPC. I've enabled the VPC flow log. I'm puzzled by 2 things:

  1. For the same period of time, the IncomingBytes from the VPC flow log is much lower than the TunnelDataIn. I saw a surge in the TunnelDataIn but couldn't figure out where the traffic came from. Screenshot attached.

  2. I couldn't find any traffic from the tunnel's 2 outside IP addresses in the VPC flow log using CloudWatch Logs Insights.

How are TunnelDataIn and TunnelDataOut calculated? How can I find out the traffic source of the surge in No. 1 above?

Thanks, PH

2 Answers
1
Accepted Answer

Look at the documentation here:

IncomingBytes - The volume of log events in uncompressed bytes uploaded to CloudWatch Logs. When used with the LogGroupName dimension, this is the volume of log events in uncompressed bytes uploaded to the log group.

It means that this metric represents the number of bytes that the flow logs themselves consume (not an aggregation of the incoming bytes of the flows within the flow logs). It's the size of the flow log text.

For example, if your flow log contains just a single line:

2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK

the IncomingBytes will be 115 because the text contains 115 characters

echo "2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK" | wc -c   # wc -c counts bytes, including the newline that echo appends
     115

(and not 4249, which is the number of bytes that went over that flow)

AWS EXPERT, answered 2 months ago
EXPERT, reviewed 2 months ago
  • I see. So they're not comparable. Thanks!

1

Hello.

Looking at the document below, I think the calculation is based on the amount of data sent and received between the customer gateway and AWS.
https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-cloudwatch-vpn.html

Therefore, I thought that if I could obtain a packet capture on the customer gateway side, I would be able to see what kind of traffic was being sent to AWS.

EXPERT, answered 2 months ago
EXPERT, reviewed 2 months ago
  • Thanks. Unfortunately, I'm unable to get the log from the customer gateway side. Here's the CloudWatch Logs Insights query that I'm using to figure out the IP addresses that contribute the most to the surge. Does it make sense?

    fields @timestamp, @message
    | parse @message '* * * * * * * * * * * * * *' as ver, account, interface, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log_status
    | filter @message like "<replaced with customer gateway ip address>"
    | stats sum(bytes) as totalBytes by srcaddr, dstaddr
    | sort totalBytes desc
    | limit 200
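As an added example that is not part of the original thread (it is not any poster's code), the script below parses VPC flow log records in the default 14-field format and computes, over a few constructed sample lines, both quantities the accepted answer contrasts: the size of the log text (what the CloudWatch Logs IncomingBytes metric is about) versus the sum of the records' `bytes` field (the traffic that actually crossed the ENI). It then performs offline the same aggregation as the Logs Insights query in the comment above (filter on an address, sum `bytes` by source/destination pair, sort descending). The first sample line is the record quoted in the accepted answer; the other lines, the 10.20.0.0/16 range standing in for the on-premises side, and the address filtered on are assumptions made for this example. Because an ENI-level flow log records the packets after the VPN tunnel has decapsulated them, the address worth filtering on is an on-premises inner address, which is also why the tunnel's outside IP addresses do not appear in the flow log at all.

```python
# Added example (not from the original thread): the two byte counts the
# accepted answer contrasts, plus the per-address aggregation the last
# comment's Logs Insights query performs, run offline over constructed
# VPC flow log records in the default 14-field format.

# Field order of the default VPC flow log format (version 2), matching the
# record quoted in the accepted answer.
FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
)
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample records. The first is the line from the accepted answer;
# the rest are made up for this example (10.20.0.0/16 plays the on-premises
# side of the VPN, 172.31.0.0/16 the VPC). The last is a NODATA record, whose
# per-flow fields are "-" rather than numbers.
SAMPLE_LOG = """\
2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 10.20.5.7 172.31.16.21 51422 443 6 1200 1638400 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 172.31.16.21 10.20.5.7 443 51422 6 900 61440 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 10.20.9.9 172.31.16.21 40000 8080 6 3 180 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 - - - - - - - 1418530010 1418530070 - NODATA
"""


def parse_record(line):
    """Parse one default-format flow log line into a dict, or return None if
    the line does not have exactly 14 whitespace-separated fields. Numeric
    fields become ints; a "-" (as in NODATA/SKIPDATA records) becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    record = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            record[name] = None
        elif name in INT_FIELDS:
            record[name] = int(value)
        else:
            record[name] = value
    return record


def parse_log(text):
    """Parse every non-empty line of a log dump, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            if rec is not None:
                records.append(rec)
    return records


def log_text_bytes(text):
    """Size of the log events as text, the quantity IncomingBytes measures
    (the accepted answer's `wc -c` on one line, minus echo's newline).
    How CloudWatch Logs accounts per-event overhead is not confirmed here."""
    return sum(len(line.encode("utf-8")) for line in text.splitlines() if line.strip())


def flow_bytes(records, involving=None):
    """Sum of the records' `bytes` field: traffic that actually crossed the
    ENI. Optionally restrict to flows with `involving` as src or dst."""
    total = 0
    for rec in records:
        if rec["bytes"] is None:
            continue  # NODATA/SKIPDATA records carry no byte count
        if involving is None or involving in (rec["srcaddr"], rec["dstaddr"]):
            total += rec["bytes"]
    return total


def top_talkers(records, involving=None, limit=200):
    """Offline equivalent of the comment's Logs Insights query: filter on an
    address, sum `bytes` by (srcaddr, dstaddr), sort descending, limit."""
    totals = {}
    for rec in records:
        if rec["bytes"] is None:
            continue
        if involving is not None and involving not in (rec["srcaddr"], rec["dstaddr"]):
            continue
        key = (rec["srcaddr"], rec["dstaddr"])
        totals[key] = totals.get(key, 0) + rec["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("log text size (IncomingBytes-style):", log_text_bytes(SAMPLE_LOG))
    print("bytes carried by the flows:         ", flow_bytes(records))
    print("bytes involving 10.20.5.7:          ", flow_bytes(records, "10.20.5.7"))
    for (src, dst), total in top_talkers(records, limit=5):
        print(f"{src:>15} -> {dst:<15} {total:>9}")
```

Running it shows the mismatch the question is about in miniature: five lines of roughly 100 bytes of text each describe about 1.7 MB of traffic, so the IncomingBytes of the log group and the byte counts inside the records (or the tunnel metrics) are never comparable. The NODATA record is skipped rather than crashing the sum, which a query over a real log group also has to tolerate.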