---
title: "What is VPC flow logging?"
page_name: "VPC flow logging"
type: "glossary"
slug: "vpc-flow-logging"
published_at: "2025-02-17"
modified_at: "2026-02-13"
url: "https://www.sumologic.com/glossary/vpc-flow-logging"
canonical: "https://www.sumologic.com/glossary/vpc-flow-logging"
markdown_url: "https://www.sumologic.com/glossary/vpc-flow-logging.md"
lang: "en"
excerpt: "Explore what VPC flow logging is, the uses of VPC logs, how to enable VPC flow logging in AWS, how to view and use the data it collects and its limitations."
---

# VPC flow logging

## What is VPC flow logging?

Amazon Virtual Private Cloud (VPC) Flow Logs is a built-in AWS feature that records metadata about the IP traffic passing through the network interfaces in your VPC, giving you visibility into how your network resources are actually being used.

[VPC](http://www.sumologic.com/glossary/virtual-private-cloud) Flow logging lets you capture and log data about network traffic in your VPC. A flow log records metadata for the IP traffic going to and from designated network interfaces: source and destination addresses and ports, protocol, packet and byte counts, start and end timestamps, and whether the traffic was accepted or rejected. It does not capture packet payloads. Records are published to [Amazon CloudWatch](https://www.amazonaws.cn/en/cloudwatch/) Logs, Amazon S3 or Amazon Data Firehose, where they can be retrieved, searched and forwarded to analysis tools.

Learn more about [AWS Network Firewall](http://www.sumologic.com/blog/aws-network-firewall-security).

Key takeaways

- Amazon VPC flow logs let you establish traffic baselines and spot unusual volumes; they record flow duration and byte counts, not per-packet latency.
- Amazon VPC flow logs support root cause analysis of security incidents, such as tracing rejected or unexpected connections to the rule that allowed or blocked them.
- VPC flow logs exclude certain types of traffic, including queries to the Amazon DNS resolver and DHCP.

## Uses for VPC logging

Rather than collecting this critical data through add-on agents and appliances, which add overhead and consume compute, AWS provides native flow monitoring as part of the platform ([AWS monitoring](http://www.sumologic.com/glossary/aws-monitoring)). It is the cloud equivalent of NetFlow monitoring in the on-premises world. VPC Flow logging is critical for security and compliance in your AWS cloud environment.

**Performance.** Use VPC flow logs to establish traffic baselines and tune applications. Each record carries the flow's start and end time, packet and byte counts and the action taken, so you can spot unexpected volumes, chatty dependencies and connections that are being dropped, and address them before users notice. Flow logs do not measure per-packet latency; pair them with application or load balancer metrics for that.

**Security.** By logging all of the traffic from a given interface or an entire subnet, [root cause analysis](http://www.sumologic.com/glossary/root-cause-analysis) can reveal [critical gaps in security](http://www.sumologic.com/briefs/aws-security-best-practices) where malicious traffic is moving around your network: repeated REJECT records against a host point to scanning or misconfigured clients, while ACCEPT records from unexpected sources point to rules that are too permissive. Key in on suspicious traffic and tighten security loopholes using VPC flow log data.

A VPC flow logging dashboard from Sumo Logic

## Catch the flow: enable VPC logging

Flow logs are off by default; you must create one for each resource you want to watch. There are two ways to turn them on and deliver records to Amazon CloudWatch Logs (or to S3 or Data Firehose):

- Use the AWS Management Console to enable and configure VPC Flow logs on a VPC, subnet or network interface.
- For scripted or repeatable setups, use the AWS [Command Line Interface](https://aws.amazon.com/cli/) (CLI), a unified scripting tool for managing your AWS services, or the equivalent SDK or infrastructure-as-code call.

Though enabling flow logs for every resource on your network may be tempting, do so judiciously. Flow logs can quickly swell into hundreds of gigabytes, and this mountain of data is billed both for ingestion and for storage. Work with your DevOps/operations team to determine which flow logs are beneficial, and check Amazon CloudWatch [pricing](https://aws.amazon.com/cloudwatch/pricing/) to plan your budget.

Learn more about [AWS Traffic Mirroring](http://www.sumologic.com/blog/amazon-vpc-traffic-mirroring), which captures full packets rather than flow metadata.

## Three kinds of flow logs

After enabling VPC Flow logging in AWS, it's important to understand what you're monitoring and how the logs compile data. Amazon offers flow logging at three levels of scope:

**Virtual private cloud**

Log every network interface in the VPC for a bird's-eye view of your operations, but note the pricing above. Analysis of VPC-level logging should reveal the busiest and most exposed resources, which you can then watch more closely.

**Subnet**

VPCs are usually divided into subnets spanning multiple Availability Zones in a Region. A subnet is either public or private. A public subnet has a route to an internet gateway, and instances in it need a public or Elastic IP address to talk to the internet. A private subnet has no such route; it isolates internal resources from public-facing traffic, with any outbound access going through a NAT gateway. Create a flow log for a specific subnet where you want to see all activity. For example, log a private subnet to confirm that no internet-sourced traffic reaches it.

**Network Interface**

You can also log a single elastic network interface, for example one attached to an [AWS EC2](http://www.sumologic.com/glossary/aws-ec2) instance, and capture flow records from that interface alone. Target critical connection points in your network to stay ahead of issues such as dropped connections and malicious intrusions.

After choosing what resources you will log, define the logging parameters. These include:

- Traffic type: ALL, ACCEPT or REJECT. Logging only REJECT is a cheap way to watch for scanning and blocked egress; ALL is needed for baselining and incident reconstruction.
- Log name and destination: a functional name for the log and where to store it, either a [CloudWatch](https://aws.amazon.com/cloudwatch/) Logs log group, an S3 bucket or a Data Firehose stream. You can also choose a custom record format (to add fields such as the packet-level addresses or TCP flags) and a 1- or 10-minute aggregation interval.
- Necessary permissions: for a CloudWatch Logs destination, an identity and access management (IAM) role that the flow logs service can assume to publish to the log group; an S3 destination is authorised by a bucket policy instead.

Once a flow log exists for a VPC or subnet, it covers every network interface in that scope, including interfaces created later, so you do not need to create a separate flow log for each new instance.
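The procedure above (pick a resource, then set traffic type, destination and permissions), as an added example that is not the page's own code or an AWS sample: a small Python helper that assembles the keyword arguments boto3's `create_flow_logs` expects and rejects parameter combinations AWS would refuse, such as a CloudWatch Logs destination without a delivery role. The subnet, role and log-group identifiers in the example call are placeholders.

```python
"""Assemble a CreateFlowLogs request with the cross-parameter checks AWS enforces.

Added example; not code from the Sumo Logic page or from AWS. Parameter names
match boto3's EC2.Client.create_flow_logs. The resource, role and log-group
identifiers used in the example call at the bottom are placeholders.
"""
import re

TRAFFIC_TYPES = {"ALL", "ACCEPT", "REJECT"}
RESOURCE_TYPES = {"VPC", "Subnet", "NetworkInterface"}
DESTINATION_TYPES = {"cloud-watch-logs", "s3", "kinesis-data-firehose"}
AGGREGATION_INTERVALS = {60, 600}           # seconds; the only two values AWS accepts
FIELD_TOKEN = re.compile(r"^\$\{[a-z0-9-]+\}$")  # custom-format fields look like ${srcaddr}


def build_flow_log_request(resource_ids, resource_type, traffic_type="ALL",
                           destination_type="cloud-watch-logs", log_group=None,
                           delivery_role_arn=None, destination_arn=None,
                           log_format=None, max_aggregation_interval=600):
    """Return the keyword arguments for ec2.create_flow_logs, or raise ValueError."""
    if not resource_ids:
        raise ValueError("at least one resource ID is required")
    if resource_type not in RESOURCE_TYPES:
        raise ValueError(f"resource_type must be one of {sorted(RESOURCE_TYPES)}")
    if traffic_type not in TRAFFIC_TYPES:
        raise ValueError(f"traffic_type must be one of {sorted(TRAFFIC_TYPES)}")
    if destination_type not in DESTINATION_TYPES:
        raise ValueError(f"destination_type must be one of {sorted(DESTINATION_TYPES)}")
    if max_aggregation_interval not in AGGREGATION_INTERVALS:
        raise ValueError("max_aggregation_interval must be 60 or 600 seconds")

    req = {
        "ResourceIds": list(resource_ids),
        "ResourceType": resource_type,
        "TrafficType": traffic_type,
        "LogDestinationType": destination_type,
        "MaxAggregationInterval": max_aggregation_interval,
    }
    if destination_type == "cloud-watch-logs":
        # CloudWatch Logs needs a log group plus an IAM role the flow logs
        # service can assume to write to it (the "permissions" parameter above).
        if not (log_group and delivery_role_arn):
            raise ValueError("CloudWatch Logs destination needs log_group and delivery_role_arn")
        req["LogGroupName"] = log_group
        req["DeliverLogsPermissionArn"] = delivery_role_arn
    else:
        # S3 and Firehose take the destination ARN; S3 access is granted by a
        # bucket policy rather than a delivery role.
        if not destination_arn:
            raise ValueError(f"{destination_type} destination needs destination_arn")
        req["LogDestination"] = destination_arn
    if log_format:
        bad = [t for t in log_format.split() if not FIELD_TOKEN.match(t)]
        if bad:
            raise ValueError(f"custom log_format fields must look like ${{name}}: {bad}")
        req["LogFormat"] = log_format
    return req


def create_flow_log(ec2_client, **kwargs):
    """Submit the request through an injected boto3 EC2 client (keeps this module AWS-free)."""
    return ec2_client.create_flow_logs(**build_flow_log_request(**kwargs))


if __name__ == "__main__":
    # Placeholder identifiers (assumptions); pass a real boto3 client to create_flow_log to apply it.
    print(build_flow_log_request(
        ["subnet-0123456789abcdef0"], "Subnet", traffic_type="REJECT",
        log_group="/vpc/flow-logs/private-subnet",
        delivery_role_arn="arn:aws:iam::123456789012:role/flow-logs-publisher",
        log_format="${version} ${srcaddr} ${dstaddr} ${dstport} ${action} ${pkt-dstaddr}",
    ))
```

Keeping the client injected rather than imported means the validation can run (and be unit-tested) without AWS credentials, and the same function serves the console-equivalent call from a deployment script.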

## Limits to the flow

VPC flow logs can't capture everything; certain kinds of traffic are excluded by design. Here are cases where you cannot rely on VPC logging:

- **DNS traffic**

Queries to the Amazon-provided DNS resolver in the VPC are not logged. If you run your own DNS servers, traffic to them is recorded like any other, but most users rely on the AWS resolver, so name lookups will simply be absent from the flow logs.

- **DHCP**

Similarly, dynamic host configuration protocol (DHCP) traffic is not recorded, and neither is traffic to the instance metadata service at 169.254.169.254, which matters when you are investigating credential theft from an instance. Depending on the size of your VPC, this can represent a notable amount of traffic.

- **Multiple IP Addresses**

An elastic network interface can carry several private IPv4 addresses. With the default record format, traffic sent to a secondary address is reported with the interface's primary private address in the dstaddr field, so the secondary address never appears. To see the address a packet was actually sent to, use a custom log format that includes the pkt-dstaddr (and pkt-srcaddr) fields.

- **Legacy limitations**

EC2-Classic, the pre-VPC networking model used by accounts created before December 2013, never supported flow logs, and AWS retired it in 2022. Any remaining workloads on it need [migrating](https://aws.amazon.com/blogs/apn/how-to-migrate-amazon-ec2-instances-from-ec2-classic-to-amazon-vpc-with-cloudendure/) into a VPC.
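The checks described on this page, spotting rejected traffic and confirming that no internet-sourced traffic reaches a private subnet (the security and subnet passages above), together with the secondary-IP caveat just described, as an added example that is not the page's or AWS's own code. It parses records in the default version-2 format and in a custom format that appends the packet-level pkt-srcaddr and pkt-dstaddr fields. The sample records, account ID and interface ID are constructed; 203.0.113.7 (a documentation-range address) stands in for an internet host.

```python
"""Parse AWS VPC flow log records and run a few checks over them.

Added example; not code from the Sumo Logic page or from AWS. The records
below are constructed for illustration; the field names are the documented
flow log field names.
"""
import ipaddress
import re

DEFAULT_FORMAT = ("${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} "
                  "${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} "
                  "${action} ${log-status}")
# Custom format adding the packet-level addresses: with the default format a
# flow to a secondary private IP is reported under the interface's primary IP.
PKT_FORMAT = DEFAULT_FORMAT + " ${pkt-srcaddr} ${pkt-dstaddr}"

INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
# RFC 1918, link-local and IPv6 ULA/link-local; anything else counts as internet-sourced.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
                  "fc00::/7", "fe80::/10")]


def fields_of(fmt):
    """Field names in a flow log format string, in order."""
    return re.findall(r"\$\{([a-z0-9-]+)\}", fmt)


def parse_records(text, fmt=DEFAULT_FORMAT):
    """Turn space-separated flow log lines into dicts keyed by field name."""
    names = fields_of(fmt)
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != len(names):
            raise ValueError(f"expected {len(names)} fields, got {len(parts)}: {line!r}")
        rec = dict(zip(names, parts))
        for k in INT_FIELDS:  # NODATA/SKIPDATA rows carry '-' here; leave those alone
            if k in rec and rec[k] != "-":
                rec[k] = int(rec[k])
        records.append(rec)
    return records


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def data_records(records):
    """Only rows that actually describe traffic (log-status OK)."""
    return [r for r in records if r["log-status"] == "OK"]


def rejected_flows(records):
    """(src, dst, dstport) for flows a security group or network ACL rejected."""
    return [(r["srcaddr"], r["dstaddr"], r["dstport"])
            for r in data_records(records) if r["action"] == "REJECT"]


def internet_into_subnet(records, subnet_cidr, action="ACCEPT"):
    """Flows from non-internal sources that reached an address inside subnet_cidr.

    Prefers pkt-dstaddr when the format carries it, so traffic to a secondary
    IP is attributed to the address the packet was really sent to.
    """
    subnet = ipaddress.ip_network(subnet_cidr)
    hits = []
    for r in data_records(records):
        if r["action"] != action or is_internal(r["srcaddr"]):
            continue
        dst = r.get("pkt-dstaddr", r["dstaddr"])
        if ipaddress.ip_address(dst) in subnet:
            hits.append((r["srcaddr"], dst, r["dstport"]))
    return hits


def secondary_ip_flows(records):
    """(dstaddr, pkt-dstaddr) pairs where the logged address differs from the packet's."""
    return [(r["dstaddr"], r["pkt-dstaddr"]) for r in data_records(records)
            if "pkt-dstaddr" in r and r["pkt-dstaddr"] not in ("-", r["dstaddr"])]


# Constructed sample records (default format, version 2); the last row is a NODATA row.
SAMPLE_DEFAULT = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 10.0.2.10 49152 443 6 12 4320 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.2.10 51234 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.2.10 51235 3389 6 2 120 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""
# Constructed sample with pkt-* fields: the packet went to the secondary IP 10.0.2.11.
SAMPLE_PKT = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 10.0.2.10 40000 8080 6 5 600 1700000000 1700000060 ACCEPT OK 10.0.1.25 10.0.2.11
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE_DEFAULT)
    print("rejected:", rejected_flows(recs))
    print("internet -> 10.0.2.0/24 (accepted):", internet_into_subnet(recs, "10.0.2.0/24"))
    print("secondary-IP flows:", secondary_ip_flows(parse_records(SAMPLE_PKT, PKT_FORMAT)))
```

Run against the sample, the accepted RDP flow from 203.0.113.7 into 10.0.2.0/24 is the finding that matters: a private subnet should never see it, so either the subnet has a route it should not have or a security group is too open. The REJECT on port 22 from the same source is the scan that preceded it. The secondary-IP check only works on records written with a custom format; with the default format both addresses are reported as 10.0.2.10.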

## Get your VPC flowing with Sumo Logic

With VPC Flow logging, Amazon adds a powerful deep analysis tool for your AWS cloud, including in a [DevOps environment](http://www.sumologic.com/glossary/vpc-flow-logging). Knowing how to turn it on, what critical data to collect, and what you can’t find in your VPC logs is a step in the right direction toward mastering [VPC logging](http://www.sumologic.com/app-catalog/vpc-flow).

Integrating directly with Google Stackdriver, Sumo Logic provides real-time observability for your GCP-generated log data. With the Sumo Logic [app for Google Cloud VPC](http://www.sumologic.com/app-catalog/google-cloud-vpc), gain real-time insights and analytics into network activity through interactive, customizable dashboards. You can look for unusual traffic patterns and suspicious activity with outlier detection.

### FAQs

**How can I enhance security within my EC2 instances using Security Groups and Amazon VPC?**

1\. **Utilize security groups**: Define security group rules to control inbound and outbound traffic to your EC2 instances based on protocols, ports, and IP addresses. Restrict access to only necessary resources to reduce the attack surface.

2\. **Implement network ACLs**: Set up Network Access Control Lists (ACLs) at the subnet level to filter traffic and provide additional security for your VPC.

3\. **Follow the least privilege principle:** By configuring security group rules, grant only the minimum required permissions to each EC2 instance and avoid unnecessarily opening ports or protocols.

4\. **Regularly review and update rules**: Periodically review and update security group rules and network ACLs to ensure they align with your current security requirements and best practices.

5\. **Use Bastion hosts:** Employ Bastion hosts to securely administer your EC2 instances in private subnets by controlling SSH or RDP access through the Bastion host.

6\. **Monitor and log activities**: Enable [VPC Flow logs](https://www.sumologic.com/glossary/vpc-flow-logging) to capture information about the IP traffic going to and from network interfaces in your VPC for security analysis and troubleshooting.

**Can Sumo Logic provide end-to-end observability across my technology stack?**

Yes, Sumo Logic provides log management, infrastructure monitoring, APM and more as part of our [full-stack observability](https://www.sumologic.com/solutions/application-observability) solution. Any new telemetry collected from across your tech stack (physical or virtual machines, clouds, microservices, etc.) provides additional context and insights that help you gain visibility into your overall environment.

**How is monitoring different than observability?**

There are many discussions in the DevOps world about the difference between [monitoring and observability](https://www.sumologic.com/blog/observability-vs-monitoring). Monitoring, by definition, is the process of collecting, analyzing and using data to track various systems. Meanwhile, observability leverages all the data from logs, metrics and traces to help development teams detect and resolve any issues. [Observability](https://www.sumologic.com/glossary/observability) focuses on understanding the context of all of the metrics and the internal state of your infrastructure.

In simple terms, monitoring captures and displays data, and observability is understanding system health through inputs and outputs.

