In AWS how can you see what traffic was blocked or permitted?

In a firewall like Palo Alto Networks you can see what traffic has been allowed or denied by source IP, destination IP, protocol, action etc. How can I see what's being dropped on a particular VPC?
amigan_99 (Network Engineer) asked:

David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Most devices produce log files on the machine.

Some devices actually run Linux + their onboard rsyslog can be configured to connect to other machines to deposit logs where they can be reviewed easily.

Refer to the manual for your specific model to see how best this can be achieved.
0
amigan_99 (Network Engineer, author) commented:
Adding more specificity: How can one view traffic blocked by Security Groups or NACLs in an AWS VPC? Thank you.
0
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Without knowing each one of these, likely each is better asked as a separate question.

The easy way to handle firewall rules is just run iptables on each machine.

This way you can actually test + log how your firewall rules are working.

When many layers of firewalling are piled on, then debugging is difficult, as each device/system has its own logging specifics.

Then you have to determine if all these devices/systems are interacting with each other.

Using iptables means all this becomes very easy. The rules for iptables may be terse + they're fairly easy to understand.
0
amigan_99 (Network Engineer, author) commented:
Thanks David. But my question is specific to Amazon Web Services. I need to know how to find the data that I would normally find using some of the method you mentioned. But those don't apply here with AWS.
0
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
https://aws.amazon.com/vpc/ appears to cover this technology.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html covers security groups.

You'll have to log in to your AWS + VPC account + just start going through docs to discover details of your setup.

And, the starting point appears to be no rules, so you should already know what rules are there, as you would have had to create them.

If this is someone else's account, where you're doing client work, ask whoever set up rules in the beginning to explain their philosophy about what they set up + how exactly they did their setup.

It appears this code sits in front of EC2 instances, so you'll have to understand the VPC rules + then iptables rules (on each EC2 instance) to truly understand how all this works together.

You can always do an iptables -F at the EC2 instance level to clear out most of the iptables rules, so you can debug VPC only rules.
0
amigan_99 (Network Engineer, author) commented:
0
Justin C (AWS Solutions Architect) commented:
You need to enable VPC Flow Logs in order to see network traffic and whether it was allowed or denied by an AWS NACL or Security Group.  Flow Logs log all traffic between the VPC router and each Elastic Network Interface (ENI) within the VPC.
https://aws.amazon.com/blogs/aws/vpc-flow-logs-log-and-view-network-traffic-flows/

Once enabled, Flow Logs will log to Cloudwatch and will create a separate log for each ENI.  Each log entry will show the source/destination IP and port, the protocol, number of packets, number of bytes, flow start and stop times, as well as the status (Accept/Reject).
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html#flow-log-records
1
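To make the accepted answer concrete, here is an added example (not code from the thread or from AWS) that parses VPC Flow Log records in the default version-2 format described in the linked documentation and summarises what was rejected per destination port and per source address. The log lines are constructed for the example; the account id and ENI id are placeholders, and the addresses come from documentation ranges.

```python
"""Parse AWS VPC Flow Log records (default version-2 format) and summarise
ACCEPT/REJECT traffic. Added example with constructed sample data."""
from collections import Counter
from dataclasses import dataclass

# Field order of the default VPC Flow Log record (version 2).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# IANA protocol numbers as they appear in the record.
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample records, not real traffic. The account id and
# eni- identifier are placeholders; the public IPs are documentation ranges.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.12 10.0.1.25 44321 22 6 3 180 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.12 10.0.1.25 44322 3389 6 2 120 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 51000 443 6 12 5400 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.25 198.51.100.7 443 51000 6 10 9800 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.99 10.0.1.25 40000 22 6 1 60 1700000060 1700000119 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000060 1700000119 - NODATA
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    nbytes: int
    start: int
    end: int
    action: str  # "ACCEPT" or "REJECT"


def parse_record(line):
    """Parse one record; return None for NODATA/SKIPDATA records, which
    carry no flow and have '-' in every traffic field."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(
        rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
        int(rec["srcport"]), int(rec["dstport"]), int(rec["protocol"]),
        int(rec["packets"]), int(rec["bytes"]),
        int(rec["start"]), int(rec["end"]), rec["action"],
    )


def parse_flow_log(text):
    """Parse a block of records, skipping blank lines and no-data records."""
    parsed = (parse_record(l) for l in text.splitlines() if l.strip())
    return [r for r in parsed if r is not None]


def traffic_totals(records):
    """Map action -> (flow count, total bytes)."""
    totals = {}
    for r in records:
        flows, nbytes = totals.get(r.action, (0, 0))
        totals[r.action] = (flows + 1, nbytes + r.nbytes)
    return totals


def rejected_by_dstport(records):
    """Count REJECT flows per (destination port, protocol name)."""
    counts = Counter()
    for r in records:
        if r.action == "REJECT":
            counts[(r.dstport, PROTOCOLS.get(r.protocol, str(r.protocol)))] += 1
    return counts


def rejected_sources(records):
    """Count REJECT flows per source address."""
    return Counter(r.srcaddr for r in records if r.action == "REJECT")


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("totals by action:", traffic_totals(recs))
    print("rejected by dst port:", rejected_by_dstport(recs).most_common())
    print("rejected sources:", rejected_sources(recs).most_common())
```

The record only says REJECT; it does not name the security group or network ACL rule that dropped the flow, so matching a rejected tuple back to a rule set is still a manual step. Because NACLs are stateless, a missing ephemeral-port rule shows up as an ACCEPT for the inbound request followed by a REJECT for the response, which is worth checking before assuming the inbound rule is at fault.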
amigan_99 (Network Engineer, author) commented:
Thank you.
0