In AWS how can you see what traffic was blocked or permitted?

In a firewall like Palo Alto Networks you can see what traffic has been allowed or denied by source ip, destination ip, protocol, actions etc. How can I see what's being dropped on a particular VPC?
amigan_99 (Network Engineer) asked:
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Most devices produce log files on the machine.

Some devices actually run Linux + their onboard rsyslog can be configured to connect to other machines to deposit logs where they can be reviewed easily.

Refer to the manual for your specific model to see how best this can be achieved.
amigan_99 (Network Engineer, author) commented:
Adding more specificity: How can one view traffic blocked by Security Groups or NACLs in an AWS VPC? Thank you.
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Without knowing each one of these, likely each is better asked as a separate question.

The easy way to handle firewall rules is just run iptables on each machine.

This way you can actually test + log how your firewall rules are working.

When many layers of firewalling are piled on, then debugging is difficult, as each device/system has its own logging specifics.

Then you have to determine if all these devices/systems are interacting with each other.

Using iptables means all this becomes very easy. The rules for iptables may be terse + they're fairly easy to understand.
amigan_99 (Network Engineer, author) commented:
Thanks David. But my question is specific to Amazon Web Services. I need to know how to find the data that I would normally find using some of the methods you mentioned. But those don't apply here with AWS.
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
appears to cover this technology. covers security groups.

You'll have to login to your AWS + VPC account + just start going through docs to discover details of your setup.

And, the starting point appears to be no rules, so you should already know what rules are there, as you would have had to create them.

If this is someone else's account, where you're doing client work, ask whoever set up the rules in the beginning to explain their philosophy about what they set up + how exactly they did their setup.

It appears this code sits in front of EC2 instances, so you'll have to understand the VPC rules + then iptables rules (on each EC2 instance) to truly understand how all this works together.

You can always do an iptables -F at the EC2 instance level to clear out most of the iptables rules, so you can debug VPC only rules.
Justin C (AWS Solutions Architect) commented:
You need to enable VPC Flow Logs in order to see network traffic and whether it was allowed or denied by an AWS NACL or Security Group. Flow Logs log all traffic between the VPC router and each Elastic Network Interface (ENI) within the VPC.

Once enabled, Flow Logs will log to CloudWatch and will create a separate log for each ENI. Each log entry will show the source/destination IP and port, the protocol, number of packets, number of bytes, flow start and stop times, as well as the status (Accept/Reject).
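As an added illustration of the answer above (not code from the original thread or from AWS), here is a small parser for the default version-2 Flow Log record format that counts the REJECT entries per ENI and destination, which is the quickest way to see what a security group or NACL is dropping once the logs land in CloudWatch. The sample records are constructed; the ENI id, account id and addresses are placeholders.

```python
"""Parse AWS VPC Flow Log records (default format, version 2) and count
which flows a security group or NACL rejected, per ENI and destination."""
from collections import Counter
from typing import Dict, List, Union

# Field order of the default (version 2) VPC Flow Log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

def parse_record(line: str) -> Dict[str, Union[str, int, None]]:
    """Split one space-separated record into named fields.
    A '-' means the field is absent (NODATA/SKIPDATA records) and becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    record: Dict[str, Union[str, int, None]] = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            record[name] = None
        elif name in INT_FIELDS:
            record[name] = int(value)
        else:
            record[name] = value
    return record

def rejected_by_destination(lines: List[str]) -> Counter:
    """Count REJECT records per (interface, dst IP, dst port, protocol).
    Records whose log-status is not OK carry no flow data and are skipped."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec["log_status"] != "OK" or rec["action"] != "REJECT":
            continue
        key = (rec["interface_id"], rec["dstaddr"], rec["dstport"], rec["protocol"])
        counts[key] += 1
    return counts

# Constructed sample records (not real traffic); protocol 6 is TCP.
SAMPLE_LOG = [
    "2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 43210 22 6 1 44 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 43211 22 6 1 44 1700000060 1700000120 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 51000 443 6 12 3400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000120 1700000180 - NODATA",
]

if __name__ == "__main__":
    for (eni, dst, port, proto), n in rejected_by_destination(SAMPLE_LOG).items():
        print(f"{eni}: {n} rejected flow(s) to {dst}:{port}/{proto}")
```

The same function works on lines pulled from the CloudWatch log stream or an S3 delivery; if you enabled a custom log format, adjust FIELDS to match the order you chose.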
amigan_99 (Network Engineer, author) commented:
Thank you.