Flow log limitations
To use flow logs, you need to be aware of the following limitations:
- After you create a flow log, you won't see flow log data until there is active traffic for the network interface, subnet, or VPC that you selected.
- You can't enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account.
- After you create a flow log, you can't change its configuration or the flow log record format. For example, you can't associate a different IAM role with the flow log, or add or remove fields in the flow log record. Instead, delete the flow log and create a new one with the required configuration.
- If your network interface has multiple IPv4 addresses and traffic is sent to a secondary private IPv4 address, the flow log displays the primary private IPv4 address in the dstaddr field. To capture the original destination IP address, create a flow log with the pkt-dstaddr field.
- If traffic is sent to a network interface and the destination is not any of the network interface's IP addresses, the flow log displays the primary private IPv4 address in the dstaddr field. To capture the original destination IP address, create a flow log with the pkt-dstaddr field.
- If traffic is sent from a network interface and the source is not any of the network interface's IP addresses, the flow log displays the primary private IPv4 address in the srcaddr field. To capture the original source IP address, create a flow log with the pkt-srcaddr field.
- If traffic is sent to or sent from a network interface, the srcaddr and dstaddr fields in the flow log always display the primary private IPv4 address, regardless of the packet source or destination. To capture the packet source or destination, create a flow log with the pkt-srcaddr and pkt-dstaddr fields.
- When your network interface is attached to a Nitro-based instance, the aggregation interval is always 1 minute or less, regardless of the specified maximum aggregation interval.
- For the pkt-srcaddr and pkt-dstaddr fields, if the intermediate layer has client IP address preservation enabled, these fields may show the preserved client IP instead of the IP address of the intermediate layer.
- Some flow log records may be skipped during the aggregation interval (see log-status in Available fields). This may be caused by an internal AWS capacity constraint or internal error. Treat a skipped interval as a gap in visibility, not as evidence that no traffic occurred.
- If you are using AWS Cost Explorer to view VPC flow log charges and some flow log records are skipped during the aggregation interval, the number of flow logs reported in AWS Cost Explorer will be higher than the number of flow logs published by Amazon VPC.
- If you are using VPC Block Public Access (BPA):
  - Flow logs for VPC BPA do not include skipped records.
  - Flow logs for VPC BPA do not include bytes, even if you include the bytes field in your flow log.
- Flow logs do not capture all IP traffic. The following types of traffic are not logged, so the absence of a record for them is not evidence that no such traffic occurred:
  - Traffic generated by instances when they contact the Amazon DNS server. If you use your own DNS server, then all traffic to that DNS server is logged.
  - Traffic generated by a Windows instance for Amazon Windows license activation.
  - Traffic to and from 169.254.169.254 for instance metadata.
  - Traffic to and from 169.254.169.123 for the Amazon Time Sync Service.
  - DHCP traffic.
  - Mirrored traffic at the Traffic Mirroring source. You will see the mirrored traffic only at the Traffic Mirroring target.
  - Traffic to the reserved IP address for the default VPC router.
  - Traffic between an endpoint network interface and a Network Load Balancer network interface.
  - Address Resolution Protocol (ARP) traffic.
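The two limitations above that matter most when flow logs feed detection or forensics are the rewritten srcaddr/dstaddr fields and the skipped intervals. The following Python checker is an added example, not code from the AWS documentation: it validates a custom log format before the flow log is created (since fields cannot be added afterwards), then parses records and flags those whose srcaddr/dstaddr differ from pkt-srcaddr/pkt-dstaddr, and counts SKIPDATA and NODATA intervals. The field names are the real VPC Flow Logs field names; the custom format, the interface ID and the sample records are constructed for this example.

```python
"""Check a VPC Flow Logs custom format and classify records from it.

Added example, not AWS code. Assumes the flow log was created with the
custom format LOG_FORMAT below; SAMPLE_RECORDS are constructed records in
that format (the interface ID is made up).
"""
import re

# Custom format in the ${field} syntax given at flow log creation. Since the
# format cannot be changed later, decide on pkt-* and log-status up front.
LOG_FORMAT = ("${version} ${interface-id} ${srcaddr} ${dstaddr} "
              "${pkt-srcaddr} ${pkt-dstaddr} ${bytes} ${log-status}")

# Fields without which the checks below cannot be done.
REQUIRED = ("pkt-srcaddr", "pkt-dstaddr", "log-status")

# Constructed sample records, one per line, fields in LOG_FORMAT order.
SAMPLE_RECORDS = """\
5 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 10.0.1.20 10.0.1.10 10.0.1.20 4321 OK
5 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.20 203.0.113.5 10.0.1.21 900 OK
5 eni-0a1b2c3d4e5f6a7b8 10.0.1.20 198.51.100.7 10.0.2.40 198.51.100.7 120 OK
5 eni-0a1b2c3d4e5f6a7b8 - - - - - SKIPDATA
5 eni-0a1b2c3d4e5f6a7b8 - - - - - NODATA
"""


def parse_log_format(fmt):
    """Return the field names in a ${field} format string, in order."""
    return re.findall(r"\$\{([a-z0-9-]+)\}", fmt)


def missing_fields(fmt, required=REQUIRED):
    """Fields from `required` that `fmt` lacks. Run this before creating the
    flow log: the only way to add a field later is delete and recreate."""
    present = set(parse_log_format(fmt))
    return [f for f in required if f not in present]


def parse_record(line, fields):
    """Split one space-separated record into a dict; '-' means unavailable."""
    values = line.split()
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
    rec = {k: (None if v == "-" else v) for k, v in zip(fields, values)}
    if rec.get("bytes") is not None:
        rec["bytes"] = int(rec["bytes"])
    return rec


def classify(rec):
    """Label a record by whether its address fields can be trusted.

    'src-rewritten' / 'dst-rewritten' / 'both-rewritten': srcaddr/dstaddr hold
    the interface's primary private IPv4 address rather than the address in
    the packet (secondary IP, or traffic forwarded through the interface);
    only the pkt-* fields carry the real endpoints.
    'SKIPDATA': records for this interval were dropped, so any count or
    detection over the interval is incomplete. 'NODATA': no traffic seen.
    """
    status = rec["log-status"]
    if status in ("SKIPDATA", "NODATA"):
        return status
    src_rewritten = rec["srcaddr"] != rec["pkt-srcaddr"]
    dst_rewritten = rec["dstaddr"] != rec["pkt-dstaddr"]
    if src_rewritten and dst_rewritten:
        return "both-rewritten"
    if src_rewritten:
        return "src-rewritten"
    if dst_rewritten:
        return "dst-rewritten"
    return "direct"


def summarize(text, fmt=LOG_FORMAT):
    """Count record classes across records written in format `fmt`."""
    missing = missing_fields(fmt)
    if missing:
        raise ValueError(f"format lacks {missing}; recreate the flow log with them")
    fields = parse_log_format(fmt)
    counts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        label = classify(parse_record(line, fields))
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_RECORDS).items()):
        print(f"{label:15s} {n}")
```

In the sample, the second record shows a packet for a secondary address (pkt-dstaddr 10.0.1.21) reported with the primary address in dstaddr, and the third shows forwarded traffic whose real source (10.0.2.40) only survives in pkt-srcaddr; without the pkt-* fields both would look like ordinary traffic of the primary address, and without log-status the SKIPDATA interval would be indistinguishable from a quiet one.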
Limitations specific to ECS fields available in version 7:
- To create flow log subscriptions with ECS fields, your account must contain at least one ECS cluster.
- ECS fields are not computed if the underlying ECS tasks are not owned by the owner of the flow log subscription. For example, if you share a subnet (SubnetA) with another account (AccountB), you create a flow log subscription for SubnetA, and AccountB then launches ECS tasks in the shared subnet, your subscription will receive traffic logs for the ECS tasks launched by AccountB, but the ECS fields for these logs will not be computed due to security concerns.
- If you create flow log subscriptions with ECS fields at the VPC or subnet resource level, any traffic generated for non-ECS network interfaces will also be delivered to your subscriptions. The values of the ECS fields will be '-' for non-ECS IP traffic. For example, you have a subnet (subnet-000000) and you create a flow log subscription for this subnet with ECS fields (fl-00000000). In subnet-000000, you launch an EC2 instance (i-0000000) that is connected to the internet and is actively generating IP traffic. You also launch a running ECS task (ECS-Task-1) in the same subnet. Since both i-0000000 and ECS-Task-1 are generating IP traffic, your flow log subscription fl-00000000 will deliver traffic logs for both entities. However, only ECS-Task-1 will have actual ECS metadata in the ECS fields you included in your logFormat. For traffic related to i-0000000, these fields will have a value of '-'.
- ecs-container-id and ecs-second-container-id are ordered as the VPC Flow Logs service receives them from the ECS event stream. They are not guaranteed to be in the same order as you see them in the ECS console or in the DescribeTasks API call. If a container enters a STOPPED status while the task is still running, it may continue to appear in your log.
- The ECS metadata and the IP traffic logs come from two different sources. We start computing your ECS traffic as soon as we obtain all required information from upstream dependencies. After you start a new task, we start computing your ECS fields 1) when we receive IP traffic for the underlying network interface and 2) when we receive the ECS event containing the metadata for your ECS task that indicates the task is now running. After you stop a task, we stop computing your ECS fields 1) when we no longer receive IP traffic for the underlying network interface, or we receive IP traffic that is delayed by more than one day, and 2) when we receive the ECS event containing the metadata for your ECS task that indicates the task is no longer running.
- Only ECS tasks launched in awsvpc network mode are supported.