Reputation: 409
I am trying to use AWS VPC Flow Logs to find usage of ports on EC2 instances but cannot make sense of it.
For example, in these two rows 10.200.10.30 is the private IP of the interface. The security group allows port 443. But as shown here, destination port 33788 is ACCEPT?!
2 123456789123 eni-abc123ab 54.152.158.21 10.200.10.30 443 33788 6 12 6861 1550793782 1550793842 ACCEPT OK
2 123456789123 eni-abc123ab 10.200.10.30 54.152.158.21 33788 443 6 13 2745 1550793782 1550793842 ACCEPT OK
Okay, maybe it's just backwards then, but that does not work either, because at other times the source/destination ports are as expected...
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-monitoring.html mentions two entries per connection, but instance above is not a load balancer...
Any pointers?
Upvotes: 2
Views: 1127
Reputation: 82
Without knowing more about your network, it appears that this is an outbound connection from one EC2 instance to another.
The second line represents the HTTPS request from the source (10.200.10.30:33788) to the destination (54.152.158.21:443), while the first line represents the packets returned for that request.
So, what host on your network has 54.152.158.21? My guess is that it's an ALB.
Upvotes: 1
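As an added example (not code from either post), the script below parses default-format VPC Flow Log v2 records, pairs the two records of each connection into one bidirectional flow, and reports which end is the listening service and whether the connection is inbound to or outbound from the interface's private IP. It uses a heuristic that is an assumption, not an AWS rule: in each record pair, the endpoint with the lower port number is treated as the server, because client-side ephemeral ports are high (32768 and above on Linux). The first two sample lines are the ones from the question; the three lines using 203.0.113.7 and 198.51.100.9 (RFC 5737 documentation addresses) are constructed here to show an inbound accepted connection and a rejected one-way probe.

```python
"""Pair VPC Flow Log v2 records into bidirectional flows and infer the service port."""

# Default v2 flow log field order (version ... log-status), 14 space-separated fields.
FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample: lines 1-2 are the records from the question, lines 3-5 are
# made up for this example (RFC 5737 documentation addresses as peers).
SAMPLE_LOG = """\
2 123456789123 eni-abc123ab 54.152.158.21 10.200.10.30 443 33788 6 12 6861 1550793782 1550793842 ACCEPT OK
2 123456789123 eni-abc123ab 10.200.10.30 54.152.158.21 33788 443 6 13 2745 1550793782 1550793842 ACCEPT OK
2 123456789123 eni-abc123ab 203.0.113.7 10.200.10.30 51234 443 6 20 4100 1550793782 1550793842 ACCEPT OK
2 123456789123 eni-abc123ab 10.200.10.30 203.0.113.7 443 51234 6 18 9800 1550793782 1550793842 ACCEPT OK
2 123456789123 eni-abc123ab 198.51.100.9 10.200.10.30 40000 22 6 1 44 1550793782 1550793842 REJECT OK
"""


def parse_record(line):
    """Turn one default-format v2 record into a dict with numeric fields converted."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d: %r" % (len(FIELDS), len(parts), line))
    rec = dict(zip(FIELDS, parts))
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    return rec


def parse_log(text):
    """Parse all non-empty lines, skipping an optional 'version ...' header row."""
    return [parse_record(l) for l in text.splitlines()
            if l.strip() and not l.startswith("version")]


def flow_key(rec):
    """Direction-independent identity of a connection: ENI, protocol, both endpoints."""
    ends = sorted([(rec["srcaddr"], rec["srcport"]), (rec["dstaddr"], rec["dstport"])])
    return (rec["interface_id"], rec["protocol"]) + tuple(ends)


def summarize_flows(records, private_ip):
    """Merge the per-direction records of each connection into one flow summary.

    Heuristic (assumption): the endpoint with the lower port is the listening
    service; the other end is the client using an ephemeral port.
    """
    flows = {}
    for rec in records:
        ends = sorted([(rec["srcaddr"], rec["srcport"]), (rec["dstaddr"], rec["dstport"])],
                      key=lambda e: e[1])
        server, client = ends[0], ends[1]
        inbound = server[0] == private_ip
        flow = flows.setdefault(flow_key(rec), {
            "interface_id": rec["interface_id"],
            "service_port": server[1],
            "direction": "inbound" if inbound else "outbound",
            "peer": client[0] if inbound else server[0],
            "records": 0, "packets": 0, "bytes": 0, "actions": set(),
        })
        flow["records"] += 1          # 2 for a normal two-way connection, 1 for a one-way probe
        flow["packets"] += rec["packets"]
        flow["bytes"] += rec["bytes"]
        flow["actions"].add(rec["action"])
    return list(flows.values())


if __name__ == "__main__":
    for f in summarize_flows(parse_log(SAMPLE_LOG), "10.200.10.30"):
        print("%-8s port %-5d peer %-15s records=%d packets=%d bytes=%d %s" % (
            f["direction"], f["service_port"], f["peer"],
            f["records"], f["packets"], f["bytes"], ",".join(sorted(f["actions"]))))
```

Run against the question's two records this reports a single outbound flow to 54.152.158.21 on service port 443, so port 33788 never needs a security group rule: it is the instance's own ephemeral client port, and the return traffic is allowed by the security group's stateful connection tracking. A flow with only one record and a REJECT action (the constructed port 22 line) is what a blocked inbound probe looks like, which is the pattern to search for when auditing port usage.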