Networking & Content Delivery

Introducing VPC Flow Logs for Elastic Container Services

Introduction

Amazon Virtual Private Cloud (VPC) is the foundational networking construct customers use to deploy workloads on AWS. To examine VPC traffic and gain insight into communication patterns, customers collect and analyze VPC Flow Logs, using the capabilities AWS has continuously added since 2015. You can get started with Flow Logs using the default format, which includes the version 2 fields, and you can access additional attributes of each traffic flow through the fields introduced in newer Flow Logs versions.

An increasing number of applications are now deployed as tasks running on Amazon Elastic Container Service (ECS). Visibility into network traffic flows is critical for monitoring, securing, and optimizing containerized workloads that run on managed services like Amazon ECS. In this blog, we introduce the latest version of VPC Flow Logs, version 7, which adds 10 new fields that give you insight into your container workloads running on ECS.

Understanding VPC Flow Logs for Elastic Container Services

As applications and network architectures evolve on AWS, visibility into traffic flows continues to expand, and VPC Flow Logs supports additional capabilities. Let’s dive into a brief history of the evolution of VPC Flow Logs:

History of Flow Logs

Version 2 (Default)

Version 2 is the default format, as shown in the following image (Figure 1).


Figure 1: VPC Flow Logs – AWS default format

To see a full list of fields available in version 2 refer to the documentation.

Version 3

In 2019, VPC Flow Logs evolved to provide a deeper understanding of how network flows correspond to specific VPCs, subnets, and instances. This resulted in the addition of seven new fields: vpc-id, subnet-id, instance-id, tcp-flags, type, pkt-srcaddr and pkt-dstaddr.

Version 4

In 2020, VPC Flow Logs gained insight into the traffic’s “location”: which Region, Availability Zone (AZ) and sublocation the traffic was coming from and destined for. This resulted in the addition of four new fields: region, az-id, sublocation-type and sublocation-id.

Version 5

In 2021, VPC Flow Logs gained the ability to associate traffic flows with specific AWS services and to show flow direction and traffic path, with the introduction of four new fields: pkt-src-aws-service, pkt-dst-aws-service, flow-direction and traffic-path.

Version 6

Since the launch of AWS Transit Gateway (TGW) in 2018, customers have been building transitive network topologies to improve connectivity between VPCs, on-premises networks and multi-cloud deployments. The version 6 fields let customers dive deeper into the attributes of network flows that traverse a TGW. Refer to the blog on VPC Flow Logs for AWS Transit Gateway, which covers the 18 new fields in depth.

Version 7 (ECS related Fields)

With the latest version of VPC Flow Logs, customers now have access to 10 new fields which give insight into ECS traffic flow and patterns.

Field: ecs-cluster-arn
Description: AWS Resource Name (ARN) of the ECS Cluster if the traffic is from a running ECS Task. To include this field in your subscription, you need permission to call ecs:ListClusters.
Parquet data type: STRING
Example: arn:aws:ecs:us-east-1:123456789012:cluster/My-ECS-Cluster

Field: ecs-cluster-name
Description: Name of the ECS Cluster if the traffic is from a running ECS Task. To include this field in your subscription, you need permission to call ecs:ListClusters.
Parquet data type: STRING
Example: My-ECS-Cluster

Field: ecs-container-instance-arn
Description: ARN of the ECS Container Instance if the traffic is from a running ECS Task on an EC2 instance. If the capacity provider is Fargate, this field will be `-`. To include this field in your subscription, you need permission to call ecs:ListClusters and ecs:ListContainerInstances.
Parquet data type: STRING
Example: arn:aws:ecs:us-east-1:123456789012:container-instance/Your-ECS-Cluster/5f56ec359d95404c9b9167aedaaa04c1

Field: ecs-container-instance-id
Description: ID of the ECS Container Instance if the traffic is from a running ECS Task on an EC2 instance. If the capacity provider is Fargate, this field will be `-`. To include this field in your subscription, you need permission to call ecs:ListClusters and ecs:ListContainerInstances.
Parquet data type: STRING
Example: 5f56ec359d95404c9b9167aedaaa04c1

Field: ecs-container-id
Description: Docker runtime ID of the container if the traffic is from a running ECS Task. If there are one or more containers in the ECS Task, this will be the Docker runtime ID of the first container. To include this field in your subscription, you need permission to call ecs:ListClusters.
Parquet data type: STRING
Example: 9182d01fa1f9778d007be6cca4ff90412d547a9e6786bfdb43b0d4d9491f1e57

Field: ecs-second-container-id
Description: Docker runtime ID of the second container if the traffic is from a running ECS Task with more than one container; if the ECS Task has only one container, this field will be `-`. To include this field in your subscription, you need permission to call ecs:ListClusters.
Parquet data type: STRING
Example: 04ca9131a7c524a1d982e83451bb16ffdd90dd34e3a2d771cf7e50dc3ddc6e05

Field: ecs-service-name
Description: Name of the ECS Service if the traffic is from a running ECS Task and the ECS Task was started by an ECS Service. If the ECS Task was not started by an ECS Service, this field will be `-`. To include this field in your subscription, you need permission to call ecs:ListClusters and ecs:ListServices.
Parquet data type: STRING
Example: My-ECS-Service

Field: ecs-task-definition-arn
Description: ARN of the ECS Task Definition if the traffic is from a running ECS Task. To include this field in your subscription, you need permission to call ecs:ListClusters and ecs:ListTaskDefinitions.
Parquet data type: STRING
Example: arn:aws:ecs:us-east-1:123456789012:task-definition/My-ECS-Task-Definition-Family:1

Field: ecs-task-arn
Description: ARN of the ECS Task if the traffic is from a running ECS Task. To include this field in your subscription, you need permission to call ecs:ListClusters and ecs:ListTasks.
Parquet data type: STRING
Example: arn:aws:ecs:us-east-1:123456789012:task/My-ECS-Cluster/57caaed710be4d309ca169f4eb2da8f5

Field: ecs-task-id
Description: ID of the ECS Task if the traffic is from a running ECS Task. To include this field in your subscription, you need permission to call ecs:ListClusters and ecs:ListTasks.
Parquet data type: STRING
Example: 57caaed710be4d309ca169f4eb2da8f5

Sample Architecture

Let’s consider a typical web application workload deployed on ECS. An end user accesses the workload through an internet-facing Application Load Balancer (ALB), which distributes the load to an ECS service using the EC2 launch type; that service in turn calls another service using the Fargate launch type. A NAT Gateway (NATGW) provides outbound access to the internet.

Figure 2: Typical ECS workload

Based on the preceding architecture diagram (Figure 2), let’s dive into an example from a flow log entry with the following format:

${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status} ${ecs-task-id} ${ecs-task-arn} ${ecs-task-definition-arn} ${ecs-cluster-name} ${ecs-cluster-arn} ${ecs-container-instance-id} ${ecs-container-instance-arn} ${ecs-container-id} ${ecs-second-container-id} ${ecs-service-name}

For brevity, we only show the output starting from the ${ecs-task-id} field below:

b9ad2f8a90b24f7bbce4b0341034852f arn:aws:ecs:us-east-1:123456789012:task/DEMOGO-ECS/b9ad2f8a90b24f7bbce4b0341034852f arn:aws:ecs:us-east-1:123456789012:task-definition/catsdef:2 DEMOGO-ECS arn:aws:ecs:us-east-1:123456789012:cluster/DEMOGO-ECS 39623aba81594d79b596c0c5f556d47b arn:aws:ecs:us-east-1:123456789012:container-instance/DEMOGO-ECS/39623aba81594d79b596c0c5f556d47b 0c5c6db7540ca5c4dbc692a53c1d7bab0a4e17e9cf44fc9167659c8687fd13df - cats
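The following Python is an added example, not code from the original post, showing how a practitioner would consume records in the custom format above: it derives the column names from the ${...} format string, maps each record onto them (treating `-` as "no value"), infers the launch type from whether the container-instance fields are populated, and then runs two simple checks over the records: accepted egress from a task to an address outside the VPC (the NATGW path in Figure 2) and rejected flows attributed to a task and service. The format string is the one from the post. The records are constructed for this example: the ECS columns for the "cats" task are the ones shown above, while the ENI IDs, addresses, ports and the "dogs" Fargate task are made up.

```python
"""Parse VPC Flow Log records in the post's custom (version 7) format and
attribute flows to ECS tasks. Added example, not from the original post."""
import ipaddress
import re
from collections import defaultdict

# Custom format from the post: ${field} placeholders, space separated.
LOG_FORMAT = (
    "${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} "
    "${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} "
    "${action} ${log-status} ${ecs-task-id} ${ecs-task-arn} "
    "${ecs-task-definition-arn} ${ecs-cluster-name} ${ecs-cluster-arn} "
    "${ecs-container-instance-id} ${ecs-container-instance-arn} "
    "${ecs-container-id} ${ecs-second-container-id} ${ecs-service-name}"
)

# ECS columns of the "cats" task exactly as shown in the post (EC2 launch type).
CATS_EC2 = (
    "b9ad2f8a90b24f7bbce4b0341034852f "
    "arn:aws:ecs:us-east-1:123456789012:task/DEMOGO-ECS/b9ad2f8a90b24f7bbce4b0341034852f "
    "arn:aws:ecs:us-east-1:123456789012:task-definition/catsdef:2 "
    "DEMOGO-ECS arn:aws:ecs:us-east-1:123456789012:cluster/DEMOGO-ECS "
    "39623aba81594d79b596c0c5f556d47b "
    "arn:aws:ecs:us-east-1:123456789012:container-instance/DEMOGO-ECS/39623aba81594d79b596c0c5f556d47b "
    "0c5c6db7540ca5c4dbc692a53c1d7bab0a4e17e9cf44fc9167659c8687fd13df - cats"
)
# Constructed ECS columns for a Fargate task: the field table says the two
# container-instance fields are "-" when the capacity provider is Fargate.
DOGS_FARGATE = (
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0 "
    "arn:aws:ecs:us-east-1:123456789012:task/DEMOGO-ECS/0f1e2d3c4b5a69788796a5b4c3d2e1f0 "
    "arn:aws:ecs:us-east-1:123456789012:task-definition/dogsdef:5 "
    "DEMOGO-ECS arn:aws:ecs:us-east-1:123456789012:cluster/DEMOGO-ECS "
    "- - " + "2a" * 32 + " - dogs"
)
# Constructed records (network columns are invented) following Figure 2.
SAMPLE_RECORDS = [
    # ALB (10.0.0.10) -> cats task on its EC2 container instance, accepted
    "7 123456789012 eni-0a1b2c3d4e5f60718 10.0.0.10 10.0.1.25 50412 8080 6 9 2100 "
    "1700000000 1700000060 ACCEPT OK " + CATS_EC2,
    # cats task -> dogs task (Fargate) inside the VPC, accepted
    "7 123456789012 eni-0a1b2c3d4e5f60719 10.0.1.25 10.0.2.40 39222 8080 6 5 800 "
    "1700000000 1700000060 ACCEPT OK " + DOGS_FARGATE,
    # cats task -> internet host through the NAT gateway, accepted
    "7 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.25 203.0.113.10 43210 443 6 12 3400 "
    "1700000000 1700000060 ACCEPT OK " + CATS_EC2,
    # dogs task -> SSH to an internet host, rejected (security group or NACL)
    "7 123456789012 eni-0a1b2c3d4e5f60719 10.0.2.40 198.51.100.7 44000 22 6 3 180 "
    "1700000000 1700000060 REJECT OK " + DOGS_FARGATE,
]

# Treat RFC 1918 space as "inside the VPC"; replace with your VPC CIDRs. The
# check is explicit because ipaddress.is_private also matches documentation
# ranges such as 203.0.113.0/24, which would hide the egress flow above.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_format(log_format):
    """Turn '${a} ${b} ...' into ['a', 'b', ...]."""
    return re.findall(r"\$\{([a-z0-9-]+)\}", log_format)


def parse_record(line, fields):
    """Map one whitespace-separated record onto the field names. Flow logs
    write '-' for 'no value', which becomes None."""
    values = line.split()
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
    return {name: (None if v == "-" else v) for name, v in zip(fields, values)}


def launch_type(rec):
    """'EC2' when a container instance is present, 'FARGATE' when the task
    exists but the container-instance fields are '-', None for non-ECS traffic."""
    if rec.get("ecs-task-id") is None:
        return None
    return "EC2" if rec.get("ecs-container-instance-id") else "FARGATE"


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def egress_by_service(records):
    """Accepted flows from a task to a non-internal address, keyed by ECS
    service name (or task ID when the task was not started by a service)."""
    out = defaultdict(set)
    for rec in records:
        if rec["action"] != "ACCEPT" or rec.get("ecs-task-id") is None:
            continue
        if is_internal(rec["srcaddr"]) and not is_internal(rec["dstaddr"]):
            key = rec.get("ecs-service-name") or rec["ecs-task-id"]
            out[key].add((rec["dstaddr"], rec["dstport"]))
    return dict(out)


def rejected_flows(records):
    """REJECTed flows with the ECS task and service they belong to."""
    return [(r["ecs-task-id"], r.get("ecs-service-name"), r["dstaddr"], r["dstport"])
            for r in records if r["action"] == "REJECT"]


FIELDS = parse_format(LOG_FORMAT)
RECORDS = [parse_record(line, FIELDS) for line in SAMPLE_RECORDS]

if __name__ == "__main__":
    for r in RECORDS:
        print(launch_type(r), r["ecs-service-name"], r["srcaddr"], "->",
              r["dstaddr"], r["dstport"], r["action"])
    print("egress by service:", egress_by_service(RECORDS))
    print("rejected:", rejected_flows(RECORDS))
```

Two things to keep in mind when adapting this: the ECS fields describe the task associated with the network interface the record was captured on, so in a custom format without flow-direction the direction is inferred here purely from which address is internal; and non-ECS traffic on the same VPC arrives with every ecs-* column set to `-`, which is why the checks test for a task ID before attributing a flow.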

Navigating to the ECS Clusters (Figure 3) using the AWS Console we can tie the Flow Log details back to the sample web application introduced earlier.


Figure 3: ECS Clusters via AWS Console

In the following images (Figure 4 and Figure 5) you can see how the ECS Flow Log attributes tie back to the ECS Cluster, Service and Task details shown in the AWS Console. The ecs-cluster-name matches the ECS cluster name (top of the image), the ecs-task-id matches the task that generated the traffic flow, and ecs-container-instance-id is the ID of the container instance for tasks using the EC2 launch type.


Figure 4: VPC Flow Log attributes

In the following image you can see more attributes like ecs-service-name which represents the name of the ECS service and the ecs-container-id representing the ID of the container for the task that generated the traffic flow.


Figure 5: VPC Flow Log attributes

Walkthrough

Let’s guide you through creating a VPC Flow Log with ECS metadata using the Amazon VPC console. The resulting flow log will capture network traffic data from your VPC resources, including ECS traffic data, and publish it to a destination of your choice. Please also refer to our documentation to review the full set of limitations for VPC Flow Logs.

Prerequisites

  1. You have created a new VPC in a Region (let’s say us-east-1).
    1. (Optional) You can also choose an existing VPC.
  2. You have instances or resources deployed in the VPC that are sending traffic.
    1. Note that no flow log records will be published unless traffic is actually flowing.
  3. Your account must contain at least one ECS cluster.

Create a VPC Flow Log

You can create a flow log for a VPC, a subnet, or a network interface. If you create a flow log for a subnet or VPC, then each network interface in that subnet or VPC is monitored. For this example, we will create a flow log for the VPC.

Step 1: Start by creating a flow log

  1. Navigate to the Amazon VPC console and create a new flow log.
  2. Enter a name for the VPC Flow Log.
  3. Select the type of traffic to capture in the flow log.
  4. Select destination type.

Step 2: Including ECS metadata

Option 1: using AWS default format

ECS metadata can be included with the default format by checking a box in the VPC Flow Logs console, as shown in the following image.


Figure 6: VPC Flow Logs subscription with default format

Option 2: Using custom format

As an alternative to the default format, you can select specific fields, which now include the new ECS attributes, as shown in the following image.


Figure 7: VPC Flow Logs subscription with custom format

Step 3: Viewing VPC Flow Logs

After you create a VPC Flow Log, it can take several minutes to begin collecting and publishing data to the destination you chose. Note that VPC Flow Logs are not a real-time stream of the traffic on your network interfaces. The following figure shows an example of a flow log enriched with the selected ECS fields, delivered to Amazon CloudWatch.


Figure 8: VPC Flow Logs in CloudWatch with ECS fields
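The three console steps above can also be driven from code, which is how most teams keep flow log subscriptions consistent across accounts. The following Python is an added example, not from the original post: it assembles the custom log format from a field list, checks that any ecs-* field is one of the ten version 7 fields, derives the ECS IAM actions the field table says the caller needs, and builds the keyword arguments for the boto3 `create_flow_logs` call (the same parameters the `aws ec2 create-flow-logs` CLI takes). The VPC ID, log group name and IAM role ARN are placeholders; the API call is only made when the script is run with `--apply`, so it runs offline by default.

```python
"""Build an ECS-enriched VPC Flow Log subscription from a field list.
Added example, not from the original post."""
import re
import sys

# The ten version 7 fields from the post's table, mapped to the ECS action each
# needs on top of ecs:ListClusters, which every ECS field requires.
ECS_FIELD_PERMISSIONS = {
    "ecs-cluster-arn": set(),
    "ecs-cluster-name": set(),
    "ecs-container-instance-arn": {"ecs:ListContainerInstances"},
    "ecs-container-instance-id": {"ecs:ListContainerInstances"},
    "ecs-container-id": set(),
    "ecs-second-container-id": set(),
    "ecs-service-name": {"ecs:ListServices"},
    "ecs-task-definition-arn": {"ecs:ListTaskDefinitions"},
    "ecs-task-arn": {"ecs:ListTasks"},
    "ecs-task-id": {"ecs:ListTasks"},
}

# Version 2 fields of the AWS default format.
DEFAULT_FIELDS = ["version", "account-id", "interface-id", "srcaddr", "dstaddr",
                  "srcport", "dstport", "protocol", "packets", "bytes",
                  "start", "end", "action", "log-status"]


def build_log_format(fields):
    """Render a field list as the '${field} ...' string create_flow_logs
    expects. Unknown ecs-* names are rejected here rather than as an API
    error; non-ECS names are only checked for the allowed characters."""
    for f in fields:
        if not re.fullmatch(r"[a-z0-9-]+", f):
            raise ValueError(f"invalid flow log field name: {f!r}")
        if f.startswith("ecs-") and f not in ECS_FIELD_PERMISSIONS:
            raise ValueError(f"unknown ECS flow log field: {f!r}")
    return " ".join(f"${{{f}}}" for f in fields)


def required_ecs_permissions(fields):
    """IAM actions the principal creating the subscription must be allowed."""
    ecs_fields = [f for f in fields if f.startswith("ecs-")]
    if not ecs_fields:
        return set()
    perms = {"ecs:ListClusters"}
    for f in ecs_fields:
        perms |= ECS_FIELD_PERMISSIONS[f]
    return perms


def flow_log_request(vpc_id, log_group, role_arn, fields):
    """Keyword arguments for boto3 ec2.create_flow_logs: a VPC-scoped flow log
    for ALL traffic, delivered to CloudWatch Logs with a custom format."""
    return {
        "ResourceType": "VPC",
        "ResourceIds": [vpc_id],
        "TrafficType": "ALL",
        "LogDestinationType": "cloud-watch-logs",
        "LogGroupName": log_group,
        "DeliverLogsPermissionArn": role_arn,
        "LogFormat": build_log_format(fields),
    }


if __name__ == "__main__":
    # Placeholder identifiers; replace with your own.
    fields = DEFAULT_FIELDS + list(ECS_FIELD_PERMISSIONS)
    request = flow_log_request("vpc-0123456789abcdef0", "/vpc/flow-logs/ecs",
                               "arn:aws:iam::123456789012:role/flow-logs-to-cloudwatch",
                               fields)
    print("ECS permissions needed:", sorted(required_ecs_permissions(fields)))
    print("LogFormat:", request["LogFormat"])
    if "--apply" in sys.argv:
        import boto3  # only needed when actually creating the flow log
        print(boto3.client("ec2", region_name="us-east-1").create_flow_logs(**request))
```

The permission check matters in practice: the ecs:List* actions are needed by whoever creates the subscription, not by the flow log delivery role, so a least-privilege deployment pipeline that lacks them will fail at creation time even though the CloudWatch delivery role is correct.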

Clean up

Once you are done, you can delete the flow log. You can also delete the flow log data that was published to the destination you chose in Step 1.

Conclusion

With version 7 of VPC Flow Logs, you now have 10 new fields that give you further insight into your workloads running on ECS, helping you understand traffic flows and patterns. This capability is available today in all AWS Regions where ECS is available, so enable Flow Logs on the VPCs, subnets or network interfaces that host your ECS clusters to get deeper insight into your traffic flow patterns.


Ruskin Dantra

Ruskin is a Solutions Architect based out of California. He is originally from the Land of the Long White Cloud, New Zealand and is an 18-year veteran in application development with a love for networking. His passion in life is to make complex things simple using AWS.


Yarden Halperin

Yarden is a Senior Technical Product Manager in the Amazon VPC team. She is passionate about Network Observability and Network Analytics. Outside work, she is a wine and food lover, and loves traveling to new places and building communities.