I'm seeing inbound traffic in the VPC Flow Logs for my NAT gateway. Is my NAT gateway accepting inbound traffic from the internet?

Last updated: 2019-07-22

My VPC Flow Logs show Action = ACCEPT for inbound traffic coming from public IPs. However, my understanding of NAT gateways was that they don't accept traffic from the internet. Is my NAT gateway accepting inbound traffic from the internet?

Resolution

NAT gateways managed by AWS don't accept traffic initiated from the internet. However, there are two reasons why information in your VPC Flow Logs might appear to indicate that inbound traffic is accepted from the internet.

Reason #1: Inbound internet traffic is permitted by your security group or network ACLs

VPC Flow Logs show inbound internet traffic as accepted if the traffic is permitted by your security group or network access control lists (ACLs). If network ACLs attached to a NAT gateway don’t explicitly deny traffic from the internet, internet traffic to the NAT gateway appears accepted. However, the actual traffic isn't accepted by the NAT gateway and is dropped. To confirm:

1. Open the Amazon CloudWatch console.

2. In the navigation pane, choose Insights.

3. From the dropdown, select the log group that contains the NAT gateway's elastic network interface and the private instance's elastic network interface.

4. Run the query below.

filter (dstAddr like 'xxx.xxx' and srcAddr like 'public IP')
| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr
| limit 10   

Note: You can use just the first two octets in the search filter to analyze all network interfaces in the VPC. In the example above, replace xxx.xxx with the first two octets of your VPC CIDR. Also replace public IP with the public IP you're seeing in the VPC Flow Log entry.

Query results should show traffic on the NAT gateway private IP from the public IP, but no traffic on other private IPs in the VPC. These results confirm that the incoming traffic was unsolicited. However, if you do see traffic on the private instance's IP, follow the steps under Reason #2.

Reason #2: Traffic to the public IP was initiated from a private instance

If there’s an instance using a NAT gateway for internet access, traffic in your VPC Flow Logs might represent response traffic from the public IP. To confirm that traffic to the public IP was initiated from a private instance, run the query below.

Note: Before running the query, be sure to:

  • Select the time frame that corresponds with when you observed traffic in the VPC Flow Logs.
  • If you have multiple log groups in your VPC, select the appropriate one.

filter (dstAddr like 'public IP' and srcAddr like 'xxx.xxx')
| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr
| limit 10

Note: In the example above, replace xxx.xxx with the first two octets of your VPC CIDR. Also replace public IP with the public IP you're seeing in the VPC Flow Log entry. Increase the limit if more than 10 resources in your VPC initiated traffic to the public IP.
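The two queries above can also be reproduced offline against exported flow log records, which is useful when you want to check many public IPs at once or keep the evidence outside CloudWatch. The following Python script is an added example and not part of the original article or any AWS tooling. It parses default (version 2) VPC Flow Log records, sums bytes by (srcAddr, dstAddr) for the inbound check from Reason #1 and the outbound check from Reason #2, and then classifies a public IP as either unsolicited (logged as ACCEPT but dropped by the NAT gateway) or a response to traffic a private instance initiated. It generalizes the "first two octets" filter to a proper CIDR match. The VPC CIDR 10.0.0.0/16, the NAT gateway private IP 10.0.1.10, the instance IP 10.0.2.20, the ENI IDs and the public IPs from the TEST-NET ranges are all constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample records (not real log data). Assumed layout:
#   10.0.0.0/16  = VPC CIDR, 10.0.1.10 = NAT gateway private IP,
#   10.0.2.20    = private instance using the NAT gateway,
#   203.0.113.5  = public IP the instance talked to (response traffic),
#   198.51.100.77 = public IP that connected to the NAT gateway unsolicited.
SAMPLE_LOG = """\
2 123456789012 eni-nat00000001 203.0.113.5 10.0.1.10 443 52000 6 10 1500 1563800000 1563800060 ACCEPT OK
2 123456789012 eni-inst0000002 10.0.2.20 203.0.113.5 52000 443 6 8 900 1563800000 1563800060 ACCEPT OK
2 123456789012 eni-inst0000002 203.0.113.5 10.0.2.20 443 52000 6 10 1500 1563800000 1563800060 ACCEPT OK
2 123456789012 eni-nat00000001 198.51.100.77 10.0.1.10 40000 22 6 3 180 1563800000 1563800060 ACCEPT OK
2 123456789012 eni-inst0000002 - - - - - - - 1563800000 1563800060 - NODATA
"""


def parse_flow_log(text):
    """Parse space-separated version-2 records; skip NODATA/SKIPDATA rows
    whose address and byte fields are '-' placeholders."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def bytes_by_pair(records, vpc_cidr, public_ip, direction):
    """Offline equivalent of the Logs Insights queries:
    stats sum(bytes) as bytesTransferred by srcAddr, dstAddr.

    direction="inbound":  srcaddr == public_ip and dstaddr in vpc_cidr (Reason #1)
    direction="outbound": srcaddr in vpc_cidr and dstaddr == public_ip (Reason #2)
    """
    net = ipaddress.ip_network(vpc_cidr)
    pub = ipaddress.ip_address(public_ip)
    totals = defaultdict(int)
    for rec in records:
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        if direction == "inbound" and src == pub and dst in net:
            totals[(rec["srcaddr"], rec["dstaddr"])] += rec["bytes"]
        elif direction == "outbound" and src in net and dst == pub:
            totals[(rec["srcaddr"], rec["dstaddr"])] += rec["bytes"]
    return dict(totals)


def classify_public_ip(records, vpc_cidr, public_ip):
    """Apply the article's decision rule to one public IP.

    'response'    - some VPC address initiated traffic to the public IP (Reason #2)
    'unsolicited' - only inbound flows exist; the NAT gateway logs ACCEPT because
                    the network ACL allowed the packets, but it drops them (Reason #1)
    'none'        - the public IP does not appear at all
    """
    outbound = bytes_by_pair(records, vpc_cidr, public_ip, "outbound")
    inbound = bytes_by_pair(records, vpc_cidr, public_ip, "inbound")
    if outbound:
        return "response"
    if inbound:
        return "unsolicited"
    return "none"


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for ip in ("203.0.113.5", "198.51.100.77"):
        print(ip, classify_public_ip(recs, "10.0.0.0/16", ip))
        print("  inbound :", bytes_by_pair(recs, "10.0.0.0/16", ip, "inbound"))
        print("  outbound:", bytes_by_pair(recs, "10.0.0.0/16", ip, "outbound"))
```

Feeding the script a real export, the unsolicited case shows bytes only on the NAT gateway's private IP with an empty outbound table, matching what the article says the Reason #1 query should return; a hit on a private instance's IP in both tables is the Reason #2 response pattern.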
VPC Flow Logs

Sample Queries (for CloudWatch Logs Insights)