How can I find the top contributors to traffic through the NAT gateway in my VPC?

Last updated: 2019-07-29

I noticed higher than usual costs in my AWS bill for a NAT gateway in my Amazon Virtual Private Cloud (Amazon VPC). How can I find the top contributors to traffic through the NAT gateway in my VPC?

Resolution

Note: In each of the following commands, replace x.x.x.x with the private IP of your NAT gateway. Replace y.y. with the first two octets of the VPC CIDR range.

1.    Confirm that you have VPC Flow Logs enabled on your VPC or NAT gateway elastic network interface. Create a flow log to enable VPC Flow Logs, if necessary.

2.    Open the CloudWatch console.

3.    In the navigation pane, choose Insights.

4.    From the dropdown, select the log group for your NAT gateway.

5.    To find which instances are sending the most traffic through your NAT gateway, run the following query.

filter (dstAddr like 'x.x.x.x' and srcAddr like 'y.y.') 
| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr
| sort bytesTransferred desc
| limit 10

6.    To find traffic going to and from the instances, run the following query.

filter (dstAddr like 'x.x.x.x' and srcAddr like 'y.y.') or (srcAddr like 'x.x.x.x' and dstAddr like 'y.y.')
| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr
| sort bytesTransferred desc
| limit 10

7.    To find the internet destinations that the instances in your VPC communicate with most often, run the following queries.

For uploads:

filter (srcAddr like 'x.x.x.x' and dstAddr not like 'y.y.') 
| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr
| sort bytesTransferred desc
| limit 10

For downloads:

filter (dstAddr like 'x.x.x.x' and srcAddr not like 'y.y.') 
| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr
| sort bytesTransferred desc
| limit 10
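The same four aggregations (steps 5 through 7) carried out offline over raw flow log records, as an added example that is not part of the original article. It assumes the default version-2 flow log format, a constructed sample log, a NAT gateway private IP of 10.0.0.5 and a VPC CIDR of 10.0.0.0/16; because the Logs Insights `like` operator is a substring match, the script tests CIDR membership instead, so an external address such as 110.0.1.1 is not mistaken for a VPC host.

```python
import ipaddress
from collections import defaultdict

# Constructed sample VPC Flow Log records (default version-2 format):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.0.5 44321 443 6 120 90000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.0.5 44322 443 6 60 45000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.40 10.0.0.5 51000 443 6 10 8000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.0.5 203.0.113.10 443 44321 6 120 135000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.0.5 44321 443 6 300 400000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.0.5 10.0.1.25 443 44321 6 300 400000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 110.0.1.1 10.0.0.5 40000 443 6 5 5000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1600000000 1600000060 - NODATA
"""

# One predicate per query in the article; s/d are the source/destination addresses,
# nat is the NAT gateway private IP and vpc is the VPC network (hypothetical names).
QUERIES = {
    "to_nat":    lambda s, d, nat, vpc: d == nat and s in vpc,                               # step 5
    "instances": lambda s, d, nat, vpc: (d == nat and s in vpc) or (s == nat and d in vpc),  # step 6
    "upload":    lambda s, d, nat, vpc: s == nat and d not in vpc,                           # step 7, uploads
    "download":  lambda s, d, nat, vpc: d == nat and s not in vpc,                           # step 7, downloads
}

def parse_flow_logs(text):
    """Yield (src, dst, bytes) for each record with log-status OK; NODATA/SKIPDATA rows carry no addresses."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 14 or fields[13] != "OK":
            continue
        yield ipaddress.ip_address(fields[3]), ipaddress.ip_address(fields[4]), int(fields[9])

def top_talkers(text, nat_ip, vpc_cidr, query, limit=10):
    """Equivalent of 'stats sum(bytes) by srcAddr, dstAddr | sort desc | limit N' for one query."""
    nat = ipaddress.ip_address(nat_ip)
    vpc = ipaddress.ip_network(vpc_cidr)
    match = QUERIES[query]
    totals = defaultdict(int)
    for src, dst, nbytes in parse_flow_logs(text):
        if match(src, dst, nat, vpc):
            totals[(str(src), str(dst))] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:limit]

if __name__ == "__main__":
    for name in QUERIES:
        print(name, top_talkers(SAMPLE_LOG, "10.0.0.5", "10.0.0.0/16", name))
```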

Querying Amazon VPC Flow Logs

Sample Queries (for CloudWatch Logs Insights)
