Lab: Implementing Logging and Monitoring for AWS & Hybrid Networks
Define logging and monitoring requirements across AWS and hybrid networks
This hands-on lab guides you through configuring essential logging and monitoring services to gain visibility into network traffic and management events. You will implement VPC Flow Logs, CloudWatch Alarms, and explore Reachability Analyzer to ensure network health and security compliance.
Prerequisites
Before starting this lab, ensure you have:
- An AWS Account with administrative access.
- AWS CLI installed and configured with credentials (`aws configure`).
- Basic knowledge of VPC concepts (subnets, route tables).
- Permissions to create IAM Roles, CloudWatch Log Groups, and VPC Flow Logs.
Learning Objectives
By the end of this lab, you will be able to:
- Create and configure CloudWatch Log Groups for network telemetry.
- Enable VPC Flow Logs to capture IP traffic patterns.
- Implement CloudWatch Alarms based on network metric filters.
- Use VPC Reachability Analyzer to troubleshoot connectivity paths.
Architecture Overview
Traffic Flow & Logging Architecture
Log Processing Visual

```latex
\begin{tikzpicture}[node distance=2cm, every node/.style={fill=white, font=\small}, scale=0.8]
  \draw[thick, blue!50, dashed] (-1,-1) rectangle (8,3);
  \node at (3.5, 2.7) {\textbf{AWS Cloud}};
  \node (src) at (0,1) [draw, rectangle] {VPC Traffic};
  \node (log) at (3.5,1) [draw, cylinder, shape border rotate=90] {Flow Logs};
  \node (ana) at (7,1) [draw, diamond] {Analysis};
  \draw[->, thick] (src) -- (log);
  \draw[->, thick] (log) -- (ana);
  \node[below of=log, node distance=1.2cm] {CloudWatch/S3};
\end{tikzpicture}
```
Step-by-Step Instructions
Step 1: Create a CloudWatch Log Group
We need a destination where our VPC Flow Logs will be stored and indexed.

```bash
aws logs create-log-group --log-group-name "/aws/vpc/network-traffic-logs"
```

Console alternative: open the CloudWatch console and choose Log groups. Click Create log group, name it `/aws/vpc/network-traffic-logs`, and click Create.
Step 2: Create an IAM Role for Flow Logs
VPC Flow Logs require permission to publish data to CloudWatch.
- Create a trust policy file named `trust-policy.json`:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "vpc-flow-logs.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

- Create the role:

```bash
aws iam create-role --role-name "VPCFlowLogRole" --assume-role-policy-document file://trust-policy.json
```

- Attach the logging policy (an inline policy; despite its name it grants only the five `logs:` actions below, with `Resource` left as `*` for simplicity; in a production account scope it to the log group's ARN):

```bash
aws iam put-role-policy --role-name "VPCFlowLogRole" --policy-name "CloudWatchLogsFullAccess" --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["logs:CreateLogGroup","logs:CreateLogStream","logs:PutLogEvents","logs:DescribeLogGroups","logs:DescribeLogStreams"],"Resource":"*"}]}'
```

Step 3: Enable VPC Flow Logs
Now, attach the logging configuration to your target VPC.
```bash
# Replace <VPC_ID> and <ROLE_ARN> with your actual values
aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids <VPC_ID> \
  --traffic-type ALL \
  --log-group-name "/aws/vpc/network-traffic-logs" \
  --deliver-logs-permission-arn <ROLE_ARN>
```

[!TIP] You can find your VPC ID using `aws ec2 describe-vpcs --query "Vpcs[0].VpcId" --output text`, and the role ARN from Step 2 using `aws iam get-role --role-name VPCFlowLogRole --query Role.Arn --output text`.
Step 4: Test Connectivity with Reachability Analyzer
Use this tool to verify whether traffic can flow between two points (e.g., an Instance and an IGW).

```bash
aws ec2 create-network-insights-path \
  --source <INSTANCE_ID> \
  --destination <IGW_ID> \
  --protocol tcp \
  --destination-port 80
```

Creating the path only defines what to analyze; run the analysis against the returned path ID with `aws ec2 start-network-insights-analysis --network-insights-path-id <PATH_ID>` so that the checkpoint below has an analysis to report on.

Console alternative: open the VPC console and choose Reachability Analyzer. Click Create and analyze path. Select your source (Instance) and destination (Internet Gateway), then click Create and analyze path.
Checkpoints
- Log Verification: Run `aws logs describe-log-streams --log-group-name "/aws/vpc/network-traffic-logs"`. You should see streams appearing after a few minutes.
- Reachability Status: Run `aws ec2 describe-network-insights-analyses`. The `NetworkInsightsAnalysisStatus` should eventually show `succeeded`, with `NetworkPathFound` as true or false.
Clean-Up / Teardown
[!WARNING] Remember to run these commands to avoid ongoing charges for log storage.
- Delete Flow Logs:

```bash
# Get the Flow Log ID first. This assumes the lab's flow log is the first one
# returned; if the account has other flow logs, pick the ID for the lab VPC.
ID=$(aws ec2 describe-flow-logs --query "FlowLogs[0].FlowLogId" --output text)
aws ec2 delete-flow-logs --flow-log-ids $ID
```

- Delete Log Group:

```bash
aws logs delete-log-group --log-group-name "/aws/vpc/network-traffic-logs"
```

- Delete IAM Role:

```bash
# The inline policy must be removed before the role can be deleted
aws iam delete-role-policy --role-name VPCFlowLogRole --policy-name CloudWatchLogsFullAccess
aws iam delete-role --role-name VPCFlowLogRole
```
Troubleshooting
| Issue | Likely Cause | Fix |
|---|---|---|
| Logs not appearing | IAM Role lacks permissions | Ensure the PutLogEvents action is allowed for the role. |
| Flow Log Creation Fails | Invalid ARN | Verify the IAM Role ARN is correct and the trust policy allows vpc-flow-logs.amazonaws.com. |
| Reachability Analyzer "Unsupported" | Resource type | Ensure you are analyzing supported resources like ENIs, Instances, or Gateways. |
Stretch Challenge
Advanced Filtering: Create a CloudWatch Metric Filter that counts the number of REJECTED packets in your VPC Flow Logs. Then, create a CloudWatch Alarm that triggers an SNS notification if more than 10 packets are rejected in a 1-minute period.
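As an added offline illustration of the stretch challenge (not part of the original lab), the following Python reproduces what the metric filter and alarm would compute: it parses default-format VPC Flow Log records, sums the packets of REJECT records into one-minute buckets, and reports the buckets that exceed the threshold of 10. The log lines are constructed samples, and the account and ENI ids are placeholders.

```python
from collections import defaultdict
from typing import Dict, List, Optional

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

def parse_record(line: str) -> Optional[dict]:
    """Parse one default-format line into a field dict. NODATA/SKIPDATA records
    carry '-' in the traffic fields and no packet count, so they return None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec

def rejected_packets_per_minute(lines: List[str]) -> Dict[int, int]:
    """Equivalent of a metric filter matching action="REJECT" with
    metricValue=$packets, summed into 60-second buckets keyed by bucket start."""
    buckets: Dict[int, int] = defaultdict(int)
    for line in lines:
        rec = parse_record(line)
        if rec is not None and rec["action"] == "REJECT":
            buckets[rec["start"] - rec["start"] % 60] += rec["packets"]
    return dict(buckets)

def alarm_windows(lines: List[str], threshold: int = 10) -> List[int]:
    """Bucket start times that breach the alarm condition (> threshold rejected
    packets within one minute), i.e. when the SNS notification would fire."""
    counts = rejected_packets_per_minute(lines)
    return sorted(t for t, n in counts.items() if n > threshold)

# Constructed sample records (not real traffic); account and ENI ids are placeholders.
SAMPLE_LOG = [
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.10 51432 22 6 8 480 1700000100 1700000130 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.10 51433 3389 6 5 300 1700000110 1700000140 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 10.0.2.20 44120 443 6 20 4249 1700000120 1700000150 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000160 1700000220 - NODATA",
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.10 60001 23 6 3 180 1700000170 1700000200 REJECT OK",
]

if __name__ == "__main__":
    print(rejected_packets_per_minute(SAMPLE_LOG))  # {1700000100: 13, 1700000160: 3}
    print(alarm_windows(SAMPLE_LOG))                # [1700000100]
```

In CloudWatch the same logic is a space-delimited metric filter pattern that selects `action="REJECT"` with `metricValue=$packets`, feeding an alarm with a 60-second period and a threshold of 10.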
Cost Estimate
| Service | Estimated Cost (Free Tier Eligible) |
|---|---|
| VPC Flow Logs | $0.50 per GB (Ingestion) - First 5GB/month free in some regions. |
| CloudWatch Logs | $0.50 per GB (Ingestion) + $0.03 per GB (Storage). |
| Reachability Analyzer | $0.10 per analysis. |
| Total | <$1.00 for this lab duration. |
Concept Review
| Service | Purpose | Best For... |
|---|---|---|
| VPC Flow Logs | Captures IP traffic (Src, Dst, Port, Action). | Security audits & network troubleshooting. |
| Reachability Analyzer | Static configuration analysis of paths. | Testing if Route Tables/SGs allow traffic. |
| CloudWatch Metrics | Numerical data over time. | Monitoring throughput and error rates. |
| AWS CloudTrail | API Call history. | Identifying who changed a network setting. |