CloudNetworking.io
AWS / VPC Flow Logs
AWS Network Visibility

AWS VPC Flow Logs Explained: How to See the Truth About Network Traffic in Your VPC

When an application suddenly cannot reach a database, when SSH fails even though the instance is running, or when an API seems reachable from one subnet but not another, teams usually start with assumptions. VPC Flow Logs help replace those assumptions with actual network evidence.

Flow Logs do not capture packet content, but they do capture something extremely valuable: metadata about network traffic flowing to and from network interfaces inside your VPC. That makes them one of the most practical tools for troubleshooting, security review, and traffic validation in AWS networking.

This guide explains what VPC Flow Logs are, how the records work, how to interpret ACCEPT and REJECT traffic, where Flow Logs can be published, and how to use them effectively in real troubleshooting and security scenarios.

Start with the basics See CloudWatch guide
Main role Network traffic metadata for troubleshooting and visibility
Destinations CloudWatch Logs, S3, or Data Firehose
Most useful for Connectivity debugging, security analysis, traffic validation
Key mindset Use Flow Logs to prove what the network actually did

Watch this video to understand AWS VPC Flow Logs, traffic analysis, and troubleshooting.

What are AWS VPC Flow Logs?

AWS VPC Flow Logs are a feature that captures information about IP traffic going to and from network interfaces in your VPC. They are not packet captures. Instead, they record traffic metadata such as source and destination IP, source and destination port, protocol, packet count, byte count, and whether the traffic was accepted or rejected.

This makes Flow Logs especially useful for understanding traffic patterns and troubleshooting connectivity issues without needing full packet-level tools.

Simple way to think about it: VPC Flow Logs are the audit trail of what the network allowed, rejected, or recorded at the interface level.
Important limitation: Flow Logs capture metadata, not packet payload. So they are great for visibility and troubleshooting, but not a replacement for packet inspection tools.

Why VPC Flow Logs matter in real AWS environments

Network issues often feel ambiguous. An application says “connection timed out,” but that message alone does not tell you whether the problem is DNS, routing, a security group, a network ACL, a missing route, or an unreachable target.

Flow Logs matter because they help narrow down that uncertainty. They provide evidence about whether traffic reached a network interface, whether it was accepted or rejected, and what addressing and port context was involved.

They are also useful beyond troubleshooting. Security teams use them for traffic analysis, incident review, and visibility into unexpected communication patterns.

Why engineers care Flow Logs help answer questions like “Did the traffic even arrive?” and “Was it rejected by the network?”
Why security teams care Flow Logs help surface suspicious or unexpected connectivity patterns and provide network activity evidence.
Important: one of the biggest values of Flow Logs is replacing guesswork with data when teams are under pressure to restore service quickly.

How VPC Flow Logs work

Flow Logs can be created at different scopes, including the VPC level, subnet level, or individual network interface level. AWS collects the flow log data outside the actual network traffic path, which means enabling them does not affect throughput or latency.

Once created, the records are delivered to a destination you choose: CloudWatch Logs, Amazon S3, or Amazon Data Firehose.

Traffic source or destination | v Elastic Network Interface (ENI) | v Flow log record generation | +----> CloudWatch Logs | +----> Amazon S3 | +----> Amazon Data Firehose

Why ENI scope matters

Flow Logs are fundamentally tied to network interfaces, which is why network interface visibility often gives the clearest troubleshooting signal.

Why scope selection matters

A VPC-wide log gives broad coverage, while subnet or ENI-level logging can reduce noise and focus attention where you need it.

Understanding flow log records

Flow log records are line-based records containing traffic metadata fields. AWS supports both default and custom formats, and the records can include fields such as source address, destination address, source port, destination port, protocol, packets, bytes, start time, end time, action, and log status.

version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status

Example: accepted SSH traffic

2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK

Example: rejected RDP traffic

2 123456789010 eni-1235b8ca123456789 172.31.9.69 172.31.9.12 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK

What the key fields mean

Field Meaning Why it matters
srcaddr Source IP address Shows who initiated or sent traffic
dstaddr Destination IP address Shows where traffic was trying to go
srcport / dstport Source and destination ports Useful for understanding protocol behavior and application targeting
protocol Transport protocol number Helps distinguish TCP, UDP, ICMP, and others
action ACCEPT or REJECT Quick signal for what the network ultimately did
log-status Record status such as OK, NODATA, or SKIPDATA Important for interpreting missing or incomplete traffic context

ACCEPT vs REJECT traffic: one of the most useful parts of Flow Logs

The `action` field is often the first thing engineers look at. It tells you whether the traffic was accepted or rejected. This becomes especially useful when you are validating whether a security control is blocking a connection.

However, interpretation still matters. ACCEPT does not necessarily mean the application itself succeeded. It means the traffic was allowed at the network level. Similarly, REJECT indicates the network dropped the flow, but you still need to understand whether that was caused by a security group, a network ACL, or another control path.

Best way to read the action field: ACCEPT means the network allowed the flow. REJECT means the network blocked it. Neither one tells the full application story by itself.
ACCEPT example: 2 123456789010 eni-1235b8ca123456789 203.0.113.10 10.0.1.15 44321 443 6 10 840 167890 167891 ACCEPT OK REJECT example: 2 123456789010 eni-1235b8ca123456789 203.0.113.10 10.0.1.15 44321 22 6 5 420 167890 167891 REJECT OK

Using Flow Logs to understand security groups vs network ACLs

One of the strongest troubleshooting uses of Flow Logs is identifying how stateful and stateless controls behave differently. AWS explicitly documents examples showing this with security groups and network ACLs.

Security groups are stateful. If inbound traffic is allowed, the return traffic is also allowed automatically. Network ACLs are stateless. That means response traffic must be explicitly allowed too.

This is where Flow Logs become extremely practical. You can see one ACCEPT for the incoming request and one REJECT for the response path when a network ACL is too restrictive.

Client sends ping or connection | v Inbound request reaches instance | +----> Security group allows inbound | +----> Network ACL may allow inbound | v Instance sends response | +----> Security group allows response automatically | +----> Network ACL must also allow outbound response | v Flow Logs may show ACCEPT for request and REJECT for response if NACL blocks it
Practical takeaway: if return traffic is failing unexpectedly, Flow Logs can help prove whether a stateless network ACL is the real problem.

CloudWatch Logs, S3, and delivery choices

AWS lets you publish VPC Flow Logs to three destinations: CloudWatch Logs, Amazon S3, and Amazon Data Firehose. Each destination supports a different operational pattern.

Destination Best for Typical use case
CloudWatch Logs Operational troubleshooting and near-real-time analysis Investigating connectivity issues, searching recent traffic, alerts and queries
Amazon S3 Longer-term storage and large-scale analysis Historical review, Athena queries, archival retention
Amazon Data Firehose Stream-based delivery pipelines Sending data into downstream analytics or SIEM pipelines

Why CloudWatch Logs is often the first choice

For day-to-day engineering troubleshooting, CloudWatch Logs is usually the most convenient destination because teams can search and inspect recent records quickly. For deeper analytics and retention strategies, S3 often becomes the better longer-term location.

Cost-aware reminder: publishing Flow Logs has ingestion and storage implications, so destination choice should align with how actively you plan to use the data.

Real-world use cases for VPC Flow Logs

1) Troubleshooting SSH or RDP failures

If remote access is failing, Flow Logs can help answer whether traffic to the ENI was rejected, accepted, or never visible at all.

2) Diagnosing restrictive security groups

AWS explicitly lists this as a Flow Logs use case. The records help confirm whether traffic is being blocked more aggressively than intended.

3) Finding direction of traffic

Flow Logs help identify not only whether traffic exists, but whether it is moving into or out of a network interface as expected.

4) Security investigations

When teams need to review suspicious traffic patterns or validate whether unexpected IP communication occurred, Flow Logs provide valuable metadata.

5) Proving network assumptions during incidents

During outages, teams often debate whether the network is involved. Flow Logs help settle that quickly by showing whether the network allowed or blocked the flow.

Good fit Flow Logs are especially useful when the problem might be routing, security policy, reachability, or unexpected traffic patterns.
What they do not replace Flow Logs do not replace application logs, packet capture tools, or broader observability platforms. They solve a network metadata problem.

Common VPC Flow Logs mistakes

  • Assuming Flow Logs capture packet payload instead of metadata only
  • Looking at ACCEPT and concluding the application is healthy without checking deeper layers
  • Ignoring REJECT records during connectivity debugging
  • Forgetting that stateful and stateless controls behave differently
  • Publishing logs without planning how to search or analyze them later
  • Collecting logs broadly but never using them in an operational workflow
Operational reminder: Flow Logs are only valuable when teams know how to interpret them and connect them to a real troubleshooting or security question.

Best practices for using VPC Flow Logs well

  • Enable Flow Logs for important traffic boundaries and critical workloads
  • Use CloudWatch Logs for operational troubleshooting and fast searchability
  • Use S3 or downstream pipelines when retention or large-scale analysis matters
  • Teach teams how to interpret ACCEPT, REJECT, NODATA, and SKIPDATA properly
  • Use Flow Logs alongside security groups, NACL design, and route table validation
  • Correlate Flow Logs with CloudWatch metrics, application logs, and incident timelines
  • Focus on real operational questions instead of collecting traffic data without purpose
Best long-term mindset: treat VPC Flow Logs as network evidence. When connectivity is in doubt, go to the evidence before arguing from assumptions.

Frequently asked questions

What are AWS VPC Flow Logs?

AWS VPC Flow Logs capture metadata about IP traffic going to and from network interfaces in your VPC. They are useful for monitoring, troubleshooting, and security analysis.

Do VPC Flow Logs capture packet payload?

No. They capture metadata such as IP addresses, ports, protocol, bytes, packets, and accept or reject status, but not the packet contents.

Where can VPC Flow Logs be published?

They can be published to CloudWatch Logs, Amazon S3, or Amazon Data Firehose.

Do Flow Logs impact network performance?

No. AWS documents that the data is collected outside the path of your traffic, so Flow Logs do not affect throughput or latency.

What should I learn after VPC Flow Logs?

CloudWatch, AWS X-Ray, Route Tables, Security Groups, Network ACLs, and Transit Gateway Flow Logs are strong next topics.

Next steps

Continue with related AWS networking and observability topics to understand how traffic visibility fits into a wider troubleshooting model.

Read CloudWatch Read AWS X-Ray Read Security Groups