Uses of Flow Logs
Steps to find the top contributors to traffic on a NAT gateway
1. Enable VPC Flow Logs for the VPC or for the NAT gateway's network interface.
2. Navigate to the CloudWatch console → Logs Insights → from the dropdown, select the log group of the NAT gateway.
3. To find which instances are sending the most traffic through your NAT gateway, run the following query.
filter (dstAddr like 'x.x.x.x' and srcAddr like 'y.y.') | stats sum(bytes) as bytesTransferred by srcAddr, dstAddr | sort bytesTransferred desc | limit 10
Note: replace 'x.x.x.x' with the private IP of the NAT gateway and 'y.y.' with the first two octets of the VPC CIDR range.
4. To find the internet destinations that the instances in the VPC communicate with most often, run the following queries.
For uploads: filter (srcAddr like 'x.x.x.x' and dstAddr not like 'y.y.') | stats sum(bytes) as bytesTransferred by srcAddr, dstAddr | sort bytesTransferred desc | limit 10
For downloads: filter (dstAddr like 'x.x.x.x' and srcAddr not like 'y.y.') | stats sum(bytes) as bytesTransferred by srcAddr, dstAddr | sort bytesTransferred desc | limit 10
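The three Logs Insights queries above are easy to mistype, so it helps to see the same aggregation done on raw flow log records where the result can be checked by hand. The following script is an added example, not code from the original page or from AWS: it parses VPC flow log records in the default version 2 format and reproduces the "sum(bytes) by srcAddr, dstAddr, sort desc, limit 10" logic of queries 3 and 4. The NAT gateway private IP (10.0.0.5), the VPC CIDR (10.0.0.0/16), the account id and the ENI id are assumed values, and the log lines are constructed for the example.

```python
"""Offline equivalent of the NAT gateway top-talker queries (added example).

Assumptions (not from the page): NAT gateway private IP 10.0.0.5,
VPC CIDR 10.0.0.0/16. Sample records below are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Default VPC flow log record format (version 2), space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

NAT_PRIVATE_IP = ip_address("10.0.0.5")   # assumption: the NAT gateway's private IP
VPC_CIDR = ip_network("10.0.0.0/16")     # assumption: the VPC CIDR range

# Constructed sample records, as they would appear in the NAT gateway ENI's log group.
# Instance -> NAT (uploads), NAT -> internet, internet -> NAT (downloads), NAT -> instance,
# one rejected inbound probe, and one NODATA record that carries no addresses.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.0.5 49152 443 6 20 8000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 10.0.0.5 49153 443 6 10 3000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.0.5 49154 443 6 5 2000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.0.5 52.216.0.1 49152 443 6 30 12000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.0.5 93.184.216.34 49153 443 6 5 1500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 52.216.0.1 10.0.0.5 443 49152 6 200 250000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 93.184.216.34 10.0.0.5 443 49153 6 40 50000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.0.5 10.0.1.10 443 49152 6 200 250000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.0.5 40000 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Yield one dict per record; skip NODATA/SKIPDATA records, whose address and byte fields are '-'."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # malformed or non-default format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue                      # nothing to aggregate
        rec["bytes"] = int(rec["bytes"])
        yield rec


def in_vpc(ip):
    return ip in VPC_CIDR


def is_nat(ip):
    return ip == NAT_PRIVATE_IP


def top_pairs(records, src_match, dst_match, limit=10):
    """stats sum(bytes) as bytesTransferred by srcAddr, dstAddr | sort bytesTransferred desc | limit N"""
    totals = defaultdict(int)
    for r in records:
        src, dst = ip_address(r["srcaddr"]), ip_address(r["dstaddr"])
        if src_match(src) and dst_match(dst):
            totals[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:limit]


def top_senders_to_nat(records, limit=10):
    """Query 3: instances in the VPC sending the most bytes to the NAT gateway."""
    return top_pairs(records, in_vpc, is_nat, limit)


def top_upload_destinations(records, limit=10):
    """Query 4 (uploads): NAT gateway to addresses outside the VPC."""
    return top_pairs(records, is_nat, lambda ip: not in_vpc(ip), limit)


def top_download_sources(records, limit=10):
    """Query 4 (downloads): addresses outside the VPC to the NAT gateway."""
    return top_pairs(records, lambda ip: not in_vpc(ip), is_nat, limit)


if __name__ == "__main__":
    records = list(parse_flow_log(SAMPLE_LOG))
    for title, rows in (("Top senders to NAT", top_senders_to_nat(records)),
                        ("Top upload destinations", top_upload_destinations(records)),
                        ("Top download sources", top_download_sources(records))):
        print(title)
        for (src, dst), nbytes in rows:
            print(f"  {src:>15} -> {dst:<15} {nbytes:>8} bytes")
```

Two details differ from the Insights queries on purpose. The script tests CIDR membership instead of the substring match `like 'y.y.'`; in Logs Insights a string `like` is a substring match, so a prefix such as `10.0.` also matches addresses like `110.0.x.x`, which can misattribute traffic. And, like the queries, it counts bytes regardless of `action`, so the rejected inbound probe shows up in the download totals; add `and action = "ACCEPT"` to the filter if you only want traffic the NAT gateway actually forwarded.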
Find which instance is sending the most traffic through the NAT gateway. If that instance and the NAT gateway are in different Availability Zones, create a NAT gateway in the same AZ as that instance. This reduces cross-AZ data transfer cost.
Find the internet destinations that the instances in the VPC communicate with most often. If most traffic through the NAT gateway is to AWS services that support interface VPC endpoints, create an interface VPC endpoint for the service.
Find the internet destinations that the instances in the VPC communicate with most often. If most traffic through the NAT gateway is to Amazon S3 or Amazon DynamoDB in the same Region, set up a gateway VPC endpoint and route traffic to and from the AWS resource through the gateway VPC endpoint rather than through the NAT gateway.
© 2024. All rights reserved by Groots Software.