Visibility with Flow logs and Traffic Mirroring
Bit the Chipmunk, AWS Expert published on
Hey network adventurers! Bit here, squeaking from the treetops with my acorn of observability. Today we’re going deep on two powerful visibility tools in AWS: Flow Logs and Traffic Mirroring. If you’re preparing for the AWS Advanced Networking exam, you’ll want to know when to use each, what they show, and how they differ—especially when you’re managing hybrid or complex networks.
Let’s jump into the branches of network visibility! 🌿
🌲 1. Why Visibility Tools Matter
When you build global, multi-site, hybrid network architectures, you need more than “it works” — you need visibility into what’s happening: Which traffic is flowing, where are the choke points, is something denied that shouldn’t be, or is something suspicious happening?
Flow Logs and Traffic Mirroring give that visibility. They serve different depths of insight — think macro-view vs packet-level view. And understanding which to pick for your scenario is a key exam skill.
🔍 2. VPC Flow Logs
What are they?
Flow Logs capture metadata about IP traffic flowing to/from ENIs (Elastic Network Interfaces) in a VPC (or subnet or interface) and publish the records to CloudWatch Logs or S3.
What you get
- Source/destination IP, ports, protocol, whether the traffic was accepted or rejected.
- Data delivered in compressed batches (for S3) or streams (CloudWatch).
- Works outside the data path so it doesn’t impact network throughput.
Use-cases (Exam-style)
- Diagnosing overly restrictive Security Group/NACL rules.
- Monitoring unexpected traffic flows (e.g., data exfiltration).
- Tracking who talked to what when — especially in hybrid network audits.
- Using Amazon Athena or CloudWatch Logs Insights to query flow log data.
Key Benefits & Limitations
Benefits:
- Easy to turn on
- Broad coverage
- Low operational overhead.
Limitations:
- Doesn’t show packet payloads (only metadata).
- Doesn’t guarantee real-time visibility (aggregation delay).
- IPv6 coverage and certain internal AWS traffic excluded.
Exam Scenario
“Which service lets you audit IP flows between EC2 instances to detect unexpected traffic or denied flows?” → Flow Logs.
🧬 3. VPC Traffic Mirroring
What is it?
Traffic Mirroring enables you to copy network packets (inbound & outbound) from an ENI and send them to a monitoring appliance (EC2, NLB + appliances) for deep inspection.
How it works
- Define a Mirror Source (ENI) and a Mirror Target (monitoring interface).
- Define a Filter to pick which traffic (protocols/ports) to mirror.
- Traffic session is created; mirrored packets go out-of-band to the target.
Use-cases (Exam-style)
- Deep-packet-inspection for suspicious traffic (IDS/IPS).
- Troubleshooting complex network issues (east-west traffic bottlenecks).
- Compliance monitoring when you need full packet capture (e.g., forensics).
- Hybrid or multi-account architectures: mirror across VPCs/accounts.
Key Benefits & Limitations
Benefits: Real packet data, ability to use partner monitoring tools.
Limitations: Higher network/processor cost (mirrored packets still counted); setup more complex; still some instance-type restrictions.
Exam Clue
“You need to inspect packet payloads from a subset of EC2 instances and forward them to a monitoring tool for forensics” → Traffic Mirroring.
🔄 4. Flow Logs vs Traffic Mirroring – Which to use?
| Feature | Flow Logs | Traffic Mirroring |
|---|---|---|
| Depth of insight | Metadata only (allowed/denied, IPs) | Full packet level |
| Performance impact | Minimal/negligible | Higher (mirrored packets still traverse network) |
| Use case | Broad monitoring, auditing | Deep security/troubleshooting |
| Setup complexity & cost | Low | Higher infrastructure & cost |
| Hybrid/global use | Works well & integrates with S3/CloudWatch across accounts/regions | Works but needs target architecture for collection |
✅ 5. Best Practices & Exam-Traps
Best Practices
- Enable Flow Logs at VPC or subnet level automatically via IaC for uniform coverage.
- For Traffic Mirroring: use filters to limit to relevant traffic, avoid huge volumes.
- Use S3 + Athena for Flow Log analytics at scale.
- For mirrored traffic: send to centralized monitoring VPC or cross-account architecture to keep analytics separated.
- Tag logs and mirroring sessions appropriately for cost tracking.
Exam-Traps
- Don’t assume Flow Logs capture every packet—they only sample/aggregate, don’t show payloads.
- Traffic Mirroring doesn’t automatically come with analytics—you still need tools to consume mirrored packets.
- Flow Logs capture IP traffic metadata, not application-layer payload or encrypted session details.
- Traffic Mirroring still counts as network ingress/egress in pricing—you can get surprised by cost.
- When you see “inspect east–west traffic for performance bottlenecks” → likely Traffic Mirroring. When “audit denied flows” → Flow Logs.
📚 Further Reading
- AWS Documentation: Logging IP traffic using VPC Flow Logs
- AWS Documentation: AWS Transit Gateway Flow Logs
- AWS Documentation: What is Traffic Mirroring?
- AWS Blog: Using VPC Traffic Mirroring to monitor and secure your AWS infrastructure
🐿️ Bit’s Final Nut
Visibility isn’t just about “is it up?” — It’s about who talked to who, what got blocked, and if “traffic looks weird.” With Flow Logs, you get the big picture; with Traffic Mirroring, you get the forensic lens. For the Advanced Networking exam, knowing when to pick one — or both — is part of the game. Stay curious, stay observant, and your network trails will always lead you to the right answer. 🌰