VPC Flow Logs

Audit and debugging.

Overview

VPC Flow Logs capture per-flow network metadata for audit and debugging. Blanket logging produces volume without value; the discipline is targeted capture and structured query against a known schema.

• Audit and debugging. Per-flow metadata captured; produces forensic capability the live network does not retain.
• Per-ENI granularity. Network interface level; matches the AWS network model and the unit operators investigate.
• S3 or CloudWatch destination. S3 for long retention and cost, CloudWatch for short-term operational alerting.
• Athena queries plus custom format. SQL over S3-stored flow logs; per-deployment field selection cuts volume to useful columns.

The approach

The practical approach is S3 for long-term retention, Athena for investigation, custom format for cost control, per-VPC enablement, documented queries. The team’s discipline produces useful flow logs without the bill running away.

• S3 destination. Long-term retention at low cost; the storage class options keep the bill bounded.
• Athena queries. SQL-based investigation; partitioned by date the queries scan only relevant data.
• Custom format. Capture only useful fields; the default format includes columns most queries never reference.
• Per-VPC enablement plus documented queries. Selective enable based on need; investigation queries committed to the runbook.

Why this compounds

Flow log discipline compounds across investigations. Each captured query grows the team’s networking expertise; the next investigation starts from precedent rather than first principles.

• Better security. Flow log analysis catches anomalies; the unusual flow stands out against the baseline.
• Better network investigation. Per-flow data supports root cause; reduces MTTR by replacing speculation with evidence.
• Better cost analysis. Cross-AZ and cross-region traffic visible; the data drives the next round of architecture decisions.
• Institutional knowledge. Each query teaches AWS networking; the team’s investigation muscle grows.

Flow log discipline is an operational discipline that pays off across years. Nova AI Ops integrates with networking telemetry, surfaces patterns, and supports the team’s investigation discipline.