VCN Flow Logs
In OCI, communication between resources depends on the Virtual Cloud Network (VCN) configuration: route tables, security lists and network security groups (NSGs) decide which traffic is allowed. Because of this, enabling network logging is important for monitoring traffic and for troubleshooting connectivity problems.
In this article, we discuss the prerequisites and the enablement of VCN Flow Logs. In the next article, we will see how they can be used to troubleshoot network problems. VCN Flow Logs record network traffic details inside OCI and show whether each flow was accepted or rejected, which makes them useful both for auditing traffic and for troubleshooting security lists and NSGs.
When a connection does not work, we usually need to know the traffic status (accepted or rejected) and which source and destination IP addresses and ports were involved. VCN Flow Logs answer these questions. Oracle describes them as records of the traffic that passes through a VCN, which can help troubleshoot security lists and NSGs.
We could also think of flow logs as a network traffic diary.
Flow logs are stored in the Logging service, so we first
need a log group.
Create a Log Group
Logically, a log group is like a folder that keeps related logs together. Log groups are found under Observability & Management -> Logging -> Log groups.
We create one by clicking the “Create log group” button, choosing the compartment and giving the group a name.
After that, the log group is visible in OCI.
The next step is to create a capture filter. A capture filter is a networking component that defines rules to selectively include or exclude traffic from VCN Flow Logs.
It helps control logging cost and focus security monitoring by filtering traffic on protocol, IP address range, or port before it is logged (the same component is used to select traffic for mirroring with a VTAP). Be careful with exclude rules while troubleshooting: a flow that is excluded by the filter is not logged at all, so a rejected connection on an excluded port leaves no trace in the flow log.
Capture filters are found under Networking -> Network Command Center -> Capture filters.
The capture filter supports:
· a sampling rate - controls what fraction of the matching traffic is recorded in the flow logs, to limit volume.
· include rules - capture only the traffic that matches specific conditions.
· exclude rules - ignore traffic that we do not want in the flow logs.
· filters based on CIDR, protocol and traffic direction - narrow the captured traffic by source or destination network, by protocol, and by whether the traffic is incoming or outgoing.
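To make the filter semantics concrete (and to show the "was it accepted or rejected, from where, to where" question the article raises earlier), here is an added example that is not part of the original article and not Oracle's code. It simulates a capture filter over a handful of constructed flow records. The record field names (sourceAddress, destinationAddress, destinationPort, protocol, action) are modelled on the names OCI uses in the flow log data object; the rule schema (priority, ruleAction, samplingRate, flowLogType, trafficDirection and so on) is a simplified model of capture-filter rules for illustration, not the exact OCI API shape, and the subnet CIDR and addresses are assumed values.

```python
"""Simulate an OCI capture filter over VCN Flow Log records (added example).

Not code from the original article. Field names mirror the OCI flow log
"data" object; the rule schema is a simplified model, not the OCI API.
"""
import ipaddress
import random
from collections import Counter

# Constructed sample records, in the shape of the flow log "data" object.
SAMPLE_FLOWS = [
    {"sourceAddress": "10.0.1.10", "destinationAddress": "10.0.2.20",
     "destinationPort": 22, "protocol": 6, "action": "REJECT"},
    {"sourceAddress": "10.0.1.10", "destinationAddress": "10.0.2.20",
     "destinationPort": 443, "protocol": 6, "action": "ACCEPT"},
    {"sourceAddress": "203.0.113.5", "destinationAddress": "10.0.2.20",
     "destinationPort": 3389, "protocol": 6, "action": "REJECT"},
    {"sourceAddress": "10.0.2.20", "destinationAddress": "10.0.1.10",
     "destinationPort": 53, "protocol": 17, "action": "ACCEPT"},
    {"sourceAddress": "10.0.2.20", "destinationAddress": "198.51.100.7",
     "destinationPort": 80, "protocol": 6, "action": "ACCEPT"},
    {"sourceAddress": "10.0.1.10", "destinationAddress": "10.0.2.20",
     "destinationPort": 22, "protocol": 6, "action": "REJECT"},
    # A rejected DNS query: it will be hidden by the exclude rule below.
    {"sourceAddress": "10.0.1.10", "destinationAddress": "10.0.2.20",
     "destinationPort": 53, "protocol": 17, "action": "REJECT"},
]

# Assumed subnet the filter is attached to; used to derive direction.
SUBNET_CIDR = ipaddress.ip_network("10.0.2.0/24")


def direction(flow, subnet=SUBNET_CIDR):
    """INGRESS if the destination is inside the subnet, otherwise EGRESS."""
    return "INGRESS" if ipaddress.ip_address(flow["destinationAddress"]) in subnet else "EGRESS"


def rule_matches(rule, flow):
    """Every condition present in the rule must hold; absent conditions match anything."""
    if "sourceCidr" in rule and ipaddress.ip_address(flow["sourceAddress"]) not in ipaddress.ip_network(rule["sourceCidr"]):
        return False
    if "destinationCidr" in rule and ipaddress.ip_address(flow["destinationAddress"]) not in ipaddress.ip_network(rule["destinationCidr"]):
        return False
    if "protocol" in rule and flow["protocol"] != rule["protocol"]:
        return False
    if "destinationPorts" in rule and flow["destinationPort"] not in rule["destinationPorts"]:
        return False
    if "trafficDirection" in rule and direction(flow) != rule["trafficDirection"]:
        return False
    # flowLogType selects ALL, ACCEPT or REJECT flows.
    if rule.get("flowLogType", "ALL") != "ALL" and flow["action"] != rule["flowLogType"]:
        return False
    return True


def apply_capture_filter(rules, flows, rng=None):
    """Return the flows the filter would log.

    Rules are evaluated in priority order (lower number first); the first
    matching enabled rule decides INCLUDE or EXCLUDE. A flow matching no
    rule is not logged. samplingRate is the fraction of included flows kept.
    """
    rng = rng or random.Random(0)  # seeded so sampling is reproducible
    logged = []
    for flow in flows:
        for rule in sorted(rules, key=lambda r: r["priority"]):
            if not rule.get("isEnabled", True) or not rule_matches(rule, flow):
                continue
            if rule["ruleAction"] == "INCLUDE" and rng.random() < rule.get("samplingRate", 1.0):
                logged.append(flow)
            break
    return logged


def summarize(flows):
    """Count (action, src, dst, port): the question asked when a connection fails."""
    return Counter((f["action"], f["sourceAddress"], f["destinationAddress"], f["destinationPort"])
                   for f in flows)


# Filter: drop DNS noise, keep every rejected ingress flow, keep the rest.
FILTER_RULES = [
    {"priority": 1, "ruleAction": "EXCLUDE", "protocol": 17, "destinationPorts": [53]},
    {"priority": 2, "ruleAction": "INCLUDE", "trafficDirection": "INGRESS",
     "flowLogType": "REJECT", "samplingRate": 1.0},
    {"priority": 3, "ruleAction": "INCLUDE", "flowLogType": "ALL", "samplingRate": 1.0},
]

if __name__ == "__main__":
    for key, n in summarize(apply_capture_filter(FILTER_RULES, SAMPLE_FLOWS)).most_common():
        print(n, key)
```

Running it logs five of the seven flows: the two SSH rejections from 10.0.1.10 stand out in the summary, while both DNS flows, including the rejected one, never reach the log because the exclude rule has the lowest priority number and wins. That is exactly the trade-off to keep in mind when tuning a capture filter for cost: an exclude rule removes evidence as well as noise.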
Enable the Flow Log
In the OCI Console, we open Networking and then go to Network Command Center. From there, we open Flow logs.
On the Flow logs page, click the Enable flow logs button.
Now we review the settings and enable the flow log.
Creating the flow log requires a name, a destination (the log group created earlier), a capture filter to customize what is logged, and the enablement points, which are the sources of the flow log.
The enablement point can be a VCN, a subnet, or a particular resource such as an instance, load balancer, or network load balancer.
VCN – enables flow logs on all VNICs registered in the VCN.
Subnet – enables flow logs on the VNICs registered in that specific subnet.
Resources – we choose a particular instance, load balancer or network load balancer.
For our exercise, let us go with the subnet option. First we choose a subnet on which flow logging is not yet enabled.
Then we add the subnet as an enablement point and enable the flow logs.
We can see that the flow log has been created for the chosen subnet.
The same is reflected on the subnet page (Subnet details -> Monitoring).
At this stage, logging is enabled on the subnet. We will discuss troubleshooting subnet traffic with these logs in the next article.