
Flowmon Virtual Appliances

Amazon VPC Flow Logs

  • Last Updated: May 27, 2026

Overview

The Amazon Web Services (AWS) FlowLog Converter module in Flowmon Monitoring Center (FMC) brings Amazon VPC Flow Logs into Flowmon: it collects the flow logs from Amazon CloudWatch, converts them to IPFIX format, and sends them to a dedicated UDP port on the Flowmon Collector. The collector then processes this data like any other flow data.

Before you begin

Set up VPC flow logs in your cloud environment and configure forwarding to CloudWatch. Follow the AWS Flow Logs setup guide.

Note: Each flow log stream must contain data from only one interface. When a flow log is published to CloudWatch Logs, AWS creates a separate log stream for each network interface, so this holds for flow logs created on a VPC or subnet as well as for a flow log created on a single interface.

Configuration steps

Set up AWS access

  1. Go to Configuration Center > Monitoring Center > Flow Logs > Amazon Web Services
  2. Enter your AWS credentials:
    • Access key ID (required)
    • Access key secret (required)
  3. Configure a dedicated UDP port that is used only for AWS VPC Flow Logs.
Configure AWS access credentials and port settings

Add regions

  1. Click Add Region
  2. Enter the region name where your flow logs are stored:
    • Use region codes like eu-central-1
    • Do not use display names like EU (Frankfurt)
    • Optionally add a region description
  3. Find available regions in AWS Regions and Availability Zones.

Add log groups

  1. Click Add group
  2. Enter the name of your log group
  3. All flow log streams in the provided group will be processed and shown as unique interfaces in the Monitoring Center
Add group

Verify configuration

  • Click Verify to check the FMC connection to the specified log groups using the provided AWS credentials
  • The configuration is automatically verified every time the Save button is clicked
Verification

Save configuration

  • Click Save to start retrieving flow logs
  • To stop retrieving, disable the configuration and click Save
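The access key entered in the Set up AWS access step is stored on the FMC and used unattended, so it should belong to a dedicated IAM user that can only read the configured log groups. The page does not document which CloudWatch Logs actions FMC uses; the script below, an added example that is not Flowmon's code, assumes the read-only set listed in READ_ACTIONS, builds a policy scoped to the configured regions and log groups (the account ID and group name are constructed), rejects region display names such as "EU (Frankfurt)" as the Add regions step requires, and flags policies that grant more than that.

```python
"""Build a least-privilege IAM policy for the access key entered in FMC.

Added example, not part of Flowmon's documentation or code. Assumption:
FMC needs only the CloudWatch Logs read actions listed below; the exact
set is not documented on the page, so check it against your FMC release.
"""
import json
import re

# Region codes look like eu-central-1 or us-gov-west-1, never display
# names such as "EU (Frankfurt)" (see the Add regions step).
REGION_CODE = re.compile(r"^[a-z]{2}(?:-gov|-iso[a-z]?)?-[a-z]+-\d$")

# DescribeLogGroups cannot be limited to a log group in IAM; the other
# actions can be scoped to the flow log groups.
LIST_ACTIONS = ["logs:DescribeLogGroups"]
READ_ACTIONS = [
    "logs:DescribeLogStreams",
    "logs:GetLogEvents",
    "logs:FilterLogEvents",
]


def validate_region(region: str) -> str:
    """Return the region code, or raise for display names and typos."""
    if not REGION_CODE.match(region):
        raise ValueError(
            f"{region!r} is not a region code (use e.g. eu-central-1, "
            "not a display name such as 'EU (Frankfurt)')"
        )
    return region


def log_group_arns(account_id: str, regions, log_groups):
    """ARNs of every configured log group in every configured region."""
    return [
        f"arn:aws:logs:{validate_region(r)}:{account_id}:log-group:{g}:*"
        for r in regions
        for g in log_groups
    ]


def build_policy(account_id: str, regions, log_groups) -> dict:
    """Read-only policy for the IAM user whose key is entered in FMC."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListGroups", "Effect": "Allow",
             "Action": LIST_ACTIONS, "Resource": "*"},
            {"Sid": "ReadFlowLogGroups", "Effect": "Allow",
             "Action": READ_ACTIONS,
             "Resource": log_group_arns(account_id, regions, log_groups)},
        ],
    }


def find_overbroad(policy: dict) -> list:
    """List statements that grant more than scoped CloudWatch Logs reads."""
    findings = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        sid = st.get("Sid", "?")
        for a in actions:
            if a == "*" or a.endswith(":*") or not a.startswith("logs:"):
                findings.append(f"{sid}: action {a} exceeds CloudWatch Logs read")
            elif a in READ_ACTIONS and "*" in resources:
                findings.append(f"{sid}: {a} is not limited to the flow log groups")
    return findings


if __name__ == "__main__":
    # Constructed account ID and log group name.
    pol = build_policy("123456789012", ["eu-central-1"], ["vpc-flow-logs"])
    print(json.dumps(pol, indent=2))
    print("findings:", find_overbroad(pol))
```

Attach the generated policy to the IAM user whose key you enter in FMC, and run find_overbroad against any existing policy before reusing a key that was created for another purpose.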

Flowmon Configuration

It can take up to 20 minutes (see Limitations) before the first flow logs can be visualized.

Every log group is internally assigned a unique IP address (from the subnet 127.128.0.0/16, so it cannot collide with a real exporter) and is treated as a unique flow source.

All sources can be found in Monitoring Center > Sources.

Click Create Profile to see the traffic of the individual streams.

Select all available streams and click Save.

Sources

Switch to: Monitoring Center > Profiles > Sources > Your Log Group.

You can view and analyze flows from flow logs as if they were flows from regular data sources.

Flow Log Visualization

Limitations

There are some limitations that stem from the flow logs themselves that must be taken into account:

  • If your network interface has multiple IPv4 addresses and traffic is sent to a secondary private IPv4 address, the flow log displays the primary private IPv4 address in the destination IP address field.
  • If traffic is sent to an Elastic Network Interface (ENI) and the destination is not any of the ENI IP addresses, the flow log displays the primary private IPv4 address in the destination IP address field.
  • If traffic is sent from an ENI and the source is not any of the ENI IP addresses, the flow log displays the primary private IPv4 address in the source IP address field.
  • If traffic is sent to (or sent by) a network interface, the flow log always displays the primary private IPv4 address (regardless of the packet source or destination) in the interface IP address field.

Flow logs do not capture all IP traffic. The following types of traffic are not logged:

  • Traffic generated by instances when they contact the Amazon DNS server. If you use your own DNS server, then all traffic heading to that DNS server is logged.
  • Traffic generated by a Windows instance for activation of the Amazon Windows license.
  • Traffic to and from 169.254.169.254 for the instance metadata.
  • Traffic to and from 169.254.169.123 for the Amazon Time Sync service.
  • DHCP traffic.
  • Traffic to the reserved IP address for the default VPC router. For more information about VPC and Subnet Sizing, refer to the Amazon Virtual Private Cloud Documentation.
  • Traffic between an endpoint network interface and a Network Load Balancer network interface. For more information about VPC Endpoint Services (AWS PrivateLink), refer to the Amazon Virtual Private Cloud Documentation.
  • Some flow log records might get skipped during the capture window. This may be because of an internal capacity constraint, or an internal error.

In the worst case, the delay between the time traffic actually occurred and the time it can be seen in the Monitoring Center can reach 20 minutes; the delay shrinks as the traffic volume in the monitored cloud grows. Two stages contribute to it: the 10-15 minute capture window in which packets are aggregated into flow log records before they are published, and the subsequent 5-minute interval after which the Flowmon Collector closes the current profile and shows the traffic in the user interface (UI).

The Flowmon Collector stores incoming flows in the profile that is currently open, so a flow log record that arrives late is filed under a later interval than the traffic it describes. When searching for flows from a particular time, select several adjacent profiles rather than a single one.
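The conversion described in the overview and the limitations above (skipped capture windows, the one-interface-per-stream rule, and the delay before records reach the collector) can be seen on real records. The script below is an added example, not Flowmon's converter: it assumes the default version 2 flow log record format and CloudWatch's event shape (a millisecond timestamp plus the record as message), maps OK records onto IPFIX information element names (the template Flowmon actually emits is not documented here), counts SKIPDATA windows instead of dropping them silently, rejects a stream that mixes interfaces, and measures how far behind the capture window each record arrived. The sample events are constructed.

```python
"""Parse VPC flow log records as they arrive from CloudWatch Logs.

Added example, not Flowmon's converter code. Assumes the default
(version 2) record format and CloudWatch's event shape (timestamp in
milliseconds plus the record as 'message'). Sample events are constructed.
"""
from collections import defaultdict

# Field order of the default VPC flow log record format.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed sample: one stream with two OK records, a second stream whose
# window produced a NODATA record (no traffic) and a SKIPDATA record
# (traffic existed but AWS could not deliver it).
SAMPLE_EVENTS = {
    "eni-0a1b2c3d4e5f60001-all": [
        {"timestamp": 1700000900000, "message":
         "2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.10 10.0.2.20 44522 443 6 12 3420 1700000040 1700000100 ACCEPT OK"},
        {"timestamp": 1700000900000, "message":
         "2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.1.10 51000 22 6 1 60 1700000050 1700000050 REJECT OK"},
    ],
    "eni-0a1b2c3d4e5f60002-all": [
        {"timestamp": 1700000950000, "message":
         "2 123456789012 eni-0a1b2c3d4e5f60002 - - - - - - - 1700000000 1700000600 - NODATA"},
        {"timestamp": 1700000950000, "message":
         "2 123456789012 eni-0a1b2c3d4e5f60002 - - - - - - - 1700000000 1700000600 - SKIPDATA"},
    ],
}


def parse_record(message: str) -> dict:
    """Split one record into named fields; raise on an unexpected layout."""
    parts = message.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        raise ValueError(f"not a default-format v2 record: {message!r}")
    return dict(zip(FIELDS, parts))


def to_flow(rec: dict) -> dict:
    """Map an OK record onto IPFIX information element names."""
    return {
        "sourceIPv4Address": rec["srcaddr"],
        "destinationIPv4Address": rec["dstaddr"],
        "sourceTransportPort": int(rec["srcport"]),
        "destinationTransportPort": int(rec["dstport"]),
        "protocolIdentifier": int(rec["protocol"]),
        "packetDeltaCount": int(rec["packets"]),
        "octetDeltaCount": int(rec["bytes"]),
        "flowStartSeconds": int(rec["start"]),
        "flowEndSeconds": int(rec["end"]),
        "interface": rec["interface-id"],
        "action": rec["action"],
    }


def convert_streams(streams: dict) -> dict:
    """Convert every stream, enforcing one interface per stream and
    reporting skipped windows and delivery lag instead of losing them."""
    flows, skipped, max_lag = [], defaultdict(int), 0
    for name, events in streams.items():
        interfaces = set()
        for ev in events:
            rec = parse_record(ev["message"])
            interfaces.add(rec["interface-id"])
            if len(interfaces) > 1:
                raise ValueError(f"stream {name} mixes interfaces {sorted(interfaces)}")
            # Seconds between the end of the capture window and the moment
            # CloudWatch held the record: the cloud-side part of the delay.
            max_lag = max(max_lag, ev["timestamp"] // 1000 - int(rec["end"]))
            status = rec["log-status"]
            if status == "OK":
                flows.append(to_flow(rec))
            elif status == "SKIPDATA":
                skipped[rec["interface-id"]] += 1  # traffic lost in this window
            # NODATA: nothing was captured, so there is nothing to export
    return {"flows": flows, "skipped_windows": dict(skipped), "max_lag_s": max_lag}


if __name__ == "__main__":
    result = convert_streams(SAMPLE_EVENTS)
    print(len(result["flows"]), "flows;", result["skipped_windows"],
          "skipped windows;", result["max_lag_s"], "s max lag")
```

A SKIPDATA count above zero for an interface means the gap in the Monitoring Center is a collection artifact, not an absence of traffic, and the measured lag is the part of the delay that no collector-side setting can remove.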
