This solution brings new monitoring and cyber defense capabilities to customers who run mission-critical applications across all regions and accounts on cloud platforms like AWS, Microsoft Azure, and Google Cloud Platform, as well as hybrid cloud infrastructures.
Monitor your end-to-end infrastructure to avoid service degradation or outages. Gain complete visibility into your cloud or hybrid environment for improving your cloud application security posture, efficient troubleshooting and planning.
Amazon Virtual Private Cloud (VPC) Flow Logs logs your VPCs IP network traffic, enabling you to monitor and troubleshoot traffic and security issues.
NetFlow Optimizer™ (NFO) release 2.7+ and NetFlow Analytics for Splunk App leverages this data to provide real-time visibility and analysis of your AWS environment. One NFO instance is capable of supporting many AWS accounts, VPCs, and AWS regions.
The core of this solution is NetFlow Optimizer™ (NFO) and AWS VPC Flow Logs Module.
Key features include:
Ability to read VPC Flow Logs from Kinesis, CloudWatch, or S3
Using EC2 API to collect information about VPCs and EC2 instances. Enrich flow records with VPC name, EC2 instance name, DNS name, and AWS region
Support Kinesis stream Enhanced Fan-Out and multiple shards for increased performance when receiving VPC Flow Logs
Consolidation of unidirectional flows with the same 7-tuple (vpc_id, source IP, source port, destination IP, destination port, protocol, action)
Top Traffic – ability to report only top bandwidth consumers by specifying Top N or Percent. For example, Top N = 100 means that only top 100 consolidated flows are reported for each exporter (VPC ID) per every data collection interval. Percent = 98 means that all flows up to 98% of total is reported for each exporter (VPC ID) per every data collection time interval
You can publish your VPC Flow logs to CloudWatch Logs (CWL) or S3 buckets.
When VPC Flow logs are published in CWL, NFO/EDFN can ingest them with CWL API or Kinesis. Choose Kinesis in your production environment environment as it provides buffering and logs will not be lost when NFO/EDFN is restarted. However, this option more expensive (due to the CloudWatch and Kinesis cost).
Alternatively, you can publish your VPC Flow logs to S3 buckets. NFO/EDFN use AWS Simple Queue Service (SQS) to read flow logs from S3, thus this option is reliable and less expensive.
Azure flow logs are generated by Network Security Group (NSG). NSG can be assigned to a Virtual Network subnet or to an interface. Flow logs are stored within a storage account blob container: insights-logs-networksecuritygroupflowevent.
There are two versions of NSG flow logs. We recommend using flow logs version 2, because it contains bytes and packets. If you use version 1, but bytes and packets information will be missing.