Introduction

This solution brings new monitoring and cyber defense capabilities to customers who run mission-critical applications across all regions and accounts on cloud platforms like AWS, Microsoft Azure, and Google Cloud Platform, as well as hybrid cloud infrastructures.

Monitor your end-to-end infrastructure to avoid service degradation or outages. Gain complete visibility into your cloud or hybrid environment for improving your cloud application security posture, efficient troubleshooting and planning.

Amazon AWS

Amazon Virtual Private Cloud (VPC) Flow Logs logs your VPCs IP network traffic, enabling you to monitor and troubleshoot traffic and security issues.

NetFlow Optimizer™ (NFO) release 2.7 and NetFlow Analytics for Splunk App leverages this data to provide real-time visibility and analysis of your AWS environment. One NFO instance is capable of supporting many AWS accounts, VPCs, and AWS regions.

For more information on Amazon VPC Flow Logs, visit https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html

The core of this solution is NetFlow Optimizer™ (NFO) and AWS VPC Flow Logs Module.

Key features include:

  • Ability to read VPC Flow Logs from Kinesis, CloudWatch, or S3

  • Using EC2 API to collect information about VPCs and EC2 instances. Enrich flow records with VPC name, EC2 instance name, DNS name, and AWS region

  • Support Kinesis stream Enhanced Fan-Out and multiple shards for increased performance when receiving VPC Flow Logs

  • Consolidation of unidirectional flows with the same 7-tuple (vpc_id, source IP, source port, destination IP, destination port, protocol, action)

  • Top Traffic – ability to report only top bandwidth consumers by specifying Top N or Percent. For example, Top N = 100 means that only top 100 consolidated flows are reported for each exporter (VPC ID) per every data collection interval. Percent = 98 means that all flows up to 98% of total is reported for each exporter (VPC ID) per every data collection time interval

Recommendation

You can publish your VPC Flow logs to CloudWatch Logs (CWL), and have NFO ingesting them with CWL API or Kinesis. Choose this option if you’d like to get your VPC Flow logs with the shortest latency, and it is appropriate for security use cases, but it is more expensive (due to the CloudWatch cost). Alternatively, you can publish your VPC Flow logs to S3 buckets. Choose this option if your use cases are bandwidth utilization, capacity planning, cost analysis of AWS traffic across availability zones (regions), etc.

Microsoft Azure

Azure flow logs are generated by Network Security Group (NSG). NSG can be assigned to a Virtual Network subnet or to an interface. Flow logs are stored within a storage account blob container: insights-logs-networksecuritygroupflowevent.

There are two versions of NSG flow logs. We recommend using flow logs version 2, because it contains bytes and packets. If you use version 1, but bytes and packets information will be missing.

For more information on NSG Flow Logs, visit https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview.

Google GCP

GCP is able to generate VPC Flow logs for each subnetwork, providing observability needed to monitor and troubleshoot traffic and security issues.

NetFlow Optimizer™ (NFO) release 2.7.1 and NetFlow Analytics for Splunk App leverages this data to provide real-time visibility and analysis of your GCP environment.

For more information on GCP VPC Flow Logs, visit https://cloud.google.com/vpc/docs/using-flow-logs.