Besa Program - Week 08 : Network Observability

Linet KendiLinet Kendi
4 min read

🌟 Excited to Share Insights from Besa Session Week 08 : Network Observability 🌟

First lets start with "Watchmen" [a comic book and movie series], I haven't watched but I have added it to my list. Probably you could share your views on it before I start it off.

The role play takes the day, with the Besa team (Ashish and Parna) really putting the concepts and products into perspective. Additional Session on AWS SAA practice exams was really nice.

The concept of observability in networking, focuses on understanding why issues occur and how to prevent them in the future. Observability is a proactive approach to network management, while monitoring is reactive. Observability helps organizations scale their networks, segment them, and replace them with high-speed networks when necessary. In Cloud, there is no one-size-fits-all solution, but multiple tools will be presented to help solve most problems.

Why Observe your Network?

  1. Troubleshoot network connectivity and performance

  2. Understand and Optimize costs

  3. Govern network security

  4. Identify anomalous traffic patterns

  5. Architect for availability and scale

Network Observability can be summarized into 3 actions (Collect [Logs & Metrics], Monitor[Alarms] and Analyze [remediation Action])

It never a one-size fits all but different tools combined together to form a solution according to the clients needs.

  • 📊 VPC Flow logs capture header information about IP traffic in a network, providing visibility into network traffic.

    • 🚀Flow logs can help you with a number of tasks, such as:

      • Diagnosing overly restrictive security group rules

      • Monitoring the traffic that is reaching your instance

      • Determining the direction of the traffic to and from the network interfaces

    • 🚀 VPC Flow logs can be enabled at the VPC, subnet, or instance level[ENI] and sent to destinations like CloudWatch Logs, Amazon S3, or Kinesis Firehose.

    • 💡 VPC Flow logs are near real-time and don’t impact network performance.

    • 📝 VPC Flow logs can be customized to capture specific metadata and analyzed using AWS services or third-party solutions.

    • 🎥VPC Flow Logs have the defaults but their is flexibility to add or omit specific fields based on customer needs.

    • Using Amazon CloudWatch logs to monitor network traffic. CloudWatch's live tail feature, which continuously displays the last entries in a log group. CloudWatch Insights, which automatically provides insights based on collected logs.

    • You get 1,800 minutes of Cloud Watch Live Tail session usage per month with the AWS Free Tier, after which you pay $0.01 per minute.

    • VPC Flow logs contain information about network traffic, including source and destination IP addresses, ports, protocols, and timestamps.

    • Flow logs do not capture all IP traffic. The following types of traffic are not logged:

      • Traffic generated by instances when they contact the Amazon DNS server. If you use your own DNS server, then all traffic to that DNS server is logged.

      • Traffic generated by a Windows instance for Amazon Windows license activation.

      • Traffic to and from 169.254.169.254 for instance metadata.

      • Traffic to and from 169.254.169.123 for the Amazon Time Sync Service.

      • DHCP traffic.

      • Mirrored traffic.

      • Traffic to the reserved IP address for the default VPC router.

      • Traffic between an endpoint network interface and a Network Load Balancer network interface.

    • ⏳ Retention periods for flow logs are important, and enabling anomaly detection is an option.

    • Data ingestion and archival charges for vended logs apply when you publish flow logs to CloudWatch Logs/ Amazon S3

  • 📡 Traffic Mirroring allows capturing and analyzing network traffic in real-time. Traffic mirroring replicates network traffic to out-of-band security and monitoring appliances, allowing selective traffic capture and filtering. Mainly used to copy network from an elastic network Interface (ENI)

    • 💡The benefits of traffic mirroring, include the ability to run multiple sessions in parallel and the preservation of captured data even after a session is deleted.

    • VPC Traffic Mirroring -use Cases

    • Mirrored traffic is encapsulated with a VXLAN header. Virtual Extensible LAN (VXLAN) is a network virtualization technology that attempts to address the scalability problems associated with large cloud computingdeployments.

    • If you choose to enable traffic mirroring on Elastic Network Interface (ENI) of Amazon EC2 instances, ENI owner will be charged hourly for each ENI that is enabled with traffic mirroring. If you no longer wish to be charged for traffic mirroring, simply disable traffic mirroring on EC2 instance ENIs using the Amazon Web Services Management Console, command line interface, or API.

💡New concept of inline policies and inline VPC flow logs policies in AWS. Inline policies are policies embedded within a role itself.

Kudos to the Besa team for curating yet another insightful and impactful session!💪 #Besa #NetworkObservability #AWS #Technology #Innovation #ContinuousLearning

0
Subscribe to my newsletter

Read articles from Linet Kendi directly inside your inbox. Subscribe to the newsletter, and don't miss out.

#CloudWatchAWSAWS Certified Solutions Architect AssociateAWS VPC FLOWLOGS

Written by

Linet Kendi
Linet Kendi

Cloud and Cyber Security enthusiast. I love collaborating on tech projects. Outside tech, I love hiking and swimming.