What are VPC flow logs?

Created On 01/11/19 20:11 PM - Last Modified 12/13/19 22:40 PM


Question


What are VPC flow logs?

Environment


Prisma Cloud

Answer


VPC flow logs provide a unidirectional record of network traffic. They will tell you that packets flowed from A to B and, in a separate record, that packets flowed from B to A, but they will not tell you which endpoint initiated the conversation. They provide no direct insight into which endpoint is the server in any conversation.

You could look at which flow record has the lower timestamp and assume that the source in that record is the client, but VPC flow log collection is aggregated over windows of several minutes, which removes the precision required to make this a reliable indicator. Additionally, long-lived connections and connections that fall on the boundaries between batches of logs will defeat this heuristic.

There are other factors we can consider, such as the source port versus the destination port: a client typically connects from a high ephemeral port to a well-known service port. We can also compare the count of distinct peers for a given endpoint IP and port, since a service port usually exchanges traffic with many peers while a client port talks to one.

Prisma Cloud evaluates all of these conditions, plus others, giving each measure a weight and applying a historical bias. In the end, though, these measures are heuristics and are not perfect.
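The following is an added, hypothetical example (not Prisma Cloud code) that applies the three heuristics described above to unidirectional VPC flow log records: timestamp ordering, source port versus destination port, and the number of distinct peers per endpoint. The weights, the 1024 ephemeral-port threshold and the sample log lines are all constructed assumptions; the record layout is the AWS VPC flow log default (version 2) format.

```python
"""Rank the likely server side of each conversation in unidirectional VPC flow logs.

Hypothetical example, not Prisma Cloud code: it scores the heuristics the
article describes with assumed weights and reports a combined confidence.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)

# Field order of the AWS VPC flow log default (version 2) format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (not real traffic). start/end are the capture
# window, so both directions of a flow usually share a start time; the
# 10.0.1.7 -> 443 pair is deliberately split across two windows so that the
# reply is logged "earlier" than the request, as happens at batch boundaries.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.10 45123 22 6 30 4300 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.10 10.0.1.5 22 45123 6 28 6800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.3.20 51000 443 6 12 2100 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.3.20 10.0.1.5 443 51000 6 15 9800 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.6 10.0.3.20 51222 443 6 9 1800 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.3.20 10.0.1.6 443 51222 6 11 7400 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.7 10.0.3.20 51333 443 6 8 1500 1700000120 1700000180 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.3.20 10.0.1.7 443 51333 6 10 7000 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.10 10.0.4.30 3306 40000 6 50 12000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.4.30 10.0.2.10 40000 3306 6 40 3000 1700000000 1700000060 ACCEPT OK
"""

# Assumed weights: ports are the strongest signal, peer count next, and the
# timestamp ordering the weakest, for the reasons the article gives.
WEIGHTS = {"port": 3.0, "peers": 2.0, "timestamp": 1.0}
EPHEMERAL_START = 1024  # assumed: ports below this are usually listening services


@dataclass(frozen=True)
class Flow:
    src: Endpoint
    dst: Endpoint
    start: int
    end: int


def parse_flow_logs(text: str) -> List[Flow]:
    """Parse default-format records; NODATA/SKIPDATA lines carry no flow and are dropped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        flows.append(Flow((rec["srcaddr"], int(rec["srcport"])),
                          (rec["dstaddr"], int(rec["dstport"])),
                          int(rec["start"]), int(rec["end"])))
    return flows


def distinct_peers(flows: List[Flow]) -> Dict[Endpoint, int]:
    """Number of different IPs each (ip, port) endpoint exchanged packets with."""
    peers = defaultdict(set)
    for f in flows:
        peers[f.src].add(f.dst[0])
        peers[f.dst].add(f.src[0])
    return {ep: len(ips) for ep, ips in peers.items()}


def score_server(a: Endpoint, b: Endpoint,
                 first_seen: Dict[Tuple[Endpoint, Endpoint], int],
                 peers: Dict[Endpoint, int]) -> float:
    """Positive means `a` looks like the server, negative means `b` does."""
    score = 0.0
    a_low, b_low = a[1] < EPHEMERAL_START, b[1] < EPHEMERAL_START
    if a_low != b_low:                 # one well-known port, one ephemeral port
        score += WEIGHTS["port"] if a_low else -WEIGHTS["port"]
    elif a[1] != b[1]:                 # both high (e.g. 3306 vs 40000): weaker hint
        score += 0.5 * WEIGHTS["port"] * (1 if a[1] < b[1] else -1)
    pa, pb = peers.get(a, 0), peers.get(b, 0)
    if pa != pb:                       # a service port talks to many peers
        score += WEIGHTS["peers"] * (1 if pa > pb else -1)
    ta, tb = first_seen.get((a, b)), first_seen.get((b, a))
    if ta is not None and tb is not None and ta != tb:
        # The direction logged first is assumed to be client -> server; equal
        # starts (same aggregation window) give no evidence at all.
        score += WEIGHTS["timestamp"] * (1 if tb < ta else -1)
    return score


def infer_servers(flows: List[Flow]):
    """Map each conversation (sorted endpoint pair) to (likely server, confidence)."""
    peers = distinct_peers(flows)
    first_seen: Dict[Tuple[Endpoint, Endpoint], int] = {}
    for f in flows:
        key = (f.src, f.dst)
        first_seen[key] = min(first_seen.get(key, f.start), f.start)
    result = {}
    for a, b in {tuple(sorted((f.src, f.dst))) for f in flows}:
        s = score_server(a, b, first_seen, peers)
        server = a if s > 0 else b if s < 0 else None
        result[(a, b)] = (server, abs(s))
    return result


if __name__ == "__main__":
    for (a, b), (server, conf) in sorted(infer_servers(parse_flow_logs(SAMPLE_LOG)).items()):
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  server={server}  confidence={conf}")
```

Running the script shows why the timestamp heuristic is the weakest: for the 10.0.1.7 conversation the reply was logged in an earlier window than the request, so that signal points the wrong way, but the well-known port and the three distinct peers on 10.0.3.20:443 still carry the decision. The 3306/40000 pair, where neither port is well-known and each endpoint has a single peer, ends up with a low confidence, which is exactly the kind of conversation where a historical bias from earlier observations would matter.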
