Network Flow Reports

For any network-enabled resource, Network Flow Reports provide visibility by source and destination to the flows within your network that are driving costs. You can filter these reports to identify resources that are accruing network costs, generate detailed views of the sources and destinations of the network traffic, and investigate metadata on specific resources in the flow. This feature makes it possible to correlate data transfer charges with both external services, such as Datadog, and internal applications.

note

At this time, only AWS is supported. Additional support for providers with flow log functionality, such as Azure and Google Cloud, is planned for the future.

Set Up VPC Flow Log Integration

Network Flow Reports require an existing AWS provider integration. The Vantage AWS account-specific IAM role needs to be granted access to the S3 buckets where you publish your VPC Flow Logs. Vantage can automatically detect any existing S3 buckets that contain VPC Flow Logs. You need to configure this integration for each AWS account that has an S3 bucket with VPC Flow Logs.

note

The Vantage configuration does not work with Amazon CloudWatch because of the high cost of querying CloudWatch. Logs need to be published to S3 for the Vantage integration to work.

Prerequisites

Ensure you have at least the following fields in your VPC Flow Log format to increase the discoverability of network-related costs. If you do not have these fields enabled, Vantage may be unable to properly correlate your network flows to estimated costs.

${action} ${bytes} ${dstaddr} ${start} ${end} ${flow-direction} ${log-status} ${region} ${srcaddr} ${account-id} ${instance-id} ${interface-id} ${subnet-id} ${vpc-id} ${az-id}

See the AWS documentation for information on how to set up VPC Flow Logs that publish to S3. Vantage can ingest both Text and Parquet log file formats.

Cost to Enable VPC Flow Logs in AWS

When you enable VPC Flow Logs, you incur both S3 storage costs and CloudWatch data ingestion costs on your AWS bill. These charges are represented in the costs for the S3 bucket where your flow logs are written to as well as an S3-Egress fee from CloudWatch. Unfortunately, there is no way around these costs being incurred. Vantage has contacted various AWS platform teams to attempt to remove this cost, but this is likely a limitation that AWS is unwilling to change or remove.

info

For more information about VPC Flow Logs pricing, see this Cloud Cost Handbook article.

Enable the Integration

1. From the top navigation bar, click Active Resources.
2. From the side navigation bar, select Network Flow Reports.
3. Click Configure VPC Flow Logs.
4. All existing S3 buckets that contain flow logs are displayed in the left panel of the onboarding workflow. Click the checkbox next to any listed S3 bucket to select all log files within that bucket.
   tip

   You can also click the down arrow to the right of any bucket name and select or deselect specific log files within that bucket.

   Click to view example image

   
5. When you select the checkbox for a bucket, the Sync All toggle is automatically enabled. After the initial onboarding process, any new VPC Flow Logs added to that bucket will also be automatically synced each night. You can disable this option if you do not want the files to automatically sync.
6. The right panel contains instructions on how to get set up using the AWS CLI, AWS Management Console, or the Vantage Terraform provider. Select the tab for your preferred option. If you have multiple connected accounts with VPC Flow Logs, instructions or code samples are provided for each account.
7. After you run the code in the AWS CLI, deploy your Terraform configuration, or complete the steps in the AWS Management Console, click Check Permissions. A message is displayed that indicates whether the bucket permissions were successfully set up or if they are missing. A red X is displayed next to any buckets in the left panel that do not have sufficient permissions. Some log files may also be unsupported. See the section below for details.
   Click to view example image

   
8. Once permissions are successfully set up, click Connect. A message is displayed that indicates your flow logs are being imported. Click Check Import Status to review the status of your integration. A Processing… status is displayed until the import is complete.
   Click to view example image

   

Data is usually available within 24 hours of initially enabling the integration. You will receive an email once the data import is complete. Vantage ingests your logs nightly.

Unsupported Logs

When a particular log cannot be imported, Vantage displays either an UNSUPPORTED TRAFFIC, UNSUPPORTED DESTINATION, or UNSUPPORTED LOG FORMAT label next to the log name in the Manage VPC Flow Logs window. Hover your mouse over this label to see additional information about the issue.

Issue	Description
UNSUPPORTED TRAFFIC	Vantage does not import any REJECT flows, nor any flows that do not generate corresponding costs.
UNSUPPORTED DESTINATION	This message is displayed if a log is going to any destination other than S3. Logs need to be published to S3 to be imported by Vantage.
UNSUPPORTED LOG FORMAT	Unsupported log format means that your log may be missing some required columns. Hover over the UNSUPPORTED LOG FORMAT label to see a list of missing columns. Ensure your logs contain the columns noted in the Prerequisites section.

Manage Existing Integrations

You can view your integration status and add additional flow logs from the VPC Flow Logs integration page. At the top of the Manage Connected VPC Flow Logs panel, click Manage. The Manage Flow Logs pop-up window is displayed. After the initial import, you can perform the following actions from this window:

• Select additional S3 buckets and logs to sync
• Deselect an S3 bucket or log files to remove the bucket from syncing

note

If you add additional fields to your VPC Flow Log format in AWS, and you already sync these logs to Vantage, this new data will be imported to Vantage on the next nightly import.

Create a New Network Flow Report

Follow the steps below to create a new Network Flow Report:

1. From the top navigation, click Active Resources.

2. From the side navigation, click Network Flow Reports. All your existing Network Flow Reports are displayed, along with who created the report and the date it was created.

   tip

   Three reports are provided, by default, on this page: All Network Flow Logs, Cross-AZ Traffic, and Public Traffic Destinations. See the Network Flow Report Examples section below for tips on how to get started with these reports.

3. To create a new report, click New Network Flow Report.

4. A new Network Flow Report is displayed.

   • At the top of the report, a Sankey diagram is provided. This diagram shows different network flows, based on your selected filters and grouping criteria. For example, in the image below, the nodes on the left side of the diagram show the sources of network traffic. Links, or network flows, flow from the nodes to their traffic destination (in this example, cross-AZ or public). The width of each flow corresponds with the volume of traffic, and the color corresponds with the source of the node (e.g., yellow for public in the example below).
     
   • In the table below the diagram, the network flow information is displayed along with the volume of traffic (in bytes). The table is sorted in descending order by the Estimated Cost column. Click any column header to change the sort order. Each flow shows the estimated cost associated with that specific traffic route, helping you identify the most expensive data transfers. (See the section below for details on how the Estimated Cost column is calculated.)
   • For each listed resource, a link to the Active Resources screen is provided. Click this link to view additional metadata about the resource. From the Active Resources screen, click the Relationships tab to view any associated resources, such as a corresponding IGW for a VPC resource.
     Click to view example image

5. You can update the criteria displayed in the Sankey diagram with the following options:

   • By default, both egress and ingress traffic are displayed. Expand the Flow Direction menu above the diagram to change the flow to only Egress or Ingress.
   • From the top right of the diagram, update the date range that’s displayed. Click the calendar icon and select an option, such as Last 7 Days, This Month, etc.
     note

     By default, Vantage ingests 7 days of network flows into your account and keeps the data available for 31 days. For Enterprise customers, this retention period can be adjusted. Contact support@vantage.sh if you need a longer retention period.

   • You can move the columns in the table at the bottom to visualize different flows. The diagram is also updated to depict the new order in the table.
     Click to view example image
   • You can also filter and group/add more columns to the report. See the next section for details.

6. To save the report, from the top right of the screen, click Save as New. Enter a report name, then click Save. (To edit this name, click the pencil icon in the breadcrumbs above the chart, next to the report's name.)

Filter and Group a Network Flow Report

By default, a Network Flow Report is grouped by the following fields:

• Source Resource UUID
• Peer Resource UUID
• Traffic Category

You can filter and group by multiple criteria in Network Flow Reports. Expand the box below to see all available filter and grouping criteria with a description of each option.

Click to view all fields

Vantage Field	Description	Example
Account ID	AWS account ID of the source network	production, 123456789012
Availability Zone ID	ID of the source Availability Zone	us-east-1a
Destination Address	Specific IP address that identifies the location of where the traffic is being sent	An IP, like 1.23.456.90
Destination Hostname	Domain name that corresponds with the IP address of the destination (see note below table)	01234.broadband.com OR Datadog
Flow Direction	Movement of network traffic relative to a specific network interface	Ingress or egress
Interface ID	Source ENI ID	eni-001d78b2agh4caa05
Instance ID	Source instance ID	i-0b22a22eec53b9321
Peer Resource UUID	Destination resource ARN or tag (if available)	eni-c123ab7f9c55af9a6d OR example-tag
Peer Account ID	Destination account ID	production, 123456789012
Peer VPC ID	Destination VPC ID	vpc-12a34567b8g8a03ef
Peer Region ID	AWS Region of destination	us-west-2
Peer Availability Zone ID	ID of the Availability Zone for the destination	us-east-1b
Peer Subnet ID	Destination subnet ID	subnet-123ab7f9c55af9a6d
Peer Interface ID	Destination ENI ID	eni-001d78b2agh4caa12
Peer Instance ID	Destination instance ID	i-0b22a22eec53b9321
Region	AWS Region of the source	us-east-1
Resource UUID	Source resource ARN or tag (if available)	eni-c123ab7f9c55af9a6d OR example-tag
Source Address	Specific IP address from which the network traffic originates	An IP, like 1.23.456.90
Source Hostname	Domain name that corresponds with the IP address of the source (see note below table)	100.123.456.789.bc.googleusercontent.com OR Datadog
Subnet ID	ID of the source subnet	subnet-123ab7f9c55af9a6d
Traffic Category	The type of traffic	public, cross-AZ, cross-region, unknown The unknown value means Vantage is unable to categorize the type of traffic based on the available metadata.
Traffic Path	Path traffic takes to reach the destination, such as through a virtual private gateway	In VPC Internet Gateway or Gateway VPC Endpoint Virtual Private Gateway Intra-Region VPC Peering Inter-Region VPC Peering Local Gateway Gateway VPC Endpoint (Nitro-based instances) Internet Gateway (Nitro-based instances)
VPC ID	ID of the source VPC	vpc-12a34567b8g8a03ef

note

To derive the hostname, Vantage checks against some hardcoded IP ranges, and then falls back to reverse DNS lookup for the IPs. If you have services with known IP ranges you want added, contact support@vantage.sh.

Apply Filter Criteria

You can add additional fields via grouping and filtering criteria. To add a new filter:

1. Click the Filters button on the top left of the diagram.
   • The AWS costs where... tile is displayed. Click + New Rule.
   • From the filter dropdown menu, select an option, like Account ID, Instance ID, etc.
   • Two additional dropdown menus are displayed. Select is, is not, contains, or does not contain based on your desired filter criteria, then select one or more values from the second dropdown menu. For contains or does not contain, enter any text criteria to filter by.
     note

     If you are unable to see any values for a filter, this means that you are not capturing this information in your VPC Flow Logs format, and therefore, Vantage is unable to import this data.

   • Click Add.
     Click to view example image
2. You can optionally edit your existing rule or add additional filter criteria.
   • To edit the rule you just created, select the rule, make your changes, and click Add.
   • If you want to add a rule to filter multiple criteria, such as filter by certain Regions and another rule to filter by certain Destination Hostnames, click + New Rule. Add the additional criteria and click Add.
   • To add a separate rule set, above the filter set, click + New Filter. This rule set will be displayed as Or AWS costs where... on the new tile.
   • To delete a rule set, click the trashcan icon on the top right of the rule set.
     Click to view example image
3. Above the rule set(s), click Apply. The diagram will update with your existing filter criteria.

Apply Grouping Criteria

To add additional columns to the table and diagram, expand the Group By menu. Select or deselect grouping criteria. As you add grouping criteria, additional nodes and flows are displayed on the diagram. Additional columns are also added to the table for any new grouping criteria.

View Flow Log Metadata

For certain grouping criteria, you can view additional details about specific resources. Vantage provides this information when it can fetch provider resource metadata. If Vantage can resolve the IP address for the Source Address and Destination Address grouping criteria, it will also provide metadata for these groupings.

1. Expand the Group By menu and add one or more of the following options to your grouping criteria:
   • Interface ID/Peer Interface ID
   • Subnet ID/Peer Subnet ID
   • VPC ID/Peer VPC ID
   • UUID/Peer UUID
2. In the table, select the row for any resource. The Flow Log Metadata panel is displayed on the right side of the screen. Data is provided for the Peer and Peer Resource. In this panel, click the link for any listed resource to see a provider resource report displayed.

Estimated Cost Calculation for Network Flows

The estimated cost for each flow is calculated by applying your blended data transfer rates to the flow of traffic. For example, if a flow is moving between one subnet to another and those subnets are in different Availability Zones, Vantage applies your cross-AZ data transfer rate to those bytes.

note

Because data transfer rates can be tiered, and the metadata associated with the destination may change, this calculation is a best-effort calculation; however, it does help to identify cost hotspots within your network.

The flow logs cost calculation is based on the following formula:

$$Estimated\ Cost=\sum_{i=1}^{N} (Rate_{i} \times Volume_{i})$$

• $N$ is the total number of data flows.
• $R_i$ is the rate (cost per unit of data) for the $i$-th flow.
• $V_i$ is the volume of data transferred for the $i$-th flow.

Vantage first identifies the different flows of data within your network. It uses information provided within the AWS Cost and Usage Reports (CUR) to determine the specific rate (cost per unit of data) that applies to each type of data flow (e.g., cross-AZ, public). Each rate for each data flow is multiplied by the amount of data transferred in that flow. The estimated cost is then determined by the sum of these products.

Network Costs on Cost Reports

On Cost Reports, for resources that generate network traffic costs (e.g., NAT Gateways), a Network Costs button is displayed in the Cost Report list. Click this button to view a Network Flow Report that is filtered to flows coming from that specific resource.

The below Cost Report is grouped by Service and Resource.

Network Flow Report Examples

The following examples demonstrate common scenarios for using Network Flow Reports. These examples are based on the three reports that Vantage provides by default: All Network Flow Logs, Cross-AZ Traffic, and Public Traffic Destinations.

Example 1: View All Network Traffic

The All Network Flow Logs report shows all your network flows. The flow’s Resource UUID and Peer Resource UUID are provided as well as the traffic category (e.g., public). Review this report to get a high-level view of all your traffic flows.

Example 2: Identify Cross-AZ Traffic

Cross-AZ data transfer within AWS incurs higher costs compared to intra-AZ data transfer. According to AWS, “For data transferred between a Local Zone and an Availability Zone within the same AWS Region, "in" to and "out" from Amazon EC2 in the Local Zone” data is charged at $0.01/GB for both transfer in and transfer out. Transferring data between AZs requires more network bandwidth compared to transferring data within the same AZ. This additional bandwidth consumption contributes to higher costs.

In the provided cross-AZ report, you can view all cross-AZ traffic along with flow size and estimated cost. The Destination Address column shows exactly where the traffic is flowing.

Review the highest-costing flows and consider the following tips:

• Try to place dependent resources within the same AZ to minimize cross-AZ data transfer.
• Use VPC endpoints to route traffic internally within AWS, reducing the need for cross-AZ traffic. This can help in minimizing data transfer costs and enhance security by keeping everything in the same VPC.

Example 3: Examine Public Traffic

When monitoring network costs, analyzing public traffic can reveal significant insights about where your traffic is going when it reaches the public internet. By analyzing destination details, you can ensure that traffic is taking the correct path or is going only to trusted and necessary endpoints. In this report, the Destination Hostname grouping/column provides a human-readable format of the destination, helping you quickly identify known destination services or endpoints.

Vantage identifies hostnames using a reverse DNS lookup, or when vendors publish static IP address ranges, such as Datadog, Vantage can associate these IP addresses with the name of the service. The Destination Address provides the exact IP address, which is useful for detailed analysis to ensure traffic is reaching the intended destinations.

Examine this report to understand which resources are generating public traffic and where that traffic is going. Consider whether you might use alternative services, like AWS Direct Connect, CloudFront, or PrivateLink, to optimize data transfer and reduce costs.