How Do VPC Flow Logs Reflect Accepted and Rejected TCP Packets?

Asked By CuriousCoder92 On

I'm curious about how VPC Flow Logs record information when dealing with TCP sessions. The documentation states that there are only two action states: 'accept' and 'reject'. Here's my scenario: if I have a TCP session with 30 packets, and for some reason, 15 of those packets are accepted while the other 15 are rejected (potentially due to a Network Access Control List or similar issue), how would that be reflected in the logs? Would I see two lines with the same source and destination IPs, ports, and protocol, both timestamped the same—one line indicating 'accept' and the other 'reject'? Is there any official documentation that explains this behavior? I read something about the VPC public access feature, but it seems that would be applied after checking Security Groups and NACLs.

3 Answers

Answered By PacketWhisperer42 On

It’s important to remember that once a flow is allowed by a NACL, subsequent packets are typically allowed. However, in some cases, if a new NACL rule is added midway through a session or if packets are late or retransmitted due to a closed TCP session, those packets might get dropped. So, while you mainly see 'ACCEPT' or 'REJECT' for the overall session, specific circumstances could alter normal logging behavior.

Answered By TechGuru99 On

VPC Flow Logs indeed show separate entries for accepted and rejected actions. According to AWS documentation on VPC Flow Logs, each unique flow gets a single log entry that indicates whether it's accepted or rejected. If you see both an 'ACCEPT' and 'REJECT' related to the same session, it generally indicates they are separate flows—like an inbound connection is accepted while its outbound response gets rejected. You can check the documentation for more detailed examples.

NetworkNinja15 -

That makes sense, but what happens in rare cases where part of a TCP flow is blocked by a NACL or security group? Wouldn't it lead to multiple entries for the same 5-tuple?

Answered By FlowMasterX On

You won't find two log entries with conflicting accept/reject actions for the same flow. A flow log captures a single summary for that 5-tuple, categorizing it as either 'ACCEPT' or 'REJECT'. If you see both, they refer to different flows—like a distinct inbound request and its outbound response. It's worth checking the AWS documentation for more on the nuances of these logs, especially examples related to flows.

ConfusedDev24 -

Can you clarify that? Considering a flow consists of multiple packets, a stateless control like a NACL should be able to drop individual packets. Wouldn't that mean there are two similar 5-tuple entries with differing packet counts, one for 'ACCEPT' and another for 'REJECT'?
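The two patterns the thread argues about, a single 5-tuple carrying both ACCEPT and REJECT in one capture window (ConfusedDev24's case) and an accepted request whose reply flow is rejected (TechGuru99's case), can be checked mechanically once the records are grouped by 5-tuple and window. The Python below is an added example, not code from any poster or from AWS; it parses the default version 2 flow log format and the sample records are constructed.

```python
from collections import defaultdict
FIELDS = (  # default (version 2) VPC Flow Log field order
    "version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")

# Constructed sample records (not real traffic): one 5-tuple with both actions in a
# window, a rejected reply to an accepted request, and a NODATA record with no flow.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 10.0.2.20 49152 443 6 15 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 10.0.2.20 49152 443 6 15 8100 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.4.40 10.0.2.20 51000 80 6 8 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.20 10.0.4.40 80 51000 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_record(line):
    """Parse one default-format record; None for malformed or NODATA/SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":  # NODATA/SKIPDATA records carry '-' instead of values
        return None
    for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[k] = int(rec[k])
    return rec

def index_flows(log_text):
    """Map (5-tuple, start, end) -> {action: summed packets}."""
    idx = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            key = (rec["srcaddr"], rec["dstaddr"], rec["srcport"], rec["dstport"], rec["protocol"])
            idx[(key, rec["start"], rec["end"])][rec["action"]] += rec["packets"]
    return idx

def mixed_action_tuples(log_text):
    """5-tuples logged with both ACCEPT and REJECT in the same capture window."""
    return {key[0]: dict(acts) for key, acts in index_flows(log_text).items()
            if "ACCEPT" in acts and "REJECT" in acts}

def rejected_replies(log_text):
    """REJECT-only flows whose reverse 5-tuple was ACCEPTed in the same window."""
    idx = index_flows(log_text)
    def reverse_accepted(tup, start, end):
        src, dst, sport, dport, proto = tup
        return "ACCEPT" in idx.get(((dst, src, dport, sport, proto), start, end), {})
    return [tup for (tup, start, end), acts in idx.items()
            if "REJECT" in acts and "ACCEPT" not in acts and reverse_accepted(tup, start, end)]
```

A rejected reply whose request was accepted is the usual sign of a stateless NACL blocking the ephemeral port range, whereas a security group, being stateful, would not produce that pair.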
