Network logging and troubleshooting

One of the benefits of using a virtualized infrastructure is that you can get a level of introspection that is difficult or costly with physical hardware. Being able to quickly switch on logging at a network-device level is an extremely useful feature, especially when getting used to the interactions between VPCs, subnets, NACLs, routing, and security groups. A common use case would be figuring out why a specific user is not able to connect to an EC2 instance inside one of your VPCs.

In this recipe, we will turn on logging for our network resources by using VPC Flow Logs. You could do this all the time to give yourself another layer for monitoring and auditing, or you could selectively enable it during troubleshooting, saving yourself any additional data storage charges. VPC Flow Logs allow you to capture and analyze information (but not individual packets) about traffic that is flowing to and from network interfaces within your account.
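The following is an added example, not code from the book: it reads flow log records in the default (version 2) format and classifies why a given client cannot reach an instance, which is the troubleshooting case mentioned above. The sample records, IP addresses, ENI placeholder and the `parse` and `diagnose` helpers are constructed for illustration; it assumes the default record format, and it relies on security groups being stateful and NACLs stateless.

```python
from collections import namedtuple

# Default (version 2) flow log record fields, in order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
FlowRecord = namedtuple("FlowRecord", FIELDS)

# Constructed sample records: documentation IP ranges, placeholder account and ENI.
SAMPLE = """\
2 123456789012 eni-EXAMPLE 203.0.113.10 10.0.1.25 49152 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-EXAMPLE 203.0.113.10 10.0.1.25 49153 22 6 2 120 1700000060 1700000120 REJECT OK
2 123456789012 eni-EXAMPLE 198.51.100.7 10.0.1.25 50111 443 6 4 240 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-EXAMPLE 10.0.1.25 198.51.100.7 443 50111 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-EXAMPLE 192.0.2.50 10.0.1.25 51000 443 6 9 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-EXAMPLE 10.0.1.25 192.0.2.50 443 51000 6 8 5400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-EXAMPLE - - - - - - - 1700000120 1700000180 - NODATA
"""

def parse(text):
    """Yield a FlowRecord for each default-format line that carries traffic data."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue  # header row, custom format or truncated line
        rec = FlowRecord(*parts)
        if rec.log_status == "OK":  # NODATA / SKIPDATA rows have no flow fields
            yield rec

def diagnose(text, client_ip, instance_ip, port):
    """Classify why client_ip cannot reach instance_ip:port, from flow records."""
    inbound, replies = set(), set()
    for r in parse(text):
        if (r.srcaddr, r.dstaddr, r.dstport) == (client_ip, instance_ip, str(port)):
            inbound.add(r.action)   # request arriving at the instance's interface
        elif (r.srcaddr, r.dstaddr, r.srcport) == (instance_ip, client_ip, str(port)):
            replies.add(r.action)   # response leaving the instance
    if not inbound:
        return "no-traffic-seen"    # never reached the interface: routing or client side
    if "ACCEPT" not in inbound:
        return "inbound-rejected"   # security group or inbound NACL rule
    if "REJECT" in replies:
        return "reply-rejected"     # security groups are stateful, so look at the outbound NACL
    return "accepted"

if __name__ == "__main__":
    for client, port in [("203.0.113.10", 22), ("198.51.100.7", 443),
                         ("192.0.2.50", 443), ("192.0.2.99", 22)]:
        print(client, port, diagnose(SAMPLE, client, "10.0.1.25", port))
```
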
