Set up Flow Logs in Your CSP Environments

This topic provides an overview of setting up flow logs for use by Illumio CloudSecure.

CloudSecure uses flow logs to display the flows. Granting CloudSecure access to the flow logs allows it to read them. For instructions on how to grant that access after the flow logs are set up, see Grant Flow Log Access to Your CSPs.

AWS

You can set up flow logs in AWS using the console, a CloudFormation template, or the command line. You must do this before you Grant Flow Log Access to Your CSPs.

Using the Console

To configure flow logs for a VPC in the AWS console:

  1. Go to the VPC console at https://console.aws.amazon.com/vpc/ and select the region to which the VPC belongs.
  2. Select the VPC for which flow logs are to be enabled.
  3. Under the VPC details page, select the Flow logs page and click the Create flow log button.
  4. Provide the following details on the flow log configuration page:
    • Name for the flow log configuration
    • Type of traffic to be filtered. For more insight, select All.
    • The time interval can be set to 10 minutes
  5. Select Send to an Amazon S3 bucket and paste the ARN of the S3 bucket. The page also offers the option to create a new S3 bucket.
  6. For the log record format, select any value. For more details, select Custom format and select all attributes. Use the defaults for all other values.
  7. After entering the required information, click Create flow log.

Using the CloudFormation Template

To enable flow logs for a VPC using the CloudFormation template:

  1. Go to the VPC console page at https://console.aws.amazon.com/vpc/, select the VPC for which the flow logs are to be enabled, and copy the VPC ID.
  2. Go to the S3 console page at https://console.aws.amazon.com/s3/ and select the bucket in which the flow logs are to be stored. Under the Properties tab, copy the bucket name.
  3. Save the following CloudFormation template to a file named enabling-vpc-flowlogs.yaml.

AWSTemplateFormatVersion: "2010-09-09"
Description: "Enable Flow logs for a vpc"
Parameters:
  VpcId:
    Type: String
    Description: VPC Id for which flow logs are to be enabled
  BucketName:
    Type: String
    Description: Name of the bucket in which flow logs are to be stored.
Resources:
  FlowLog:
    Type: AWS::EC2::FlowLog
    Properties:
      ResourceId: !Ref VpcId
      ResourceType: "VPC"
      TrafficType: "ALL"
      LogDestination: !Join
        - ""
        - ["arn:aws:s3:::", !Ref BucketName]
      LogDestinationType: "s3"
      LogFormat: "${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}"
      MaxAggregationInterval: 600
      Tags:
        - Key: "Name"
          Value: "FlowLogsForIllumioCloudSecure"
        - Key: "Purpose"
          Value: "Alltrafficvizualizationmap"
Outputs:
  FlowLogArn:
    Description: The ARN of the created flow log
    Value: !Ref FlowLog

For more information, see the vendor documentation:

https://docs.aws.amazon.com/vpc/latest/userguide/working-with-flow-logs.html

Running the CloudFormation Template

  1. Go to the AWS CloudFormation service and use the template file to create a new stack with new resources (standard).

  2. Select Template is ready and then Upload a template file. Upload the enabling-vpc-flowlogs.yaml file.

  3. On the next page, enter the desired stack name followed by the bucket name and VPC ID you copied earlier.

  4. Click Next and leave the default values on the successive pages. On the final page, click Create stack.

After the stack creation is complete, go to the VPC console and verify that the flow log has been created.

NOTE:
The template must be run in the same region to which the VPC belongs. Choose the appropriate region at the top right before running the CloudFormation template.
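As an added example (not part of the Illumio documentation or of the AWS template above), the following Python script helps with the verification step: it derives the field order from the template's LogFormat string, parses records in that format, flags records whose field count does not match, and summarizes accepted and rejected bytes per network interface while skipping NODATA/SKIPDATA intervals. The sample records are constructed for illustration and are not real traffic.

```python
# Added example: parse VPC flow log records written with the custom LogFormat
# from the CloudFormation template and summarize traffic per interface.
import re
from collections import defaultdict

# The LogFormat value from the CloudFormation template above.
LOG_FORMAT = ("${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} "
              "${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} "
              "${end} ${action} ${log-status}")

# Constructed sample records (not real traffic), in the order LOG_FORMAT defines.
SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 10.0.2.20 49152 443 6 12 3400 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.10 51234 22 6 3 180 1700000000 1700000600 REJECT OK
2 123456789012 eni-0f9e8d7c6b5a43210 - - - - - - - 1700000000 1700000600 - NODATA
2 123456789012 eni-0f9e8d7c6b5a43210 10.0.2.20 10.0.1.10 443 49152 6 10 5600 1700000000 1700000600 ACCEPT OK
"""

def fields_from_format(log_format):
    """Return the field names in the order the ${...} placeholders appear."""
    return re.findall(r"\$\{([a-z-]+)\}", log_format)

def parse_record(line, field_names):
    """Map one space-separated record to a dict; None if the field count is wrong."""
    values = line.split()
    if len(values) != len(field_names):
        return None  # record does not match the configured format
    return dict(zip(field_names, values))

def summarize(text, log_format=LOG_FORMAT):
    """Aggregate bytes per (interface, action); skip NODATA/SKIPDATA records."""
    names = fields_from_format(log_format)
    totals = defaultdict(int)
    malformed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line, names)
        if rec is None:
            malformed += 1
            continue
        if rec["log-status"] != "OK":
            continue  # no traffic was captured in this aggregation interval
        totals[(rec["interface-id"], rec["action"])] += int(rec["bytes"])
    return dict(totals), malformed

if __name__ == "__main__":
    totals, bad = summarize(SAMPLE_RECORDS)
    for (eni, action), nbytes in sorted(totals.items()):
        print(f"{eni} {action:6} {nbytes} bytes")
    print(f"malformed records: {bad}")
```

Point the script at the records downloaded from the S3 bucket (after gunzip) to confirm that every record carries the 14 fields the template configures.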

Using the Command Line

See the vendor documentation:

https://docs.aws.amazon.com/cli/latest/reference/ec2/create-flow-logs.html

What's Next

Now you can Grant Flow Log Access to Your CSPs.

Azure

Using the Console

You must do this before you Grant Flow Log Access to Your CSPs. See the Azure documentation.

What's Next

Now you can Grant Flow Log Access to Your CSPs.

OCI

You can set up flow logs in the console. You must do this before you Grant Flow Log Access to Your CSPs.

Enabling VCN Flow Logs and Storing Logs in Object Storage in OCI

This guide provides a concise step-by-step process for enabling Virtual Cloud Network (VCN) flow logs in Oracle Cloud Infrastructure (OCI) and creating a service connector to store these logs in an Object Storage bucket.

Prerequisites

  • OCI Access: Ensure that you have the necessary permissions to manage Networking, Logging, Service Connector Hub, and Object Storage services.
  • Existing VCN: Identify the VCN for which you want to enable flow logs.
  • Bucket: Create a bucket to store flow logs.

Enable VCN Flow Logs

  1. Browse to Networking > Virtual Cloud Networks.
  2. Select the compartment and choose your VCN.
  3. Browse to Networking > Resources > Flow Logs in the OCI console.
  4. Configure the Flow Log with the following:
    • Name: Enter a name for the flow log.
    • Compartment: Select the appropriate compartment.
    • Enablement Point: Select VCN.
    • Flow logs that need to be enabled: Select the VCN for which flow logs need to be enabled.
    • Flow Log Type: Choose All Traffic with a 100% sampling rate.
    • Log Group: Select an existing log group or create a new one.
    • Log: Provide a name for the log.
  5. Click Create Flow Log.

Store Logs

  1. If an object storage bucket is not already available, browse to Storage > Buckets.
  2. Click Create Bucket, provide a name, and set the desired configurations.
  3. Navigate to Analytics and AI > Messaging > Service Connectors.
  4. Configure the Service Connector with the following:
    • Name: Enter a name for the connector.
    • Source:
      • Select Logs.
      • Configure the source to use the Log Group and Log from your flow log.
    • Target:
      • Select Object Storage.
      • Choose the bucket you created.
      • (Optional) Set the Object Name Prefix, Batch Rollover Size, and Batch Time Interval.
  5. Click Create Service Connector.
  6. Navigate to your Object Storage bucket and confirm that log files are being generated and stored. Files usually take some time to appear, because the connector must first start streaming from the Logging service.

What's Next

Now you can Grant Flow Log Access to Your CSPs.