Recent Posts

Archive

Tags

No tags yet.

How To Diagnose and fix Network failures in the Flow Logs Viewer

Our Flow Logs Viewer is designed to help you work with your VPC Flow Logs and your security groups. To do this, the instance needs access to AWS' public API endpoints.

The endpoints needed are:

https://logs.<region>.amazonaws.com

https://ec2.<region>.amazonaws.com

https://sts.<region>.amazonaws.com

where <region> is the equivalent of 'us-east-1' or the region you are operating in.

Example: https://logs.us-east-1.amazonaws.com

If you encounter an error such as:

We're sorry, but something went wrong. Some customers see this error when their instance cannot access AWS' API Endpoints. Please check if your security groups have blocked Outbound access to the AWS API Endpoints for your region.

Please see these fixes:

1. If your instance is in a private Subnet with an IGW or NAT gateway, you need to add an Elastic IP to the host

Documentation: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html

Since the AWS API endpoints are outside of your subnet, traffic to and from those endpoints will route over an IGW or NAT Gateway, and to the "public" internet.

2. If your instance is in a private subnet without an IGW or NAT Gateway, you need another way to route to the internet

The Flow Logs viewer must be able to access the API endpoints listed above. Your own VPN tunnel or network bridge device. This is an advanced network configuration.

3. Security Groups or Network ACLs are blocking access to the API endpoints

The pre-configured security groups in the PiaSoft Flow Logs Viewer CloudFormation template allow egress network access to 0.0.0.0/0 from the instance. If the group has removed this egress security group rule, you will need to add in a rule to permit access to the AWS endpoints.

Please contact us for support if you need help modifying the security groups, or if this article did not help.

#securitygroups #gettingstarted #howto