
I have a VPC with two subnets in it:

  1. Public subnet with a NAT instance.
    No incoming connections from the Internet are allowed.
  2. Private subnet with the application server.
    The route table for the private subnet uses the ENI of the NAT instance for the 0.0.0.0/0 destination, so my application server can send requests to external servers through the NAT instance.

The VPC flow log format is below:

[screenshot: flow log format]

So, in the flow log of the application server I saw:

[screenshot: flow log records of the application server]

It seems that the external host 31.220.24.x is trying to connect to my private instance 172.30.4.205, doesn't it? But according to this document, 18 as a TCP flag means SYN-ACK, so it is a response from the external host to a SYN packet from my internal host. I was confused about getting a SYN-ACK without the preceding SYN packet, so I tried to simulate this case, recording all packets with tcpdump. I sent some data to 31.220.24.x from 172.30.4.205 and got the same logs in CloudWatch, but all three packets in Wireshark: SYN, SYN-ACK, ACK:

[screenshot: tcpdump capture in Wireshark showing SYN, SYN-ACK, ACK]

So the question is: why don't I see the first SYN packet in the CloudWatch logs of the application server? Thanks in advance!

kolyaiks
  • It looks like you're using a custom flow log configuration, so you should include this configuration in your question. However, I _suspect_ what's happening is that individual packets are being aggregated to produce the flow log, and as the doc indicates, the TCP flags will be OR'd together. So the SYN would not be reported separately from the SYN-ACK. – Parsifal Aug 04 '20 at 15:51
  • @Parsifal, thanks for the answer! I've added the screenshot you mentioned. In case of using NAT gateway we are able to see all the steps according to this example: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html#flow-log-example-nat. So why don't we see it in case of NAT instance? – kolyaiks Aug 04 '20 at 20:02
  • Sorry, can't answer that question. I thought it was due to an aggregation, but looking at your flow log config the SYNs should be aggregated separately from the SYN-ACKs. If it's a concern, maybe talk to AWS Support? – Parsifal Aug 07 '20 at 13:17
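The question turns on reading the tcp-flags field correctly: a record whose flags decode to SYN+ACK (18) with the external host as srcaddr is the second step of a handshake that the internal host started, while an actual inbound connection attempt shows up as a record with a bare SYN (2) from the external host. The script below, which is an added example and not code from the post, decodes the bitmask, classifies records by direction, and for every external SYN-ACK checks whether the matching outbound SYN record is present. The custom log format string, the internal CIDR 172.30.0.0/16, the interface id and all log lines are constructed assumptions, since the post's own format and records exist only as screenshots.

```python
"""Decode and classify tcp-flags in VPC flow log records (example code)."""
import ipaddress

# Bit values of the tcp-flags field as documented by AWS.
TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}

# Assumed custom flow log format; the post's real format is not reproduced.
LOG_FORMAT = ("${version} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} "
              "${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} "
              "${action} ${log-status} ${tcp-flags}")

# Assumed address space of the VPC (the post's instance is 172.30.4.205).
INTERNAL_NETS = [ipaddress.ip_network("172.30.0.0/16")]

# Constructed sample records: an outbound SYN, the external SYN-ACK reply to it,
# a bare SYN from a second external host (a real inbound attempt), a FIN on the
# established flow, and a UDP record. External addresses are documentation ranges.
SAMPLE_LOG = """\
2 eni-0a1b2c3d 172.30.4.205 203.0.113.5 43210 443 6 1 60 1596542400 1596542459 ACCEPT OK 2
2 eni-0a1b2c3d 203.0.113.5 172.30.4.205 443 43210 6 1 60 1596542400 1596542459 ACCEPT OK 18
2 eni-0a1b2c3d 198.51.100.7 172.30.4.205 51515 22 6 1 44 1596542400 1596542459 REJECT OK 2
2 eni-0a1b2c3d 172.30.4.205 203.0.113.5 43210 443 6 5 1200 1596542460 1596542519 ACCEPT OK 1
2 eni-0a1b2c3d 172.30.4.205 172.30.0.2 55000 53 17 1 70 1596542400 1596542459 ACCEPT OK 0
"""


def decode_flags(value):
    """Return the set of flag names set in a tcp-flags bitmask (18 -> SYN, ACK)."""
    value = int(value)
    return {name for name, bit in TCP_FLAGS.items() if value & bit}


def parse_record(line, log_format=LOG_FORMAT):
    """Split one space-separated record into a dict keyed by the format's field names."""
    fields = [f.strip("${}") for f in log_format.split()]
    values = line.split()
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
    return dict(zip(fields, values))


def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(record):
    """Label a record by who opened the connection, judging from flags and direction."""
    if record["protocol"] != "6":          # only TCP carries handshake flags
        return "non-tcp"
    flags = decode_flags(record["tcp-flags"])
    src_internal = is_internal(record["srcaddr"])
    dst_internal = is_internal(record["dstaddr"])
    if not src_internal and dst_internal:
        if "SYN" in flags and "ACK" not in flags:
            return "inbound-syn"           # external host opened the connection
        if {"SYN", "ACK"} <= flags:
            return "reply-to-outbound"     # handshake reply; our host sent the SYN
    if src_internal and not dst_internal:
        if "SYN" in flags and "ACK" not in flags:
            return "outbound-syn"          # our host opened the connection
    return "other"


def match_replies(records):
    """For each external SYN-ACK, report whether the reversed outbound SYN record exists."""
    outbound_syns = {(r["srcaddr"], r["srcport"], r["dstaddr"], r["dstport"])
                     for r in records if classify(r) == "outbound-syn"}
    matches = []
    for r in records:
        if classify(r) != "reply-to-outbound":
            continue
        key = (r["dstaddr"], r["dstport"], r["srcaddr"], r["srcport"])
        matches.append((r, key in outbound_syns))
    return matches


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r['srcaddr']:>14} -> {r['dstaddr']:<14} flags={sorted(decode_flags(r['tcp-flags']))} {classify(r)}")
    for reply, found in match_replies(recs):
        print(f"SYN-ACK from {reply['srcaddr']}: matching outbound SYN logged = {found}")
```

Two caveats apply when running this against real logs. AWS OR's the flags of all packets in a flow within the aggregation interval, so a value such as 19 (FIN|SYN|ACK) is normal for a short-lived connection and still means a SYN-ACK was seen in that direction. And a SYN-ACK from an external host whose matching outbound SYN record is absent is exactly the situation in the question; the script reports it as `False` rather than calling it an attack, because a missing SYN record can also come from the logging path rather than from the network.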

0 Answers