Configure flow logs
This section helps you work with flow logs using the Data Center Designer (DCD). For the time being, you have the option of doing either of the following.

Creating a flow log

You can create flow logs for your network interfaces as well as the public interfaces of the Network Load Balancer and Network Address Translation (NAT) Gateway. Flow logs can publish data to your buckets in the IONOS Cloud S3 Object Storage.
After you have created and configured your bucket in the IONOS S3 Object Storage, you can create flow logs for your network interfaces.

Prerequisites

Before you create a flow log, make sure that you meet the following prerequisites:

Procedure

Select the appropriate tab for the instance or interface for which you want to activate flow logs in the workspace.
Server & Cubes
NAT Gateway & Network Load Balancer
  1. In the Inspector pane, open the Network tab.
  2. Open the properties of the network interface controller (NIC).
Open the Flow Log drop-down and fill in the following fields:
  1. For Name, enter a name for the flow log rule. The name will also be the first part of the objects’ name prefix.
  2. For Direction, choose Ingress to create flow logs for incoming traffic, Egress for outgoing traffic, or Bidirectional to create flow logs for all traffic.
  3. For Action, choose Rejected to capture only traffic blocked by the firewall, Accepted to capture only traffic allowed by the firewall, or Any for all traffic.
  4. For Target S3 bucket, enter a valid existing S3 Object Storage bucket name and an optional object name prefix where flow log records should be written.
  5. Select Add flow log to complete the configuration of the flow log. It is applied once you provision your changes.
  • Characters ‘/’ (slash) and ‘%2F’ are not supported as object prefix characters.
  • You cannot edit the fields of a flow log rule after activating it.
  • There is a limit of one flow log created per NIC, NAT Gateway, and Network Load Balancer.
Result: An activated flow log rule is visualized by a green light on the NIC properties. The green light indicates that the configuration has been validated and is valid for provisioning.
A summary of the flow log rule can be seen by opening the drop-down of the flow log and selecting the name of the flow log rule.
At this point, you may make further changes to your data center (optional).
When ready, select Provision changes. After provisioning is complete, the network interface's flow logs are activated.
Flow logs can be provisioned on both new and previously provisioned instances.
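One way to check a planned set of flow log rules against the field values and limits listed above before selecting Provision changes. This is an added example, not IONOS code; the plan format, interface ids and bucket names are hypothetical.

```python
from collections import Counter

# Field values as the page lists them for the Flow Log form.
DIRECTIONS = {"Ingress", "Egress", "Bidirectional"}
ACTIONS = {"Rejected", "Accepted", "Any"}

def check_plan(interfaces, rules):
    """Return (errors, gaps) for planned flow log rules.
    interfaces: ids of all NICs, NAT Gateways and Network Load Balancers in scope.
    rules: dicts with interface, name, direction, action, bucket, prefix
    (a hypothetical plan format, not a DCD or IONOS API format).
    """
    errors, gaps = [], []
    counts = Counter(r["interface"] for r in rules)
    for iface in sorted(counts):
        if counts[iface] > 1:
            errors.append(f"{iface}: {counts[iface]} rules, limit is one flow log")
    for r in rules:
        where = f"{r['interface']} ({r.get('name') or 'unnamed'})"
        for field, label in (("name", "Name"), ("bucket", "Target S3 bucket")):
            if not r.get(field):
                errors.append(f"{where}: {label} is empty")
        if r.get("direction") not in DIRECTIONS:
            errors.append(f"{where}: unknown Direction {r.get('direction')!r}")
        if r.get("action") not in ACTIONS:
            errors.append(f"{where}: unknown Action {r.get('action')!r}")
        prefix = r.get("prefix") or ""
        # '%2f' is treated like '%2F' here; that equivalence is an assumption.
        if "/" in prefix or "%2F" in prefix.upper():
            errors.append(f"{where}: prefix contains '/' or '%2F'")
        # Fields cannot be edited after activation, so flag partial capture now.
        if r.get("direction") in DIRECTIONS - {"Bidirectional"}:
            gaps.append(f"{where}: only {r['direction']} traffic is logged")
        if r.get("action") in ACTIONS - {"Any"}:
            gaps.append(f"{where}: only {r['action']} traffic is logged")
    for iface in sorted(set(interfaces) - set(counts)):
        gaps.append(f"{iface}: no flow log rule")
    return errors, gaps

# Constructed sample plan (ids, names and bucket are made up).
INTERFACES = ["nic-web-1", "nic-db-1", "natgw-1"]
RULES = [
    {"interface": "nic-web-1", "name": "web-all", "direction": "Bidirectional",
     "action": "Any", "bucket": "example-flowlogs", "prefix": "web"},
    {"interface": "nic-db-1", "name": "db-rejected", "direction": "Ingress",
     "action": "Rejected", "bucket": "example-flowlogs", "prefix": "prod/db"},
]

if __name__ == "__main__":
    print("\n".join(sum(check_plan(INTERFACES, RULES), [])))
```

Errors are entries the form would not accept as described above; gaps are valid rules that leave part of the traffic unlogged, or interfaces with no rule at all.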
Deleting a flow log
Prerequisites
Before you delete a flow log, make sure that you meet the following prerequisites:
Procedure
  1. Select the relevant VM of the interface for which you want to delete the flow logs in the Workspace.
  2. In the Inspector pane, open the Network tab.
  3. Open the properties of the network interface controller (NIC).
  4. Open the Flow Log drop-down.
  5. Select the trash bin icon to delete the flow log.
  6. In the confirmation message, select OK.
  7. Select Provision changes. After provisioning is complete, the network interface's flow logs are deleted and no longer captured.
Deleting a flow log does not delete the existing log streams from your bucket. Existing flow log data must be deleted using the respective service's console. In addition, deleting a flow log that publishes to S3 Object Storage does not remove the bucket policies and log file access control lists (ACLs).
NAT Gateway & Network Load Balancer
  1. In the Inspector pane, open the Settings tab.
To activate flow logs, open the Flow Log drop-down and fill in the following fields:
  1. For Name, enter a name for the flow log rule. The name will also be the first part of the objects’ name prefix.
  2. For Direction, choose Ingress to create flow logs for incoming traffic, Egress for outgoing traffic, or Bidirectional to create flow logs for all traffic.
  3. For Action, choose Rejected to capture only traffic blocked by the firewall, Accepted to capture only traffic allowed by the firewall, or Any for all traffic.
  4. For Target S3 bucket, enter a valid existing S3 Object Storage bucket name and an optional object name prefix where flow log records should be written.
  5. Select Add flow log to complete the configuration of the flow log. It is applied once you provision your changes.