Use the Flow logs feature to capture data that is related to IPv4 and IPv6 network traffic flows. Flow logs can be enabled for each network interface of a Virtual Machine (VM) instance, as well as the public interfaces of the Network Load Balancer (NLB) and Network Address Translation (NAT) Gateway.
Flow logs can help you with a number of tasks such as:
- Debugging connectivity and security issues
- Monitoring network throughput and performance
- Logging data to ensure that firewall rules are working as expected
Flow logs are stored in a customer’s IONOS S3 Object Storage bucket, which you configure when you create a flow log collector.
A network traffic flow is a sequence of packets sent from a specific source to a specific unicast, anycast, or multicast destination. A flow could be made up of all packets in a specific transport connection or a media stream. However, a flow is not always mapped to a transport connection one-to-one.
A flow consists of the following network information:
- Source IP address
- Destination IP address
- Source port
- Destination port
- Internet protocol
- Number of packets
- Bytes
- Capture start time
- Capture end time
Flow log data for a monitored network interface is stored as flow log records, which are log events containing fields that describe the traffic flow. For more information, see Flow Log Record.
Flow log records are written to flow logs, which are then stored in a user-defined IONOS S3 Object Storage bucket from where they can be accessed.
You can export, process, analyze, and visualize flow logs using tools such as Security Information and Event Management (SIEM) systems, Intrusion Detection Systems (IDS), Cyberduck, Logstash, etc.
Traffic flows in your network are captured in accordance with the defined rules.
Flow logs are collected at a 10-minute rotation interval and have no impact on customer resources or network performance. Statistics about a traffic flow are collected and aggregated during this time period to create a flow log record.
No flow log file will be created if no flows for a particular bucket are received during the log rotation interval. This prevents empty objects from being uploaded to the IONOS S3 Object Storage.
The flow log file's name is prefixed with an optional object prefix, followed by a Unix timestamp and the file extension .log.gz, for example, flowlogs/webserver01-1629810635.log.gz.
Flow logs are retained in the IONOS S3 Object Storage bucket until they are manually deleted. Alternatively, you can configure objects to be deleted automatically after a predefined time period using a Lifecycle Policy for an object in the IONOS S3 Object Storage.
The IONOS S3 Object Storage owner of the object is an IONOS internal technical user named flowlogs@cloud.ionos.com (Canonical ID 31721881|65b95d54-8b1b-459c-9d46-364296d9beaf).
Never delete the IONOS Cloud internal technical user from your bucket as this disables the flow log service. The bucket owner also receives full permissions to the flow log objects by default.
To use flow logs, you need to be aware of the following limitations:
You can't change the configuration of a flow log or the flow log record format after it's been created. In the flow log record, for example, you can't add or remove fields. Instead, delete the flow log and create a new one with the necessary settings.
There is a limit of one flow log created per NIC, NAT Gateway, and Network Load Balancer.
DCD helps you connect the elements of your infrastructure and build a network to set up a functional virtual data center. Without a connected internet access element, your network is private.
The quickest way to connect elements is to drag them from the Palette directly onto elements that are already in the Workspace. The DCD will then show you whether and how the elements can be connected automatically.
1. Drag the elements from the Palette into the Workspace and connect them through their NICs.
2. In the Workspace, select the required VM; the Inspector will show its properties on the right.
3. From the Inspector pane, open the Network tab. Now you can access NIC properties.
4. Set NIC properties according to the following rules:
- MAC: The MAC address will be assigned automatically upon provisioning.
- Primary IP: The primary IP address is automatically assigned by the IONOS DHCP server. You can, however, enter an IP address for manual assignment by selecting one of the reserved IPs from the drop-down menu. Private IP addresses (according to RFC 1918) must be entered manually. The NIC has to be connected to the Internet.
- Failover: If you have an HA setup including a failover configuration on your VMs, you can create and manage IP failover groups that support your HA setup.
- Firewall: Configure a firewall.
- DHCP: It is often necessary to run a DHCP server in your virtual data center (e.g. PXE boot for fast rollout of VMs). If you use your own DHCP server, clear this check box so that your IPs are not reassigned by the IONOS DHCP server.
- Additional IPs: In order to use "floating" or virtual IPs, you can assign additional IPs to a NIC by selecting them from the drop-down menu.
When ready, provision your changes. The VDC will create a private network according to the set properties.
1. To split a LAN, select the required LAN in the Workspace.
2. In the Inspector, open the Actions menu and select Split LAN.
3. Confirm by clicking Split LAN.
4. Make further changes to your data center and provision your changes when ready.
The selected LAN is split and new IPs are assigned to the NICs in the new LAN.
1. To merge a LAN, select the required LAN in the Workspace.
2. To integrate this LAN into another LAN.
3. In the Inspector, open the Actions menu and select Merge LAN with another LAN.
4. In the dialog that appears, select the LANs to be merged with the selected LAN.
5. Select the checkboxes of the LANs you wish to keep separate.
6. Confirm by clicking Merge LANs.
(Optional) Make further changes to your data center.
7. Provision your changes.
The selected LANs are merged and new IPs are assigned to the NICs in the newly integrated LAN.
A private LAN that is integrated into a public LAN also becomes a public LAN.
Servers with internet access are assigned an IP automatically by the IONOS DHCP server. Please note that multiple servers sharing the same internet interface also share the same subnet. With required permissions, you can add as many internet access elements as you wish.
Users who do not have the permissions to add a new internet access element can connect to an existing element in their VDC, provided they have the permissions to edit it.
1. To add internet access, drag the Internet element from the Palette onto the Workspace.
2. Connect this element with Servers.
3. Set further properties of the connection at the respective NIC.
To make sure that high-availability (HA) or failover setups on your Virtual Machines are effective in case of events such as a physical server failure, you should set up "IP failover groups".
They are essential to all HA or fail-over setups irrespective of the mechanism or protocol used.
Please ensure that the high-availability setup is fully installed on your VMs. Creating an IP failover group in the DCD alone is not enough to set up a failover scenario.
A failover group is characterized by the following components:
- Members: The same (reserved, public) IP address is assigned to all members of an IP failover group so that communication within this group can continue in the event of a failure. You can set up multiple IP failover groups. A Dedicated Core Server can be a member of multiple IP failover groups. Dedicated Core Servers should be spread over different Availability Zones. The rules for managing the traffic between your VMs in the event of a failure are specified at the operating system level using the options and features for setting up high-availability or failover configurations. Users must have access rights for the IPs they wish to use.
- Master: During the initial provisioning, the master of an IP failover group in the DCD represents the master of the HA setup on your virtual machines. If you change the master later, you won't have to change the master of the IP failover group in the DCD.
- Primary IP address: The IP address of the IP failover group can be provisioned as the primary or additional IP address. We recommend that you provide the IP address used for the IP failover group as the primary IP address, as it is used to calculate the gateway IP, which is advantageous for some backup solutions. Please note that this will replace the previously provisioned primary IP address. When there are multiple IP failover groups in a LAN, a NIC involved in multiple of these groups can only be used once for the primary IP address. The DCD will alert you accordingly.
For technical reasons, this feature can only be used subject to the following limitations:
- In public LANs that do not contain load balancers.
- With reserved public IP addresses only - DHCP-generated IP addresses cannot be used.
- Virtual MAC addresses are not supported.
- IP failover must be configured for all HA setups.
Prerequisites: Please make sure that you have the privileges to Reserve IPs. You should have access to the required IP address. The LAN for which you wish to create an IP failover group should be public (connected to the Internet), and should not contain a load balancer.
1. In the Workspace, select the required LAN.
2. In the Inspector, open the IP Failover tab.
3. Click Create Group. In the dialog box that appears, select the IP address from the IP drop-down menu.
Select the NICs that you wish to include in the IP failover group by selecting their respective checkboxes.
Select the Primary IP checkboxes for all NICs for which the selected address is to be the primary IP address.
The primary IP address previously assigned to a NIC in another IP failover group is replaced.
Select the master of the group by clicking the respective radio button.
4. Click Create.
5. Provision your changes.
The IP failover group is now available.
1. Click the IP address of the required IP failover group.
2. The properties of the selected group are displayed.
3. To change the IP address, click Change.
4. In the dialog box that appears, select a new IP address.
(Optional) If no IP address is available, reserve a new one by clicking +.
5. Specify the primary IP address by selecting the respective check box.
6. Confirm your changes by clicking Change IP.
7. To Change Master, select the new Master by clicking the respective radio button.
8. To add or remove members, click Manage.
9. Select or clear the checkboxes of the required NICs.
10. Confirm your changes by clicking Update Group.
1. Click the IP address of the required failover group.
2. The properties of the selected IP failover group are displayed.
3. Click Remove. Confirm your action by clicking OK.
4. Provision your changes.
The IP failover group is no longer available. The DCD no longer maps your HA setup.
Prerequisites: Make sure you have the appropriate privileges. Only contract owners, administrators, or users with the Create Data Center privilege can set up a VDC. Other user types have read-only access and can't provision changes.
Activate and configure a Firewall for each Network Interface Card (NIC) to better protect your servers from attacks. IONOS Cloud Firewalls can filter incoming (ingress), outgoing (egress), or bidirectional traffic. When configuring firewalls, define appropriate rules to filter traffic accordingly.
To activate a Firewall, follow these steps:
1. In the Workspace, select a Virtual Machine with a NIC.
2. From the Inspector pane, open the Network tab.
3. Open the properties of the NIC for which you want to set up a Firewall.
4. Choose either Ingress, Egress, or Bidirectional traffic flow type for which the Firewall needs to be activated.
Warning: Activating the Firewall without additional rules will block all incoming traffic. Make sure you set the Firewall rules by using Manage Rules.
Result: The Firewall is activated for the selected NIC.
To create a Firewall rule, follow these steps:
1. In the Workspace, select a VM with a NIC.
2. From the Inspector pane, open the Network tab.
3. Open the properties of the NIC for which you wish to manage Firewall Rules.
4. Click Manage Rules.
5. Click Create Firewall Rule and choose one of the following types of Firewall rules from the drop-down list:
- Transmission Control Protocol (TCP) Rule
- User Datagram Protocol (UDP) Rule
- Internet Control Message Protocol (ICMP) Rule
- ICMPv6 Rule
- Any Protocol
6. Enter values for the following in a Firewall rule:
- Name: Enter a name for the rule.
- Direction: Choose the traffic direction between Ingress and Egress.
- Source MAC: Enter the Media Access Control (MAC) address to be passed through by the firewall.
- Source IP/CIDR: Enter the IP address to be passed through by the Firewall.
- Destination IP/CIDR: If you use virtual IP addresses on the same network interface, you can enter them here to allow access.
- Port Range Start: Set the first port of an entire port range.
- Port Range End: Set the last port of a port range or enter the port from Port Range Start if you only want this port to be allowed.
- ICMP Type: Enter the ICMP Type to be allowed. Example: 0 or 8 for echo requests (ping) or 30 for traceroutes.
- ICMP Code: Enter the ICMP Code to be allowed. Example: 0 for echo requests.
- IP Version: Select a version from the drop-down list. By default, it is Auto.
7. (Optional) You can add Firewall rules from an existing template by using Rules from Template. The Generic Webserver, Mailserver, Remote Access Linux, and Remote Access Windows are the types of Firewall rules you can add from the existing rules template.
8. Alternatively, you may import an existing rule set by using Clone Rules from other NIC.
9. Click Save to confirm creating a Firewall rule.
Result: A Firewall Rule is created with the configured values.
A flow log record is a record of a network flow in your virtual data center (VDC). By default, each record captures a network internet protocol (IP) traffic flow, groups it, and is enhanced with the following information:
- Account ID of the resource
- Unique identifier of the network interface
- The flow's status, indicating whether it was accepted or rejected by the software-defined networking (SDN) layer
The flow log record is in the following format:
The following table describes all of the available fields for a flow log record.
| Field | Type | Description | Example Value |
|---|---|---|---|
| | string | The flow log version. Version 2 is the default. | 2 |
| | string | The IONOS Cloud account ID of the owner of the resource containing the interface for which flow logs are collected. | 12345678 |
| | string | The interface unique identifier (UUID) for which flow logs are collected. | 7ffd6527-ce80-4e57-a949-f9a45824ebe2 |
| | string | The source address for incoming traffic, or the IPv4 address of the network interface for outgoing traffic. | 172.17.1.100 |
| | string | The destination address for outgoing traffic, or the IPv4 address of the network interface for incoming traffic. | 172.17.1.101 |
| | uint16 | The source port from which the network flow originated. | 59113 |
| | uint16 | The destination port for the network flow. | 20756 |
| | uint8 | The Internet Assigned Numbers Authority (IANA) protocol number of the traffic. | 6 |
| | uint64 | The number of packets transferred during the network flow capture window. | 17 |
| | uint64 | The number of bytes transferred during the network flow capture window. | 1325 |
| | string | The timestamp, in UNIX EPOCH format, of when the first packet of the flow was received within the grouping interval. | 1587983051 |
| | string | The timestamp, in UNIX EPOCH format, of when the last packet of the flow was received within the grouping interval. | 1587983052 |
| | string | The action associated with the traffic. ACCEPT: traffic accepted by the firewall. REJECT: traffic rejected by the firewall. | ACCEPT |
| | string | The flow log logging status. OK: normal flow logging. SKIPDATA: some flow log records were skipped during the grouping interval. | OK |
The following are examples of flow log records that capture specific traffic flows. For information on how to create flow logs, see
In this example, traffic to the network interface 7ffd6527-ce80-4e57-a949-f9a45824ebe2 for the account 12345678 was accepted.
In this example, traffic to the network interface 7ffd6527-ce80-4e57-a949-f9a45824ebe2 for the account 12345678 was rejected.
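The following Python parser for the flow log records and object names described on this page is an added example, not IONOS code. It validates each field against the table's types and totals rejected packets per source address and destination port, which is the usual first check that firewall rules behave as intended. The field names, the whitespace-separated record layout, and the sample records are assumptions, since the page does not show the field names or the record format line.

```python
import gzip
import io
import ipaddress
import re
from collections import Counter

# Field order and types follow the table above. The field names and the
# whitespace delimiter are assumptions (missing from the page).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
U64 = 2**64 - 1
INT_LIMITS = {"srcport": 0xFFFF, "dstport": 0xFFFF, "protocol": 0xFF,
              "packets": U64, "bytes": U64, "start": U64, "end": U64}
KEY_RE = re.compile(r"^(?P<prefix>.*)-(?P<ts>\d+)\.log\.gz$")


def parse_object_key(key):
    """Split '<object prefix>-<Unix timestamp>.log.gz' into (prefix, timestamp)."""
    match = KEY_RE.match(key)
    if match is None:
        raise ValueError(f"not a flow log object key: {key!r}")
    return match["prefix"], int(match["ts"])


def parse_record(line):
    """Parse and validate one record; raise ValueError if it is malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for name, limit in INT_LIMITS.items():
        value = int(rec[name])  # raises ValueError on non-numeric text
        if not 0 <= value <= limit:
            raise ValueError(f"{name} out of range: {value}")
        rec[name] = value
    for name in ("srcaddr", "dstaddr"):
        rec[name] = ipaddress.ip_address(rec[name])  # accepts IPv4 and IPv6
    if rec["action"] not in ("ACCEPT", "REJECT"):
        raise ValueError(f"unknown action: {rec['action']!r}")
    if rec["log_status"] not in ("OK", "SKIPDATA"):
        raise ValueError(f"unknown log status: {rec['log_status']!r}")
    return rec


def summarize(gz_bytes):
    """Total rejected packets per (source, dstport); count SKIPDATA and bad lines."""
    rejected, skipped, malformed = Counter(), 0, 0
    with gzip.open(io.BytesIO(gz_bytes), "rt", encoding="utf-8") as handle:
        for line in filter(str.strip, handle):  # ignore blank lines
            try:
                rec = parse_record(line)
            except ValueError:
                malformed += 1  # counted, never dropped silently
                continue
            skipped += rec["log_status"] == "SKIPDATA"
            if rec["action"] == "REJECT":
                rejected[(str(rec["srcaddr"]), rec["dstport"])] += rec["packets"]
    return rejected, skipped, malformed


# Constructed sample object; the first record reuses the page's example values.
NIC = "7ffd6527-ce80-4e57-a949-f9a45824ebe2"
SAMPLE_GZ = gzip.compress("\n".join([
    f"2 12345678 {NIC} 172.17.1.100 172.17.1.101 59113 20756 6 17 1325 1587983051 1587983052 ACCEPT OK",
    f"2 12345678 {NIC} 203.0.113.7 172.17.1.101 40022 22 6 3 180 1587983051 1587983052 REJECT OK",
    f"2 12345678 {NIC} 203.0.113.7 172.17.1.101 40023 22 6 2 120 1587983060 1587983061 REJECT SKIPDATA",
    f"2 12345678 {NIC} 203.0.113.7 172.17.1.101 70000 22 6 1 60 1587983070 1587983071 REJECT OK",
]).encode())
```

A non-zero SKIPDATA or malformed count means the totals for that rotation interval are incomplete and should not be read as proof that no other traffic was rejected.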
If you want to build a network using static IP addresses, IONOS Cloud offers you the option to reserve IPv4 addresses for a fee. You can reserve one or more addresses in an IP block using the IP Manager.
Note: It is not possible to reserve a specific IPv4 address; you are assigned a random address by IONOS Cloud.
An IP address can only be used in the data center from the region where it was reserved. Therefore, if you need an IP address for your virtual data center in Karlsruhe, you should reserve the IP address there. Each IP address can only be used once, but different IP addresses from a block can be used in different networks, provided these networks are provisioned in the same region where the IP block is located.
Reserving and using IPv4 addresses is restricted to authorized users only. Contract owners and administrators may grant privileges to reserve IP addresses.
Prerequisites: Make sure you have the appropriate permissions. Only contract owners, administrators, or users with the Reserve IP privilege can reserve IP addresses. Other user types have read-only access and can't provision changes.
In the DCD, go to the Menu > Management > IP Management.
In the IP Manager, select + Reserve IPs.
Enter the following IP block information:
- Name: Enter a name for the IP block.
- Number of IPs: Enter the number of IPv4 addresses you want to reserve.
- Region: Enter the location of the IONOS data center where you want your IPs to be available.
Confirm your entries by selecting Reserve IPs.
The number of IPs you have reserved is available as an IP block. The IP block details should now be visible on the right.
IP addresses cannot be returned individually, but only as a block and only when they are not in use.
Note: If you return a static IP address, you cannot reserve it again afterwards.
In the DCD, go to Menu > Management > IP Management.
Ensure the IPs you want to release are not in use.
Select the required IP block.
Select Delete to return the IP block to the pool.
Confirm your action by selecting OK.
The IP block and all IP addresses contained are released and removed from your IONOS Cloud account.
The information and assistance available in this category make it easier for you to work with flow logs using the Data Center Designer (DCD). For the time being, you have the option of doing either of the following.
You can create flow logs for your network interfaces as well as the public interfaces of the Network Load Balancer and Network Address Translation (NAT) Gateway. Flow logs can publish data to your buckets in the IONOS S3 Object Storage.
After you have created and configured your bucket in the IONOS S3 Object Storage, you can create flow logs for your network interfaces.
Before you create a flow log, make sure that you meet the following prerequisites:
You are logged on to the .
You are the .
You have to edit the required data center.
You have the privilege.
You are the owner or have write access to permissions of an .
You have an IONOS S3 Object Storage instance with a bucket that exists for your flow logs. To create an IONOS S3 Object Storage bucket, see .
Select the appropriate tab for the instance or interface for which you want to activate flow logs in the workspace.
In the Inspector pane, open the Network tab.
Open the properties of the Network Interface Controller (NIC).
Activate flow logs
Open the Flow Log drop-down and fill in the following fields:
- For Name, enter a name for the flow log rule. The name will also be the first part of the objects’ name prefix.
- For Direction, choose Ingress to create flow logs for incoming traffic, Egress for outgoing traffic, or Bidirectional to create flow logs for all traffic.
- For Action, choose Rejected to capture only traffic blocked by the firewall, Accepted to capture only traffic allowed by the firewall, or Any for all traffic.
- For Target S3 bucket, enter a valid existing IONOS S3 Object Storage bucket name and an optional object name prefix where flow log records should be written.
Select Add flow log to complete the configuration of the flow log. It is applied once you provision your changes.
Characters / (slash) and %2F are not supported as object prefix characters.
You cannot edit the fields of a flow log rule after activating it.
There is a limit of one flow log created per NIC, NAT Gateway, and Network Load Balancer (NLB).
Result: An activated flow log rule is visualized by a green light on the NIC properties. The green light indicates that the configuration has been validated and is valid for provisioning.
A summary of the flow logs rule can be seen by opening the drop-down of the flow log and selecting the name of the flow log rule.
At this point, you may make further changes to your data center (optional).
When ready, select Provision changes. After provisioning is complete, the network interface's flow logs are activated.
Flow logs can be provisioned on both new and previously provisioned instances.
Prerequisites
Before you delete a flow log, make sure that you meet the following prerequisites:
Procedure
1. In the Workspace, select the relevant VM of the interface for which you want to delete the flow logs.
2. In the Inspector pane, open the Network tab.
3. Open the properties of the NIC.
4. Open the Flow Log drop-down.
5. Select the trash bin icon to delete the flow log.
6. In the confirmation message, select OK.
7. Select Provision changes. After provisioning is complete, the network interface's flow logs are deleted and no longer captured.
Deleting a flow log does not delete the existing log streams from your bucket. Existing flow log data must be deleted using the respective service's console. In addition, deleting a flow log that publishes to IONOS S3 Object Storage does not remove the bucket policies and log file access control lists (ACLs).
In the Inspector pane, open the Settings tab.
To activate flow logs, open the Flow Log drop-down and fill in the following fields:
- For Name, enter a name for the flow log rule. The name will also be the first part of the objects’ name prefix.
- For Direction, choose Ingress to create flow logs for incoming traffic, Egress for outgoing traffic, or Bidirectional to create flow logs for all traffic.
- For Action, choose Rejected to capture only traffic blocked by the firewall, Accepted to capture only traffic allowed by the firewall, or Any for all traffic.
- For Target S3 bucket, enter a valid existing IONOS S3 Object Storage bucket name and an optional object name prefix where flow log records should be written.
Select Add flow log to complete the configuration of the flow log. It is applied once you provision your changes.
The Internet Assigned Numbers Authority (IANA) protocol number of the traffic. For more information, see