This document outlines the prerequisites, required AWS IAM permissions, and configuration steps needed to enable Amazon VPC monitoring using VPC Flow Logs, Amazon Athena, and AWS Glue in Applications Manager.
It also provides troubleshooting guidance for common configuration and data collection issues.
Note:
- The VPC Monitor collects network traffic and performance metrics only when VPC Flow Logs are enabled at the VPC level.
- Flow Logs must be delivered to an Amazon S3 bucket.
- Flow Logs delivered to CloudWatch Logs are not supported for VPC monitoring.
Data Collection Configuration (DCC):
- Default data collection interval: 15 minutes
- Minimum supported interval: 10 minutes
Prerequisites:
- A valid AWS Account with access to EC2 (VPC), S3, Athena, and Glue services.
- VPC Flow Logs must be enabled for the target VPC and delivered to an S3 bucket.
- An IAM User or Role with the required permissions (detailed below).
- A dedicated S3 bucket for storing VPC Flow Logs and Athena query outputs.
- Athena and Glue must be enabled in the same AWS region as the VPC Flow Logs.
Note: VPC Flow Logs are the primary data source for traffic analysis. Without valid flow logs in S3, monitoring data will not be available.
How to Enable VPC Flow Logs (Required Configuration)
- Sign in to the AWS Management Console.
- Navigate to VPC → Your VPCs.
- Select the target VPC for which monitoring needs to be enabled.
- Open the Flow Logs tab and click Create flow log.
- For Resource type, ensure VPC is selected.
- Select the required Traffic type:
  - Accept – Records accepted traffic only
  - Reject – Records rejected traffic only
  - All – Records both accepted and rejected traffic (recommended)
- For Destination, select Send to an Amazon S3 bucket. Do not select CloudWatch Logs.
- Specify the ARN of the S3 bucket where VPC Flow Logs should be delivered.
- Choose or create an IAM role with permissions to write Flow Logs to the S3 bucket.
- Under Log format:
  - Ensure the log file format is plain text.
  - Use the following custom log format exactly as shown (mandatory):
    ${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}
- Ensure log delivery is partitioned by time:
  - Logs are expected to be partitioned every 24 hours (default AWS behavior).
  - Each partition corresponds to a unique year/month/day directory:
    s3://<bucket-name>/AWSLogs/<account-id>/vpcflowlogs/<region>/<year>/<month>/<day>/
- Click Create flow log to complete the configuration.
Important: Any deviation in the log format, file type, or partitioning structure may prevent performance metrics from being collected successfully.
Best Practice: Enable Flow Logs at the VPC level instead of the subnet or ENI level to ensure complete traffic visibility for monitoring.
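Before adding the monitor, it is worth confirming that objects already delivered to the bucket really carry the mandatory 14-field format and the year/month/day partition path above; the Python check below is an added example, not Applications Manager code. The object key, account ID, ENI and records are constructed sample values, and NODATA/SKIPDATA records (which carry "-" in the traffic columns) are accepted as valid.

```python
import re

# Field order of the mandatory custom log format (names as typed in the console).
FLOW_LOG_FIELDS = "version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status".split()
# Integer fields in an OK record; NODATA/SKIPDATA records carry "-" in the traffic columns.
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
ALWAYS_INT = {"version", "start", "end"}
# Default delivery layout: AWSLogs/<account-id>/vpcflowlogs/<region>/<yyyy>/<mm>/<dd>/<file>.log.gz
PARTITION_KEY = re.compile(
    r"^AWSLogs/\d{12}/vpcflowlogs/[a-z]{2}(-[a-z]+)+-\d/\d{4}/\d{2}/\d{2}/[^/]+\.log\.gz$")

def valid_partition_key(key: str) -> bool:
    # True when the object key sits in the expected year/month/day partition path.
    return PARTITION_KEY.match(key) is not None

def parse_record(line: str) -> dict:
    # Parse one record into a field dict; raise ValueError when it deviates from the format.
    parts = line.split()
    if len(parts) != len(FLOW_LOG_FIELDS):
        raise ValueError(f"expected {len(FLOW_LOG_FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FLOW_LOG_FIELDS, parts))
    if rec["log-status"] not in ("OK", "NODATA", "SKIPDATA"):
        raise ValueError(f"unexpected log-status {rec['log-status']!r}")
    for name in (INT_FIELDS if rec["log-status"] == "OK" else ALWAYS_INT):
        if not rec[name].isdigit():
            raise ValueError(f"field {name} must be an integer, got {rec[name]!r}")
    return rec

def validate_object(key: str, text: str) -> list:
    # Check one delivered object; returns a list of problems (empty when the object is usable).
    problems = []
    if not valid_partition_key(key):
        problems.append(f"key {key!r} is outside the expected partition path")
    lines = [ln for ln in text.splitlines() if ln.strip()]
    # Plain-text files delivered to S3 start with a header naming the fields, so a wrong format shows there first.
    if lines and lines[0][:1].isalpha():
        if lines[0].split() != FLOW_LOG_FIELDS:
            problems.append("header does not match the mandatory custom log format")
        lines = lines[1:]
    for line in lines:
        try:
            parse_record(line)
        except ValueError as exc:
            problems.append(f"{line[:40]}...: {exc}")
    return problems

# Constructed sample object: key in the default partition path, header, one OK and one NODATA record.
SAMPLE_KEY = "AWSLogs/123456789012/vpcflowlogs/us-east-1/2024/05/01/123456789012_vpcflowlogs_us-east-1_fl-0123456789abcdef0_20240501T0000Z_a1b2c3d4.log.gz"
SAMPLE_TEXT = "\n".join([" ".join(FLOW_LOG_FIELDS),
    "2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.10 10.0.2.20 49152 443 6 12 5300 1714521600 1714521660 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1714521600 1714521660 - NODATA"])
```

Run `validate_object` over a few objects pulled from the bucket (after `gunzip`); any non-empty result explains why the monitor would report no performance metrics.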
Required AWS IAM Permissions and Policies
The following IAM policy provides the minimum required permissions to:
- Discover VPC resources
- Read flow log data
- Query traffic metrics using Athena
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeFlowLogs"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::<VPC_FLOW_LOG_BUCKET>",
        "arn:aws:s3:::<VPC_FLOW_LOG_BUCKET>/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "athena:StartQueryExecution",
        "athena:GetQueryExecution",
        "athena:GetQueryResults"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:CreateDatabase",
        "glue:GetTable",
        "glue:CreateTable",
        "glue:GetPartitions"
      ],
      "Resource": "*"
    }
  ]
}
Why are these permissions required?
- EC2 permissions – Discover VPCs, subnets, ENIs, and validate Flow Log configuration.
- S3 permissions – Verify Flow Log delivery and read log files for analysis.
- Glue permissions – Create and manage databases, tables, and partitions for Athena.
- Athena permissions – Execute SQL queries and retrieve traffic analytics.
Database, Table, and Storage Structure
| Component | Format / Naming Convention |
| --- | --- |
| Glue Database | meapm_vpc_<vpc-id-without-prefix> |
| Glue Table | meapm_vpc_tb_<vpc-id-without-prefix> |
| VPC Flow Logs Location | s3://<bucket-name>/AWSLogs/<account-id>/vpcflowlogs/<region>/ |
| Athena Query Output | s3://<bucket-name>/AWSLogs/<account-id>/vpcflowlogs/<region>/outputs/ |
| Partition Path | s3://<bucket-name>/AWSLogs/<account-id>/vpcflowlogs/<region>/<year>/<month>/<day>/ |
Data Retention and Query Execution Details
S3 Data Retention and Lifecycle Management
- The VPC Monitor does not delete, modify, or manage any objects stored in your S3 bucket.
- All VPC Flow Log data and Athena query results remain in S3 until explicitly removed by the customer.
- To control storage costs, customers are strongly advised to configure S3 Lifecycle policies.
Recommendation:
Configure S3 object lifecycle rules based on the data collection interval (DCC) set for performance metric collection.
Example:
- 10–15 minutes DCC → Retain Flow Logs for 2 hours to 1 day.
- More than 24 hours DCC → Retain Flow Logs for 2 days.
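S3 Lifecycle expiration counts whole days, so the 2-hour lower bound above cannot be expressed as a lifecycle rule; the Python below (an added example, not Applications Manager's code) builds the smallest rule that follows this guidance and checks whether a bucket's existing configuration already covers the flow log prefix, which matters because put-bucket-lifecycle-configuration replaces all existing rules. The prefix is the default delivery path from the table above; the account ID and region are constructed placeholders.

```python
# Minimum supported data collection interval for the VPC Monitor, in minutes.
MIN_DCC_MINUTES = 10

def retention_days(dcc_minutes: int) -> int:
    """Whole days of Flow Log retention that follow the guidance above for a given DCC."""
    if dcc_minutes < MIN_DCC_MINUTES:
        raise ValueError(f"DCC of {dcc_minutes} min is below the supported minimum of {MIN_DCC_MINUTES}")
    # S3 Lifecycle expiration is expressed in whole days: the shortest rule that still covers a
    # 10-15 minute cycle (or anything up to a day) is 1 day; a DCC above 24 hours keeps 2 days.
    return 1 if dcc_minutes <= 24 * 60 else 2

def flow_log_prefix(account_id: str, region: str) -> str:
    """Default delivery prefix under the bucket; the Athena outputs/ folder sits beneath it too."""
    return f"AWSLogs/{account_id}/vpcflowlogs/{region}/"

def lifecycle_configuration(account_id: str, region: str, dcc_minutes: int) -> dict:
    """LifecycleConfiguration body for put-bucket-lifecycle-configuration, scoped to the
    flow log prefix, so one rule expires both the daily partitions and the query results."""
    return {"Rules": [{
        "ID": f"expire-vpc-flow-logs-{region}",
        "Status": "Enabled",
        "Filter": {"Prefix": flow_log_prefix(account_id, region)},
        "Expiration": {"Days": retention_days(dcc_minutes)},
        # Abandoned multipart uploads are billed until aborted, so clean them up on the same prefix.
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 1},
    }]}

def covers_flow_logs(config: dict, account_id: str, region: str) -> bool:
    """True when an existing configuration already expires objects under the flow log prefix
    (an enabled rule whose prefix is the whole bucket or a parent of the flow log path)."""
    target = flow_log_prefix(account_id, region)
    for rule in config.get("Rules", []):
        # Both the current Filter.Prefix form and the legacy top-level Prefix form are accepted.
        rule_prefix = rule.get("Filter", {}).get("Prefix", rule.get("Prefix", ""))
        if rule.get("Status") == "Enabled" and "Expiration" in rule and target.startswith(rule_prefix):
            return True
    return False
```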
Athena Query Execution Behavior
- Performance metric collection is executed per Elastic Network Interface (ENI) in the VPC.
- For VPCs with a large number of ENIs, multiple Athena queries may be triggered during each data collection cycle.
Managing Athena Limits and Scaling Safely
- Large VPCs with high ENI counts may approach Athena query concurrency or execution limits.
- Queries are retried automatically (default: 3 retries with 5-second wait intervals).
Best Practices:
- Increase the data collection interval for very large VPCs.
- Limit excessive ENI churn by reviewing unused or stale ENIs.
- Monitor Athena query limits and request service quota increases if required.