X

Announcing VCN flow logs general availability for Oracle Cloud Infrastructure

Paul Cainkar
Principal Solution Architect

We’re pleased to announce the general availability of VCN flow logs for Oracle Cloud Infrastructure (OCI). With this service, you can view connection information for traffic within and to and from your virtual cloud network (VCN).

We’re announcing this release as a joint general availability with our Oracle Cloud Infrastructure Logging service.

Overview

VCN flow logs keep detailed metadata records of every flow that passes through your VCN and presents this data for analysis in the Oracle Cloud Infrastructure Logging service. This data includes information about the source and destination of the traffic, along with the volume of traffic and the accept or reject policy action taken, based on your network security rules. You can use this information for network monitoring, troubleshooting, and compliance. Through native cloud integration with the Logging service, you can view, search, export, and stream log files to your on-premise SIEM.

ACCEPT TCP 172.21.2.185 Port 43360 → 129.146.13.236 Port 443 Bytes 10515 Packets 19
ACCEPT TCP 129.146.13.236 Port 443 → 172.21.2.185 Port 43360 Bytes 5548 Packets 14

VCN flow logs support all resources in your subnet. The resources include not only Compute instances, but service private endpoints, LBaaS, PaaS services, and other future items in your VCN.

Integration options

With this product, we’re also excited to introduce data export and streaming options for ingestion of your flow logs. Through Logging service connectors, you can archive logs to object storage to meet compliance and data retention needs or stream in under 10 minutes to your SIEM or log management platform. We also support alarming on event data to meet your alerting needs, in addition to the built-in log search capabilities of the Console.

A structured JSON format powers everything for data interchange, which allows easy integration with both existing log management platforms and other Oracle Cloud Infrastructure services.

a graphic depicting the architecture using VCN Flow Logs.

Use cases

Use VCN flow logs in the following use cases.

Troubleshooting and Monitoring

You can use flows logs for troubleshooting and monitoring. Flow logs show attempts to connect to your database from your on-premises environment, as shown in the following figure. Logs also show whether security rules allow or deny the traffic. You can use this information to make quick, informed decisions about managing your network resources, such as capacity-planning and network security response.

A graphic depicting how Oracle Cloud VCN connects to your on-premises.

Regulatory and Compliance

You can now achieve regulatory, compliance, and other governance requirements previously only achievable through third-party network virtual appliances or host-based agents. Through the visibility afforded by VCN flow logs and flexible data-retention options provided by the Logging export, you can meet requirements in financial, healthcare, and other regulated industries.

Getting started with VCN flow logs

Through the Logging service, you can enable, view, and manage your flow log configuration.

Enable flow logs

  1. In the navigation menu in the Console, go to Logging and click Log Management.

  2. Create a log group to store your Flow Logs configuration.

    On the Log Groups tab, click Create Log Group. Enter a name and a description, and then click Create.

    A screenshot of the Create Log Group window with the name and description outlined in gray

  3. Enable flow logs on your subnet.

    On the Logs tab, click Enable Log. Select the Flow Logs service, and select your subnet as the resource. Enter a name for the log, and click Enable Log.

    A screenshot of the Enable Resource Log window with the device, resource, log category, and log name outlined in gray.

That’s it! Within minutes, your logs should become available.

Alternatively, we’ve also enabled the ability to enable flow logs through the Logging tab on your subnet, which redirects you to the same workflow.

A screenshot of the Subnet Details page, showing the logs enabled.

View logs

You can access your logs from the Oracle Cloud Logging Search experience. You can also set up advanced scenarios to export to Object Storage or stream through the Streaming service to your Apache Kafka compatible endpoint.

The export and stream solutions are covered in deeper detail in the documentation. We go over the Console search experience, which is all you need to get started!

Logging Console viewer

You can view and search VCN flow logs directly within the Logging service’s Console-based viewer. This view provides an easy-to-use, indexed repository of your recent logs. To access the Logging viewer, navigate to Logging and then Log Search in the Console.

A screenshot of the Search window in the Console.

Search filtering and visualization

You can also filter and visualize your data. You can use attributes such as security rule action, IP address, port, and more to create relevant queries and multiple visualization options exist.

In this example, I type “data” into the filter box and receive the following options:

A screenshot of the filter by field or text search window, with data.destinationAddress= filled into the search field.

To simulate an unauthorized internet user trying to reach your instance, I wrote a query showing all rejected connection attempts to my server at address 10.0.0.3 through a filter and visualized the results based on source IP.

A screenshot of the search filter, showing rejected connection attempts

Object Storage

With the Logging Service Connector feature, you can export flow logs to Object Storage. Take advantage of low-cost archives of your logs with retention based on life-cycle policies for your bucket by following these instructions. You can retrieve the files for later analysis or retain them indefinitely.

A screenshot of the Objects screen, showing an uploaded log file.

Partnerships and other integrations

As part of the Splunk Technical Alliance Partnership, we’ve published integrations to allow customers to stream VCN flow logs to their on-premises or Splunk Cloud platform. We have a tech note detailing the setup process and an overview blog on this integration.

Want to integrate into your own SIEM or logging management solution? We have you covered. You can stream flow logs to any Oracle Cloud Infrastructure Streaming or Apache Kafka compliant endpoint. You can even send it to an Autonomous Database.

Conclusion

Thank you for your interest in VCN flow logs. On behalf of the Virtual Networking product team, we encourage you to share any product feedback that you have in the comments.

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.