Cloud / February 27, 2024

AWS Flow Logs vs. Gigamon Application Metadata Intelligence

AWS Virtual Private Cloud (VPC) Flow Logs and Gigamon Application Metadata Intelligence (AMI) solve similar yet different network performance monitoring problems. This blog will examine the differences between those solutions to help users decide which product meets their needs. 

AWS VPC Flow Logs

VPC Flow Logs is a feature that many would consider to be classic network logging. It allows an organization to log 5-tuple (a set of five values that specify the source, destination, and protocol) IP traffic going to and from elastic network interfaces (ENIs) in their VPC. A number of AWS-specific fields can also be captured in the log, such as account-id, interface-id, vpc-id, instance-id, region, and az-id. A comprehensive list of Amazon attributes can be found in the Amazon Virtual Private Cloud User Guide.

Once logging has been configured, the logs need to be written to a location. Supported locations are Amazon CloudWatch Logs, Amazon S3, and Amazon Kinesis Data Firehose.

VPC Flow Logs can help with several tasks for which logging is usually used, such as:

  • Diagnosing restrictive security group rules/IP access lists
  • Monitoring traffic that is reaching your instance
  • Identifying the source/destination IP of communication streams
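
As an added illustration (not part of the original post), the sketch below parses records in the default version 2 flow log layout, counts REJECT records per destination service to point at restrictive security group or access list rules, and merges the two one-way records of a flow into a single conversation. The sample records, interface ID, and account ID are constructed.

```python
from collections import defaultdict

# Default (version 2) VPC Flow Logs record layout, space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (documentation address ranges, made-up IDs).
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 49152 443 6 12 4200 1709020800 1709020860 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 198.51.100.7 443 49152 6 10 9800 1709020800 1709020860 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51000 22 6 3 180 1709020800 1709020860 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51001 22 6 2 120 1709020860 1709020920 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1709020920 1709020980 - NODATA
"""

def parse(text):
    """Yield one dict per record, skipping NODATA/SKIPDATA and malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no 5-tuple was captured in this aggregation window
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        yield rec

def rejected_services(records):
    """Count REJECT records per (dstaddr, dstport, protocol)."""
    hits = defaultdict(int)
    for r in records:
        if r["action"] == "REJECT":
            hits[(r["dstaddr"], r["dstport"], r["protocol"])] += 1
    return dict(hits)

def conversations(records):
    """Merge the one-way records of a flow into one bidirectional entry."""
    convs = defaultdict(lambda: {"bytes": 0, "directions": set()})
    for r in records:
        a, b = (r["srcaddr"], r["srcport"]), (r["dstaddr"], r["dstport"])
        key = (r["interface_id"], r["protocol"], min(a, b), max(a, b))
        convs[key]["bytes"] += r["bytes"]
        convs[key]["directions"].add(a)  # remember which side sent
    return dict(convs)

if __name__ == "__main__":
    recs = list(parse(SAMPLE))
    print(rejected_services(recs), conversations(recs))
```

Repeated REJECT counts against one destination port are the usual sign of a rule that is tighter than intended; the records carry only addresses, ports, and protocol numbers, so they say nothing about which application was on the port.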

Gigamon Application Metadata Intelligence

Gigamon AMI not only offers classic logging but also captures the 5-tuple log information and adds context, through metadata, to the stream. AMI has close to 6,000 applications and protocol attributes that can be added to logs to enhance observability tools, SIEMs, and custom tools. This allows for application-level visibility that is not available in VPC Flow Logs. AMI allows for logs to be enriched in several ways to help identify a range of activity, including: 

  • Weak ciphers
  • Untrusted/expired TLS certificates
  • Unusual and suspicious DNS traffic
  • Rogue activity such as crypto mining
  • Applications such as SSH 

All these applications and more can be detected on non-standard ports. For more details on AMI starter packs and use cases, read the Gigamon AMI tech brief.

With AMI instrumentation, it is possible to differentiate between slow network and application performance. Sometimes network delivery is fast, but the service/application that rides on top of it is slow. Conversely, the network can be slow and the application fast, which results in the appearance of the app being slow. It can be difficult to tell the difference, which is a crucial challenge for CloudOps and NetOps.

Key Differences: VPC Flow Logs vs. Gigamon AMI

The key difference between VPC Flow Logs and Gigamon AMI is the location where the traffic logging takes place. VPC mirroring logs traffic from ENI to ENI, whereas Gigamon AMI logs the traffic in the workload before it hits the ENI. This allows for some unique visibility. AMI, in conjunction with GigaVUE® Universal Cloud Tap (UCT), can see and classify traffic before it is encrypted, offering a powerful window into applications and data in motion, including containers.

Gigamon AMI does not capture AWS proprietary information such as instance-id, region, and other Amazon fields.

VPC Flow Logs:

  • Native tool
  • Classic logging
  • AWS proprietary metrics
  • Unidirectional flow logs
  • Per ENI per hour cost

Gigamon AMI:

  • Close to 6,000 protocols and applications
  • Hybrid cloud logging
  • Captures all traffic,* including containers
  • Bidirectional flow logs
  • Flat consumption cost/unlimited deployment

A major strength of Gigamon AMI becomes clear in hybrid cloud environments. VPC Flow Logs stop recording at the AWS boundary, whereas Gigamon AMI can track and log applications and protocols as those streams traverse from on prem to cloud and across clouds.

Capturing data from the workload instead of the ENI can give insight into additional traffic that is not available in VPC mirroring.* AMI captures 169.254.x.x traffic, including:

  • Instance metadata
  • AWS reserved IP traffic
  • AWS DNS traffic

Learn More About AMI

Gigamon Application Metadata Intelligence works out of the box with New Relic, Splunk, QRadar, Dynatrace, Sumo Logic, Datadog, LogRhythm, and other SIEM and observability tools. In fact, any security tool can benefit from AMI as long as it has an adapter to parse CEF, IPFIX, or JSON. With AMI, reports and accompanying dashboards are fully customizable.

Additionally, organizations can get access to AMI Starter Packs comprising pre-defined tool templates and plugins designed to help export the relevant metadata attributes from the Gigamon device. These plugins help visualize a variety of use cases in our partner ecosystem tools. Visit the Application Metadata Intelligence web page or download the tech brief and data sheet.
