AWS announced additional metadata fields for Amazon VPC Flow Logs. The most useful part for day-to-day troubleshooting is that flow log records can now include tag values from related resources, such as EC2 instances, network interfaces, and Auto Scaling groups. They can also include next-hop metadata, which helps explain how traffic leaves or moves through the VPC.
That means a query no longer has to start from an IP address or ENI ID. You can filter traffic by names and routing context that humans actually recognize.
When enabling the flow log, I also had to fill in Tag field specifications. For this example, the important entry is the EC2 instance tag key Name; that is what lets the instance-tag field resolve to the instance name in each flow log record.

In this small demo I used one EC2 instance in a private subnet with private IP 172.31.100.178 and a Name: bob tag. That tag value is what appears in the flow log metadata.
The instance reaches the internet through a NAT Gateway. I configured the flow log format to include the instance tag and next-hop interface type metadata. In the VPC Flow Logs record format these fields are instance-tag and next-hop-interface-type.
To show only internet traffic originated by bob, without filtering on IP addresses or ENI IDs:
fields @timestamp, srcAddr, srcPort, dstAddr, dstPort, protocol, action, instanceTag, nextHopInterfaceType
| filter instanceTag = 'bob' and nextHopInterfaceType = 'nat_gateway'
Example output:

The first row is ICMP traffic to 1.1.1.1. The next two rows are UDP traffic to port 123, which is easy to recognize as NTP. In each case, the query ties the traffic back to the bob instance and confirms that the next hop is a NAT Gateway.
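The same filter applied to space-separated flow log records outside Logs Insights, as an added example that is not part of the original post. It assumes a custom format in the field order shown; the sample records, the 203.0.113.x addresses and the alice tag are constructed for illustration.

```python
import re
from collections import Counter

# Assumed custom log format for this demo. The last two field names are the
# ones the post gives; the field order is an assumption of this example.
LOG_FORMAT = ("${srcaddr} ${srcport} ${dstaddr} ${dstport} ${protocol} "
              "${action} ${instance-tag} ${next-hop-interface-type}")
PROTO = {"1": "icmp", "6": "tcp", "17": "udp"}

# Constructed sample records ("-" marks a field with no value).
SAMPLE = """\
172.31.100.178 0 1.1.1.1 0 1 ACCEPT bob nat_gateway
172.31.100.178 44321 203.0.113.10 123 17 ACCEPT bob nat_gateway
172.31.100.178 44322 203.0.113.10 123 17 ACCEPT bob nat_gateway
172.31.100.20 51515 172.31.100.178 22 6 ACCEPT alice -
172.31.100.178 40000 172.31.100.20 443 6 REJECT bob -
"""

def parse(lines, log_format=LOG_FORMAT):
    """Yield one dict per record, keyed by the field names in log_format."""
    names = re.findall(r"\$\{([a-z0-9-]+)\}", log_format)
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != len(names):
            # A format mismatch (or a value containing spaces) lands here;
            # fail loudly rather than shift every later column.
            raise ValueError(f"line {n}: expected {len(names)} fields, got {len(parts)}")
        yield dict(zip(names, parts))

def egress_summary(records, tag, next_hop="nat_gateway"):
    """Count flows from instances tagged `tag` whose next hop is `next_hop`."""
    hits = Counter()
    for r in records:
        if r["instance-tag"] == tag and r["next-hop-interface-type"] == next_hop:
            proto = PROTO.get(r["protocol"], r["protocol"])
            hits[(r["dstaddr"], r["dstport"], proto, r["action"])] += 1
    return hits

if __name__ == "__main__":
    for key, count in egress_summary(parse(SAMPLE.splitlines()), "bob").items():
        print(count, *key)
```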
This is a small feature, but it removes a common lookup step during incident review and network debugging. For environments where instances, ENIs, Auto Scaling groups, and network paths are already tagged or modeled consistently, Flow Logs become much easier to search and explain.