Skip to content

Latest commit

 

History

History
199 lines (147 loc) · 8.41 KB

fl-ordering.md

File metadata and controls

199 lines (147 loc) · 8.41 KB
Raw
copyright lastupdated keywords subcollection
years
2020
2020-07-23
flow logs, ordering, getting started
vpc

{:shortdesc: .shortdesc} {:new_window: target="_blank"} {:codeblock: .codeblock} {:pre: .pre} {:screen: .screen} {:term: .term} {:note: .note} {:tip: .tip} {:important: .important} {:external: target="blank" .external} {:generic: data-hd-programlang="generic"} {:download: .download} {:DomainName: data-hd-keyref="DomainName"} {:help: data-hd-content-type='help'} {:support: data-reuse='support'}

Creating a flow log collector

{: #ordering-flow-log-collector} {: help} {: support}

You can order and provision a flow log collector for a specific Virtual Private Cloud (VPC), subnet, instance, or interface. Before you begin, make sure that you review the use cases listed in About flow logs and satisfy the following prerequisites.

When provisioning a flow log collector, keep in mind that the finest granularity wins. {: tip}

Prerequisites

{: #fl-before-you-begin}

Prior to creating a flow log collector, ensure that you have met the following prerequisites:

  1. Make sure that at least one VPC, a subnet, and a virtual server instance exist. For instructions, see Creating a VPC and subnet and Creating a virtual server instance.

  2. Make sure that a COS instance with a bucket exists for your flow logs. To create a COS bucket, see the Cloud Object Storage ordering page.

    The COS bucket must be a single-region bucket in the same region as the target resource. Additionally, it is recommended that you secure the bucket via IAM access groups and audit logging. {: important}

  3. Authorize resources of type Flow Logs for VPC to use the COS instance created in Step 2.

    To do so, follow these steps:

    • In the IBM Cloud console, click Manage > Access (IAM), then select Authorizations from the navigation pane.

    • Click Create and complete the following information:

      • For Source service, select Infrastructure Service in Account.
      • For Resource type, select Flow Logs for VPC.
      • For Source resource instance, select All resource instances.
      • For Target service, select Cloud Object Storage in Account.
      • For Target service instance, select string equals for All instances.
      • For Service access, select the Writer role to assign access to the source service that accesses the target service.

    • Click Authorize.

      Grant a service authorization

    For more information, see Using authorizations to grant access between services. {: note}

Using the UI

{: #fl-ordering-ui}

To create a flow log collector by using the IBM Cloud console, follow these steps:

  1. Log in to your IBM Cloud account and go to the {{site.data.keyword.cloud_notm}} console{:external}. Select the Menu icon Menu icon on the upper left of the page, then select VPC Infrastructure > Flow Logs. The Flow logs for VPC dashboard appears.

Flow log collector dashboard

  1. Click Create flow log collector to go to the flow logs provisioning page.
  2. Enter values for the following fields:
  • Name - Type a unique name for your flow log collector.
  • Resource group - Select a resource group for your flow log collector. You can use the default group for this flow log, or choose from the list (if defined). For more information, see Best practices for organizing resources in a resource group.
  1. From the Attach the flow log connector to menu, choose a target type for the flow log. Depending on your selection, additional fields might be required.
  • VPC - Select a VPC. All network traffic within the selected VPC is logged.
  • Subnet - Select a VPC and a subnet within the selected VPC. All traffic within the selected subnet is logged.
  • Instance - Select a VPC and a VSI that exists within the selected VPC. All traffic for the VSI is logged.
  • Interface - Select a VPC, a VSI within the selected VPC, and a specific network interface for the selected VSI. All traffic for the selected network interface is logged.

For example:

Example Network Subnet Target

  1. Specify where the logs are written. Flow logs are written to a COS bucket, which must be created as a single-region bucket in the same region as the target resource.
  • Cloud Object Storage Instance - The COS instance that the wanted bucket resides in.
  • Location - This input is unavailable because it is directly tied to the region the target resource resides in.
  • Bucket - The wanted Cloud Object Storage (COS) bucket that the flow log collector service writes to.

Using the CLI

{: #fl-ordering-cli}

To create a flow log collector by using the CLI, run the following command:

ibmcloud is flow-log-create \
  --bucket STORAGE_BUCKET_NAME \
  --target TARGET_ID [--name NAME] \
  --active ACTIVE \
  [--resource-group-id RESOURCE_GROUP_ID | --resource-group-name RESOURCE_GROUP_NAME] \
  [--json]

Where:

  • --bucket is the name of the COS bucket.
  • --target is the target for the flow log.
  • --name is the new name for the flow log.
  • --active indicates whether this collector is active.
  • --resource-group-id is the ID of the resource group. This option is mutually exclusive with --resource-group-name.
  • --resource-group-name is the name of the resource group. This option is mutually exclusive with --resource-group-id.
  • --json formats the output in JSON.

Using the API

{: #fl-ordering-api}

To create a flow log collector by using the API, follow these steps:

  1. Set up your API environment with the right variables.

  2. Store the following variables to be used in the API commands:

    • ResourceGroupId - First, get your resource group and then populate the variable:
    export ResourceGroupId=<your_resourcegroup_id>

    {: pre}

    • VpcId - Find by using the list vpc command (with the preceding variables) and then populate the variable based on the provided ID:
    export VpcId=<your_VPC_id>

    {: pre}

    • COSbucket - The name of the COS bucket.
    export COSbucket=<your_COS_bucket_name>

    {: pre}

  3. When all variables are initiated, provision a flow log collector for the specific VPC:

    curl -X POST
  -sH "Authorization:${iam_token}"
  "$vpc_api_endpoint/v1/flow_log_collectors?version=$api_version&generation=2" \
  -d  '{ \
       "name": "flow-logs-1", \
       "resource_group": { "id": "'$ResourceGroupId'"  }, \
       "storage_bucket": { "name": "'$COSbucket'" }, \
       "target": { "id": "'$VpcId'" } \
       }' | jq

    {: pre}

  4. To provision a collector that targets a subnet, VSI, or VNIC, you must provide a subnet ID, VSI ID, or VNIC ID as a collector target. For example, the following request creates a collector that targets a VSI ID:

    export VsiId=<your_vsi_id>

    {: pre}

    curl -X POST \
  -sH "Authorization:${iam_token}" \
  "$vpc_api_endpoint/v1/flow_log_collectors?version=$api_version&generation=2" \
  -d '{ \
   	 "name": "flow-logs-1", \
      "resource_group": { "id": "'$ResourceGroupId'"  }, \
      "storage_bucket": { "name": "'$COSbucket'" }, \
      "target": { "id": "'$VsiId'" } \
      }' | jq

    {: pre}

Next steps