
How do I set up centralized logging with a VPC Endpoint for CloudWatch Logs?

This guide shows how to set up centralized logging with a VPC Endpoint for AWS CloudWatch Logs using Pulumi. By using an interface VPC Endpoint, workloads inside the VPC can reach CloudWatch Logs over private addressing, without traversing the public internet.

Key Points:

  • Create a VPC (Virtual Private Cloud).
  • Set up subnets and an internet gateway.
  • Create a VPC endpoint for CloudWatch Logs.
  • Configure IAM roles and policies.
  • Create CloudWatch Log Groups and Log Streams.
  • Centralize logs using the VPC Endpoint.

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create a VPC. DNS support and hostnames must be enabled for the
// endpoint's private DNS name to resolve inside the VPC.
const vpc = new aws.ec2.Vpc("myVpc", {
    cidrBlock: "10.0.0.0/16",
    enableDnsSupport: true,
    enableDnsHostnames: true,
});

// Create subnets
const subnet = new aws.ec2.Subnet("mySubnet", {
    vpcId: vpc.id,
    cidrBlock: "10.0.1.0/24",
    availabilityZone: "us-west-2a",
});

// Create an Internet Gateway
const internetGateway = new aws.ec2.InternetGateway("myInternetGateway", {
    vpcId: vpc.id,
});

// Create a route table
const routeTable = new aws.ec2.RouteTable("myRouteTable", {
    vpcId: vpc.id,
    routes: [{
        cidrBlock: "0.0.0.0/0",
        gatewayId: internetGateway.id,
    }],
});

// Associate route table with subnet
new aws.ec2.RouteTableAssociation("myRouteTableAssociation", {
    subnetId: subnet.id,
    routeTableId: routeTable.id,
});

// Security group for the interface endpoint: allow only HTTPS from inside the VPC.
// (The original left securityGroupIds empty, which falls back to the VPC's default group.)
const endpointSecurityGroup = new aws.ec2.SecurityGroup("myEndpointSecurityGroup", {
    vpcId: vpc.id,
    ingress: [{
        protocol: "tcp",
        fromPort: 443,
        toPort: 443,
        cidrBlocks: [vpc.cidrBlock],
    }],
});

// Create a VPC Endpoint for CloudWatch Logs.
// privateDnsEnabled makes logs.<region>.amazonaws.com resolve to the endpoint's
// private IPs, so SDK clients in the VPC use it without any configuration change.
const vpcEndpoint = new aws.ec2.VpcEndpoint("myVpcEndpoint", {
    vpcId: vpc.id,
    serviceName: `com.amazonaws.${aws.config.region}.logs`,
    subnetIds: [subnet.id],
    securityGroupIds: [endpointSecurityGroup.id],
    vpcEndpointType: "Interface",
    privateDnsEnabled: true,
});

// Create an IAM Role for CloudWatch Logs
const logRole = new aws.iam.Role("logRole", {
    assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({ Service: "logs.amazonaws.com" }),
});

// Attach a policy to the IAM Role. The original granted logs:* on every
// resource; only the actions needed to write log events are granted here.
// Narrow Resource to the log group ARN(s) once they are known.
const logPolicy = new aws.iam.RolePolicy("logPolicy", {
    role: logRole.id,
    policy: pulumi.output({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Action: [
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents",
            ],
            Resource: "*",
        }],
    }),
});

// Create a CloudWatch Log Group
const logGroup = new aws.cloudwatch.LogGroup("myLogGroup", {
    retentionInDays: 7,
});

// Create a Log Stream within the Log Group
const logStream = new aws.cloudwatch.LogStream("myLogStream", {
    logGroupName: logGroup.name,
});

// Export the VPC Endpoint DNS name
export const vpcEndpointDnsName = vpcEndpoint.dnsEntries.apply(entries => entries[0].dnsName);
```

Summary:

In this guide, we created a VPC with a subnet and an internet gateway, and set up an interface VPC Endpoint for CloudWatch Logs. We configured an IAM role and policy for CloudWatch Logs alongside the endpoint. Finally, we created a CloudWatch Log Group and Log Stream to centralize logs through the VPC Endpoint. This setup keeps logging traffic inside the VPC rather than traversing the public internet.
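One thing the stack above does not set is an endpoint policy: an interface endpoint created without one gets AWS's default full-access policy, so any principal inside the VPC can use it to write to log groups in any account. The following added example (not part of the Pulumi page, and not using Pulumi itself) builds a restrictive endpoint policy for the CloudWatch Logs endpoint that only allows principals from the owning account to write to that account's log groups, plus a check that flags the default policy. The account id and region are constructed placeholders; the resulting document could be passed as the `policy` argument of `aws.ec2.VpcEndpoint`.

```typescript
// Added example: restrictive VPC endpoint policy for CloudWatch Logs.
// Constructed values only; not from the original page.

interface PolicyStatement {
    Sid?: string;
    Effect: "Allow" | "Deny";
    Principal: "*" | { AWS: string | string[] };
    Action: string | string[];
    Resource: string | string[];
    Condition?: Record<string, Record<string, string | string[]>>;
}

interface PolicyDocument {
    Version: "2012-10-17";
    Statement: PolicyStatement[];
}

const ACCOUNT_ID_RE = /^\d{12}$/;
const REGION_RE = /^[a-z]{2}(-gov)?-[a-z]+-\d$/;

// Map the region to its ARN partition (aws, aws-us-gov, aws-cn).
function partitionFor(region: string): string {
    if (region.startsWith("us-gov-")) return "aws-us-gov";
    if (region.startsWith("cn-")) return "aws-cn";
    return "aws";
}

// Build an endpoint policy that lets only principals from `accountId` write to
// log groups owned by that account in `region`. The aws:PrincipalAccount
// condition is what blocks using the endpoint to ship logs to another account.
function buildLogsEndpointPolicy(accountId: string, region: string): PolicyDocument {
    if (!ACCOUNT_ID_RE.test(accountId)) throw new Error(`invalid account id: ${accountId}`);
    if (!REGION_RE.test(region)) throw new Error(`invalid region: ${region}`);
    const logGroupArn = `arn:${partitionFor(region)}:logs:${region}:${accountId}:log-group:*`;
    return {
        Version: "2012-10-17",
        Statement: [{
            Sid: "AllowOwnAccountLogWrites",
            Effect: "Allow",
            Principal: "*",
            Action: ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"],
            Resource: logGroupArn,
            Condition: { StringEquals: { "aws:PrincipalAccount": accountId } },
        }],
    };
}

// Defender-side check: every Allow statement must be pinned to `accountId`.
// The AWS default policy ("*" with no condition) fails this check.
function allowsOnlyAccount(policy: PolicyDocument, accountId: string): boolean {
    return policy.Statement
        .filter(s => s.Effect === "Allow")
        .every(s => s.Condition?.StringEquals?.["aws:PrincipalAccount"] === accountId);
}

// The policy AWS attaches when none is supplied, for comparison.
const DEFAULT_FULL_ACCESS: PolicyDocument = {
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Principal: "*", Action: "*", Resource: "*" }],
};
```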
