Architecture: Where Each Product Sits

AWS Shield operates at two tiers. Shield Standard is automatically enabled on every AWS account at no additional cost. It provides always-on network flow monitoring and inline mitigation for common L3/L4 attacks targeting CloudFront distributions, Application Load Balancers, Route 53 hosted zones, and Elastic IPs. Shield Advanced adds additional protections: enhanced detection for EC2, ELB, CloudFront, Global Accelerator, and Route 53 resources, plus access to the AWS DDoS Response Team (DRT) and cost protection.

Both tiers operate at the AWS network edge and VPC boundary. They analyze traffic flows and apply mitigation rules at the infrastructure level before traffic reaches your EC2 instances. This is effective for large volumetric attacks but has inherent visibility limitations at the instance level.

Flowtriq operates on the EC2 instance itself. The agent monitors the network interface directly, seeing every packet that arrives at the instance, classifying attack vectors in real time, and capturing PCAP evidence for forensic analysis.

Internet Traffic
    |
    v
AWS Edge (Shield Standard/Advanced)
    |-- Volumetric L3/L4 absorption
    |-- SYN flood mitigation
    |-- UDP reflection attack filtering
    |
    v
VPC / Security Groups / NACLs
    |
    v
EC2 Instance
    |-- Flowtriq agent (per-instance monitoring)
    |-- Per-second PPS/BPS detection
    |-- Attack classification + confidence scoring
    |-- PCAP capture on detection
    |-- Alerts: Discord, Slack, PagerDuty, etc.
    |
    v
Application Stack

Shield handles mitigation at the AWS network boundary. Flowtriq handles detection and forensics on each instance. The two products complement each other because they operate at different layers with different capabilities.

What Flowtriq Adds to AWS Shield

AWS Shield is a strong first layer of defense. But it was designed for infrastructure-level protection, not per-instance observability. Here is what Flowtriq gives you that Shield does not.

Per-Instance Visibility

Shield Standard provides aggregate metrics at the resource level (ALB, CloudFront distribution, Elastic IP). Shield Advanced adds more detailed metrics but still operates at the AWS resource level, not the application level. If you have 20 EC2 instances behind an ALB, Shield tells you the ALB is under attack. It does not tell you which instances are receiving the most attack traffic, how the traffic distributes across instances, or what traffic patterns look like on each specific server.

Flowtriq gives you per-instance, per-second PPS and BPS metrics. You can see exactly what each instance is receiving, compare traffic patterns across your fleet, and identify whether an attack is targeting all instances equally or focusing on a specific server.

Attack Classification

Shield Standard provides basic detection and mitigation without detailed classification. Shield Advanced provides attack vector information but reports it through CloudWatch metrics and the Shield console, typically with multi-minute granularity.

Flowtriq classifies attacks within its 2-second detection window. It identifies specific attack types — SYN flood, UDP amplification (DNS, NTP, CLDAP, memcached), HTTP flood, slowloris, and dozens more — with confidence scores. This classification happens on-instance in real time, so you know exactly what you are dealing with before you even open the AWS console.

PCAP Forensics

This is perhaps the most significant gap. AWS Shield does not provide packet-level capture data. When an attack is detected, Shield mitigates it at the network level, but you get no raw packet data for forensic analysis. If your incident response process requires packet evidence, if you need to communicate attack details to upstream providers, or if compliance requirements mandate forensic data retention, Shield alone cannot satisfy those requirements.

Flowtriq automatically captures PCAP data when it detects an incident. The capture includes source IPs, protocol details, payload samples, and timing information. This data is available for download from the Flowtriq dashboard and can be analyzed in Wireshark or any other packet analysis tool.

Modern Multi-Channel Alerting

Shield Advanced sends notifications through CloudWatch Alarms and SNS topics. This works for teams that have built alerting pipelines around AWS services, but it requires configuration of CloudWatch metrics, alarm thresholds, SNS topics, and downstream integrations.

Flowtriq sends alerts directly to Discord, Slack, PagerDuty, OpsGenie, email, SMS, and custom webhooks. Configuration takes minutes, not hours. If your incident response team lives in Discord or Slack, alerts arrive there with full incident context — no AWS pipeline assembly required.

Shield absorbs the punch. Flowtriq tells you exactly where the punch landed, what kind of punch it was, captures video evidence, and pages your security team. Both are important, but they serve different functions.

Step 1: Install the Flowtriq Agent on EC2

Install the Flowtriq agent on each EC2 instance you want to monitor. The agent is a lightweight Python package that runs as a systemd service.

# Install the Flowtriq agent
pip install ftagent --break-system-packages

# Run the setup wizard
sudo ftagent --setup

The installer will prompt for your Flowtriq API key, which you can find in your Flowtriq dashboard under Settings. Once installed, the agent starts monitoring immediately and appears in your dashboard within seconds.

For EC2 instances launched from an AMI or managed by Auto Scaling groups, include the agent installation in your user data script:

#!/bin/bash
# EC2 User Data script — install Flowtriq agent on launch
pip install ftagent

# Write configuration
mkdir -p /etc/ftagent
cat > /etc/ftagent/config.yaml <<EOF
api_key: "ft_your_api_key_here"
server: "https://flowtriq.com/api/v1"
interface: "eth0"

detection:
  pps_threshold: auto
  bps_threshold: auto
  sensitivity: medium
  detection_window: 2s

pcap:
  enabled: true
  max_size: 100MB
  capture_duration: 30s

tags:
  role: "web-server"
  provider: "aws"
  region: "$(curl -s http://169.254.169.254/latest/meta-data/placement/region)"
  instance_id: "$(curl -s http://169.254.169.254/latest/meta-data/instance-id)"
  instance_type: "$(curl -s http://169.254.169.254/latest/meta-data/instance-type)"
EOF

# Enable and start the agent
systemctl enable ftagent
systemctl start ftagent

Note the use of EC2 instance metadata to automatically tag each node with its region, instance ID, and instance type. This makes it easy to identify instances in your Flowtriq dashboard and correlate with AWS console data.

Step 2: Security Group Configuration

The Flowtriq agent communicates outbound to flowtriq.com/api/v1 on port 443 (HTTPS). Most EC2 security groups allow all outbound traffic by default, so no changes are typically needed. If you have restrictive outbound rules, add an outbound rule allowing HTTPS (443) to 0.0.0.0/0 or specifically to Flowtriq's API endpoints.

No inbound security group rules are required for Flowtriq. The agent initiates all connections outbound.

# Verify outbound connectivity to Flowtriq API
curl -s https://flowtriq.com/api/health
# Should return: {"status": "ok"}

IAM roles and policies are not required. The Flowtriq agent does not interact with AWS APIs. It monitors the network interface on the instance and communicates with Flowtriq's API. There are no AWS permissions to configure.

Step 3: Configure Detection and Alerting

With the agent running, configure your detection settings and alert channels in the Flowtriq dashboard.

Detection Settings

The default auto threshold mode uses dynamic baseline detection, which learns your instance's normal traffic pattern and alerts when traffic deviates significantly. This is recommended for most deployments because EC2 traffic patterns vary widely based on workload.

If you know your expected traffic profile, you can set static thresholds:

# /etc/ftagent/config.yaml — static thresholds
detection:
  pps_threshold: 50000       # Alert above 50K packets per second
  bps_threshold: 500000000   # Alert above 500 Mbps
  sensitivity: high
  detection_window: 2s

Alert Channels

Configure at least one alert channel in the Flowtriq dashboard under Channels. Recommended configurations for AWS environments:

# Discord webhook for real-time team alerts
Channel: Discord
Webhook URL: https://discord.com/api/webhooks/...
Severity: All incidents

# PagerDuty for on-call escalation
Channel: PagerDuty
Integration Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Severity: Critical only

# Slack for security operations channel
Channel: Slack
Webhook URL: https://hooks.slack.com/services/...
Severity: Medium and above

Add per-instance visibility to your AWS stack

Deploy Flowtriq on your EC2 instances in minutes. Per-second detection, PCAP forensics, and instant alerts through Discord, Slack, PagerDuty, and more. No IAM configuration required.

Start your free 7-day trial →

How the Layers Work Together

Here is a practical example of how Shield and Flowtriq complement each other during an attack.

Scenario: Multi-Vector Attack on an ALB-Backed Application

  1. Volumetric layer — The attacker launches a 15 Gbps UDP reflection attack using CLDAP amplification. Shield Standard detects the volumetric anomaly at the AWS network edge and mitigates it inline. The bulk of the attack traffic never reaches your VPC. Shield's CloudWatch metrics show the attack was detected and mitigated.
  2. Application layer — Simultaneously, the attacker launches a low-rate HTTP slowloris attack targeting your ALB endpoints. This traffic is well below Shield's volumetric thresholds and uses valid HTTP connections, so it passes through Shield and reaches your EC2 instances.
  3. Flowtriq detects — The Flowtriq agent on each EC2 instance detects the abnormal connection pattern within 2 seconds. It classifies the attack as a slowloris/slow-read attack with high confidence and begins PCAP capture.
  4. Alerts fire — Flowtriq sends alerts to Discord and PagerDuty with full incident details: attack type, confidence score, affected instances, source IP distribution, and PPS/BPS metrics.
  5. Response — The on-call engineer reviews the Flowtriq dashboard, downloads the PCAP for analysis, and configures ALB connection timeouts and WAF rules to block the slowloris pattern.

In this scenario, Shield handled the volumetric layer effectively. But without Flowtriq, the application-layer attack would have gone undetected until users reported timeouts. No CloudWatch alarm fired because the PPS was below volumetric thresholds. No Shield event was logged because the traffic appeared legitimate at the network level.

Deployment Patterns on AWS

ALB + EC2 Fleet

The most common pattern. Install the Flowtriq agent on each EC2 instance behind the ALB. Shield protects the ALB at the network edge. Flowtriq monitors what arrives at each instance. Use instance tags to organize nodes by service, role, and environment in the Flowtriq dashboard.

Direct EC2 with Elastic IP

For instances with public Elastic IPs not behind a load balancer (game servers, DNS resolvers, VPN endpoints), Shield Standard still provides basic L3/L4 protection. But these instances are more exposed because traffic reaches them directly. Flowtriq is particularly valuable here because there is no ALB or CloudFront layer to filter application-level attacks.

EC2 Instances in Private Subnets

Instances in private subnets that receive traffic only through a NAT Gateway or VPC endpoint are less exposed to direct DDoS, but not immune. Attacks can arrive through compromised internal services, lateral movement, or traffic that enters through public-facing resources. Flowtriq monitors the instance regardless of its network position in the VPC.

Mixed Infrastructure

Many AWS environments include EC2 instances alongside containers (ECS/EKS), Lambda functions, and managed services. Install the Flowtriq agent on EC2 instances and ECS/EKS worker nodes. The agent is not applicable to serverless services like Lambda or Fargate, but these services have different DDoS exposure profiles and are protected by Shield at the API Gateway or ALB level.

Comparing the Data You Get

Here is a concrete comparison of the data each product provides for the same attack event:

AWS Shield Standard:

  • Detection at the network edge with automatic mitigation
  • Basic CloudWatch metrics (DDoSDetected, DDoSAttackBitsPerSecond)
  • No attack classification or vector identification
  • No PCAP data
  • No source IP analysis
  • Alerts via CloudWatch Alarms and SNS (requires configuration)

AWS Shield Advanced (additional):

  • Enhanced detection with attack vector classification
  • Shield Response Team (SRT) engagement for large attacks
  • Cost protection for scaling events caused by DDoS
  • Detailed metrics in the Shield console
  • Still no PCAP data or per-instance packet analysis
  • $3,000/month base cost + data transfer fees

Flowtriq (per instance):

  • 2-second detection window with per-second PPS/BPS metrics
  • Detailed attack classification with confidence scores
  • Automatic PCAP capture with source IP analysis
  • Per-instance traffic visibility across your entire fleet
  • Multi-channel alerting: Discord, Slack, PagerDuty, OpsGenie, SMS, email, webhooks
  • $9.99/node/month ($7.99 annual)

For context: Shield Advanced costs $3,000/month as a base subscription. Flowtriq costs $9.99/node/month. A 20-node deployment with Flowtriq ($199.80/month) provides per-instance detection depth, PCAP forensics, and modern alerting at a fraction of Shield Advanced's cost — while Shield Standard provides free volumetric protection at the AWS edge.

What Shield Catches That Flowtriq Cannot

This guide is about layered defense, so it is important to be clear about what Shield provides that Flowtriq does not.

Shield absorbs volumetric attacks at the AWS network edge before they reach your instances. A 100 Gbps UDP flood targeting your Elastic IP is mitigated by Shield before it saturates your VPC's bandwidth. No per-instance agent can absorb that kind of traffic volume — your instance's network interface would be overwhelmed before the agent could even report the attack.

This is why layered defense matters. Shield is the mitigation layer — it absorbs attacks that would overwhelm your infrastructure. Flowtriq is the detection and forensics layer — it sees what reaches your instances, classifies it, captures evidence, and alerts your team. Each layer does something the other cannot.

Deployment Checklist

  • Flowtriq agent installed on each EC2 instance (manually or via user data script)
  • Security groups verified — outbound HTTPS (443) allowed for Flowtriq API communication
  • Instance metadata tags configured in config.yaml for dashboard organization
  • Detection sensitivity tuned for your workload (auto baseline recommended for initial deployment)
  • Alert channels configured — at minimum, one real-time channel (Discord, Slack, or PagerDuty)
  • PCAP capture enabled for forensic evidence on detection
  • Auto Scaling integration — agent installation included in launch template user data if applicable
  • Shield Standard confirmed active — enabled by default on all AWS accounts, verify in the Shield console
  • Test alert sent — trigger a test alert in Flowtriq to verify end-to-end notification flow

Add detection depth to your AWS DDoS stack

Deploy Flowtriq on your EC2 instances for per-second detection, PCAP forensics, and real-time multi-channel alerting. Works alongside Shield Standard and Advanced. $9.99/node/month with a 7-day free trial.

Start your free 7-day trial →
Back to Blog

Related Articles

Integrations

How to Use Cloudflare with Flowtriq: complete integration guide

Configure Flowtriq alongside Cloudflare for origin-level detection and automated WAF rule creation.
Comparisons

Flowtriq vs AWS Shield: comparing DDoS logs and detection data

What AWS Shield Standard, Shield Advanced, and Flowtriq each give you for the same attack.
Comparisons

Cloud DDoS protection comparison: AWS, Cloudflare, and beyond

How the major cloud providers' DDoS protection stacks compare on coverage, data, and cost.