Usage of additional metadata fields like vpc-id, subnet-id, Transmission Control Protocol (TCP) bitmask reduce the number of computations and look-ups required to extract meaningful information from the log data. For example, you can use TCP bitmask to identify the resource initiating at TCP connection. Similarly, you can use the packet source and destination IP fields to identify the source resource and the intended target of a connection passing through a network interface attached to NAT Gateway or an AWS Transit Gateway. To learn more about these new metadata fields refer our blog here.
You can deliver Amazon VPC flow logs to Amazon Simple Storage Service (S3) using the AWS Command Line Interface or Management Console. There is no extra cost to capture these additional metadata fields. For more information about VPC flow logs, please refer to the documentation here.