This topic describes the flow log feature of Virtual Private Cloud (VPC) network. You can use flow logs to capture information about inbound and outbound traffic transmitted through Elastic Network Interfaces (ENIs) over your VPC network. Based on the information captured in flow logs, you can verify access control rules, monitor network traffic, and troubleshoot network faults.
- The flow log feature is not covered by the terms of service level agreement (SLA) during the public preview.
- During the public preview period, the flow log feature is applicable in China (Hohhot), China (Shenzhen), Malaysia (Kuala Lumpur), Indonesia (Jakarta), UK (London), and India (Mumbai).
Features
You can capture the information about network traffic of a specified ENI, VPC network, or VSwitch. After you enable the flow log feature for a VPC network or a VSwitch, information about the traffic of ENIs in the VPC network or VSwitch is captured. The information also includes the ENIs that are created after the flow log feature is enabled.
The traffic information captured by the flow log feature is written to flow log records in Log Service. Each flow log record includes a five-tuple of a traffic flow captured within the specified capture window. The maximum capture window is approximately 10 minutes. During the capture window, statistics about a traffic flow are captured and aggregated into a flow log record.
| Field | Description |
|---|---|
| version | The version of the flow log. |
| vswitch-id | The ID of the VSwitch to which the ENI belongs. |
| vm-id | The ID of the ECS instance to which the ENI is bound. |
| vpc-id | The ID of the VPC network to which the ENI belongs. |
| account-id | The ID of the account. |
| eni-id | The ID of the ENI. |
| srcaddr | The source IP address. |
| srcport | The source port. |
| dstaddr | The destination IP address. |
| dstport | The destination port. |
| protocol | The Internet Assigned Numbers Authority (IANA) protocol number of the traffic flow.
For more information, see Internet protocol numbers. |
| direction | The direction of the traffic flow. Valid values:
|
| packets | The number of data packets. |
| bytes | The size of data packets. |
| start | The start time of the capture window. |
| end | The end time of the capture window. |
| log-status | The status of the flow log. Valid values:
|
| action | Actions associated with the traffic flow:
|
Billing method
- Log collection fee
The log collection fee is charged based on the amount of the collected logs.Note No log collection fee is charged during the public preview.
- The fee of Log Service
The logs generated by the flow log feature are stored in Log Service. You can view and analyze the logs in Log Service. You are charged for log storage and retrieval when you use Log Service.
Limits
The limits of flow logs are listed in the following table.
| Item | Limit | Quota increase supported |
|---|---|---|
| The maximum number of flow logs that can be created in a region | 10 | Submit a ticket. |
| VPCs that do not support flow logs | VPCs that contain instances of the following instance families:
ecs.c1, ecs.c2, ecs.c4, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4. |
Upgrade or release an Elastic Compute Service (ECS) instance that does not support
advanced network features.
Note If the VPC network to which a specified VSwitch or ENI belongs contains instances
of the specified instance families, and the flow logs feature is enabled, you must
upgrade or release the instance for flow logs to work properly. For more information,
see VPC advanced features overview.
|
| VSwitches that do not support flow logs | VPCs to which VSwitches belong contain instances of the following instance families:
ecs.c1, ecs.c2, ecs.c4, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4. |
|
| ENIs that do not support flow logs | The VPC network to which ENIs belong contains instances of the following instance
families:
ecs.c1, ecs.c2, ecs.c4, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4. |
Procedure
- Activate Log Service
The traffic data captured by the flow log feature is stored in Alibaba Cloud Log Service. Therefore, you must activate Log Service before you create a flow log.
- Optional. Create an AccessKey pair
If you want to write data through the API or SDK, you must create an AccessKey pair. If you want to collect logs by using Logtail, you do not need to create an AccessKey pair.
- Create a project
You must create a project in Log Service. For more information, see Create a project.
- Create a Logstore
A Logstore is a set of resources created for a project. All data in a Logstore is retrieved from the same source. After you create a project, you must create a Logstore. For more information, see Create a Logstore.
- Create a resource to capture logs
Before you create a flow log, you must create a resource for which logs are captured. You can capture logs of a specified ENI, VPC network, or VSwitch. For more information, see Create an ENI, Create a VPC network, and Create a VSwitch.
- Create a flow log
After you create a flow log, the flow log can capture the traffic data among instances in different regions of the specified Cloud Enterprise Network (CEN). For more information, see Create a flow log.
- View flow logs
After you create a flow log, you can view the flow log. You can use the captured traffic data to analyze cross-region data transmission, optimize costs, and troubleshoot network faults. For more information, see View a flow log.