
Virtual Private Cloud:Overview of flow logs

Last Updated: Mar 04, 2024

Virtual Private Cloud (VPC) provides the flow log feature to record information about inbound and outbound traffic of an elastic network interface (ENI). You can use the flow log feature to check access control list (ACL) rules, monitor network traffic, and troubleshoot network errors.

Feature release and supported regions

If you use the flow log feature for the first time, you need to click Activate Now in the VPC console.

Note

If you have already created flow logs, they are displayed after you click Activate Now.

The following list describes the regions that support the flow log feature, by area.

Asia Pacific: China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), and India (Mumbai)

Europe & Americas: Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia)

Middle East: UAE (Dubai) and SAU (Riyadh)

Description

Flow logs can capture information about network traffic of a specified ENI, VPC, or vSwitch. After you enable the flow log feature for a VPC or a vSwitch, traffic information about ENIs in the VPC or vSwitch is captured. Flow logs also capture traffic information about ENIs that are created after the flow log feature is enabled.

Note

The flow logs created in the Simple Log Service console are displayed in the flow log list in the VPC console. However, you cannot modify, start, stop, or delete the flow logs in the VPC console.

The traffic information captured by the flow log feature is written to Simple Log Service as flow log entries. Each entry describes one traffic flow, identified by its 5-tuple (source IP address, source port, destination IP address, destination port, and protocol), within a capture window of approximately 10 minutes. All packets of that flow observed during the window are aggregated into a single flow log entry, so an entry records the flow's totals for the window rather than individual packets.

The following list describes the fields of a flow log entry.

version: The version of the flow log.

vswitch-id: The ID of the vSwitch to which the ENI belongs.

vm-id: The ID of the Elastic Compute Service (ECS) instance with which the ENI is associated.

vpc-id: The ID of the VPC to which the ENI belongs.

account-id: The ID of the Alibaba Cloud account.

eni-id: The ID of the elastic network interface (ENI).

srcaddr: The source IP address.

srcport: The source port.

dstaddr: The destination IP address.

dstport: The destination port.

protocol: The Internet Assigned Numbers Authority (IANA) protocol number of the traffic, for example 6 for TCP and 17 for UDP. For more information, see Protocol Numbers.

direction: The traffic direction. Valid values:

  • in: inbound

  • out: outbound

packets: The number of packets in the flow during the capture window.

bytes: The total number of bytes in the flow during the capture window.

start: The time at which the capture window starts.

tcp-flags: A bitmask of the TCP flags observed in the flow. Each flag has the bit value assigned to it in RFC 793, and a combination of flags is the sum of their values:

  • FIN: 1

  • SYN: 2

  • RST: 4

  • PSH: 8

  • ACK: 16

  • SYN,ACK: 18 (SYN 2 + ACK 16)

  • URG: 32

For more information about TCP flags, see RFC 793.

end: The time at which the capture window ends.

log-status: The logging status of the flow log entry. Valid values:

  • OK: Data is recorded.

  • NODATA: No inbound or outbound traffic was transmitted through the ENI during the capture window.

  • SKIPDATA: Some flow log records were skipped during the capture window. Byte and packet counts for that window are therefore incomplete.

action: The action that was performed on the traffic flow. Valid values:

  • ACCEPT: The traffic flow was allowed by security groups or ACLs.

  • REJECT: The traffic flow was rejected by security groups or ACLs.
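The fields above are enough to drive simple detections without any further enrichment. The following is an added example, not code from the page or from Alibaba Cloud: it decodes the tcp-flags bitmask, finds sources whose inbound flows were REJECTed on many distinct ports of one ENI (a port-scan indicator), and lists accepted TCP flows in which only SYN was observed. The sample entries are constructed to match the field names on this page; the IDs, addresses and counts are made up, and the example assumes tcp-flags is the bitwise OR of the flags seen in the window, which is what the listed SYN,ACK value of 18 suggests. In practice the entries would come from the Logstore the flow log writes to.

```python
"""Triage of VPC flow log entries (added example, not Alibaba Cloud code)."""
from collections import defaultdict

# Bit values from RFC 793.
TCP_FLAG_BITS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}

# Constructed sample entries. Field names follow the flow log format on the
# page; the identifiers, addresses, ports and counters are invented.
SAMPLE_ENTRIES = [
    # Normal accepted SSH session: SYN and ACK both seen in the window.
    {"eni-id": "eni-example1", "srcaddr": "10.0.1.5", "srcport": "51000",
     "dstaddr": "10.0.2.10", "dstport": "22", "protocol": "6", "direction": "in",
     "packets": "40", "bytes": "6200", "tcp-flags": "18", "action": "ACCEPT",
     "log-status": "OK"},
    # One external source rejected on many ports of the same ENI: scan-like.
    *[{"eni-id": "eni-example1", "srcaddr": "203.0.113.7", "srcport": "40000",
       "dstaddr": "10.0.2.10", "dstport": str(p), "protocol": "6", "direction": "in",
       "packets": "1", "bytes": "60", "tcp-flags": "2", "action": "REJECT",
       "log-status": "OK"} for p in (21, 22, 23, 25, 80, 443, 3306, 3389)],
    # Accepted by the security group, but only SYN was seen in the window.
    {"eni-id": "eni-example1", "srcaddr": "10.0.1.9", "srcport": "42000",
     "dstaddr": "10.0.2.10", "dstport": "8080", "protocol": "6", "direction": "in",
     "packets": "3", "bytes": "180", "tcp-flags": "2", "action": "ACCEPT",
     "log-status": "OK"},
    # UDP flow: tcp-flags carries no information for protocol 17.
    {"eni-id": "eni-example1", "srcaddr": "10.0.2.10", "srcport": "53412",
     "dstaddr": "10.0.0.2", "dstport": "53", "protocol": "17", "direction": "out",
     "packets": "2", "bytes": "180", "tcp-flags": "0", "action": "ACCEPT",
     "log-status": "OK"},
    # A window in which the ENI carried no traffic at all.
    {"eni-id": "eni-example2", "log-status": "NODATA"},
]


def decode_tcp_flags(mask):
    """Return the flag names set in a tcp-flags bitmask, e.g. 18 -> ['SYN', 'ACK']."""
    mask = int(mask)
    return [name for name, bit in TCP_FLAG_BITS.items() if mask & bit]


def rejected_port_scanners(entries, min_ports=5):
    """Sources whose inbound flows were REJECTed on at least min_ports distinct
    destination ports of one ENI. Returns {(srcaddr, eni-id): sorted ports}."""
    ports = defaultdict(set)
    for e in entries:
        if e.get("log-status") != "OK":
            continue  # NODATA and SKIPDATA entries carry no tuple to inspect
        if e["direction"] == "in" and e["action"] == "REJECT":
            ports[(e["srcaddr"], e["eni-id"])].add(int(e["dstport"]))
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}


def syn_only_flows(entries):
    """Accepted TCP flows whose aggregated flags show SYN but no ACK: the
    handshake did not complete inside the window. Worth checking when an
    ACL accepts traffic that the instance never answers (assumes tcp-flags is
    the OR of the flags seen in the window)."""
    out = []
    for e in entries:
        if e.get("log-status") != "OK" or e["protocol"] != "6":
            continue
        flags = decode_tcp_flags(e["tcp-flags"])
        if "SYN" in flags and "ACK" not in flags and e["action"] == "ACCEPT":
            out.append((e["srcaddr"], e["dstaddr"], int(e["dstport"])))
    return out


if __name__ == "__main__":
    print("scanners:", rejected_port_scanners(SAMPLE_ENTRIES))
    print("SYN-only accepted flows:", syn_only_flows(SAMPLE_ENTRIES))
```

The scan threshold is per ENI and per source within whatever set of entries you pass in; because each window is aggregated to roughly 10 minutes, feeding one or two windows at a time keeps the distinct-port count meaningful.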

Billing and pricing

For more information, see Billing of flow logs.

Limits on use

Procedure

Configuration workflow

  1. Activate Simple Log Service

    The traffic information captured by the flow log feature is stored in Simple Log Service. You must activate Simple Log Service before you create a flow log.

  2. Optional. Create an AccessKey pair

    If you want to write data by using an API or SDK, you must create an AccessKey pair. Create it for a RAM user that has only the Simple Log Service permissions it needs rather than for the Alibaba Cloud account itself. If you want to collect logs by using Logtail, you do not need to create an AccessKey pair.

  3. Create a project

    You must create a project in Simple Log Service. For more information, see Create a project.

  4. Create a Logstore

    A Logstore is the unit within a project in which log data is collected, stored, and queried. All data in a Logstore comes from the same source. After you create a project, you must create a Logstore to hold the flow log entries. For more information, see Create a Logstore.

  5. Specify a resource from which traffic information is captured

    Before you create a flow log, you must specify the resource from which traffic information is captured. You can capture traffic information from an ENI, VPC, or vSwitch. For more information, see Create a secondary ENI, Create and manage a VPC, and Create and manage a vSwitch.

  6. Create a flow log

    You can create a flow log to capture information about the inbound and outbound traffic of the ENI you specified, or of all ENIs in the vSwitch or VPC you specified. For more information, see Create and manage flow logs.

  7. View flow logs

    After you create a flow log, you can view its entries in the Logstore. Based on the captured traffic information, you can analyze cross-region data transmission, control data transfer costs, and troubleshoot network issues.
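Flow log entries carry only addresses and byte counts, so analysing where egress goes means classifying the destination address against the CIDRs you know. The following is an added example, not code from the page or from Alibaba Cloud: it sums outbound bytes per destination class (inside the VPC, other RFC 1918 space such as a peered VPC or VPN, or external) and reports ENIs whose windows contain SKIPDATA, whose totals are a lower bound. The VPC CIDR and the entries are assumptions constructed for the example.

```python
"""Egress breakdown and capture-health check over flow log entries
(added example, not Alibaba Cloud code; the CIDR and entries are constructed)."""
import ipaddress
from collections import Counter

# Assumed CIDR of the VPC the flow log belongs to; replace with your own.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")

# RFC 1918 ranges, checked explicitly rather than via ipaddress.is_private so
# that documentation ranges such as 198.51.100.0/24 count as external.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample entries; only the fields this example reads are included.
SAMPLE_ENTRIES = [
    {"eni-id": "eni-a", "direction": "out", "dstaddr": "10.0.3.4", "bytes": "5000", "log-status": "OK"},
    {"eni-id": "eni-a", "direction": "out", "dstaddr": "172.16.8.9", "bytes": "120000", "log-status": "OK"},
    {"eni-id": "eni-a", "direction": "out", "dstaddr": "198.51.100.20", "bytes": "2500000", "log-status": "OK"},
    {"eni-id": "eni-a", "direction": "in", "dstaddr": "10.0.1.1", "bytes": "900", "log-status": "OK"},
    {"eni-id": "eni-b", "log-status": "SKIPDATA"},
    {"eni-id": "eni-c", "log-status": "NODATA"},
]


def classify_destination(dstaddr, vpc_cidr=VPC_CIDR):
    """'intra-vpc' for the VPC's own range, 'other-private' for other RFC 1918
    space (peered VPC, VPN, Express Connect, on-premises), else 'external'."""
    ip = ipaddress.ip_address(dstaddr)
    if ip in vpc_cidr:
        return "intra-vpc"
    if any(ip in net for net in RFC1918):
        return "other-private"
    return "external"


def egress_bytes_by_destination(entries, vpc_cidr=VPC_CIDR):
    """Sum outbound bytes per destination class, using only OK windows."""
    totals = Counter()
    for e in entries:
        if e.get("log-status") != "OK" or e["direction"] != "out":
            continue
        totals[classify_destination(e["dstaddr"], vpc_cidr)] += int(e["bytes"])
    return dict(totals)


def capture_gaps(entries):
    """ENIs with at least one SKIPDATA window: their byte totals undercount,
    so any cost or security conclusion drawn from them is a lower bound."""
    return sorted({e["eni-id"] for e in entries if e.get("log-status") == "SKIPDATA"})


if __name__ == "__main__":
    print("egress bytes:", egress_bytes_by_destination(SAMPLE_ENTRIES))
    print("ENIs with skipped windows:", capture_gaps(SAMPLE_ENTRIES))
```

Mapping "other-private" further to specific peers, VPN gateways or regions needs the CIDRs of those attachments, which the flow log itself does not contain.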