Flow log overview - Flow logs| Alibaba Cloud Documentation Center

Flow log overview

Edit in GitHub

Last Updated: Apr 22, 2020 Edit in GitHub

This topic provides an overview of the flow log function of Virtual Private Cloud (VPC). By using this function, you can capture the inbound and outbound traffic over the Elastic Network Interface (ENI) in your VPC. With flow logs, you can check access control rules, monitor network traffic, and troubleshoot network faults.

Note The flow log function is only supported in China (Hohhot), Malaysia (Kuala Lumpur), Indonesia (Jakarta), UK (London), and India (Mumbai).

Features

You can capture the traffic of an ENI, a VPC, or a VSwitch. After you create a flow log for a VPC or a VSwitch, you can capture the traffic of all ENIs in the VPC or VSwitch, including the ENIs created after the flow log function is enabled.

The captured traffic data is stored in Log Service. You can view and analyze traffic data in Log Service. During the beta testing phase of the flow log function, you are only charged for the storage and retrieval of traffic data in Log Service.

The traffic data captured by flow logs is written to Log Service as flow log records. Each flow log record includes specified quintuple network streams in a capture window. A network traffic data capture window is at a maximum of 10 minutes, traffic data is aggregated and then released to the flow log record. Therefore, users can view the network traffic data in their Log Service accordingly.

The following table describes the fields of a flow log record.


Field	Description
version	The version of the flow log.
vswitch-id	The ID of the VSwitch to which the ENI belongs.
vm-id	The ID of the ECS instance with which the ENI is associated.
vpc-id	The ID of the VPC instance to which the ENI belongs.
account-id	The ID of the account.
eni-id	The ID of the ENI.
srcaddr	The source IP address.
srcport	The source port.
dstaddr	The destination IP address.
dstport	The destination port.
protocol	The IANA protocol number of the traffic. For more information, see Internet Protocol Numbers.
direction	The direction of the traffic. Valid values: in: Inbound traffic. out: Outbound traffic.
packets	The number of data packets.
bytes	The size of data packets.
start	The start time of the capture window.
end	The end time of the capture window.
log-status	The status of the recorded flow log. Valid values: OK: The data is recorded. NODATA: No inbound or outbound traffic is transmitted over the ENI during the capture window. SKIPDATA: Some flow log records are skipped during the capture window.
action	The action associated with the traffic. ACCEPT: The traffic that security groups allow to record. REJECT: The traffic that security groups do not allow to record.

Limits

The following table lists the limits of flow logs.


Item	Limit	Quota increase supported?
The maximum number of flow logs that can be created in a region	10	Yes. Open a ticket.
VPCs that do not support flow logs	VPCs that contain any instance of the following instance type families: ecs.c1、ecs.c2、ecs.c4、ecs.c5、ecs.ce4、ecs.cm4、ecs.d1、ecs.e3、ecs.e4、ecs.ga1、ecs.gn4、ecs.gn5、ecs.i1、ecs.m1、ecs.m2、ecs.mn4、ecs.n1、ecs.n2、ecs.n4、ecs.s1、ecs.s2、ecs.s3、ecs.se1、ecs.sn1、ecs.sn2、ecs.t1、ecs.xn4.	Yes. You can upgrade the instance type. For more information, see Instance families that support instance type changes. Note If your VPC, the VPC to which the VSwitch belongs, or the VPC to which the ENI belongs, contains any instance of the instance type families listed in the limit field, and you have created a flow log, to ensure the normal use of the flow log function, you must upgrade the instance type.
VSwitches that do not support flow logs	VPCs to which the VSwitches belong contain any instance of the following instance type families: ecs.c1、ecs.c2、ecs.c4、ecs.c5、ecs.ce4、ecs.cm4、ecs.d1、ecs.e3、ecs.e4、ecs.ga1、ecs.gn4、ecs.gn5、ecs.i1、ecs.m1、ecs.m2、ecs.mn4、ecs.n1、ecs.n2、ecs.n4、ecs.s1、ecs.s2、ecs.s3、ecs.se1、ecs.sn1、ecs.sn2、ecs.t1、ecs.xn4.
ENIs that do not support flow logs	VPCs to which the ENIs belong contain any instance of the following instance type families: ecs.c1、ecs.c2、ecs.c4、ecs.c5、ecs.ce4、ecs.cm4、ecs.d1、ecs.e3、ecs.e4、ecs.ga1、ecs.gn4、ecs.gn5、ecs.i1、ecs.m1、ecs.m2、ecs.mn4、ecs.n1、ecs.n2、ecs.n4、ecs.s1、ecs.s2、ecs.s3、ecs.se1、ecs.sn1、ecs.sn2、ecs.t1、ecs.xn4.

Procedure

The following figure shows the procedure for configuring a flow log.

Activate Log Service.
The traffic data captured by the flow log function is stored in Alibaba Cloud Log Service. Therefore, you must activate Log Service before you create a flow log.
Optional. Create an Access Key.
If you want to write data through APIs or SDKs, you must create an Access Key (AK). If you want to collect logs by using Logtail, you do not need to create an AK.
Create a Project.
You must create a Project in Log Service. For more information, see Create a project.
Create a Logstore.
A Logstore is a collection of resources created in a Project. All data in a Logstore is from the same data source. After you create a Project, you must create a Logstore. For more information, see Create a Logstore.
Create a capture resource.
Before you create a flow log, you must create a resource whose logs you want to capture. You can capture logs of a specified ENI, VPC, or VSwitch. For more information, see Create an ENI, Create a VPC, and Create a VSwitch.
Create a flow log.
After you create a flow log, you can capture the traffic data among instances in different regions of the specified CEN. For more information, see Create a flow log.
View the flow log
After you create a flow log, you can view the flow log. You can use the captured traffic data to analyze cross-region traffic, optimize traffic costs, and troubleshoot network faults. For more information, see View a flow log.