This topic provides an overview of the flow log function of Virtual Private Cloud (VPC). By using this function, you can capture the inbound and outbound traffic over the Elastic Network Interface (ENI) in your VPC. With flow logs, you can check access control rules, monitor network traffic, and troubleshoot network faults.
You can capture the traffic of an ENI, a VPC, or a VSwitch. After you create a flow log for a VPC or a VSwitch, you can capture the traffic of all ENIs in the VPC or VSwitch, including the ENIs created after the flow log function is enabled.
The captured traffic data is stored in Log Service. You can view and analyze traffic data in Log Service. During the beta testing phase of the flow log function, you are only charged for the storage and retrieval of traffic data in Log Service.
The traffic data captured by flow logs is written to Log Service as flow log records. Each flow log record describes one network flow, identified by its 5-tuple (source address, source port, destination address, destination port, and protocol), within a capture window. A capture window lasts at most 10 minutes; the traffic of the window is aggregated and then written to the flow log record, after which you can view it in Log Service. Each record contains the fields listed in the following table.
| Field | Description |
|---|---|
| version | The version of the flow log. |
| vswitch-id | The ID of the VSwitch to which the ENI belongs. |
| vm-id | The ID of the ECS instance with which the ENI is associated. |
| vpc-id | The ID of the VPC to which the ENI belongs. |
| account-id | The ID of the account. |
| eni-id | The ID of the ENI. |
| srcaddr | The source IP address. |
| srcport | The source port. |
| dstaddr | The destination IP address. |
| dstport | The destination port. |
| protocol | The IANA protocol number of the traffic. For more information, see Internet Protocol Numbers. |
| direction | The direction of the traffic. Valid values: |
| packets | The number of data packets. |
| bytes | The size of the data packets. |
| start | The start time of the capture window. |
| end | The end time of the capture window. |
| log-status | The status of the recorded flow log. Valid values: |
| action | The action associated with the traffic. |
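As an added example that is not part of this page or of the Log Service tooling, the following Python script works on constructed flow log records that use the field names listed above. It merges the per-window records of a flow across capture windows (the source port is dropped from the key so that repeated connections from one client to one service collapse into a single flow) and counts rejected flows per source address, which is the quickest way to confirm that your access control rules drop what they are meant to drop. The values used for direction, action, and log-status are assumptions, since this page does not list the valid values.

```python
from collections import defaultdict

# Base record using the field names documented above; each sample overrides a few fields.
# All values are constructed. The direction, action and log-status values are assumptions:
# this page does not list the valid values for those fields.
BASE = {"version": "1", "vpc-id": "vpc-example", "vswitch-id": "vsw-example",
        "vm-id": "i-example", "account-id": "100000000", "eni-id": "eni-a",
        "protocol": 6, "direction": "in", "log-status": "OK", "action": "Accept"}

SAMPLE_RECORDS = [{**BASE, **r} for r in [
    {"srcaddr": "10.0.1.5", "srcport": 44120, "dstaddr": "10.0.2.9", "dstport": 22,
     "packets": 12, "bytes": 1800, "start": 1600000000, "end": 1600000600},
    {"srcaddr": "10.0.1.5", "srcport": 44121, "dstaddr": "10.0.2.9", "dstport": 22,
     "packets": 8, "bytes": 1200, "start": 1600000600, "end": 1600001200},
    {"srcaddr": "203.0.113.7", "srcport": 51000, "dstaddr": "10.0.2.9", "dstport": 3389,
     "packets": 3, "bytes": 180, "start": 1600000000, "end": 1600000600, "action": "Reject"},
    {"srcaddr": "10.0.1.5", "srcport": 44122, "dstaddr": "10.0.2.9", "dstport": 22,
     "packets": 0, "bytes": 0, "start": 1600001200, "end": 1600001800, "log-status": "NODATA"},
]]

FLOW_KEY = ("eni-id", "direction", "srcaddr", "dstaddr", "dstport", "protocol")

def usable_records(records):
    """Keep only capture windows that actually carry flow data (assumed status value "OK")."""
    return [r for r in records if r["log-status"] == "OK"]

def aggregate_flows(records):
    """Merge the per-window records of one flow across capture windows. The source port
    is left out of the key so repeated connections from one client to one service collapse."""
    flows = {}
    for rec in usable_records(records):
        key = tuple(rec[f] for f in FLOW_KEY)
        agg = flows.setdefault(key, {"packets": 0, "bytes": 0, "start": rec["start"],
                                     "end": rec["end"], "actions": set()})
        agg["packets"] += rec["packets"]
        agg["bytes"] += rec["bytes"]
        agg["start"] = min(agg["start"], rec["start"])
        agg["end"] = max(agg["end"], rec["end"])
        agg["actions"].add(rec["action"])
    return flows

def rejected_by_source(records):
    """Count rejected flows per source address, the quickest check that access control
    rules drop what they are meant to drop (assumed action value "Reject")."""
    counts = defaultdict(int)
    for rec in usable_records(records):
        if rec["action"] == "Reject":
            counts[rec["srcaddr"]] += 1
    return dict(counts)
```

On real data, feed the records exported from your Logstore instead of SAMPLE_RECORDS; a flow whose actions set contains both accepted and rejected entries is worth a look, because it usually means a rule changed mid-window.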
The following table lists the limits of flow logs.
| Item | Limit | Quota increase supported? |
|---|---|---|
| The maximum number of flow logs that can be created in a region | 10 | Yes. Open a ticket. |
| VPCs that do not support flow logs | VPCs that contain any instance of the following instance type families: | Yes. You can upgrade the instance type. For more information, see Instance families that support instance type changes. |
| VSwitches that do not support flow logs | VPCs to which the VSwitches belong contain any instance of the following instance type families: | |
| ENIs that do not support flow logs | VPCs to which the ENIs belong contain any instance of the following instance type families: | |

Note: If your VPC (or, for a VSwitch or ENI flow log, the VPC to which the VSwitch or ENI belongs) contains any instance of the instance type families listed in the Limit column and you have created a flow log, you must upgrade the instance type for the flow log function to work normally.
- Activate Log Service.
The traffic data captured by the flow log function is stored in Alibaba Cloud Log Service. Therefore, you must activate Log Service before you create a flow log.
- Optional. Create an Access Key.
If you want to write data through APIs or SDKs, you must create an Access Key (AK). If you want to collect logs by using Logtail, you do not need to create an AK.
- Create a Project.
You must create a Project in Log Service. For more information, see Create a project.
- Create a Logstore.
A Logstore is a collection of resources created in a Project. All data in a Logstore is from the same data source. After you create a Project, you must create a Logstore. For more information, see Create a Logstore.
- Create a capture resource.
Before you create a flow log, you must create a resource whose logs you want to capture. You can capture logs of a specified ENI, VPC, or VSwitch. For more information, see Create an ENI, Create a VPC, and Create a VSwitch.
- Create a flow log.
After you create a flow log, you can capture the traffic data among instances in different regions of the specified CEN. For more information, see Create a flow log.
- View the flow log.
After you create a flow log, you can view the flow log. You can use the captured traffic data to analyze cross-region traffic, optimize traffic costs, and troubleshoot network faults. For more information, see View a flow log.