Virtual Private Cloud (VPC) provides flow logs that record information about inbound and outbound traffic of an elastic network interface (ENI). Flow logs help you to verify access control list (ACL) rules, monitor network traffic, and troubleshoot network issues.

Features and supported regions

The flow log feature is in public preview. To use this feature,submit a ticket.

The following table lists the regions that support the flow log feature.
District Supported region
Asia Pacific China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), Singapore (Singapore), Australia (Sydney), Malaysia (Kuala Lumpur), and Indonesia (Jakarta)
Europe & Americas US (Silicon Valley), US (Virginia), Germany (Frankfurt), and UK (London)
Middle East & India India (Mumbai) and UAE (Dubai)

Functions

Flow logs can record the information about network traffic of a specified ENI, VPC, or vSwitch. After you enable the flow log feature for a VPC or a vSwitch, information about traffic of ENIs in the VPC or vSwitch is captured. Flow logs also capture information about the ENIs that are created after the flow log feature is enabled.

The traffic information captured by the flow log feature is written to flow log entries in Log Service. Each flow log entry includes a 5-tuple of a traffic flow captured within the specified time period. The maximum time period lasts approximately 10 minutes. During the time period, statistics about a traffic flow are captured and aggregated into a flow log record.

The following table describes the fields of a flow log record.
Field Description
version The version of the flow log.
vswitch-id The ID of the vSwitch to which the ENI belongs.
vm-id The ID of the cloud instance to which the ENI is bound.
vpc-id The ID of the VPC to which the ENI belongs.
account-id The ID of the Alibaba Cloud account.
eni-id The ID of the ENI.
srcaddr The source IP address.
srcport The source port.
dstaddr The destination IP address.
dstport The destination port.
protocol The Internet Assigned Numbers Authority (IANA) protocol number of traffic.

For more information, see Protocol Numbers.

direction The direction of the traffic. Valid values:
  • in: inbound traffic
  • out: outbound traffic
packets The number of data packets.
bytes The size of data packets.
start The time when the capture starts.
end The time when the capture ends.
log-status The state of the flow log record. Valid values:
  • OK: The data is recorded.
  • NODATA: No inbound or outbound traffic is transmitted through the ENI during the time period.
  • SKIPDATA: Some flow log records are skipped within the time period.
action The action that has been performed on the traffic flow. Valid values:
  • ACCEPT: the traffic flow has been allowed by security groups or ACLs.
  • REJECT: the traffic flow has been rejected by security groups or ACLs.

Billing method

You can store and analyze flow logs in only Log Service. You are charged for traffic flow data collection and Log Service when you use flow logs.
  • The fee of traffic flow data collection
    A fee is charged based on the amount of traffic flow data that is captured.
    Note The fee of traffic flow data collection is not charged during the public preview.
  • The fee of Log Service

    The data captured by a flow log is stored in Log Service. You can view and analyze the flow log in Log Service. You are charged for data storage and retrieval when you use Log Service.

Limits

The following table lists the limits of flow logs.

Item Limit Adjustable
Number of flow logs that can be created in each region 10 N/A
ECS instance families that do not support flow logs
  • When you enable flow logs for a VPC or a vSwitch, ECS instances in the VPC or vSwitch do not support flow logs if they belong to the following instance families. Other ECS instances that meet the requirement support flow logs.
  • Elastic network interfaces (ENIs) that are associated with ECS instances of the following instance families do not support flow logs.

ecs.c1, ecs.c2, ecs.c4, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4.

Upgrade or release an ECS instance.

Procedure

To configure a flow log, perform the following steps:Configure a flow log
  1. Activate Log Service

    The traffic data captured by the flow log feature is stored in Alibaba Cloud Log Service. Therefore, you must activate Log Service before you create a flow log.

  2. Optional. Create an AccessKey pair

    If you want to import data by calling API or SDK, you must create an AccessKey pair. If you want to log events by using Logtail, you do not need to create an AccessKey pair.

  3. Create a project

    You must create a project in Log Service. For more information, see Create a project.

  4. Create a Logstore

    A Logstore is a set of resources created for a project. All data in a Logstore is retrieved from the same source. After you create a project, you must create a Logstore. For more information, see Create a Logstore.

  5. Specify a resource from which traffic flow data is captured

    Before you create a flow log, you must specify the resource from which traffic flow data is captured. You can capture traffic flow data from an ENI, VPC, or vSwitch. For more information, see Create an ENI, Work with VPCs, and Work with vSwitches.

  6. Create a flow log

    After you create a flow log, the flow log can capture the traffic data of network instances that are attached to a Cloud Enterprise Network (CEN) instance in different regions. For more information, see Work with a flow log.

  7. View flow logs

    After you create a flow log, you can view the flow log. You can analyze cross-region data transmission, reduce costs, and troubleshoot network errors based on the captured traffic data. For more information, see View a flow log.