Virtual Private Cloud (VPC) provides the flow log feature to capture information about inbound and outbound traffic on an elastic network interface (ENI). You can use flow logs to verify access control list (ACL) rules, monitor network traffic, and troubleshoot network errors. To capture network traffic with this feature, you must first create a flow log.

Create a flow log

To create a flow log, perform the following steps:
  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Flow Log.
  3. If this is the first time you use the flow log feature, click Authorize and click Confirm. You must complete the authorization to ensure that flow logs can be imported to Log Service.
  4. In the top navigation bar, select the region where you want to create the flow log.
    For more information about regions that support the flow log feature, see Features and supported regions.
  5. On the Flow Log page, click Create Flow Log.
  6. In the Create Flow Log dialog box, set the following parameters and click OK.
    Name
      Specify a name for the flow log. The name must be 2 to 128 characters in length and can contain letters, digits, hyphens (-), and underscores (_). The name must start with a letter and cannot start with http:// or https://.

    Resource Type
      Select the type of resource from which you want to capture traffic, and then select the resource. Supported resource types:
      • VPC: captures traffic from all ENIs in the specified VPC.
      • VSwitch: captures traffic from all ENIs associated with the specified vSwitch.
      • Network Interface: captures traffic from the specified ENI.

      Flow logs are not supported in the following scenarios:
      • If the VPC to which the specified vSwitch belongs contains Elastic Compute Service (ECS) instances of the following instance families, you cannot create a flow log for the VPC.
      • If the ECS instances that are associated with the ENI belong to the following instance families, you cannot create a flow log for the ENI.

      Unsupported instance families: ecs.c1, ecs.c2, ecs.c4, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4.

      You must upgrade or release these ECS instances before you can create flow logs.

    Traffic Type
      Select the type of traffic that you want to capture. Valid values:
      • All: captures all traffic of the specified resource.
      • Allow: captures traffic that is allowed by the security group rules of the specified resource.
      • Drop: captures traffic that is denied by the security group rules of the specified resource.

    Project
      Specify a Log Service project in which to store the captured traffic.
      • Select Project: select an existing project.
      • Create Project: create a new project.

    Logstore
      Specify a Logstore in which to store the captured traffic.
      • Select Logstore: select a Logstore from an existing project.
      • Create Logstore: create a new Logstore.

    Turn on FlowLog Analysis Report Function
      Select this option to enable Log Service indexing and create a dashboard for the Logstore. You can then query the log data with SQL or analyze it in the dashboard.

      Log Service dashboards are free of charge. However, Log Service indexing is billed based on data usage. For more information, see Log Service billing.

    Description
      Enter a description for the flow log. The description must be 2 to 256 characters in length and cannot start with http:// or https://.
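As an added example (not code from the original page or from the VPC service), a Python pre-flight check that applies the rules from the Create Flow Log parameters before a flow log is requested: the name and description constraints, the console's resource and traffic type labels, and the unsupported instance-family list. The instance IDs and types in the sample inventory are constructed, and the ecs.<family>.<size> type layout is an assumption.

```python
import re

# Instance families that the page lists as unsupported for flow logs.
UNSUPPORTED_FAMILIES = {
    "ecs.c1", "ecs.c2", "ecs.c4", "ecs.ce4", "ecs.cm4", "ecs.d1", "ecs.e3",
    "ecs.e4", "ecs.ga1", "ecs.gn4", "ecs.gn5", "ecs.i1", "ecs.m1", "ecs.m2",
    "ecs.mn4", "ecs.n1", "ecs.n2", "ecs.n4", "ecs.s1", "ecs.s2", "ecs.s3",
    "ecs.se1", "ecs.sn1", "ecs.sn2", "ecs.t1", "ecs.xn4",
}
# Name rule from the page: 2-128 chars of letters, digits, "-" or "_", starting
# with a letter (which also rules out a leading "http://" or "https://").
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{1,127}$")
RESOURCE_TYPES = {"VPC", "VSwitch", "Network Interface"}  # console labels from the page
TRAFFIC_TYPES = {"All", "Allow", "Drop"}

def instance_family(instance_type):
    """'ecs.gn5-c4g1.xlarge' -> 'ecs.gn5'. Assumes the usual ecs.<family>.<size>
    layout, with an optional '-variant' suffix on the family segment."""
    head = ".".join(instance_type.split(".")[:2])
    return head.split("-")[0]

def unsupported_instances(instances):
    """Return the IDs of instances whose family blocks flow log creation."""
    return [iid for iid, itype in instances
            if instance_family(itype) in UNSUPPORTED_FAMILIES]

def validate_flow_log(name, description, resource_type, traffic_type, instances=()):
    """Return a list of problems; an empty list means the request meets the page's rules."""
    problems = []
    if not NAME_RE.match(name):
        problems.append("name: 2-128 chars of [A-Za-z0-9_-], starting with a letter")
    if not 2 <= len(description) <= 256 or description.startswith(("http://", "https://")):
        problems.append("description: 2-256 chars, must not start with http:// or https://")
    if resource_type not in RESOURCE_TYPES:
        problems.append("resource type must be one of %s" % sorted(RESOURCE_TYPES))
    if traffic_type not in TRAFFIC_TYPES:
        problems.append("traffic type must be one of %s" % sorted(TRAFFIC_TYPES))
    blocked = unsupported_instances(instances)
    if blocked:
        problems.append("upgrade or release these instances first: " + ", ".join(blocked))
    return problems

if __name__ == "__main__":
    # Constructed sample inventory: the legacy ecs.sn2 instance blocks the whole VPC.
    inventory = [("i-sample0001", "ecs.g6.large"), ("i-sample0002", "ecs.sn2.medium")]
    print(validate_flow_log("drop-audit", "Denied traffic only", "VPC", "Drop", inventory))
```

Running the check with a Drop traffic type is the usual starting point for auditing what the security groups are rejecting, since that is the traffic an operator most often wants to alert on.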

View a flow log

After you create a flow log, you can view its captured data. Flow log data helps you verify ACL rules, monitor network traffic, and troubleshoot network errors.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Flow Log.
  3. In the top navigation bar, select the region to which the flow log belongs.
  4. On the Flow Log page, find the flow log that you want to view, and click the name of the Logstore.
  5. In the Log Service console, click Search & Analyze.
    After flow log data appears, you can view and analyze the captured traffic.

Modify a flow log

After you create a flow log, you can modify the name and description of the flow log.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Flow Log.
  3. In the top navigation bar, select the region to which the flow log belongs.
  4. On the Flow Log page, find the flow log that you want to modify, and click the Modify the name of a flow log icon in the Instance ID/Name column to modify the name of the flow log.
    The name must be 2 to 128 characters in length and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.
  5. Click the Modify the name of a flow log icon in the Description column to modify the description of the flow log.
    The description must be 2 to 256 characters in length and cannot start with http:// or https://.

Enable a flow log

You can enable a flow log that is in the Inactive state. After you enable the flow log, the flow log starts to capture traffic from ENIs.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Flow Log.
  3. In the top navigation bar, select the region to which the flow log belongs.
  4. On the Flow Log page, find the flow log that you want to enable and click Enable in the Actions column.
    After the flow log is enabled, the state of the flow log changes to Active.

Disable a flow log

Disable a flow log to stop it from capturing traffic from ENIs. A disabled flow log is not deleted: it moves to the Inactive state, and you can enable it again later to resume capturing traffic from ENIs.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Flow Log.
  3. In the top navigation bar, select the region to which the flow log belongs.
  4. On the Flow Log page, find the flow log that you want to disable and click Disable in the Actions column.
    After the flow log is disabled, the state of the flow log changes to Inactive.

Delete a flow log

You can delete a flow log that is in the Active or Inactive state. Deleting a flow log does not delete the traffic it has already captured; that data remains in the Logstore, and you can still view it in the Log Service console.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Flow Log.
  3. In the top navigation bar, select the region to which the flow log belongs.
  4. On the Flow Log page, find the flow log that you want to delete, and click Delete in the Actions column.
  5. In the Delete Flow Log message, click OK.