All Products
Search
Document Center

Cloud Enterprise Network:CreateFlowlog

Last Updated:Jul 15, 2026

Creates a flow log.

Operation description

Flow logs help you catch traffic information forwarded by transit router instances and network instance connections (inter-region connections, VPC connections, VPN connections, ECR connections, and VBR connections). Before you create a flow log, note the following information:

  • Only Enterprise Edition transit routers support flow log creation.

  • For traffic information of inter-region connections, flow logs catch only outbound traffic of the transit router. Inbound traffic of the transit router is not caught.

    For example, an Elastic Computing Service (ECS) instance in the US (Silicon Valley) region accesses an ECS instance in the US (Virginia) region through Cloud Enterprise Network (CEN). After you configure a flow log for the transit router in the US (Virginia) region, you can view the packet information sent from the US (Virginia) ECS instance to the US (Silicon Valley) ECS instance in the Simple Log Service console, but you cannot view the packet information sent from the US (Silicon Valley) ECS instance to the US (Virginia) ECS instance. To view the packet information sent from the US (Silicon Valley) ECS instance to the US (Virginia) ECS instance, configure a flow log on the transit router in the US (Silicon Valley) region.

  • When a flow log catches traffic information of a VPC connection, only traffic forwarded by the transit router elastic network interface (ENI) is caught. To learn about traffic forwarded by other ENIs in the VPC, see VPC flow log overview.

  • The CreateFlowlog operation is asynchronous. After you send a request, the system returns a flow log ID, but the flow log has not been created. The creation task is still running in the background. You can invoke the DescribeFlowlogs operation to query the status of the flow log.

    • If the flow log is in the Creating state, the flow log is being created. In this state, you can only execute query operations.

    • If the flow log is in the Active state, the flow log is created.

Before you begin

Before you create a flow log for a resource, make sure that the required resources exist. To create the resources, see:

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

cen:CreateFlowlog

create

*All Resource

*

None None

Request parameters

Parameter

Type

Required

Description

Example

ClientToken

string

No

The client token that is used to ensure the idempotence of the request.

You can use the client to generate the token, but you must make sure that the token is unique among different requests. The client token can contain only ASCII characters.

Note

If you do not specify this parameter, the system automatically uses the RequestId of the API request as the ClientToken. The RequestId may be different for each API request.

123e4567-e89b-12d3-a456-42665544****

RegionId

string

Yes

The region ID of the flow log.

You can call the DescribeChildInstanceRegions operation to query the region ID.

cn-hangzhou

FlowLogName

string

No

The name of the flow log.

The name can be empty or 1 to 128 characters in length and cannot start with http:// or https://.

myFlowlog

Description

string

No

The description of the flow log.

The description can be empty or 1 to 256 characters in length and cannot start with http:// or https://.

myFlowlog

CenId

string

Yes

The instance ID of the Cloud Enterprise Network (CEN).

cen-7qthudw0ll6jmc****

ProjectName

string

No

The project that stores the caught traffic.

  • If you have already created a project in the current region, enter the name of the existing project.

  • If you have not created a project in the current region, specify a custom name for the project. The system performs automatic creation of the project.

    The project name must be globally unique within an Alibaba Cloud region and cannot be modified after creation. The naming rules are as follows:

    • The project name must be globally unique.

    • The name can contain only lowercase letters, digits, and hyphens (-).

    • The name must start and end with a lowercase letter or digit.

    • The name must be 3 to 63 characters in length.

flowlog-project

LogStoreName

string

No

The Logstore that stores the caught traffic.

  • If you have already created a Logstore in the current region, enter the name of the existing Logstore.

  • If you have not created a Logstore in the current region, specify a custom name for the Logstore. The system performs automatic creation of the Logstore. The naming rules for the Logstore are as follows:

    • The Logstore name must be unique within the same project.

    • The name can contain only lowercase letters, digits, hyphens (-), and underscores (_).

    • The name must start and end with a lowercase letter or digit.

    • The name must be 3 to 63 characters in length.

flowlog-logstore

Interval

integer

No

The capture window duration of the flow log. Unit: seconds. Valid values: 60 and 600. Default value: 600.

600

TransitRouterAttachmentId

string

No

The ID of the VPC connection, VPN connection, VBR connection, ECR connection, or inter-region connection.

Leave this parameter empty if you want to configure a flow log for a transit router instance.

tr-attach-r6g0m3epjehw57****

TransitRouterId

string

No

The transit routing instance ID.

tr-bp1rmwxnk221e3fas****

LogFormatString

string

No

The string that defines custom flow log record fields.

The format is defined as: ${field 1}${field 2}${field 3}...${field n}

  • If you leave this parameter empty, all default fields are recorded.

  • If you specify this parameter, because ${srcaddr}${dstaddr}${bytes} are required, the string must start with ${srcaddr}${dstaddr}${bytes}. For all supported flow log fields, see Configure a flow log.

${srcaddr}${dstaddr}${bytes}

Tag

array<object>

No

The tag information.

You can specify up to 20 tags at a time.

object

No

The tag information.

You can specify up to 20 tags at a time.

Key

string

No

The tag key of the resource.

Once specified, the tag key cannot be an empty string. The tag key can be up to 64 characters in length and cannot start with aliyun or acs:. It cannot contain http:// or https://.

You can specify up to 20 tag keys at a time.

TagKey

Value

string

No

The tag value of the resource.

The tag value can be empty or up to 128 characters in length. It cannot start with aliyun or acs: and cannot contain http:// or https://.

Each tag key corresponds to one tag value. You can specify up to 20 tag values at a time.

TagValue

Response elements

Element

Type

Description

Example

object

The response parameters.

RequestId

string

The request ID.

54B48E3D-DF70-471B-AA93-08E683A1B457

Success

string

Indicates whether the API call is successful.

  • true: successful.

  • false: failed.

true

FlowLogId

string

The flow log ID.

flowlog-m5evbtbpt****

Examples

Success response

JSON format

{
  "RequestId": "54B48E3D-DF70-471B-AA93-08E683A1B457",
  "Success": "true",
  "FlowLogId": "flowlog-m5evbtbpt****"
}

Error codes

HTTP status code

Error code

Error message

Description

400 ProjectOrLogstoreNotExist The specified project or logstore does not exist. The error message returned because the specified project or Logstore does not exist.
400 SourceProjectNotExist The Source Project or logstore does not exist. The error message returned because the specified source project or Logstore does not exist.
400 OperationUnsupported.action This action is not support. The error message returned because this operation is not supported in the specified region.
400 RuleExist The rule has already existed. The rule already exists.
400 QuotaExceeded.FlowlogCount This user has reached the maximum instance number of flowlog. The error message returned because the number of flow logs has reached the upper limit.
400 InvalidFlowlogId.exist This cenId already has flowlog instance existed. The error message returned because the specified CEN instance is already associated with a flow log.
400 Flowlog.AlreayExist This attachment already has existed flowlog instance. The error message returned because the specified flow log already exists. You cannot create duplicate flow logs.
400 IllegalParam.TransitRouterAttachmentId TransitRouterAttachmentId is illegal. The error message returned because the specified transit router is invalid.
400 InvalidTransitRouterAttachmentId.NotFound The TransitRouterAttachmentId is not found. The error message returned because the specified transit router attachment ID (TransitRouterAttachmentId) does not exist.
400 IncorrectStatus.flowlog This action is not allowed in the current flow log status. This action is not allowed in the current flow log status.
400 InvalidOperation.TransitRouterNotExist Operation is invalid because the transit router not exist. The error message returned because the specified transit router does not exist.
400 IncorrectStatus.TransitRouterAttachmentId The resource is not in a valid state for the attachment operation. The error message returned because the operation is not supported when the specified attachment is in an unstable state
400 ProjectExist Project already exist, please try a different project name. The log Project already exists, try a different Project name.
400 InvalidParameter.ProjectName Project name is invalid or does not belong to specified region. The Project name is illegal or does not belong to the specified region.
400 IncorrectStatus.TrFlowlog Flowlog status for specified TransitRouter is invalid for this operation. Flowlog status for specified TransitRouter is invalid for this operation.
400 OperationInvalid.IncompatibleFlowlogExist Operation is invalid because incompatible flowlog config exists. There are incompatible Flowlog configurations, please delete and try again.
400 InvalidParameter.LogFormatString LogFormatString is invalid. The specified log format is invalid.
400 InvalidParameter.LogStoreName Specified LogStore name is invalid. Logstore name is invalid.
400 OperationFailed.InvalidLogInfo The entered log service information is invalid. Check whether the ProjectName and LogStoreName are correct, and whether Log Service has been activated. The entered log service information is invalid. Check whether the ProjectName and LogStoreName are correct, and whether Log Service has been activated.
400 IncorrectStatus.TransitRouterInstance The status of TransitRouter is incorrect. The error message returned because the transit router is in an invalid state.
400 InvalidParameter Invalid parameter. The error message returned because the parameter is set to an invalid value.
400 Unauthorized The AccessKeyId is unauthorized. The error message returned because you do not have the permissions to perform this operation.
400 InvalidParameter.CenId The specified parameter CenId is invalid.
400 InvalidParameter.TagValue The specified parameter TagValue is invalid. The input parameter Tag Value is invalid.
403 NoPermission.AliyunServiceRoleForTRFlowLog You are not authorized to create service linked role AliyunServiceRoleForTRFlowLog. You are not authorized to create service linked role AliyunServiceRoleForTRFlowLog.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.