Transit routers provide the flow log feature. Flow logs can capture information about cross-region traffic between transit routers. You can analyze cross-region traffic, troubleshoot network issues, and reduce traffic costs by using flow logs.

Introduction

Flow logs can capture traffic information during a specified capture window. You can set the duration of a capture window to 1 minute or 10 minutes. During a capture window, flow logs first aggregate captured information, and then write the aggregated information to Log Service as flow log entries. You can query and analyze traffic information in the Log Service console.

The following table describes the fields in a flow log entry.
Field            Description
account-id       The ID of the Alibaba Cloud account
cen-id           The ID of the Cloud Enterprise Network (CEN) instance
src-region-id    The ID of the source region
srcaddr          The source IP address
srcport          The source port
dst-region-id    The ID of the destination region
dstaddr          The destination IP address
dstport          The destination port
protocol         The protocol type
packets          The number of data packets
bytes            The size of data packets
start            The start time of the capture window
end              The end time of the capture window
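
The following added example (not part of the original documentation and not Alibaba Cloud code) shows one way to analyze exported flow log entries by using the fields in the preceding table: traffic volume per region pair for cost review, the largest talkers, and flows that use no approved service port. It assumes that each entry is a mapping of field name to string value. The sample entries, placeholder IDs, value formats, and function names are constructed for illustration.

```python
from collections import Counter

FIELDS = ("account-id", "cen-id", "src-region-id", "srcaddr", "srcport",
          "dst-region-id", "dstaddr", "dstport", "protocol", "packets",
          "bytes", "start", "end")

def make_entry(src_region, srcaddr, srcport, dst_region, dstaddr, dstport, packets, nbytes):
    """Build one constructed entry; IDs, protocol and times are placeholders."""
    values = ("<account-id>", "<cen-id>", src_region, srcaddr, srcport,
              dst_region, dstaddr, dstport, "6", packets, nbytes,
              "1700000000", "1700000060")  # assumed formats, not from the page
    return dict(zip(FIELDS, map(str, values)))

# Constructed sample data, not real traffic.
SAMPLE = [
    make_entry("cn-hangzhou", "10.0.1.10", 50122, "cn-beijing", "10.1.2.20", 443, 1200, 1500000),
    make_entry("cn-beijing", "10.1.2.20", 443, "cn-hangzhou", "10.0.1.10", 50122, 900, 400000),
    make_entry("cn-hangzhou", "10.0.1.11", 41000, "cn-beijing", "10.1.2.21", 3306, 300, 90000),
    make_entry("cn-hangzhou", "10.0.1.12", 52311, "cn-beijing", "10.1.2.22", 4444, 50, 7000000),
]

def bytes_by_region_pair(entries):
    """Total bytes per (source region, destination region), for cost review."""
    totals = Counter()
    for e in entries:
        totals[(e["src-region-id"], e["dst-region-id"])] += int(e["bytes"])
    return dict(totals)

def top_talkers(entries, n=3):
    """Address pairs ranked by bytes sent from srcaddr to dstaddr."""
    totals = Counter()
    for e in entries:
        totals[(e["srcaddr"], e["dstaddr"])] += int(e["bytes"])
    return totals.most_common(n)

def unexpected_flows(entries, allowed_ports):
    """Entries where neither port is an approved service port.

    Reply traffic carries the service port in srcport, so both sides are checked.
    """
    return [e for e in entries
            if int(e["srcport"]) not in allowed_ports
            and int(e["dstport"]) not in allowed_ports]
```

Checking both ports keeps the reply half of an approved connection from being reported, because each direction is recorded as a separate entry in this sample.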

Description

Transit routers provide the flow log feature free of charge. However, Log Service charges storage fees and retrieval fees based on resource usage. For more information, see Log Service billing.
Note: For more information about when and how you are charged for flow logs of transit routers, see the announcements of Alibaba Cloud.

Limits

  • Only Enterprise Edition transit routers support the flow log feature. Basic Edition transit routers do not support the flow log feature.

    If you want to use flow logs in a region where Basic Edition transit routers are deployed, submit a ticket to upgrade the transit routers from Basic Edition to Enterprise Edition.

  • Flow logs can capture information about cross-region traffic only between transit routers. Flow logs cannot capture information about traffic between network instances associated with transit routers.

Prerequisites

Before you use flow logs, make sure that a cross-region connection between transit routers is established. For more information, see Cross-region connections.

Create a flow log

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance that you want to manage and click the instance ID.
  3. Choose Basic Settings > Transit Router, find the transit router that you want to manage, and then click the ID of the transit router.
  4. On the details page of a transit router, click the Flow Logs tab.
  5. If your Alibaba Cloud account does not have Log Service activated, you must first activate Log Service before you can use flow logs.
    On the Flow Logs tab, click Activate Now. On the Log Service page, view and select the Log Service Terms of Service check box, and then click Activate Now. After you activate Log Service, return to the Flow Logs tab.
    Note: If your Alibaba Cloud account already has Log Service activated, ignore this step.
  6. On the Flow Logs tab, click Create Flow Log.
  7. In the Create Flow Log dialog box, set the following parameters and click OK.
    • Name: Enter a name for the flow log. The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.

    • Description: Enter a description for the flow log. This parameter is optional. If you enter a description, it must be 2 to 256 characters in length and cannot start with http:// or https://.

    • Region: By default, the system displays the region where the current transit router is deployed.

    • Transit Router ID: By default, the system displays the ID of the current transit router.

    • Cross-region Bandwidth Plan ID: Select a cross-region connection.

    • Project: Select a project to store traffic information. You can select an existing project or create one. If you select Create Project, you must also create a Logstore.

    • Logstore: Select a Logstore to store traffic information. You can select an existing Logstore or create one.

    • Collection Interval: Select the duration of the capture window. Valid values:
        • 1 Minute
        • 10 Minutes

    • Notes on Creating Service Linked Roles: When you create a flow log, the system automatically creates a service-linked role named AliyunServiceRoleForSLSAudit. Log Service can assume the AliyunServiceRoleForSLSAudit role to obtain some read and write permissions on transit routers to collect traffic information. If the AliyunServiceRoleForSLSAudit role already exists, the system does not create it again. For more information, see Manage the AliyunServiceRoleForSLSAudit service-linked role.

    After you create a flow log, it is enabled by default. You can click the name of a project or a Logstore in the Log Service column to go to the Log Service console and analyze captured traffic information. For more information, see Log search overview and Log analysis overview.

Disable a flow log

You can enable or disable a flow log based on your business requirements.

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance that you want to manage and click the instance ID.
  3. Choose Basic Settings > Transit Router, find the transit router that you want to manage, and then click the ID of the transit router.
  4. On the details page of a transit router, click the Flow Logs tab. On the Flow Logs tab, find the flow log that you want to disable and click Stop in the Actions column.
    If you want to enable a flow log, click Start in the Actions column.

Delete a flow log

You can delete a flow log that you no longer need.

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance that you want to manage and click the instance ID.
  3. Choose Basic Settings > Transit Router, find the transit router that you want to manage, and then click the ID of the transit router.
  4. On the details page of a transit router, click the Flow Logs tab. On the Flow Logs tab, find the flow log that you want to delete and click Delete in the Actions column.
  5. In the Delete Flow Log message, click OK.