You can enable VPC traffic logs, which allows the flow log service to collect traffic from VPCs, vSwitches, and Elastic Network Interfaces (ENIs). This traffic is then stored in Simple Log Service (SLS) as flow logs.
Security risks
VPC flow logs record all IP traffic that flows to and from your VPC. The core benefits are:
Traffic monitoring and analysis: Monitor network traffic patterns and analyze application communication behavior.
Troubleshooting: Quickly identify issues such as abnormal network connectivity and performance bottlenecks.
Security, audit, and compliance: Meet data security and compliance requirements by providing traceable records of network activity.
Network security attack analysis: Analyze potential network security attacks, such as unusual traffic or illegal scans.
VPC flow logs record network flow information, including communication between ECS instances within a VPC and between the VPC and external networks. Each flow log record is an aggregated statistic for a specific network session. A session is uniquely identified by its 5-tuple: source IP, destination IP, source port, destination port, and protocol. The log content includes key metrics such as communication duration and traffic volume, and metadata such as traffic direction and network element ID.
Best practices
Enable and create VPC flow logs
Enable VPC flow logs
The first time you use the flow log feature, complete the following steps:
On the Flow Log page, click Authorize Now, and then click Authorize to complete the security authorization. This operation automatically creates the RAM role AliyunVPCLogArchiveRole and the RAM policy AliyunVPCLogArchiveRolePolicy. The role and policy grant the flow log service access to Simple Log Service so that flow logs can be written to it. Treat this as a service role for log delivery only: do not widen the policy or reuse it for other workloads.
On the Flow Log page, click Enable Now. If you created flow log instances during the public preview, click Activate Now to view and manage those instances again.
Go to the Simple Log Service console and enable Simple Log Service.
Go to the Flow Logs page in the VPC console. Click Create a flow log. On the Create a flow log panel, configure the following parameters:
Collection Configuration:
Region: Select the region where the target resource is located.
Resource Type and Resource Instance: The available resource types are ENI, vSwitch, and VPC. If you select a VPC or vSwitch, the system monitors the traffic of all ENIs within the selected resource.
Data Transfer Type: Select the traffic to capture. You can capture traffic that is allowed or denied by access controls. Access controls include security groups and network ACLs.
IP Version: You can collect traffic for IPv4 only or for both IPv4 and IPv6 (Dual-stack). The regions that currently support IPv6 include the following: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Hohhot), China (Shenzhen), Singapore, US (Silicon Valley), and US (Virginia).
Sampling Interval (Minutes): The capture window for aggregating traffic information. You can select 1 minute, 5 minutes, or 10 minutes. A smaller interval provides more timely logs, which helps you discover and locate issues faster. A larger interval is less timely but reduces the number of log entries, which saves costs. For example, for a persistent TCP connection, a 1-minute interval generates 60 log entries per hour, whereas a 10-minute interval generates only 6.
When multiple flow log instances capture traffic from the same ENI, the system uses the smallest sampling interval among those instances as the actual capture interval, so one instance configured with a 1-minute interval sets the log volume for every instance on that ENI.
Sampling Path: Select specific capture scenarios to reduce costs. Before you select a scenario, you must first deselect the default All Scenarios option. You can capture traffic that passes through the following network elements: IPv4 gateway, NAT Gateway, VPN Gateway, Transit Router (TR), gateway endpoint, virtual border router (VBR), Express Connect Router (ECR), and Gateway Load Balancer (GWLB).
Analysis and Delivery: Select at least one destination.
Deliver to Log Service:
Select Project and Logstore: When you create a flow log for the first time, we recommend that you click Create Project and Create Logstore to isolate the flow log data from other data. To aggregate multiple flow logs in one place for centralized analysis, select the same Logstore.
Enable Log Analysis Report: We recommend that you select this option. This feature automatically creates an index and a dashboard in the corresponding Logstore to support SQL queries and visual analytics on flow logs. Simple Log Service bills for the index and dashboard after this feature is enabled.
Enable NIS Traffic Analysis (Not yet available).
Click OK to create the flow log. After the flow log is created, the system automatically starts collecting traffic information.
Analyze flow logs
By analyzing flow logs, you can monitor network performance, troubleshoot network issues, optimize network traffic costs, and perform network security analysis.
Custom analysis: Use a Logstore
Go to the Flow Logs page in the VPC console. In the Simple Log Service column for the target flow log, click the Logstore instance name to go to its details page. On this page, you can perform the following actions:
View Raw Logs to see the details of flow log entries.
Enter a statement to query and analyze flow logs.
Template-based analysis: Use the Flowlog Log Center
The Flowlog Log Center provides a set of visualization templates. These templates support statistics for VPC policies, ENI traffic, and traffic between network segments, which helps you quickly analyze VPC flow logs.
Go to the Flowlog Log Center page and click Add in the upper-right corner.
On the Create Instance panel, enter an Instance Name. Select the Project and Logstore that correspond to your existing flow logs. Then, click OK.
After the instance is created, click the instance ID in the Flowlog Log Center. On the Flow Log Details page, you can view and analyze flow log information.
The Flowlog Log Center provides the following dashboards and custom query features:
Overview: Displays accept and reject trends for flow logs, inbound and outbound traffic trends, the total number of packets and bytes for each VPC and ENI, and the geographic distribution of source and destination IP addresses.
Policy Statistics: Displays information such as accept and reject trends, and the number of accepted and rejected connections. This information is based on the 5-tuple, which consists of the source IP, destination IP, source port, destination port, and protocol.
Accept: Traffic that is allowed by security groups and network ACLs.
Reject: Traffic that is denied by security groups and network ACLs.
ENI Traffic: Displays inbound and outbound traffic information for ENIs.
Inter-ECS Traffic: Displays traffic between ECS instances.
Custom Query: You can refer to the quick guide to query and analyze logs.
Enable inter-domain analysis (Optional): On the Flow Log Details page, click CIDR Block Settings. On the CIDR Block Settings tab, turn on the Inter-Domain Analysis switch.
After you enable the inter-domain analysis feature, the system automatically creates a data transformation task. This task generates VPC flow logs that contain network segment information, which is used to analyze traffic between different network segments. The data transformation feature incurs charges.
Inter-domain Analysis provides the following dashboards and custom query features:
Inter-domain Traffic: Displays traffic between different network segments.
ECS-to-Domain Traffic: Displays traffic from ECS instances to destination CIDR blocks.
Threat Intelligence: Displays threat intelligence information for source and destination IP addresses.
Custom Query: You can query and analyze VPC flow logs that contain network segment information.