Network troubleshooting and security auditing require visibility into the traffic flowing through your Virtual Private Cloud (VPC). VPC flow logs capture IP traffic data from VPCs, vSwitches, and Elastic Network Interfaces (ENIs), and store it in Simple Log Service (SLS) for querying, visualization, and alerting.
How flow logs work
The flow log service collects traffic from VPCs, vSwitches, and ENIs and stores it in SLS.
Each flow log record is an aggregated statistic for a network session within a capture window. A session is identified by its 5-tuple: source IP, destination IP, source port, destination port, and protocol. Each record includes:
Communication duration and traffic volume: how long the session lasted and how much data was transferred
Traffic direction: inbound or outbound relative to the network interface
Network element ID: the ENI, vSwitch, or VPC associated with the traffic
Use cases
Traffic monitoring: identify traffic patterns and understand how applications communicate across your network.
Troubleshooting: diagnose abnormal connectivity, packet loss, and performance bottlenecks by examining flow-level data.
Security auditing and compliance: maintain traceable records of all network activity and detect unauthorized access attempts by reviewing rejected traffic.
Threat detection: spot unusual traffic spikes, port scans, or connections to suspicious IP addresses.
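As an added example (not code from this page or the product's own tooling), the script below parses constructed flow log records carrying the 5-tuple, action, byte count and capture window described above, and flags the two patterns the security use cases call out: rejected traffic grouped by source, and a single source reaching many distinct destination ports, which is a port-scan signature. The field names and sample values are assumptions, not the product's documented schema.

```python
# Added example: parse constructed VPC flow log records (one aggregated
# session per capture window) and summarise them per source address.
# Field order below is an assumption modelled on the 5-tuple described in
# the text, not the product's documented log schema.
from collections import defaultdict

# Constructed sample records: src dst srcport dstport proto action bytes start end
SAMPLE_LOGS = """\
10.0.1.5 10.0.2.8 44512 443 6 ACCEPT 18320 1700000000 1700000060
10.0.1.5 10.0.2.8 44513 443 6 ACCEPT 2200 1700000000 1700000060
203.0.113.9 10.0.2.8 51001 22 6 REJECT 60 1700000000 1700000060
203.0.113.9 10.0.2.8 51002 23 6 REJECT 60 1700000000 1700000060
203.0.113.9 10.0.2.8 51003 3389 6 REJECT 60 1700000000 1700000060
203.0.113.9 10.0.2.8 51004 445 6 REJECT 60 1700000000 1700000060
203.0.113.9 10.0.2.8 51005 8080 6 REJECT 60 1700000000 1700000060
10.0.3.7 10.0.2.8 40001 80 6 ACCEPT 9000 1700000000 1700000060
"""

FIELDS = ["srcaddr", "dstaddr", "srcport", "dstport", "protocol",
          "action", "bytes", "start", "end"]
INT_FIELDS = ("srcport", "dstport", "protocol", "bytes", "start", "end")

def parse(text):
    """Turn whitespace-separated records into dicts keyed by FIELDS."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split()))
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        rec["duration"] = rec["end"] - rec["start"]  # session window length
        records.append(rec)
    return records

def summarize(records):
    """Per source: total bytes, rejected sessions, distinct destination ports."""
    stats = defaultdict(lambda: {"bytes": 0, "rejects": 0, "dst_ports": set()})
    for r in records:
        s = stats[r["srcaddr"]]
        s["bytes"] += r["bytes"]
        s["dst_ports"].add(r["dstport"])
        if r["action"] == "REJECT":
            s["rejects"] += 1
    return stats

def find_port_scans(records, min_ports=5):
    """Sources touching at least min_ports distinct destination ports."""
    return sorted(src for src, s in summarize(records).items()
                  if len(s["dst_ports"]) >= min_ports)

def rejected_sources(records):
    """Sources with at least one session denied by access controls."""
    return {src: s["rejects"] for src, s in summarize(records).items() if s["rejects"]}
```

The same grouping can be expressed as an SLS query over the real Logstore once you know the field names your flow log instance emits.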
Prerequisites
Before you begin, make sure that you have:
A VPC with at least one vSwitch and one ENI (for example, an ECS instance)
RAM permissions to manage VPC flow logs and SLS
Authorize the flow log service
The first time you use flow logs, complete these authorization steps:
Go to the Flow Log page.
Click Authorize Now, then click Authorize. This creates the RAM role AliyunVPCLogArchiveRole and the RAM policy AliyunVPCLogArchiveRolePolicy. The role and policy grant the VPC service access to SLS so that flow logs can be written to your Logstore.
On the Flow Log page, click Enable Now, then click Enable Now again.
If you created flow log instances during the public preview, click Activate Now to view and manage those instances.
Go to the Simple Log Service console and activate SLS if you have not already done so.
Create a flow log
Go to the Flow Logs page in the VPC console.
Click Create a flow log.
In the Collection Configuration section, configure the following parameters:
When multiple flow log instances capture traffic from the same NIC, the system uses the smallest sampling interval among all instances as the actual capture interval.
Parameter: Description
Flow Log Name: Enter a name for the flow log.
Region: Select the region where the target resource is located.
Resource Type and Resource Instance: Select ENI, vSwitch, or VPC. Selecting a VPC or vSwitch monitors all ENIs within it.
Data Transfer Type: Select the traffic to capture: traffic allowed by access controls, traffic denied by access controls, or both. Access controls include security groups and network ACLs.
IP Version: Select IPv4 to capture IPv4 traffic only, or Dual-stack to capture both IPv4 and IPv6 traffic. IPv6 is supported in the following regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Hohhot), China (Shenzhen), Singapore, US (Silicon Valley), and US (Virginia).
Sampling Interval (Minutes): Select the capture window: 1 minute, 5 minutes, or 10 minutes. A shorter interval produces more frequent log entries, which helps you detect and diagnose issues faster but generates more data. A longer interval reduces log volume and cost. For example, a persistent TCP connection generates 60 log entries per hour at a 1-minute interval, but only 6 entries per hour at a 10-minute interval.
Sampling Path: Select specific network elements to capture traffic from. Deselect All Scenarios first, then choose from: IPv4 gateway, NAT Gateway, VPN Gateway, Transit Router (TR), gateway endpoint, virtual border router (VBR), Express Connect Router (ECR), and Gateway Load Balancer (GWLB). Narrowing the capture path reduces log volume and cost.
In the Analysis and Delivery section, select at least one destination:
Deliver to Log Service: Select a Project and Logstore. For your first flow log, click Create Project and Create Logstore to isolate flow log data from other logs. To centralize analysis for multiple flow logs, select the same Logstore.
Enable Log Analysis Report: Select this option to automatically create an index and create a dashboard in your Logstore. This enables SQL queries and visual analytics on flow logs. After you enable this feature, SLS billing applies.
Enable NIS Traffic Analysis: Not yet available.
Click OK.
After creation, the system automatically starts collecting traffic.
Analyze flow logs
Query raw flow log data in SLS
Use SLS queries to search, filter, and analyze raw flow log data.
Go to the Flow Logs page in the VPC console.
In the Simple Log Service column, click the Logstore name for the target flow log.
On the Logstore page:
View Raw Logs to inspect individual flow log entries.
Enter a query statement to search and analyze flow logs.
Use pre-built dashboards in the Flowlog Log Center
The Flowlog Log Center provides pre-built visualization dashboards for common analysis tasks.
Go to the Flowlog Log Center and click Add.
On the Create Instance panel, enter an Instance Name, select the Project and Logstore that contain your flow logs, and click OK.
Click the instance ID to open Flow Log Details. The Monitoring Center provides the following dashboards:
Dashboard: Description
Overview: Accept/reject trends, inbound/outbound traffic trends, total packets and bytes per VPC and ENI, geographic distribution of source and destination IPs.
Policy Statistics: Accept and reject trends based on the 5-tuple. Accept: traffic allowed by security groups and network ACLs. Reject: traffic denied by security groups and network ACLs. Use this dashboard to identify blocked connections and validate access control rules.
ENI Traffic: Inbound and outbound traffic per ENI.
Inter-ECS Traffic: Traffic between ECS instances.
Custom Query: Run SQL queries against flow log data. See the query and analysis guide.
Analyze traffic between CIDR blocks (optional)
Analyze traffic between different CIDR blocks, detect threats, and trace traffic from ECS instances to specific network segments.
On the Flow Log Details page, click CIDR Block Settings.
On the CIDR Block Settings tab, turn on Inter-Domain Analysis. This creates a data transformation task that enriches flow logs with network segment information. Data transformation incurs charges.
After the transformation task starts, the following dashboards become available:
Dashboard: Description
Inter-domain Traffic: Traffic volume between different CIDR blocks.
ECS-to-Domain Traffic: Traffic from ECS instances to specific destination CIDR blocks.
Threat Intelligence: Threat intelligence data for source and destination IPs. Use this dashboard to identify connections to known malicious addresses.
Custom Query: Run queries against flow logs enriched with network segment data. See the query and analysis guide.