All Products
Search

This Product

    Express Connect:ECR flow logs

    Document Center

    Express Connect:ECR flow logs

    Last Updated:Dec 17, 2025

    Express Connect Router (ECR) supports flow logs to collect and analyze network traffic between a virtual border router (VBR) and an ECR. This lets you analyze the traffic status of the VBR instance and evaluate network throughput and performance.

    Features

    Flow log overview

    ECR flow logs collect network traffic between a VBR and an ECR. A flow log captures traffic information within a specified aggregation interval, which is 1 minute by default. During this interval, the flow log aggregates the captured traffic information and delivers it as a flow log record to Simple Log Service (SLS) for further analysis.

    During packet capture, not every packet is recorded in the flow log. By default, ECR flow logs capture packets with a sampling probability of 1:4096. As a result, short packet flows may not be captured. However, this sampling frequency does not affect the results of long-term network traffic analysis. If you need more detailed sample data, change the sampling ratio to 1:1024.

    image

    Use cases

    Traffic monitoring

    Traffic usage and cost reduction

    • Collect real-time traffic between VBR instances and ECRs and get insight into their operational status, including traffic source and destination, latency, and packet loss.

    • Monitor network throughput and performance of VBR and ECR connection.

    • Sample and filter traffic based on specific 5-tuples to analyze traffic trends and identify high-traffic periods on Express Connect circuits.

    • Reduce bandwidth costs by analyzing traffic distribution.

    Log fields

    The following table describes the fields in a flow log record.

    Field

    Description

    version

    The flow log version.

    account-id

    The ID of the Alibaba Cloud account.

    vbr-id

    The ID of the VBR instance.

    ecr-id

    The ID of the ECR instance.

    src-region-id

    The ID of the source region.

    srcaddr

    The source IP address.

    srcport

    The source port.

    dst-region-id

    The ID of the destination region.

    dstaddr

    The destination IP address.

    dstport

    The destination port.

    protocol

    The IANA protocol number of the traffic.

    For more information, see Protocol Numbers.

    packets

    The number of packets.

    bytes

    The size of the packets.

    start

    The timestamp at which the aggregation interval begins.

    The time is a UNIX timestamp. It measures the time in seconds from 00:00:00 UTC on January 1, 1970 to the start of the aggregation interval.

    end

    The end time of the aggregation interval.

    The time is a UNIX timestamp. It measures the time in seconds from 00:00:00 UTC on January 1, 1970 to the end of the aggregation interval.

    instance-id

    The ID of the instance associated with the ECR. For example, the instance ID of a VPC or an Enterprise Edition transit router (TR).

    dscp

    The DSCP value in the packet.

    ip-version

    The IP protocol. Valid values:

    • v4: IPv4

    • v6: IPv6

    ratelimit-drop

    The rate of packets dropped due to throttling. Unit: pps.

    direction

    Captures traffic information in both directions of the VBR connection:

    • in: Traffic from the VBR to the ECR.

    • out: Traffic from the ECR to the VBR.

    Billing

    Billing for ECR flow logs includes traffic collection fees and Simple Log Service fees. For more information, see ECR flow log billing.

    image

    Manage flow logs

    Create a flow log

    Before you begin, make sure you have:

    1. Log on to the Express Connect console.

    2. In the navigation pane on the left, click Express Connect Router (ECR). On the Express Connect Router (ECR) page, click the ID of the target ECR instance.

    3. Click the Flow Logs tab, and then click Create Flow Log.

    4. In the Create Flow Log dialog box, set the following parameters and click OK.

      Parameter

      Description

      Name

      Enter a name for the flow log.

      VBR Instance

      Select the ID of the associated VBR instance.

      Region

      The system displays the region of the current VBR.

      Project

      Select a project to store the flow logs. You can select an existing project or create a new one.

      You can only select a project that is in the same region as the current VBR, or create a new project in the region where the VBR is located.

      Logstore

      Select a Logstore to store the flow logs.

      You can select an existing Logstore or create a new one.

      Note

      If you select Create Project, you can only select Create Logstore for the Logstore.

      Sampling Frequency

      Select the duration of the aggregation interval for capturing traffic information. Valid values:

      • 1 Minute (default)

      • 10 Minutes

      Sampling Ratio

      The ratio of captured packets to total packets during data collection. A sampling ratio is used to reduce storage and processing pressure.

      For example, 1:4096 indicates that the flow log captures packets with a sampling probability of 1:4096. Valid values:

      • 1:4096 (default)

      • 1:2048

      • 1:1024

      Description

      Enter a description for the flow log.

      Service-Linked Role

      When you create a flow log, the system automatically creates a service-linked role named AliyunServiceRoleForECRFlowLog. ECR uses this role to get the permissions to read from and write to Simple Log Service. This allows ECR to call Simple Log Service API operations to collect traffic information from specified resources.

      If the role already exists, the system does not create it again. For more information, see System policies for Express Connect.

    Query and analyze flow logs

    After you create the flow log, wait until the status in the Status column changes to Started. In the Simple Log Service column, click the project and Logstore names to go to the Simple Log Service console. In the console, you can query and analyze the flow logs. For more information, see Query and analyze logs.

    123

    Other operations

    Action

    Steps

    Start a flow log

    You can start a flow log that is in the Stopped state. After you start the flow log, it starts to collect traffic information from VBR connections.

    On the Flow Log page, find the target flow log, and then click Start in the Actions column. After you start the flow log, its status changes to Started.

    Stop a flow log

    If you want to temporarily stop collecting traffic information between VBR connections, you can disable the flow log. Disabling the flow log does not delete it. When you want to collect traffic information between VBR connections again, you can enable the flow log that is in the Stopped status.

    On the Flow Log page, find the target flow log, and then click Stop in the Actions column. After you stop the flow log, its status changes to Stopped.

    Delete a flow log

    Deleting a flow log stops the recording of traffic information for the related resource. This operation does not delete existing log data.

    On the Flow Log page, find the target flow log, and then click Delete in the Actions column.

    References

    • To query traffic information on a transit router (TR), see Configure a flow log.

    • To query inbound and outbound traffic information for elastic network interfaces (ENIs) in a VPC, see Flow logs.