Log Service and Alibaba Cloud Virtual Private Cloud (VPC) jointly provide the flow log feature. You can use the feature to record the traffic of a VPC, the traffic of an elastic network interface (ENI) in the VPC, and the traffic of a vSwitch in the VPC. You can check access control rules, monitor network traffic, and troubleshoot network errors based on the flow logs. This topic describes the assets, billing, and limits of the flow log feature.

The flow log feature captures traffic information, records it in logs, and sends the logs to Log Service. Each log records a specified five-tuple of network traffic that is captured within a time window of approximately 10 minutes. During this window, the feature aggregates traffic data and then sends the aggregated data to Log Service as logs. If you enable the flow log feature for a VPC or a vSwitch, traffic that is transferred over the ENIs in the VPC or the vSwitch is captured, including ENIs that are created after the feature is enabled.

Assets

  • Custom projects and Logstores
    Note
    • We recommend that you do not delete the projects or Logstores that are related to VPC flow logs. If you delete the projects or Logstores, the flow logs cannot be collected or sent to Log Service.
    • After you enable the flow log feature for a VPC, the data retention period of the Logstores that store VPC flow logs is forcefully changed to seven days.
  • Dedicated dashboards
    By default, Log Service generates three dashboards for the flow log feature.
    Note: We recommend that you do not make changes to the dedicated dashboards because the dashboards may be upgraded or updated at any time. You can create a custom dashboard to visualize query results. For more information, see Create a dashboard.

    Dashboard | Description
    Logstore Name-vpc_flow_log_traffic_cn | Displays the overall traffic information about a VPC. The information includes Source Address Heat Map by Bytes, Top 10 Flow by Bytes, and Top 10 Action/Protocol by Bytes.
    Logstore Name-vpc_flow_log_rejection_cn | Displays information about the traffic that is rejected by security groups and network ACLs. The information includes Total REJECT Bytes, REJECT Bytes Ratio, Total REJECT Packets, and REJECT Packets Ratio.
    Logstore Name-vpc_flow_log_overview_cn | Displays the overall information about a VPC. The information includes Total Actions, Total ACCEPT Bytes, Total REJECT Bytes, and Total ACCEPT Packets.

Billing

The flow log feature allows you to deliver only the network logs that are extracted to Log Service. When you use the flow log feature, you are charged for Log Service usage and network log extraction.
  • Fee of network log extraction
    You are charged based on the amount of network logs that are extracted. The fees are included in your VPC bills. For more information, see Billing of flow logs.
    Note: The public preview of the flow log feature ends on September 1, 2022. You are charged if you continue to use the flow log feature after this date. For more information, see Announcement on commercialization of the flow log feature.
  • Fee of Log Service usage

    After VPC flow logs are collected and sent to Log Service, you are charged based on the storage space, read traffic, number of requests, data transformation, and data shipping. The fees are included in your Log Service bills. For more information, visit the Log Service pricing page.

Limits

  • Supported regions

    The VPC that you use must reside in the same region as the project that you specify in Log Service. The following table describes the regions in which the flow log feature is supported.

    Area | Supported region
    Asia Pacific | China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), China (Fuzhou - Local Region), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), South Korea (Seoul), Singapore (Singapore), Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), and India (Mumbai)
    Europe & Americas | Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia)
    Middle East | UAE (Dubai)
  • Resources
    Resource: Maximum number of flow log instances that can be created in a region
    Limit: 10
    Adjustable: Submit a ticket.

    Resource: VPCs for which you cannot enable the flow log feature
    Limit: If a VPC contains an Elastic Compute Service (ECS) instance of one of the following instance families, you cannot enable the flow log feature for the VPC:

    ecs.c1, ecs.c2, ecs.c4, ecs.c5, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4.

    If your Elastic Compute Service (ECS) instance does not support advanced virtual private cloud (VPC) features, upgrade or release the ECS instance.
    Note: If a VPC that is used, a VPC to which a vSwitch belongs, or a VPC to which an ENI is bound contains an ECS instance of one of the preceding instance families and has the flow log feature enabled, you must upgrade the instance to make sure that the flow log feature works as expected.

    Resource: vSwitches for which you cannot enable the flow log feature
    Limit: If a vSwitch belongs to a VPC that contains an ECS instance of one of the following instance families, you cannot enable the flow log feature for the vSwitch:

    ecs.c1, ecs.c2, ecs.c4, ecs.c5, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4.

    Resource: ENIs for which you cannot enable the flow log feature
    Limit: If an ENI is bound to a VPC that contains an ECS instance of one of the following instance families, you cannot enable the flow log feature for the ENI:

    ecs.c1, ecs.c2, ecs.c4, ecs.c5, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4.

  • You can use the flow log feature to capture the traffic of a VPC, the traffic of an ENI in the VPC, and the traffic of a vSwitch in the VPC. If you enable the flow log feature for a VPC, ENIs in the VPC, and vSwitches in the VPC, only one set of flow logs is generated.
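
The region, quota, and instance-family limits listed above can be checked before you enable a flow log, so that gaps in network visibility are found up front. The following is an added example, not Alibaba Cloud code: the inventory dictionary, the function names, and the sample instance IDs are constructed for illustration, and instance types are assumed to have the form ecs.<family>.<size>.

```python
# Added example: pre-flight check for the limits listed in this topic.
# The inventory layout is constructed; it is not an Alibaba Cloud API format.
UNSUPPORTED_FAMILIES = frozenset("""
ecs.c1 ecs.c2 ecs.c4 ecs.c5 ecs.ce4 ecs.cm4 ecs.d1 ecs.e3 ecs.e4 ecs.ga1
ecs.gn4 ecs.gn5 ecs.i1 ecs.m1 ecs.m2 ecs.mn4 ecs.n1 ecs.n2 ecs.n4 ecs.s1
ecs.s2 ecs.s3 ecs.se1 ecs.sn1 ecs.sn2 ecs.t1 ecs.xn4
""".split())
MAX_FLOW_LOGS_PER_REGION = 10  # default per-region limit from the Resources list


def instance_family(instance_type):
    """'ecs.sn1ne.xlarge' -> 'ecs.sn1ne' (assumed form: ecs.<family>.<size>)."""
    parts = instance_type.strip().lower().split(".")
    if len(parts) < 3 or parts[0] != "ecs":
        raise ValueError(f"unexpected instance type: {instance_type!r}")
    return ".".join(parts[:2])


def preflight(vpc, project_region, existing_flow_logs_in_region):
    """Return the reasons a flow log cannot be enabled (empty list = OK)."""
    problems = []
    if vpc["region"] != project_region:
        problems.append(f"region mismatch: VPC {vpc['region']} vs project {project_region}")
    if existing_flow_logs_in_region >= MAX_FLOW_LOGS_PER_REGION:
        problems.append("flow log instance limit for the region is reached")
    for inst_id, inst_type in sorted(vpc["instances"].items()):
        # Exact family match: a prefix test would wrongly flag ecs.sn1ne
        # (not in the list) as ecs.sn1.
        if instance_family(inst_type) in UNSUPPORTED_FAMILIES:
            problems.append(f"{inst_id} ({inst_type}) is in an unsupported family")
    return problems


# Constructed sample inventory for one VPC.
SAMPLE_VPC = {
    "region": "cn-hangzhou",
    "instances": {
        "i-example-a": "ecs.g6.large",
        "i-example-b": "ecs.sn1ne.xlarge",
        "i-example-c": "ecs.sn1.medium",
        "i-example-d": "ecs.c5.large",
    },
}

if __name__ == "__main__":
    for line in preflight(SAMPLE_VPC, "cn-shanghai", 10) or ["OK"]:
        print(line)
```

Because the instance-family limit applies to the whole VPC, the same check covers flow logs that target a vSwitch or an ENI in that VPC.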