NAT Gateway:Locate high-traffic ECS instances that use Internet NAT gateways

Use cases

• Diagnose bandwidth bottlenecks: When multiple ECS instances share SNAT bandwidth through an Internet NAT gateway, flow logs let you rank instances by outbound traffic and pinpoint the ones causing congestion.

• Reduce costs: Identify the specific instances and source IP addresses driving high traffic, then modify their network access paths to cut unnecessary bandwidth charges.

How it works

The Internet NAT gateway is a security gateway that provides Source Network Address Translation (SNAT) and Destination Network Address Translation (DNAT) features. It enables fine-grained monitoring and management for instances that frequently access the Internet, including top traffic display and burst traffic identification.

VPC flow logs can capture traffic from specific elastic network interfaces (ENIs), VPCs, or all ENIs in a vSwitch. All traffic between ECS instances and the Internet passes through the NAT gateway's ENI, which acts as the single entry and exit point. Every byte—inbound and outbound—is observable through a single flow log capture point.

With the ENI as the transit point, traffic between an ECS instance and the Internet follows four routes:

Log on to the Flow Log Center to monitor and analyze traffic in the IN and OUT directions and track data recorded for ENIs. For field definitions, see Flow logs.

Example scenario

A company runs three ECS instances in a virtual private cloud (VPC). All Internet access goes through an Internet NAT gateway using SNAT. Servers are slow to load external resources. The company wants to identify which of the three instances generates the most outbound traffic so it can reallocate bandwidth.

The following diagram shows the setup: three ECS instances in vSwitch1 access the Internet via the NAT gateway in vSwitch2.

In this tutorial, you learn how to:

• Create a flow log for the vSwitch that contains the ECS instances

• Simulate traffic from each instance using wrk

• Query and visualize the flow log data to identify the highest-traffic instance

Prerequisites

Before you begin, ensure that you have:

• A VPC in the China (Hangzhou) region with two vSwitches: vSwitch1 and vSwitch2. See Create and manage a VPC.

• Three ECS instances (ECS01, ECS02, ECS03) created in vSwitch1. See Create an instance on the Custom Launch tab.

• An Internet NAT gateway in vSwitch2 with an SNAT entry that covers vSwitch1. See Use the SNAT feature of an Internet NAT gateway to access the Internet.

<details> <summary>Example configuration parameters</summary>

</details>

Step 1: Create a flow log

Before creating a flow log, verify that the flow log prerequisites are met.

1. Log on to the VPC console.

2. In the left-side navigation pane, choose O&M and Monitoring > Flow Log.

3. In the top navigation bar, select China (Hangzhou).

4. On the Flow Log page, click Create a flow log.

5. In the Create a flow log dialog box, configure the following settings and click OK.

   Setting	Value
   Resource type	Select vSwitch.
   Resource instance	Select the instance ID of vSwitch1.
   Data transfer type	Select All Traffic.
   Project	Click Create Project and enter a name for the new project.
   Logstore	Click Create Logstore and enter a name for the new Logstore.
   Enable log analysis report	Enable this option.

Step 2: Simulate traffic with wrk

1. Log on to ECS01, ECS02, and ECS03.

2. Install wrk on all three instances:

   yum -y install git make gcc
   git clone https://github.com/wg/wrk.git
   yum install unzip
   cd wrk
   make

3. Run the following commands on each instance to simulate traffic at different concurrency levels: On ECS01:

   Flag	Description
   -c	Number of concurrent connections per thread
   -d	Test duration (for example, 60s = 60 seconds)
   -t	Number of threads (simulated concurrent users)

   ./wrk -c 1000 -d 60s -t 3 http://101.XX.XX.200:80/  # 101.XX.XX.200 is a public IP

   On ECS02:

   ./wrk -c 2000 -d 60s -t 3 http://101.XX.XX.200:80/  # 101.XX.XX.200 is a public IP

   On ECS03:

   ./wrk -c 3000 -d 60s -t 3 http://101.XX.XX.200:80/  # 101.XX.XX.200 is a public IP

Step 3: View and analyze flow logs

1. Log on to the VPC console.

2. In the left-side navigation pane, choose O&M and Monitoring > Flow Log.

3. In the top navigation bar, select China (Hangzhou).

4. On the Flow Log page, find the flow log you created and click the Logstore link in the Simple Log Service column.

5. In the Simple Log Service console, enter the following SQL statement in the query box. This query aggregates outbound traffic from the ECS instances to a specific public IP address, grouped by source IP and time. Results include three fields—time, bandwidth (in bps), and srcaddr (the ECS instance's private IP address)—sorted in ascending order of time, with up to 1,000 entries.

   • Inbound traffic (from a specific public IP to ECS instances): Replace dstaddr with srcaddr for the public IP filter, and group by dstaddr. Set Aggregated Column to dstaddr when generating the chart.

     srcaddr: "101.XX.XX.200" and action: ACCEPT and dstaddr: 172.16.1.* | select date_format(from_unixtime(__time__ - __time__% 60), '%H:%i:%S') as time, dstaddr,sum(bytes*8/(case WHEN "end"-start=0 THEN 1 else "end"-start end)) as bandwidth group by time,dstaddr order by time asc limit 1000

   • All outbound traffic (from ECS instances to all public IP addresses): Filter by source IP range and exclude intranet destinations. Set Aggregated Column to srcaddr when generating the chart.

     srcaddr: 172.16.1.* and action: ACCEPT | select date_format(from_unixtime(__time__ - __time__% 60), '%H:%i:%S') as time, srcaddr,sum(bytes*8/(case WHEN "end"-start=0 THEN 1 else "end"-start end)) as bandwidth from log where ip_to_domain(dstaddr)!='intranet' group by time,srcaddr order by time asc limit 1000

   dstaddr: "101.XX.XX.200" and action: ACCEPT and srcaddr: 172.16.1.* | select date_format(from_unixtime(__time__ - __time__% 60), '%H:%i:%S') as time, srcaddr,sum(bytes*8/(case WHEN "end"-start=0 THEN 1 else "end"-start end)) as bandwidth group by time,srcaddr order by time asc limit 1000

   To change the query direction, use one of the following alternative statements: For field definitions, see Field details of VPC flow logs.

6. Set the time range to Last 5 Minutes.

7. On the General Configurations tab, click in Chart types to select a flow chart.

8. In the Query and analysis configuration section, configure the chart axes: In Standard configurations, set Format to bps, Kbps, Mbps (SI).

   Parameter	Value
   X-axis field	time
   Y-axis field	bandwidth
   Aggregated column	srcaddr

9. Click Add to new dashboard and configure the following:

   Setting	Value
   Operation	Select Create new dashboard.
   Layout mode	Select Grid layout.
   Dashboard name	Enter a name, for example, ECS_outbound_traffic_through_NAT_gateway.

10. Click Search & Analysis to view outbound traffic per ECS instance.

The chart visualizes bandwidth over time per source IP address. As shown in the following example, ECS03 (private IP 172.16.1.46) generates the highest traffic among the three instances.

With this data, you can identify overloaded instances and adjust bandwidth allocation to resolve the bottleneck.

What's next

• Flow Log overview — field reference for VPC flow logs

• Querying and analyzing logs — advanced query and analysis techniques

• Common errors in querying and analyzing logs — troubleshooting guide for log query errors