Network Intelligence Service: VPC traffic analysis

Last Updated: Nov 14, 2025

After you enable traffic analysis for VPC flow logs, NIS Traffic Analyzer automatically analyzes VPC traffic and generates traffic analysis charts. These charts help you monitor VPC network usage and health in real time. You can view VPC bandwidth, packet rate, top N traffic, and traffic between your VPC and the internet for a specific time range. The traffic analysis charts also help you observe, optimize, and maintain your network. For example, you can use the charts to quickly identify high-traffic ECS instances, abnormal Internet traffic, and access records from intrusive IP addresses.

Filter traffic

By default, NIS Traffic Analyzer analyzes all collected traffic in the selected region from the last hour. To focus the analysis, specify the resource region, resource scope, time range, traffic direction, and traffic aggregation dimension.

  • The selectable time range is limited by the storage duration of NIS Traffic Analyzer.

  • Whether you can view 1-tuple, 2-tuple, or 5-tuple traffic analysis data depends on the traffic aggregation dimension of NIS Traffic Analyzer.

  • When you specify the resource scope, you can filter traffic by different resource levels, dimensions, and scenarios based on the traffic aggregation dimension.

    | Traffic aggregation dimension | Supported filter conditions (you can select multiple conditions) | Description |
    | --- | --- | --- |
    | 1-tuple | VPC, vSwitch, ENI, ECS, Cloud IP | If you select VPC, traffic from all VPCs is filtered by default. If you enter a specific VPC ID, only traffic from that VPC is filtered. The other filter conditions are similar to the VPC filter. When you use the traffic path and network protocol filter conditions, you can filter traffic for specific scenarios or network protocols. Note: The supported network protocols are subject to what is displayed in the console. |
    | 2-tuple | VPC, vSwitch, ENI, ECS, Source IP, Destination IP, Traffic Path, Client Country, Client City, Client ASN, Client Carrier. Note: Client Country, Client City, Client ASN, and Client Carrier are available only when you view Internet traffic. | |
    | 5-tuple | VPC, vSwitch, ENI, ECS, Source IP, Destination IP, Traffic Path, Source Port, Destination Port, Network Protocol, Client Country, Client City, Client ASN, Client Carrier | |

    Supported traffic paths:

    | Traffic Path | Description |
    | --- | --- |
    | All scenarios | Analyzes traffic in all scenarios. |
    | VPC private network traffic, System route | Analyzes VPC private network traffic forwarded by system routes. |
    | VPC private network traffic, Access ECS (custom route) | Analyzes VPC private network traffic that is forwarded by custom routes where the next hop is an ECS instance. |
    | VPC private network traffic, Access ENI (custom route) | Analyzes VPC private network traffic that is forwarded by custom routes where the next hop is an ENI. |
    | High-availability virtual IP traffic | Analyzes traffic that passes through a high-availability virtual IP address (HaVip). |
    | Intra-region Alibaba Cloud service traffic | Analyzes traffic to Alibaba Cloud services in the same region (100.64.0.0/10). |
    | Gateway endpoint traffic | Analyzes traffic that passes through a gateway endpoint. |
    | NAT Gateway traffic | Analyzes traffic that passes through a NAT Gateway. |
    | Transit Router (Enterprise Edition) traffic | Analyzes traffic that passes through a Transit Router (Enterprise Edition). |
    | VPN Gateway traffic | Analyzes traffic that passes through a VPN Gateway. |
    | Virtual Border Router (VBR) uplink traffic | Analyzes traffic that accesses an Express Connect circuit through a virtual border router (VBR). |
    | Internet traffic, IPv4 gateway | Analyzes traffic that accesses the internet through an IPv4 gateway. |
    | Internet traffic, IPv6 gateway | Analyzes traffic that accesses the internet through an IPv6 gateway. |
    | Internet traffic, Direct access through EIP | Analyzes traffic that accesses the internet through an EIP. |
    | VPC peering connection traffic | Analyzes traffic that passes through a VPC peering connection. |
    | Transit Router (Basic Edition) traffic, Intra-region VPC access | Analyzes traffic that accesses a VPC in the same region through a Transit Router (Basic Edition). |
    | Transit Router (Basic Edition) traffic, Inter-region VPC access | Analyzes traffic that accesses a VPC in a different region through a Transit Router (Basic Edition). |
    | Transit Router (Basic Edition) traffic, Intra-region VBR access | Analyzes traffic that accesses a VBR in the same region through a Transit Router (Basic Edition). |
    | Transit Router (Basic Edition) traffic, Inter-region VBR access | Analyzes traffic that accesses a VBR in a different region through a Transit Router (Basic Edition). |
    | Transit Router (Basic Edition) traffic, Other | Analyzes traffic in other scenarios that passes through a Transit Router (Basic Edition). For example, this includes traffic that accesses Alibaba Cloud services across regions or a Cloud Connect Network (CCN). |
    | Express Connect Router (ECR) traffic | Analyzes traffic that passes through an ECR. |
    | Gateway Load Balancer endpoint traffic | Analyzes traffic that passes through a GWLB endpoint. |
    | Other traffic | Analyzes other traffic. |

View all traffic analysis charts

The following two pages display analysis data for all traffic, including Internet traffic, for a specified VPC resource or scenario.

  • The Traffic Distribution page displays analysis data for allowed traffic only.

  • The Access Control Block Analysis page displays analysis data only for traffic that is blocked by access control rules, such as traffic denied by network ACLs or security group rules.

View traffic distribution

  1. Log on to the NIS console.

  2. In the navigation pane on the left, choose NIS Traffic Analyzer.

  3. On the NIS Traffic Analyzer page, click the ID of the target traffic analyzer.

  4. In the navigation pane on the left of the traffic analyzer's product page, choose VPC Traffic > All Traffic > Traffic Distribution. Specify the filter conditions to view the corresponding traffic trend chart and the Top N Traffic Analysis table.

    Chart

    Description

    Traffic Trend chart

    • Bandwidth: The traffic transmission rate of the resource during the current time range. Unit: bps.

    • Packet Rate: The packet transmission rate of the resource during the current time range. Unit: pps.

    • TCP RTT: The round-trip time for establishing a TCP connection during the current time range. Unit: ms.

    Top N Traffic Analysis

    After you select the 1-tuple, 2-tuple, or 5-tuple tab at the top of the page, the system automatically displays the corresponding Top N Traffic Analysis table:

    • 1-tuple: Displays the collection VPC ID, collection vSwitch ID, collection ENI ID, collection ECS ID, traffic path, traffic direction, destination IP (only for inbound traffic), source IP (only for outbound traffic), packets, TCP RTT (ms), traffic (bytes), and traffic percentage.

    • 2-tuple: Displays the source IP, destination IP, collection VPC ID, collection vSwitch ID, collection ENI ID, collection ECS ID, traffic path, traffic direction, packets, TCP RTT (ms), traffic (bytes), and traffic percentage.

    • 5-tuple: Displays the source IP, source port, protocol, destination IP, destination port, collection VPC ID, collection vSwitch ID, collection ENI ID, collection ECS ID, traffic path, traffic direction, packets, TCP RTT (ms), traffic (bytes), and traffic percentage.

    You can filter the top N traffic data by traffic aggregation dimension, traffic volume range (in bytes), and top N range.

    • View trend

      When viewing top N traffic, to understand the trend of a specific traffic flow, in the Traffic Observation > Trend Chart column, click View Trend. The system automatically displays the trend chart for that traffic flow within the current time range, including the Bandwidth, Packet Rate, and TCP RTT trend charts.

    • Drill down on traffic

      If the traffic analyzer supports multiple traffic aggregation dimensions, you can drill down on a specific traffic flow to view its details when viewing top N traffic. You can drill down from 1-tuple traffic to view the corresponding 2-tuple top N traffic information. You can drill down from 2-tuple traffic to view the corresponding 5-tuple top N traffic information.

View access control block analysis

  1. Log on to the NIS console.

  2. In the navigation pane on the left, choose NIS Traffic Analyzer.

  3. On the NIS Traffic Analyzer page, click the ID of the target traffic analyzer.

  4. In the navigation pane on the left of the traffic analyzer's product page, choose VPC Traffic > All Traffic > Access Control Block Analysis. Specify the filter conditions to view the corresponding blocked traffic trend chart and the blocked traffic details table.

    Chart

    Description

    Blocked Traffic Trend Chart

    • Bandwidth: The rate of blocked traffic during the current time range. Unit: bps.

    • Packet Rate: The rate of blocked packets during the current time range. Unit: pps.

    Blocked Traffic Details

    After you select the 1-tuple, 2-tuple, or 5-tuple tab at the top of the page, the system automatically displays the corresponding Top N Blocked Traffic Analysis table:

    • 1-tuple: Displays the collection VPC ID, collection vSwitch ID, collection ENI ID, collection ECS ID, traffic path, traffic direction, destination IP (only for inbound traffic), source IP (only for outbound traffic), packets, traffic (bytes), and traffic percentage.

    • 2-tuple: Displays the source IP, destination IP, collection VPC ID, collection vSwitch ID, collection ENI ID, collection ECS ID, traffic path, traffic direction, packets, traffic (bytes), and traffic percentage.

    • 5-tuple: Displays the source IP, source port, protocol, destination IP, destination port, collection VPC ID, collection vSwitch ID, collection ENI ID, collection ECS ID, traffic path, traffic direction, packets, traffic (bytes), and traffic percentage.

    You can filter the top N blocked traffic data by traffic aggregation dimension, traffic volume range (in bytes), and top N range.

    • View trend

      When viewing blocked traffic details, to understand the trend of a specific blocked traffic flow, in the Traffic Observation > Trend Chart column, click View Trend. The system automatically displays the trend chart for that blocked traffic flow within the current time range, including the Bandwidth and Packet Rate trend charts.

    • Drill down on traffic

      If the traffic analyzer supports multiple traffic aggregation dimensions, you can drill down on a specific blocked traffic flow to view its details when viewing blocked traffic details. You can drill down from 1-tuple blocked traffic to view the corresponding 2-tuple top N blocked traffic information. You can drill down from 2-tuple blocked traffic to view the corresponding 5-tuple top N blocked traffic information.
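The Top N ranking and drill-down described in the two sections above, as an added example (not Alibaba Cloud code): it ranks constructed inbound flow records blocked by access control at the 1-tuple, 2-tuple, and 5-tuple dimensions. The record fields, the DROP/ACCEPT action values, and the percentage denominator (bytes of the selected rows) are assumptions, not the NIS log schema.

```python
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src_ip src_port protocol dst_ip dst_port action nbytes")

# Constructed inbound sample records; this is not the NIS log schema.
FLOWS = [
    Flow("203.0.113.7", 40112, "TCP", "10.0.1.15", 22, "DROP", 5200),
    Flow("203.0.113.7", 40113, "TCP", "10.0.1.15", 22, "DROP", 4800),
    Flow("203.0.113.7", 51820, "TCP", "10.0.1.15", 3389, "DROP", 2000),
    Flow("198.51.100.9", 33001, "UDP", "10.0.1.15", 53, "DROP", 1000),
    Flow("192.0.2.44", 44000, "TCP", "10.0.2.20", 22, "DROP", 7000),
    Flow("198.51.100.9", 33002, "TCP", "10.0.2.20", 443, "ACCEPT", 90000),
]

# Fields that make up the key at each traffic aggregation dimension (inbound view).
DIMENSIONS = {
    1: ("dst_ip",),
    2: ("src_ip", "dst_ip"),
    5: ("src_ip", "src_port", "protocol", "dst_ip", "dst_port"),
}


def key_of(flow, dimension):
    """Project a flow record onto the key fields of the given dimension."""
    return tuple(getattr(flow, name) for name in DIMENSIONS[dimension])


def top_n(flows, dimension, n=3, action="DROP", parent=None):
    """Rank keys at `dimension` by bytes; returns [(key, bytes, percent)].

    `parent` is an optional (dimension, key) pair taken from a coarser table:
    only flows under that key are counted, which is the drill-down step.
    """
    selected = [f for f in flows if f.action == action]
    if parent is not None:
        parent_dim, parent_key = parent
        selected = [f for f in selected if key_of(f, parent_dim) == parent_key]
    totals = Counter()
    for f in selected:
        totals[key_of(f, dimension)] += f.nbytes
    grand_total = sum(totals.values())
    # An empty selection yields an empty table, so there is no division by zero.
    return [(key, nbytes, round(100 * nbytes / grand_total, 1))
            for key, nbytes in totals.most_common(n)]


if __name__ == "__main__":
    one = top_n(FLOWS, 1)                          # most-blocked destination IP
    two = top_n(FLOWS, 2, parent=(1, one[0][0]))   # sources blocked reaching it
    five = top_n(FLOWS, 5, parent=(2, two[0][0]))  # ports and protocols they tried
    for table in (one, two, five):
        print(table)
```

Passing action="ACCEPT" ranks the allowed traffic instead, which corresponds to the Traffic Distribution page rather than the block analysis page.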

View Internet traffic analysis charts

The following two pages display analysis data for Internet traffic of a specified VPC resource or scenario.

  • The Internet Traffic Distribution page displays analysis data for allowed Internet traffic only.

  • The Internet Access Control Block Analysis page displays analysis data only for Internet traffic that is blocked by access control rules, such as Internet traffic denied by network ACLs or security group rules.

View Internet traffic distribution

  1. Log on to the NIS console.

  2. In the navigation pane on the left, choose NIS Traffic Analyzer.

  3. On the NIS Traffic Analyzer page, click the ID of the target traffic analyzer.

  4. In the navigation pane on the left of the traffic analyzer's product page, choose VPC Traffic > Internet Traffic > Internet Traffic Distribution. Specify the filter conditions to view the corresponding Internet traffic trend chart, the Top N Internet Traffic Analysis table, and the traffic map. The traffic map is available only on the 2-tuple page.

    Chart

    Description

    Traffic Trend chart

    • Bandwidth: The Internet traffic transmission rate of the resource during the current time range. Unit: bps.

    • Packet Rate: The Internet packet transmission rate of the resource during the current time range. Unit: pps.

    • TCP RTT: The round-trip time for establishing a TCP connection during the current time range. Unit: ms.

    • Top Peer IPs Accessing Alibaba Cloud: The top N public IP addresses that accessed Alibaba Cloud during the current time range.

    Important

    The Internet Region Coverage and Top Peer IPs Accessing Alibaba Cloud statistics are displayed only on the 2-tuple page.

    Top N Traffic Analysis

    After you select the 1-tuple, 2-tuple, or 5-tuple tab at the top of the page, the system automatically displays the corresponding Top N Internet Traffic Analysis table:

    • 1-tuple: Displays the Alibaba Cloud VPC ID, Alibaba Cloud vSwitch ID, Alibaba Cloud ENI ID, Alibaba Cloud ECS ID, traffic path, traffic direction, destination IP (only for inbound traffic), source IP (only for outbound traffic), packets, TCP RTT (ms), traffic (bytes), and traffic percentage.

    • 2-tuple: Displays the city, country, carrier, ASN, source IP, destination IP, Alibaba Cloud VPC ID, Alibaba Cloud vSwitch ID, Alibaba Cloud ENI ID, Alibaba Cloud ECS ID, traffic path, traffic direction, packets, TCP RTT (ms), traffic (bytes), and traffic percentage.

    • 5-tuple: Displays the city, country, carrier, ASN, source IP, source port, protocol, destination IP, destination port, Alibaba Cloud VPC ID, Alibaba Cloud vSwitch ID, Alibaba Cloud ENI ID, Alibaba Cloud ECS ID, traffic path, traffic direction, packets, TCP RTT (ms), traffic (bytes), and traffic percentage.

    You can filter the top N Internet traffic data by traffic aggregation dimension, traffic volume range (in bytes), and top N range.

    • View trend

      When viewing top N Internet traffic, to understand the trend of a specific Internet traffic flow, in the Traffic Observation > Trend Chart column, click View Trend. The system automatically displays the trend chart for that Internet traffic flow within the current time range, including the Bandwidth, Packet Rate, and TCP RTT trend charts.

    • Drill down on traffic

      If the traffic analyzer supports multiple traffic aggregation dimensions, you can drill down on a specific Internet traffic flow to view its details when viewing top N Internet traffic. You can drill down from 1-tuple traffic to view the corresponding 2-tuple top N traffic information. You can drill down from 2-tuple traffic to view the corresponding 5-tuple top N traffic information.

    Traffic Map

    The 2-tuple page displays a traffic map. You can view the following two types of Internet traffic data:

    • RTT: The round-trip time (RTT) of Internet traffic in the current region during the current time range. Unit: ms.

    • Traffic: The volume of Internet traffic (in bytes) between each country and the VPC resources during the current time range. Unit: Byte.

View Internet access control block analysis

  1. Log on to the NIS console.

  2. In the navigation pane on the left, choose NIS Traffic Analyzer.

  3. On the NIS Traffic Analyzer page, click the ID of the target traffic analyzer.

  4. In the navigation pane on the left of the traffic analyzer's product page, choose VPC Traffic > Internet Traffic > Internet Access Control Block Analysis. Specify the filter conditions to view the corresponding blocked traffic trend chart and the blocked traffic details table.

    Chart

    Description

    Blocked Traffic Trend chart

    • Bandwidth: The rate of blocked Internet traffic during the current time range. Unit: bps.

    • Packet Rate: The rate of blocked Internet packets during the current time range. Unit: pps.

    Blocked Traffic Details

    After you select the 1-tuple, 2-tuple, or 5-tuple tab at the top of the page, the system automatically displays the corresponding Top N Blocked Traffic Analysis table:

    • 1-tuple: Displays the Alibaba Cloud VPC ID, Alibaba Cloud vSwitch ID, Alibaba Cloud ENI ID, Alibaba Cloud ECS ID, traffic path, traffic direction, destination IP (only for inbound traffic), source IP (only for outbound traffic), packets, traffic (bytes), and traffic percentage.

    • 2-tuple: Displays the city, country, carrier, ASN, source IP, destination IP, Alibaba Cloud VPC ID, Alibaba Cloud vSwitch ID, Alibaba Cloud ENI ID, Alibaba Cloud ECS ID, traffic path, traffic direction, packets, traffic (bytes), and traffic percentage.

    • 5-tuple: Displays the city, country, carrier, ASN, source IP, source port, protocol, destination IP, destination port, Alibaba Cloud VPC ID, Alibaba Cloud vSwitch ID, Alibaba Cloud ENI ID, Alibaba Cloud ECS ID, traffic path, traffic direction, packets, traffic (bytes), and traffic percentage.

    You can filter the top N blocked traffic data by traffic aggregation dimension, traffic volume range (in bytes), and top N range.

    • View trend

      When viewing blocked traffic details, to understand the trend of a specific blocked traffic flow, in the Traffic Observation > Trend Chart column, click View Trend. The system automatically displays the trend chart for that blocked traffic flow within the current time range, including the Bandwidth and Packet Rate trend charts.

    • Drill down on traffic

      If the traffic analyzer supports multiple traffic aggregation dimensions, you can drill down on a specific blocked traffic flow to view its details when viewing blocked traffic details. You can drill down from 1-tuple traffic to view the corresponding 2-tuple top N traffic information. You can drill down from 2-tuple traffic to view the corresponding 5-tuple top N traffic information.

Limits

A single query can scan a maximum of 10 million raw logs. If this limit is exceeded, the system returns a QuotaExceeded.CheckRowReadLimit error. You can optimize your query to reduce the number of scanned logs in the following ways:

  • Shorten the query time range: Focus on the period when the service traffic occurred to narrow the query scope. A longer time span requires more logs to be scanned.

  • Optimize the traffic scope of the query: Filter and analyze traffic based on specific service parameters to narrow the query scope. You can also first analyze the target traffic range in the 2-tuple view and then drill down to the 5-tuple view for a more detailed analysis.