Virtual Private Cloud (VPC) provides the flow log feature to record information about inbound and outbound traffic of an elastic network interface (ENI). You can use the flow log feature to check access control list (ACL) rules, monitor network traffic, and troubleshoot network errors.

Feature release and supported regions

If it is your first time using the flow log feature, you must first click Enable Log Service in the VPC console to enable the flow log feature.
Note: If you have already created flow logs, they are displayed after you click Enable Log Service.
The following table describes the regions that support the flow log feature.
| Area | Regions |
| --- | --- |
| Asia Pacific | China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), China (Fuzhou - Local Region), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), South Korea (Seoul), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), and India (Mumbai) |
| Europe & Americas | Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia) |
| Middle East | UAE (Dubai) |

Description

Flow logs can capture information about network traffic of a specified ENI, VPC, or vSwitch. After you enable the flow log feature for a VPC or a vSwitch, traffic information about ENIs in the VPC or vSwitch is captured. Flow logs also capture traffic information about ENIs that are created after the flow log feature is enabled.

Note: Flow logs created in the Log Service console are displayed in the flow log list in the VPC console. However, you cannot modify, start, stop, or delete those flow logs in the VPC console.

The traffic information captured by the flow log feature is written to Log Service as flow log entries. Each flow log entry describes one traffic flow, identified by its 5-tuple (source IP address, source port, destination IP address, destination port, and protocol), within a capture window. The capture window is approximately 10 minutes. During the capture window, traffic information is captured and aggregated into a flow log entry.

The following table describes the fields of a flow log entry.
| Field | Description |
| --- | --- |
| version | The version of the flow log. |
| vswitch-id | The ID of the vSwitch to which the ENI belongs. |
| vm-id | The ID of the Elastic Compute Service (ECS) instance with which the ENI is associated. |
| vpc-id | The ID of the VPC to which the ENI belongs. |
| account-id | The ID of the Alibaba Cloud account. |
| eni-id | The ID of the ENI. |
| srcaddr | The source IP address. |
| srcport | The source port. |
| dstaddr | The destination IP address. |
| dstport | The destination port. |
| protocol | The Internet Assigned Numbers Authority (IANA) protocol number of the traffic. For more information, see Protocol Numbers. |
| direction | The direction of the traffic. Valid values: in (inbound) and out (outbound). |
| packets | The number of data packets. |
| bytes | The size of the data packets. |
| start | The start time of the capture window. |
| end | The end time of the capture window. |
| log-status | The logging status of the flow log. Valid values: OK (data is being recorded as expected), NODATA (no inbound or outbound traffic was transmitted through the ENI during the capture window), and SKIPDATA (some flow log records were skipped during the capture window). |
| action | The action that was performed on the traffic flow. Valid values: ACCEPT (the traffic flow was allowed by security groups or ACLs) and REJECT (the traffic flow was rejected by security groups or ACLs). |
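The following Python example, added here and not part of the original documentation, shows how a defender might process a batch of flow log entries with the fields listed above: it counts inbound flows that security groups or ACLs rejected per destination port, flags sources rejected on several ports, and separates SKIPDATA windows whose totals are incomplete. The entries are constructed sample data keyed by the field names in the table; the record layout assumed for NODATA and SKIPDATA windows (a "-" placeholder in the traffic fields) and all IDs and addresses are assumptions of this example.

```python
from collections import Counter, defaultdict

def mk(eni, src, dst, dport, direction, action, status, packets, nbytes):
    """Build one constructed entry keyed by the field names in the table above."""
    return {"version": "1", "vswitch-id": "vsw-EXAMPLE", "vm-id": "i-EXAMPLE",
            "vpc-id": "vpc-EXAMPLE", "account-id": "ACCOUNT-EXAMPLE", "eni-id": eni,
            "srcaddr": src, "srcport": "51000", "dstaddr": dst, "dstport": dport,
            "protocol": "6", "direction": direction, "packets": packets, "bytes": nbytes,
            "start": "1700000000", "end": "1700000600", "log-status": status,
            "action": action}

# Constructed sample entries, one per capture window. Using "-" for the fields of a
# NODATA or SKIPDATA window is an assumption of this example, not a documented format.
SAMPLE_ENTRIES = [
    mk("eni-EXAMPLE1", "203.0.113.7", "10.0.2.10", "22", "in", "REJECT", "OK", "8", "640"),
    mk("eni-EXAMPLE1", "198.51.100.9", "10.0.2.10", "22", "in", "REJECT", "OK", "4", "320"),
    mk("eni-EXAMPLE1", "203.0.113.7", "10.0.2.10", "3389", "in", "REJECT", "OK", "3", "180"),
    mk("eni-EXAMPLE2", "192.0.2.44", "10.0.2.11", "443", "in", "ACCEPT", "OK", "120", "20480"),
    mk("eni-EXAMPLE2", "10.0.2.11", "10.0.0.2", "53", "out", "ACCEPT", "OK", "2", "512"),
    mk("eni-EXAMPLE3", "-", "-", "-", "-", "-", "NODATA", "-", "-"),
    mk("eni-EXAMPLE2", "-", "-", "-", "-", "-", "SKIPDATA", "-", "-"),
]

def _inbound_rejects(entries):
    """Only OK windows carry usable 5-tuples; NODATA and SKIPDATA windows are skipped."""
    return [e for e in entries
            if e["log-status"] == "OK" and e["direction"] == "in" and e["action"] == "REJECT"]

def rejected_by_dstport(entries):
    """Inbound flows blocked by security groups or ACLs, counted per destination port."""
    return Counter(e["dstport"] for e in _inbound_rejects(entries))

def multi_port_rejects(entries, min_ports=2):
    """Sources blocked on at least min_ports distinct destination ports within the batch."""
    ports = defaultdict(set)
    for e in _inbound_rejects(entries):
        ports[e["srcaddr"]].add(e["dstport"])
    return sorted(src for src, seen in ports.items() if len(seen) >= min_ports)

def incomplete_windows(entries):
    """ENIs that reported SKIPDATA: byte and packet totals for those windows are incomplete."""
    return sorted({e["eni-id"] for e in entries if e["log-status"] == "SKIPDATA"})

def bytes_by_eni(entries):
    """Sum the bytes field per ENI over windows that logged normally."""
    totals = defaultdict(int)
    for e in entries:
        if e["log-status"] == "OK":
            totals[e["eni-id"]] += int(e["bytes"])
    return dict(totals)
```

Because a window marked SKIPDATA may have dropped records, totals from it should be reported separately rather than mixed into per-ENI byte counts.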

Billing and pricing

For more information about the billing of flow logs, see Billing of flow logs.

Limits

| Item | Limit | Adjustable |
| --- | --- | --- |
| Maximum number of flow logs that can be created in each region | 10 | No |
| ECS instance families that do not support flow logs | When you enable flow logs for a VPC or a vSwitch, ENIs that are associated with ECS instances of the following instance families do not support flow logs; other ECS instances that meet the requirements support flow logs: ecs.c1, ecs.c2, ecs.c4, ecs.c5, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4. | Upgrade the ECS instances that do not support flow logs. For more information, see Upgrade the instance types of subscription instances and Change the instance type of a pay-as-you-go instance. |

Procedure

  1. Activate Log Service

    The traffic information captured by the flow log feature is stored in Log Service. You must activate Log Service before you create a flow log.

  2. (Optional) Create an AccessKey pair

    If you want to write data by using an API or SDK, you must create an AccessKey pair. If you want to collect logs by using Logtail, you do not need to create an AccessKey pair.

  3. Create a project

    You must create a project in Log Service. For more information, see Create a project.

  4. Create a Logstore

    A Logstore is a collection of resources in a project. All data in a Logstore is retrieved from the same source. After you create a project, you must create a Logstore. For more information, see Create a Logstore.

  5. Specify a resource from which traffic information is captured

    Before you create a flow log, you must specify the resource from which traffic information is captured. You can capture traffic information from an ENI, VPC, or vSwitch. For more information, see Create an ENI, Create and manage a VPC, and Create and manage a vSwitch.

  6. Create a flow log

    You can create a flow log to capture information about inbound and outbound traffic of ENIs in a VPC. For more information, see Create and manage a flow log.

  7. View flow logs

    After you create a flow log, you can view the flow log. You can analyze inter-region data transmission, control data transfer costs, and troubleshoot network issues based on the captured traffic information.