Overview of flow logs - Virtual Private Cloud - Alibaba Cloud Documentation Center

Virtual Private Cloud (VPC) provides the flow log feature to record information about inbound and outbound traffic of an elastic network interface (ENI). You can use the flow log feature to check access control list (ACL) rules, monitor network traffic, and troubleshoot network errors.

Feature release and supported regions

If it is your first time using the flow log feature, you must first click Enable Log Service in the VPC console to enable the flow log feature.

Note If you have created flow logs, the flow logs are displayed after you click Enable Log Service.

The following table describes the regions that support the flow log feature.


Area	Region
Asia Pacific	China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), China (Fuzhou - Local Region), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), South Korea (Seoul), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), and India (Mumbai)
Europe & Americas	Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia)
Middle East	UAE (Dubai)

Description

Flow logs can capture information about network traffic of a specified ENI, VPC, or vSwitch. After you enable the flow log feature for a VPC or a vSwitch, traffic information about ENIs in the VPC or vSwitch is captured. Flow logs also capture traffic information about ENIs that are created after the flow log feature is enabled.

Note The flow logs created in the Log Service console are displayed in the flow log list in the VPC console. However, you cannot modify, start, stop, or delete the flow logs in the VPC console.

The traffic information captured by the flow log feature is written to Log Service as flow log entries. Each flow log entry includes a 5-tuple of a traffic flow captured within the capture window. The capture window is approximately 10 minutes. During the capture window, traffic information is captured and aggregated into a flow log entry.

The following table describes the fields of a flow log entry.


Field	Description
version	The version of the flow log.
vswitch-id	The ID of the vSwitch to which the ENI belongs.
vm-id	The ID of the Elastic Compute Service (ECS) instance with which the ENI is associated.
vpc-id	The ID of the VPC to which the ENI belongs.
account-id	The ID of the Alibaba Cloud account.
eni-id	The ID of the ENI.
srcaddr	The source IP address.
srcport	The source port.
dstaddr	The destination IP address.
dstport	The destination port.
protocol	The Internet Assigned Numbers Authority (IANA) protocol number of the traffic. For more information, see Protocol Numbers.
direction	The direction of the traffic. Valid values: in: inbound out: outbound
packets	The number of data packets.
bytes	The size of data packets.
start	The start time of the capture window.
end	The end time of the capture window.
log-status	The logging status of the flow log. Valid values: OK: Data is being recorded as expected. NODATA: No inbound or outbound traffic was transmitted through the ENI during the capture window. SKIPDATA: Some flow log records were skipped during the capture window.
action	The action that was performed on the traffic flow. Valid values: ACCEPT: The traffic flow was allowed by security groups or ACLs. REJECT: The traffic flow was rejected by security groups or ACLs.

Billing and pricing

For more information about the billing of flow logs, see Billing of flow logs.

Limits


Item	Limit	Adjustable
Maximum number of flow logs that can be created in each region	10	No quotas
ECS instance families that do not support flow logs	When you enable flow logs for a VPC or a vSwitch, ECS instances in the VPC or vSwitch do not support flow logs if they belong to the following instance families. Other ECS instances that meet the requirements support flow logs: ENIs that are associated with ECS instances of the following instance families do not support flow logs: ecs.c1, ecs.c2, ecs.c4, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4.	Upgrade the ECS instances that do not support flow logs. For more information, see Upgrade the instance types of subscription instances and Change the instance type of a pay-as-you-go instance.

Procedure

Activate Log Service
The traffic information captured by the flow log feature is stored in Log Service. You must activate Log Service before you create a flow log.
Optional. Create an AccessKey pair
If you want to write data by using an API or SDK, you must create an AccessKey pair. If you want to collect logs by using Logtail, you do not need to create an AccessKey pair.
Create a project
You must create a project in Log Service. For more information, see Create a project.
Create a Logstore
A Logstore is a collection of resources in a project. All data in a Logstore is retrieved from the same source. After you create a project, you must create a Logstore. For more information, see Create a Logstore.
Specify a resource from which traffic information is captured
Before you create a flow log, you must specify the resource from which traffic information is captured. You can capture traffic information from an ENI, VPC, or vSwitch. For more information, see Create an ENI, Create and manage a VPC, and Create and manage a vSwitch.
Create a flow log
You can create a flow log to capture information about inbound and outbound traffic of ENIs in a VPC. For more information, see Create and manage a flow log.
View flow logs
After you create a flow log, you can view the flow log. You can analyze inter-region data transmission, control data transfer costs, and troubleshoot network issues based on the captured traffic information.