
Virtual Private Cloud:Flow logs

Last Updated:Mar 03, 2025

Virtual private clouds (VPCs) provide flow logs to record inbound and outbound traffic of an elastic network interface (ENI). Use this feature to monitor network performance, troubleshoot network errors, reduce traffic costs, and conduct security analysis.

Overview


You can create flow logs for specific ENIs, VPCs, or vSwitches. Flow logs for a VPC or vSwitch capture all the traffic of ENIs, including ENIs added after flow logs have been enabled.

Traffic information captured by flow logs is stored in Simple Log Service as flow log entries. Each entry records the 5-tuple of a flow (source IP address, source port, destination IP address, destination port, and protocol) together with the traffic observed for that flow during a fixed period, called a capture window. All packets of a flow that fall into the same capture window are aggregated into one flow log entry.
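To make the capture-window model concrete, here is an added Python example (not code from this page or from Alibaba Cloud) that aggregates constructed packet records into flow log entries keyed by 5-tuple, action and capture window, and counts how many entries the same traffic produces at the 1-, 5- and 10-minute sampling intervals the feature offers. The packet data, the entry field names and the treatment of the interval as an aligned fixed window are assumptions for illustration; the service's internal aggregation is not documented on this page.

```python
from collections import defaultdict

# Constructed packet records (not real traffic):
# (timestamp_seconds, srcaddr, srcport, dstaddr, dstport, protocol, bytes, action)
# Protocol numbers follow IANA (6 = TCP). Addresses come from private/documentation ranges.
PACKETS = [
    (0,   "10.0.1.10",   43210, "10.0.2.20", 443,   6, 1200, "accept"),
    (30,  "10.0.1.10",   43210, "10.0.2.20", 443,   6, 800,  "accept"),
    (90,  "10.0.2.20",   443,   "10.0.1.10", 43210, 6, 5000, "accept"),
    (400, "10.0.1.10",   43210, "10.0.2.20", 443,   6, 300,  "accept"),
    (410, "203.0.113.5", 51000, "10.0.1.10", 22,    6, 60,   "reject"),
    (415, "203.0.113.5", 51001, "10.0.1.10", 23,    6, 60,   "reject"),
    (590, "10.0.1.10",   43210, "10.0.2.20", 443,   6, 100,  "accept"),
]


def aggregate(packets, interval_minutes):
    """Aggregate packets into flow log entries.

    One entry is produced per (5-tuple, action) within each capture window.
    Windows are assumed to be aligned to multiples of the sampling interval;
    the field names mirror the common flow-log schema and are an assumption here.
    """
    window = interval_minutes * 60
    flows = {}
    for ts, src, sport, dst, dport, proto, nbytes, action in packets:
        start = ts - ts % window
        key = (src, sport, dst, dport, proto, action, start)
        entry = flows.get(key)
        if entry is None:
            entry = {
                "srcaddr": src, "srcport": sport,
                "dstaddr": dst, "dstport": dport,
                "protocol": proto, "action": action,
                "start": start, "end": start + window,
                "packets": 0, "bytes": 0,
            }
            flows[key] = entry
        entry["packets"] += 1
        entry["bytes"] += nbytes
    return sorted(flows.values(), key=lambda e: (e["start"], e["srcaddr"], e["srcport"]))


def entry_count(packets, interval_minutes):
    """Number of flow log entries the packets generate at a given sampling interval."""
    return len(aggregate(packets, interval_minutes))


if __name__ == "__main__":
    for minutes in (10, 5, 1):
        print(f"{minutes:2d}-minute interval -> {entry_count(PACKETS, minutes)} entries")
    for e in aggregate(PACKETS, 10):
        print(e)
```

With these seven packets the 10-minute interval yields 4 entries, the 5-minute interval 5 and the 1-minute interval 6: the same long-lived client connection is split into one entry per window it spans, which is why a shorter interval gives finer timing at the cost of more (billable) entries.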

Depending on your scenario, you can collect traffic only on specific paths to reduce flow log costs. The available sampling paths are:

  • All Scenarios

  • Traffic Through IPv4 Gateway

  • Traffic Through NAT Gateway

  • Traffic Through VPN Gateway

  • Traffic Through Transit Router

  • Traffic That Accesses Cloud Service Through Gateway Endpoint

  • Traffic That Accesses Express Connect Circuit Through VBR

  • Traffic Through an Express Connect Router (ECR)

  • Traffic Through a Gateway Load Balancer Endpoint

Scenarios

Network monitoring

By querying flow logs, you can:

  • monitor VPC throughput and performance

  • monitor traffic volumes and trends

  • troubleshoot network issues

  • verify that security group and network ACL rules allow and deny the traffic you expect

Cost reduction

By analyzing network transmission through flow logs, you can identify the following traffic and reduce transfer costs:

  • traffic from the VPC to other regions

  • traffic from the VPC to specific public IP addresses

  • traffic from the VPC to on-premises data centers (IDCs) and other cloud networks

  • ECS instances whose traffic surges

Security analysis

When an unexpected event occurs, you can get the following information by querying VPC flow logs:

  • every IP address that accessed your resources

  • inbound and outbound connections involving suspicious or known attacker IP addresses
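As an added example (not part of the original page), the Python below answers the two security questions above over a handful of constructed flow log entries: which source addresses had rejected inbound flows to many distinct destination ports (a port sweep stopped by the security group), and which addresses reached a given host at all, accepted or rejected. The whitespace-separated layout and the field names (srcaddr, dstaddr, action, direction, and so on) are assumptions for this example; check them against the fields in your own Logstore before reusing the parser.

```python
from collections import defaultdict

# Assumed field order for one whitespace-separated flow log entry.
FIELDS = ["srcaddr", "srcport", "dstaddr", "dstport", "protocol", "direction",
          "packets", "bytes", "action", "start", "end"]

# Constructed entries (not real data). 198.51.100.7 probes five ports on 10.0.1.10
# and is rejected each time; 203.0.113.9 is a legitimate HTTPS client.
# The last line is deliberately malformed to show that the parser skips it.
SAMPLE_ENTRIES = """\
198.51.100.7 50120 10.0.1.10 22 6 in 1 60 reject 1700000000 1700000600
198.51.100.7 50121 10.0.1.10 23 6 in 1 60 reject 1700000000 1700000600
198.51.100.7 50122 10.0.1.10 3389 6 in 1 60 reject 1700000000 1700000600
198.51.100.7 50123 10.0.1.10 445 6 in 1 60 reject 1700000000 1700000600
198.51.100.7 50124 10.0.1.10 8080 6 in 1 60 reject 1700000000 1700000600
203.0.113.9 44000 10.0.1.10 443 6 in 12 9000 accept 1700000000 1700000600
10.0.1.10 443 203.0.113.9 44000 6 out 10 250000 accept 1700000000 1700000600
10.0.1.11 51001 10.0.2.20 3306 6 out 300 5000000 accept 1700000000 1700000600
this line is not a flow log entry
"""


def parse(text):
    """Parse entries into dicts, converting numeric fields and skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or truncated line: ignore rather than crash
        entry = dict(zip(FIELDS, parts))
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            entry[key] = int(entry[key])
        entries.append(entry)
    return entries


def rejected_port_sweeps(entries, min_ports=5):
    """Sources whose rejected inbound flows touched at least min_ports distinct ports."""
    ports_by_src = defaultdict(set)
    for e in entries:
        if e["action"] == "reject" and e["direction"] == "in":
            ports_by_src[e["srcaddr"]].add(e["dstport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


def inbound_sources(entries, host):
    """Every source address seen in inbound flows to host, with accept/reject counts."""
    seen = defaultdict(lambda: {"accept": 0, "reject": 0})
    for e in entries:
        if e["direction"] == "in" and e["dstaddr"] == host:
            seen[e["srcaddr"]][e["action"]] += 1
    return dict(seen)


if __name__ == "__main__":
    entries = parse(SAMPLE_ENTRIES)
    print("port sweeps:", rejected_port_sweeps(entries))
    print("sources that reached 10.0.1.10:", inbound_sources(entries, "10.0.1.10"))
```

Note that the sweep is visible only because the flow log was created with Denied Traffic (or All Traffic) as the data transfer type; a flow log limited to allowed traffic would show just the accepted HTTPS session.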

Billing


Flow log generation is billed on a tiered pricing basis by the volume of logs generated monthly in each region. Every Alibaba Cloud account receives a free quota of 5 GB per month for each region. Log charges follow the billing policy of the Simple Log Service. For more information, see Billing of flow logs.

Limits

  • Feature limits

    If you are using the flow log feature for the first time, go to the Flow Log page and click Enable Now to activate it.

    Note

    If you have already created flow log instances, clicking Enable Now restores those instances on the Flow Log page.

  • Supported regions

    Asia Pacific - China: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), and China (Fuzhou - Local Region)

    Asia Pacific - Others: Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok)

    Europe & Americas: Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia)

    Middle East: UAE (Dubai) and SAU (Riyadh - Partner Region)

    Important

    The SAU (Riyadh - Partner Region) region is operated by a partner.

  • Quota limit

    Name/ID: vpc_quota_flowlog_inst_nums_per_user

    Description: Maximum number of flow logs that can be created by each account

    Default value: 10

    Adjustable: You can increase the quota by performing the following operations:

Manage flow logs

  1. Log on to the VPC console.

  2. In the left-side navigation pane, select O&M and Monitoring > Flow Log. From the top menu bar, set the region where you want to create a flow log.

Proceed with the following operations based on your requirements:

Create or delete flow logs

Create flow logs

Note

Ensure the following prerequisites have been met before creating a flow log:

  • If you have not used this feature before, click Authorize Now and then Confirm Authorization Policy. This authorization lets the VPC service deliver flow logs to Simple Log Service on your behalf.

  • Simple Log Service has been activated on the Simple Log Service product page.

  • Resources for log collection have been created, such as ENIs, VPCs, and vSwitches.

On the Flow Log page, click Create a flow log. In the Create a flow log dialog box, configure the following parameters:

  • Resource Type: Choose the resource type for which you want to collect traffic. Valid values: VPC, vSwitch, and ENI.

    Note

    When the resource type is VPC or vSwitch, you can see which ENIs are being collected by clicking View ENI Collection Scope in the Actions column on the Flow Log page.

  • Resource Instance: Choose the resource instance for which you want to collect traffic.

  • Data Transfer Type: Choose the type of traffic that you want to collect. Valid values: All Traffic, Allowed Traffic, and Denied Traffic.

  • IP Version: Currently, only IPv4 is supported.

  • Project: You can choose either Create Project or Select Project to store the collected traffic.

    Note

    If the Project or Logstore is deleted after the flow log is created, log delivery fails. The flow log stops in the backend but its status continues to show Delivery Succeeded, so the failure is silent. To restore delivery, recreate a Project or Logstore with the same name and restart the flow log.

  • Logstore: You can choose either Create Logstore or Select Logstore to store the collected traffic.

  • Enable Log Analysis Report: Enables indexing and creates a dashboard for a logstore. This lets you perform SQL statements and visualize data analysis.

    Indexing in Log Service is billed by data usage, while dashboards are provided at no additional cost. For more information, see Billable items.

  • Sampling Interval (Minutes): Specify the sampling interval. Available intervals are 1, 5, and 10 minutes, with the default set to 10 minutes. A shorter sampling interval results in more frequent and timely flow log generation, but also increases the number of log entries and overall cost of flow logs.

    Note
    • After a flow log is created, you can change the sampling interval on the Flow Log page by clicking Edit in the Sampling Interval (Minutes) column.

    • When multiple flow logs in a VPC collect traffic of the same ENI, the shortest sampling interval among those flow logs is applied to that ENI.

  • Sampling Path: Select the sampling path for the flow log. Available paths include All Scenarios, Traffic Through IPv4 Gateway, Traffic Through NAT Gateway, Traffic Through VPN Gateway, Traffic Through Transit Router, Traffic That Accesses Cloud Service Through Gateway Endpoint, and Traffic That Accesses Express Connect Circuit Through VBR. All Scenarios is selected by default.

    Note

    Sampling paths other than All Scenarios do not record traffic categorized as Denied Traffic. To record rejected traffic, set Data Transfer Type to Denied Traffic and Sampling Path to All Scenarios when you create the flow log.

Delete flow logs

Flow logs in the Started or Not Started state can be deleted. Deleting a flow log stops collection but does not delete the entries already delivered; they remain in the Logstore and can still be queried in the Simple Log Service console.

Analyze flow logs

By analyzing flow logs, you can check access control rules, monitor network traffic, and troubleshoot network issues.

Use Logstore

  1. On the Flow Log page, click the Logstore link in the Simple Log Service column.

  2. Use Simple Log Service features in the console to query and analyze flow logs.

Use Flow Log Center

  1. Log on to the Log Service Console.

  2. In the Log Application section, click View More Log Applications. In the Log Application dialog box, click Flow Log Center.

  3. On the Flow Log Management page, click Add. In the Create Instance panel, select the project and Logstore you configured when creating the flow log.

  4. After the instance is created, click the instance ID in the Flow Log Center. On the Flow Log Details page, you can view and analyze the data.

    Log Center

    You can find various dashboards and customize queries in the Monitoring Center.

    • Overview: Displays the status of flow logs.

    • Policy Statistics: Shows trends for accepted and rejected traffic and 5-tuple details of accepts and rejects, which include the source CIDR block, source port, protocol type, destination CIDR block, and destination port.

      • Accept: Traffic permitted by security groups and network ACLs.

      • Reject: Traffic blocked by security groups and network ACLs.

    • ENI Traffic: Displays inbound and outbound traffic details for ENIs.

    • Inter-ECS Traffic: Illustrates the traffic flow between ECS instances.

    • Custom Query: Lets you query and analyze flow logs.

  5. On the Flow Log Details page, click CIDR Block Settings and enable the Inter-Domain Analysis.

    When you enable the inter-domain analysis feature, the system automatically creates data transformation tasks, and generates VPC flow logs with CIDR blocks for you to analyze the traffic between CIDR blocks. Note that the data transformation feature incurs additional charges.

    With the following CIDR blocks predefined by Simple Log Service, you can enable the inter-domain analysis feature when necessary. If the predefined CIDR blocks do not meet your needs, add custom ones.


    Inter-Domain Analysis provides the following dashboards and custom query capabilities:

    • Inter-domain Traffic: Shows traffic patterns between different CIDR blocks.

    • ECS-to-Domain Traffic: Displays traffic from ECS instances to various destination CIDR blocks.

    • Threat Intelligence: Provides threat intelligence information for source and destination IP addresses.

    • Custom Query: Lets you query and analyze VPC flow logs.
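This added Python example (not code from the page or from Simple Log Service) shows the CIDR-block classification behind Inter-Domain Analysis, which is also what the cost-reduction scenario earlier on the page relies on: each address is mapped to a named domain by longest-prefix match over a list of CIDR blocks, unmatched addresses count as internet, and accepted bytes are summed per source/destination domain pair and per ECS address into one destination domain. The domain names, CIDR blocks and flow records are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed domains, modelled on the CIDR Block Settings the page describes.
# 10.0.9.0/24 deliberately overlaps 10.0.0.0/16 to show longest-prefix matching.
DOMAINS = [
    ("vpc-prod", "10.0.0.0/16"),
    ("vpc-prod-dmz", "10.0.9.0/24"),
    ("vpc-dev", "10.1.0.0/16"),
    ("idc", "192.168.0.0/16"),
]
DEFAULT_DOMAIN = "internet"

# Constructed flow records: (srcaddr, dstaddr, direction, bytes, action)
FLOWS = [
    ("10.0.1.10",    "10.0.2.20",    "out", 500_000_000, "accept"),
    ("10.0.1.10",    "10.1.3.4",     "out",  80_000_000, "accept"),
    ("10.0.1.11",    "192.168.5.5",  "out", 120_000_000, "accept"),
    ("10.0.1.11",    "203.0.113.50", "out", 250_000_000, "accept"),
    ("10.0.1.12",    "203.0.113.50", "out",  50_000_000, "accept"),
    ("203.0.113.9",  "10.0.1.10",    "in",        9_000, "accept"),
    ("198.51.100.7", "10.0.1.10",    "in",          300, "reject"),
]


def build_classifier(domains, default=DEFAULT_DOMAIN):
    """Return a function mapping an address to a domain name (longest prefix wins)."""
    nets = [(name, ipaddress.ip_network(cidr)) for name, cidr in domains]
    nets.sort(key=lambda item: item[1].prefixlen, reverse=True)

    def classify(addr):
        ip = ipaddress.ip_address(addr)
        for name, net in nets:
            if ip in net:
                return name
        return default

    return classify


def inter_domain_bytes(flows, classify):
    """Accepted bytes aggregated by (source domain, destination domain)."""
    totals = defaultdict(int)
    for src, dst, _direction, nbytes, action in flows:
        if action != "accept":
            continue  # rejected flows carry no transfer cost worth attributing
        totals[(classify(src), classify(dst))] += nbytes
    return dict(totals)


def ecs_to_domain_bytes(flows, classify, domain):
    """Outbound accepted bytes per source ECS address into one destination domain, largest first."""
    per_host = defaultdict(int)
    for src, dst, direction, nbytes, action in flows:
        if direction == "out" and action == "accept" and classify(dst) == domain:
            per_host[src] += nbytes
    return sorted(per_host.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    classify = build_classifier(DOMAINS)
    for pair, total in sorted(inter_domain_bytes(FLOWS, classify).items()):
        print(f"{pair[0]:>12} -> {pair[1]:<12} {total:>12,} bytes")
    print("top egress to internet:", ecs_to_domain_bytes(FLOWS, classify, "internet"))
```

The per-domain totals are what you would look at for the cost questions (VPC to internet, VPC to IDC, VPC to another VPC), and the per-host breakdown points at the ECS instance responsible for a surge.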

Start or stop flow logs

Start flow logs

You can start flow logs that are currently in the Not Started state to start gathering traffic data from ENIs.

Stop flow logs

To stop collecting traffic information from an ENI, stop the flow log. This does not delete the flow log or the entries already delivered. To resume collection, start the flow log again from the Not Started state. Once a flow log is stopped, log generation fees stop accruing.

FAQs

How long can VPC flow logs be retained?

VPC flow logs are delivered to Simple Log Service and are subject to the retention policy of the Logstore that receives them.

  • If you select Enable Log Analysis Report, the data retention period is automatically set to 7 days.

  • Otherwise, the default retention period for a Logstore created while creating the VPC flow log is 300 days. For an existing Logstore, check its retention period in the Simple Log Service console.

Adjust the retention period to match your investigation and compliance needs; 7 days is rarely enough to reconstruct an incident that is discovered late.

Where can I query network logs for Classified Protection of Information Security?

VPCs do not record traffic by default. To obtain these network logs, enable a VPC flow log: it records inbound and outbound traffic of ENIs, delivers the entries to Simple Log Service, and lets you monitor and audit the network.

If I only want to collect logs of a few ECS instances in a VPC, how do I create flow logs?

When creating a flow log, select Resource Type as ENI and create a separate flow log for each ENI associated with your ECS instances.
