
Virtual Private Cloud: Locate high-traffic ECS instances that use Internet NAT gateways

Last Updated: Sep 15, 2023

This topic describes how to use flow logs to locate high-traffic Elastic Compute Service (ECS) instances that use source NAT (SNAT) to access the Internet.

Prerequisites

Background information

The following scenario is used in this topic. Multiple ECS instances that belong to the same vSwitch in a VPC access the Internet by using the SNAT feature of an Internet NAT gateway. The task is to locate the ECS instances that send large amounts of network traffic.

(Figure: vSwitch flow log)

Procedure

(Figure: Configuration steps)

Step 1: Create an Internet NAT gateway

  1. Log on to the NAT Gateway console.
  2. On the Internet NAT Gateway page, click Create NAT Gateway.
  3. When you create an Internet NAT gateway for the first time, click Create in the Notes on Creating Service-linked Roles section of the buy page to create a service-linked role. After the service-linked role is created, you can create Internet NAT gateways.

    (Figure: Create role)

    For more information, see Service-linked roles.

  4. On the buy page, set the following parameters and click Buy Now.

    Parameter

    Description

    Billing Method

    By default, Pay-As-You-Go is selected. You can pay for resources after you use them. For more information, see Billing of Internet NAT gateways.

    Resource Group

    Select the resource group to which the virtual private cloud (VPC) belongs. For more information, see Resource group overview.

    Tags

    • Tag Key: Select or enter a tag key.

      You can specify at most 20 tag keys. A tag key can be up to 128 characters in length. It cannot start with aliyun or acs:, and cannot contain http:// or https://.

    • Tag Value: Select or enter a tag value.

      You can specify at most 20 tag values. A tag value can be up to 128 characters in length. It cannot start with aliyun or acs:, and cannot contain http:// or https://.

    Region

    Select the region where you want to create the Internet NAT gateway.

    VPC

    Select the VPC where you want to create the Internet NAT gateway. After the Internet NAT gateway is created, you cannot change the VPC to which the Internet NAT gateway belongs.

    Associate vSwitch

    Select the vSwitch to which the Internet NAT gateway belongs.

    Metering Method

    By default, Pay-By-CU is selected. You are charged based on the resources that you use. For more information, see Billing of Internet NAT gateways.

    Billing Cycle

    By default, By Hour is selected. Bills are generated on an hourly basis. If you use an Internet NAT gateway for less than 1 hour, the usage duration is rounded up to 1 hour.

    Instance Name

    Enter a name for the Internet NAT gateway.

    The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.

    Access Mode

    Select the mode in which you want to create the Internet NAT gateway. The following modes are supported:

    • SNAT for All VPC Resources: If you select this value, the Internet NAT gateway is created in unified access mode. After the Internet NAT gateway is created, all resources in the VPC can access the Internet by using the SNAT feature of the NAT gateway.

      If you select SNAT for All VPC Resources, you must also specify an elastic IP address (EIP).

    • Configure Later: If you select this option, you can configure the Internet NAT gateway in the console after you complete the payment.

      If you select Configure Later, only the Internet NAT gateway is created. No SNAT entry is created.

    In this example, Configure Later is selected.

  5. On the Confirm page, confirm the information, select the Terms of Service check box, and then click Confirm.

    When the Purchased message appears, the Internet NAT gateway is created.

Step 2: Create an elastic IP address (EIP) and associate it with the NAT gateway

  1. On the Internet NAT Gateway page, find the NAT gateway that you created in Step 1. You can use one of the following methods to associate an EIP with the NAT gateway:

    • Click Associate Now in the EIP column.

    • Choose the icon > Bind Elastic IP Address in the Actions column.

  2. In the Associate EIP dialog box, set the following parameters and click OK.

    • Resource Group: Select the resource group to which the EIP belongs.

    • Select EIP: Select the EIP that you want to associate with the NAT gateway.

      Purchase and Associate EIP is selected in this example. The system automatically creates a pay-by-data-transfer EIP and associates the EIP with the NAT gateway.

    After you associate an EIP with the NAT gateway, the EIP appears in the Elastic IP Address column.

Step 3: Create an SNAT entry

  1. On the Internet NAT Gateway page, find the NAT gateway that you created in Step 1 and click Configure SNAT in the Actions column.

  2. On the SNAT Management tab, click Create SNAT Entry.

  3. On the Create SNAT Entry page, set the following parameters and click OK.

    • SNAT Entry: Specify the scope to which the SNAT entry applies. In this example, Specify vSwitch is selected.

      • Select vSwitch: Select a vSwitch from the drop-down list. If no vSwitch is available in the drop-down list, click Create vSwitch from the drop-down list. Then, you can log on to the VPC console to create a vSwitch.

        Note

        If you select multiple vSwitches, the system creates multiple SNAT entries that use the same EIP.

        In this example, the created vSwitch is selected.

      • vSwitch CIDR Block: displays the CIDR block of the vSwitch.

    • Select Public IP Address: Select the EIP that is used to access the Internet. In this example, Use Single IP is selected and the EIP created in Step 2 is used.

    • Entry Name: Enter a name for the SNAT entry.

    After you configure the SNAT entry, you can log on to your ECS instance to access the Internet.

Step 4: Create a flow log

Before you create a flow log, you must log on to the Simple Log Service (SLS) product page to activate SLS.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose O&M and Monitoring > Flow Log.
  3. In the top navigation bar, select China (Hohhot).

  4. On the Flow Log page, click Create a flow log.

  5. In the Create a flow log dialog box, set the following parameters and click OK.

    • Name: Enter a name for the flow log. In this example, Locate_High_Traffic_ECS is used.

    • Resource Type: Select the type of resource whose traffic you want to capture, and then select the resource. In this example, vSwitch is selected.

    • Data Transfer Type: Select the type of traffic data that you want to capture. In this example, All Traffic is selected.

    • Project: Select the project that is used to store the captured traffic. In this example, Create Project is selected.

    • Logstore: Select the Logstore that is used to store the captured traffic. In this example, Create Logstore is selected.

    • Enable Log Analysis Report: After you enable this feature, SLS indexing is enabled and a dashboard is created for the Logstore. Then, you can consume the log data by using SQL queries and analyze the log data in the dashboard. SLS dashboards are free of charge. However, SLS indexing is billed based on data usage. For more information, see SLS billing. In this example, this feature is enabled.

    • Sampling Interval (Minutes): Select the time interval at which data is collected. Valid values: 1, 5, and 10. In this example, the sampling interval is 10 minutes.

    • Description: Enter a description for the flow log.

Step 5: Query the flow log

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose O&M and Monitoring > Flow Log.
  3. In the top navigation bar, select China (Hohhot).

  4. On the Flow Log page, find the flow log and click the name of the Logstore in the Simple Log Service column.

  5. You can perform the steps shown in the following figure to analyze the traffic of the ECS instances that use SNAT to access the Internet.

    (Figure: View flow logs)

    Number

    Description

    1

    Enter the following SQL statement to aggregate and sort the flow log entries and generate a chart of the ECS instances that send large amounts of traffic to a specific public IP address.

    dstaddr: "X.X.X.X" and action: ACCEPT and srcaddr: 10.0.0.* | select date_format(from_unixtime(__time__ - __time__% 60), '%H:%i:%S') as time, srcaddr,sum(bytes*8/(case WHEN "end"-start=0 THEN 1 else "end"-start end)) as bandwidth group by time,srcaddr order by time asc limit 1000

    The SQL statement returns the following columns: time, srcaddr (source address), and bandwidth (bit/s). The results are grouped by time and srcaddr and sorted in ascending order of time. At most 1,000 rows are returned. The following section describes the parameters that you must set:

    • dstaddr: the public IP address

    • srcaddr: the private CIDR block

    • Keep the other parts of the statement as shown in this example.

    Note
    • Enter the following SQL statement to filter the chart that displays traffic from a specific public IP address to ECS instances.

      srcaddr: "X.X.X.X" and action: ACCEPT and dstaddr: 10.0.0.* | select date_format(from_unixtime(__time__ - __time__% 60), '%H:%i:%S') as time, dstaddr,sum(bytes*8/(case WHEN "end"-start=0 THEN 1 else "end"-start end)) as bandwidth group by time,dstaddr order by time asc limit 1000

      • srcaddr: the public IP address

      • dstaddr: the private IP address

      • Set Aggregate Column to dstaddr when you generate the chart.

    • Enter the following SQL statement to filter the chart that displays traffic from ECS instances to all public IP addresses.

      srcaddr: 10.0.0.* and action: ACCEPT | select date_format(from_unixtime(__time__ - __time__% 60), '%H:%i:%S') as time, srcaddr,sum(bytes*8/(case WHEN "end"-start=0 THEN 1 else "end"-start end)) as bandwidth from log where ip_to_domain(dstaddr)!='intranet' group by time,srcaddr order by time asc limit 1000

      • srcaddr: the private IP address

      • dstaddr: the public IP address

      • Set Aggregate Column to srcaddr when you generate the chart.

    2

    Select the time period that you want to query.

    3

    Click the Graph tab and click Flow Chart to select a chart type.

    4

    In the Common Settings section, set the following parameters:

    • Axis X Field: Set the value to time.

    • Axis Y Field: Set the value to bandwidth.

    • Aggregate Column: Set the value to srcaddr.

    • Format: Set the value to bps, Kbps, Mbps.

    Keep the default values for other parameters.

    5

    Click Add to New Dashboard and set the following parameters in the dialog box that appears:

    • Operation: Create Dashboard is used in this example.

    • Layout Mode: Grid Layout is used in this example.

    • Dashboard Name: Enter a name for the dashboard. In this example, ECS_outbound_traffic through_NAT_gateway is used.

    You can view information about the flow log on the dashboard.

    6

    Click Search & Analyze to view the traffic that is generated when each ECS instance accesses the Internet and locate the ECS instances that have large amounts of outbound traffic.