This topic describes how to use flow logs to locate high-traffic Elastic Compute Service (ECS) instances that use SNAT to access the Internet.
Prerequisites
In this example, a virtual private cloud (VPC) is created in the China (Hohhot) region and a vSwitch is created in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
Three ECS instances are created in the vSwitch. For more information, see Create an instance by using the wizard.
Background information
The following scenario is used in this topic. Multiple ECS instances that belong to the same vSwitch in a VPC access the Internet by using the SNAT feature of an Internet NAT gateway. The task is to locate ECS instances that send large amounts of network traffic.
Procedure
Step 1: Create an Internet NAT gateway
- Log on to the NAT Gateway console.
- On the Internet NAT Gateway page, click Create NAT Gateway.
When you create an Internet NAT gateway for the first time, click Create in the Notes on Creating Service-linked Roles section of the buy page to create a service-linked role. After the service-linked role is created, you can create Internet NAT gateways.
For more information, see Service-linked roles.
- On the buy page, set the following parameters and click Buy Now.
Billing Method: By default, Pay-As-You-Go is selected. You can pay for resources after you use them. For more information, see Billing of Internet NAT gateways.
Resource Group: Select the resource group to which the virtual private cloud (VPC) belongs. For more information, see Resource group overview.
Tags:
  Tag Key: Select or enter a tag key. You can specify at most 20 tag keys. A tag key can be up to 128 characters in length. It cannot start with aliyun or acs:, and cannot contain http:// or https://.
  Tag Value: Select or enter a tag value. You can specify at most 20 tag values. A tag value can be up to 128 characters in length. It cannot start with aliyun or acs:, and cannot contain http:// or https://.
Region: Select the region where you want to create the Internet NAT gateway.
VPC: Select the VPC where you want to create the Internet NAT gateway. After the Internet NAT gateway is created, you cannot change the VPC to which the Internet NAT gateway belongs.
Associate vSwitch: Select the vSwitch to which the Internet NAT gateway belongs.
Metering Method: By default, Pay-By-CU is selected. You are charged based on the resources that you use. For more information, see Billing of Internet NAT gateways.
Billing Cycle: By default, By Hour is selected. Bills are generated on an hourly basis. If you use an Internet NAT gateway for less than 1 hour, the usage duration is rounded up to 1 hour.
Instance Name: Enter a name for the Internet NAT gateway. The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). The name must start with a letter.
Access Mode: Select the mode in which you want to create the Internet NAT gateway. The following modes are supported:
  SNAT for All VPC Resources: If you select this value, the Internet NAT gateway is created in unified access mode. After the Internet NAT gateway is created, all resources in the VPC can access the Internet by using the SNAT feature of the NAT gateway. If you select SNAT for All VPC Resources, you must also specify an elastic IP address (EIP).
  Configure Later: If you select this option, you can configure the Internet NAT gateway in the console after you complete the payment. If you select Configure Later, only the Internet NAT gateway is created. No SNAT entry is created.
In this example, Configure Later is selected.
- On the Confirm page, confirm the information, select the Terms of Service check box, and then click Confirm.
When the Purchased message appears, the Internet NAT gateway is created.
Step 2: Create an elastic IP address (EIP) and associate it with the NAT gateway
On the Internet NAT Gateway page, find the NAT gateway that you created in Step 1. You can use one of the following methods to associate an EIP with the NAT gateway:
Click Associate Now in the EIP column.
Choose ... in the Actions column.
In the Associate EIP dialog box, set the following parameters and click OK.
Resource Group: Select the resource group to which the EIP belongs.
Select EIP: Select the EIP that you want to associate with the NAT gateway.
Purchase and Associate EIP is selected in this example. The system automatically creates a pay-by-data-transfer EIP and associates the EIP with the NAT gateway.
After you associate an EIP with the NAT gateway, the EIP appears in the Elastic IP Address column.
Step 3: Create an SNAT entry
On the Internet NAT Gateway page, find the NAT gateway that you created in Step 1 and click Configure SNAT in the Actions column.
On the SNAT Management tab, click Create SNAT Entry.
On the Create SNAT Entry page, set the following parameters and click OK.
SNAT Entry: Specify the scope to which the SNAT entry applies. In this example, Specify vSwitch is selected.
Select vSwitch: Select a vSwitch from the drop-down list. If no vSwitch is available in the drop-down list, click Create vSwitch from the drop-down list. Then, you can log on to the VPC console to create a vSwitch.
Note: If you select multiple vSwitches, the system creates multiple SNAT entries that use the same EIP.
In this example, the created vSwitch is selected.
vSwitch CIDR Block: displays the CIDR block of the vSwitch.
Select Public IP Address: Select the EIP that is used to access the Internet. In this example, Use Single IP is selected and the EIP created in Step 2 is used.
Entry Name: Enter a name for the SNAT entry.
After you configure the SNAT entry, you can log on to your ECS instance to access the Internet.
Step 4: Create a flow log
Before you create a flow log, you must log on to the Simple Log Service (SLS) product page to activate SLS.
- Log on to the VPC console.
- In the left-side navigation pane, choose .
In the top navigation bar, select China (Hohhot).
On the Flow Log page, click Create a flow log.
In the Create a flow log dialog box, set the following parameters and click OK.
Name: Enter a name for the flow log. In this example, Locate_High_Traffic_ECS is used.
Resource Type: Select the type of resource whose traffic you want to capture, and then select the resource. In this example, vSwitch is selected.
Data Transfer Type: Select the type of traffic data that you want to capture. In this example, All Traffic is selected.
Project: Select the project that is used to store the captured traffic. In this example, Create Project is selected.
Logstore: Select the Logstore that is used to store the captured traffic. In this example, Create Logstore is selected.
Enable Log Analysis Report: After you enable this feature, SLS indexing is enabled and a dashboard is created for the Logstore. Then, you can consume the log data by using SQL queries and analyze the log data in the dashboard. SLS dashboards are free of charge. However, SLS indexing is billed based on data usage. For more information, see SLS billing. In this example, this feature is enabled.
Sampling Interval (Minutes): Select the time interval at which data is collected. Valid values: 1, 5, and 10. In this example, the sampling interval is 10 minutes.
Description: Enter a description for the flow log.
Step 5: Query the flow log
- Log on to the VPC console.
- In the left-side navigation pane, choose .
In the top navigation bar, select China (Hohhot).
On the Flow Log page, find the flow log and click the name of the Logstore in the Simple Log Service column.
You can perform the steps shown in the following figure to analyze the traffic of the ECS instances that use SNAT to access the Internet.
1. Enter the following SQL statement to aggregate and sort the flow log and filter the chart so that it displays the ECS instances that send a large amount of traffic to a specific public IP address.
dstaddr: "X.X.X.X" and action: ACCEPT and srcaddr: 10.0.0.* | select date_format(from_unixtime(__time__ - __time__% 60), '%H:%i:%S') as time, srcaddr,sum(bytes*8/(case WHEN "end"-start=0 THEN 1 else "end"-start end)) as bandwidth group by time,srcaddr order by time asc limit 1000
The SQL statement returns three columns: time, bandwidth (bit/s), and srcaddr (source address). The results are grouped by time and srcaddr, sorted in ascending order of time, and limited to 1,000 rows. The following list describes the parameters:
dstaddr: the public IP address
srcaddr: the private CIDR block
Set other parameters to the values shown in this example.
Note: Enter the following SQL statement to filter the chart so that it displays traffic from a specific public IP address to ECS instances.
srcaddr: "X.X.X.X" and action: ACCEPT and dstaddr: 10.0.0.* | select date_format(from_unixtime(__time__ - __time__% 60), '%H:%i:%S') as time, dstaddr,sum(bytes*8/(case WHEN "end"-start=0 THEN 1 else "end"-start end)) as bandwidth group by time,dstaddr order by time asc limit 1000
srcaddr: the public IP address
dstaddr: the private IP address
Set Aggregate Column to dstaddr when you generate the chart.
Enter the following SQL statement to filter the chart that displays traffic from ECS instances to all public IP addresses.
srcaddr: 10.0.0.* and action: ACCEPT | select date_format(from_unixtime(__time__ - __time__% 60), '%H:%i:%S') as time, srcaddr,sum(bytes*8/(case WHEN "end"-start=0 THEN 1 else "end"-start end)) as bandwidth from log where ip_to_domain(dstaddr)!='intranet' group by time,srcaddr order by time asc limit 1000
srcaddr: the private IP address
dstaddr: the public IP address
Set Aggregate Column to srcaddr when you generate the chart.
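The three queries above all compute the same thing: per-minute bandwidth per ECS address, using bytes*8 divided by the flow duration (clamped to 1 second). The following Python, added here as an illustration and not part of the Alibaba Cloud documentation, reproduces that aggregation over constructed flow log records so you can check what the chart will show; the field names follow the SQL, the sample records and the 198.51.100.7 public IP are made up, and the is_intranet helper is an assumed stand-in for the SLS ip_to_domain() function.

```python
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample flow log records (not real captures). Field names follow the
# page's SQL: srcaddr, dstaddr, action, bytes, start, end, and the SLS __time__ field.
SAMPLE_FLOWS = [
    {"__time__": 1700000000, "srcaddr": "10.0.0.11", "dstaddr": "198.51.100.7", "action": "ACCEPT", "bytes": 1_200_000, "start": 1700000000, "end": 1700000010},
    {"__time__": 1700000020, "srcaddr": "10.0.0.12", "dstaddr": "198.51.100.7", "action": "ACCEPT", "bytes": 50_000, "start": 1700000020, "end": 1700000020},
    {"__time__": 1700000030, "srcaddr": "10.0.0.11", "dstaddr": "198.51.100.7", "action": "REJECT", "bytes": 900_000, "start": 1700000030, "end": 1700000031},
    {"__time__": 1700000015, "srcaddr": "10.0.0.11", "dstaddr": "10.0.0.12", "action": "ACCEPT", "bytes": 5_000_000, "start": 1700000015, "end": 1700000020},
    {"__time__": 1700000040, "srcaddr": "198.51.100.7", "dstaddr": "10.0.0.12", "action": "ACCEPT", "bytes": 100_000, "start": 1700000040, "end": 1700000042},
    {"__time__": 1700000070, "srcaddr": "10.0.0.11", "dstaddr": "198.51.100.7", "action": "ACCEPT", "bytes": 6_000_000, "start": 1700000070, "end": 1700000130},
]
ECS_NET = ip_network("10.0.0.0/24")  # the page's "srcaddr: 10.0.0.*" filter
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_intranet(ip):
    """Assumed stand-in for SLS ip_to_domain(ip) = 'intranet': RFC 1918 addresses only."""
    return any(ip_address(ip) in net for net in RFC1918)

def per_minute_bandwidth(flows, public_ip=None, direction="outbound"):
    """Mirror the page's SQL: keep ACCEPT flows between a 10.0.0.* ECS address and the
    Internet, bucket them by minute, and sum bytes*8/duration (bit/s) per ECS address."""
    totals = defaultdict(float)
    for f in flows:
        if f["action"] != "ACCEPT":
            continue
        ecs, remote = (f["srcaddr"], f["dstaddr"]) if direction == "outbound" else (f["dstaddr"], f["srcaddr"])
        if ip_address(ecs) not in ECS_NET:
            continue
        if public_ip is not None and remote != public_ip:  # queries 1 and 2: one public IP
            continue
        if public_ip is None and is_intranet(remote):       # query 3: any non-intranet peer
            continue
        duration = (f["end"] - f["start"]) or 1             # CASE WHEN "end"-start=0 THEN 1
        minute = f["__time__"] - f["__time__"] % 60         # from_unixtime(__time__ - __time__ % 60)
        totals[(minute, ecs)] += f["bytes"] * 8 / duration
    rows = [(datetime.fromtimestamp(m, timezone.utc).strftime("%H:%M:%S"), ecs, bw)
            for (m, ecs), bw in totals.items()]
    return sorted(rows)[:1000]                              # ORDER BY time ASC LIMIT 1000

def top_talkers(rows):
    """Rank ECS addresses by their peak per-minute bandwidth, the spike the chart reveals."""
    peak = defaultdict(float)
    for _, ecs, bw in rows:
        peak[ecs] = max(peak[ecs], bw)
    return sorted(peak.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for row in per_minute_bandwidth(SAMPLE_FLOWS, public_ip="198.51.100.7"):
        print(row)
    print(top_talkers(per_minute_bandwidth(SAMPLE_FLOWS)))
```

Note that the REJECT flow and the ECS-to-ECS flow are dropped by the same filters the SQL applies, so a chatty instance that only talks inside the VPC does not show up as a high-traffic Internet client.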
2. Select the time period that you want to query.
3. Click the Graph tab and click to select a chart type.
4. In the Common Settings section, set the following parameters:
Axis X Field: Set the value to time.
Axis Y Field: Set the value to bandwidth.
Aggregate Column: Set the value to srcaddr.
Format: Set the value to bps, Kbps, Mbps.
Keep the default values for other parameters.
5. Click Add to New Dashboard and set the following parameters in the dialog box that appears:
Operation: Create Dashboard is used in this example.
Layout Mode: Grid Layout is used in this example.
Dashboard Name: Enter a name for the dashboard. In this example, ECS_outbound_traffic through_NAT_gateway is used.
You can view information about the flow log on the dashboard.
6. Click Search & Analyze to view the traffic that is generated when each ECS instance accesses the Internet and locate the ECS instances that have large amounts of outbound traffic.