This topic describes how to view the traffic data of an Express Connect circuit in a hybrid cloud.
Background information
The following scenario is used in this topic. Application A and Application B belong to two departments of an enterprise in the China (Hangzhou) region. Application A and Application B use the same Express Connect circuit to communicate with the data center. The IT department wants to view the traffic data generated when the two applications communicate with the data center by using the Express Connect circuit.
Preparations
In the China (Hangzhou) region, the department of Application A uses Account-1 to deploy a virtual private cloud (VPC) named VPC-ApplicationA. The department of Application B uses Account-2 to deploy a VPC named VPC-ApplicationB. For more information, see Create and manage a VPC.
The following table describes how CIDR blocks are planned in this example. You can plan the CIDR blocks based on your business requirements. Make sure that the CIDR blocks do not overlap with each other.
Item
Account
CIDR block
Server or client IP address
Data center
N/A
10.1.1.0/24
Client IP: 10.1.1.1
VPC-ApplicationA
Account-1
192.168.20.0/24
Server IP address: 192.168.20.161
VPC-ApplicationB
Account-2
192.168.10.0/24
Server IP address: 192.168.10.161
VBR
Account-1
VLAN: 0
IPv4 CIDR block on the Alibaba Cloud side: 172.16.1.2/30
IPv4 CIDR block on the user side: 172.16.1.1/30
N/A
Before you create a flow log, you must log on to the Log Service product page to activate Simple Log Service.
Procedure
Step 1: Create an Express Connect circuit
You must apply for an Express Connect circuit in the China (Hangzhou) region. For more information, see Create and manage a dedicated connection over an Express Connect circuit or Overview of hosted connections.
In this example, Account-1 is used to create a dedicated Express Connect circuit named leasedline1.
Step 2: Create a virtual border router (VBR)
Use Account-1 to create a VBR for the Express Connect circuit and use the VBR to bridge the VPC and data center.
Log on to the Express Connect console.
In the left-side navigation pane, click Virtual Border Routers (VBRs).
In the top navigation bar, select the region where you want to create the VBR.
In this example, the China (Hangzhou) region is selected.
On the Virtual Border Routers (VBRs) page, click Create VBR.
In the Create VBR panel, set the following parameters and click OK:
Account: Select Current Account.
Name: VBR is used in this example.
Physical Connection Interface: Select the interface of Dedicated Physical Connection or Shared Physical Connection.
VLAN ID: Enter 0.
IPv4 Address (Alibaba Cloud Gateway): Enter 172.16.1.2.
IPv4 Address (Data Center Gateway): Enter 172.16.1.1.
Subnet Mask (IPv4 Address): Enter 255.255.255.252.
Step 3: Configure routes for the VBR
Use Account-1 to log on to the VBR and configure routes that point to the data center.
Log on to the Express Connect console.
In the left-side navigation pane, click Virtual Border Routers (VBRs).
In the top navigation bar, select the region of the VBR.
In this example, the China (Hangzhou) region is selected.
On the Virtual Border Routers (VBRs) page, find the VBR that you want to manage and click its ID.
Click the Routes tab and click Add Route.
In the Add Route Entry panel, set the following parameters and click OK.
Next Hop Type: Select Physical Connection Interface.
Destination Subnet: Enter the CIDR block of the data center. In this example, 10.1.1.0/24 is used.
Next Hop: Select the physical connection interface of leasedline1.
Step 4: Attach the VBR and the VPCs to a CEN instance
After the physical connection is established, you must attach the VBR that is associated with the Express Connect circuit and the VPCs that you want to connect to a Cloud Enterprise Network (CEN) instance.
Perform the following operations with Account-1:
- Log on to the CEN console.
On the Instances page, click Create CEN Instance. For more information, see Create a CEN instance.
On the Instances page, find the CEN instance and click its ID.
On the tab, click Create Transit Router. For more information, see Transit routers.
On the tab, find the transit router in the region, and click Create Connection in the Actions column to attach the VPCs and the VBR to the CEN instance.
In this example, the VBR, VPC-ApplicationA, and VPC-ApplicationB are attached to the same CEN instance. After the VBR and the VPCs are attached to the CEN instance, the route entries of the VPCs and the VBR are automatically advertised to the CEN instance. The VPCs and the VBR can learn routes from each other through the CEN instance. For more information, see Connect VPCs and Connect VBRs.
If routes that point to Elastic Compute Service (ECS) instances, VPN gateways, or high-availability virtual IP addresses (HAVIPs) exist in the VPCs, advertise these routes to the CEN instance in the CEN console based on your requirements.
For more information, see Advertise routes to a transit router.
The following table describes a CEN route.
Destination CIDR block | Next hop |
10.1.1.0/24 | VBR |
192.168.20.0/24 | VPC-ApplicationA |
192.168.10.0/24 | VPC-ApplicationB |
Step 5: Configure health checks
You must configure health checks. After you configure health checks, the system sends probe packets at the specified time interval to verify the connectivity of the Express Connect circuit.
Perform the following operations with Account-1:
- Log on to the CEN console.
In the left-side navigation pane, click Health Checks.
Select the region to which the VBR belongs and click Set Health Check.
In the Set Health Check dialog box, set the following parameters and click OK.
Instances: Select the CEN instance to which the VBR is attached.
Virtual Border Router (VBR): Select the VBR that you want to monitor.
Source IP: In this example, Automatic IP Address is selected.
If you select Automatic IP Address, the system automatically allocates IP addresses from the 100.96.0.0/16 CIDR block for probing the connectivity of the Express Connect circuit.
Destination IP: Enter the interface IP address of the network device in the data center.
Probe Interval (Seconds): Specify the time interval at which probe packets are sent for health checks. Unit: seconds. In this example, the default value is used.
Probe Packets: Specify the number of probe packets that are sent at each interval. Unit: packets. In this example, the default value is used.
Change Route: Specify whether to enable the route switching feature.
Yes is selected by default. The health check feature can switch to the redundant route.
If you clear Yes, the health check feature does not switch to the redundant route. Only probing is performed.
Step 6: Configure routes and health checks for the data center
To connect the data center to Alibaba Cloud by using the Express Connect circuit, perform the following operations. The following configurations are used for reference only. The commands may vary based on the network device vendor. Contact the vendor to obtain the information about specific commands.
# Specify a priority for the route from the data center to Alibaba Cloud. This ensures that traffic is transmitted through leaseline1.
ip route 192.168.0.0/16 172.16.1.2
# Configure the return route of the probe packets.
ip route 100.96.0.0 255.255.0.0 172.16.1.2 # Configure a reverse route for the health check probe packets on the device that is associated with the Express Connect circuit in the data center.Step 7: Create flow logs
Use Account-1 and Account-2 to create a flow log separately. The following operations are performed with Account-1. Repeat the same operations with Account-2.
- Log on to the VPC console.
In the left-side navigation pane, click Flow Log.
In the top navigation bar, select the China (Hangzhou) region.
On the Flow Log page, click Create a flow log.
In the Create a flow log dialog box, configure the following parameters and click OK:
Flow Log Name: Enter a name for the flow log. In this example, hybrid_cloud_leased_line_traffic is entered.
Resource Type: Select the type of resource whose traffic you want to capture, and then select the resource. In this example, VPC and VPC-ApplicationA are selected. The flow log captures the traffic data of VPC-ApplicationA.
Data Transfer Type: Select the type of traffic data that you want to capture. In this example, All is selected.
Project: Select the project that is used to store the captured traffic data. In this example, Create Project is selected.
Logstore: Select the Logstore that is used to store the captured traffic data. In this example, Create Logstore is selected.
Enable Log Analysis Report: After you enable this feature, Simple Log Service indexing is enabled and a dashboard is created for the Logstore. Then, you can consume the log data by using SQL queries and analyze the log data in the dashboard. Simple Log Service dashboards are free of charge. However, Simple Log Service indexing is billed based on data usage. For more information, see Simple Log Service billing. In this example, this feature is enabled.
Description: Enter a description for the flow log.
Step 8: Prepare for further data processing and analytics
Use Account-2 to deliver the flow log of Account-2 to the Logstore of Account-1. Then, you can analyze the traffic data that is captured from different applications in the same Logstore.
Perform the following operations with Account-2:
- Log on to the VPC console.
In the left-side navigation pane, click Flow Log.
In the top navigation bar, select the China (Hangzhou) region.
On the Flow Log page, find the flow log of VPC-ApplicationB and click the Logstore in the Simple Log Service column.
In the upper-right corner of the page, click Data Transformation and then click Save as Transformation Job.
In the Create Data Transformation Job panel, set the following parameters and click OK.
Job Name: Enter a name for the data transformation job. In this example, hybrid_cloud_leased_line_traffic is used.
Authorization Method: Select an authorization method. In this example, Default Role is selected. If this is the first time you perform this operation, you must complete the authorization.
Storage Target: Click Add and then set the following parameters:
Target Name: Enter the name of the target flow log.
Target Region: Select the region of the Logstore that is used to store the flow log. In this example, the region of the Logstore in Account-1 is selected.
Target Project: Enter the project that is used to store the flow log. In this example, the project of Account-1 is used.
Target Store: Enter the Logstore to which you want to store the flow log. In this example, the Logstore of Account-1 is used.
Authorization Method: Select an authorization method. In this example, AccessKey Pair is selected.
AccessKey ID: Enter the AccessKey ID of the account. In this example, the AccessKey ID is Account-1.
AccessKey Secret: Enter the AccessKey secret of the account. In this example, the AccessKey secret is Account-1.
Time Range: In this example, All is selected.
In the left-side navigation pane, find the Logstore that you have created and then choose . You can view or modify the data transformation job that is created.
Step 9: View the flow log
Perform the following operations with Account-1:
- Log on to the VPC console.
In the left-side navigation pane, click Flow Log.
In the top navigation bar, select the China (Hangzhou) region.
On the Flow Log page, find the flow log that you want to manage and click the name of the Logstore.
View the traffic data of VPC-ApplicationA that flows to the data center by performing the steps in the following figure.
Number
Description
1
Enter the following SQL statement to aggregate and sort the traffic data generated when VPC-ApplicationA communicates with the data center:
XXXX and dstaddr: 10.1.* and action: ACCEPT | select date_format(from_unixtime(__time__ - __time__% 60), '%H:%i:%S') as time, sum(bytes*8/("end"-start)) as bandwidth group by time order by time asc limit 1000The SQL statement defines the following parameters: time, bandwidth (bit/s), and srcaddr (source address). The parameters are sorted in ascending order of time. In this case, 1,000 log entries are retrieved. The following section describes the parameters:
account-id: the UID of Account-1, which is XXXX in the preceding SQL statement.dstaddr: the CIDR block of the data center.Set other parameters to the values shown in this example.
NoteEnter the following SQL statement to filter the traffic that flows from the data center to VPC-ApplicationA:
XXXX and srcaddr: 10.1.* and action: ACCEPT | select date_format(from_unixtime(__time__ - __time__% 60), '%H:%i:%S') as time, sum(bytes*8/("end"-start)) as bandwidth group by time order by time asc limit 1000account-id: the UID of Account-1, which is XXXX in the preceding SQL statement.srcaddr: the CIDR block of the data center.
To filter the traffic that flows from VPC-ApplicationB to the data center, specify
account-idto the UID of Account-2 anddstaddrto the CIDR block of the data center, and repeat other steps.
2
Select the time period during which you want to query flow logs.
3
Click the Graph tab and click
to select a chart type. 4
In the Properties section, set the following parameters:
Chart Types: Line Chart is selected in this example.
X Axis: Set the value to time.
Y Axis: Set the value to bandwidth.
Aggregate Column: Leave this parameter empty.
Format: Set this parameter to bps,Kbps,Mbps.
Keep the default values for other parameters.
5
Click Add to New Dashboard and configure the following parameters in the dialog box that appears:
Operation: Create Dashboard is used in this example.
Layout Mode: Grid Layout is used in this example.
Dashboard Name: Enter a name for the dashboard. In this example, outbound_traffic_from_account_1_to_the_data_center is used.
You can view information about the flow logs on the dashboard.
6
Click Search & Analyze to view the traffic data generated when VPC-ApplicationA communicates with the data center.