
VPN Gateway: Analyze VPN gateway traffic with ENI flow logs

Last Updated: Apr 01, 2026

When a VPN gateway instance runs in dual-tunnel mode, the system automatically creates elastic network interfaces (ENIs) in the vSwitches of your VPC to handle traffic between the VPC and the gateway. Capture flow logs for those ENIs and query them in Simple Log Service (SLS) to identify which hosts are communicating, how much bandwidth each pair consumes, and which direction traffic is flowing.

How it works

The following diagram shows the example setup used in this topic: two VPCs connected through an IPsec-VPN connection, with flow logs enabled on the ENIs of VPN gateway 1.

[Figure: example topology, two VPCs connected through an IPsec-VPN connection, flow logs enabled on the ENIs of VPN gateway 1]

To set up a VPC-to-VPC IPsec-VPN connection in dual-tunnel mode before following this topic, see Create a VPC-to-VPC IPsec-VPN connection (dual-tunnel mode).

ENI count by feature combination:

  Enabled features          ENIs created
  IPsec-VPN only            2
  SSL-VPN only              2
  IPsec-VPN and SSL-VPN     4

In this example, only IPsec-VPN is enabled, so the system creates two ENIs.

Traffic direction in flow log records:

  Value    Meaning
  in       Traffic from the VPC to the ENI
  out      Traffic from the ENI to the VPC

Prerequisites

Before you begin, make sure that you have:

Step 1: Find the ENI IDs

After you create a VPN gateway instance in dual-tunnel mode, the instance details page lists the system-created ENIs.

  1. Log on to the VPN gateway console.

  2. In the top navigation bar, select the region where the VPN gateway instance resides.

  3. On the VPN Gateways page, click the ID of the target VPN gateway instance.

  4. In the Basic Information section, note the IDs and names of the system-created ENIs.


Step 2: Create a flow log

Flow logs are enabled by default upon creation and immediately start recording traffic. For details on all flow log fields, see Introduction to flow logs.

  1. Go to the Flow Log page in the VPC console and click Create a flow log. If this is your first time using flow logs, click Activate Now.

  2. In the Create a flow log dialog box, configure the following parameters and click OK. For all other parameters, keep the default values. For a full parameter reference, see Create a flow log.

    Parameter: value for this example. Notes.

    Resource Type: ENI. Captures traffic at the network interface level.
    Resource Instance: ENI of the VPN gateway instance. Select from the ENIs identified in Step 1.
    Data Transfer Type: All Traffic. Logs all traffic. Choose Allowed Traffic or Denied Traffic to filter by security group and network ACL rules.
    Project: Create Project. Creates a new SLS project to manage the flow logs.
    Logstore: Create Logstore. Deliver all ENI logs for VPN gateway 1 to the same Logstore to centralize analysis.
    Enable Log Analysis Report: Enabled. Enables indexing and creates a dashboard, allowing SQL queries and data visualization. Indexing is billed based on data usage; dashboards are free.
    Sampling Interval (Minutes): 1 minute. Controls how frequently traffic data is captured. A shorter interval produces more granular data but increases log volume.

Step 3: Query and analyze flow logs

Flow log data is automatically delivered to Simple Log Service. Use the SLS console to run queries and visualize traffic patterns.

  1. Log on to the VPC console.

  2. In the left-side navigation pane, choose O&M and Monitoring > Flow Log.

  3. In the top navigation bar, select the region where the flow log was created.

  4. On the Flow Log page, find the flow log and click the Logstore name in the Simple Log Service column. The SLS console opens automatically.


  5. On the Logstore details page, query and analyze ENI logs to identify VPN gateway traffic patterns.

Example: identify top communicating hosts

This query returns the hosts communicating through each ENI, the traffic direction, and the total bytes transferred for each host pair.

Query statement:

* | select "eni-id",srcaddr,dstaddr,direction,sum(bytes) as byte from log GROUP BY "eni-id",srcaddr,dstaddr,direction ORDER BY "eni-id" DESC limit 10

Procedure:

  1. Select the time range for the query.

  2. Enter the SQL query.

  3. Click Search & Analyze.

  4. On the General Configurations tab, keep the default settings for all modules. Customize the chart display as needed; see Overview of charts.

  5. In the Preview Chart section, review and filter the results. Example insights from VPN gateway 1: VPN gateway 1 is transferring traffic through eni-7xv1sg8m****39; ECS2 in VPC1 has not communicated in the last 15 minutes; ECS1 and ECS4 consumed significant bandwidth in the last 15 minutes.

  6. (Optional) Click Add to New Dashboard to save the query results as a persistent dashboard view. Set Operation to Create Dashboard, Layout Mode to Grid Layout, and enter a Dashboard Name (for example, VPN gateway 1). See Dashboards for details.

Other query scenarios

Adapt the SQL to answer other questions about your VPN gateway traffic:

  • Top bandwidth consumers: Sort by sum(bytes) DESC to find which host pairs generate the most traffic.

  • Per-ENI traffic split: Group by "eni-id" only to compare traffic volume across the two ENIs and verify load distribution.

  • Single-host activity: Add WHERE srcaddr = '<IP>' to trace all connections from a specific host.
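The following worked example is added here and is not code from the Alibaba Cloud topic. It runs the host-pair query from Step 3 and the three adapted scenarios above against constructed ENI flow log records. An in-memory SQLite table named `log` stands in for the SLS Logstore (an assumption: SLS uses a Presto-style SQL engine, so the statements stay within the subset the two share, and in the SLS console each statement carries the `* |` prefix shown above). The ENI IDs, addresses and byte counts are made up; the field names follow the topic.

```python
"""Run the topic's flow-log aggregation queries over constructed records.

An in-memory SQLite table `log` is a stand-in for the SLS Logstore (assumed
compatible SQL subset). direction "in" means VPC -> ENI and "out" means
ENI -> VPC, as defined in the topic. All IDs and addresses are constructed."""
import sqlite3

# Constructed sample records for two ENIs of "VPN gateway 1": hosts in VPC1
# use 192.168.1.0/24, hosts in VPC2 use 10.0.1.0/24.
SAMPLE_RECORDS = [
    # (eni-id, srcaddr, dstaddr, direction, bytes)
    ("eni-aaaa0001", "192.168.1.10", "10.0.1.10", "in", 50_000),
    ("eni-aaaa0001", "192.168.1.10", "10.0.1.10", "in", 70_000),
    ("eni-aaaa0001", "10.0.1.10", "192.168.1.10", "out", 30_000),  # reply traffic
    ("eni-aaaa0002", "192.168.1.11", "10.0.1.11", "in", 5_000),
    ("eni-aaaa0002", "10.0.1.11", "192.168.1.11", "out", 2_000),
    ("eni-aaaa0002", "192.168.1.10", "10.0.1.11", "in", 10_000),
]


def load_logstore(records=SAMPLE_RECORDS):
    """Create the stand-in Logstore table and load the records into it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        'CREATE TABLE log ("eni-id" TEXT, srcaddr TEXT, dstaddr TEXT, '
        "direction TEXT, bytes INTEGER)"
    )
    conn.executemany("INSERT INTO log VALUES (?, ?, ?, ?, ?)", records)
    return conn


def top_host_pairs(conn):
    """The topic's query: bytes per (ENI, source, destination, direction)."""
    return conn.execute(
        'SELECT "eni-id", srcaddr, dstaddr, direction, SUM(bytes) AS byte '
        'FROM log GROUP BY "eni-id", srcaddr, dstaddr, direction '
        'ORDER BY "eni-id" DESC LIMIT 10'
    ).fetchall()


def top_bandwidth(conn):
    """Top bandwidth consumers: host pairs across all ENIs, largest first."""
    return conn.execute(
        "SELECT srcaddr, dstaddr, SUM(bytes) AS byte FROM log "
        "GROUP BY srcaddr, dstaddr ORDER BY byte DESC LIMIT 10"
    ).fetchall()


def per_eni_split(conn):
    """Per-ENI traffic split: total bytes per ENI, to check load distribution."""
    return conn.execute(
        'SELECT "eni-id", SUM(bytes) AS byte FROM log '
        'GROUP BY "eni-id" ORDER BY "eni-id"'
    ).fetchall()


def direction_split(conn):
    """Bytes per ENI and direction (in = VPC to ENI, out = ENI to VPC)."""
    return conn.execute(
        'SELECT "eni-id", direction, SUM(bytes) AS byte FROM log '
        'GROUP BY "eni-id", direction ORDER BY "eni-id", direction'
    ).fetchall()


def single_host(conn, ip):
    """Single-host activity: every destination a given source talked to.

    The address is bound as a query parameter instead of being pasted into
    the SQL text, so a value taken from user input cannot alter the query."""
    return conn.execute(
        'SELECT "eni-id", dstaddr, direction, SUM(bytes) AS byte FROM log '
        'WHERE srcaddr = ? GROUP BY "eni-id", dstaddr, direction '
        "ORDER BY byte DESC",
        (ip,),
    ).fetchall()


def idle_hosts(conn, expected_hosts):
    """Hosts from an expected set that appear in no record, which is how the
    topic notices that a host (ECS2 in its example) has not communicated."""
    rows = conn.execute("SELECT srcaddr FROM log UNION SELECT dstaddr FROM log")
    seen = {row[0] for row in rows}
    return set(expected_hosts) - seen


if __name__ == "__main__":
    conn = load_logstore()
    for row in top_host_pairs(conn):
        print(row)
    print("per ENI:", per_eni_split(conn))
    print("idle:", idle_hosts(conn, {"192.168.1.10", "192.168.1.11", "192.168.1.12"}))
```

The `single_host` function shows the one change worth making when the `WHERE srcaddr = '<IP>'` filter moves from the console into a script: bind the address as a parameter rather than formatting it into the statement.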

What's next

For more information about log query and analysis, see Index-based query and analysis.