Configure a flow log - Cloud Enterprise Network - Alibaba Cloud Documentation Center

Transit routers support the flow log feature. Flow logs are used to capture the information about inter-region network traffic between transit routers and about connections on virtual border routers (VBRs). You can analyze the bandwidth usage, troubleshoot network errors, and reduce data transfer fees based on the captured information.

What is a flow log?

Flow logs

Flow logs are used to capture traffic information during a specified time window. You can set the time window to 1 minute or 10 minutes. During the specified time window, the flow log first aggregates the captured traffic information, and then writes the traffic information to Log Service as flow log entries. You can query and analyze the log entries in the Log Service console.

The fields in log entries vary based on the monitored object. The following table describes the fields in log entries generated by inter-region connections and VBR connections.

Note

In the following table, indicates that the field is supported and indicates that the field is not supported.

Log field	Description	Inter-region connection	VBR connection
account-id	The ID of the Alibaba Cloud account
attachment-id	The ID of the network instance connection
cen-id	The ID of the Cloud Enterprise Network (CEN) instance
src-region-id	The ID of the source region
srcaddr	The source IP address
srcport	The source port
dst-region-id	The ID of the destination region
dstaddr	The destination IP address
dstport	The destination port
protocol	The protocol
packets	The number of data packets
bytes	The size of data packets
start	The beginning of the time window
end	The end of the time window
direction	The direction in which the network traffic flows over the VBR connection in: The network traffic flows from the on-premises network to Alibaba Cloud. out: The network traffic flows from Alibaba Cloud to the on-premises network.

Billing rules

After you enable the flow log feature for a transit router, you are charged for the following billable items:

Flow log collection fee
You are charged a flow log collection fee based on the number of flow log entries that are collected.
Note
Network log retrieval is free of charge. The time when the fee will be charged will be posted in the product announcements.
Service fee of Log Service
Flow log entries are stored in Log Service. You can view and analyze the flow log entries in Log Service. You are charged for data storage and retrieval when you use Log Service. For more information, see Log Service billing.

Limits

Only Enterprise Edition transit routers support the flow log feature. Basic Edition transit routers do not support the flow log feature.
If you want to use flow logs in a region where a Basic Edition transit router is deployed, upgrade the transit router from Basic Edition to Enterprise Edition first. For more information, see Upgrade transit routers from Basic Edition to Enterprise Edition.
Only flow logs in the following regions can capture the information about network traffic over VBR connections:
China (Hangzhou), China (Shanghai), China (Nanjing-Local Region), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Chengdu), Singapore, China (Hong Kong), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Japan (Tokyo), Germany (Frankfurt), UK (London), US (Virginia), US (Silicon Valley), and Australia (Sydney) Closing Down.
Flow logs are used to capture information about outbound traffic on transit routers. Information about inbound traffic on transit routers is not captured.
For example, an Elastic Compute Service (ECS) instance in the US (Silicon Valley) region accesses an ECS instance in the US (Virginia) region through CEN. After you enable the flow log feature for the transit router in the US (Virginia) region, you can check the log entries about packets sent from the ECS instance in the US (Virginia) region to the ECS instance in the US (Silicon Valley) region. However, packets sent from the ECS instance in the US (Silicon Valley) region to the ECS instance in the US (Virginia) region are not recorded. If you want to record the packets sent from the ECS instance in the US (Silicon Valley) region to the ECS instance in the US (Virginia) region, you must also enable the flow log feature on the transit router that is in the US (Silicon Valley) region.
If a TCP connection only contains packets for connection establishment, connection reset, or connection closure, the flow logs of the forwarding router will not record the TCP connection.
For example, if a TCP connection does not complete the three-way handshake, or if the client connection request is reset by a firewall, the flow logs will not record the connection. This is designed to prevent a large number of flow logs from being generated due to TCP scanning attacks.

Prerequisites

An inter-region connection is created between two regions if you want to capture the information about the network traffic between the regions. For more information, see Manage inter-region connections.
A VBR is connected to an Enterprise Edition transit router if you want to capture the information about the network traffic on the VBR. For more information, see Create a VBR connection.

Create a flow log

Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
Navigate to the Basic Information > Transit Router tab and click the ID of the transit router that you want to manage.
On the details page of the transit router, click the Flow Logs tab.
If your Alibaba Cloud account does not have Log Service activated, you must first activate Log Service before you can use flow logs.
On the Flow Logs tab, click Activate Now. On the Log Service page, view and select the Log Service Terms of Service check box, and then click Activate Now. After you activate Log Service, return to the Flow Logs tab.
Note
If your Alibaba Cloud account already has Log Service activated, skip this step.
On the Flow Logs tab, click Create Flow Log.

In the Create Flow Log dialog box, set the following parameters and click OK.

Parameter	Description
Name	Enter a name for the flow log.
Description	Enter a description for the flow log.
Region	The region where the current transit router is deployed is displayed by default.
Transit Router ID	The ID of the current transit router is displayed by default.
Instance	Select the instance whose network traffic you want to capture. Inter-region (default): Select Inter-region and an inter-region connection if you want to capture the information about the inter-region network traffic between transit routers. VBR: Select VBR and a VBR connection if you want to capture the information about the network traffic transmitted over a VBR connection.
Project	Select a project to store traffic information. You can select an existing project or create one. If you select Create Project, the system creates a project.
Logstore	Select a Logstore to store log entries. You can select an existing Logstore or create one.
Collection Interval	Select the duration of the time window. Valid values: 1 Minute 10 Minutes
Notes on Creating Service Linked Roles	When you create a flow log, the system automatically creates the service-linked role AliyunServiceRoleForSLSAudit. Log Service can assume the AliyunServiceRoleForSLSAudit role to obtain required read and write permissions on transit routers to collect traffic information. If the AliyunServiceRoleForSLSAudit role already exists, the system does not create it again. For more information, see Manage the AliyunServiceRoleForSLSAudit service-linked role.

After you create a flow log, the flow log is enabled by default. You can click the name of a project or a Logstore in the Log Service column to go to the Log Service console and analyze the captured traffic information. For more information, see Log search overview and Log analysis overview.

Disable a flow log

You can enable or disable a flow log based on your business requirements.

Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
Navigate to the Basic Information > Transit Router tab and click the ID of the transit router that you want to manage.
On the details page of the transit router, click the Flow Logs tab. On the Flow Logs tab, find the flow log that you want to disable and click Disable in the Actions column.
In the Disable Flow Log message, click OK.
If you want to enable the flow log, you can click Enable in the Actions column. Then, click OK in the Enable Flow Log message.

Delete a flow log

You can delete a flow log that you no longer use.

Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
Navigate to the Basic Information > Transit Router tab and click the ID of the transit router that you want to manage.
On the details page of the transit router, click the Flow Logs tab. On the Flow Logs tab, find the flow log that you want to delete and click Delete in the Actions column.
In the Delete Flow Log message, click OK.

References

CreateFlowlog: creates a flow log.
ModifyFlowLogAttribute: modifies the name and description of a flow log.
ActiveFlowLog: enables a flow log.
DeactiveFlowLog: disables a flow log.
DeleteFlowlog: deletes a flow log.
DescribeFlowlogs: queries the configuration of a flow log.