NAT Gateway provides the session log feature. After you create an SNAT entry for your NAT gateway and traffic flows through the NAT gateway, SNAT sessions are recorded as log entries to facilitate tracking and monitoring.
Overview
SNAT sessions are recorded as log entries and delivered to Simple Log Service projects. Each session log entry captures one 5-tuple network flow within one capture window. A capture window lasts about 10 minutes. During this window, the session log feature first aggregates the data and then delivers it to the Simple Log Service project. The delivery delay is typically within 5 minutes. However, timely delivery is not guaranteed: because of network latency or delivery latency, some session logs may arrive late, and session logs may not be 100% delivered.
The session log feature is in public preview. To use the session log feature, contact your account manager.
The collection of session log data does not affect the throughput or latency of NAT gateways.
The following table describes the fields of session logs:
| Field | Description |
|---|---|
| instance | The ID of the NAT gateway. |
| vpc_id | The ID of the virtual private cloud (VPC) to which the NAT gateway belongs. |
| protocol | The Internet Assigned Numbers Authority (IANA) protocol number. For more information, see Protocol Numbers. |
| pri_ip | The source IP address. |
| pri_port | The source port. Note: If the packet uses ICMP, pri_port indicates the ICMP ID. |
| pub_ip | The destination IP address. |
| pub_port | The destination port. |
| nat_ip | The source IP address after SNAT translation, that is, the address that the destination sees. |
| nat_port | The source port after SNAT translation. |
| bytes_from_pub | The amount of traffic received from the destination (pub_ip). |
| pkts_from_pub | The number of packets received from the destination (pub_ip). |
| bytes_from_vpc | The amount of traffic from the VPC. |
| pkts_from_vpc | The number of packets from the VPC. |
| start_time | The time when the session log was created. |
| end_time | The time when the session log was stopped. |
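The following Python script is an added example (it is not code from the NAT Gateway or Simple Log Service documentation) that shows how the fields above can be consumed once the log entries are in a Logstore. It parses constructed sample entries, rebuilds a session that was split across two consecutive capture windows (the ~10-minute windows described in the overview), and summarises traffic per private source address, which is the usual starting point for spotting an instance that talks to unexpected destinations or moves an unusual volume of data. It assumes that entries arrive as JSON objects keyed by the documented field names, that the NAT gateway ID field is named `instance`, and that `start_time` and `end_time` are Unix epoch seconds; the page does not state the timestamp format, so adjust `parse_entry` if your Logstore uses another one.

```python
import json
from collections import defaultdict

# Constructed sample entries shaped like the session log fields documented above.
# All values are made up. Assumptions: entries arrive as JSON objects, "instance"
# is the NAT gateway ID field, and start_time/end_time are Unix epoch seconds.
# Entries 1 and 2 are the same TCP 5-tuple continued across two consecutive
# ~10-minute capture windows; entry 3 is ICMP, where pri_port carries the ICMP ID.
SAMPLE_LOGS = [
    '{"instance": "ngw-example", "vpc_id": "vpc-example", "protocol": 6, '
    '"pri_ip": "192.168.1.10", "pri_port": 40001, "pub_ip": "203.0.113.5", "pub_port": 443, '
    '"nat_ip": "198.51.100.7", "nat_port": 50001, "bytes_from_pub": 2048, "pkts_from_pub": 4, '
    '"bytes_from_vpc": 512, "pkts_from_vpc": 3, "start_time": 1700000000, "end_time": 1700000600}',
    '{"instance": "ngw-example", "vpc_id": "vpc-example", "protocol": 6, '
    '"pri_ip": "192.168.1.10", "pri_port": 40001, "pub_ip": "203.0.113.5", "pub_port": 443, '
    '"nat_ip": "198.51.100.7", "nat_port": 50001, "bytes_from_pub": 4096, "pkts_from_pub": 8, '
    '"bytes_from_vpc": 256, "pkts_from_vpc": 2, "start_time": 1700000600, "end_time": 1700001200}',
    '{"instance": "ngw-example", "vpc_id": "vpc-example", "protocol": 1, '
    '"pri_ip": "192.168.1.10", "pri_port": 1234, "pub_ip": "203.0.113.9", "pub_port": 0, '
    '"nat_ip": "198.51.100.7", "nat_port": 1234, "bytes_from_pub": 64, "pkts_from_pub": 1, '
    '"bytes_from_vpc": 64, "pkts_from_vpc": 1, "start_time": 1700000100, "end_time": 1700000700}',
    '{"instance": "ngw-example", "vpc_id": "vpc-example", "protocol": 17, '
    '"pri_ip": "192.168.1.11", "pri_port": 51000, "pub_ip": "203.0.113.5", "pub_port": 53, '
    '"nat_ip": "198.51.100.7", "nat_port": 50002, "bytes_from_pub": 300, "pkts_from_pub": 2, '
    '"bytes_from_vpc": 100, "pkts_from_vpc": 1, "start_time": 1700000050, "end_time": 1700000650}',
]

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers used here
COUNTERS = ("bytes_from_pub", "pkts_from_pub", "bytes_from_vpc", "pkts_from_vpc")
STR_FIELDS = ("instance", "vpc_id", "pri_ip", "pub_ip", "nat_ip")
INT_FIELDS = ("protocol", "pri_port", "pub_port", "nat_port", "start_time", "end_time") + COUNTERS


def parse_entry(raw):
    """Parse one JSON session log entry into a dict with typed fields."""
    rec = json.loads(raw)
    entry = {name: str(rec[name]) for name in STR_FIELDS}
    entry.update({name: int(rec[name]) for name in INT_FIELDS})
    # For ICMP the documented pri_port field is the ICMP ID, so expose it under that name.
    entry["icmp_id"] = entry["pri_port"] if entry["protocol"] == 1 else None
    return entry


def flow_key(entry):
    """The 5-tuple that identifies a flow across capture windows."""
    return (entry["protocol"], entry["pri_ip"], entry["pri_port"],
            entry["pub_ip"], entry["pub_port"])


def merge_windows(entries):
    """Merge entries of one 5-tuple whose capture windows touch or overlap.

    A long-lived session is logged once per capture window; summing the
    counters and extending end_time rebuilds the whole session.
    """
    by_key = defaultdict(list)
    for entry in entries:
        by_key[flow_key(entry)].append(entry)
    merged = []
    for group in by_key.values():
        group.sort(key=lambda e: e["start_time"])
        current = dict(group[0])
        for entry in group[1:]:
            if entry["start_time"] <= current["end_time"]:
                current["end_time"] = max(current["end_time"], entry["end_time"])
                for name in COUNTERS:
                    current[name] += entry[name]
            else:  # a gap between windows means a new session on the same 5-tuple
                merged.append(current)
                current = dict(entry)
        merged.append(current)
    merged.sort(key=lambda e: (e["start_time"], flow_key(e)))
    return merged


def summarize_by_source(entries):
    """Per private source IP: bytes in each direction, sessions, destinations, NAT IPs used."""
    summary = {}
    for flow in merge_windows(entries):
        s = summary.setdefault(flow["pri_ip"], {
            "bytes_in": 0, "bytes_out": 0, "sessions": 0,
            "destinations": set(), "nat_ips": set()})
        s["bytes_in"] += flow["bytes_from_pub"]
        s["bytes_out"] += flow["bytes_from_vpc"]
        s["sessions"] += 1
        proto = PROTOCOL_NAMES.get(flow["protocol"], str(flow["protocol"]))
        s["destinations"].add((proto, flow["pub_ip"], flow["pub_port"]))
        s["nat_ips"].add(flow["nat_ip"])
    return summary


def load_sample():
    """Parse the constructed sample entries."""
    return [parse_entry(line) for line in SAMPLE_LOGS]


if __name__ == "__main__":
    for ip, s in sorted(summarize_by_source(load_sample()).items()):
        print(f"{ip}: {s['sessions']} session(s), {s['bytes_in']} B in, "
              f"{s['bytes_out']} B out, destinations={sorted(s['destinations'])}")
```

Because a capture window is only about 10 minutes, a single long connection shows up as several entries with the same 5-tuple and adjoining windows; counting entries rather than merged flows would overstate the number of sessions, which is why the summary is built on `merge_windows`. The `nat_ips` set is what you would match against an external report that names one of your NAT gateway's public addresses.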
Billing
You are not charged for using the session log feature. However, recorded SNAT sessions are stored in Simple Log Service projects and you are charged for using Simple Log Service. For more information, see Billing of Simple Log Service.
Limits
You cannot enable the session log feature for pay-by-specification NAT gateways.
The NAT gateway and the Simple Log Service project must belong to the same region.
Supported regions
The following table describes the regions that support the session log feature.
| Area | Region |
|---|---|
| Chinese mainland | China (Qingdao), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shanghai), China (Shenzhen), China (Heyuan), China (Guangzhou), and China (Chengdu) |
| Asia Pacific | Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Japan (Tokyo), and South Korea (Seoul) |
| Europe & Americas | Germany (Frankfurt) |
Procedure
Create a project
You must create a project for Simple Log Service. For more information, see Create a project.
Create a Logstore
A Logstore is a collection of resources in a project. All data in a Logstore is retrieved from the same source. After you create a project, you must create a Logstore. For more information, see Create a Logstore.
Start a session log
Start a session log to record SNAT sessions and deliver log entries to Simple Log Service. For more information, see Start a session log.
Start a session log
- Log on to the NAT Gateway console.
- In the top navigation bar, select the region of the NAT gateway.
- In the left-side navigation pane, click Internet NAT Gateway or VPC NAT Gateway.
- On the Internet NAT Gateway or VPC NAT Gateway page, find the NAT gateway and click its ID.
- On the details page, choose the tab and click Enable Session Log.
- In the Enable Session Log dialog box, set the following parameters and click OK.

| Parameter | Description |
|---|---|
| NAT Gateway ID/Name | Displays the ID and name of the selected NAT gateway. |
| Region | Displays the region to which the NAT gateway belongs. |
| Project | Specify a project to manage captured traffic information. Valid values: Select Project: select an existing project to store the captured traffic information. Create Project: create a project to store the captured traffic information. |
| Logstore | Specify a Logstore to store captured traffic information. Valid values: Select Logstore: select a Logstore from an existing project to store captured traffic information. Create Logstore: create a Logstore to store captured traffic information. |
View a session log
- Log on to the NAT Gateway console.
- In the top navigation bar, select the region of the NAT gateway.
- In the left-side navigation pane, click Internet NAT Gateway or VPC NAT Gateway.
- On the Internet NAT Gateway or VPC NAT Gateway page, find the NAT gateway and click its ID.
- On the details page, choose the tab. Then, find the session log and view its information.

| Parameter | Description |
|---|---|
| Session Log Status | After the session log is started, Enabled is displayed. After you start the session log, the system automatically creates the AliyunServiceRolePolicyForNatgwLogDelivery service-linked role so that data can be delivered to Simple Log Service. For more information, see AliyunServiceRolePolicyForNatgwLogDelivery. |
| Delivery Status | The delivery status of the session log. Valid values: Successful: the session log is delivered to Simple Log Service. Modifying: the session log is being modified or started. Failed: the session log failed to be delivered to Simple Log Service. For more information, see Error codes. |
| Delivery Type | The delivery type. Set the value to sls. |
| Destination Information | In the Destination Information column, click the Logstore link to go to the Simple Log Service console. Before you view and analyze logs, you must manually create an index for the Logstore to which the session log is delivered. For more information, see Create an index and Query and analyze logs. |
Disable the session log
- Log on to the NAT Gateway console.
- In the top navigation bar, select the region of the NAT gateway.
- In the left-side navigation pane, click Internet NAT Gateway or VPC NAT Gateway.
- On the Internet NAT Gateway or VPC NAT Gateway page, find the NAT gateway and click its ID.
- On the details page, choose the tab, find the session log, and click Stop in the Actions column.
- In the message that appears, click OK.

Note: After the session log is stopped, delivered log entries are not deleted.
Delivery error codes
| Error code | Description |
|---|---|
| ProjectNotExist | The destination project does not exist. |
| LogStoreNotExist | The destination Logstore does not exist. |
| ProjectForbidden | The project is disabled. A common cause is overdue payments. |
| InvalidAccessKeyId | The service-linked role was not created when you started the session log. |
| Unauthorized | The service-linked role was not created when you started the session log. |
| UnavaliableTarget | If one of the following error codes is returned, log entries are not delivered to the destination for 5 minutes: Unauthorized, ProjectNotExist, LogStoreNotExist, or ProjectForbidden. If new data needs to be delivered after the 5 minutes, the system performs a delivery test. If the test succeeds, new data is delivered. Otherwise, delivery is suspended for another 5 minutes. |
| WriteQuotaExceed | The write traffic to the project exceeds the upper limit. By default, all Logstores in a project together support up to 30 GB of write traffic per minute. |
| ShardWriteQuotaExceed | The session log traffic is large and the shards in your Logstore are insufficient. We recommend that you split shards to add capacity. For more information, see Manage shards. |