NAT Gateway provides the session log feature. After you create an SNAT entry for your NAT gateway and traffic flows through the NAT gateway, SNAT sessions are recorded as log entries to facilitate tracking and monitoring.
Feature introduction
SNAT sessions are recorded as log entries and delivered to Simple Log Service projects. Each session log records a five-tuple network flow captured within a time window of approximately 10 minutes. During this period, the session log feature first aggregates the data and then delivers the data to Simple Log Service. The data is usually delivered within 5 minutes. However, to ensure that the data is delivered, delivery may be delayed. Session logs may also not be 100% delivered due to network latency or delivery latency.
The collection of session log data does not affect the throughput or latency of NAT gateways.
The following table describes the fields of session logs:
Field | Description |
instance | The NAT gateway ID. |
vpc_id | The ID of the virtual private cloud (VPC) to which the NAT gateway belongs. |
protocol | The Internet Assigned Numbers Authority (IANA) protocol number. For more information, see Protocol Numbers. |
pri_ip | The source IP address. |
pri_port | The source port. Note: If the packet uses ICMP, pri_port indicates the ICMP ID. |
pub_ip | The destination IP address. |
pub_port | The destination port. |
nat_ip | The translated source IP address that the NAT gateway uses for the SNAT session. |
nat_port | The translated source port that the NAT gateway uses for the SNAT session. |
bytes_from_pub | The amount of traffic from the public side (the destination side of the SNAT session). |
pkts_from_pub | The number of packets from the public side (the destination side of the SNAT session). |
bytes_from_vpc | The amount of traffic from the VPC. |
pkts_from_vpc | The number of packets from the VPC. |
start_time | The time when the session log was created. |
end_time | The time when the session log was stopped. |
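The following added example is not code from the NAT Gateway documentation or from Alibaba Cloud; it shows how a consumer of these session logs might parse entries and summarize egress per private host, which is the kind of check a defender runs over SNAT records. It assumes each entry is available as one JSON object per line keyed by the field names in the table, with start_time and end_time as Unix timestamps in seconds; the sample entries, the private and destination addresses, and the alert thresholds are all constructed for this example.

```python
"""Parse NAT Gateway SNAT session log entries and summarize egress per source host.

Added example (not part of the NAT Gateway documentation). Assumes one JSON
object per line whose keys are the session log field names; start_time and
end_time are assumed to be Unix seconds. All sample values are constructed.
"""
import json
from collections import defaultdict

# Field names from the session log table; every entry must carry all of them.
REQUIRED = ("instance", "vpc_id", "protocol", "pri_ip", "pri_port", "pub_ip",
            "pub_port", "nat_ip", "nat_port", "bytes_from_pub", "pkts_from_pub",
            "bytes_from_vpc", "pkts_from_vpc", "start_time", "end_time")
INT_FIELDS = ("protocol", "pri_port", "pub_port", "nat_port", "bytes_from_pub",
              "pkts_from_pub", "bytes_from_vpc", "pkts_from_vpc",
              "start_time", "end_time")


def _sample(pri_ip, pri_port, pub_ip, pub_port, protocol=6, out=900, inp=52000):
    """Build one constructed log line (placeholder IDs, not real resources)."""
    return json.dumps({
        "instance": "ngw-placeholder", "vpc_id": "vpc-placeholder",
        "protocol": protocol, "pri_ip": pri_ip, "pri_port": pri_port,
        "pub_ip": pub_ip, "pub_port": pub_port,
        "nat_ip": "198.51.100.7", "nat_port": 20000 + pri_port % 1000,
        "bytes_from_pub": inp, "pkts_from_pub": max(1, inp // 1000),
        "bytes_from_vpc": out, "pkts_from_vpc": max(1, out // 100),
        "start_time": 1700000000, "end_time": 1700000600,
    })


# Constructed sample data: two ordinary TCP sessions, one large upload, one
# ICMP session, and one host talking to 60 distinct ports on one destination.
SAMPLE_LINES = [
    _sample("10.0.1.10", 51234, "203.0.113.5", 443),
    _sample("10.0.1.10", 51235, "203.0.113.9", 443),
    _sample("10.0.1.20", 40000, "203.0.113.77", 8443, out=2_500_000, inp=1200),
    _sample("10.0.1.30", 4321, "203.0.113.5", 0, protocol=1, out=640, inp=640),
] + [_sample("10.0.1.40", 30000 + p, "203.0.113.200", p) for p in range(1, 61)]


def parse_session(line):
    """Parse one JSON log line, enforcing the field list and integer types."""
    rec = json.loads(line)
    missing = [f for f in REQUIRED if f not in rec]
    if missing:
        raise ValueError(f"session log entry missing fields: {missing}")
    for f in INT_FIELDS:
        rec[f] = int(rec[f])
    return rec


def describe_flow(rec):
    """Render the five-tuple; for ICMP (protocol 1) pri_port is the ICMP ID."""
    proto = rec["protocol"]
    if proto == 1:
        return (f"icmp id={rec['pri_port']} {rec['pri_ip']} -> {rec['pub_ip']}"
                f" via {rec['nat_ip']}")
    name = {6: "tcp", 17: "udp"}.get(proto, f"proto{proto}")
    return (f"{name} {rec['pri_ip']}:{rec['pri_port']} -> "
            f"{rec['pub_ip']}:{rec['pub_port']} via {rec['nat_ip']}:{rec['nat_port']}")


def summarize(lines):
    """Aggregate sessions, bytes in each direction and distinct destinations per pri_ip."""
    per_host = defaultdict(lambda: {"sessions": 0, "bytes_out": 0,
                                    "bytes_in": 0, "destinations": set()})
    for line in lines:
        rec = parse_session(line)
        h = per_host[rec["pri_ip"]]
        h["sessions"] += 1
        h["bytes_out"] += rec["bytes_from_vpc"]   # VPC -> public side
        h["bytes_in"] += rec["bytes_from_pub"]    # public side -> VPC
        h["destinations"].add((rec["pub_ip"], rec["pub_port"], rec["protocol"]))
    return per_host


def flag_hosts(per_host, egress_bytes=1_000_000, fanout=50):
    """Return (pri_ip, reasons) for hosts over the placeholder thresholds."""
    flagged = []
    for ip, h in sorted(per_host.items()):
        reasons = []
        if h["bytes_out"] >= egress_bytes:
            reasons.append("egress")
        if len(h["destinations"]) >= fanout:
            reasons.append("fanout")
        if reasons:
            flagged.append((ip, reasons))
    return flagged


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for ip, reasons in flag_hosts(summary):
        print(ip, ",".join(reasons), summary[ip]["bytes_out"], "bytes out")
    print(describe_flow(parse_session(SAMPLE_LINES[3])))
```

The thresholds are placeholders to be tuned per workload; because a session entry covers an aggregation window of roughly 10 minutes and delivery can lag by about 5 minutes, a consumer should wait out that lag before treating a window as complete.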
Billing
You are not charged for using the session log feature. However, recorded SNAT sessions are stored in Simple Log Service projects and you are charged for using Simple Log Service. For more information, see Billing of Simple Log Service.
Limits
You cannot enable the session log feature for pay-by-specification NAT gateways (no longer available for purchase).
The NAT gateway and the Simple Log Service project must belong to the same region.
Session log does not capture DNAT sessions.
Procedure
Create a project
You must create a project for Simple Log Service. For more information, see Create a project.
Create a Logstore
A Logstore is a collection of resources in a project. All data in a Logstore is retrieved from the same source. After you create a project, you must create a Logstore. For more information, see Create a Logstore.
Start a session log
Start a session log to record SNAT sessions and deliver log entries to Simple Log Service. For more information, see Start a session log.
Start a session log
Log on to the NAT Gateway console. In the top navigation bar, select the region where the NAT gateway resides.
In the left-side navigation pane, click Internet NAT Gateway or VPC NAT Gateway. Find the NAT gateway and click its ID.
On the details page, choose the
tab and click Enable Session Log.
View a session log
Log on to the NAT Gateway console. In the top navigation bar, select the region where the NAT gateway resides.
In the left-side navigation pane, click Internet NAT Gateway or VPC NAT Gateway. Find the NAT gateway and click its ID.
On the details page, choose the
tab and click the name in the Destination Information column.
Parameter | Description |
Session Log Status | After the session log is started, Enabled is displayed. After you start the session log, the system automatically creates the AliyunServiceRolePolicyForNatgwLogDelivery service-linked role so that data can be delivered to Simple Log Service. For more information, see AliyunServiceRolePolicyForNatgwLogDelivery. |
Delivery Status | The delivery status of the session log. Valid values: Successful: The session log is delivered to Simple Log Service. Modifying: The session log is being modified or started. Failed: The session log failed to be delivered to Simple Log Service. For more information, see Error codes. |
Delivery Type | The delivery type. Set the value to sls. |
Destination Information | In the Destination Information column, click the Logstore link to go to the Simple Log Service console. Before you view and analyze logs, you must manually create an index for the Logstore to which the session log is delivered. For more information, see Create an index and Query and analyze logs. |
Disable the session log
Log on to the NAT Gateway console. In the top navigation bar, select the region where the NAT gateway resides.
In the left-side navigation pane, click Internet NAT Gateway or VPC NAT Gateway. Find the NAT gateway and click its ID.
On the details page, choose
, find the session log, and then click Stop in the Actions column.
Delivery error codes
Error code | Description |
ProjectNotExist | The destination project does not exist. |
LogStoreNotExist | The destination Logstore does not exist. |
ProjectForbidden | The project is disabled and the cause may be overdue payments. |
InvalidAccessKeyId | The service-linked role is not created when you start the session log. |
Unauthorized | The service-linked role is not created when you start the session log. |
UnavaliableTarget | Log entries cannot be delivered to the destination for 5 minutes after one of the following error codes is returned: Unauthorized, ProjectNotExist, LogStoreNotExist, or ProjectForbidden. If new data needs to be delivered after the 5 minutes have elapsed, the system performs a delivery test. If the test succeeds, new data is delivered. Otherwise, delivery is disabled for another 5 minutes. |
WriteQuotaExceed | The write traffic to a project exceeds the upper limit. By default, all Logstores in a project support up to 30 GB of write traffic per minute in total. |
ShardWriteQuotaExceed | The session log traffic is large and the shards in your Logstore are insufficient. We recommend that you split the shards to add more. For more information, see Manage shards. |