
NAT Gateway: Session log

Last Updated:Feb 26, 2025

NAT Gateway provides the session log feature. After you create an SNAT entry for your NAT gateway and traffic flows through the NAT gateway, SNAT sessions are recorded as log entries to facilitate tracking and monitoring.

Feature introduction

SNAT sessions are recorded as log entries and delivered to a Simple Log Service project. Each log entry records one five-tuple network flow (protocol, source IP address and port, destination IP address and port) observed within a window of approximately 10 minutes. Within that window, the session log feature first aggregates the data and then delivers it to Simple Log Service, usually within 5 minutes. Delivery is best-effort: because of network or delivery latency, entries may arrive late, and a small number may not be delivered at all. Do not treat the absence of an entry as proof that no session occurred.

Note

The collection of session log data does not affect the throughput or latency of NAT gateways.

The following table describes the fields of session logs:

Field

Description

instance

The NAT gateway ID.

vpc_id

The ID of the virtual private cloud (VPC) to which the NAT gateway belongs.

protocol

The Internet Assigned Numbers Authority (IANA) protocol number.

For more information, see Protocol Numbers.

pri_ip

The source IP address, that is, the private IP address of the instance in the VPC that initiated the session.

pri_port

The source port on the instance in the VPC.

Note

If the packet uses ICMP, pri_port indicates the ICMP ID.

pub_ip

The destination IP address: an Internet address for an Internet NAT gateway, or an address in the peer VPC or data center for a VPC NAT gateway.

pub_port

The destination port.

nat_ip

  • For an Internet NAT gateway, the meaning depends on the elastic IP address (EIP) association mode:

    • In NAT mode, this parameter indicates the private IP address of the EIP associated with the Internet NAT gateway. To correlate the log with a public address observed by an external party, map this private IP address back to its EIP on the gateway.

    • In Multi-EIP-to-ENI mode, this parameter indicates the EIP associated with the Internet NAT gateway.

  • For a VPC NAT gateway, this parameter indicates the NAT IP address associated with the VPC NAT gateway.

nat_port

  • For an Internet NAT gateway, this parameter indicates the port used by the EIP associated with the Internet NAT gateway.

  • For a VPC NAT gateway, this parameter indicates the port used by the NAT IP address associated with the VPC NAT gateway.

bytes_from_pub

  • For an Internet NAT gateway, this parameter indicates the amount of traffic from the Internet.

  • For a VPC NAT gateway, this parameter indicates the amount of traffic from another VPC or a data center.

pkts_from_pub

  • For an Internet NAT gateway, this parameter indicates the number of packets from the Internet.

  • For a VPC NAT gateway, this parameter indicates the number of packets from another VPC or a data center.

bytes_from_vpc

The amount of traffic from the VPC.

pkts_from_vpc

The number of packets from the VPC.

start_time

The start time of the window in which the session was recorded.

end_time

The end time of the window in which the session was recorded.
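The following Python example shows how the fields above are used in practice. It is an added illustration, not code from the NAT Gateway documentation or product, and it assumes things the page does not state: that session log entries are exported from Simple Log Service as JSON objects with exactly the field names in the table, and that start_time and end_time are Unix timestamps in seconds. All records are constructed here. It does two things an incident responder needs from SNAT session logs: attribute an externally reported (nat_ip, nat_port, destination, time) back to the private source, matching on the time window because NAT ports are reused over time; and flag sources with scan-like fan-out or unusually large egress volume (bytes_from_vpc). The thresholds are arbitrary assumptions.

```python
"""Attribution and simple anomaly checks over NAT Gateway SNAT session logs."""
import json
from collections import defaultdict

NUMERIC_FIELDS = ("protocol", "pri_port", "pub_port", "nat_port",
                  "bytes_from_pub", "pkts_from_pub", "bytes_from_vpc",
                  "pkts_from_vpc", "start_time", "end_time")


def _rec(pri_ip, pri_port, pub_ip, pub_port, proto=6, nat_port=40000,
         b_vpc=1500, b_pub=3000, start=1700000000, end=1700000300):
    """Build one constructed session log record (assumed JSON export format)."""
    return json.dumps({
        "instance": "ngw-example", "vpc_id": "vpc-example", "protocol": proto,
        "pri_ip": pri_ip, "pri_port": pri_port, "pub_ip": pub_ip,
        "pub_port": pub_port, "nat_ip": "198.51.100.10", "nat_port": nat_port,
        "bytes_from_pub": b_pub, "pkts_from_pub": b_pub // 1400 + 1,
        "bytes_from_vpc": b_vpc, "pkts_from_vpc": b_vpc // 1400 + 1,
        "start_time": start, "end_time": end,
    })


# Constructed sample data (not from a real gateway): 10.0.1.5 reaches 25
# distinct hosts on TCP/445 in one window; 10.0.1.9 pushes 2 GB to a single
# destination; nat_port 42001 is used by 10.0.1.20 and later reused by
# 10.0.1.22; one ICMP session shows pri_port carrying the ICMP ID.
SAMPLE_LOGS = (
    [_rec("10.0.1.5", 50000 + i, f"203.0.113.{i + 1}", 445, nat_port=41000 + i)
     for i in range(25)]
    + [_rec("10.0.1.9", 52000, "203.0.113.200", 443, nat_port=42000,
            b_vpc=2_000_000_000, b_pub=50_000),
       _rec("10.0.1.20", 53000, "203.0.113.201", 443, nat_port=42001),
       _rec("10.0.1.22", 53001, "203.0.113.201", 443, nat_port=42001,
            start=1700000400, end=1700000700),
       _rec("10.0.1.21", 7, "203.0.113.202", 0, proto=1, nat_port=7)]
)


def parse_record(line):
    """Parse one JSON session log line and coerce numeric fields to int."""
    rec = json.loads(line)
    for key in NUMERIC_FIELDS:
        rec[key] = int(rec[key])
    return rec


def load_records(lines):
    return [parse_record(line) for line in lines]


def attribute_session(records, nat_ip, nat_port, pub_ip, ts):
    """Map an external observation (nat_ip:nat_port -> pub_ip at time ts)
    back to (pri_ip, pri_port). The time window matters: a NAT port is
    reused by different private sources over time."""
    hits = {(r["pri_ip"], r["pri_port"]) for r in records
            if r["nat_ip"] == nat_ip and r["nat_port"] == nat_port
            and r["pub_ip"] == pub_ip
            and r["start_time"] <= ts <= r["end_time"]}
    return sorted(hits)


def fan_out(records, protocol=6):
    """Distinct (pub_ip, pub_port) targets per private source for a protocol
    (IANA number; 6 = TCP). ICMP records are skipped by default because
    pri_port holds the ICMP ID there, not a port."""
    targets = defaultdict(set)
    for r in records:
        if r["protocol"] == protocol:
            targets[r["pri_ip"]].add((r["pub_ip"], r["pub_port"]))
    return {ip: len(t) for ip, t in targets.items()}


def bytes_out(records):
    """Total bytes sent from the VPC side, per private source."""
    total = defaultdict(int)
    for r in records:
        total[r["pri_ip"]] += r["bytes_from_vpc"]
    return dict(total)


def find_anomalies(records, fanout_threshold=20, bytes_threshold=1_000_000_000):
    """Return (kind, pri_ip, value) findings; thresholds are assumptions."""
    findings = []
    for ip, n in fan_out(records).items():
        if n >= fanout_threshold:
            findings.append(("fan_out", ip, n))
    for ip, b in bytes_out(records).items():
        if b >= bytes_threshold:
            findings.append(("egress_volume", ip, b))
    return sorted(findings)


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOGS)
    print(attribute_session(recs, "198.51.100.10", 42001, "203.0.113.201", 1700000500))
    for finding in find_anomalies(recs):
        print(finding)
```

Because delivery is best-effort and entries are aggregated per window, a long-lived connection can appear in several consecutive records and a missing record does not prove the session never existed; treat attribution results as evidence to corroborate with host-side logs, not as a complete ledger.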

Billing

You are not charged for using the session log feature. However, recorded SNAT sessions are stored in Simple Log Service projects and you are charged for using Simple Log Service. For more information, see Billing of Simple Log Service.

Limits

  • You cannot enable the session log feature for pay-by-specification NAT gateways (no longer available for purchase).

  • The NAT gateway and the Simple Log Service project must belong to the same region.

  • Session log does not capture DNAT sessions.

Procedure

  1. Create a project

    You must create a project for Simple Log Service. For more information, see Create a project.

  2. Create a Logstore

    A Logstore is a collection of resources in a project. All data in a Logstore is retrieved from the same source. After you create a project, you must create a Logstore. For more information, see Create a Logstore.

  3. Start a session log

    Start a session log to record SNAT sessions and deliver log entries to Simple Log Service. For more information, see Start a session log.

Start a session log

  1. Log on to the NAT Gateway console. In the top navigation bar, select the region where the NAT gateway resides.

  2. In the left-side navigation pane, click Internet NAT Gateway or VPC NAT Gateway. Find the NAT gateway and click its ID.

  3. On the details page, choose the Monitoring and Logging > Session Log tab and click Enable Session Log.


View a session log

  1. Log on to the NAT Gateway console. In the top navigation bar, select the region where the NAT gateway resides.

  2. In the left-side navigation pane, click Internet NAT Gateway or VPC NAT Gateway. Find the NAT gateway and click its ID.

  3. On the details page, choose the Monitoring and Logging > Session Log tab and click the name in the Destination Information column.

    Parameter

    Description

    Session Log Status

    After the session log is started, Enabled is displayed.

    After you start the session log, the system automatically creates the AliyunServiceRolePolicyForNatgwLogDelivery service-linked role, which grants NAT Gateway the permissions it needs to write to Simple Log Service. For more information, see AliyunServiceRolePolicyForNatgwLogDelivery.

    Delivery Status

    The delivery status of the session log. Valid values:

    • Successful: The session log is delivered to Simple Log Service.

    • Modifying: The session log is being modified or started.

    • Failed: The session log failed to be delivered to Simple Log Service. For more information, see Error codes.

    Delivery Type

    The delivery type. Only sls (Simple Log Service) is supported.

    Destination Information

    In the Destination Information column, click the Logstore link to go to the Simple Log Service console. Before you view and analyze logs, you must manually create an index for the Logstore to which the session log is delivered. For more information, see Create an index and Query and analyze logs.

Disable the session log

  1. Log on to the NAT Gateway console. In the top navigation bar, select the region where the NAT gateway resides.

  2. In the left-side navigation pane, click Internet NAT Gateway or VPC NAT Gateway. Find the NAT gateway and click its ID.

  3. On the details page, choose Monitoring and Logging > Session Log, find the session log, and then click Stop in the Actions column.


Delivery error codes

Error code

Description

ProjectNotExist

The destination project does not exist.

LogStoreNotExist

The destination Logstore does not exist.

ProjectForbidden

The project is disabled and the cause may be overdue payments.

InvalidAccessKeyId

The service-linked role was not created when the session log was started, so NAT Gateway has no valid credentials to write to Simple Log Service.

Unauthorized

The service-linked role was not created when the session log was started, so NAT Gateway is not authorized to write to the destination project.

UnavaliableTarget

Delivery to the destination is suspended for 5 minutes after one of the following error codes is returned: Unauthorized, ProjectNotExist, LogStoreNotExist, or ProjectForbidden. When new data needs to be delivered after the 5 minutes, the system performs a delivery test. If the test succeeds, delivery resumes. Otherwise, delivery is suspended for another 5 minutes.

WriteQuotaExceed

The write traffic to a project exceeds the upper limit. By default, all Logstores in a project support up to 30 GB write traffic per minute.

ShardWriteQuotaExceed

The write traffic to a shard exceeds the upper limit. If session log traffic is high and the shards in your Logstore are insufficient, split more shards. For more information, see Manage shards.