
Virtual Private Cloud: Overview of flow logs

Last Updated: Nov 14, 2024

Virtual private clouds (VPCs) provide flow logs to record inbound and outbound traffic of an elastic network interface (ENI). You can use the feature to check access control list (ACL) rules, monitor network traffic, and troubleshoot network errors.

Overview

Flow logs

You can create flow logs for specific ENIs, VPCs, or vSwitches. Flow logs for a VPC or vSwitch capture all the traffic of ENIs, including ENIs added after flow logs have been enabled.


Flow log entries

Traffic information captured by flow logs is stored in Simple Log Service as flow log entries. Each entry records the 5-tuple of a traffic flow within a specific time window, referred to as a capture window. The default window is 10 minutes, but it can be adjusted to 1 or 5 minutes. Within the capture window, the traffic information of a flow is captured and aggregated into a single flow log entry.

You can configure the traffic to be captured for specific scenarios. The available options include All Traffic, Traffic Through IPv4 Gateway, Traffic Through NAT Gateway, Traffic Through VPN Gateway, Traffic Through Transit Router, Traffic That Accesses Cloud Service Through Gateway Endpoint, and Traffic That Accesses Express Connect Circuit Through VBR.

Fields of flow log entries

The following table outlines the fields for a flow log record:

Field

Description

version

The version of the flow log.

account-id

The Alibaba Cloud account ID.

eni-id

The ENI ID.

vm-id

The ID of the Elastic Compute Service (ECS) instance associated with the ENI.

vswitch-id

The ID of the vSwitch to which the ENI belongs.

vpc-id

The ID of the VPC to which the ENI belongs.

type

The type of traffic. IPv4 traffic is supported.

protocol

The Internet Assigned Numbers Authority (IANA) protocol of the traffic.

For more information, see Internet protocol numbers.

srcaddr

The source IP address.

srcport

The source port.

dstaddr

The destination IP address.

dstport

The destination port.

direction

The traffic direction. Valid values:

  • in: inbound traffic.

  • out: outbound traffic.

action

The action that was applied to the traffic. Valid values:

  • ACCEPT: The traffic flow was allowed by security groups or ACLs.

  • REJECT: The traffic flow was rejected by security groups or ACLs.

packets

The number of data packets.

bytes

The total size of the data packets, in bytes.

start

The start time of the capture window.

end

The end time of the capture window.

tcp-flags

TCP flags and their corresponding masks:

  • SYN: 2

  • SYN, ACK: 18

  • RST: 4

  • PSH: 8

  • URG: 32

  • FIN: 1

For more information about TCP flags, including the significance of SYN, FIN, ACK, and RST, see RFC 793.

log-status

The status of flow logs:

  • OK: Data recording is running as expected.

  • NODATA: No network traffic was recorded within the capture window. This may occur in standby systems, during off-peak business hours, or due to configuration issues that prevent traffic generation.

  • SKIPDATA: Some flow log records were skipped, which often occurs in situations of elevated traffic or traffic surges. This can lead to system overload and result in missed records.

traffic_path

The sampling paths of the traffic:

  • 6 - Through a gateway endpoint to cloud services.

  • 7 - Through a NAT gateway.

  • 8 - Through a transit router.

  • 9 - Through a VPN gateway.

  • 10 - Through a virtual border router (VBR) to an Express Connect circuit.

  • 11 - Through a Cloud Enterprise Network (CEN) Basic Edition to a VPC in the same region.

  • 12 - Through a CEN Basic Edition. This excludes scenarios in 11, 18, 19, and 20, such as traffic through the CEN Basic Edition to cross-region cloud services or to Cloud Connect Network (CCN).

  • 13 - Through an IPv4 gateway to the Internet.

  • 18 - Through a CEN Basic Edition to a VPC in a different region.

  • 19 - Through a CEN Basic Edition to a VBR in the same region.

  • 20 - Through a CEN Basic Edition to a VBR in a different region.

Flow log entry examples

The format of a flow log is as follows:

<account-id> <action> <bytes> <direction> <dstaddr> <dstport> <end> <eni-id> <log-status> <packets> <protocol> <srcaddr> <srcport> <start> <tcp-flags> <traffic_path> <type> <version> <vm-id> <vpc-id> <vswitch-id>

Normally recorded, traffic accepted

In this example, the Alibaba Cloud account ID is 1210123456****** and the VPC flow log version is 1. The ENI eni-bp166tg9uk1ryf****** allowed the following outbound traffic from 17:10:20 to 17:11:20 on July 12, 2024:

The source address 172.31.16.139, port 1332, sent 10 packets (2,048 bytes in total) to the destination address 172.31.16.21, port 80, over TCP (protocol number 6). The log-status of the entry is OK, so it was recorded normally.

1210123456****** ACCEPT 2048 out 172.31.16.21 80 1720775480 eni-bp166tg9uk1ryf****** OK 10 6 172.31.16.139 1332 1720775420 22 - - 1 - vpc-bp1qf0c43jb3maz****** vsw-bp12632woke7abk******

Normally recorded, traffic denied

In this example, the Alibaba Cloud account ID is 1210123456****** and the VPC flow log version is 1. The ENI eni-bp1ftp5sm9oszt****** denied the following inbound traffic from 10:20:00 to 10:30:00 on July 15, 2024:

The source address 172.31.16.139, port 1332, sent 20 packets (4,208 bytes in total) to the destination address 172.31.16.21, port 80, over TCP (protocol number 6). The log-status of the entry is OK, so it was recorded normally.

1210123456****** REJECT 4208 in 172.31.16.21 80 1721010600 eni-bp1ftp5sm9oszt****** OK 20 6 172.31.16.139 1332 1721010000 22 - - 1 - vpc-bp1qf0c43jb3maz****** vsw-bp12632woke7abk******

No data

In this example, the Alibaba Cloud account ID is 1210123456****** and the VPC flow log version is 1. No traffic data (status NODATA) was recorded on the ENI eni-bp1j7mmp34jlve****** from 10:52:20 to 10:55:20 on July 15, 2024.

1210123456****** - - - - - 1721012120 eni-bp1j7mmp34jlve****** NODATA - - - - 1721011940 - - - 1 - vpc-bp1qf0c43jb3maz****** vsw-bp12632woke7abk******

Data skipped

In this example, the Alibaba Cloud account ID is 1210123456****** and the VPC flow log version is 1. The data record of the ENI eni-bp1dfm4xnlpruv****** was skipped (status SKIPDATA) from 16:20:30 to 16:23:30 on July 12, 2024.

1210123456****** - - - - - 1720772610 eni-bp1dfm4xnlpruv****** SKIPDATA - - - - 1720772430 - - - 1 - vpc-bp1qf0c43jb3maz****** vsw-bp12632woke7abk******
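The format line and the four example entries above, parsed by an added Python example (not Alibaba Cloud's code): it maps tokens onto the documented field order, decodes the tcp-flags bitmask, converts the capture window to UTC, and totals the bytes of REJECT flows per 5-tuple while keeping NODATA and SKIPDATA entries counted rather than dropped. The ACK mask 16 is an assumption derived from the listed value 18 for SYN, ACK and from RFC 793.

```python
# Added example (not Alibaba Cloud's code): parse VPC flow log entries in the
# space-separated format documented above and summarise rejected flows.
from datetime import datetime, timezone
# Field order exactly as in the page's format line (21 fields).
FIELDS = ("account-id action bytes direction dstaddr dstport end eni-id "
          "log-status packets protocol srcaddr srcport start tcp-flags "
          "traffic_path type version vm-id vpc-id vswitch-id").split()
# Masks from the tcp-flags description; ACK=16 is assumed from "SYN, ACK: 18" (RFC 793).
TCP_FLAG_BITS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}
INT_FIELDS = ("bytes", "packets", "srcport", "dstport", "protocol", "tcp-flags", "start", "end", "version")

def parse_entry(line: str) -> dict:
    """Map one entry onto FIELDS; '-' placeholders become None, numbers become int."""
    tokens = line.split()
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}")
    rec = {k: (None if v == "-" else v) for k, v in zip(FIELDS, tokens)}
    for k in INT_FIELDS:
        if rec[k] is not None:
            rec[k] = int(rec[k])
    return rec

def tcp_flag_names(mask: int) -> list:
    """Decode the tcp-flags bitmask, e.g. 18 -> ['SYN', 'ACK']."""
    return [name for name, bit in TCP_FLAG_BITS.items() if mask & bit]

def window_utc(rec: dict) -> tuple:
    """Capture window (start, end) as ISO-8601 UTC strings."""
    return tuple(datetime.fromtimestamp(rec[k], timezone.utc).isoformat()
                 for k in ("start", "end"))

def summarise(lines) -> tuple:
    """Return (bytes rejected per 5-tuple, entries per log-status). NODATA/SKIPDATA
    entries carry no 5-tuple; SKIPDATA is a visibility gap, so it is counted, not dropped."""
    rejected, status = {}, {}
    for line in lines:
        rec = parse_entry(line)
        status[rec["log-status"]] = status.get(rec["log-status"], 0) + 1
        if rec["log-status"] == "OK" and rec["action"] == "REJECT":
            key = (rec["srcaddr"], rec["srcport"], rec["dstaddr"], rec["dstport"], rec["protocol"])
            rejected[key] = rejected.get(key, 0) + rec["bytes"]
    return rejected, status

# Constructed input: the four example entries from this page (masked IDs kept as-is).
SAMPLE = [
    "1210123456****** ACCEPT 2048 out 172.31.16.21 80 1720775480 eni-bp166tg9uk1ryf****** OK 10 6 172.31.16.139 1332 1720775420 22 - - 1 - vpc-bp1qf0c43jb3maz****** vsw-bp12632woke7abk******",
    "1210123456****** REJECT 4208 in 172.31.16.21 80 1721010600 eni-bp1ftp5sm9oszt****** OK 20 6 172.31.16.139 1332 1721010000 22 - - 1 - vpc-bp1qf0c43jb3maz****** vsw-bp12632woke7abk******",
    "1210123456****** - - - - - 1721012120 eni-bp1j7mmp34jlve****** NODATA - - - - 1721011940 - - - 1 - vpc-bp1qf0c43jb3maz****** vsw-bp12632woke7abk******",
    "1210123456****** - - - - - 1720772610 eni-bp1dfm4xnlpruv****** SKIPDATA - - - - 1720772430 - - - 1 - vpc-bp1qf0c43jb3maz****** vsw-bp12632woke7abk******",
]
```

The UTC window of the first entry (09:10:20 to 09:11:20) matches the page's 17:10:20 to 17:11:20 in UTC+8.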

Billing

For more information about flow log billing, see Billing.

Limits

Feature limits

If you use the flow log feature for the first time, click Activate Now on the Flow Log page.

Note

When you click Activate Now, flow log instances that you have created will reappear on the flow log page.

Supported regions

Regions are grouped by area as follows:

  • Asia Pacific: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), China (Fuzhou - Local Region), Japan (Tokyo), South Korea (Seoul), Singapore, Australia (Sydney) Closing Down, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok)

  • Europe & Americas: Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia)

  • Middle East: UAE (Dubai) and SAU (Riyadh - Partner Region)

Important

The SAU (Riyadh - Partner Region) region is operated by a partner.

Limits

  • Name/ID: vpc_quota_flowlog_inst_nums_per_user

  • Description: Maximum number of flow logs that can be created by each account

  • Default value: 10

  • Adjustable: You can increase the quota by performing the following operations:

Manage flow logs

  1. Log on to the VPC console.

  2. In the left-side navigation pane, select O&M and Monitoring > Flow Log. In the top menu bar, select the region where you want to create a flow log.

You can proceed with the following operations based on your requirements:

Create or delete flow logs

Create flow logs

Note

Ensure the following prerequisites have been met before creating a flow log:

  • If you have not used this feature before, click Authorize Now and Confirm Authorization Policy. Authorization is required to import the flow log into Simple Log Service.

  • Simple Log Service has been activated on the Simple Log Service product page.

  • Resources for log collection have been created. You can specify ENIs, VPCs, or vSwitches to collect logs.

On the Flow Log page, click Create a flow log. In the Create a flow log dialog box, configure the following parameters:

  • Resource Type: Choose the resource type for which you want to collect traffic. Valid values: VPC, vSwitch, and ENI.

    Note

    When an ENI has inbound or outbound traffic, you can go to the Flow Log page and view the collected data by clicking View ENI Collection Scope in the Actions column.

  • Resource Instance: Choose the resource instance for which you want to collect traffic.

  • Data Transfer Type: Choose the type of traffic that you want to collect. Valid values: All Traffic, Allowed Traffic, and Denied Traffic.

  • IP Version: Choose the type of IP address for traffic collection. Currently, only IPv4 is supported.

  • Project: You can choose either Create Project or Select Project to store the collected traffic.

  • Logstore: You can choose either Create Logstore or Select Logstore to store the collected traffic.

  • Enable Log Analysis Report: This feature enables indexing and creates a dashboard for the Logstore, so that you can run SQL queries on the flow logs and visualize the analysis results.

    Indexing in Log Service is billed based on data usage, while dashboards are provided at no additional cost. For more information, see Billable items.

  • Sampling Interval (Minutes): Specify the sampling interval. Available intervals are 1, 5, and 10 minutes, with the default set to 10 minutes.

    Note

    After a flow log is created, you can go to the Flow Log page and select Edit under the Sampling Interval (Minutes) column to adjust the sampling interval.

  • Sampling Path: Select the sampling path for the flow log. Available paths include All Scenarios, Traffic Through IPv4 Gateway, Traffic Through NAT Gateway, Traffic Through VPN Gateway, Traffic Through Transit Router, Traffic That Accesses Cloud Service Through Gateway Endpoint, and Traffic That Accesses Express Connect Circuit Through VBR. By default, All Scenarios is selected, but you can customize the option to collect traffic from other scenarios.

Delete flow logs

Flow logs in the Started or Not Started states can be deleted. The collected traffic remains accessible through the Log Management Console even after a flow log is deleted.

  1. Go to the Flow Log page, locate the flow log that you want to delete, and click Delete in the Actions column.

  2. In the Delete Flow Log dialog box, click OK to confirm the deletion.

Analyze flow logs

By analyzing flow logs, you can check access control rules, monitor network traffic, and troubleshoot network issues.

Use Logstore

  1. On the Flow Log page, click the Logstore link in the Simple Log Service column.

  2. In the Log Management Console, select Search & Analysis to analyze the flow logs using the features available in the console.

Use Flow Log Center

  1. Log on to the Log Service Console.

  2. In the Log Application section, click View More Log Applications. In the Log Application dialog box, select Flow Log Center.

  3. On the Flow Log Management page, click Add. In the Create Instance panel, select the project and Logstore you configured when creating the flow log.

  4. After the instance is created, click the instance ID in the Flow Log Center. On the Flow Log Details page, you can view and analyze the data.


    You can find various dashboards and customize queries in the Monitoring Center.

    • Overview: Displays the status of flow logs.

    • Policy Statistics: Shows trends for accepted and rejected traffic and 5-tuple details of accepts and rejects, which include the source CIDR block, source port, protocol type, destination CIDR block, and destination port.

      • Accept: Traffic permitted by security groups or ACLs.

      • Reject: Traffic blocked by security groups or ACLs.

    • ENI Traffic: Displays inbound and outbound traffic details for ENIs.

    • Inter-ECS Traffic: Illustrates the traffic flow between ECS instances.

    • Custom Query: Allows you to query and analyze logs.

  5. On the Flow Log Details page, click CIDR Block Settings and enable the Inter-Domain Analysis.

    When you enable the inter-domain analysis feature, the system automatically creates data transformation tasks, and generates VPC flow logs with CIDR block information for you to analyze the traffic between CIDR blocks. As the data transformation feature incurs additional charges, decide whether to enable inter-domain analysis based on your needs.

    Simple Log Service provides a set of predefined CIDR blocks, so you can enable the inter-domain analysis feature when necessary. If the predefined CIDR blocks do not meet your needs, you can add custom CIDR blocks.

    Inter-Domain Analysis provides the following dashboards and custom query capabilities:

    • Inter-domain Traffic: Shows traffic patterns between different CIDR blocks.

    • ECS-to-Domain Traffic: Displays traffic from ECS instances to various destination CIDR blocks.

    • Threat Intelligence: Provides threat intelligence information for source and destination IP addresses.

    • Custom Query: Allows you to query and analyze VPC flow logs.

Start or stop flow logs

Start flow logs

You can start flow logs that are currently in the Not Started state. Flow logs will start gathering traffic information from an ENI only after they are turned on.

On the Flow Log page, find the flow log that you want to start. In the Actions column, click Start. This changes the status of the flow log to Started.

Stop flow logs

To stop collecting the traffic information from an ENI, you can turn off a flow log. This action will not delete the flow log. To resume traffic data collection, you can restart the flow log that is in the Not Started state.

On the Flow Log page, find the flow log you want to stop. In the Actions column, click Stop. This changes the status of the flow log to Not Started.

References

You can also manage flow logs by using the SDK, Terraform, or ROS. For more information, see the following documents: