Flow log-Cloud Enterprise Network(CEN)-阿里云帮助中心

How it works

Flow logs capture network traffic information outside the data path without affecting network performance. The workflow is as follows:

Traffic capture: Monitors IP traffic that flows through a specified resource, such as a VPC connection, an inter-region connection, or an entire transit router instance.
Data aggregation: Within a preset aggregation interval (1 minute or 10 minutes), the system aggregates packet information based on the traffic's five-tuple (source/destination IP address, source/destination port, and protocol) and counts the total bytes and packets.
Log delivery: After the aggregation interval ends, the system delivers the aggregated traffic statistics as a log record to the specified NIS Traffic Analyzer or Simple Log Service.
Analysis and query: Query or analyze the flow logs in the NIS or SLS console.

For example, if you deliver logs to SLS, you can view detailed traffic information for each network instance connection, analyze traffic that does not match any routes, and analyze traffic that matches a blackhole route.

Delivery destinations

Recommendations:
- For quick analysis, we recommend that you deliver logs to NIS Traffic Analyzer.
- For in-depth analysis scenarios, such as custom SQL queries, custom reports, and raw log queries, we recommend that you deliver logs to Simple Log Service.

Comparison:

Item	NIS Traffic Analyzer	Simple Log Service
Technical expertise	Low, featuring simple operations, a user-friendly interface, and a fast learning curve.	High (requires familiarity with SQL queries)
Flexibility	Limited. Analysis is restricted to a pre-built interface.	High. Allows for custom analysis by using SQL statements.
Custom reports	Not supported	Supported. You can create custom charts from query results.
Cost	NIS charges processing and storage fees for flow logs.	SLS charges for data writes, storage, and other items.

Capture direction

The capture direction of traffic information varies based on the resource:

Inter-region connection: Only outbound traffic from the current transit router is captured (the direction field is out). To capture bidirectional traffic, you must also enable the flow log for the inter-region connection on the peer transit router.
VPC, VPN, ECR, and VBR connections: Both inbound (the direction field is in) and outbound (the direction field is out) traffic are captured.
TR: Captures traffic of all network instance connections created on the transit router. The capture direction follows the preceding rules.

Fields

Flow logs capture traffic on a best-effort basis, so some fields in a log record may be empty. A field might be empty if the resource does not support it, or if the traffic does not contain the corresponding information.

Fields

Fields for flow log version 3 are supported from November 2024. If your flow logs do not have the required fields, delete your current flow log instance and create a new one.

Field	Description	Version
account-id	The Alibaba Cloud account ID of the Cloud Enterprise Network (CEN) instance.	2
attachment-id	The ID of the network instance connection.	2
bytes	The number of bytes.	2
cen-id	The ID of the CEN instance.	2
direction	The direction of the traffic. in: The traffic flows into the transit router. out: The traffic flows out of the transit router.	2
dscp	The Differentiated Services Code Point (DSCP) value of the packet. When a flow log captures traffic of an inter-region connection, this field records the DSCP value that is modified by the traffic marking policy.	3
dst-region-id	The ID of the region where the network instance connection is deployed. When traffic of an inter-region connection is captured, this field indicates the ID of the region where the destination transit router is deployed.	2
dstaddr	The destination IP address.	2
dstport	The destination port.	2
end	The timestamp that indicates when the aggregation interval ends. The value is a UNIX timestamp. It represents the total number of seconds that have elapsed from 00:00:00 UTC on January 1, 1970 to the end of the current aggregation interval.	2
flowlog-resource-type	The type of resource for which the flow log is enabled. Valid values: TransitRouterAttachment: a network instance connection. TransitRouter: a transit router instance.	3
packets	The number of packets.	2
packets-lost-blackhole	The number of packets dropped because they matched a blackhole route.	3
packets-lost-mtu-exceeded	The number of packets dropped because the MTU was exceeded.	3
packets-lost-no-route	The number of packets dropped because no matching route was found.	3
packets-lost-ttl-expired	The number of packets dropped because the TTL expired. Note This type of packet drop typically indicates a network loop.	3
protocol	The protocol of the packets.	2
src-region-id	The ID of the region where the network instance connection is deployed. When traffic of an inter-region connection is captured, this field indicates the ID of the region where the source transit router is deployed.	2
srcaddr	The source IP address.	2
srcport	The source port.	2
start	The timestamp that indicates when the aggregation interval starts. The value is a UNIX timestamp. It represents the total number of seconds that have elapsed from 00:00:00 UTC on January 1, 1970 to the start of the current aggregation interval.	2
tr-dst-az-id	The ID of the availability zone where the Elastic Network Interface (ENI) of the destination transit router is located. This field is recorded only when traffic to a VPC instance in the same region is captured.	3
tr-dst-eni	The ID of the ENI of the destination transit router. This field is recorded only when traffic to a VPC instance in the same region is captured.	3
tr-dst-resource-account-id	The Alibaba Cloud account ID of the destination network instance.	3
tr-dst-resource-id	The ID of the destination network instance. If the destination resource of the traffic is in a different region than the current transit router, this field records the ID of the peer transit router instance.	3
tr-dst-vsw-id	The ID of the vSwitch to which the ENI of the destination transit router belongs. This field is recorded only when traffic to a VPC instance in the same region is captured.	3
tr-id	The ID of the transit router instance to which the flow log belongs.	3
tr-pair-attachment-id	The ID of the inbound or outbound network instance connection, depending on the traffic direction: If the traffic direction is `in`, this field records the ID of the outbound network instance connection. If the traffic direction is `out`, this field records the ID of the inbound network instance connection. When a flow log captures traffic of a VPC, VPN, ECR, or VBR connection, this field is empty if the traffic is inter-region traffic. Note This field is also empty when the captured traffic is dropped. If dropped traffic is captured, the value of the `packets-lost-blackhole`, `packets-lost-mtu-exceeded`, `packets-lost-no-route`, or `packets-lost-ttl-expired` field is greater than 0.	3
tr-src-az-id	The ID of the availability zone where the ENI of the source transit router is located. This field is recorded only when traffic from a VPC instance in the same region is captured.	3
tr-src-eni	The ID of the ENI of the source transit router. This field is recorded only when traffic from a VPC instance in the same region is captured.	3
tr-src-resource-account-id	The Alibaba Cloud account ID of the source network instance.	3
tr-src-resource-id	The ID of the source network instance.	3
tr-src-vsw-id	The ID of the vSwitch to which the ENI of the source transit router belongs. This field is recorded only when traffic from a VPC instance in the same region is captured.	3
type	The traffic type. Valid values: v4: IPv4 traffic. v6: IPv6 traffic.	3
version	The version of the flow log.	3

Limitations

Only Enterprise Edition transit routers support flow logs. If you are using a Basic Edition transit router, you must first upgrade it.
Flow logs do not support capturing multicast traffic.
To prevent TCP scan attacks from generating excessive logs, flow logs do not record TCP connections consisting only of connection establishment, reset, or termination packets.

For example, a connection is not logged if the three-way handshake is not completed or if a client's connection request is reset by a firewall.
Existing flow logs cannot be automatically upgraded. To use fields from a newer version, you must delete the existing flow log and create a new one. New instances automatically use the latest version and are backward-compatible. You can check the version of a flow log in the Cloud Enterprise Network console.

Create a flow log

Console

Go to the Cloud Enterprise Network console. On the details page of the target transit router, click the Flow Logs tab.
Click Create Flow Log. In the Create Flow Log dialog box, configure the following parameters:
1. Collection Configuration:
  - Instance: Select the target resource to monitor. The capture direction varies based on the resource type.
  - Sampling Interval: The length of the aggregation interval for collecting traffic information. You can select 1 minute or 10 minutes. A shorter interval provides more timely data, which helps you detect and resolve issues faster. A longer interval reduces log entries and saves costs, but it also increases data latency.
    
    Important
    If you choose to deliver logs to NIS Traffic Analyzer, the sampling interval of the flow log must be less than or equal to the sampling interval of the target traffic analyzer. Otherwise, the delivery fails.
2. Analysis and Delivery:
  - Select Mode: Select one or more delivery destinations. You must select at least one.
    - Enable NIS Traffic Analysis: You must Select NIS Traffic Analyzer.
      
      Only some regions support delivering TR flow logs to NIS Traffic Analyzer.
    - Deliver to Simple Log Service: Select a target Log Service Project and Log Service Logstore. You can also create new ones on the fly.
  - Log Format: Select the fields to record in the flow log.
    - Default Format: Uses the fields selected by the system by default.
    - Custom Format: Customize the fields to record. This format supports more fields than the default format. Selecting fewer fields can simplify log information and reduce costs. The srcaddr, dstaddr, and bytes fields are required.
      
      After you select a log format, the system automatically generates the format as a string in the text box below. Click Copy Selected Formats to create multiple flow logs with the same format by using the API.

API

Call the CreateFlowlog operation to create a flow log.

Analyze flow logs

After a flow log is created, it is in the Active state by default. You can start to analyze the logs:

Analyze flow logs in NIS Traffic Analyzer

In the NIS Traffic Analyzer column of the target flow log instance, click the traffic analyzer ID to go to the NIS console for query and analysis.
Analyze flow logs in Simple Log Service

After a flow log is created, Simple Log Service requires several minutes to initialize before it begins recording traffic information. In the Log Service column of the target flow log instance, click the Project and Logstore names to go to the SLS console to query and analyze the logs. For more information about how to analyze logs, see the following topics:
- Tutorial: Query top inter-region traffic by using flow logs.
- Operation guide: Quick start for SLS query and analysis.

Manage flow logs

Console

Modify a flow log:
- Modify the sampling interval of a flow log: In the Sampling Interval (Minutes) column of the target flow log, click Modify.
- Modify the delivery destination of a flow log: You cannot modify the delivery destination directly. Instead, click Modify Delivery Configuration in the Actions column. This process replaces the original flow log with a new one that has the updated settings.
Stop a flow log: After you stop a flow log, the system stops delivering logs to NIS or SLS.

In the Actions column of the target flow log, click Stop. You can click Start later to restart it.
Delete a flow log: Deleting a flow log removes only the collection task. Traffic information that has already been delivered to NIS or SLS and is within the storage period is not deleted. Before deleting a flow log, ensure that its data source has been removed from the NIS Traffic Analyzer.

In the Actions column of the target flow log, click Delete.

API

Modify a flow log:
- To modify the sampling interval of a flow log, call the ModifyFlowLogAttribute operation.
- To modify the delivery destination of a flow log, you must delete the existing flow log and create a new one. You cannot directly modify the destination.
Stop a flow log: Call the DeactiveFlowLog operation to stop a flow log. You can later call the ActiveFlowLog operation to restart it.
Delete a flow log: Call the DeleteFlowlog operation to delete a flow log.

Billing

TR flow logs incur two types of fees:

Network log extraction fee: This fee is for collecting flow logs by the transit router. This fee is currently waived. You will be notified before it is officially charged.
Destination service fees: The destination service begins to charge fees after flow logs are delivered.
- NIS Traffic Analyzer: Fees are charged by NIS after flow logs are delivered to an NIS Traffic Analyzer. These include processing and storage fees.
- Simple Log Service: Fees are charged by SLS after flow logs are delivered to SLS. These include fees for data writes and storage.
  
  SLS offers two billing methods: pay-by-data-written and pay-by-feature. When you create a flow log in the Cloud Enterprise Network console and choose to create a new Logstore, the pay-by-feature method is used by default.

Supported regions

Regions that support delivering TR flow logs to NIS Traffic Analyzer:

China (Hangzhou), China (Shanghai), China (Shenzhen), China (Guangzhou), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Chengdu), Singapore, China (Hong Kong), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Japan (Tokyo), South Korea (Seoul), Thailand (Bangkok), Germany (Frankfurt), UK (London), US (Virginia), and US (Silicon Valley).
Regions that support delivering TR flow logs to Simple Log Service:

All regions that support the creation of Enterprise Edition TRs.

Best practices

Balance cost and granularity: During initial deployment or troubleshooting, use a 1 minute sampling interval to obtain fine-grained data. For routine monitoring, you can use a 10 minute interval to reduce log volume and costs.
Use granular monitoring: Create separate flow logs for VPC connections that carry critical business traffic instead of enabling logging for the entire TR instance. This reduces unnecessary log data and lowers costs.
Choose a single destination: To reduce costs, select either NIS or SLS as the destination, but not both.

FAQ

Why is the "Flow Logs" tab missing?

This feature is available only for Enterprise Edition transit routers. First, confirm the edition of your transit router. If it is a Basic Edition, you must upgrade it to the Enterprise Edition to use this feature.

Why is there no data in SLS?

Follow these steps to troubleshoot the issue:

Check the flow log status: Make sure the flow log instance is in the Active state.
Wait for initialization: A newly created flow log needs a few minutes to initialize before it can start recording data.
Confirm network traffic: Verify that IP traffic is passing through the monitored resource. Logs are not generated if there is no traffic.
Check the query time range: In the Simple Log Service console, ensure that you have selected the correct time range for your query and consider that log delivery may have a delay of several minutes.

How to upgrade a flow log?

You cannot directly upgrade an existing flow log. To use the latest fields, you must delete the existing instance and create a new one. The new instance will automatically use the latest version and include all fields.