VPC flow logs


VPC flow logs capture inbound and outbound traffic for elastic network interfaces (ENIs), allowing you to monitor network performance, troubleshoot network issues, and optimize traffic costs.

How it works


You can create flow logs to capture traffic at three levels: an ENI, a vSwitch, or a VPC. If you create a flow log for a VPC or vSwitch, the system captures traffic from all ENIs in that VPC or vSwitch, including ENIs that are created after the flow log.

During each capture window (10 minutes by default), the system aggregates traffic into flow log records and sends them to Log Service (SLS).

Each flow log record captures a specific 5-tuple network flow within a capture window. The record includes information such as the source and destination IP addresses and ports, the protocol, and more. For example:

eni-id    direction  srcaddr   srcport  protocol  dstaddr   dstport  ...
eni-xxx   in         10.0.0.1  53870    6         10.0.0.2  80       ...
eni-xxx   out        10.0.0.2  80       6         10.0.0.1  53870    ...

For a description of all fields, see Flow log fields.

To reduce costs, you can capture traffic from only the following network paths:

  • Traffic to the Internet through an IPv4 gateway

  • Traffic through a NAT Gateway

  • Traffic through a VPN Gateway

  • Traffic through a transit router (TR)

  • Traffic to cloud services through a gateway endpoint

  • Traffic to Express Connect through a virtual border router (VBR)

  • Traffic through an Express Connect Router (ECR)

  • Traffic through a Gateway Load Balancer endpoint

  • Traffic to the Internet

    Capturing traffic from a public-facing Classic Load Balancer (CLB) to the Internet is not supported.

Use cases for flow logs:

  • Network monitoring: Understand VPC throughput and performance, analyze traffic and trends for resources in a VPC, troubleshoot network issues, and verify that security group or network ACL rules are applied correctly.

  • Optimizing network traffic costs: Analyze network traffic with flow logs to reduce data transfer costs. For example, you can identify traffic from your VPC to other regions, specific public IP addresses, an on-premises data center, or other cloud networks. You can also pinpoint ECS instances that generate high volumes of traffic.

  • Network security analysis: During a security incident, analyze ingress and egress traffic to identify anomalous IP addresses or investigate access patterns from suspicious sources.

Limits

  • To use the flow log feature for the first time, you must:

    • On the Flow Log page, click Activate Now. If you created flow log instances during the public preview period, you must also click Activate Now to view and manage these instances.

    • On the Flow Log page, click Authorize Now, and then click Authorize. This action automatically creates a RAM role named AliyunVPCLogArchiveRole and a RAM policy named AliyunVPCLogArchiveRolePolicy. By default, VPC uses this role and policy to access Simple Log Service and write flow logs to it.

    • Activate Simple Log Service on the Simple Log Service product page.

  • After you enable flow logs, the first traffic capture from a new elastic network interface may be delayed by up to 10 minutes.

  • Flow logs do not capture multicast traffic.

Manage flow logs

Console

Create a flow log

Go to the flow log page in the VPC console and click Create a flow log. In the Create a flow log panel, configure the following parameters:

  1. Collection Configuration:

    1. Region: Select the region of the resource to monitor.

    2. Resource Type and Resource Instance: Set the collection granularity to VPC, vSwitch, or ENI. If you select a VPC or vSwitch, the system monitors the traffic of all ENIs within the selected resource.

    3. Data Transfer Type: Select the type of traffic to capture: traffic that is allowed or rejected by access control rules, such as security group and network ACL rules.

    4. IP Version: Select IPv4 to capture only IPv4 traffic, or select Dual-stack to capture both IPv4 and IPv6 traffic. The following regions support IPv6: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Hohhot), China (Shenzhen), Singapore, US (Silicon Valley), and US (Virginia).

    5. Sampling Interval (Minutes): The capture window for aggregating traffic information. You can set the interval to 1, 5, or 10 minutes. A shorter interval generates flow logs more frequently, which helps you identify and troubleshoot issues faster. A longer interval provides less timely data but reduces the number of log entries and helps save costs.

      For example, for a TCP session that maintains a persistent connection, a 1-minute window produces 60 log entries per hour, while a 10-minute window produces only 6.

      If multiple flow log instances in a VPC collect traffic from the same ENI, the shortest sampling interval among all instances becomes the actual capture period.

    6. Sampling Path: You can select specific collection scenarios to reduce usage costs. Before you make a selection, you must deselect the default All Scenarios option.

      You can select traffic that passes through the following components: IPv4 gateways, NAT Gateway, VPN Gateway, Transit Router (TR), gateway endpoints, virtual border router (VBR), Express Connect Router (ECR), Gateway Load Balancer (GWLB) endpoints, and traffic to the internet.

  2. Analysis and Delivery: You can deliver logs to Simple Log Service (SLS) and NIS Traffic Analyzer. Delivery to Simple Log Service (SLS) can be configured only when you create the flow log. This option cannot be re-enabled after it is disabled.

    • Deliver to Log Service:

      • Select a Project and a Logstore: When you create a flow log for the first time, we recommend that you Create Project and Create Logstore to keep the log data isolated. If you need to consolidate multiple flow logs for centralized analysis, select the same Logstore.

      • Enable Log Analysis Report: We recommend that you select this option. This feature automatically creates an index and creates a dashboard for the Logstore that contains your flow logs. This allows you to perform SQL queries and visual analysis on your flow logs. After this feature is enabled, Simple Log Service (SLS) incurs charges.

    • Enable NIS Traffic Analysis: Select an NIS Traffic Analyzer to perform traffic analysis. If the list is empty, you must first Create NIS Traffic Analyzer. The sampling interval of the traffic analyzer must be greater than that of the flow log.

      Regions that support connecting VPC flow logs to an NIS Traffic Analyzer.

  3. After you create the flow log, traffic information collection starts automatically. You can then analyze flow logs.

Start or stop a flow log

Go to the flow log page in the VPC console. Find the target flow log and click Start or Stop in the Actions column.

After you stop a flow log, you will no longer be charged for flow log generation. However, Simple Log Service (SLS) continues to incur charges for the stored flow logs.

Delete a flow log

Go to the flow log page in the VPC console. Find the target flow log and click Delete in the Actions column.

After you delete a flow log, you will no longer be charged for flow log generation. However, Simple Log Service (SLS) continues to incur charges for the stored flow logs. To stop all charges, you must go to the Simple Log Service console and delete the corresponding Logstore.

API

Before you create a flow log, ensure you have enabled the flow log feature and created a Project and a Logstore in Simple Log Service (SLS):

After you meet these prerequisites, you can perform the following operations:

Terraform

Resources: alicloud_log_project, alicloud_log_store, alicloud_vpc_flow_log

# Specify the region where you want to create the flow log.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Specify the description for the Project, and the names for the Logstore and flow log.
variable "name" {
  default = "vpc-flowlog-example"
}

# Generate a random string for the project name.
resource "random_uuid" "example" {
}

# Create a Simple Log Service (SLS) Project.
resource "alicloud_log_project" "example" {
  project_name = substr("tf-example-${replace(random_uuid.example.result, "-", "")}", 0, 16)
  description  = var.name
}

# Create a Simple Log Service (SLS) Logstore.
resource "alicloud_log_store" "example" {
  project_name          = alicloud_log_project.example.project_name
  logstore_name         = var.name
  shard_count           = 3
  auto_split            = true
  max_split_shard_count = 60
  append_meta           = true
}

# Create a VPC flow log.
resource "alicloud_vpc_flow_log" "example" {
  flow_log_name        = var.name
  log_store_name       = alicloud_log_store.example.logstore_name
  description          = var.name
  traffic_path         = ["all"] # Capture traffic from all scenarios.
  project_name         = alicloud_log_project.example.project_name
  resource_type        = "VPC" # The resource type is VPC.
  resource_id          = "vpc-bp1ekmgzch0bo3hxXXXXXX" # The ID of the VPC.
  aggregation_interval = "1" # The capture window is 1 minute.
  traffic_type         = "All" # Capture all traffic, regardless of whether it is allowed or rejected by access control rules.
}

Analyze flow logs

Analyzing flow logs helps you monitor network performance, troubleshoot network issues, optimize traffic costs, and analyze network security.

Console

Custom analysis: Logstore

Go to the Flow Log page in the VPC console. In the Simple Log Service column of the target flow log, click the Logstore instance name to open the Logstore details page, where you can query and analyze the raw flow logs.

The Logstore query interface provides three tabs: Raw Logs, Graph, and Log Clustering. You can set a time range for your query. The interface displays a time-series chart of the log volume at the top and a table of query results with fields such as srcaddr, dstaddr, and protocol at the bottom.

Template-based analysis: Flow Log Center

The Flow Log Center provides visualization templates for policy statistics for VPCs, traffic statistics for ENIs, and traffic statistics between CIDR blocks. This helps you quickly analyze VPC flow logs.

  1. Go to the Flow Log Center page and click Add in the upper-right corner.

  2. In the Create Instance panel, enter an Instance Name, select the project and Logstore that contain the existing flow log, and click OK.

  3. After the instance is created successfully, click the instance ID in the Flow Log Center. On the Flow Log Details page, you can view and analyze the flow log information.

    The Monitoring Center provides the following dashboards and custom query features:

    • Overview: Displays trends for accepted and rejected flow logs, inbound and outbound traffic trends, the total number of packets and bytes for each VPC and ENI, and the geographical distribution of source and destination IP addresses.

    • Policy Statistics: Displays accept and reject trends, accept and reject counts based on the 5-tuple, and more. A 5-tuple consists of a source IP address, source port, protocol, destination IP address, and destination port.

      • Accept: Traffic that is allowed by security groups and network ACLs.

      • Reject: Traffic that is rejected by security groups and network ACLs.

    • ENI Traffic: Displays inbound and outbound traffic for ENIs.

    • Inter-ECS Traffic: Displays traffic between ECS instances.

    • Custom Query: For more information, see Query and analysis quick start.

  4. Enable inter-domain analysis (Optional): On the Flow Log Details page, click CIDR Block Settings. On the CIDR Block Settings tab, turn on the Inter-Domain Analysis switch.

    Enabling the Inter-Domain Analysis feature automatically creates a data transformation task. This task adds CIDR block information to your VPC flow logs, allowing you to analyze traffic between different CIDR blocks. The data transformation feature incurs charges.

    Log Service provides multiple predefined CIDR blocks. To analyze traffic between different CIDR blocks, you can enable the Inter-Domain Analysis feature with one click. You can also add custom CIDR blocks.

    By default, three types of CIDR blocks are predefined: private network (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, which are modifiable), some Alibaba Cloud services (100.64.0.0/10), and the internet (all other CIDR blocks). You can edit or delete each type of CIDR block.

    The Inter-domain Analysis feature provides the following dashboards and custom query features:

    • Inter-domain Traffic: Displays traffic between different CIDR blocks.

    • ECS-to-Domain Traffic: Displays traffic from ECS instances to destination CIDR blocks.

    • Threat Intelligence: Displays threat intelligence about source and destination IP addresses.

    • Custom Query: Enables you to query and analyze VPC flow logs that contain CIDR block information.

API

Call GetLogsV2 to query and analyze flow logs.

Use cases

This topic provides four typical use cases for flow logs.

Analyze internet source IPs


Assume you have a web server that listens on port 80 and is accessible from the internet. Access to the server is restricted by a security group based on source IP addresses.

In this case, you can create a flow log to query the source IP addresses that access port 80 and count the requests that are allowed or rejected by the security group.

  1. Create a flow log

    • For Resource Instance, select the ENI of the web server.

    • For Data Transfer Type, select All Traffic.

    • For Delivery Configuration, select Deliver to Log Service and Enable Log Analysis Report.

    • Keep the default settings for the other options.

  2. Analyze the flow log

    1. Query statement

      Run the following query to filter for source IP addresses that access port 80 of 10.0.0.1. The query also shows the number of times the security group allowed or rejected each IP address:

      dstaddr:10.0.0.1 AND dstport:80 | SELECT -- Filter for logs where the destination IP address is 10.0.0.1 and the destination port is 80.
      srcaddr,
      SUM(CASE WHEN action = 'ACCEPT' THEN 1 ELSE 0 END) AS accept_count, -- Count 1 for each ACCEPT (allowed) action.
      SUM(CASE WHEN action = 'REJECT' THEN 1 ELSE 0 END) AS reject_count -- Count 1 for each REJECT (rejected) action.
      FROM log
      GROUP BY srcaddr -- Group by source IP address.
      ORDER BY accept_count + reject_count DESC -- Sort the results in descending order by the total number of allowed and rejected requests.

    2. Preview

      The srcaddr column displays the source IPs that accessed port 80, and the accept_count and reject_count columns respectively count the number of flow log entries from each source IP that were allowed and rejected by the security group within the query time range:

      • Five source IP addresses accessed port 80: 120.26.XX.XX, 121.43.XX.XX, 154.212.XX.XX, 176.65.XX.XX, and 198.235.XX.XX.

      • All requests from 120.26.XX.XX were allowed, while all requests from the other public IP addresses were rejected.

Analyze ECS traffic

Intra-VPC traffic

  Description

  Assume you have deployed three ECS instances in one VPC and there is traffic between the instances. You can use flow logs to analyze the rate and trends of traffic between the ECS instances.

  Flow log configuration

    • For Resource Instance, select the ENI of ECS1.

    • For Analysis and Delivery, select Deliver to Log Service and Enable Log Analysis Report.

    • Keep the default settings for the other options.

  Query statement

  To query the traffic rate trends between ECS1 and other ECS instances, run the following query:

    (srcaddr:10.0.0.1 AND dstaddr:10.0.0.*) OR (srcaddr:10.0.0.* AND dstaddr:10.0.0.1) | select -- Filter for traffic between ECS1 and other ECS instances.
    date_format(from_unixtime(__time__ - __time__ % 60), '%H:%i:%S') as time, -- Convert the UNIX timestamp to a readable time format.
    concat(srcaddr, '->', dstaddr) as src_to_dst, -- Concatenate the source and destination IP addresses into a session pair with the format 'source_ip->destination_ip'.
    sum(bytes*8/60) as bandwidth -- Convert bytes to bits and divide by the capture window of 1 minute to get the rate in bit/s.
    group by time, srcaddr, dstaddr -- Group by time, source IP, and destination IP.
    order by time asc -- Sort by time in ascending order.
    limit 100 -- Display the first 100 results.

  Preview

  On the Query and Analysis Results page, select the Statistical Chart tab and set the chart type to Area Chart. Set the x-axis field to time, the y-axis field to bandwidth, and the aggregation column to src_to_dst. For the format unit, select bps,Kbps,Mbps(bit).

  The traffic rate from 10.0.0.1 to 10.0.0.2 is the highest, at approximately 1.4 Mbps. The traffic rate from 10.0.0.1 to 10.0.0.3 is the second highest, at approximately 700 Kbps. Other traffic accounts for a small proportion.

Inter-VPC traffic

  Description

  Assume you have two VPCs in different regions and each VPC contains multiple ECS instances. The two VPCs are connected using a peering connection. The peering connection uses pay-as-you-go Cloud Data Transfer (CDT) billing.

  You notice a recent surge in cross-region traffic costs. In this case, use flow logs to identify the ECS instances that generate high volumes of traffic and optimize your traffic costs.

  Flow log configuration

    • For Resource Instance, select the VPC VPC1.

    • For Analysis and Delivery, select Deliver to Log Service and Enable Log Analysis Report.

    • Keep the default settings for the other options.

  Query statement

  To query the session traffic rate trends between the two VPCs, run the following query:

    (srcaddr:10.0.* AND dstaddr:172.16.*) OR (srcaddr:172.16.* AND dstaddr:10.0.*) | select -- Filter for sessions between the two VPCs.
    date_format(from_unixtime(__time__ - __time__ % 60), '%H:%i:%S') as time, -- Convert the UNIX timestamp to a readable time format.
    concat(srcaddr, '->', dstaddr) as src_to_dst, -- Concatenate the source and destination IP addresses into a session pair with the format 'source_ip->destination_ip'.
    sum(bytes*8/60) as bandwidth -- Convert bytes to bits and divide by the capture window of 1 minute to get the rate in bit/s.
    group by time, srcaddr, dstaddr -- Group by time, source IP, and destination IP.
    order by time asc -- Sort by time in ascending order.
    limit 100 -- Display the first 100 results.

  Preview

  The visualization configuration for the query results is the same as for intra-VPC traffic: select the Area Chart type and set the aggregation column to src_to_dst.

  The results show a traffic spike of approximately 6 Mbps from 10.0.0.1 to 172.16.0.1.

Analyze NAT gateway traffic


Assume you have multiple ECS instances in a region. All instances are deployed in the same vSwitch and access the internet using SNAT on an Internet NAT Gateway.

You recently noticed a sudden increase in outbound traffic from the NAT gateway, which causes slow server responses. Use flow logs to identify the ECS instances that generate a high proportion of the traffic.

  1. Create a flow log

    • For Resource Instance, select the vSwitch2 where the Internet NAT Gateway is located.

    • For Delivery Configuration, select Deliver to Log Service and Enable Log Analysis Report.

    • Keep the default settings for the other options.

  2. Methods for filtering specific traffic paths

    To filter traffic on a specific path in this scenario, you specify different conditions in the query statement:

    1. Traffic from an ECS instance to the NAT gateway: direction is in, and srcaddr is the private IP address of the ECS instance.

    2. Traffic from the NAT gateway to the internet: direction is out, and srcaddr is the private IP address of the NAT gateway.

    3. Traffic from the internet to the NAT gateway: direction is in, and dstaddr is the private IP address of the NAT gateway.

    4. Traffic from the NAT gateway to the ECS instance: direction is out, and dstaddr is the private IP address of the ECS instance.

  3. Analyze the flow log

    1. Query statement

      On the path from an ECS instance to the NAT gateway, analyze traffic to a specific public IP address:

      direction: 'in' and srcaddr: 10.0.0.* and dstaddr: 120.26.XX.XX | select -- Filter for logs of ECS instances accessing a specific public IP address.
      date_format(from_unixtime(__time__ - __time__% 60), '%H:%i:%S') as time, srcaddr,  -- Convert the UNIX timestamp to a readable time format.
      sum(bytes*8/60) as bandwidth  -- Convert bytes to bits and divide by the capture window of 1 minute to get the rate in bit/s.
      group by time,srcaddr -- Group by time and source IP address.
      order by time asc  -- Sort by time in ascending order.
      limit 100 -- Display the first 100 results.

      Other common queries

      • On the path from the NAT gateway to an ECS instance, filter inbound traffic from a specific public IP address to all ECS instances:

        direction: 'out' and dstaddr: 10.0.0.* and srcaddr: 120.26.XX.XX | select -- Filter for logs of a specific public IP address accessing ECS instances.
        date_format(from_unixtime(__time__ - __time__% 60), '%H:%i:%S') as time,   -- Convert the UNIX timestamp to a readable time format.
        dstaddr,
        sum(bytes*8/60) as bandwidth  -- Convert bytes to bits and divide by the capture window of 1 minute to get the rate in bit/s.
        group by time,dstaddr -- Group by time and destination IP address.
        order by time asc  -- Sort by time in ascending order.
        limit 100 -- Display the first 100 results.

      • On the path from an ECS instance to the NAT gateway, filter outbound traffic from ECS instances to all public IP addresses:

        direction: 'in' and srcaddr: 10.0.0.*  | select -- Filter for logs of ECS instances accessing all public IP addresses.
        date_format(from_unixtime(__time__ - __time__% 60), '%H:%i:%S') as time,  -- Convert the UNIX timestamp to a readable time format.
        concat(srcaddr,'->', dstaddr), -- Concatenate the source and destination IP addresses into a session pair with the format 'source_ip->destination_ip'.
        sum(bytes*8/60) as bandwidth  -- Convert bytes to bits and divide by the capture window of 1 minute to get the rate in bit/s.
        group by time,srcaddr,dstaddr -- Group by time, source IP, and destination IP.
        order by time asc  -- Sort by time in ascending order.
        limit 100 -- Display the first 100 results.

    2. Preview

      The way to visualize the query results is similar to that in Scenario 2: select the area chart type, and set the aggregation column to srcaddr.

      On the path to the NAT gateway, the traffic from 10.0.0.1 (ECS1) to the public IP address 120.26.XX.XX is the highest, at approximately 12 Kbps.
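The four filter rules in step 2 and the per-minute rate aggregation in step 3, carried out in Python over constructed records, as an added example (not code from the page or from Alibaba Cloud). The vSwitch CIDR 10.0.0.0/24, the NAT gateway private IP 10.0.0.254 and the public address 120.26.0.0 are assumptions, and the extra check that the other end of an ECS-to-NAT or NAT-to-ECS leg lies outside the ECS CIDR is added here to keep east-west traffic out of those legs, which the rules above do not address.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (not from the page). 10.0.0.1 and 10.0.0.2 are ECS instances in
# the vSwitch, 10.0.0.254 is the assumed private IP of the NAT gateway ENI, and 120.26.0.0
# stands in for a public IP address. bytes are integers, start is a UNIX timestamp.
SAMPLE_RECORDS = [
    {"direction": "in",  "srcaddr": "10.0.0.1",   "dstaddr": "120.26.0.0", "bytes": 9000,  "start": 1720775420},
    {"direction": "in",  "srcaddr": "10.0.0.2",   "dstaddr": "120.26.0.0", "bytes": 3000,  "start": 1720775430},
    {"direction": "out", "srcaddr": "10.0.0.254", "dstaddr": "120.26.0.0", "bytes": 12000, "start": 1720775425},
    {"direction": "in",  "srcaddr": "120.26.0.0", "dstaddr": "10.0.0.254", "bytes": 1500,  "start": 1720775440},
    {"direction": "out", "srcaddr": "120.26.0.0", "dstaddr": "10.0.0.1",   "bytes": 1500,  "start": 1720775445},
    # East-west traffic between two ECS instances: not one of the four NAT paths.
    {"direction": "in",  "srcaddr": "10.0.0.1",   "dstaddr": "10.0.0.2",   "bytes": 600,   "start": 1720775450},
]

ECS_CIDR = ipaddress.ip_network("10.0.0.0/24")        # assumed vSwitch CIDR of the ECS instances
NAT_PRIVATE_IP = ipaddress.ip_address("10.0.0.254")   # assumed private IP of the NAT gateway ENI
CAPTURE_WINDOW_SECONDS = 60                           # 1-minute sampling interval, as in the queries


def classify_nat_path(record, ecs_cidr=ECS_CIDR, nat_ip=NAT_PRIVATE_IP):
    """Map one record to a leg of the NAT path (numbered as in the filter table), or None.

    The table's rules use direction plus one address; the "other end is outside the ECS
    CIDR" condition is an addition that excludes ECS-to-ECS traffic from legs 1 and 4.
    """
    src = ipaddress.ip_address(record["srcaddr"])
    dst = ipaddress.ip_address(record["dstaddr"])
    if record["direction"] == "in":
        if dst == nat_ip:
            return "internet_to_nat"   # 3: public source -> NAT private IP
        if src in ecs_cidr and dst not in ecs_cidr:
            return "ecs_to_nat"        # 1: ECS private IP -> public destination
    elif record["direction"] == "out":
        if src == nat_ip:
            return "nat_to_internet"   # 2: NAT private IP -> public destination
        if dst in ecs_cidr and src not in ecs_cidr:
            return "nat_to_ecs"        # 4: public source -> ECS private IP
    return None


def bandwidth_by_path(records, window=CAPTURE_WINDOW_SECONDS):
    """bit/s per (path, minute): the sum(bytes*8/60) grouped by time from the query above."""
    totals = defaultdict(int)
    for rec in records:
        path = classify_nat_path(rec)
        if path is None:
            continue
        minute = rec["start"] - rec["start"] % 60   # same bucketing as __time__ - __time__ % 60
        totals[(path, minute)] += rec["bytes"] * 8 // window
    return dict(totals)


def ecs_share_of_nat_egress(records):
    """Percentage of the ECS-to-NAT leg generated by each ECS instance, largest first."""
    per_src = defaultdict(int)
    for rec in records:
        if classify_nat_path(rec) == "ecs_to_nat":
            per_src[rec["srcaddr"]] += rec["bytes"]
    total = sum(per_src.values())
    if total == 0:
        return {}
    ranked = sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)
    return {src: round(n * 100 / total, 1) for src, n in ranked}


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["direction"], rec["srcaddr"], "->", rec["dstaddr"], classify_nat_path(rec))
    print(bandwidth_by_path(SAMPLE_RECORDS))
    print(ecs_share_of_nat_egress(SAMPLE_RECORDS))
```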

Analyze Express Connect traffic ratio


An enterprise uses two VPCs in an Alibaba Cloud region to deploy different services and connects its on-premises data center to Alibaba Cloud using an Express Connect circuit and CEN.

The IT department plans to use flow logs to monitor and analyze how traffic from different business applications in the VPCs uses the Express Connect circuit. This analysis helps with network resource planning and performance improvement.

  1. Create flow logs

    Create two flow logs and deliver the logs to the same Logstore. The key settings for each flow log are as follows:

    • For Resource Instance, select VPC1 for one flow log and VPC2 for the other.

    • For Sampling Path, select Transit Router.

    • Set Delivery Configuration to Deliver to Log Service, select the same Logstore for the two flow logs, and Enable Log Analysis Report.

    • Keep the default settings for the other options.

  2. Analyze the flow logs

    1. Query statement

      To analyze the ratio of traffic from different VPCs to the on-premises data center, run the following query:

      action: ACCEPT and srcaddr: 192.168.* and dstaddr:10.1.* | 
      WITH 
          vpc1_traffic AS (
              SELECT 
                  date_trunc('minute',__time__) AS minute,
                  SUM(bytes*8/(case WHEN "end"-start=0 THEN 1 else "end"-start end)) AS total_vpc1_traffic
              FROM 
                  log
              WHERE 
                  srcaddr LIKE '192.168.20.%'
              GROUP BY 
                  date_trunc('minute',__time__)
          ),
          vpc2_traffic AS (
              SELECT 
                  date_trunc('minute',__time__) AS minute,
                  SUM(bytes*8/(case WHEN "end"-start=0 THEN 1 else "end"-start end)) AS total_vpc2_traffic
              FROM 
                  log
              WHERE 
                  srcaddr LIKE '192.168.10.%'
              GROUP BY 
                  date_trunc('minute',__time__)
          )
      SELECT 
          COALESCE(vpc1_traffic.minute, vpc2_traffic.minute) AS minute,
          (COALESCE(vpc1_traffic.total_vpc1_traffic, 0) * 100/ NULLIF((COALESCE(vpc1_traffic.total_vpc1_traffic, 0) + COALESCE(vpc2_traffic.total_vpc2_traffic, 0)), 0)) AS vpc1_percentage, 
          (COALESCE(vpc2_traffic.total_vpc2_traffic, 0) * 100/ NULLIF((COALESCE(vpc1_traffic.total_vpc1_traffic, 0) + COALESCE(vpc2_traffic.total_vpc2_traffic, 0)), 0)) AS vpc2_percentage
      FROM vpc1_traffic FULL OUTER JOIN vpc2_traffic ON vpc1_traffic.minute = vpc2_traffic.minute 
      ORDER BY minute

      The following is an explanation of the SQL statement.

      • Filter conditions:

        • srcaddr: 192.168.*: filters logs whose source address starts with 192.168.

        • dstaddr: 10.1.*: filters logs whose destination address starts with 10.1.

        • action: ACCEPT: filters logs whose action field is ACCEPT.

      • Main query:

        • Joins the vpc1_traffic and vpc2_traffic subqueries on the minute field with a FULL OUTER JOIN, so a minute that has traffic from only one VPC is still reported.

        • Calculates the traffic percentage of each VPC per minute. COALESCE treats a missing VPC as 0 bit/s and NULLIF prevents a division by zero when neither VPC has traffic in that minute:

          • vpc1_percentage: the share of the total traffic that comes from VPC1.

          • vpc2_percentage: the share of the total traffic that comes from VPC2.

        • Sorts the results by minute in ascending order.

      • The WITH subqueries:

        The statement defines two subqueries, vpc1_traffic and vpc2_traffic. Taking vpc1_traffic as an example:

        • Uses date_trunc to truncate the UNIX timestamp (the __time__ field) to the minute and names the result minute.

        • Uses SUM to compute the total traffic rate in bit/s for that minute (bytes*8 divided by the flow duration "end"-start, which is treated as 1 second when it is 0) and names the result total_vpc1_traffic.

        • Filters records whose source address is in the 192.168.20.* CIDR block, which belongs to VPC1.

        • Groups the results by minute.

    2. Preview

      The visualization configuration for the query results is similar to Scenario 2. Select the Area Chart type to show the trend of traffic proportions for different VPCs over time.

      The results show that during the period from 14:50 to 15:50, the proportion of traffic from VPC1 to the on-premises data center is higher.

More information

Flow log fields

The following list describes the fields of a flow log record. If a field is not applicable, its value is displayed as -.

version: The version of the flow log. The version of all log entries is 1.

account-id: The ID of the Alibaba Cloud account.

eni-id: The ID of the elastic network interface.

vm-id: The ID of the ECS instance to which the elastic network interface is attached.

vswitch-id: The ID of the vSwitch to which the elastic network interface belongs.

vpc-id: The ID of the VPC to which the elastic network interface belongs.

type: The traffic type. Valid values: IPv4 or IPv6. The following regions support capturing dual-stack IPv4/IPv6 traffic: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Hohhot), China (Shenzhen), Singapore, US (Silicon Valley), and US (Virginia).

protocol: The IANA protocol number of the traffic. For example, 1 for ICMP, 6 for TCP, and 17 for UDP.

srcaddr: The source IP address.

srcport: The source port.

dstaddr: The destination IP address.

dstport: The destination port.

direction: The direction of the traffic:

  • in: Inbound traffic to the elastic network interface.

  • out: Outbound traffic from the elastic network interface.

action: The action that a security group or network ACL performs on the traffic:

  • ACCEPT: The traffic is allowed.

  • REJECT: The traffic is rejected.

packets: The number of packets.

bytes: The number of bytes.

start: The time when the first packet was received in the capture window, as a UNIX timestamp.

end: The end time of the capture window for a persistent connection, or the time when a short-lived connection was closed, as a UNIX timestamp.

tcp-flags: The TCP flags, represented in decimal, which reflect the combination of flags such as SYN, ACK, and FIN in the TCP protocol.

  Within a capture window, a single flow log entry may correspond to multiple TCP packets. This value is the result of a bitwise OR operation on the flag fields of all related packets.

  For example, if a TCP session has two packets in a capture window with SYN (2) and SYN-ACK (18) flags, the TCP flag field recorded in the log is 18 (2 | 18 = 18).

  The following are some TCP flags and their decimal values:

  • FIN: 1

  • SYN: 2

  • RST: 4

  • PSH: 8

  • SYN-ACK: 18

  • URG: 32

  For more information about TCP flags, such as the meaning of SYN, FIN, ACK, and RST, see RFC 793.

log-status: The log record status:

  • OK: Data is recorded as expected.

  • NODATA: The network interface sent or received no traffic during the capture window. This can occur in standby systems, during non-peak hours, or when configuration issues prevent traffic.

  • SKIPDATA: Some flow log records were skipped during the capture window. This typically happens in high-traffic environments or during sudden traffic spikes that overload the internal system, preventing it from capturing all traffic.

traffic_path: The traffic path, indicated by a scenario code:

  • 0 - Traffic captured in scenarios other than those listed below.

  • 1 - Traffic that passes through other resources in the same VPC.

  • 2 - Private traffic that accesses ECS instances in the same VPC.

  • 3 - Traffic that passes through an elastic network interface.

  • 4 - Traffic that passes through a high-availability virtual IP address.

  • 5 - Traffic that accesses Alibaba Cloud services in the same region.

  • 6 - Traffic that accesses cloud services through a gateway endpoint.

  • 7 - Traffic that passes through a NAT gateway.

  • 8 - Traffic that passes through a Transit Router.

  • 9 - Traffic that passes through a VPN gateway.

  • 10 - Traffic that accesses an Express Connect circuit through a Virtual Border Router.

  • 11 - Traffic that accesses a VPC in the same region through CEN Basic Edition.

  • 12 - Traffic that passes through CEN Basic Edition in scenarios other than those specified by 11, 18, 19, and 20. Examples include traffic that accesses cross-region cloud services or a Cloud Connect Network through CEN Basic Edition.

  • 13 - Traffic to the internet through an IPv4 gateway.

  • 14 - Traffic to the internet through an IPv6 gateway.

  • 15 - Traffic to the internet through a public IP address.

  • 17 - Traffic that passes through a VPC peering connection.

  • 18 - Traffic that accesses a cross-region VPC through CEN Basic Edition.

  • 19 - Traffic that accesses a Virtual Border Router in the same region through CEN Basic Edition.

  • 20 - Traffic that accesses a cross-region Virtual Border Router through CEN Basic Edition.

  • 21 - Traffic that passes through an Express Connect Router.

  • 22 - Traffic that passes through a gateway load balancer endpoint.

The following sections provide examples of flow log records:

Accepted traffic record

In this example, the Alibaba Cloud primary account ID is 1210123456** and the VPC flow log version is 1. During the one-minute window from 17:10:20 to 17:11:20 on July 12, 2024 (UTC+8; the start and end fields hold the same instants as Unix timestamps, 1720775420 and 1720775480), the elastic network interface (ENI) eni-bp166tg9uk1ryf** accepted the following outbound traffic:

Over TCP (protocol number 6), 10 packets totaling 2,048 bytes were sent from source IP address 172.31.16.139, port 1332, to destination IP address 172.31.16.21, port 80. The log status is OK.

{
  "account-id": "1210123456**",
  "action": "ACCEPT",
  "bytes": "2048",
  "direction": "out",
  "dstaddr": "172.31.16.21",
  "dstport": "80",
  "end": "1720775480",
  "eni-id": "eni-bp166tg9uk1ryf**",
  "log-status": "OK",
  "packets": "10",
  "protocol": "6",
  "srcaddr": "172.31.16.139",
  "srcport": "1332",
  "start": "1720775420",
  "tcp-flags": "22",
  "traffic_path": "-",
  "version": "-",
  "vm-id": "1",
  "vpc-id": "-",
  "vswitch-id": "vpc-bp1qf0c43jb3maz******"
}

Rejected traffic record

In this example, the Alibaba Cloud primary account ID is 1210123456****** and the VPC flow log version is 1. During the 10-minute window from 10:20:00 to 10:30:00 on July 15, 2024 (UTC+8; Unix timestamps 1721010000 to 1721010600), the elastic network interface (ENI) eni-bp1ftp5sm9oszt****** rejected the following inbound traffic. A rejected flow is one that was dropped by a security group or network ACL rule, so records with action REJECT are the ones to inspect when verifying that those rules behave as intended:

Over TCP (protocol number 6), 20 packets totaling 4,208 bytes were sent from source IP address 172.31.16.139, port 1332, to destination IP address 172.31.16.21, port 80. The log status is OK.

{
  "account-id": "1210123456******",
  "action": "REJECT",
  "bytes": "4208",
  "direction": "in",
  "dstaddr": "172.31.16.21",
  "dstport": "80",
  "end": "1721010600",
  "eni-id": "eni-bp1ftp5sm9oszt******",
  "log-status": "OK",
  "packets": "20",
  "protocol": "6",
  "srcaddr": "172.31.16.139",
  "srcport": "1332",
  "start": "1721010000",
  "tcp-flags": "22",
  "traffic_path": "-",
  "version": "-",
  "vm-id": "1",
  "vpc-id": "-",
  "vswitch-id": "vpc-bp1qf0c43jb3maz******"
}

No-data record

In this example, for the Alibaba Cloud primary account ID 1210123456****** and a version 1 VPC flow log, the elastic network interface (ENI) eni-bp1j7mmp34jlve****** recorded no traffic data (NODATA) from 10:52:20 to 10:55:20 on July 15, 2024, a 3-minute interval.

{
  "account-id": "1210123456******",
  "action": "-",
  "bytes": "-",
  "direction": "-",
  "dstaddr": "-",
  "dstport": "-",
  "end": "1721012120",
  "eni-id": "eni-bp1j7mmp34jlve******",
  "log-status": "NODATA",
  "packets": "-",
  "protocol": "-",
  "srcaddr": "-",
  "srcport": "-",
  "start": "1721011940",
  "tcp-flags": "-",
  "traffic_path": "-",
  "version": "-",
  "vm-id": "1",
  "vpc-id": "-",
  "vswitch-id": "vpc-bp1qf0c43jb3maz******"
}

Skipped-data record

In this example, the Alibaba Cloud primary account ID is 1210123456****** and the VPC flow log version is 1. During a 3-minute interval from 16:20:30 to 16:23:30 on July 12, 2024, data records for the elastic network interface (ENI) eni-bp1dfm4xnlpruv****** were skipped (SKIPDATA).

{
  "account-id": "1210123456******",
  "action": "-",
  "bytes": "-",
  "direction": "-",
  "dstaddr": "-",
  "dstport": "-",
  "end": "1720772610",
  "eni-id": "eni-bp1dfm4xnlpruv******",
  "log-status": "SKIPDATA",
  "packets": "-",
  "protocol": "-",
  "srcaddr": "-",
  "srcport": "-",
  "start": "1720772430",
  "tcp-flags": "-",
  "traffic_path": "-",
  "version": "-",
  "vm-id": "1",
  "vpc-id": "-",
  "vswitch-id": "vpc-bp1qf0c43jb3maz******"
}
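The record layout shown in the four examples above is a flat JSON object whose absent fields are written as "-", so a few lines of code are enough to turn a batch of records into the answers a practitioner actually wants: where the log is blind (NODATA and SKIPDATA windows), which sources had inbound flows rejected on many ports in one window (a port sweep stopped by a security group or network ACL), and how many bytes were accepted outbound over an internet-facing traffic_path (codes 13, 14 and 15 from the list above). The following Python is an added example written for this page, not code from the page or from Alibaba Cloud; the sample records, ENI, VPC and vSwitch IDs, addresses and the traffic_path values on them are constructed for the example.

```python
import json
from collections import defaultdict

# Base record in the page's field layout. "-" means the field is not set for that
# record. All values are constructed for this example (hypothetical IDs and addresses).
_BASE = {
    "account-id": "1210123456**", "action": "-", "bytes": "-", "direction": "-",
    "dstaddr": "-", "dstport": "-", "start": "1720775420", "end": "1720775480",
    "eni-id": "eni-example1", "log-status": "OK", "packets": "-", "protocol": "-",
    "srcaddr": "-", "srcport": "-", "tcp-flags": "-", "traffic_path": "-",
    "version": "1", "vm-id": "-", "vpc-id": "vpc-example", "vswitch-id": "vsw-example",
}

def _line(fields):
    """Serialize one constructed record as a JSON line, overriding _BASE fields."""
    return json.dumps({**_BASE, **fields})

def _reject(src, dport):
    """Constructed inbound flow from the internet (traffic_path 15) dropped by a rule."""
    return _line({"action": "REJECT", "direction": "in", "protocol": "6",
                  "srcaddr": src, "srcport": "40000", "dstaddr": "172.31.16.21",
                  "dstport": dport, "packets": "1", "bytes": "60", "tcp-flags": "2",
                  "traffic_path": "15"})

SAMPLE_LINES = [
    _line({"action": "ACCEPT", "direction": "out", "protocol": "6",
           "srcaddr": "172.31.16.139", "srcport": "1332", "dstaddr": "172.31.16.21",
           "dstport": "80", "packets": "10", "bytes": "2048", "tcp-flags": "22",
           "traffic_path": "2"}),                      # private flow inside the VPC
    _line({"action": "ACCEPT", "direction": "out", "protocol": "6",
           "srcaddr": "172.31.16.139", "srcport": "51000", "dstaddr": "203.0.113.10",
           "dstport": "443", "packets": "400", "bytes": "524288", "tcp-flags": "18",
           "traffic_path": "13"}),                     # egress via IPv4 gateway
    _reject("198.51.100.7", "22"), _reject("198.51.100.7", "3389"),
    _reject("198.51.100.7", "445"), _reject("198.51.100.7", "8080"),
    _reject("198.51.100.9", "22"),
    _line({"eni-id": "eni-example2", "log-status": "NODATA"}),
    _line({"eni-id": "eni-example3", "log-status": "SKIPDATA",
           "start": "1720772430", "end": "1720772610"}),
]

_INT_FIELDS = ("bytes", "packets", "srcport", "dstport", "protocol",
               "start", "end", "tcp-flags", "traffic_path")

def parse_record(line):
    """Parse one JSON line: "-" placeholders become None, numeric fields become int."""
    out = {}
    for k, v in json.loads(line).items():
        out[k] = None if v == "-" else (int(v) if k in _INT_FIELDS else v)
    return out

# traffic_path codes (from the page) that mean the flow crossed the internet boundary.
INTERNET_PATHS = {13: "IPv4 gateway", 14: "IPv6 gateway", 15: "public IP address"}

def coverage_gaps(records):
    """Windows the log cannot be trusted to be complete: SKIPDATA means records were
    dropped (a blind spot an attacker's traffic may fall into); NODATA means the ENI
    was silent, which is worth checking against what the workload should be doing."""
    return [(r["eni-id"], r["log-status"], r["start"], r["end"])
            for r in records if r["log-status"] in ("NODATA", "SKIPDATA")]

def rejected_scan_sources(records, min_ports=3):
    """Sources whose inbound REJECTed flows hit at least min_ports distinct destination
    ports in the window: the shape of a port sweep stopped by a security group or ACL."""
    ports = defaultdict(set)
    for r in records:
        if r["log-status"] == "OK" and r["action"] == "REJECT" and r["direction"] == "in":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

def internet_egress_bytes(records):
    """Bytes ACCEPTed outbound per "src -> dst" pair over an internet-facing path."""
    totals = defaultdict(int)
    for r in records:
        if (r["log-status"] == "OK" and r["action"] == "ACCEPT"
                and r["direction"] == "out" and r["traffic_path"] in INTERNET_PATHS):
            totals[f"{r['srcaddr']} -> {r['dstaddr']}"] += r["bytes"]
    return dict(totals)

def analyze(lines=SAMPLE_LINES):
    """Run the three checks over a batch of JSON lines and return their results."""
    records = [parse_record(line) for line in lines]
    return {"gaps": coverage_gaps(records),
            "scanners": rejected_scan_sources(records),
            "egress": internet_egress_bytes(records)}

if __name__ == "__main__":
    print(json.dumps(analyze(), indent=2))
```

The same three functions apply unchanged to real records exported from the Logstore, since only the constructed SAMPLE_LINES are specific to the example; the gaps list is the one to review first, because a REJECT count or egress total computed over a window that contains SKIPDATA records is a lower bound, not a measurement.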

Billing

Billable items

Fees are incurred for flow log generation and for storing logs in Simple Log Service. If you use Traffic Analyzer, additional fees for traffic processing and storage apply.

  • Flow log generation fees:

    • Bills are generated hourly, typically 3 to 4 hours after each billing cycle ends. The exact time of bill generation may vary.

    • Flow log generation fees are billed based on the monthly volume of logs generated in each region and use a tiered pricing model. Each primary account receives a free quota of 5 GB per month in each region.

    Monthly log volume            Price (CNY/GB)
    0 TB to 10 TB (inclusive)     2.5
    10 TB to 30 TB (inclusive)    1.25
    30 TB to 50 TB (inclusive)    0.5
    More than 50 TB               0.25

  • Simple Log Service fees: Simple Log Service charges these fees after it receives the flow logs. These fees cover data writes and storage. For more information, see Data write and storage.

    Simple Log Service offers two billing methods: pay-by-data-volume and pay-by-feature. When you create a flow log in the VPC console and choose to create a new Logstore, the pay-by-feature billing method is used by default.
  • Traffic Analyzer fees: Network Intelligence Service charges these fees after Traffic Analyzer receives the flow logs. These fees cover traffic analysis processing and storage. For more information, see Traffic analysis processing and storage.

Billing examples

  • Example 1

    Assume that you enable the flow log feature at 00:00:00 on September 1, 2022, in a region. Between 00:00:00 on September 1, 2022, and 00:00:00 on October 1, 2022, you deliver a total of 3 GB of logs to Simple Log Service.

    Each primary account has a free monthly quota of 5 GB for flow log generation, and 3 GB is within that quota, so no generation fee is charged. Your only cost for the month is the fees charged by Simple Log Service.

  • Example 2

    Assume that you enable the flow log feature at 00:00:00 on September 1, 2022, in the China (Shanghai) region. Between 00:00:00 on September 1, 2022, and 00:00:00 on October 1, 2022, you deliver 100 GB of logs to Simple Log Service.

    The flow log generation fee for the month is (100 - 5) × 2.5 = CNY 237.5. The total flow log fee for the month is CNY 237.5 + the Simple Log Service fees.

  • Example 3

    Assume that you enable the flow log feature at 00:00:00 on September 1, 2022, in the China (Beijing) region. Between 00:00:00 on September 1, 2022, and 00:00:00 on October 1, 2022, you deliver 60 TB of logs to Simple Log Service.

    The flow log generation fee is calculated based on the tiered pricing model:

    • 0 TB to 10 TB (inclusive): (10 × 1024 - 5) × 2.5 = CNY 25,587.5

    • 10 TB to 30 TB (inclusive): 20 × 1024 × 1.25 = CNY 25,600

    • 30 TB to 50 TB (inclusive): 20 × 1024 × 0.5 = CNY 10,240

    • More than 50 TB: 10 × 1024 × 0.25 = CNY 2,560

    The total flow log generation fee for the month is 25,587.5 + 25,600 + 10,240 + 2,560 = CNY 63,987.5. The total flow log fee for the month is CNY 63,987.5 + the Simple Log Service fees.
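Two details of the examples above are easy to get wrong when estimating a budget: the 5 GB free quota is subtracted from the first tier only, and each tier is charged on just the volume that falls inside it, with the tier boundaries expressed in TB while the quota and the price are per GB (1 TB = 1,024 GB). The following Python is an added example for this page, not a calculator provided by Alibaba Cloud; it uses only the tier prices quoted in the table above and reproduces the three worked examples.

```python
FREE_QUOTA_GB = 5
GB_PER_TB = 1024
# (upper bound of the tier in GB, price in CNY per GB); None means no upper bound.
# Prices are the ones quoted on this page.
TIERS = [(10 * GB_PER_TB, 2.5), (30 * GB_PER_TB, 1.25), (50 * GB_PER_TB, 0.5), (None, 0.25)]

def fee_breakdown(monthly_gb):
    """Per-tier (chargeable GB, CNY) for one region's monthly log volume.

    Marginal pricing: each tier charges only for the volume between its lower and
    upper bound, and the free quota is taken off the lowest tier, as in Example 3.
    """
    pieces = []
    lower = 0
    for upper, price in TIERS:
        top = monthly_gb if upper is None else min(monthly_gb, upper)
        chargeable = max(0, top - max(lower, FREE_QUOTA_GB))
        pieces.append((chargeable, chargeable * price))
        if upper is None or monthly_gb <= upper:
            break
        lower = upper
    return pieces

def flowlog_generation_fee_cny(monthly_gb):
    """Total monthly generation fee (CNY) for one region; SLS fees are extra."""
    return sum(cny for _, cny in fee_breakdown(monthly_gb))

if __name__ == "__main__":
    for gb in (3, 100, 60 * GB_PER_TB):
        print(gb, "GB ->", fee_breakdown(gb), "total CNY", flowlog_generation_fee_cny(gb))
```

Because the fee is computed per region and per month, a quick sanity check before enabling flow logs on a busy VPC is to run the function on the expected monthly volume of each region separately rather than on their sum.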

Overdue payments and top-ups

Overdue payment policy

  • If your overdue payment is within the suspension protection limit, your service continues without interruption and your instances continue to run.

    Alibaba Cloud provides a grace period for service suspension. This means that if you have an overdue payment for a pay-as-you-go resource, you can continue to use the service for a specific period or up to a certain amount. You are billed as normal during this grace period.
  • If your overdue payment exceeds the suspension protection limit, the service is automatically stopped. After the VPC flow log is stopped, billing also stops, and you cannot perform any operations on the VPC flow log.

  • If you top up your account and pay the outstanding amount within 7 days after the service is stopped, the service automatically resumes.

  • If the outstanding amount is not paid within 7 days after the service is stopped, the VPC flow log is automatically released. After the service is released, its configurations and data are permanently deleted.

Supported regions

Public cloud

Area                     Regions
Asia Pacific - China     China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), and China (Fuzhou - Local Region, Closing Down)
Asia Pacific - Others    Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok)
Europe & Americas        Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia)
Middle East              UAE (Dubai), and SAU (Riyadh - Partner Region)

Finance Cloud

Area            Regions
Asia Pacific    China North 2 Finance (Preview), China South 1 Finance, and China East 2 (Shanghai) Finance

Gov Cloud

Area            Regions
Asia Pacific    China North 2 Ali Gov 1

Quotas

Quota name: vpc_quota_flowlog_inst_nums_per_user

Description: The maximum number of flow log instances that a user can create.

Default limit: 10

Adjustable: Yes. To request a quota increase, go to the Quota Management page or Quota Center.

FAQ

Flow log retention period

VPC automatically delivers flow logs to Simple Log Service, so the data retention policy of Simple Log Service applies.

  • If you select Enable Log Analysis Report when you create a VPC flow log, the default data retention period for the Logstore is 7 days. Otherwise, the default is 300 days.

  • You can go to the Simple Log Service console to view the data retention period of an existing Logstore and modify it as needed.

Network logs for PoIS compliance

By default, Alibaba Cloud VPC does not record network logs. To meet PoIS requirements, you can enable the VPC flow log feature to record and analyze traffic to and from elastic network interfaces for security and compliance monitoring.