Updated on 2026-02-05 GMT+08:00

VPC Flow Log

VPC flow logs help you collect traffic information about instances in a specified VPC, including inbound and outbound traffic. After creating a flow log, you can view the flow log records in the log group that you configured.

Flow logs can help you:
  • Monitor the traffic of security groups and network ACLs and optimize their rules.
  • Monitor the traffic of network instances and analyze network attacks.
  • Determine the direction of the traffic to and from network interfaces.

The collection of flow log data does not affect the throughput or latency of your network. You can create or delete flow logs as required, which does not affect your network performance.

Currently, VPC flow logs are available only in some regions. You can check which regions support this function on the console.

The VPC flow log function itself is free of charge, but you may be charged for other resources used. For example, if data is stored in Log Tank Service (LTS), you will be billed based on the LTS standards. For details, see the Log Tank Service User Guide.

VPC Flow Log Data

You can create a flow log for a network interface, subnet, or VPC. If you create a flow log for a subnet or a VPC, each network interface in the subnet or VPC is monitored.

The traffic of a monitored network interface is collected and flow log data is generated, including the network interface ID, source address, destination address, source port, destination port, and packet size of the traffic.

Table 1 VPC flow log field description

| Field | Description | Example | Version |
|---|---|---|---|
| version | VPC flow log version. The value can be 1 (Version 1) or 2 (Version 2). | 1 | v1/v2 |
| project-id | ID of the project that the object monitored by the flow log belongs to. | 5f67944957444bd6bb4fe3b367de8f3d | v1/v2 |
| interface-id | ID of the network interface that the flow log data is generated for. | 1d515d18-1b36-47dc-a983-bd6512aed4bd | v1/v2 |
| srcaddr | Source address. | 192.168.0.154 | v1/v2 |
| dstaddr | Destination address. | 192.168.3.25 | v1/v2 |
| srcport | Source port. | 38929 | v1/v2 |
| dstport | Destination port. | 53 | v1/v2 |
| protocol | Internet Assigned Numbers Authority (IANA) protocol number. For details, see Assigned Internet Protocol Numbers. | 17 | v1/v2 |
| packets | The number of packets transferred during the capture window. | 1 | v1/v2 |
| bytes | The number of bytes transferred during the capture window. | 96 | v1/v2 |
| start | The time, in Unix seconds, of the start of the capture window. | 1548752136 | v1/v2 |
| end | The time, in Unix seconds, of the end of the capture window. | 1548752736 | v1/v2 |
| action | The action that is associated with the traffic. ACCEPT: The traffic was allowed by security groups or network ACLs. REJECT: The traffic was denied by security groups or network ACLs. | ACCEPT | v1/v2 |
| log-status | The logging status of the VPC flow log. OK: Data is logged normally to the chosen destinations. NODATA: There was no traffic to or from the network interface during the capture window. SKIPDATA: Some flow log records were skipped during the capture window. This may be caused by an internal capacity constraint or an internal error. Example: When Filter is set to Accepted traffic, if there is accepted traffic, the value of log-status is OK. If there is no accepted traffic, the value of log-status is NODATA regardless of whether there is rejected traffic. If some accepted traffic is abnormally skipped, the value of log-status is SKIPDATA. | OK | v1/v2 |
| direction | Direction of the traffic on the network interface. ingress: Traffic to the network interface. egress: Traffic from the network interface. | ingress | v2 |
| tcp-flag | Status of a TCP connection. syn_sent: The TCP connection is being established. This status is difficult to observe because it takes a short time to establish a TCP connection. established: The TCP connection is established. time-wait: The TCP connection is being closed. | established | v2 |
| region-id | Region of the object monitored by the flow log. | ab-cdef-3 | v2 |
| az-id | AZ of the object monitored by the flow log. | ab-cdef-3a | v2 |
| vpc-id | ID of the VPC that the flow log data belongs to. | 80ee2ed7-605d-49b4-ac6b-6e581acd35a3 | v2 |
| network-id | ID of the VPC subnet that the flow log data belongs to. | 93f4cb2d-0e0e-4e2d-a705-e3817bd7ca45 | v2 |

Constraints

  • Currently, kAi1s, X1e, Ai1, Ai1s, kC1, kM1, kI1, X1, P2s, P2v, P2vs, Pi2, kC2, kM2, X2e, C3, H3, M3, C3ne, M3ne, S3, I3, Ir3, D3, E3, Sn3, G5, E6, C6, S6, T6, C6s, D6, G6, M6, C6sne, aC7, aI7, aM7, C7, M7, C7n, D7, E7, I7, I7n, Ir7, Ir7n, M7n, S7, S7n, C7e, C7h, C7t, D7i, aC8, aM8, C9, M9, aC9 and I9 ECSs support flow logs.

    For details about ECS types, see ECS Types.

  • Each account can have up to 10 VPC flow logs in a region.
  • By default, up to 400,000 flow log records can be generated for a single network interface in a collection period (10 minutes). Excess records will be discarded.
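
The following sketch shows how the Table 1 fields and the log-status values can be used when reviewing flow logs for rejected traffic. It is an added example, not code from the service documentation. It assumes each record is one space-separated line in Table 1 order (v1 fields) and that fields with no data are written as "-"; every sample value other than the Table 1 examples is constructed.

```python
from collections import defaultdict

# Assumption: one record per line, space-separated, in Table 1 order (v1 fields).
FIELDS = ("version project-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

PROJ = "5f67944957444bd6bb4fe3b367de8f3d"      # example value from Table 1
NIC = "1d515d18-1b36-47dc-a983-bd6512aed4bd"   # example value from Table 1
# Constructed sample records. "-" for fields with no data is an assumption.
SAMPLE = [
    f"1 {PROJ} {NIC} 192.168.0.154 192.168.3.25 38929 53 17 1 96 1548752136 1548752736 ACCEPT OK",
    f"1 {PROJ} {NIC} 192.168.0.200 192.168.3.25 40100 22 6 1 60 1548752136 1548752736 REJECT OK",
    f"1 {PROJ} {NIC} 192.168.0.200 192.168.3.25 40101 23 6 1 60 1548752136 1548752736 REJECT OK",
    f"1 {PROJ} {NIC} 192.168.0.200 192.168.3.25 40102 3389 6 1 60 1548752136 1548752736 REJECT OK",
    f"1 {PROJ} {NIC} 192.168.0.154 192.168.3.25 40200 22 6 1 60 1548752136 1548752736 REJECT OK",
    f"1 {PROJ} {NIC} - - - - - - - 1548752736 1548753336 - NODATA",
    f"1 {PROJ} {NIC} - - - - - - - 1548753336 1548753936 - SKIPDATA",
]

def parse_record(line):
    """Split one record into a dict keyed by the Table 1 field names."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for key in NUMERIC:
        # Placeholder values such as "-" become None instead of raising.
        rec[key] = int(rec[key]) if rec[key].isdigit() else None
    return rec

def review(lines, min_ports=3):
    """Return (sources rejected on >= min_ports distinct ports, SKIPDATA windows)."""
    rejected = defaultdict(set)   # srcaddr -> distinct rejected destination ports
    gaps = []                     # (interface-id, start, end) with skipped records
    for rec in map(parse_record, lines):
        if rec["log-status"] == "SKIPDATA":
            # Records were skipped in this window, so it cannot be read as clean.
            gaps.append((rec["interface-id"], rec["start"], rec["end"]))
        if rec["action"] == "REJECT" and rec["dstport"] is not None:
            rejected[rec["srcaddr"]].add(rec["dstport"])
    noisy = {src: sorted(p) for src, p in rejected.items() if len(p) >= min_ports}
    return noisy, gaps

if __name__ == "__main__":
    noisy, gaps = review(SAMPLE)
    print("sources rejected on many ports:", noisy)
    print("capture windows with skipped records:", gaps)
```

Windows in the second list should be read as incomplete, not as evidence that no traffic was rejected.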