Viewing the Traffic of ECSs from the Same VPC

Solution Architecture

In this example, there are two subnets (Subnet-A01 and Subnet-A02) in a VPC (VPC-A). ECS-01 is running in Subnet-A01 and ECS-02 and ECS-03 are running in Subnet-A02. ECS-01 communicates with both ECS-02 and ECS-03. If something goes wrong to the communication between ECS-01 and ECS-02, the O&M engineer needs to check the traffic between the two ECSs. To locate issues, the O&M engineer needs to create a VPC flow log and collect the flow log of the network interface attached to ECS-01.

Figure 1 Viewing the traffic of ECSs in a VPC
Click to enlarge

Constraints

For details about the restrictions on flow logs, see Constraints.

Resource Planning

In this example, the VPC, subnets, flow log, and ECSs must be in the same region but can be in different AZs.

The following resource details are only for your reference. You can modify them if needed.

**Table 1** Resource planning
Resource	Quantity	Description
VPC and subnet	VPC: 1 Subnet: 2	Name: Set it as needed. In this example, VPC-A is used. IPv4 CIDR Block (VPC): Set it as needed. In this example, 192.168.0.0/16 is used. Subnet Name: Set it as needed. In this example, Subnet-A01 and Subnet-A02 are used. IPv4 CIDR Block (Subnet): Set it as needed. In this example, the CIDR block of Subnet-A01 is 192.168.0.0/24 and that of Subnet-A02 is 192.168.1.0/24.
ECS	2	Configure the two ECSs as follows: ECS Name: Set it as needed. In this example, the ECSs are named ECS-01 and ECS-02. ECS flavor: In this example, flow logs of the network interface attached to ECS-01 are collected. Select the ECS flavor that supports flow logs. For details, see Constraints. There are no such restrictions on selecting the flavor for ECS-02. Image: Select an image as needed. In this example, a public image (CentOS 8.0 64bit) is used. System Disk: In this example, a general-purpose SSD disk of 40 GiB is used. Data Disk: Set it as needed. In this example, no data disk is used. Network VPC: Select your required VPC. In this example, VPC-A is used. Subnet: Select your required subnet. In this example, select Subnet-A01 for ECS-01 and Subnet-A02 for ECS-02. Security Group: In this example, the two ECSs are associated with the same security group (Sg-X). Ensure that all rules in Table 2 are added. If the ECSs are associated with different security groups, you also need to add additional rules. For example, if ECS-01 is associated with Sg-X and ECS-02 is associated with Sg-A, add the rules in Table 3 to Sg-X and Sg-A to allow the two ECSs to communicate with each other. EIP: Select Not required. Private IP address: In this example, use 192.168.0.66 for ECS-01 and 192.168.1.31 for ECS-02.
VPC flow log	1	Name: Set it as needed. In this example, name it flowlog-A. Resource Type: Select NIC in this example. Resource: Set it as needed. In this example, select the network interface (IP address: 192.168.0.66) of ECS-01. Filter: Select All traffic in this example. Log Group: Select an existing or create a log group. The log group of this example is as follows: Log Group Name: Set it as needed. In this example, lts-group-A is used. Log Retention (Days): Set it as needed. In this example, 30 is used. Log Stream: Select an existing or create a log stream. The log stream of this example is as follows: Log Group Name: In this example, the log group name is lts-group-A. Log Stream Name: Set it as needed. In this example, lts-topic-A is used. Log Storage: You are advised to enable this function for log search and analysis. Log Retention (Days): Set it as needed. In this example, 30 is used.

**Table 2** Security group **Sg-X** rules
Direction	Action	Type	Protocol & Port	Source/Destination	Description
Inbound	Allow	IPv4	TCP: 22	Source: 0.0.0.0/0	Allows remote logins to Linux ECSs over SSH port 22.
Inbound	Allow	IPv4	TCP: 3389	Source: 0.0.0.0/0	Allows remote logins to Windows ECSs over RDP port 3389.
Inbound	Allow	IPv4	All	Source: current security group (Sg-X)	Allows the ECSs in Sg-X to communicate with each other using IPv4 addresses.
Inbound	Allow	IPv6	All	Source: current security group (Sg-X)	Allows the ECSs in Sg-X to communicate with each other using IPv6 addresses.
Outbound	Allow	IPv4	All	Destination: 0.0.0.0/0	Allows ECSs in Sg-X to access the external networks using IPv4 addresses.
Outbound	Allow	IPv6	All	Destination: ::/0	Allows ECSs in Sg-X to access the external networks using IPv6 addresses.

If the source of an inbound rule is set to 0.0.0.0/0, all external IP addresses are allowed to remotely log in to your instances. Exposing port 22 or 3389 to the public network will leave your instances vulnerable to network risks. To address this issue, set the source to a trusted IP address, for example, the IP address of your local PC.

**Table 3** Rules of security groups **Sg-X** and **Sg-A**
Security Group	Direction	Action	Type	Protocol & Port	Source	Description
Sg-X	Inbound	Allow	IPv4	All	Security group Sg-A	Allows IPv4 traffic from ECSs in Sg-A to reach ECSs in Sg-X.
Sg-A	Inbound	Allow	IPv4	All	Security group Sg-X	Allows IPv4 traffic from ECSs in Sg-X to reach ECSs in Sg-A.

Procedure

Figure 2 shows the process for viewing the traffic of ECSs in a VPC.

Figure 2 Viewing the traffic of ECSs in a VPC
Click to enlarge

Step 1: Create Cloud Resources

Create a VPC with two subnets.
For details, see Creating a VPC and Subnet.
Create two ECSs.
For details, see Purchasing a Custom ECS.

Step 2: Create a VPC Flow Log

Create a log group and log stream on the LTS console.
For details about how to create a log group, see Creating a Log Group.

For details about how to create a log stream, see Creating a Log Stream.
Create a VPC flow log.
For details, see Creating a VPC Flow Log.

Step 3: View the VPC Flow Log

The flow log collects the information about the traffic flowing through the network interface attached to ECS-01.

Remotely log in to ECS-01.
For details, see How Do I Log In to My ECS?

Ping ECS-02 from ECS-01 and collect logs:

ping <private-IP-address-of-ECS-02>

Example command:

ping 192.168.1.31

Information similar to the following is displayed. You can view the flow log records in about 10 minutes. Do not stop the ping command during flow log collection.

[root@ecs-01 ~]# ping 192.168.1.31
PING 192.168.1.31 (192.168.1.31) 56(84) bytes of data.
64 bytes from 192.168.1.31: icmp_seq=1 ttl=64 time=0.292 ms
64 bytes from 192.168.1.31: icmp_seq=2 ttl=64 time=0.186 ms
64 bytes from 192.168.1.31: icmp_seq=3 ttl=64 time=0.162 ms
...

Wait for about 10 minutes and view the VPC flow log information by referring to Viewing a VPC Flow Log.
You can enter the IP address (192.168.1.31) of ECS-02 in the search box to quickly filter the logs of the communication between ECS-01 and ECS-02.

Figure 3 Viewing logs
The flow log record is in the following format:
```
<version> <project-id> <interface-id> <srcaddr> <dstaddr> <srcport> <dstport> <protocol> <packets> <bytes> <start> <end> <action> <log-status>
```
- Example log: 1 f0512a6441dc47189f5e03a428f48267 ef676eb6-0a0a-4939-85c9-9f8db1d1937c 192.168.0.66 192.168.1.31 8 0 1 585 57330 1739877133 1739877733 ACCEPT OK
- Log description: The VPC flow log version is 1. The log shows that 585 echo request packets (type=8,code=0) were sent from the source (192.168.0.66) to the destination (192.168.1.31) via the network interface ef676eb6-0a0a-4939-85c9-9f8db1d1937c using ICMP (protocol=1) during 19:12:13 to 19:22:13 (10 minutes), on February 18, 2025. The size of all packets is 57,330 bytes.
  For details about flow log data, see VPC Flow Log Data.

Step 4: Configure Cloud Structuring Parsing and Analyze Visualized Logs for the VPC Flow Log

LTS allows you to search for and analyze collected logs and displays log analysis results in a visualized manner.

Configure cloud structuring parsing.

Table 4 shows the parameter settings in this example. For details, see Cloud Structuring Parsing.

Figure 4 Configuring cloud structuring parsing
Click to enlarge

**Table 4** Parameters for configuring cloud structuring parsing
Step	Operation
1	Set the structuring mode to Delimiter.
2	Enter the VPC flow log: 1 f0512a6441dc47189f5e03a428f48267 ef676eb6-0a0a-4939-85c9-9f8db1d1937c 192.168.0.66 192.168.1.31 8 0 1 585 57330 1739877133 1739877733 ACCEPT OK
3	Select Space as the delimiter.
4	Click Intelligent Extraction.
5	In the intelligent extraction field list, change the field name to the flow log parameters: version, project-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, and log-status

Analyze the logs based on the cloud structuring parsing.
The following shows two visualized log analysis methods:
- Visualize logs in statistical charts. Statistical charts, such as tables, bar charts, and line charts, are rendered by LTS based on SQL query syntax.
  1. On the Log Analysis tab, enter the required statement in the search box by referring to Using SQL Analysis Syntax to obtain the required logs.
    The following takes the traffic of ECS-01 every hour as an example.
```
SELECT TIME_FORMAT(TIME_CEIL(__time, 'PT1H'), 'yyyy-MM-dd HH:mm:ss') as "time", count(1) as pv group by "time"
```
  2. On the right of the page, configure the time and other information.
    In this example, you can view the hourly traffic data within a day. For more information about the statistical charts, see Statistical Charts.
    
    Figure 5 Traffic line chart
- Visualize logs in dashboards. The dashboard is a real-time data visualization tool provided by LTS.
  1. Ingest VPC logs to LTS by referring to Ingesting VPC Logs to LTS.
  2. After VPC logs are ingested, choose Dashboards > VPC dashboard templates > VPC Flow Logs on the LTS console.
    Wait for a few minutes and view the log data. For more information about the dashboard, see VPC Dashboard Template.
    
    Figure 6 VPC flow log dashboard