Use VPC Flow Logs
VPC Flow Logs records a sample of network flows sent from and received by VM instances, including instances used as GKE nodes. These logs can be used for network monitoring, forensics, real-time security analysis, and expense optimization.
This page assumes you are familiar with the concepts described in VPC Flow Logs.
Enable VPC Flow Logs
When you enable VPC Flow Logs, you enable logging for all VMs in a subnet. However, you can reduce the amount of information written to logging. For details on the parameters you can control, see Log sampling and aggregation.
To customize metadata fields or configure log filtering, use the gcloud CLI or API.
Enable VPC Flow Logs when you create a subnet
Console
In the Google Cloud console, go to the VPC networks page.
Click the network where you want to add a subnet.
Click Add subnet.
For Flow logs, select On.
If you want to adjust log sampling and aggregation, click Configure logs and adjust any of the following:
- The Aggregation interval.
- Whether to include metadata in the final log entries. By default, Include metadata includes all fields.
- The Sample rate.
100%means that all entries are kept.
Populate other fields as appropriate.
Click Add.
gcloud
-
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Run the following command:
gcloud compute networks subnets create SUBNET_NAME \ --enable-flow-logs \ [--logging-aggregation-interval=AGGREGATION_INTERVAL] \ [--logging-flow-sampling=SAMPLE_RATE] \ [--logging-filter-expr=FILTER_EXPRESSION] \ [--logging-metadata=LOGGING_METADATA] \ [--logging-metadata-fields=METADATA_FIELDS] \ [other flags as needed]
Replace the following:
AGGREGATION_INTERVAL: the aggregation interval for flow logs in that subnet. The interval can be set to any of the following: 5-sec (default), 30-sec, 1-min, 5-min, 10-min, or 15-min.SAMPLE_RATE: the flow sampling rate. Flow sampling can be set from0.0(no sampling) to1.0(all logs). Default is0.5.FILTER_EXPRESSION: an expression that defines which logs you want to keep. The expression has a limit of 2,048 characters. For details, see Log filtering.LOGGING_METADATA: the metadata annotations that you want to include in the logs:include-allto include all metadata annotationsexclude-allto exclude all metadata annotations (default)customto include a custom list of metadata fields that you specify inMETADATA_FIELDS.
METADATA_FIELDS: a comma-separated list of metadata fields you want to include in the logs. For example,src_instance,dst_instance. Can only be set ifLOGGING_METADATAis set tocustom.
API
Enable VPC Flow Logs when you create a new subnet.
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks
{
"logConfig": {
"aggregationInterval": "AGGREGATION_INTERVAL",
"flowSampling": SAMPLING_RATE,
"filterExpr": EXPRESSION,
"metadata": METADATA_SETTING,
"metadataFields": METADATA_FIELDS,
"enable": true
},
"ipCidrRange": "IP_RANGE",
"network": "NETWORK_URL",
"name": "SUBNET_NAME"
}
Replace the placeholders with valid values:
PROJECT_IDis the ID of the project where the subnet will be created.REGIONis the region where the subnet will be created.AGGREGATION_INTERVALsets the aggregation interval for flow logs in the subnet. The interval can be set to any of the following:INTERVAL_5_SEC,INTERVAL_30_SEC,INTERVAL_1_MIN,INTERVAL_5_MIN,INTERVAL_10_MIN, orINTERVAL_15_MIN.SAMPLING_RATEis the flow sampling rate. Flow sampling can be set from0.0(no sampling) to1.0(all logs). Default is.0.5.EXPRESSIONis the filter expression you use to filter which logs are actually written. The expression has a limit of 2,048 characters. For details, see Log filtering.METADATA_SETTINGspecifies whether all metadata is logged (INCLUDE_ALL_METADATA), no metadata is logged (EXCLUDE_ALL_METADATA), or only specific metadata is logged (CUSTOM_METADATA). If this field is set toCUSTOM_METADATA, also populate themetadataFieldsfield. Default isEXCLUDE_ALL_METADATA. Refer to metadata annotations for details.METADATA_FIELDSare the metadata fields you wish to capture when you have setmetadata: CUSTOM_METADATA. This is a comma-separated list of metadata fields, such assrc_instance, src_vpc.project_id.IP_RANGEis the primary internal IP address range of the subnet.NETWORK_URLis the VPC network URL where the subnet will be created.SUBNET_NAMEis a name for the subnet.
For more information, refer to the
subnetworks.insert
method.
Terraform
You can use a Terraform module to create a custom mode VPC network and subnets.
The following example creates three subnets as follows:
subnet-01has VPC Flow Logs disabled. When you create a subnet, VPC Flow Logs are disabled unless you explicitly enable them.subnet-02has VPC Flow Logs enabled with the default flow log settings.subnet-03has VPC Flow Logs enabled with some custom settings.
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
Enable VPC Flow Logs for an existing subnet
Console
In the Google Cloud console, go to the VPC networks page.
Click the subnet that you want to update.
Click Edit.
For Flow logs, select On.
If you want to adjust log sampling and aggregation, click Configure logs and adjust any of the following:
- The Aggregation interval.
- Whether to include metadata in the final log entries. By default, Include metadata includes all fields.
- The Sample rate.
100%means that all entries are kept.
Click Save.
gcloud
-
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Run the following command:
gcloud compute networks subnets update SUBNET_NAME \ --enable-flow-logs \ [--logging-aggregation-interval=AGGREGATION_INTERVAL] \ [--logging-flow-sampling=SAMPLE_RATE] \ [--logging-filter-expr=FILTER_EXPRESSION] \ [--logging-metadata=LOGGING_METADATA] \ [--logging-metadata-fields=METADATA_FIELDS] \ [other flags as needed]
Replace the following:
AGGREGATION_INTERVAL: the aggregation interval for flow logs in that subnet. The interval can be set to any of the following: 5-sec (default), 30-sec, 1-min, 5-min, 10-min, or 15-min.SAMPLE_RATE: the flow sampling rate. Flow sampling can be set from0.0(no sampling) to1.0(all logs). Default is0.5.FILTER_EXPRESSIONis an expression that defines which logs you want to keep. The expression has a limit of 2,048 characters. For details, see Log filtering.LOGGING_METADATA: the metadata annotations that you want to include in the logs:include-allto include all metadata annotationsexclude-allto exclude all metadata annotations (default)customto include a custom list of metadata fields that you specify inMETADATA_FIELDS.
METADATA_FIELDS: a comma-separated list of metadata fields you want to include in the logs. For example,src_instance,dst_instance. Can only be set ifLOGGING_METADATAis set tocustom.
API
Enable VPC Flow Logs for an existing subnet.
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME
{
"logConfig": {
"enable": true
...other logging fields.
},
"fingerprint": "SUBNETWORK_FINGERPRINT"
}
Replace the placeholders with valid values:
PROJECT_IDis the ID of the project where the subnet is located.REGIONis the region where the subnet is located.SUBNET_NAMEis the name of the existing subnet.SUBNET_FINGERPRINTis the fingerprint ID for the existing subnet, which is provided when you describe a subnet.- For the other logging fields, see Enabling VPC Flow Logging when you create a subnet.
For more information, refer to the
subnetworks.patch
method.
View estimated log volume for existing subnets
The Google Cloud console provides an estimate of your log volume for existing subnets, which you can then use to estimate the cost of enabling flow logs. The estimate is based on flows captured at 5-second intervals for the subnet over the previous 7 days. Also, the size of each log depends on whether you enable metadata annotations.
Console
In the Google Cloud console, go to the VPC networks page.
Click the subnet that you want to estimate costs for.
Click Edit.
For Flow logs, select On.
Click Configure logs.
View Estimated logs generated per day to see the estimate.
Click Cancel so that none of your changes are saved.
View which subnets have VPC Flow Logs enabled
You can check which subnets in a network have VPC Flow Logs enabled.
Console
In the Google Cloud console, go to the VPC networks page.
View the Flow logs column to see if logging is on or off.
gcloud
-
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Run the following command:
gcloud compute networks subnets list \ --project PROJECT_ID \ --network="NETWORK" \ --format="csv(name,region,logConfig.enable)"
Replace the following:
PROJECT_ID: the ID of the project you are querying.NETWORK: the name of the network containing the subnets.
Update VPC Flow Logs parameters
You can modify log sampling parameters. See Log sampling and aggregation for details on the parameters you can control.
To customize metadata fields or configure log filtering, use the gcloud CLI or API.
Console
In the Google Cloud console, go to the VPC networks page.
Click the subnet that you want to update.
Click Edit.
If you want to adjust log sampling and aggregation, click Configure logs and adjust any of the following:
- The Aggregation interval.
- Whether to include metadata in the final log entries. By default, Include metadata includes all fields.
- The Sample rate.
100%means that all entries are kept.
Click Save.
gcloud
-
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Run the following command:
gcloud compute networks subnets update SUBNET_NAME \ [--logging-aggregation-interval=AGGREGATION_INTERVAL] \ [--logging-flow-sampling=SAMPLE_RATE] \ [--logging-filter-expr=FILTER_EXPRESSION] \ [--logging-metadata=LOGGING_METADATA] \ [--logging-metadata-fields=METADATA_FIELDS] \
Replace the following:
AGGREGATION_INTERVAL: the aggregation interval for flow logs in that subnet. The interval can be set to any of the following: 5-sec (default), 30-sec, 1-min, 5-min, 10-min, or 15-min.SAMPLE_RATE: the flow sampling rate. Flow sampling can be set from0.0(no sampling) to1.0(all logs). Default is0.5.FILTER_EXPRESSIONis an expression that defines what logs you want to keep. The expression has a limit of 2,048 characters. For details, see Log filtering.LOGGING_METADATA: the metadata annotations that you want to include in the logs:include-allto include all metadata annotationsexclude-allto exclude all metadata annotations (default)customto include a custom list of metadata fields that you specify inMETADATA_FIELDS.
METADATA_FIELDS: a comma-separated list of metadata fields you want to include in the logs. For example,src_instance,dst_instance. Can only be set ifLOGGING_METADATAis set tocustom.
API
Modify the log sampling fields to update VPC Flow Logs behaviors.
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME
{
"logConfig": {
...fields to modify
},
"fingerprint": "SUBNETWORK_FINGERPRINT"
}
Replace the placeholders with valid values:
PROJECT_IDis the ID of the project where the subnet is located.REGIONis the region where the subnet is located.SUBNET_NAMEis the name of the existing subnet.SUBNET_FINGERPRINTis the fingerprint ID for the existing subnet, which is provided when you describe a subnet.- For the fields that you can modify, see Enabling VPC Flow Logging when you create a subnet.
For more information, refer to the
subnetworks.patch
method.
Disable VPC Flow Logs for a subnet
Console
In the Google Cloud console, go to the VPC networks page.
Click the subnet that you want to update.
Click Edit.
For Flow logs, select Off.
Click Save.
gcloud
-
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Run the following command:
gcloud compute networks subnets update SUBNET_NAME \ --no-enable-flow-logs
API
Disable VPC Flow Logs on a subnet to stop collecting log records.
PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME
{
"logConfig": {
"enable": false
},
"fingerprint": "SUBNETWORK_FINGERPRINT"
}
Replace the placeholders with valid values:
PROJECT_IDis the ID of the project where the subnet is located.REGIONis the region where the subnet is located.SUBNET_NAMEis the name of the existing subnet.SUBNET_FINGERPRINTis the fingerprint ID for the existing subnet, which is provided when you describe a subnet.
For more information, refer to the
subnetworks.patch
method.
Access logs by using Logging
You can view VPC Flow Logs by using the Logs Explorer. To use the following queries, you need your project's project ID.
Configure IAM
To configure access control for logging, see the access control guide for Logging.
Access all flow logs
Console
In the Google Cloud console, go to the Logs Explorer page.
Click Resource.
In the Select resource list, click Subnetwork, and then click Apply.
Click Log name.
In the Select log names list, click vpc_flows, and then click Apply.
Alternatively:
Console
In the Google Cloud console, go to the Logs Explorer page.
If you don't see the query editor field in the Query pane, click the Show query toggle.
Paste the following into the query editor field. Replace
PROJECT_IDwith your project ID.resource.type="gce_subnetwork" logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Fvpc_flows"
Click Run query.
Access logs for a specific subnet
Console
In the Google Cloud console, go to the Logs Explorer page.
Click Resource.
In the Select resource list, click Subnetwork.
In the Subnetwork ID list, select the subnet, and then click Apply.
In the Select log names list, click vpc_flows, and then click Apply.
Alternatively:
Console
In the Google Cloud console, go to the Logs Explorer page.
If you don't see the query editor field in the Query pane, click the Show query toggle.
Paste the following into the query editor field. Replace
PROJECT_IDwith your project ID andSUBNET_NAMEwith your subnetwork.resource.type="gce_subnetwork" logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Fvpc_flows" resource.labels.subnetwork_name="SUBNET_NAME"
Click Run query.
Access logs for a specific VM
Console
In the Google Cloud console, go to the Logs Explorer page.
If you don't see the query editor field in the Query pane, click the Show query toggle.
Paste the following into the query editor field. Replace
PROJECT_IDwith your project ID andVM_NAMEwith the name of your VM.resource.type="gce_subnetwork" logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Fvpc_flows" jsonPayload.src_instance.vm_name="VM_NAME"
Click Run query.
Access logs for traffic to a specific subnet range
Console
In the Google Cloud console, go to the Logs Explorer page.
If you don't see the query editor field in the Query pane, click the Show query toggle.
Paste the following into the query editor field. Replace
PROJECT_IDwith your project ID andSUBNET_RANGEwith a CIDR range such as192.168.1.0/24.resource.type="gce_subnetwork" logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Fvpc_flows" ip_in_net(jsonPayload.connection.dest_ip, SUBNET_RANGE)
Click Run query.
Access logs for a specific GKE cluster
Console
In the Google Cloud console, go to the Logs Explorer page.
If you don't see the query editor field in the Query pane, click the Show query toggle.
Paste the following into the query editor field. Replace
PROJECT_IDwith your project ID andSUBNET_NAMEwith the name of your subnetwork.resource.type="k8s_cluster" logName="projects/PROJECT_ID/logs/vpc_flows" resource.labels.cluster_name="CLUSTER_NAME"
Click Run query.
Access logs for only egress traffic from a subnet
Console
In the Google Cloud console, go to the Logs Explorer page.
If you don't see the query editor field in the Query pane, click the Show query toggle.
Paste the following into the query editor field. Replace
PROJECT_IDwith the ID of your project andSUBNET_NAMEwith the name of the subnet to view egress traffic from.logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Fvpc_flows" AND jsonPayload.reporter="SRC" AND jsonPayload.src_vpc.subnetwork_name="SUBNET_NAME" AND (jsonPayload.dest_vpc.subnetwork_name!="SUBNET_NAME" OR NOT jsonPayload.dest_vpc.subnetwork_name:*)
Click Run query.
Access logs for all egress traffic from a VPC network
Console
In the Google Cloud console, go to the Logs Explorer page.
If you don't see the query editor field in the Query pane, click the Show query toggle.
Paste the following into the query editor field. Replace
PROJECT_IDwith the ID of your project andVPC_NAMEwith the name of your VPC network.logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Fvpc_flows" AND jsonPayload.reporter="SRC" AND jsonPayload.src_vpc.vpc_name="VPC_NAME" AND (jsonPayload.dest_vpc.vpc_name!="VPC_NAME" OR NOT jsonPayload.dest_vpc:*)
Click Run query.
Access logs for specific ports and protocols
For an individual destination port
Console
In the Google Cloud console, go to the Logs Explorer page.
If you don't see the query editor field in the Query pane, click the Show query toggle.
Paste the following into the query editor field. Replace
PROJECT_IDwith your project ID,PORTwith the destination port, andPROTOCOLwith the protocol.resource.type="gce_subnetwork" logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Fvpc_flows" jsonPayload.connection.dest_port=PORT jsonPayload.connection.protocol=PROTOCOL
Click Run query.
For more than one destination port
Console
In the Google Cloud console, go to the Logs Explorer page.
If you don't see the query editor field in the Query pane, click the Show query toggle.
Paste the following into the query editor field. Replace
PROJECT_IDwith your project ID,PORT1andPORT2with the destination ports, andPROTOCOLwith the protocol.resource.type="gce_subnetwork" logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Fvpc_flows" jsonPayload.connection.dest_port=(PORT1 OR PORT2) jsonPayload.connection.protocol=PROTOCOL
Click Run query.
Route logs to BigQuery, Pub/Sub, and custom targets
You can route flow logs from Logging to a destination of your choice as described in the Routing and storage overview in the Logging documentation. Refer to the previous section for example filters.
Troubleshooting
No vpc_flows appear in Logging for the gce_subnetwork resource
- Confirm that logging is enabled for the given subnet.
- VPC flows are only supported for VPC networks. If you have a legacy network, you will not see any logs.
- In Shared VPC networks, logs only appear in the host project, not the service projects. Make sure you look for the logs in the host project.
- Logging exclusion filters block specified logs.
Make sure there are no exclusion rules that discard VPC Flow Logs.
- Go to Resource usage.
- Click the Exclusions tab.
- Make sure there are no exclusion rules that might discard VPC Flow Logs.
No RTT or byte values on some of the logs
- RTT measurements may be missing if not enough packets were sampled to capture RTT. This is more likely to happen for low volume connections.
- RTT values are available only for TCP flows.
- Some packets are sent with no payload. If header-only packets were sampled, the bytes value will be 0.
Some flows are missing
- Only TCP, UDP, ICMP, ESP, and GRE protocols are supported. VPC Flow Logs does not support any other protocols.
- Logs are sampled. Some packets in very low volume flows might be missed.
Missing GKE annotations in some logs
Make sure that your GKE cluster is a supported version.
Missing logs for some GKE flows
Make sure Intranode visibility is enabled in the cluster. Otherwise, flows between Pods on the same node are not logged.
Flow logs appear to be disabled even though you enabled them
When you're configuring a proxy-only subnet for internal Application Load Balancers and you're using the
gcloud compute networks subnetscommand to enable VPC Flow Logs, the command appears to succeed, but flow logs aren't actually enabled. The--enable-flow-logsflag doesn't take effect when you also include the--purpose=INTERNAL_HTTPS_LOAD_BALANCERflag.When you use the Google Cloud console or the API to enable flow logs, you see the error message: "Invalid value for field 'resource.enableFlowLogs': 'true'. Invalid field set in subnetwork with purpose INTERNAL_HTTPS_LOAD_BALANCER."
Because proxy-only subnets have no VMs, VPC Flow Logs is not supported. This is intended behavior.
What's next
- View Logging documentation
- View Logging sinks documentation