Configure VPC Flow Logs

This page explains how to configure VPC Flow Logs. It assumes that you are familiar with the concepts described in VPC Flow Logs and About VPC Flow Logs records.

Before you begin

Configure at least one of the following:

The Network Management API lets you configure VPC Flow Logs for organizations, Virtual Private Cloud (VPC) networks, subnets, VLAN attachments for Cloud Interconnect, and Cloud VPN tunnels. To use the Network Management API, do the following:
1. Enable the Network Management API in your Google Cloud project.
  
  Enable Network Management API
2. Make sure that you have the Network Management Admin role (roles/networkmanagement.admin), granted as follows:
  - Organization level (required if you want to configure VPC Flow Logs for an organization)
  - Project level (required if you want to configure VPC Flow Logs for a VPC network, subnet, VLAN attachment, or Cloud VPN tunnel)
3. Additionally, if you want to configure VPC Flow Logs for an organization, make sure you have the resourcemanager.organizations.get permission.
The Compute Engine API lets you configure VPC Flow Logs for subnets. Configurations created with the Compute Engine API can't be managed with the Network Management API. To use the Compute Engine API, do the following:
1. Enable the Compute Engine API in your Google Cloud project.
  
  Enable Compute Engine API
2. Make sure that you have one of the following roles on the project:
  - Compute Admin role (roles/compute.admin)
  - Compute Network Admin role (roles/compute.networkAdmin)

Set up the Google Cloud CLI

Skip this step if you don't plan to use the gcloud CLI to configure VPC Flow Logs.

In the Google Cloud console, activate Cloud Shell.

Activate Cloud Shell

At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

Enable VPC Flow Logs

You enable VPC Flow Logs for a resource by creating a VPC Flow Logs configuration. VPC Flow Logs lets you create configurations at the organization and project levels:

An organization-level configuration enables flow logs for all subnets, VLAN attachments, and Cloud VPN tunnels in all VPC networks in the organization. These configurations enable cross-project annotations by default.
A project-level configuration lets you enable flow logs for the following resources:
- A specific VPC network, which includes all subnets, VLAN attachments, and Cloud VPN tunnels in the network
- A specific subnet, VLAN attachment, or Cloud VPN tunnel

You can add more than one VPC Flow Logs configuration per resource. Each configuration generates a separate set of flow logs. If you associate a resource with multiple VPC Flow Logs configurations and their scope overlaps, your logging information might contain duplicate logs. For more information, see Supported configurations.

You can also modify the amount of information written to logging. For more information about the parameters that you can control, see Log sampling and processing.

Enable VPC Flow Logs for a subnet

When you enable VPC Flow Logs for a subnet, you enable logging for all VMs in the subnet.

Enable VPC Flow Logs for a subnet (Network Management API)

This section describes how to enable VPC Flow Logs for a subnet by using the Network Management API.

Console

In the Google Cloud console, go to the VPC networks page.

Go to VPC networks
In the Subnets in current project tab, select one or more subnets and then click Manage flow logs.
In Manage flow logs, click Add new configuration.
In the Configurations — Subnets (Preview) section, click Add a configuration.
For Name, enter a name for the new VPC Flow Logs configuration.
Optional: Adjust the Aggregation interval and any of the settings in the Advanced settings section:
- Whether to configure log filtering. By default, Keep only logs that match a filter is deselected.
- Whether to include metadata in the final log entries. By default, Metadata annotations includes all fields.
- The Secondary sampling rate. 100% means that all entries generated by the primary flow log sampling process are kept. The primary flow log sampling rate isn't configurable. For more information, see Log sampling and processing.
Click Save.

gcloud

To enable VPC Flow Logs for a subnet, use the gcloud beta network-management vpc-flow-logs-configs create command.

You enable VPC Flow Logs by creating a VPC Flow Logs configuration. You can create the configuration with all of its parameters set to their default values, or you can customize the default values.

In the gcloud CLI, set your project to the Google Cloud project ID of the subnet and run one of the following commands:

To create a default VPC Flow Logs configuration, run the following command:

gcloud beta network-management vpc-flow-logs-configs create CONFIG_NAME \
    --location=global \
    --subnet=SUBNET

To create a custom VPC Flow Logs configuration, specify each parameter that you want to customize.

For example, to customize the aggregation interval, filtering, secondary sampling rate, and metadata parameters when creating a VPC Flow Logs configuration, run the following command:
```
gcloud beta network-management vpc-flow-logs-configs create CONFIG_NAME \
    --location=global \
    --subnet=SUBNET \
    --aggregation-interval=AGGREGATION_INTERVAL \
    --filter-expr=FILTER_EXPRESSION \
    --flow-sampling=SAMPLING_RATE \
    --metadata=LOGGING_METADATA
```
Replace the following:
- CONFIG_NAME: a name for the configuration.
- SUBNET: the subnet that you want to log. Must be specified in the following format: projects/PROJECT_ID/regions/REGION/subnetworks/NAME, where:
  - PROJECT_ID is the ID of the Google Cloud project that contains the subnet. The configuration must be created in this project.
  - REGION is the region of the subnet.
  - NAME is the name of the subnet.
To set the optional parameters in a custom configuration, replace the following:
- AGGREGATION_INTERVAL: the aggregation interval for flow logs generated by this configuration. This parameter can be set to interval-5-sec(default), interval-30-sec, interval-1-min, interval-5-min,interval-10-min, or interval-15-min.
- FILTER_EXPRESSION: an expression that defines which logs you want to keep. The expression has a limit of 2,048 characters. For more information, see Log filtering.
- SAMPLING_RATE: the secondary flow sampling rate. This parameter can be set from greater than 0.0 to 1.0 (all logs, default). For more information, see Log sampling and processing.
- LOGGING_METADATA: the metadata annotations that you want to include in the logs:
  - Use include-all-metadata to include all metadata annotations (default).
  - Use exclude-all-metadata to exclude all metadata annotations.
  - Use custom-metadata to include a custom list of metadata fields. To specify the metadata fields, use the --metadata-fields flag:
    - --metadata-fields=METADATA_FIELDS: replace METADATA_FIELDS with a comma-separated list of metadata fields that you want to include in the logs. For example, src_instance,dst_instance. Can be set only if metadata is set to custom-metadata.

API

To enable VPC Flow Logs for a subnet, use the projects.locations.vpcFlowLogsConfigs.create method.

You enable VPC Flow Logs by creating a VPC Flow Logs configuration. You can create the configuration with all of its parameters set to their default values, or you can customize the default values.

To create a default VPC Flow Logs configuration, include the following parameters in your API request:

POST https://networkmanagement.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/vpcFlowLogsConfigs?vpc_flow_logs_config_id=CONFIG_NAME
{
  "subnet": "SUBNET"
}

To create a custom VPC Flow Logs configuration, specify each parameter that you want to customize.

For example, to customize the aggregation interval, filtering, secondary sampling rate, and metadata parameters when creating a VPC Flow Logs configuration, include the following parameters in your API request:

POST https://networkmanagement.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/vpcFlowLogsConfigs?vpc_flow_logs_config_id=CONFIG_NAME
{
  "subnet": "SUBNET",
  "aggregationInterval": "AGGREGATION_INTERVAL",
  "filterExpr": "FILTER_EXPRESSION",
  "flowSampling": SAMPLING_RATE,
  "metadata": "LOGGING_METADATA"
}

Replace the following:

PROJECT_ID: the Google Cloud project ID of the subnet.
CONFIG_NAME: a name for the configuration.
SUBNET: the subnet that you want to log. Must be specified in the following format: projects/PROJECT_ID/regions/REGION/subnetworks/NAME, where:
- PROJECT_ID is the project ID of the subnet.
- REGION is the region of the subnet.
- NAME is the name of the subnet.

To set the optional parameters in a custom configuration, replace the following:

AGGREGATION_INTERVAL: the aggregation interval for flow logs generated by this configuration. This parameter can be set to INTERVAL_5_SEC (default), INTERVAL_30_SEC, INTERVAL_1_MIN, INTERVAL_5_MIN, INTERVAL_10_MIN, or INTERVAL_15_MIN.
FILTER_EXPRESSION: an expression that defines which logs you want to keep. The expression has a limit of 2,048 characters. For more information, see Log filtering.
SAMPLING_RATE: the secondary flow sampling rate. This parameter can be set from greater than 0.0 to 1.0 (all logs, default). For more information, see Log sampling and processing.
LOGGING_METADATA: the metadata annotations that you want to include in the logs:
- Use INCLUDE_ALL_METADATA to include all metadata annotations (default).
- Use EXCLUDE_ALL_METADATA to exclude all metadata annotations.
- Use CUSTOM_METADATA to include a custom list of metadata fields. To specify the metadata fields, use the metadataFields parameter:
  - metadataFields: METADATA_FIELDS: replace METADATA_FIELDS with a comma-separated list of metadata fields that you want to include in the logs. For example, src_instance,dst_instance. Can be set only if metadata is set to CUSTOM_METADATA.

Enable VPC Flow Logs for a subnet (Compute Engine API)

This section describes how to enable VPC Flow Logs for a subnet by using the Compute Engine API. You can enable VPC Flow Logs when you create a subnet or for an existing subnet.

Enable VPC Flow Logs when you create a subnet

Console

In the Google Cloud console, go to the VPC networks page.

Go to VPC networks
Click the network where you want to add a subnet.
Click Add subnet.
For Flow logs, select On.
Optional: Adjust the Aggregation interval and any of the following settings in the Advanced settings section:
- Whether to configure log filtering. By default, Keep only logs that match a filter is deselected.
- Whether to include metadata in the final log entries. By default, Metadata annotations includes all fields.
- The Secondary sampling rate. 50% means that half of entries generated by the primary flow log sampling process are kept. The primary flow log sampling rate isn't configurable. For more information, see Log sampling and processing.
Populate other fields as appropriate.
Click Add.

gcloud

Run the following command:

gcloud compute networks subnets create SUBNET_NAME \
    --enable-flow-logs \
    [--logging-aggregation-interval=AGGREGATION_INTERVAL] \
    [--logging-flow-sampling=SAMPLING_RATE] \
    [--logging-filter-expr=FILTER_EXPRESSION] \
    [--logging-metadata=LOGGING_METADATA] \
    [--logging-metadata-fields=METADATA_FIELDS] \
    [other flags as needed]

Replace the following:

AGGREGATION_INTERVAL: the aggregation interval for flow logs in that subnet. The interval can be set to any of the following: 5-sec (default), 30-sec, 1-min, 5-min, 10-min, or 15-min.
SAMPLING_RATE: the secondary flow sampling rate. Secondary flow sampling can be set from 0.0 (no sampling) to 1.0 (all logs). Default is 0.5. For more information, see Log sampling and processing.
FILTER_EXPRESSION: an expression that defines which logs you want to keep. The expression has a limit of 2,048 characters. For details, see Log filtering.
LOGGING_METADATA: the metadata annotations that you want to include in the logs:
- Use include-all to include all metadata annotations.
- Use exclude-all to exclude all metadata annotations (default).
- Use custom to include a custom list of metadata fields that you specify in METADATA_FIELDS.
Note: If a subnet had flow logging enabled at any time before March 1, 2021, and if LOGGING_METADATA was never explicitly configured, the default value for LOGGING_METADATA is include-all.
METADATA_FIELDS: a comma-separated list of metadata fields you want to include in the logs. For example, src_instance,dst_instance. Can be set only if LOGGING_METADATA is set to custom.

API

Enable VPC Flow Logs when you create a new subnet.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks
{
  "logConfig": {
    "aggregationInterval": "AGGREGATION_INTERVAL",
    "flowSampling": SAMPLING_RATE,
    "filterExpr": EXPRESSION,
    "metadata": METADATA_SETTING,
    "metadataFields": METADATA_FIELDS,
    "enable": true
  },
  "ipCidrRange": "IP_RANGE",
  "network": "NETWORK_URL",
  "name": "SUBNET_NAME"
}

Replace the following:

PROJECT_ID: the ID of the project where the subnet will be created.
REGION: the region where the subnet will be created.
AGGREGATION_INTERVAL: the aggregation interval for flow logs in the subnet. The interval can be set to any of the following: INTERVAL_5_SEC, INTERVAL_30_SEC, INTERVAL_1_MIN, INTERVAL_5_MIN, INTERVAL_10_MIN, or INTERVAL_15_MIN.
SAMPLING_RATE: the flow sampling rate. Flow sampling can be set from 0.0 (no sampling) to 1.0 (all logs). Default is .0.5.
EXPRESSION: the filter expression you use to filter which logs are actually written. The expression has a limit of 2,048 characters. For details, see Log filtering.
METADATA_SETTING: the metadata annotations that you want to include in the logs:
- Use INCLUDE_ALL_METADATA to include all metadata annotations.
- Use EXCLUDE_ALL_METADATA to exclude all metadata annotations (default).
- Use CUSTOM_METADATA to include a custom list of metadata fields that you specify in METADATA_FIELDS.
Note: If a subnet had flow logging enabled at any time before March 1, 2021, and if METADATA_SETTING was never explicitly configured, the default value for METADATA_SETTING is INCLUDE_ALL_METADATA.
METADATA_FIELDS: the metadata fields you want to capture when you have set metadata: CUSTOM_METADATA. This is a comma-separated list of metadata fields, such as src_instance, src_vpc.project_id.
IP_RANGE: the primary internal IP address range of the subnet.
NETWORK_URL: the Virtual Private Cloud network URL where the subnet will be created.
SUBNET_NAME: a name for the subnet.

For more information, refer to the subnetworks.insert method.

Terraform

You can use a Terraform module to create a custom mode VPC network and subnets.

The following example creates three subnets as follows:

subnet-01 has VPC Flow Logs disabled. When you create a subnet, VPC Flow Logs are disabled unless you explicitly enable them.
subnet-02 has VPC Flow Logs enabled with the default flow log settings.
subnet-03 has VPC Flow Logs enabled with some custom settings.

module "test-vpc-module" {
  source       = "terraform-google-modules/network/google"
  version      = "~> 10.0"
  project_id   = var.project_id # Replace this with your project ID in quotes
  network_name = "my-custom-mode-network"
  mtu          = 1460

  subnets = [
    {
      subnet_name   = "subnet-01"
      subnet_ip     = "10.10.10.0/24"
      subnet_region = "us-west1"
    },
    {
      subnet_name           = "subnet-02"
      subnet_ip             = "10.10.20.0/24"
      subnet_region         = "us-west1"
      subnet_private_access = "true"
      subnet_flow_logs      = "true"
    },
    {
      subnet_name               = "subnet-03"
      subnet_ip                 = "10.10.30.0/24"
      subnet_region             = "us-west1"
      subnet_flow_logs          = "true"
      subnet_flow_logs_interval = "INTERVAL_10_MIN"
      subnet_flow_logs_sampling = 0.7
      subnet_flow_logs_metadata = "INCLUDE_ALL_METADATA"
      subnet_flow_logs_filter   = "false"
    }
  ]
}

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

Enable VPC Flow Logs for an existing subnet

Console

In the Google Cloud console, go to the VPC networks page.

Go to VPC networks
Click the subnet that you want to update.
Click Edit.
For Flow logs, select On.
Optional: Adjust the Aggregation interval and any of the following settings in the Advanced settings section:
- Whether to configure log filtering. By default, Keep only logs that match a filter is deselected.
- Whether to include metadata in the final log entries. By default, Metadata annotations includes all fields.
- The Secondary sampling rate. 50% means that half of entries generated by the primary flow log sampling process are kept. The primary flow log sampling rate isn't configurable. For more information, see Log sampling and processing.
Click Save.

gcloud

Run the following command:

gcloud compute networks subnets update SUBNET_NAME \
    --enable-flow-logs \
    [--logging-aggregation-interval=AGGREGATION_INTERVAL] \
    [--logging-flow-sampling=SAMPLING_RATE] \
    [--logging-filter-expr=FILTER_EXPRESSION] \
    [--logging-metadata=LOGGING_METADATA] \
    [--logging-metadata-fields=METADATA_FIELDS] \
    [other flags as needed]

Replace the following:

AGGREGATION_INTERVAL: the aggregation interval for flow logs in that subnet. The interval can be set to any of the following: 5-sec (default), 30-sec, 1-min, 5-min, 10-min, or 15-min.
SAMPLING_RATE: the secondary flow sampling rate. Secondary flow sampling can be set from 0.0 (no sampling) to 1.0 (all logs). Default is 0.5. For more information, see Log sampling and processing.
FILTER_EXPRESSION: an expression that defines which logs you want to keep. The expression has a limit of 2,048 characters. For details, see Log filtering.
LOGGING_METADATA: the metadata annotations that you want to include in the logs:
- Use include-all to include all metadata annotations.
- Use exclude-all to exclude all metadata annotations (default).
- Use custom to include a custom list of metadata fields that you specify in METADATA_FIELDS.
Note: If a subnet had flow logging enabled at any time before March 1, 2021, and if LOGGING_METADATA was never explicitly configured, the default value for LOGGING_METADATA is include-all.
METADATA_FIELDS: a comma-separated list of metadata fields you want to include in the logs. For example, src_instance,dst_instance. Can be set only if LOGGING_METADATA is set to custom.

API

Enable VPC Flow Logs for an existing subnet.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME
{
  "logConfig": {
    "enable": true
    ...other logging fields.
  },
  "fingerprint": "SUBNET_FINGERPRINT"
}

Replace the following:

PROJECT_ID: the ID of the project where the subnet is located.
REGION: the region where the subnet is located.
SUBNET_NAME: the name of the existing subnet.
SUBNET_FINGERPRINT: the fingerprint ID for the existing subnet, which is provided when you describe a subnet.
For the other logging fields, see Enabling VPC Flow Logging when you create a subnet.

For more information, refer to the subnetworks.patch method.

Enable VPC Flow Logs for a VLAN attachment

Console

In the Google Cloud console, go to the Interconnect page.

Go to Interconnect
In the VLAN attachments tab, select one or more VLAN attachments and then click Manage flow logs in the selection bar at the top of the list.
In Manage flow logs, click Add new configuration.
For Name, enter a name for the new VPC Flow Logs configuration.
Optional: Adjust the Aggregation interval and any of the settings in the Advanced settings section:
- Whether to configure log filtering. By default, Keep only logs that match a filter is deselected.
- Whether to include metadata in the final log entries. By default, Metadata annotations includes all fields.
- The Secondary sampling rate. 100% means that all entries generated by the primary flow log sampling process are kept. The primary flow log sampling rate isn't configurable. For more information, see Log sampling and processing.
Click Save.

gcloud

To enable VPC Flow Logs for a VLAN attachment, use the gcloud network-management vpc-flow-logs-configs create command.

You enable VPC Flow Logs by creating a VPC Flow Logs configuration. You can create the configuration with all of its parameters set to their default values, or you can customize the default values.

In the gcloud CLI, set your project to the Google Cloud project ID of the VLAN attachment and run one of the following commands:

To create a default VPC Flow Logs configuration, run the following command:

gcloud network-management vpc-flow-logs-configs create CONFIG_NAME \
    --location=global \
    --interconnect-attachment=VLAN_ATTACHMENT

To create a custom VPC Flow Logs configuration, specify each parameter that you want to customize.

For example, to customize the aggregation interval, filtering, secondary sampling rate, and metadata parameters when creating a VPC Flow Logs configuration, run the following command:
```
gcloud network-management vpc-flow-logs-configs create CONFIG_NAME \
    --location=global \
    --interconnect-attachment=VLAN_ATTACHMENT \
    --aggregation-interval=AGGREGATION_INTERVAL \
    --filter-expr=FILTER_EXPRESSION \
    --flow-sampling=SAMPLING_RATE \
    --metadata=LOGGING_METADATA
```
Replace the following:
- CONFIG_NAME: a name for the configuration.
- VLAN_ATTACHMENT: the VLAN attachment that you want to log. Must be specified in the following format: projects/PROJECT_ID/regions/REGION/interconnectAttachments/NAME, where:
  - PROJECT_ID is the ID of the Google Cloud project that contains the VLAN attachment. The configuration must be created in this project.
  - REGION is the region of the VLAN attachment.
  - NAME is the name of the VLAN attachment.
To set the optional parameters in a custom configuration, replace the following:
- AGGREGATION_INTERVAL: the aggregation interval for flow logs generated by this configuration. This parameter can be set to interval-5-sec(default), interval-30-sec, interval-1-min, interval-5-min,interval-10-min, or interval-15-min.
- FILTER_EXPRESSION: an expression that defines which logs you want to keep. The expression has a limit of 2,048 characters. For more information, see Log filtering.
- SAMPLING_RATE: the secondary flow sampling rate. This parameter can be set from greater than 0.0 to 1.0 (all logs, default). For more information, see Log sampling and processing.
- LOGGING_METADATA: the metadata annotations that you want to include in the logs:
  - Use include-all-metadata to include all metadata annotations (default).
  - Use exclude-all-metadata to exclude all metadata annotations.
  - Use custom-metadata to include a custom list of metadata fields. To specify the metadata fields, use the --metadata-fields flag:
    - --metadata-fields=METADATA_FIELDS: replace METADATA_FIELDS with a comma-separated list of metadata fields that you want to include in the logs. For example, src_instance,dst_instance. Can be set only if metadata is set to custom-metadata.

Terraform

You can use a Terraform module to create a VPC Flow Logs configuration for a VLAN attachment.

The following code block creates a default VPC Flow Logs configuration.

resource "google_network_management_vpc_flow_logs_config" "vpc_flow_logs_config" {
  vpc_flow_logs_config_id = "vpcflowlogs-config"
  location                = "global"
  interconnect_attachment = google_compute_interconnect_attachment.attachment.id
}

The preceding example assumes that the name of the google_compute_interconnect_attachment resource is attachment. For a full example of this configuration, see the terraform-docs-samples repository.

The following code block creates a VPC Flow Logs configuration where:

The aggregation interval is set to INTERVAL_10_MIN.
The secondary flow sampling rate is set to 0.7.
The metadata to include in the logs is set to INCLUDE_ALL_METADATA.
The configuration state is set to ENABLED.

resource "google_network_management_vpc_flow_logs_config" "vpc_flow_logs_config" {
  vpc_flow_logs_config_id = "vpcflowlogs-config"
  location                = "global"
  interconnect_attachment = google_compute_interconnect_attachment.attachment.id
  aggregation_interval    = "INTERVAL_10_MIN"
  description             = "VPC Flow Logs over an Interconnect Attachment."
  flow_sampling           = 0.7
  metadata                = "INCLUDE_ALL_METADATA"
  state                   = "ENABLED"
}

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

API

To enable VPC Flow Logs for a VLAN attachment, use the projects.locations.vpcFlowLogsConfigs.create method.

You enable VPC Flow Logs by creating a VPC Flow Logs configuration. You can create the configuration with all of its parameters set to their default values, or you can customize the default values.

To create a default VPC Flow Logs configuration, include the following parameters in your API request:

POST https://networkmanagement.googleapis.com/v1/projects/PROJECT_ID/locations/global/vpcFlowLogsConfigs?vpc_flow_logs_config_id=CONFIG_NAME
{
  "interconnectAttachment": "VLAN_ATTACHMENT"
}

To create a custom VPC Flow Logs configuration, specify each parameter that you want to customize.

POST https://networkmanagement.googleapis.com/v1/projects/PROJECT_ID/locations/global/vpcFlowLogsConfigs?vpc_flow_logs_config_id=CONFIG_NAME
{
  "interconnectAttachment": "VLAN_ATTACHMENT",
  "aggregationInterval": "AGGREGATION_INTERVAL",
  "filterExpr": "FILTER_EXPRESSION",
  "flowSampling": SAMPLING_RATE,
  "metadata": "LOGGING_METADATA"
}

Replace the following:

PROJECT_ID: the Google Cloud project ID of the VLAN attachment.
CONFIG_NAME: a name for the configuration.
VLAN_ATTACHMENT: the VLAN attachment that you want to log. Must be specified in the following format: projects/PROJECT_ID/regions/REGION/interconnectAttachments/NAME, where:
- PROJECT_ID is the project ID of the VLAN attachment.
- REGION is the region of the VLAN attachment.
- NAME is the name of the VLAN attachment.

To set the optional parameters in a custom configuration, replace the following:

AGGREGATION_INTERVAL: the aggregation interval for flow logs generated by this configuration. This parameter can be set to INTERVAL_5_SEC (default), INTERVAL_30_SEC, INTERVAL_1_MIN, INTERVAL_5_MIN, INTERVAL_10_MIN, or INTERVAL_15_MIN.
FILTER_EXPRESSION: an expression that defines which logs you want to keep. The expression has a limit of 2,048 characters. For more information, see Log filtering.
SAMPLING_RATE: the secondary flow sampling rate. This parameter can be set from greater than 0.0 to 1.0 (all logs, default). For more information, see Log sampling and processing.
LOGGING_METADATA: the metadata annotations that you want to include in the logs:
- Use INCLUDE_ALL_METADATA to include all metadata annotations (default).
- Use EXCLUDE_ALL_METADATA to exclude all metadata annotations.
- Use CUSTOM_METADATA to include a custom list of metadata fields. To specify the metadata fields, use the metadataFields parameter:
  - metadataFields: METADATA_FIELDS: replace METADATA_FIELDS with a comma-separated list of metadata fields that you want to include in the logs. For example, src_instance,dst_instance. Can be set only if metadata is set to CUSTOM_METADATA.

Enable VPC Flow Logs for a Cloud VPN tunnel

Console

In the Google Cloud console, go to the VPN page.

Go to VPN
In the Cloud VPN tunnels tab, select one or more Cloud VPN tunnels and then click Manage flow logs in the selection bar at the top of the list.
In Manage flow logs, click Add new configuration.
For Name, enter a name for the new VPC Flow Logs configuration.
Optional: Adjust the Aggregation interval and any of the settings in the Advanced settings section:
- Whether to configure log filtering. By default, Keep only logs that match a filter is deselected.
- Whether to include metadata in the final log entries. By default, Metadata annotations includes all fields.
- The Secondary sampling rate. 100% means that all entries generated by the primary flow log sampling process are kept. The primary flow log sampling rate isn't configurable. For more information, see Log sampling and processing.
Click Save.

gcloud

To enable VPC Flow Logs for a Cloud VPN tunnel, use the gcloud network-management vpc-flow-logs-configs create command.

You enable VPC Flow Logs by creating a VPC Flow Logs configuration. You can create the configuration with all of its parameters set to their default values, or you can customize the default values.

In the gcloud CLI, set your project to the Google Cloud project ID of the Cloud VPN tunnel and run one of the following commands:

To create a default VPC Flow Logs configuration, run the following command:

gcloud network-management vpc-flow-logs-configs create CONFIG_NAME \
    --location=global \
    --vpn-tunnel=VPN_TUNNEL

To create a custom VPC Flow Logs configuration, specify each parameter that you want to customize.

For example, to customize the aggregation interval, filtering, secondary sampling rate, and metadata parameters when creating a VPC Flow Logs configuration, run the following command:
```
gcloud network-management vpc-flow-logs-configs create CONFIG_NAME \
    --location=global \
    --vpn-tunnel=VPN_TUNNEL \
    --aggregation-interval=AGGREGATION_INTERVAL \
    --filter-expr=FILTER_EXPRESSION \
    --flow-sampling=SAMPLING_RATE \
    --metadata=LOGGING_METADATA
```
Replace the following:
- CONFIG_NAME: a name for the configuration.
- VPN_TUNNEL: the Cloud VPN tunnel that you want to log. Must be specified in the following format: projects/PROJECT_ID/regions/REGION/vpnTunnels/NAME, where:
  - PROJECT_ID is the ID of the Google Cloud project that contains the Cloud VPN tunnel. The configuration must be created in this project.
  - REGION is the region of the Cloud VPN tunnel.
  - NAME is the name of the Cloud VPN tunnel.
To set the optional parameters in a custom configuration, replace the following:
- AGGREGATION_INTERVAL: the aggregation interval for flow logs generated by this configuration. This parameter can be set to interval-5-sec(default), interval-30-sec, interval-1-min, interval-5-min,interval-10-min, or interval-15-min.
- FILTER_EXPRESSION: an expression that defines which logs you want to keep. The expression has a limit of 2,048 characters. For more information, see Log filtering.
- SAMPLING_RATE: the secondary flow sampling rate. This parameter can be set from greater than 0.0 to 1.0 (all logs, default). For more information, see Log sampling and processing.
- LOGGING_METADATA: the metadata annotations that you want to include in the logs:
  - Use include-all-metadata to include all metadata annotations (default).
  - Use exclude-all-metadata to exclude all metadata annotations.
  - Use custom-metadata to include a custom list of metadata fields. To specify the metadata fields, use the --metadata-fields flag:
    - --metadata-fields=METADATA_FIELDS: replace METADATA_FIELDS with a comma-separated list of metadata fields that you want to include in the logs. For example, src_instance,dst_instance. Can be set only if metadata is set to custom-metadata.

Terraform

You can use a Terraform module to create a VPC Flow Logs configuration for a Cloud VPN tunnel.

The following code block creates a default VPC Flow Logs configuration.

resource "google_network_management_vpc_flow_logs_config" "vpc_flow_logs_config" {
  vpc_flow_logs_config_id = "vpcflowlogs-config"
  location                = "global"
  vpn_tunnel              = google_compute_vpn_tunnel.tunnel.id
}

The preceding example assumes that the name of the google_compute_vpn_tunnel resource is tunnel. For a full example of this configuration, see the terraform-docs-samples repository.

The following code block creates a VPC Flow Logs configuration where:

The aggregation interval is set to INTERVAL_10_MIN.
The secondary flow sampling rate is set to 0.7.
The metadata to include in the logs is set to INCLUDE_ALL_METADATA.
The configuration state is set to ENABLED.

resource "google_network_management_vpc_flow_logs_config" "vpc_flow_logs_config" {
  vpc_flow_logs_config_id = "vpcflowlogs-config"
  location                = "global"
  vpn_tunnel              = google_compute_vpn_tunnel.tunnel.id
  aggregation_interval    = "INTERVAL_10_MIN"
  description             = "VPC Flow Logs over a VPN Gateway."
  flow_sampling           = 0.7
  metadata                = "INCLUDE_ALL_METADATA"
  state                   = "ENABLED"
}

The preceding example assumes that the name of the google_compute_vpn_tunnel resource is tunnel. For a full example of this configuration, see the terraform-docs-samples repository.

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

API

To enable VPC Flow Logs for a Cloud VPN tunnel, use the projects.locations.vpcFlowLogsConfigs.create method.

You enable VPC Flow Logs by creating a VPC Flow Logs configuration. You can create the configuration with all of its parameters set to their default values, or you can customize the default values.

To create a default VPC Flow Logs configuration, include the following parameters in your API request:

POST https://networkmanagement.googleapis.com/v1/projects/PROJECT_ID/locations/global/vpcFlowLogsConfigs?vpc_flow_logs_config_id=CONFIG_NAME
{
  "vpnTunnel": "VPN_TUNNEL"
}

To create a custom VPC Flow Logs configuration, specify each parameter that you want to customize.

POST https://networkmanagement.googleapis.com/v1/projects/PROJECT_ID/locations/global/vpcFlowLogsConfigs?vpc_flow_logs_config_id=CONFIG_NAME
{
  "vpnTunnel": "VPN_TUNNEL",
  "aggregationInterval": "AGGREGATION_INTERVAL",
  "filterExpr": "FILTER_EXPRESSION",
  "flowSampling": SAMPLING_RATE,
  "metadata": "LOGGING_METADATA"
}

Replace the following:

PROJECT_ID: the Google Cloud project ID of the Cloud VPN tunnel.
CONFIG_NAME: a name for the configuration.
VPN_TUNNEL: the Cloud VPN tunnel that you want to log. Must be specified in the following format: projects/PROJECT_ID/regions/REGION/vpnTunnels/NAME, where:
- PROJECT_ID is the project ID of the Cloud VPN tunnel.
- REGION is the region of the Cloud VPN tunnel.
- NAME is the name of the Cloud VPN tunnel.

To set the optional parameters in a custom configuration, replace the following:

AGGREGATION_INTERVAL: the aggregation interval for flow logs generated by this configuration. This parameter can be set to INTERVAL_5_SEC (default), INTERVAL_30_SEC, INTERVAL_1_MIN, INTERVAL_5_MIN, INTERVAL_10_MIN, or INTERVAL_15_MIN.
FILTER_EXPRESSION: an expression that defines which logs you want to keep. The expression has a limit of 2,048 characters. For more information, see Log filtering.
SAMPLING_RATE: the secondary flow sampling rate. This parameter can be set from greater than 0.0 to 1.0 (all logs, default). For more information, see Log sampling and processing.
LOGGING_METADATA: the metadata annotations that you want to include in the logs:
- Use INCLUDE_ALL_METADATA to include all metadata annotations (default).
- Use EXCLUDE_ALL_METADATA to exclude all metadata annotations.
- Use CUSTOM_METADATA to include a custom list of metadata fields. To specify the metadata fields, use the metadataFields parameter:
  - metadataFields: METADATA_FIELDS: replace METADATA_FIELDS with a comma-separated list of metadata fields that you want to include in the logs. For example, src_instance,dst_instance. Can be set only if metadata is set to CUSTOM_METADATA.

Enable VPC Flow Logs for a VPC network

To enable VPC Flow Logs for all subnets, VLAN attachments, and Cloud VPN tunnels in a VPC network, do the following.

Console

In the Google Cloud console, go to the VPC networks page.

Go to VPC networks
In the Networks in current project tab, select one or more networks and then click Manage flow logs at the top of the list.
In Manage flow logs, click Add new configuration.
For Name, enter a name for the new VPC Flow Logs configuration.
Optional: Adjust the Aggregation interval and any of the settings in the Advanced settings section:
- Whether to configure log filtering. By default, Keep only logs that match a filter is deselected.
- Whether to include metadata in the final log entries. By default, Metadata annotations includes all fields.
- The Secondary sampling rate. 100% means that all entries generated by the primary flow log sampling process are kept. The primary flow log sampling rate isn't configurable. For more information, see Log sampling and processing.
Click Save.

gcloud

To enable VPC Flow Logs for a VPC network, use the gcloud beta network-management vpc-flow-logs-configs create command.

You enable VPC Flow Logs by creating a VPC Flow Logs configuration. You can create the configuration with all of its parameters set to their default values, or you can customize the default values.

In the gcloud CLI, set your project to the Google Cloud project ID of the VPC network and run one of the following commands:

To create a default VPC Flow Logs configuration, run the following command:

gcloud beta network-management vpc-flow-logs-configs create CONFIG_NAME \
    --location=global \
    --network=NETWORK

To create a custom VPC Flow Logs configuration, specify each parameter that you want to customize.

For example, to customize the aggregation interval, filtering, secondary sampling rate, and metadata parameters when creating a VPC Flow Logs configuration, run the following command:
```
gcloud beta network-management vpc-flow-logs-configs create CONFIG_NAME \
    --location=global \
    --network=NETWORK \
    --aggregation-interval=AGGREGATION_INTERVAL \
    --filter-expr=FILTER_EXPRESSION \
    --flow-sampling=SAMPLING_RATE \
    --metadata=LOGGING_METADATA
```
Replace the following:
- CONFIG_NAME: a name for the configuration.
- NETWORK: the VPC network that you want to log. Must be specified in the following format: projects/PROJECT_ID/global/networks/NAME, where:
  - PROJECT_ID is the ID of the Google Cloud project that contains the VPC network. The configuration must be created in this project.
  - NAME is the name of the VPC network.
To set the optional parameters in a custom configuration, replace the following:
- AGGREGATION_INTERVAL: the aggregation interval for flow logs generated by this configuration. This parameter can be set to interval-5-sec(default), interval-30-sec, interval-1-min, interval-5-min,interval-10-min, or interval-15-min.
- FILTER_EXPRESSION: an expression that defines which logs you want to keep. The expression has a limit of 2,048 characters. For more information, see Log filtering.
- SAMPLING_RATE: the secondary flow sampling rate. This parameter can be set from greater than 0.0 to 1.0 (all logs, default). For more information, see Log sampling and processing.
- LOGGING_METADATA: the metadata annotations that you want to include in the logs:
  - Use include-all-metadata to include all metadata annotations (default).
  - Use exclude-all-metadata to exclude all metadata annotations.
  - Use custom-metadata to include a custom list of metadata fields. To specify the metadata fields, use the --metadata-fields flag:
    - --metadata-fields=METADATA_FIELDS: replace METADATA_FIELDS with a comma-separated list of metadata fields that you want to include in the logs. For example, src_instance,dst_instance. Can be set only if metadata is set to custom-metadata.

API

To enable VPC Flow Logs for a VPC network, use the projects.locations.vpcFlowLogsConfigs.create method.

You enable VPC Flow Logs by creating a VPC Flow Logs configuration. You can create the configuration with all of its parameters set to their default values, or you can customize the default values.

To create a default VPC Flow Logs configuration, include the following parameters in your API request:

POST https://networkmanagement.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/vpcFlowLogsConfigs?vpc_flow_logs_config_id=CONFIG_NAME
{
  "network": "NETWORK"
}

To create a custom VPC Flow Logs configuration, specify each parameter that you want to customize.

POST https://networkmanagement.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/vpcFlowLogsConfigs?vpc_flow_logs_config_id=CONFIG_NAME
{
  "network": "NETWORK",
  "aggregationInterval": "AGGREGATION_INTERVAL",
  "filterExpr": "FILTER_EXPRESSION",
  "flowSampling": SAMPLING_RATE,
  "metadata": "LOGGING_METADATA"
}

Replace the following:

PROJECT_ID: the Google Cloud project ID of the VPC network.
CONFIG_NAME: a name for the configuration.
NETWORK: the VPC network that you want to log. Must be specified in the following format: projects/PROJECT_ID/global/networks/NAME, where:
- PROJECT_ID is the project ID of the VPC network.
- NAME is the name of the VPC network.

To set the optional parameters in a custom configuration, replace the following:

AGGREGATION_INTERVAL: the aggregation interval for flow logs generated by this configuration. This parameter can be set to INTERVAL_5_SEC (default), INTERVAL_30_SEC, INTERVAL_1_MIN, INTERVAL_5_MIN, INTERVAL_10_MIN, or INTERVAL_15_MIN.
FILTER_EXPRESSION: an expression that defines which logs you want to keep. The expression has a limit of 2,048 characters. For more information, see Log filtering.
SAMPLING_RATE: the secondary flow sampling rate. This parameter can be set from greater than 0.0 to 1.0 (all logs, default). For more information, see Log sampling and processing.
LOGGING_METADATA: the metadata annotations that you want to include in the logs:
- Use INCLUDE_ALL_METADATA to include all metadata annotations (default).
- Use EXCLUDE_ALL_METADATA to exclude all metadata annotations.
- Use CUSTOM_METADATA to include a custom list of metadata fields. To specify the metadata fields, use the metadataFields parameter:
  - metadataFields: METADATA_FIELDS: replace METADATA_FIELDS with a comma-separated list of metadata fields that you want to include in the logs. For example, src_instance,dst_instance. Can be set only if metadata is set to CUSTOM_METADATA.

Enable VPC Flow Logs for an organization

To enable VPC Flow Logs for all subnets, VLAN attachments, and Cloud VPN tunnels in all VPC networks in an organization, do the following.

Console

In the Google Cloud console, go to the VPC Flow Logs page.

Go to VPC Flow Logs
Click Add VPC Flow Logs configuration and then click Add a configuration for the organization.
For Name, enter a name for the new VPC Flow Logs configuration.
Optional: Adjust the Aggregation interval and any of the settings in the Advanced settings section:
- Whether to configure log filtering. By default, Keep only logs that match a filter is deselected.
- Whether to include cross-project annotations. By default, Cross-project metadata annotations is selected. For more information, see Cross-project annotations.
- Whether to include metadata in the final log entries. By default, Metadata annotations includes all fields.
- The Secondary sampling rate. 100% means that all entries generated by the primary flow log sampling process are kept. The primary flow log sampling rate isn't configurable. For more information, see Log sampling and processing.
Click Save.

gcloud

To enable VPC Flow Logs for an organization, use the gcloud beta network-management vpc-flow-logs-configs create command.

You enable VPC Flow Logs by creating a VPC Flow Logs configuration. You can create the configuration with all of its parameters set to their default values, or you can customize the default values.

To create a default VPC Flow Logs configuration, run the following command:

gcloud beta network-management vpc-flow-logs-configs create CONFIG_NAME \
    --location=global \
    --organization=ORGANIZATION

To create a custom VPC Flow Logs configuration, specify each parameter that you want to customize.

For example, to customize the aggregation interval, filtering, secondary sampling rate, and metadata parameters when creating a VPC Flow Logs configuration, run the following command:
```
gcloud beta network-management vpc-flow-logs-configs create CONFIG_NAME \
    --location=global \
    --organization=ORGANIZATION \
    --aggregation-interval=AGGREGATION_INTERVAL \
    --filter-expr=FILTER_EXPRESSION \
    --flow-sampling=SAMPLING_RATE \
    --metadata=LOGGING_METADATA \
    --cross-project-metadata=CROSS_PROJECT_METADATA
```
Replace the following:
- CONFIG_NAME: a name for the configuration
- ORGANIZATION: the ID of the organization
To set the optional parameters in a custom configuration, replace the following:
- AGGREGATION_INTERVAL: the aggregation interval for flow logs generated by this configuration. This parameter can be set to interval-5-sec(default), interval-30-sec, interval-1-min, interval-5-min,interval-10-min, or interval-15-min.
- FILTER_EXPRESSION: an expression that defines which logs you want to keep. The expression has a limit of 2,048 characters. For more information, see Log filtering.
- SAMPLING_RATE: the secondary flow sampling rate. This parameter can be set from greater than 0.0 to 1.0 (all logs, default). For more information, see Log sampling and processing.
- LOGGING_METADATA: the metadata annotations that you want to include in the logs:
  - Use include-all-metadata to include all metadata annotations (default).
  - Use exclude-all-metadata to exclude all metadata annotations.
  - Use custom-metadata to include a custom list of metadata fields. To specify the metadata fields, use the --metadata-fields flag:
    - --metadata-fields=METADATA_FIELDS: replace METADATA_FIELDS with a comma-separated list of metadata fields that you want to include in the logs. For example, src_instance,dst_instance. Can be set only if metadata is set to custom-metadata.
- CROSS_PROJECT_METADATA: cross-project annotations. Can be set to cross-project-metadata-enabled (default) or cross-project-metadata-disabled. For more information, see Cross-project annotations.

API

To enable VPC Flow Logs for an organization, use the organizations.locations.vpcFlowLogsConfigs.create method.

You enable VPC Flow Logs by creating a VPC Flow Logs configuration. You can create the configuration with all of its parameters set to their default values, or you can customize the default values.

To create a default VPC Flow Logs configuration, include the following parameters in your API request:

POST -H "x-goog-user-project:PROJECT_ID" https://networkmanagement.googleapis.com/v1beta1/organizations/ORGANIZATION_ID/locations/global/vpcFlowLogsConfigs?vpc_flow_logs_config_id=CONFIG_NAME

To create a custom VPC Flow Logs configuration, specify each parameter that you want to customize.

POST -H "x-goog-user-project:PROJECT_ID" https://networkmanagement.googleapis.com/v1beta1/organizations/ORGANIZATION_ID/locations/global/vpcFlowLogsConfigs?vpc_flow_logs_config_id=CONFIG_NAME
{
  "aggregationInterval": "AGGREGATION_INTERVAL",
  "filterExpr": "FILTER_EXPRESSION",
  "flowSampling": SAMPLING_RATE,
  "metadata": "LOGGING_METADATA",
  "crossProjectMetadata": "CROSS_PROJECT_METADATA"
}

Replace the following:

PROJECT_ID: the ID of the quota project. API requests are counted against this project. The quota value for the Network Management API is set to 1,200 requests per minute, for both the project- and organization-level quota.
ORGANIZATION_ID: the ID of the organization.
CONFIG_NAME: a name for the configuration.

To set the optional parameters in a custom configuration, replace the following:

AGGREGATION_INTERVAL: the aggregation interval for flow logs generated by this configuration. This parameter can be set to INTERVAL_5_SEC (default), INTERVAL_30_SEC, INTERVAL_1_MIN, INTERVAL_5_MIN, INTERVAL_10_MIN, or INTERVAL_15_MIN.
FILTER_EXPRESSION: an expression that defines which logs you want to keep. The expression has a limit of 2,048 characters. For more information, see Log filtering.
SAMPLING_RATE: the secondary flow sampling rate. This parameter can be set from greater than 0.0 to 1.0 (all logs, default). For more information, see Log sampling and processing.
LOGGING_METADATA: the metadata annotations that you want to include in the logs:
- Use INCLUDE_ALL_METADATA to include all metadata annotations (default).
- Use EXCLUDE_ALL_METADATA to exclude all metadata annotations.
- Use CUSTOM_METADATA to include a custom list of metadata fields. To specify the metadata fields, use the metadataFields parameter:
  - metadataFields: METADATA_FIELDS: replace METADATA_FIELDS with a comma-separated list of metadata fields that you want to include in the logs. For example, src_instance,dst_instance. Can be set only if metadata is set to CUSTOM_METADATA.

CROSS_PROJECT_METADATA: cross-project annotations. Can be set to CROSS_PROJECT_METADATA_ENABLED (default) or CROSS_PROJECT_METADATA_DISABLED. For more information, see Cross-project annotations.

When VPC Flow Logs is enabled for an organization, flow logs are written and billed to the Google Cloud project of the resource that reports flow logs. For more information, see Pricing and billing.

View VPC Flow Logs configuration status

You can check which resources have VPC Flow Logs enabled by viewing their VPC Flow Logs configurations.

View VPC Flow Logs configurations

Console

To view all VPC Flow Logs configurations, do the following:

In the Google Cloud console, go to the VPC Flow Logs page.

Go to VPC Flow Logs
In the Organization-level configurations and Project-level configurations sections, view your active and paused configurations. If the status of a VPC Flow Logs configuration for a resource is On, it means that logging is turned on.

You can also view VPC Flow Logs configurations in the Flow log configs column on the resource page. For example, to view which VPC networks and subnets have VPC Flow Logs configurations:

Go to the VPC networks page.

Go to VPC networks
Click the Networks in current project or Subnets in current project tab and in the Flow log configs column, view your active and paused VPC Flow Logs configurations.

gcloud

To view VPC Flow Logs configurations, use the gcloud network-management vpc-flow-logs-configs list and gcloud network-management vpc-flow-logs-configs describe commands.

View organization-level configurations (Preview)

To view all VPC Flow Logs configurations for an organization, run the following command:

gcloud beta network-management vpc-flow-logs-configs list --location=global \
    --organization=ORGANIZATION

To view a specific VPC Flow Logs configuration, run the following command:
```
gcloud beta network-management vpc-flow-logs-configs describe CONFIG_NAME \
    --location=global \
    --organization=ORGANIZATION
```
Replace the following:
- ORGANIZATION: the ID of the organization
- CONFIG_NAME: the name of the configuration

View project-level configurations

To view all VPC Flow Logs configurations in a project, run the following command:
```
gcloud network-management vpc-flow-logs-configs list --location=global
```
To view a specific VPC Flow Logs configuration, run the following command:
```
gcloud network-management vpc-flow-logs-configs describe CONFIG_NAME \
    --location=global
```
Replace CONFIG_NAME with the name of the VPC Flow Logs configuration that you want to view.

To view VPC Flow Logs configurations for VPC networks and subnets, use the beta version of these commands.

API

View organization-level configurations (Preview)

To view all VPC Flow Logs configurations for an organization, use the organizations.locations.vpcFlowLogsConfigs.list method:

GET -H "x-goog-user-project:PROJECT_ID" https://networkmanagement.googleapis.com/v1beta1/organizations/ORGANIZATION_ID/locations/global/vpcFlowLogsConfigs

To view a specific VPC Flow Logs configuration for an organization, use the organizations.locations.vpcFlowLogsConfigs.get method:
```
GET -H "x-goog-user-project:PROJECT_ID" https://networkmanagement.googleapis.com/v1beta1/organizations/ORGANIZATION_ID/locations/global/vpcFlowLogsConfigs/CONFIG_NAME
```
Replace the following:
- PROJECT_ID: the ID of the quota project. API requests are counted against this project.
- ORGANIZATION_ID: the ID of the organization.
- CONFIG_NAME: the name of the configuration.
If you don't have the necessary permissions to perform the preceding tasks at the organization level, you can use the following request to view all VPC Flow Logs configurations for the organization:
```
GET https://networkmanagement.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/vpcFlowLogsConfigs:queryOrgVpcFlowLogsConfigs
```
Replace PROJECT_ID with the ID of the project.

View project-level configurations

To view all VPC Flow Logs configurations in a project, use the projects.locations.vpcFlowLogsConfigs.list method:
```
GET https://networkmanagement.googleapis.com/v1/projects/PROJECT_ID/locations/global/vpcFlowLogsConfigs
```
To view a specific VPC Flow Logs configuration, use the projects.locations.vpcFlowLogsConfigs.get method:
```
GET https://networkmanagement.googleapis.com/v1/projects/PROJECT_ID/locations/global/vpcFlowLogsConfigs/CONFIG_NAME
```
Replace the following:
- PROJECT_ID: the ID of the project
- CONFIG_NAME: the name of the VPC Flow Logs configuration
To view VPC Flow Logs configurations for VPC networks and subnets, use the v1beta1 version of these requests.

View which subnets in a network have VPC Flow Logs enabled

This section describes how to view which VPC Flow Logs configurations for subnets are managed by the Compute Engine API. To view all VPC Flow Logs configurations, see View VPC Flow Logs configurations.

Console

In the Google Cloud console, go to the VPC Flow Logs page.

Go to VPC Flow Logs
In the Project-level configurations section, click the Subnets (Compute Engine API) tab and view which subnets in the project have VPC Flow Logs enabled.

These configurations are managed by the Compute Engine API. Configurations that are managed by the Network Management API are displayed in the Subnets tab.

gcloud

To view which subnets in a VPC network have VPC Flow Logs enabled, run the following command:

gcloud compute networks subnets list \
    --project PROJECT_ID \
    --network="NETWORK" \
    --format="csv(name,region,logConfig.enable)"

Replace the following:

PROJECT_ID: the ID of the project you are querying
NETWORK: the name of the network containing the subnets

Update VPC Flow Logs configuration

You can update a VPC Flow Logs configuration. For more information about the parameters that you can modify, see Log sampling and processing.

Update an organization-level configuration

Updating a VPC Flow Logs configuration for an organization (Preview) applies the modified configuration to all subnets, VLAN attachments, and Cloud VPN tunnels in all VPC networks in the organization.

Console

In the Google Cloud console, go to the VPC Flow Logs page.

Go to VPC Flow Logs
In the Organization-level configurations section, select one or more configurations that you want to update and click Edit.
Adjust any of the following:
- The Aggregation interval. By default, the aggregation interval is set to 5 sec.
- Whether to set the Status of the VPC Flow Logs configuration to on or off. The On status means that the selected VPC Flow Logs configuration is active and generates flow logs.
- Whether to configure log filtering. By default, Keep only logs that match a filter is deselected.
- Whether to include cross-project annotations. By default, Cross-project metadata annotations is selected. For more information, see Cross-project annotations.
- Whether to include metadata in the final log entries. By default, Metadata annotations includes all fields.
- The Secondary sampling rate. 100% means that all entries generated by the primary flow log sampling process are kept. The primary flow log sampling rate isn't configurable. For more information, see Log sampling and processing.
Click Save.

gcloud

Use the gcloud beta network-management vpc-flow-logs-configs update command. The square brackets [] in the following commands indicate optional parameters.

To update a VPC Flow Logs configuration for an organization, run the following command:

gcloud beta network-management vpc-flow-logs-configs update CONFIG_NAME \
    --location=global \
    --organization=ORGANIZATION \
    [--aggregation-interval=AGGREGATION_INTERVAL] \
    [--filter-expr=FILTER_EXPRESSION] \
    [--flow-sampling=SAMPLING_RATE] \
    [--metadata=LOGGING_METADATA] \
    [--cross-project-metadata=CROSS_PROJECT_METADATA] \
    [--state=STATE]

For example, to update the aggregation interval parameter, run the following command:

gcloud beta network-management vpc-flow-logs-configs update CONFIG_NAME \
    --location=global \
    --organization=ORGANIZATION \
    --aggregation-interval=AGGREGATION_INTERVAL

Replace the following:

ORGANIZATION: the ID of the organization.
CONFIG_NAME: the name of the configuration that you want to update. The configuration is located in the same Google Cloud project as the resource for which the configuration is used.

To update the optional parameters, replace the following:

AGGREGATION_INTERVAL: the aggregation interval for flow logs generated by this configuration. This parameter can be set to interval-5-sec(default), interval-30-sec, interval-1-min, interval-5-min,interval-10-min, or interval-15-min.
FILTER_EXPRESSION: an expression that defines which logs you want to keep. The expression has a limit of 2,048 characters. For more information, see Log filtering.
SAMPLING_RATE: the secondary flow sampling rate. This parameter can be set from greater than 0.0 to 1.0 (all logs, default). For more information, see Log sampling and processing.
LOGGING_METADATA: the metadata annotations that you want to include in the logs:
- Use include-all-metadata to include all metadata annotations (default).
- Use exclude-all-metadata to exclude all metadata annotations.
- Use custom-metadata to include a custom list of metadata fields. To specify the metadata fields, use the --metadata-fields flag:
  - --metadata-fields=METADATA_FIELDS: replace METADATA_FIELDS with a comma-separated list of metadata fields that you want to include in the logs. For example, src_instance,dst_instance. Can be set only if metadata is set to custom-metadata.
CROSS_PROJECT_METADATA: cross-project annotations. Can be set to cross-project-metadata-enabled (default) or cross-project-metadata-disabled. For more information, see Cross-project annotations.
STATE: the state of the configuration. Can be enabled (default) or disabled.

API

Use the organizations.locations.vpcFlowLogsConfigs.patch method. For information about the fields that you can modify, see REST Resource: projects.locations.vpcFlowLogsConfigs.

To update a VPC Flow Logs configuration for an organization, include the following parameters in your API request:

PATCH -H "x-goog-user-project:PROJECT_ID" https://networkmanagement.googleapis.com/v1beta1/organizations/ORGANIZATION_ID/locations/global/vpcFlowLogsConfigs/CONFIG_NAME?updateMask=FIELDS
{
  ...fields to modify
}

Replace the following:

PROJECT_ID: the ID of the quota project. API requests are counted against this project. The quota value for the Network Management API is set to 1,200 requests per minute, for both the project- and organization-level quota.
ORGANIZATION_ID: the ID of the organization for which the configuration is used.
CONFIG_NAME: the name of the configuration that you want to update.
FIELDS: the name of the field or fields that you want to update, comma-separated—for example, aggregationInterval,flowSampling,metadata.

For example, to update the aggregationInterval field for a configuration my-config in my-organization, use the following API request:

PATCH -H "x-goog-user-project:PROJECT_ID" https://networkmanagement.googleapis.com/v1beta1/organizations/my-organization/locations/global/vpcFlowLogsConfigs/my-config?updateMask=aggregationInterval
{
  aggregationInterval:AGGREGATION_INTERVAL
}

Replace the following:

PROJECT_ID: the ID of the quota project. API requests are counted against this project.
AGGREGATION_INTERVAL with any of the supported values for this parameter.

Update a project-level configuration

Project-level configurations include configurations for VPC networks (Preview), subnets (Preview), VLAN attachments, and Cloud VPN tunnels. Updating a VPC Flow Logs configuration for a VPC network applies the modified configuration to all subnets, VLAN attachments, and Cloud VPN tunnels in the network.

To update a VPC Flow Logs configuration managed by the Compute Engine API, see Update configuration parameters for subnets.

Console

In the Google Cloud console, go to the VPC Flow Logs page.

Go to VPC Flow Logs
In the Project-level configurations section, select one or more configurations that you want to update and click Edit.
Adjust any of the following:
- The Aggregation interval. By default, the aggregation interval is set to 5 sec.
- Whether to set the Status of the VPC Flow Logs configuration to on or off. The On status means that the selected VPC Flow Logs configuration is active and generates flow logs.
- Whether to configure log filtering. By default, Keep only logs that match a filter is deselected.
- Whether to include metadata in the final log entries. By default, Metadata annotations includes all fields.
- The Secondary sampling rate. 100% means that all entries generated by the primary flow log sampling process are kept. The primary flow log sampling rate isn't configurable. For more information, see Log sampling and processing.
Click Save.

You can also use the Manage flow logs menu in the following locations to edit your VPC Flow Logs configurations:

The Networks in current project and Subnets in current project tabs on the VPC networks page
The VLAN attachments tab on the Interconnect page
The VPN tunnels tab on the VPN page

gcloud

Use the gcloud network-management vpc-flow-logs-configs update and gcloud beta network-management vpc-flow-logs-configs update commands. The square brackets [] in the following commands indicate optional parameters.

To update a VPC Flow Logs configuration for a VPC network or subnet (Preview), run the following command:

gcloud beta network-management vpc-flow-logs-configs update CONFIG_NAME \
    --location=global \
    [--network=NETWORK | --subnet=SUBNET] \
    [--aggregation-interval=AGGREGATION_INTERVAL] \
    [--filter-expr=FILTER_EXPRESSION] \
    [--flow-sampling=SAMPLING_RATE] \
    [--metadata=LOGGING_METADATA] \
    [--state=STATE]

To update a VPC Flow Logs configuration for a VLAN attachment or Cloud VPN tunnel, run the following command:

gcloud network-management vpc-flow-logs-configs update CONFIG_NAME \
    --location=global \
    [--interconnect-attachment=VLAN_ATTACHMENT | --vpn-tunnel=VPN_TUNNEL] \
    [--aggregation-interval=AGGREGATION_INTERVAL] \
    [--filter-expr=FILTER_EXPRESSION] \
    [--flow-sampling=SAMPLING_RATE] \
    [--metadata=LOGGING_METADATA] \
    [--state=STATE]

For example, to update the aggregation interval parameter for a VLAN attachment or Cloud VPN tunnel, run the following command:

gcloud network-management vpc-flow-logs-configs update CONFIG_NAME \
    --location=global \
    --aggregation-interval=AGGREGATION_INTERVAL

Replace the following:

CONFIG_NAME: the name of the configuration that you want to update. The configuration is located in the same Google Cloud project as the resource for which the configuration is used.

To update the optional parameters, replace the following:

NETWORK, SUBNET, VLAN_ATTACHMENT, or VPN_TUNNEL: the name of the target resource. Only one resource can be specified per configuration. Use this option to update the name of the target resource. Must be specified in the following format:
- VPC network: projects/PROJECT_ID/global/networks/NAME
- Subnet: projects/PROJECT_ID/regions/REGION/subnetworks/NAME
- VLAN attachment: projects/PROJECT_ID/regions/REGION/interconnectAttachments/NAME
- Cloud VPN tunnel: projects/PROJECT_ID/regions/REGION/vpnTunnels/NAME
- Replace the following:
  - PROJECT_ID: the ID of the Google Cloud project that contains the resource.
  - REGION: the region of the resource.
  - NAME: the name of the resource.
AGGREGATION_INTERVAL: the aggregation interval for flow logs generated by this configuration. This parameter can be set to interval-5-sec(default), interval-30-sec, interval-1-min, interval-5-min,interval-10-min, or interval-15-min.
FILTER_EXPRESSION: an expression that defines which logs you want to keep. The expression has a limit of 2,048 characters. For more information, see Log filtering.
SAMPLING_RATE: the secondary flow sampling rate. This parameter can be set from greater than 0.0 to 1.0 (all logs, default). For more information, see Log sampling and processing.
LOGGING_METADATA: the metadata annotations that you want to include in the logs:
- Use include-all-metadata to include all metadata annotations (default).
- Use exclude-all-metadata to exclude all metadata annotations.
- Use custom-metadata to include a custom list of metadata fields. To specify the metadata fields, use the --metadata-fields flag:
  - --metadata-fields=METADATA_FIELDS: replace METADATA_FIELDS with a comma-separated list of metadata fields that you want to include in the logs. For example, src_instance,dst_instance. Can be set only if metadata is set to custom-metadata.
STATE: the state of the configuration. Can be enabled (default) or disabled.

API

Use the projects.locations.vpcFlowLogsConfigs.patch and projects.locations.vpcFlowLogsConfigs.patch (v1beta1) methods . For information about the fields that you can modify, see REST Resource: projects.locations.vpcFlowLogsConfigs.

To update a VPC Flow Logs configuration for a VPC network or subnet (Preview), include the following parameters in your API request:

PATCH https://networkmanagement.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/vpcFlowLogsConfigs/CONFIG_NAME?updateMask=FIELDS
{
  ...fields to modify
}

To update a VPC Flow Logs configuration for a VLAN attachment or a Cloud VPN tunnel, include the following parameters in your API request:

PATCH https://networkmanagement.googleapis.com/v1/projects/PROJECT_ID/locations/global/vpcFlowLogsConfigs/CONFIG_NAME?updateMask=FIELDS
{
  ...fields to modify
}

Replace the following:

PROJECT_ID: the ID of the Google Cloud project that contains the VPC Flow Logs configuration. This ID is the same as the project ID of the resource for which the configuration is used.
CONFIG_NAME: the name of the configuration that you want to update.
FIELDS: the name of the field or fields that you want to update, comma-separated—for example, aggregationInterval,flowSampling,metadata.

For example, to update the aggregationInterval field for a configuration my-config in my-project, use the following API request:

PATCH https://networkmanagement.googleapis.com/v1/projects/my-project/locations/global/vpcFlowLogsConfigs/my-config?updateMask=aggregationInterval
{
  aggregationInterval:AGGREGATION_INTERVAL
}

Replace AGGREGATION_INTERVAL with any of the supported values for this parameter.

Update configuration parameters for subnets

This section describes how to update a VPC Flow Logs configuration managed by the Compute Engine API.

To view which VPC Flow Logs configurations are managed by the Compute Engine API, see View which subnets in a network have VPC Flow Logs enabled.

Console

In the Google Cloud console, go to the VPC networks page.

Go to VPC networks
Under Subnets in current project, click the subnet that you want to update.
Click Edit.
Optional: Adjust any of the following settings:
- The Aggregation interval. By default, the aggregation interval is set to 5 sec.
- Whether to configure log filtering. By default, Keep only logs that match a filter is deselected.
- Whether to include metadata in the final log entries. By default, Metadata annotations includes all fields.
- The Secondary sampling rate. 50% means that half of entries generated by the primary flow log sampling process are kept. The primary flow log sampling rate isn't configurable. For more information, see Log sampling and processing.
Click Save.

Alternatively, you can update your VPC Flow Logs configuration parameters by using the Manage flow logs menu under Subnets in current project on the VPC networks page.

gcloud

Run the following command:

gcloud compute networks subnets update SUBNET_NAME \
    [--logging-aggregation-interval=AGGREGATION_INTERVAL] \
    [--logging-flow-sampling=SAMPLING_RATE] \
    [--logging-filter-expr=FILTER_EXPRESSION] \
    [--logging-metadata=LOGGING_METADATA] \
    [--logging-metadata-fields=METADATA_FIELDS] \

Replace the following:

AGGREGATION_INTERVAL: the aggregation interval for flow logs in that subnet. The interval can be set to any of the following: 5-sec (default), 30-sec, 1-min, 5-min, 10-min, or 15-min.
SAMPLING_RATE: the secondary flow sampling rate. Secondary flow sampling can be set from 0.0 (no sampling) to 1.0 (all logs). Default is 0.5. For more information, see Log sampling and processing.
FILTER_EXPRESSION: an expression that defines what logs you want to keep. The expression has a limit of 2,048 characters. For details, see Log filtering.
LOGGING_METADATA: the metadata annotations that you want to include in the logs:
- Use include-all to include all metadata annotations.
- Use exclude-all to exclude all metadata annotations (default).
- Use custom to include a custom list of metadata fields that you specify in METADATA_FIELDS.
Note: If a subnet had flow logging enabled at any time before March 1, 2021, and if LOGGING_METADATA was never explicitly configured, the default value for LOGGING_METADATA is include-all.
METADATA_FIELDS: a comma-separated list of metadata fields you want to include in the logs. For example, src_instance,dst_instance. Can be set only if LOGGING_METADATA is set to custom.

API

Modify the log sampling fields to update VPC Flow Logs behaviors.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME
{
  "logConfig": {
    ...fields to modify
  },
  "fingerprint": "SUBNET_FINGERPRINT"
}

Replace the following:

PROJECT_ID: the ID of the project where the subnet is located.
REGION: the region where the subnet is located.
SUBNET_NAME: the name of the existing subnet.
SUBNET_FINGERPRINT: the fingerprint ID for the existing subnet, which is provided when you describe a subnet.
For the fields that you can modify, see Enable VPC Flow Logs when you create a subnet.

For more information, refer to the subnetworks.patch method.

Stop logs collection

You can pause logs collection for a resource by turning off all of its active VPC Flow Logs configurations.

If you no longer need a VPC Flow Logs configuration, you can delete the configuration. Logs collection is stopped and the configuration is deleted.

To stop logs collection and delete a VPC Flow Logs configuration managed by the Compute Engine API, see disable VPC Flow Logs for a subnet.

Turn off a VPC Flow Logs configuration

Console

In the Google Cloud console, go to the VPC Flow Logs page.

Go to VPC Flow Logs
In the Organization-level configurations or Project-level configurations sections, select one or more VPC Flow Logs configurations that you want to turn off and change the configuration status to Turn off.

If your selection includes both active and inactive configurations, in the Change configuration status menu, click Turn all off.

gcloud

To pause logs collection for a VPC Flow Logs configuration, use the gcloud network-management vpc-flow-logs-configs update and gcloud beta network-management vpc-flow-logs-configs update commands.

Pause an organization-level configuration (Preview)

gcloud beta network-management vpc-flow-logs-configs update CONFIG_NAME \
    --location=global \
    --organization=ORGANIZATION \
    --state=disabled

Replace the following:

CONFIG_NAME: the name of the configuration
ORGANIZATION: the ID of the organization

Pause a project-level configuration

gcloud network-management vpc-flow-logs-configs update CONFIG_NAME \
    --location=global \
    --state=disabled

Replace CONFIG_NAME with the name of the configuration.

To pause a VPC Flow Logs configuration for a VPC network or subnet, use the beta version of this command.

API

Pause an organization-level configuration (Preview)

To pause logs collection, use the organizations.locations.vpcFlowLogsConfigs.patch method.

PATCH -H "x-goog-user-project:PROJECT_ID" https://networkmanagement.googleapis.com/v1beta1/organizations/ORGANIZATION_ID/locations/global/vpcFlowLogsConfigs/CONFIG_NAME?updateMask=state
{
  "state": "DISABLED"
}

Replace the following:

PROJECT_ID: the ID of the quota project. API requests are counted against this project.
ORGANIZATION_ID: the ID of the organization.
CONFIG_NAME: the name of the configuration.

Pause a project-level configuration

To pause logs collection, use the projects.locations.vpcFlowLogsConfigs.patch method.

PATCH https://networkmanagement.googleapis.com/v1/projects/PROJECT_ID/locations/global/vpcFlowLogsConfigs/CONFIG_NAME?updateMask=state
{
  "state": "DISABLED"
}

Replace the following:

PROJECT_ID: the ID of the Google Cloud project that contains the configuration. This ID is the same as the project ID of the resource for which the configuration is used.
CONFIG_NAME: the name of the configuration.

To pause a VPC Flow Logs configuration for a VPC network or subnet, use the v1beta1 version of this request.

Delete a VPC Flow Logs configuration

Console

In the Google Cloud console, go to the VPC Flow Logs page.

Go to VPC Flow Logs
In the Organization-level configurations or Project-level configurations sections, select one or more VPC Flow Logs configurations that you want to delete and click Delete.

gcloud

To delete a VPC Flow Logs configuration, use the gcloud network-management vpc-flow-logs-configs delete and gcloud beta network-management vpc-flow-logs-configs delete commands.

Delete an organization-level configuration (Preview)

gcloud beta network-management vpc-flow-logs-configs delete CONFIG_NAME \
    --location=global \
    --organization=ORGANIZATION

Replace the following:

CONFIG_NAME: the name of the configuration
ORGANIZATION: the ID of the organization

Delete a project-level configuration

gcloud network-management vpc-flow-logs-configs delete CONFIG_NAME \
    --location=global

Replace CONFIG_NAME with the name of the configuration that you want to delete.

To delete a VPC Flow Logs configuration for a VPC network or subnet, use the beta version of this command.

API

Delete an organization-level configuration (Preview)

To delete a VPC Flow Logs configuration, use the organizations.locations.vpcFlowLogsConfigs.delete method.

DELETE -H "x-goog-user-project:PROJECT_ID" https://networkmanagement.googleapis.com/v1beta1/organizations/ORGANIZATION_ID/locations/global/vpcFlowLogsConfigs/CONFIG_NAME

Replace the following:

PROJECT_ID: the ID of the quota project. API requests are counted against this project.
ORGANIZATION_ID: the ID of the organization.
CONFIG_NAME: the name of the configuration.

Delete a project-level configuration

To delete a VPC Flow Logs configuration, use the projects.locations.vpcFlowLogsConfigs.delete method.

DELETE https://networkmanagement.googleapis.com/v1/projects/PROJECT_ID/locations/global/vpcFlowLogsConfigs/CONFIG_NAME

Replace the following:

PROJECT_ID: the ID of the Google Cloud project that contains the configuration
CONFIG_NAME: the name of the configuration

To delete a VPC Flow Logs configuration for a VPC network or subnet, use the v1beta1 version of this request.

Disable VPC Flow Logs for a subnet

This section describes how to delete a VPC Flow Logs configuration managed by the Compute Engine API. When you disable VPC Flow Logs for a subnet, logs collection is stopped and the configuration is deleted.

Console

In the Google Cloud console, go to the VPC networks page.

Go to VPC networks
Click the subnet that you want to update.
Click Edit.
For Flow logs, select Off.
Click Save.

gcloud

Run the following command:

gcloud compute networks subnets update SUBNET_NAME \
    --no-enable-flow-logs

API

Disable VPC Flow Logs on a subnet to stop collecting log records.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME
{
  "logConfig": {
    "enable": false
  },
  "fingerprint": "SUBNET_FINGERPRINT"
}

Replace the following:

PROJECT_ID: the ID of the project where the subnet is located
REGION: the region where the subnet is located
SUBNET_NAME: the name of the existing subnet
SUBNET_FINGERPRINT: the fingerprint ID for the existing subnet, which is provided when you describe a subnet

For more information, refer to the subnetworks.patch method.

Troubleshooting

Flow logs for subnets appear to be disabled even though you enabled them

When you're configuring a proxy-only subnet for internal Application Load Balancers and you're using the gcloud compute networks subnets command to enable VPC Flow Logs, the command appears to succeed, but flow logs aren't actually enabled. The --enable-flow-logs flag doesn't take effect when you also include the --purpose=INTERNAL_HTTPS_LOAD_BALANCER flag.

When you use the Google Cloud console or the API to enable flow logs, you see the error message: "Invalid value for field 'resource.enableFlowLogs': 'true'. Invalid field set in subnetwork with purpose INTERNAL_HTTPS_LOAD_BALANCER."

Because proxy-only subnets have no VMs, VPC Flow Logs isn't supported. This is intended behavior.

What's next

Access flow logs