Configure VPC Flow Logs

This page describes how to configure VPC Flow Logs. It assumes you are familiar with the concepts described in VPC Flow Logs and About VPC Flow Logs records.

Before you begin

VPC Flow Logs lets you configure flow logs for Virtual Private Cloud (VPC) subnets, VLAN attachments for Cloud Interconnect (Preview), and Cloud VPN tunnels (Preview).

Before configuring VPC Flow Logs, complete the following tasks:

  • If you want to configure VPC Flow Logs for a subnet, do the following:

    1. Enable the Compute Engine API in your Google Cloud project.

      Enable Compute Engine API

    2. Make sure that you have one of the following roles on the project:

  • If you want to configure VPC Flow Logs for a VLAN attachment or a Cloud VPN tunnel, do the following:

    1. Enable the Network Management API in your Google Cloud project.

      Enable Network Management API

    2. Make sure that you have the following role on the project: Network Management Admin role (roles/networkmanagement.admin)

  • Optional: If you want to use the Google Cloud CLI to configure VPC Flow Logs, do the following:

    • In the Google Cloud console, activate Cloud Shell.

      Activate Cloud Shell

      At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

Enable VPC Flow Logs

You enable VPC Flow Logs per subnet, VLAN attachment, or Cloud VPN tunnel. When you enable VPC Flow Logs for a subnet, you enable logging for all VMs in the subnet.

You can modify the amount of information written to logging. For details on the parameters that you can control, see Log sampling and processing. To customize metadata fields, use the gcloud CLI or API.

Enable VPC Flow Logs for a subnet

You can enable VPC Flow Logs when you create a subnet or for an existing subnet.

Enable VPC Flow Logs when you create a subnet

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click the network where you want to add a subnet.

  3. Click Add subnet.

  4. For Flow logs, select On.

  5. Optional: Adjust the Aggregation interval and any of the following settings in the Advanced settings section:

    • Whether to configure log filtering. By default, Keep only logs that match a filter is deselected.
    • Whether to include metadata in the final log entries. By default, Metadata annotations includes all fields.
    • The Secondary sampling rate. 50% means that half of entries generated by the primary flow log sampling process are kept. The primary flow log sampling rate isn't configurable. For more information, see Log sampling and processing.
  6. Populate other fields as appropriate.

  7. Click Add.

gcloud

Run the following command:

gcloud compute networks subnets create SUBNET_NAME \
    --enable-flow-logs \
    [--logging-aggregation-interval=AGGREGATION_INTERVAL] \
    [--logging-flow-sampling=SAMPLING_RATE] \
    [--logging-filter-expr=FILTER_EXPRESSION] \
    [--logging-metadata=LOGGING_METADATA] \
    [--logging-metadata-fields=METADATA_FIELDS] \
    [other flags as needed]

Replace the following:

  • AGGREGATION_INTERVAL: the aggregation interval for flow logs in that subnet. The interval can be set to any of the following: 5-sec (default), 30-sec, 1-min, 5-min, 10-min, or 15-min.
  • SAMPLING_RATE: the secondary flow sampling rate. Secondary flow sampling can be set from 0.0 (no sampling) to 1.0 (all logs). Default is 0.5. For more information, see Log sampling and processing.
  • FILTER_EXPRESSION: an expression that defines which logs you want to keep. The expression has a limit of 2,048 characters. For details, see Log filtering.
  • LOGGING_METADATA: the metadata annotations that you want to include in the logs:

    • Use include-all to include all metadata annotations.
    • Use exclude-all to exclude all metadata annotations (default).
    • Use custom to include a custom list of metadata fields that you specify in METADATA_FIELDS.
  • METADATA_FIELDS: a comma-separated list of metadata fields you want to include in the logs. For example, src_instance,dst_instance. Can be set only if LOGGING_METADATA is set to custom.

API

Enable VPC Flow Logs when you create a new subnet.

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks
{
  "logConfig": {
    "aggregationInterval": "AGGREGATION_INTERVAL",
    "flowSampling": SAMPLING_RATE,
    "filterExpr": EXPRESSION,
    "metadata": METADATA_SETTING,
    "metadataFields": METADATA_FIELDS,
    "enable": true
  },
  "ipCidrRange": "IP_RANGE",
  "network": "NETWORK_URL",
  "name": "SUBNET_NAME"
}

Replace the following:

  • PROJECT_ID: the ID of the project where the subnet will be created.
  • REGION: the region where the subnet will be created.
  • AGGREGATION_INTERVAL: the aggregation interval for flow logs in the subnet. The interval can be set to any of the following: INTERVAL_5_SEC, INTERVAL_30_SEC, INTERVAL_1_MIN, INTERVAL_5_MIN, INTERVAL_10_MIN, or INTERVAL_15_MIN.
  • SAMPLING_RATE: the flow sampling rate. Flow sampling can be set from 0.0 (no sampling) to 1.0 (all logs). Default is .0.5.
  • EXPRESSION: the filter expression you use to filter which logs are actually written. The expression has a limit of 2,048 characters. For details, see Log filtering.
  • METADATA_SETTING: the metadata annotations that you want to include in the logs:

    • Use INCLUDE_ALL_METADATA to include all metadata annotations.
    • Use EXCLUDE_ALL_METADATA to exclude all metadata annotations (default).
    • Use CUSTOM_METADATA to include a custom list of metadata fields that you specify in METADATA_FIELDS.
  • METADATA_FIELDS: the metadata fields you want to capture when you have set metadata: CUSTOM_METADATA. This is a comma-separated list of metadata fields, such as src_instance, src_vpc.project_id.

  • IP_RANGE: the primary internal IP address range of the subnet.

  • NETWORK_URL: the Virtual Private Cloud network URL where the subnet will be created.

  • SUBNET_NAME: a name for the subnet.

For more information, refer to the subnetworks.insert method.

Terraform

You can use a Terraform module to create a custom mode VPC network and subnets.

The following example creates three subnets as follows:

  • subnet-01 has VPC Flow Logs disabled. When you create a subnet, VPC Flow Logs are disabled unless you explicitly enable them.
  • subnet-02 has VPC Flow Logs enabled with the default flow log settings.
  • subnet-03 has VPC Flow Logs enabled with some custom settings.
module "test-vpc-module" {
  source       = "terraform-google-modules/network/google"
  version      = "~> 10.0"
  project_id   = var.project_id # Replace this with your project ID in quotes
  network_name = "my-custom-mode-network"
  mtu          = 1460

  subnets = [
    {
      subnet_name   = "subnet-01"
      subnet_ip     = "10.10.10.0/24"
      subnet_region = "us-west1"
    },
    {
      subnet_name           = "subnet-02"
      subnet_ip             = "10.10.20.0/24"
      subnet_region         = "us-west1"
      subnet_private_access = "true"
      subnet_flow_logs      = "true"
    },
    {
      subnet_name               = "subnet-03"
      subnet_ip                 = "10.10.30.0/24"
      subnet_region             = "us-west1"
      subnet_flow_logs          = "true"
      subnet_flow_logs_interval = "INTERVAL_10_MIN"
      subnet_flow_logs_sampling = 0.7
      subnet_flow_logs_metadata = "INCLUDE_ALL_METADATA"
      subnet_flow_logs_filter   = "false"
    }
  ]
}

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

Enable VPC Flow Logs for an existing subnet

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click the subnet that you want to update.

  3. Click Edit.

  4. For Flow logs, select On.

  5. Optional: Adjust the Aggregation interval and any of the following settings in the Advanced settings section:

    • Whether to configure log filtering. By default, Keep only logs that match a filter is deselected.
    • Whether to include metadata in the final log entries. By default, Metadata annotations includes all fields.
    • The Secondary sampling rate. 50% means that half of entries generated by the primary flow log sampling process are kept. The primary flow log sampling rate isn't configurable. For more information, see Log sampling and processing.
  6. Click Save.

gcloud

Run the following command:

gcloud compute networks subnets update SUBNET_NAME \
    --enable-flow-logs \
    [--logging-aggregation-interval=AGGREGATION_INTERVAL] \
    [--logging-flow-sampling=SAMPLING_RATE] \
    [--logging-filter-expr=FILTER_EXPRESSION] \
    [--logging-metadata=LOGGING_METADATA] \
    [--logging-metadata-fields=METADATA_FIELDS] \
    [other flags as needed]

Replace the following:

  • AGGREGATION_INTERVAL: the aggregation interval for flow logs in that subnet. The interval can be set to any of the following: 5-sec (default), 30-sec, 1-min, 5-min, 10-min, or 15-min.
  • SAMPLING_RATE: the secondary flow sampling rate. Secondary flow sampling can be set from 0.0 (no sampling) to 1.0 (all logs). Default is 0.5. For more information, see Log sampling and processing.
  • FILTER_EXPRESSION: an expression that defines which logs you want to keep. The expression has a limit of 2,048 characters. For details, see Log filtering.
  • LOGGING_METADATA: the metadata annotations that you want to include in the logs:

    • Use include-all to include all metadata annotations.
    • Use exclude-all to exclude all metadata annotations (default).
    • Use custom to include a custom list of metadata fields that you specify in METADATA_FIELDS.
  • METADATA_FIELDS: a comma-separated list of metadata fields you want to include in the logs. For example, src_instance,dst_instance. Can be set only if LOGGING_METADATA is set to custom.

API

Enable VPC Flow Logs for an existing subnet.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME
{
  "logConfig": {
    "enable": true
    ...other logging fields.
  },
  "fingerprint": "SUBNETWORK_FINGERPRINT"
}

Replace the following:

  • PROJECT_ID: the ID of the project where the subnet is located.
  • REGION: the region where the subnet is located.
  • SUBNET_NAME: the name of the existing subnet.
  • SUBNET_FINGERPRINT: the fingerprint ID for the existing subnet, which is provided when you describe a subnet.
  • For the other logging fields, see Enabling VPC Flow Logging when you create a subnet.

For more information, refer to the subnetworks.patch method.

Enable VPC Flow Logs for a VLAN attachment

Console

  1. In the Google Cloud console, go to the Interconnect page.

    Go to Interconnect

  2. In the VLAN attachments tab, select one or more VLAN attachments and then click Manage flow logs in the selection bar at the top of the list.

  3. In Manage flow logs, click Add new configuration.

  4. Enter a Name for the new VPC Flow Logs configuration.

  5. Optional: Adjust the Aggregation interval and any of the settings in the Advanced settings section:

    • Whether to configure log filtering. By default, Keep only logs that match a filter is deselected.
    • Whether to include metadata in the final log entries. By default, Metadata annotations includes all fields.
    • The Secondary sampling rate. 100% means that all entries generated by the primary flow log sampling process are kept. The primary flow log sampling rate isn't configurable. For more information, see Log sampling and processing.
  6. Click Save.

gcloud

To create a VPC Flow Logs configuration for a VLAN attachment, use the gcloud beta network-management vpc-flow-logs-configs create command. You can create a VPC Flow Logs configuration with all of its parameters set to their default values, or you can customize the default values when creating the configuration.

In the gcloud CLI, set your project to the Google Cloud project ID of the VLAN attachment and run one of the following commands:

  • To create a default VPC Flow Logs configuration, run the following command:

    gcloud beta network-management vpc-flow-logs-configs create CONFIG_NAME \
        --location=global \
        --interconnect-attachment=VLAN_ATTACHMENT
    
  • To create a custom VPC Flow Logs configuration, specify each parameter that you want to customize.

    For example, to customize the aggregation interval, filtering, secondary sampling rate, and metadata parameters when creating a VPC Flow Logs configuration, run the following command:

    gcloud beta network-management vpc-flow-logs-configs create CONFIG_NAME \
        --location=global \
        --interconnect-attachment=VLAN_ATTACHMENT \
        --aggregation-interval=AGGREGATION_INTERVAL \
        --filter-expr=FILTER_EXPRESSION \
        --flow-sampling=SAMPLING_RATE \
        --metadata=LOGGING_METADATA
    

    Replace the following:

    • CONFIG_NAME: a name for the VPC Flow Logs configuration.
    • VLAN_ATTACHMENT: the VLAN attachment that you want to log. Must be specified in the following format: projects/PROJECT_ID/regions/REGION/interconnectAttachments/NAME. Replace the following:
      • PROJECT_ID: the ID of the Google Cloud project that contains the VLAN attachment. The VPC Flow Logs configuration must be created in this project.
      • REGION: the region of the VLAN attachment.
      • NAME: the name of the VLAN attachment.

    To set the optional parameters in a custom configuration, replace the following:

    • AGGREGATION_INTERVAL: the aggregation interval for flow logs generated by this configuration. The interval can be set to any of the following: interval-5-sec(default), interval-30-sec, interval-1-min, interval-5-min,interval-10-min, or interval-15-min.
    • FILTER_EXPRESSION: an expression that defines which logs you want to keep. The expression has a limit of 2,048 characters. For more information, see Log filtering.
    • SAMPLING_RATE: the secondary flow sampling rate. Secondary flow sampling can be set from greater than 0.0 to 1.0 (all logs, default). For more information, see Log sampling and processing.
    • LOGGING_METADATA: the metadata annotations that you want to include in the logs:
      • Use include-all-metadata to include all metadata annotations (default).
      • Use exclude-all-metadata to exclude all metadata annotations.
      • Use custom-metadata to include a custom list of metadata fields. To specify the metadata fields, use the --metadata-fields parameter:
        • --metadata-fields=METADATA_FIELDS: replace METADATA_FIELDS with a comma-separated list of metadata fields that you want to include in the logs. For example, src_instance,dst_instance. Can be set only if metadata is set to custom-metadata.

API

To create a VPC Flow Logs configuration for a VLAN attachment, use the projects.locations.vpcFlowLogsConfigs.create method. You can create a VPC Flow Logs configuration with all of its parameters set to their default values, or you can customize the default values when creating the configuration.

To create a default VPC Flow Logs configuration, include the following parameters in your API call:

POST https://networkmanagement.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/vpcFlowLogsConfigs?vpc_flow_logs_config_id=CONFIG_NAME
{
  "interconnectAttachment": "VLAN_ATTACHMENT"
}

To create a custom VPC Flow Logs configuration, specify each parameter that you want to customize.

For example, to customize the aggregation interval, filtering, secondary sampling rate, and metadata parameters when creating a VPC Flow Logs configuration, include the following parameters in your API call:

POST https://networkmanagement.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/vpcFlowLogsConfigs?vpc_flow_logs_config_id=CONFIG_NAME
{
  "interconnectAttachment": "VLAN_ATTACHMENT",
  "aggregationInterval": "AGGREGATION_INTERVAL",
  "filterExpr": "FILTER_EXPRESSION",
  "flowSampling": SAMPLING_RATE,
  "metadata": "LOGGING_METADATA"
}

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project where you want to create the VPC Flow Logs configuration. Must be in the same project as the VLAN attachment.
  • CONFIG_NAME: a name for the VPC Flow Logs configuration.
  • VLAN_ATTACHMENT: the VLAN attachment that you want to log. Must be in the following format: projects/PROJECT_ID/regions/REGION/interconnectAttachments/NAME.
    • PROJECT_ID: the ID of the Google Cloud project that contains the VLAN attachment.
    • REGION: the region of the VLAN attachment.
    • NAME: the name of the VLAN attachment.
To set the optional parameters in a custom configuration, replace the following:
  • AGGREGATION_INTERVAL: the aggregation interval for flow logs generated by this configuration. The interval can be set to any of the following: INTERVAL_5_SEC (default), INTERVAL_30_SEC, INTERVAL_1_MIN, INTERVAL_5_MIN, INTERVAL_10_MIN, or INTERVAL_15_MIN.
  • FILTER_EXPRESSION: an expression that defines which logs you want to keep. The expression has a limit of 2,048 characters. For more information, see Log filtering.
  • SAMPLING_RATE: the secondary flow sampling rate. Secondary flow sampling can be set from greater than 0.0 to 1.0 (all logs, default). For more information, see Log sampling and processing.
  • LOGGING_METADATA: the metadata annotations that you want to include in the logs:
    • Use INCLUDE_ALL_METADATA to include all metadata annotations (default).
    • Use EXCLUDE_ALL_METADATA to exclude all metadata annotations.
    • Use CUSTOM_METADATA to include a custom list of metadata fields. To specify the metadata fields, use the metadataFields parameter:
      • metadataFields: METADATA_FIELDS: replace METADATA_FIELDS with a comma-separated list of metadata fields that you want to include in the logs. For example, src_instance,dst_instance. Can be set only if metadata is set to CUSTOM_METADATA.

You can add more than one VPC Flow Logs configuration for a single VLAN attachment. Each VPC Flow Logs configuration generates a separate set of flow logs.

Enable VPC Flow Logs for a Cloud VPN tunnel

Console

  1. In the Google Cloud console, go to the VPN page.

    Go to VPN

  2. In the Cloud VPN tunnels tab, select one or more Cloud VPN tunnels and then click Manage flow logs in the selection bar at the top of the list.

  3. In Manage flow logs, click Add new configuration.

  4. Enter a Name for the new VPC Flow Logs configuration.

  5. Optional: Adjust the Aggregation interval and any of the settings in the Advanced settings section:

    • Whether to configure log filtering. By default, Keep only logs that match a filter is deselected.
    • Whether to include metadata in the final log entries. By default, Metadata annotations includes all fields.
    • The Secondary sampling rate. 100% means that all entries generated by the primary flow log sampling process are kept. The primary flow log sampling rate isn't configurable. For more information, see Log sampling and processing.
  6. Click Save.

gcloud

To create a VPC Flow Logs configuration for a Cloud VPN tunnel, use the gcloud beta network-management vpc-flow-logs-configs create command. You can create a VPC Flow Logs configuration with all of its parameters set to their default values, or you can customize the default values when creating the configuration.

In the gcloud CLI, set your project to the Google Cloud project ID of the Cloud VPN tunnel and run one of the following commands:

  • To create a default VPC Flow Logs configuration, run the following command:

    gcloud beta network-management vpc-flow-logs-configs create CONFIG_NAME \
        --location=global \
        --vpn-tunnel=VPN_TUNNEL
    
  • To create a custom VPC Flow Logs configuration, specify each parameter that you want to customize.

    For example, to customize the aggregation interval, filtering, secondary sampling rate, and metadata parameters when creating a VPC Flow Logs configuration, run the following command:

    gcloud beta network-management vpc-flow-logs-configs create CONFIG_NAME \
        --location=global \
        --vpn-tunnel=VPN_TUNNEL \
        --aggregation-interval=AGGREGATION_INTERVAL \
        --filter-expr=FILTER_EXPRESSION \
        --flow-sampling=SAMPLING_RATE \
        --metadata=LOGGING_METADATA
    

    Replace the following:

    • CONFIG_NAME: a name for the VPC Flow Logs configuration.
    • VPN_TUNNEL: the Cloud VPN tunnel that you want to log. Must be specified in the following format: projects/PROJECT_ID/regions/REGION/vpnTunnels/NAME. Replace the following:
      • PROJECT_ID: the ID of the Google Cloud project that contains the Cloud VPN tunnel. The VPC Flow Logs configuration must be created in this project.
      • REGION: the region of the Cloud VPN tunnel.
      • NAME: the name of the Cloud VPN tunnel.

    To set the optional parameters in a custom configuration, replace the following:

    • AGGREGATION_INTERVAL: the aggregation interval for flow logs generated by this configuration. The interval can be set to any of the following: interval-5-sec(default), interval-30-sec, interval-1-min, interval-5-min,interval-10-min, or interval-15-min.
    • FILTER_EXPRESSION: an expression that defines which logs you want to keep. The expression has a limit of 2,048 characters. For more information, see Log filtering.
    • SAMPLING_RATE: the secondary flow sampling rate. Secondary flow sampling can be set from greater than 0.0 to 1.0 (all logs, default). For more information, see Log sampling and processing.
    • LOGGING_METADATA: the metadata annotations that you want to include in the logs:
      • Use include-all-metadata to include all metadata annotations (default).
      • Use exclude-all-metadata to exclude all metadata annotations.
      • Use custom-metadata to include a custom list of metadata fields. To specify the metadata fields, use the --metadata-fields parameter:
        • --metadata-fields=METADATA_FIELDS: replace METADATA_FIELDS with a comma-separated list of metadata fields that you want to include in the logs. For example, src_instance,dst_instance. Can be set only if metadata is set to custom-metadata.

API

To create a VPC Flow Logs configuration for a Cloud VPN tunnel, use the projects.locations.vpcFlowLogsConfigs.create method. You can create a VPC Flow Logs configuration with all of its parameters set to their default values, or you can customize the default values when creating the configuration.

To create a default VPC Flow Logs configuration, include the following parameters in your API call:

POST https://networkmanagement.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/vpcFlowLogsConfigs?vpc_flow_logs_config_id=CONFIG_NAME
{
  "vpnTunnel": "VPN_TUNNEL"
}

To create a custom VPC Flow Logs configuration, specify each parameter that you want to customize.

For example, to customize the aggregation interval, filtering, secondary sampling rate, and metadata parameters when creating a VPC Flow Logs configuration, include the following parameters in your API call:

POST https://networkmanagement.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/vpcFlowLogsConfigs?vpc_flow_logs_config_id=CONFIG_NAME
{
  "vpnTunnel": "VPN_TUNNEL",
  "aggregationInterval": "AGGREGATION_INTERVAL",
  "filterExpr": "FILTER_EXPRESSION",
  "flowSampling": SAMPLING_RATE,
  "metadata": "LOGGING_METADATA"
}

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project where you want to create the VPC Flow Logs configuration. Must be in the same project as the Cloud VPN tunnel.
  • CONFIG_NAME: a name for the VPC Flow Logs configuration.
  • VPN_TUNNEL: the Cloud VPN tunnel that you want to log. Must be in the following format: projects/PROJECT_ID/regions/REGION/vpnTunnels/NAME.
    • PROJECT_ID: the ID of the Google Cloud project that contains the Cloud VPN tunnel.
    • REGION: the region of the Cloud VPN tunnel.
    • NAME: the name of the Cloud VPN tunnel.
To set the optional parameters in a custom configuration, replace the following:
  • AGGREGATION_INTERVAL: the aggregation interval for flow logs generated by this configuration. The interval can be set to any of the following: INTERVAL_5_SEC (default), INTERVAL_30_SEC, INTERVAL_1_MIN, INTERVAL_5_MIN, INTERVAL_10_MIN, or INTERVAL_15_MIN.
  • FILTER_EXPRESSION: an expression that defines which logs you want to keep. The expression has a limit of 2,048 characters. For more information, see Log filtering.
  • SAMPLING_RATE: the secondary flow sampling rate. Secondary flow sampling can be set from greater than 0.0 to 1.0 (all logs, default). For more information, see Log sampling and processing.
  • LOGGING_METADATA: the metadata annotations that you want to include in the logs:
    • Use INCLUDE_ALL_METADATA to include all metadata annotations (default).
    • Use EXCLUDE_ALL_METADATA to exclude all metadata annotations.
    • Use CUSTOM_METADATA to include a custom list of metadata fields. To specify the metadata fields, use the metadataFields parameter:
      • metadataFields: METADATA_FIELDS: replace METADATA_FIELDS with a comma-separated list of metadata fields that you want to include in the logs. For example, src_instance,dst_instance. Can be set only if metadata is set to CUSTOM_METADATA.

You can add more than one VPC Flow Logs configuration for a single Cloud VPN tunnel. Each VPC Flow Logs configuration generates a separate set of flow logs.

View VPC Flow Logs configuration status

You can view the following:

  • Which subnets have VPC Flow Logs enabled
  • Which VLAN attachments and Cloud VPN tunnels have VPC Flow Logs enabled (Preview)

View which subnets in a network have VPC Flow Logs enabled

You can check which subnets in a VPC network have VPC Flow Logs enabled. To view all subnets in a Google Cloud project that have VPC Flow Logs enabled, see View VPC Flow Logs configurations.

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click the VPC network where you want to view the subnets.

  3. Click the Subnets tab and view the Flow logs column to see if logging is on or off.

gcloud

Run the following command:

gcloud compute networks subnets list \
    --project PROJECT_ID \
    --network="NETWORK" \
    --format="csv(name,region,logConfig.enable)"

Replace the following:

  • PROJECT_ID: the ID of the project you are querying.
  • NETWORK: the name of the network containing the subnets.

View which attachments and tunnels in a project have VPC Flow Logs enabled

You can check which VLAN attachments and Cloud VPN tunnels in a Google Cloud project have VPC Flow Logs enabled. To view all VPC Flow Logs configurations for VLAN attachments and Cloud VPN tunnels in a Google Cloud project, see View VPC Flow Logs configurations.

Console

In the Google Cloud console, do the following:

  • To view which VLAN attachments have VPC Flow Logs enabled:

    1. Go to the Interconnect page.

      Go to Interconnect

    2. Click the VLAN attachments tab and view the Flow logs column to see if logging is on or off.

  • To view which Cloud VPN tunnels have VPC Flow Logs enabled:

    1. Go to the VPN page.

      Go to VPN

    2. Click the Cloud VPN tunnels tab and view the Flow logs column to see if logging is on or off.

View VPC Flow Logs configurations

When you configure VPC Flow Logs for a subnet, VLAN attachment, or a Cloud VPN tunnel, Google Cloud creates a VPC Flow Logs configuration for your subnet, VLAN attachment, or VPN tunnel using the configuration values that you have set. A single VLAN attachment or Cloud VPN tunnel can have one or more VPC Flow Logs configurations. A subnet that has VPC Flow Logs enabled can have only one VPC Flow Logs configuration.

You can view which VLAN attachments and Cloud VPN tunnels have flow logs turned on or off by checking the status of their VPC Flow Logs configurations. If the status of a VPC Flow Logs configuration is on, it means that flow logs for the VLAN attachment or Cloud VPN tunnel that uses this configuration are turned on. VPC Flow Logs configurations for subnets can't be turned off, only deleted.

Console

  1. In the Google Cloud console, go to the VPC Flow Logs page.

    Go to VPC Flow Logs

  2. Click the Subnets, VLAN attachments, or VPN tunnels tab.

    • Subnets lists subnets that have an active VPC Flow Logs configuration.
    • VLAN attachments lists VLAN attachments for Cloud Interconnect that have active or paused VPC Flow Logs configurations.
    • VPN tunnels lists Cloud VPN tunnels that have active or paused VPC Flow Logs configurations.

gcloud

To view VPC Flow Logs configurations for VLAN attachments and Cloud VPN tunnels, use the gcloud beta network-management vpc-flow-logs-configs list and gcloud beta network-management vpc-flow-logs-configs describe commands.

Run one of the following commands:

  • To view all VPC Flow Logs configurations in a Google Cloud project, run:

    gcloud beta network-management vpc-flow-logs-configs list --location=global
    
  • To view a single VPC Flow Logs configuration, run:

    gcloud beta network-management vpc-flow-logs-configs describe CONFIG_NAME \
        --location=global
    

    Replace CONFIG_NAME with the name of the VPC Flow Logs configuration that you want to view.

API

To view all VPC Flow Logs configurations for VLAN attachments and Cloud VPN tunnels in a Google Cloud project, use the projects.locations.vpcFlowLogsConfigs.list method:

GET https://networkmanagement.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/vpcFlowLogsConfigs

To view a single VPC Flow Logs configuration, use the projects.locations.vpcFlowLogsConfigs.get method:

GET https://networkmanagement.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/vpcFlowLogsConfigs/CONFIG_NAME

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project that contains the VPC Flow Logs configuration or configurations that you want to view.
  • CONFIG_NAME: the name of the VPC Flow Logs configuration.

Update VPC Flow Logs configuration

You can modify log sampling parameters. For information about the parameters that you can control, see Log sampling and processing. To customize metadata fields, use the gcloud CLI or API.

Update configuration parameters for subnets

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Under Subnets in current project, click the subnet that you want to update.

  3. Click Edit.

  4. Optional: Adjust any of the following settings:

    • The Aggregation interval. By default, the aggregation interval is set to 5 sec.
    • Whether to configure log filtering. By default, Keep only logs that match a filter is deselected.
    • Whether to include metadata in the final log entries. By default, Metadata annotations includes all fields.
    • The Secondary sampling rate. 50% means that half of entries generated by the primary flow log sampling process are kept. The primary flow log sampling rate isn't configurable. For more information, see Log sampling and processing.
  5. Click Save.

Alternatively, you can update your VPC Flow Logs configuration parameters by using the  Manage flow logs menu under Subnets in current project on the VPC networks page.

gcloud

Run the following command:

gcloud compute networks subnets update SUBNET_NAME \
    [--logging-aggregation-interval=AGGREGATION_INTERVAL] \
    [--logging-flow-sampling=SAMPLING_RATE] \
    [--logging-filter-expr=FILTER_EXPRESSION] \
    [--logging-metadata=LOGGING_METADATA] \
    [--logging-metadata-fields=METADATA_FIELDS] \

Replace the following:

  • AGGREGATION_INTERVAL: the aggregation interval for flow logs in that subnet. The interval can be set to any of the following: 5-sec (default), 30-sec, 1-min, 5-min, 10-min, or 15-min.
  • SAMPLING_RATE: the secondary flow sampling rate. Secondary flow sampling can be set from 0.0 (no sampling) to 1.0 (all logs). Default is 0.5. For more information, see Log sampling and processing.
  • FILTER_EXPRESSION: an expression that defines what logs you want to keep. The expression has a limit of 2,048 characters. For details, see Log filtering.
  • LOGGING_METADATA: the metadata annotations that you want to include in the logs:

    • Use include-all to include all metadata annotations.
    • Use exclude-all to exclude all metadata annotations (default).
    • Use custom to include a custom list of metadata fields that you specify in METADATA_FIELDS.
  • METADATA_FIELDS: a comma-separated list of metadata fields you want to include in the logs. For example, src_instance,dst_instance. Can be set only if LOGGING_METADATA is set to custom.

API

Modify the log sampling fields to update VPC Flow Logs behaviors.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME
{
  "logConfig": {
    ...fields to modify
  },
  "fingerprint": "SUBNETWORK_FINGERPRINT"
}

Replace the following:

  • PROJECT_ID: the ID of the project where the subnet is located.
  • REGION: the region where the subnet is located.
  • SUBNET_NAME: the name of the existing subnet.
  • SUBNET_FINGERPRINT: the fingerprint ID for the existing subnet, which is provided when you describe a subnet.
  • For the fields that you can modify, see Enabling VPC Flow Logging when you create a subnet.

For more information, refer to the subnetworks.patch method.

Update configuration parameters for VLAN attachments and Cloud VPN tunnels

Console

  1. In the Google Cloud console, go to the VPC Flow Logs page.

    Go to VPC Flow Logs

  2. Select the VLAN attachments or VPN tunnels tab:

    • To update VPC Flow Logs parameters for VLAN attachments, select VLAN attachments.
    • To update VPC Flow Logs parameters for Cloud VPN tunnels, select VPN tunnels.
  3. Select one or more VPC Flow Logs configurations that you want to update and click Edit.

  4. Optional: Adjust any of the following:

    • The Aggregation interval. By default, the aggregation interval is set to 5 sec.
    • Whether to set the Status of the VPC Flow Logs configuration to on or off. The On status means that the selected VPC Flow Logs configuration is active and generates flow logs.
    • Whether to configure log filtering. By default, Keep only logs that match a filter is deselected.
    • Whether to include metadata in the final log entries. By default, Metadata annotations includes all fields.
    • The Secondary sampling rate. 100% means that all entries generated by the primary flow log sampling process are kept. The primary flow log sampling rate isn't configurable. For more information, see Log sampling and processing.
  5. Click Save.

Alternatively, you can update your VPC Flow Logs configuration parameters by using the  Manage flow logs menu in the VLAN attachments tab on the Interconnect page and in the VPN tunnels tab on the VPN page.

gcloud

To update a VPC Flow Logs configuration for a VLAN attachment or a Cloud VPN tunnel, use the gcloud beta network-management vpc-flow-logs-configs update command.

Run the gcloud beta network-management vpc-flow-logs-configs update command with one or more of the following optional parameters:

gcloud beta network-management vpc-flow-logs-configs update CONFIG_NAME \
    --location=global \
    [--interconnect-attachment=VLAN_ATTACHMENT | --vpn-tunnel=VPN_TUNNEL] \
    [--aggregation-interval=AGGREGATION_INTERVAL] \
    [--filter-expr=FILTER_EXPRESSION] \
    [--flow-sampling=SAMPLING_RATE] \
    [--metadata=LOGGING_METADATA] \
    [--state=STATE]

For example, to update the aggregation interval parameter, run the following command:

gcloud beta network-management vpc-flow-logs-configs update CONFIG_NAME \
    --location=global \
    --aggregation-interval=AGGREGATION_INTERVAL

Replace the following:

  • CONFIG_NAME: the name of the VPC Flow Logs configuration that you want to update. The configuration is located in the same Google Cloud project as the VLAN_ATTACHMENT or VPN_TUNNEL for which the configuration is used.

To update the optional parameters, replace the following:

  • VLAN_ATTACHMENT or VPN_TUNNEL:
    • To update a VPC Flow Logs configuration for a VLAN attachment, specify the VLAN attachment in the following format: projects/PROJECT_ID/regions/REGION/interconnectAttachments/NAME.
    • To update a VPC Flow Logs configuration for a Cloud VPN tunnel, specify the Cloud VPN tunnel in the following format: projects/PROJECT_ID/regions/REGION/vpnTunnels/NAME.
    • Replace the following:
      • PROJECT_ID: the ID of the Google Cloud project that contains the VLAN attachment or Cloud VPN tunnel.
      • REGION: the region of the VLAN attachment or Cloud VPN tunnel.
      • NAME: the name of the VLAN attachment or Cloud VPN tunnel.
  • AGGREGATION_INTERVAL: the aggregation interval for flow logs generated by this configuration. The interval can be set to any of the following: interval-5-sec(default), interval-30-sec, interval-1-min, interval-5-min,interval-10-min, or interval-15-min.
  • FILTER_EXPRESSION: an expression that defines which logs you want to keep. The expression has a limit of 2,048 characters. For more information, see Log filtering.
  • SAMPLING_RATE: the secondary flow sampling rate. Secondary flow sampling can be set from greater than 0.0 to 1.0 (all logs, default). For more information, see Log sampling and processing.
  • LOGGING_METADATA: the metadata annotations that you want to include in the logs:
    • Use include-all-metadata to include all metadata annotations (default).
    • Use exclude-all-metadata to exclude all metadata annotations.
    • Use custom-metadata to include a custom list of metadata fields. To specify the metadata fields, use the --metadata-fields parameter:
      • --metadata-fields=METADATA_FIELDS: replace METADATA_FIELDS with a comma-separated list of metadata fields that you want to include in the logs. For example, src_instance,dst_instance. Can be set only if metadata is set to custom-metadata.
  • STATE: the state of the VPC Flow Logs configuration. Can be enabled (default) or disabled.

API

To update a VPC Flow Logs configuration, use the projects.locations.vpcFlowLogsConfigs.patch method. For information about the fields that you can modify, see REST Resource: projects.locations.vpcFlowLogsConfigs.

Update a VPC Flow Logs configuration for a VLAN attachment or a Cloud VPN tunnel:

PATCH https://networkmanagement.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/vpcFlowLogsConfigs/CONFIG_NAME?updateMask=FIELDS
{
  ...fields to modify
}

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project that contains the VPC Flow Logs configuration. This ID is the same as the project ID of the VLAN attachment or Cloud VPN tunnel for which the configuration is used.
  • CONFIG_NAME: the name of the VPC Flow Logs configuration that you want to update.
  • FIELDS: the name of the field or fields that you want to update, comma-separated. For example, aggregationInterval,flowSampling,metadata.

For example, to update the aggregationInterval field for a VPC Flow Logs configuration my-config in my-project, use the following API call:

PATCH https://networkmanagement.googleapis.com/v1beta1/projects/my-project/locations/global/vpcFlowLogsConfigs/my-config?updateMask=aggregationInterval
{
  aggregationInterval:AGGREGATION_INTERVAL
}

Replace AGGREGATION_INTERVAL with any of the supported values for this parameter.

Stop logs collection

You can disable VPC Flow Logs for a subnet, which stops logs collection and deletes its VPC Flow Logs configuration.

You can pause logs collection for a VLAN attachment or Cloud VPN tunnel by turning off all of its active VPC Flow Logs configurations. You can't pause logs collection for a subnet.

If you no longer need a VPC Flow Logs configuration, you can delete the configuration. Logs collection is stopped and the configuration is deleted.

Disable VPC Flow Logs for a subnet

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click the subnet that you want to update.

  3. Click Edit.

  4. For Flow logs, select Off.

  5. Click Save.

gcloud

Run the following command:

gcloud compute networks subnets update SUBNET_NAME \
    --no-enable-flow-logs

API

Disable VPC Flow Logs on a subnet to stop collecting log records.

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAME
{
  "logConfig": {
    "enable": false
  },
  "fingerprint": "SUBNETWORK_FINGERPRINT"
}

Replace the following:

  • PROJECT_ID: the ID of the project where the subnet is located.
  • REGION: the region where the subnet is located.
  • SUBNET_NAME: the name of the existing subnet.
  • SUBNET_FINGERPRINT: the fingerprint ID for the existing subnet, which is provided when you describe a subnet.

For more information, refer to the subnetworks.patch method.

Turn off a VPC Flow Logs configuration

Console

  1. In the Google Cloud console, go to the VPC Flow Logs page.

    Go to VPC Flow Logs

  2. Select the VLAN attachments or VPN tunnels tab:

    • To turn off a VPC Flow Logs configuration for a VLAN attachment, select VLAN attachments.
    • To turn off a VPC Flow Logs configuration for a Cloud VPN tunnel, select VPN tunnels.
  3. Select one or more VPC Flow Logs configurations that you want to turn off and change the configuration status to Turn off or Turn all off. The Turn all off option in the Change configuration status menu appears only if your selection includes both active and inactive VPC Flow Logs configurations.

gcloud

To pause logs collection for a VPC Flow Logs configuration, use the gcloud beta network-management vpc-flow-logs-configs update command.

Run the following command:

gcloud beta network-management vpc-flow-logs-configs update CONFIG_NAME \
    --location=global \
    --state=disabled

Replace CONFIG_NAME with the name of the VPC Flow Logs configuration that you want to update. The configuration is located in the same Google Cloud project as the VLAN attachment or Cloud VPN tunnel for which the configuration is used.

API

To pause logs collection for a VPC Flow Logs configuration, use the projects.locations.vpcFlowLogsConfigs.patch method.

Pause logs collection for a VPC Flow Logs configuration:

PATCH https://networkmanagement.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/vpcFlowLogsConfigs/CONFIG_NAME?updateMask=state
{
  "state": "DISABLED"
}

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project that contains the VPC Flow Logs configuration. This ID is the same as the project ID of the VLAN attachment or Cloud VPN tunnel for which the configuration is used.
  • CONFIG_NAME: the name of the VPC Flow Logs configuration that you want to update.

Delete a VPC Flow Logs configuration

Console

  1. In the Google Cloud console, go to the VPC Flow Logs page.

    Go to VPC Flow Logs

  2. Select the Subnets, VLAN attachments, or VPN tunnels tab:

    • To delete a VPC Flow Logs configuration for a subnet, select Subnets.
    • To delete a VPC Flow Logs configuration for a VLAN attachment, select VLAN attachments.
    • To delete a VPC Flow Logs configuration for a Cloud VPN tunnel, select VPN tunnels.
  3. Select one or more VPC Flow Logs configurations that you want to delete and click Delete.

gcloud

To delete a VPC Flow Logs configuration for a VLAN attachment or a Cloud VPN tunnel, use the gcloud beta network-management vpc-flow-logs-configs delete command.

Run the following command:

gcloud beta network-management vpc-flow-logs-configs delete CONFIG_NAME \
    --location=global

Replace CONFIG_NAME with the name of the VPC Flow Logs configuration that you want to delete.

API

To delete a VPC Flow Logs configuration for a VLAN attachment or a Cloud VPN tunnel, use the projects.locations.vpcFlowLogsConfigs.delete method:

DELETE https://networkmanagement.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/vpcFlowLogsConfigs/CONFIG_NAME

Replace the following:

  • PROJECT_ID: the ID of the Google Cloud project that contains the VPC Flow Logs configuration that you want to delete.
  • CONFIG_NAME: the name of the VPC Flow Logs configuration.

Troubleshooting

Flow logs for subnets appear to be disabled even though you enabled them

  • When you're configuring a proxy-only subnet for internal Application Load Balancers and you're using the gcloud compute networks subnets command to enable VPC Flow Logs, the command appears to succeed, but flow logs aren't actually enabled. The --enable-flow-logs flag doesn't take effect when you also include the --purpose=INTERNAL_HTTPS_LOAD_BALANCER flag.

    When you use the Google Cloud console or the API to enable flow logs, you see the error message: "Invalid value for field 'resource.enableFlowLogs': 'true'. Invalid field set in subnetwork with purpose INTERNAL_HTTPS_LOAD_BALANCER."

    Because proxy-only subnets have no VMs, VPC Flow Logs isn't supported. This is intended behavior.

What's next