# Enable VPC Flow Logs (Network Management API)

The Network Management API lets you configure VPC Flow Logs for organizations, Virtual Private Cloud (VPC) networks, subnets, VLAN attachments for Cloud Interconnect, and Cloud VPN tunnels.

{% hint style="info" %}
**📘Before you begin:**

This guide assumes you have been granted the `Network Management Admin` role (`roles/networkmanagement.admin`) at the following levels:

* Organization level (required if you want to configure VPC Flow Logs for an organization)
* Project level (required if you want to configure VPC Flow Logs for a VPC network, subnet, VLAN attachment, or Cloud VPN tunnel)

{% endhint %}

*The following instructions are based on Google's documentation, which may be useful to refer to:* [*https://docs.cloud.google.com/vpc/docs/using-flow-logs*](https://docs.cloud.google.com/vpc/docs/using-flow-logs)

## Prerequisites <a href="#prerequisites" id="prerequisites"></a>

1. Navigate to <https://console.cloud.google.com/apis/api/networkmanagement.googleapis.com> and click **Enable**.

![](https://1075194167-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7upncbzIm3grJePXaOO9%2Fuploads%2Fgit-blob-b5f9c687b9e21a53ee1b093b56f7cb0215ca30be%2F3f9ed87135074f709418eeae8b3236bd713c7016c850b97a9490b61a19866620.png?alt=media)

2. In the Google Cloud console, go to the [VPC networks page](https://console.cloud.google.com/networking/networks/list).

![](https://1075194167-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7upncbzIm3grJePXaOO9%2Fuploads%2Fgit-blob-5416f60a1b548d0e86c1a87ddce2979365ac3d95%2F743543ddfb8a25829beabc6a8c9794e7ec13706ff13bc8610f1c428796e8a457.png?alt=media)

{% hint style="info" %}
**📘Options for Flow Log Enablement**

VPC Flow Logs can be enabled at the following levels:

1. Subnet
2. VPC
3. Organization (requires the `resourcemanager.organizations.get` permission)

The lowest-level policy configured will supersede the higher-level policy.
{% endhint %}

## Option 1. Enabling VPC Flow Logs at the Subnet Level <a href="#option-1-enabling-vpc-flow-logs-at-the-subnet-level" id="option-1-enabling-vpc-flow-logs-at-the-subnet-level"></a>

1. On the **Subnets in current project** tab, select one or more subnets and then click **Manage flow logs**.

![](https://1075194167-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7upncbzIm3grJePXaOO9%2Fuploads%2Fgit-blob-9d6a3da1421159abd112827788808bb219d6020e%2F5285207cb76d88afccee429e0182792261d480033cceffcb3de25964a8e53c74.png?alt=media)

2. In **Manage flow logs**, click **Add new configuration**. This creates a new VPC Flow Logs configuration.
3. Do one of the following:
   1. If you selected one subnet, in the **Configurations — Subnets** section, click **Add a configuration**.

      ![](https://1075194167-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7upncbzIm3grJePXaOO9%2Fuploads%2Fgit-blob-1f0100218c3465a11a8709275514c8ec45a2e9e8%2Fcfb81b633e628eaac65690b7e3aa605a32c88f74c65a285df3847d6d3db57660.png?alt=media)
   2. If you selected multiple subnets, in the **Configure VPC Flow Logs** section, select **Network Management API**.

      ![](https://1075194167-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7upncbzIm3grJePXaOO9%2Fuploads%2Fgit-blob-05ccd2d5c452b05484e0e2a3e9571c26307d7656%2Ffc3cfc991219ea4930529ab0850975179d2c2ede9067c109918c23172cb52c27.png?alt=media)
4. For **Name**, enter a name for the new VPC Flow Logs configuration.
5. Change the **Aggregation Interval** to `1 minute`.
6. Optional: Adjust the **Description** and any of the settings in the **Advanced settings** section:
   1. **Log filtering**: By default, **Keep only logs that match a filter** is deselected.
   2. **Include metadata in the final log entries**: By default, **Metadata annotations** includes all fields.
   3. **Secondary sampling rate**: `100%` means that all entries generated by the primary flow log sampling process are kept.
7. Click **Save**.

## Option 2. Enabling VPC Flow Logs for VPC Networks <a href="#option-2-enabling-vpc-flow-logs-for-vpc-networks" id="option-2-enabling-vpc-flow-logs-for-vpc-networks"></a>

1. On the **Networks in current project** tab, select one or more networks and then click **Manage flow logs**.

   ![](https://1075194167-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7upncbzIm3grJePXaOO9%2Fuploads%2Fgit-blob-efe78d009d679f07a6518effc6bf03608c1fdf32%2Fb9d020f2d98f2036658313ab7dc58ce87b7c05f88d468d6165da4390587d0fae.png?alt=media)
2. In **Manage flow logs**, click **Add new configuration**. This creates a new VPC Flow Logs configuration.

   ![](https://1075194167-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7upncbzIm3grJePXaOO9%2Fuploads%2Fgit-blob-117a6a3cdc895c949765ae3050e3bf8cf4d50557%2F1af1a44ed6f368365053233d190247c6f6b013b2e6c9be48afc07ff8a20071e4.png?alt=media)
3. In the popup window, under **Configurations - VPC networks**, click **Add a configuration**.

   ![](https://1075194167-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7upncbzIm3grJePXaOO9%2Fuploads%2Fgit-blob-4d581880ac7778b031bf303f16a9955541620c32%2Fd69a24ee0c07e824260d8d781b43361644fd9f63358aa02ea928396c2aa6760c.png?alt=media)
4. For **Name**, enter a name for the new VPC Flow Logs configuration.
5. Change the **Aggregation Interval** to `1 minute`.
6. Optional: Adjust the **Description** and any of the settings in the **Advanced settings** section:
   1. **Log filtering**: By default, **Keep only logs that match a filter** is deselected.
   2. **Include metadata in the final log entries**: By default, **Metadata annotations** includes all fields.
   3. **Secondary sampling rate**: `100%` means that all entries generated by the primary flow log sampling process are kept.
7. Click **Save**.

## Option 3. Configuring VPC Flow Logs at the Organization Level <a href="#option-3-configuring-vpc-flow-logs-at-the-organization-level" id="option-3-configuring-vpc-flow-logs-at-the-organization-level"></a>

Configurations created at an organizational level will apply to all VPCs within that organization.

1. Navigate to the [VPC Flow Logs](https://console.cloud.google.com/networking/vpc-flow-logs) configuration page.

   ![](https://1075194167-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7upncbzIm3grJePXaOO9%2Fuploads%2Fgit-blob-d671cafacd81fbf1d34e9ad8620653cbb8c242ec%2F8b7f203e012844732f3260da01d0eb5994e0ac6cd14a7deb009dad4c41ae8b28.png?alt=media)
2. Click **Add VPC Flow Logs configuration** and then click **Add a configuration for the organization**.

   ![](https://1075194167-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7upncbzIm3grJePXaOO9%2Fuploads%2Fgit-blob-27a47f4f6f90cb821d22c3566e115bf781b4815d%2F9799285f79946ee5392e6addfb215ba2052a98634e0f2192944bf8e5288877c8.png?alt=media)
3. For **Name**, enter a name for the new VPC Flow Logs configuration.
4. Change the **Aggregation Interval** to `1 minute`.
5. Optional: Adjust the **Description** and any of the settings in the **Advanced settings** section:
   1. **Log filtering**: By default, **Keep only logs that match a filter** is deselected.
   2. **Include metadata in the final log entries**: By default, **Metadata annotations** includes all fields.
   3. **Secondary sampling rate**: `100%` means that all entries generated by the primary flow log sampling process are kept.
6. Click **Save**.
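
To confirm that the configurations created under any of the three options match the settings in this guide, the following check can be run over an exported configuration list. It is an added example, not part of the original guide or of Google's tooling. It assumes the export is the JSON from `gcloud network-management vpc-flow-logs-configs list --format=json`, with the field names of the Network Management API's `VpcFlowLogsConfig` resource; the sample data and all resource names are constructed placeholders.

```python
import json

# Settings from this guide, written with the field names and enum values of the
# Network Management API's VpcFlowLogsConfig resource (assumed to be the shape of
# `gcloud network-management vpc-flow-logs-configs list --format=json` output).
EXPECTED = {
    "state": "ENABLED",
    "aggregationInterval": "INTERVAL_1_MIN",  # Aggregation Interval: 1 minute
    "metadata": "INCLUDE_ALL_METADATA",       # Metadata annotations: all fields
}

# Constructed sample; project, organization and resource names are placeholders.
SAMPLE = json.loads("""[
  {"name": "projects/example-project/locations/global/vpcFlowLogsConfigs/subnet-a-logs",
   "subnet": "projects/example-project/regions/us-central1/subnetworks/subnet-a",
   "state": "ENABLED", "aggregationInterval": "INTERVAL_1_MIN",
   "flowSampling": 1.0, "metadata": "INCLUDE_ALL_METADATA"},
  {"name": "projects/example-project/locations/global/vpcFlowLogsConfigs/vpc-b-logs",
   "network": "projects/example-project/global/networks/vpc-b",
   "state": "ENABLED", "aggregationInterval": "INTERVAL_5_SEC",
   "flowSampling": 0.5, "metadata": "INCLUDE_ALL_METADATA",
   "filterExpr": "constructed-filter-expression"},
  {"name": "organizations/123456789012/locations/global/vpcFlowLogsConfigs/org-logs",
   "state": "DISABLED", "aggregationInterval": "INTERVAL_1_MIN",
   "flowSampling": 1.0, "metadata": "EXCLUDE_ALL_METADATA"}
]""")

def level(cfg):
    """Level a configuration applies at: a target field, else the name prefix."""
    for key in ("subnet", "network", "interconnectAttachment", "vpnTunnel"):
        if cfg.get(key):
            return key
    return "organization" if cfg["name"].startswith("organizations/") else "unknown"

def audit(configs):
    """Return {short config name: [deviations from the guide's settings]}."""
    report = {}
    for cfg in configs:
        issues = [f"{k} is {cfg.get(k)!r}, expected {v!r}"
                  for k, v in EXPECTED.items() if cfg.get(k) != v]
        sampling = cfg.get("flowSampling")
        if sampling is None or sampling < 1.0:
            issues.append(f"flowSampling is {sampling!r}, expected 1.0 (100%)")
        if cfg.get("filterExpr"):
            issues.append("filterExpr is set, so non-matching flows are dropped")
        report[cfg["name"].rsplit("/", 1)[-1]] = issues
    return report

if __name__ == "__main__":
    for cfg in SAMPLE:
        name = cfg["name"].rsplit("/", 1)[-1]
        print(name, level(cfg), audit([cfg])[name] or "matches the guide")
```

An empty list for a configuration means it matches the guide; any entry points to a setting that reduces what the flow logs record.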
