4 Mins Read

AWS VPC Traffic Mirroring for Secrets, Visibility, and Security Management

Voiced by Amazon Polly

VPC Traffic Mirroring: An overview

Unlock deep insights into your AWS infrastructure with VPC Traffic Mirroring. This feature enables seamless network traffic capture and analysis within your Virtual Private Cloud (VPC). By mirroring data from Elastic Network Interfaces to dedicated monitoring instances, you gain unparalleled visibility for troubleshooting, security monitoring, and performance optimization. Elevate your AWS experience by harnessing the power of VPC Traffic Mirroring for a robust and secure cloud environment.


Network monitoring tools that work with VPC Traffic Mirroring

In conjunction with AWS VPC Traffic Mirroring, leveraging open-source monitoring tools like Zeek and Suricata elevates network analysis and security. Zeek excels in protocol analysis, extracting essential metadata, while Suricata, with its powerful rule-based engine, enhances intrusion detection capabilities. This combination empowers AWS users to monitor, analyze, and secure network traffic. It provides a robust open-source solution for optimizing the AWS VPC environment with comprehensive insights and threat detection.


Customized Cloud Solutions to Drive your Business Success

  • Cloud Migration
  • Devops
  • AIML & IoT
Know More

Key Concepts of VPC Traffic Mirroring

AWS Traffic Mirroring is a pivotal feature in AWS that facilitates detailed analysis and monitoring of the network traffic in the Virtual Private Cloud (VPC). Here are key concepts to grasp:

  1. Mirror Source: This is the network resource (like an Elastic Network Interface) whose inbound and outbound traffic is duplicated for analysis. Mirroring can be applied at the instance or subnet level.
  2. Mirror Target: The instance to which mirrored traffic is sent for analysis. It runs monitoring tools, allowing you to inspect, analyze, or store the duplicated traffic.
  3. Filtering: AWS VPC Traffic Mirroring supports filters to selectively mirror specific traffic based on defined criteria like IP addresses, protocols, and ports, providing flexibility in capturing relevant data.
  4. Session: A configuration defining the flow of mirrored traffic. It includes the source, target, and filter configurations.
  5. Analyzer: The instance running monitoring tools (e.g., Zeek, Suricata) to analyze mirrored traffic for troubleshooting, security analysis, and performance monitoring.


Steps to implement VPC Traffic Mirroring Policy

Now follow the steps to implement VPC Traffic Mirroring using the open-source tool Suricata.

  1. Log in to the AWS Console and access the target EC2 instance terminal (in my demo, I am using a Linux instance), where you want to install the Suricata tool.
  2. Now execute the commands below in the EC2 instance to install Suricata. (Works with Amazon Linux2)You capture and check the path /var/log/suricata/fast.log”
  3. Now, create the Mirror Target. Open VPC Console, then from the left pane under the Traffic Mirroring option, select ‘Mirror targets’, click the ‘Create traffic mirror target’ button, configure as shown in the figure below, and click ‘Create.’
  4. The next step is to create a Mirror Filter. From the same VPC console again, Go to the left pane; under the option, Traffic Mirroring, select ‘Mirror filters’ and then click ‘Create traffic mirror filter.’ Then, configure and create a filter for inbound traffic, as shown in the figure below, and click ‘Create.’
  5. The final step is to create the Mirror Session. In the VPC console, from the left pane under Traffic Mirroring, select the option ‘Mirror sessions’ and then click ‘Create traffic mirror session.’ now configure and create the mirror session as shown in the figure below and then click ‘Create.’

    This step will create the Mirror session, and all the TCP and ICMP traffic gets mirrored from the source instance network interface to the target instance network interface, where it is monitored using the open-source tool Suricata or by monitoring port 4789.

    Important that ingress UDP traffic (port 4789) should be allowed in the security groups for source and target instances.


Tests and Results

Let us do some testing and see the results.

 The screenshot below is for the Client machine and Web Server.


Now, let’s curl the Server IP address from the Client machine and check the mirroring of the packets on the monitoring instance. The figure below shows the curl command execution and the mirror target instance output. Run the below command before curling from the client machine.

sudo tcpdump -nnni eth0 udp port 4789


Now, you will ping the Web Server from the Client machine and check the packets captured on the Target or Monitoring instance. The below figure shows the same.

You can also view the logs that are generated for the above Tests from the target instance within /var/log/suricata/fast.log”



AWS VPC Traffic Mirroring emerges as a game-changer, providing unparalleled insights into network activities. Its robust features, seamless integration with open-source tools, and a focus on enhanced security empower users to navigate the cloud confidently, optimize performance, troubleshoot efficiently, and fortify network defenses.


Get your new hires billable within 1-60 days. Experience our Capability Development Framework today.

  • Cloud Training
  • Customized Training
  • Experiential Learning
Read More

About CloudThat

Established in 2012, CloudThat is a leading Cloud Training and Cloud Consulting services provider in India, USA, Asia, Europe, and Africa. Being a pioneer in the Cloud domain, CloudThat has special expertise in catering to mid-market and enterprise clients in all the major Cloud service providers like AWS, Microsoft, GCP, VMware, Databricks, HP, and more. Uniquely positioned to be a single source for both training and consulting for cloud technologies like Cloud Migration, Data Platforms, DevOps, IoT, and the latest technologies like AI/ML, it is a top-tier partner with AWS and Microsoft, winning more than 8 awards combined in 11 years. Recently, it was recognized as the ‘Think Big’ partner from AWS and won the Microsoft Superstars FY 2023 award in Asia & India. Leveraging their position as a leader in the market, CloudThat has trained 650k+ professionals in 500+ cloud certifications and delivered 300+ consulting projects for 100+ corporates in 28+ countries.

WRITTEN BY Abhijit Dilip Powar



    Click to Comment

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!