AWS

4 Mins Read

AWS VPC Traffic Mirroring for Secrets, Visibility, and Security Management

VPC Traffic Mirroring: An overview

Unlock deep insights into your AWS infrastructure with VPC Traffic Mirroring. This feature enables seamless network traffic capture and analysis within your Virtual Private Cloud (VPC). By mirroring data from Elastic Network Interfaces to dedicated monitoring instances, you gain unparalleled visibility for troubleshooting, security monitoring, and performance optimization. Elevate your AWS experience by harnessing the power of VPC Traffic Mirroring for a robust and secure cloud environment.

 

Network monitoring tools that work with VPC Traffic Mirroring

In conjunction with AWS VPC Traffic Mirroring, leveraging open-source monitoring tools like Zeek and Suricata elevates network analysis and security. Zeek excels in protocol analysis, extracting essential metadata, while Suricata, with its powerful rule-based engine, enhances intrusion detection capabilities. This combination empowers AWS users to monitor, analyze, and secure network traffic. It provides a robust open-source solution for optimizing the AWS VPC environment with comprehensive insights and threat detection.

 

  • Cloud Migration
  • Devops
  • AIML & IoT
Know More

Key Concepts of VPC Traffic Mirroring

AWS Traffic Mirroring is a pivotal feature in AWS that facilitates detailed analysis and monitoring of the network traffic in the Virtual Private Cloud (VPC). Here are key concepts to grasp:

  1. Mirror Source: This is the network resource (like an Elastic Network Interface) whose inbound and outbound traffic is duplicated for analysis. Mirroring can be applied at the instance or subnet level.
  2. Mirror Target: The instance to which mirrored traffic is sent for analysis. It runs monitoring tools, allowing you to inspect, analyze, or store the duplicated traffic.
  3. Filtering: AWS VPC Traffic Mirroring supports filters to selectively mirror specific traffic based on defined criteria like IP addresses, protocols, and ports, providing flexibility in capturing relevant data.
  4. Session: A configuration defining the flow of mirrored traffic. It includes the source, target, and filter configurations.
  5. Analyzer: The instance running monitoring tools (e.g., Zeek, Suricata) to analyze mirrored traffic for troubleshooting, security analysis, and performance monitoring.

 

Steps to implement VPC Traffic Mirroring Policy

Now follow the steps to implement VPC Traffic Mirroring using the open-source tool Suricata.

  1. Log in to the AWS Console and access the target EC2 instance terminal (in my demo, I am using a Linux instance), where you want to install the Suricata tool.
  2. Now execute the commands below in the EC2 instance to install Suricata. (Works with Amazon Linux2)You capture and check the path /var/log/suricata/fast.log”
  3. Now, create the Mirror Target. Open VPC Console, then from the left pane under the Traffic Mirroring option, select ‘Mirror targets’, click the ‘Create traffic mirror target’ button, configure as shown in the figure below, and click ‘Create.’
  4. The next step is to create a Mirror Filter. From the same VPC console again, Go to the left pane; under the option, Traffic Mirroring, select ‘Mirror filters’ and then click ‘Create traffic mirror filter.’ Then, configure and create a filter for inbound traffic, as shown in the figure below, and click ‘Create.’
  5. The final step is to create the Mirror Session. In the VPC console, from the left pane under Traffic Mirroring, select the option ‘Mirror sessions’ and then click ‘Create traffic mirror session.’ now configure and create the mirror session as shown in the figure below and then click ‘Create.’

    This step will create the Mirror session, and all the TCP and ICMP traffic gets mirrored from the source instance network interface to the target instance network interface, where it is monitored using the open-source tool Suricata or by monitoring port 4789.

    Important that ingress UDP traffic (port 4789) should be allowed in the security groups for source and target instances.

 

Tests and Results

Let us do some testing and see the results.

 The screenshot below is for the Client machine and Web Server.

Test-1

Now, let’s curl the Server IP address from the Client machine and check the mirroring of the packets on the monitoring instance. The figure below shows the curl command execution and the mirror target instance output. Run the below command before curling from the client machine.

sudo tcpdump -nnni eth0 udp port 4789

Test-2

Now, you will ping the Web Server from the Client machine and check the packets captured on the Target or Monitoring instance. The below figure shows the same.

You can also view the logs that are generated for the above Tests from the target instance within /var/log/suricata/fast.log”

 

Conclusion

AWS VPC Traffic Mirroring emerges as a game-changer, providing unparalleled insights into network activities. Its robust features, seamless integration with open-source tools, and a focus on enhanced security empower users to navigate the cloud confidently, optimize performance, troubleshoot efficiently, and fortify network defenses.

 

Get your new hires billable within 1-60 days. Experience our Capability Development Framework today.

  • Cloud Training
  • Customized Training
  • Experiential Learning
Read More

About CloudThat

Established in 2012, CloudThat is a leading Cloud Training and Cloud Consulting services provider in India, USA, Asia, Europe, and Africa. Being a pioneer in the Cloud domain, CloudThat has special expertise in catering to mid-market and enterprise clients in all the major Cloud service providers like AWS, Microsoft, GCP, VMware, Databricks, HP, and more. Uniquely positioned to be a single source for both training and consulting for cloud technologies like Cloud Migration, Data Platforms, DevOps, IoT, and the latest technologies like AI/ML, it is a top-tier partner with AWS and Microsoft, winning more than 8 awards combined in 11 years. Recently, it was recognized as the ‘Think Big’ partner from AWS and won the Microsoft Superstars FY 2023 award in Asia & India. Leveraging their position as a leader in the market, CloudThat has trained 650k+ professionals in 500+ cloud certifications and delivered 300+ consulting projects for 100+ corporates in 28+ countries.

WRITTEN BY Abhijit Dilip Powar

Share

PREV

NEXT

Comments

    Click to Comment

Related Resources

Upcoming Webinar

Demystifying Generative BI: A Deep Dive with Amazon QuickSight

By divya

Apr 25, 2024

Power Platforms

How to Employ Pipelines in Power Platform to Elevate

By Daliya V K

Apr 23, 2024

Case Study

Advanced HRMS Chatbot using AWS GenAI for Enhanced User

By gopi

Apr 22, 2024

Case Study

Automated Email Replies for a FinTech Firm Enhancing Customer

By gopi

Apr 22, 2024

Case Study

Scaler Achieves Near Real-Time Audio Transcription, Driving Productivity with

By gopi

Apr 22, 2024

Azure

A Comprehensive Study Plan for AZ-104 Certification the Key

By CloudThat

Apr 22, 2024

Azure

How to Prepare for the Exam AZ-900 Microsoft Azure

By CloudThat

Apr 22, 2024

Big Data, Cloud Computing

How to Secure Microsoft Fabric Data Warehouse?

By Pankaj Choudhary

Apr 19, 2024

Case Study

Real-time Threat Prevention and Maximizing Protection by Leveraging AWS

By gopi

Apr 16, 2024

Case Study

Effective Threat Protection with AWS WAF Configuration Resulting in

By gopi

Apr 16, 2024

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!