VPC Traffic Mirroring: An overview
Unlock deep insights into your AWS infrastructure with VPC Traffic Mirroring. This feature enables seamless network traffic capture and analysis within your Virtual Private Cloud (VPC). By mirroring data from Elastic Network Interfaces to dedicated monitoring instances, you gain unparalleled visibility for troubleshooting, security monitoring, and performance optimization. Elevate your AWS experience by harnessing the power of VPC Traffic Mirroring for a robust and secure cloud environment.
Network monitoring tools that work with VPC Traffic Mirroring
In conjunction with AWS VPC Traffic Mirroring, leveraging open-source monitoring tools like Zeek and Suricata elevates network analysis and security. Zeek excels in protocol analysis, extracting essential metadata, while Suricata, with its powerful rule-based engine, enhances intrusion detection capabilities. This combination empowers AWS users to monitor, analyze, and secure network traffic. It provides a robust open-source solution for optimizing the AWS VPC environment with comprehensive insights and threat detection.
Key Concepts of VPC Traffic Mirroring
AWS Traffic Mirroring is a pivotal feature in AWS that facilitates detailed analysis and monitoring of the network traffic in the Virtual Private Cloud (VPC). Here are key concepts to grasp:
- Mirror Source: This is the network resource (like an Elastic Network Interface) whose inbound and outbound traffic is duplicated for analysis. Mirroring can be applied at the instance or subnet level.
- Mirror Target: The instance to which mirrored traffic is sent for analysis. It runs monitoring tools, allowing you to inspect, analyze, or store the duplicated traffic.
- Filtering: AWS VPC Traffic Mirroring supports filters to selectively mirror specific traffic based on defined criteria like IP addresses, protocols, and ports, providing flexibility in capturing relevant data.
- Session: A configuration defining the flow of mirrored traffic. It includes the source, target, and filter configurations.
- Analyzer: The instance running monitoring tools (e.g., Zeek, Suricata) to analyze mirrored traffic for troubleshooting, security analysis, and performance monitoring.
Steps to implement VPC Traffic Mirroring Policy
Now follow the steps to implement VPC Traffic Mirroring using the open-source tool Suricata.
- Log in to the AWS Console and access the target EC2 instance terminal (in my demo, I am using a Linux instance), where you want to install the Suricata tool.
- Now execute the commands below in the EC2 instance to install Suricata. (Works with Amazon Linux2)
Once Suricata is installed and running, its alerts are written to “/var/log/suricata/fast.log”; check that path to confirm the installation works.
- Now, create the Mirror Target. Open VPC Console, then from the left pane under the Traffic Mirroring option, select ‘Mirror targets’, click the ‘Create traffic mirror target’ button, configure as shown in the figure below, and click ‘Create.’
- The next step is to create a Mirror Filter. In the same VPC console, go to the left pane; under Traffic Mirroring, select ‘Mirror filters’ and then click ‘Create traffic mirror filter.’ Then configure and create a filter for inbound traffic, as shown in the figure below, and click ‘Create.’
- The final step is to create the Mirror Session. In the VPC console, from the left pane under Traffic Mirroring, select ‘Mirror sessions’ and then click ‘Create traffic mirror session.’ Now configure and create the mirror session as shown in the figure below and click ‘Create.’
This step creates the mirror session; all TCP and ICMP traffic is then mirrored from the source instance's network interface to the target instance's network interface, where it can be inspected with the open-source tool Suricata or captured directly on UDP port 4789 (mirrored packets arrive VXLAN-encapsulated on that port).
It is important that ingress UDP traffic on port 4789 is allowed in the security groups of the source and target instances.
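To make the filter semantics concrete, here is an added Python example (not code from the post): it decodes a mirrored frame the way it arrives at the target on UDP port 4789 (VXLAN header, then the original Ethernet frame and IPv4 header) and applies an inbound TCP/ICMP filter like the one created above the way AWS evaluates filter rules, lowest rule number first with the first match deciding. The rule set, the sample addresses and the VNI are constructed for the example.

```python
"""Decode a VXLAN-encapsulated mirrored frame (UDP 4789) and apply
Traffic Mirroring filter semantics (added example, not code from the post)."""
import ipaddress
import struct

# Constructed rule set modelled on the post's inbound TCP + ICMP filter.
# AWS evaluates rules lowest rule number first; the first match decides;
# no match means the packet is not mirrored. Port ranges are omitted here.
RULES = [
    {"rule_number": 100, "direction": "ingress", "action": "accept",
     "protocol": 6, "src": "0.0.0.0/0", "dst": "0.0.0.0/0"},   # TCP
    {"rule_number": 200, "direction": "ingress", "action": "accept",
     "protocol": 1, "src": "0.0.0.0/0", "dst": "0.0.0.0/0"},   # ICMP
]

def decode_vxlan(payload: bytes) -> dict:
    """Parse a UDP/4789 payload: 8-byte VXLAN header, inner Ethernet, inner IPv4."""
    if len(payload) < 8 or not payload[0] & 0x08:   # flag bit I = VNI valid
        raise ValueError("not a VXLAN frame with a valid VNI")
    vni = int.from_bytes(payload[4:7], "big")        # 24-bit VNI at bytes 4..6
    eth = payload[8:]
    ethertype = struct.unpack("!H", eth[12:14])[0]
    if ethertype != 0x0800:                           # only IPv4 is decoded here
        return {"vni": vni, "ethertype": ethertype, "ipv4": None}
    ip = eth[14:]
    return {"vni": vni, "ethertype": ethertype, "ipv4": {
        "protocol": ip[9],                            # 6 = TCP, 1 = ICMP, 17 = UDP
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20]))}}

def is_mirrored(inner: dict, direction: str, rules=RULES) -> bool:
    """Apply the filter to a decoded inner IPv4 packet; True if it is mirrored."""
    for r in sorted(rules, key=lambda r: r["rule_number"]):
        if r["direction"] != direction or r["protocol"] not in (None, inner["protocol"]):
            continue                                  # None in a rule = all protocols
        if (ipaddress.ip_address(inner["src"]) not in ipaddress.ip_network(r["src"])
                or ipaddress.ip_address(inner["dst"]) not in ipaddress.ip_network(r["dst"])):
            continue
        return r["action"] == "accept"
    return False                                      # no rule matched: not mirrored

def build_sample(proto: int, src: str, dst: str, vni: int = 1) -> bytes:
    """Constructed VXLAN frame carrying a minimal 20-byte inner IPv4 header."""
    vxlan = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    eth = b"\x02" * 12 + b"\x08\x00"                  # dst MAC, src MAC, EtherType IPv4
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, proto, 0, 0])
    return vxlan + eth + ip + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
```

Running `is_mirrored(decode_vxlan(build_sample(17, "10.0.1.10", "10.0.1.20"))["ipv4"], "ingress")` returns False, which is why a DNS lookup from the client would not show up in Suricata's fast.log with this filter while the curl and ping from the tests do.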
Tests and Results
Let us do some testing and see the results.
The screenshot below is for the Client machine and Web Server.
Test-1
Now, let’s curl the Server IP address from the Client machine and check the mirroring of the packets on the monitoring instance. The figure below shows the curl command execution and the mirror target instance output. Run the below command before curling from the client machine.
sudo tcpdump -nnni eth0 udp port 4789
Test-2
Now, you will ping the Web Server from the Client machine and check the packets captured on the Target or Monitoring instance. The below figure shows the same.
You can also view the logs generated for the above tests on the target instance in “/var/log/suricata/fast.log”.
Conclusion
AWS VPC Traffic Mirroring emerges as a game-changer, providing unparalleled insights into network activities. Its robust features, seamless integration with open-source tools, and a focus on enhanced security empower users to navigate the cloud confidently, optimize performance, troubleshoot efficiently, and fortify network defenses.
WRITTEN BY Abhijit Dilip Powar