AWS VPC Traffic Mirroring

Anil Augustine Chalissery
6 min read · Mar 30, 2022


In this post we will explore how to gain insight into your network traffic using Amazon VPC Traffic Mirroring. We will learn how to copy network traffic from an elastic network interface (ENI) of the EC2 instances in your VPCs and send it to security and monitoring appliances.

Before we begin, we briefly go over what such a network can look like and which native traffic-monitoring capabilities are available in the AWS cloud.

What is Traffic Mirroring?

Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface of Amazon EC2 instances. You can then send the traffic to out-of-band security and monitoring appliances for:

  • Content inspection
  • Threat monitoring
  • Troubleshooting

Traffic Mirroring concepts

The following are the key concepts for Traffic Mirroring:

  • Source — A network interface with the type instance.
  • Target — The destination for mirrored traffic.
  • Filter — A set of rules that defines the traffic that is copied in a traffic mirror session.
  • Session — An entity that describes Traffic Mirroring from a source to a target using filters.

Get started with Traffic Mirroring

Now we will set up traffic mirroring for a chosen source and look at the captured packets on the chosen target. From this post you will learn how to configure the following components required for Amazon VPC Traffic Mirroring:

  1. Traffic mirror target
  2. Traffic mirror filter
  3. Traffic mirror session

Step 0: Prerequisites

  • Make sure that the traffic mirror source and traffic mirror target are in the same VPC, or in different VPCs that are connected via VPC peering or a transit gateway.
  • Make sure that the traffic mirror target instance allows inbound traffic on UDP port 4789 (the VXLAN port on which mirrored packets arrive).
  • Make sure that the traffic mirror source has a route table entry for the traffic mirror target.
  • Make sure that there are no security group rules or network ACL rules on the traffic mirror target that drop the mirrored traffic from the traffic mirror source.

We will need the following resources before proceeding:

  1. VPC
  2. IGW
  3. Public route table
  4. Public subnet
  5. Three EC2 instances:
     • one acting as the client (optional: we can use our local machine as the client)
     • one acting as the server
     • one acting as the destination for mirrored traffic

Step 1: Create the traffic mirror target

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/

2. In the Region selector, choose the AWS Region that you used when you created the VPCs.

3. On the navigation pane, choose Traffic Mirroring, Mirror Targets.

4. Choose Create Traffic Mirror Target.

5. For Name tag, enter a name for the traffic mirror target.

(Optional) For Description, enter a description for the traffic mirror target.

6. For Target type, choose the traffic mirror target type.

Here we use Network Interface, because the target we are creating is an EC2 instance.

7. For Target, choose the traffic mirror target.

From the drop-down, select the ENI of our target instance (the destination of the mirrored traffic). You can find an instance's ENI in the instance details in the EC2 console: click on Network Interface eth0 and it will display the ENI ID.

(Optional) Add or remove a tag.

[Add a tag] Choose Add tag and do the following:

  • For Key, enter the key name.
  • For Value, enter the key value.

[Remove a tag] Next to the tag, choose Remove tag.

8. Choose Create.

The traffic mirror target is now created.

Step 2: Create the traffic mirror filter

A traffic mirror filter contains one or more traffic mirror rules and a set of network services. The filter and its rules define which traffic is mirrored. Now we will create the traffic mirror filter:

1. On the left navigation pane, scroll down and choose Traffic Mirroring, Mirror Filters.

2. Choose Create Traffic Mirror Filter.

3. Enter the rule values described below and choose Create traffic mirror filter:

We are going to mirror port 80 traffic ingressing on the server (the source), hence we have created an inbound rule for port 80. If you also want to mirror traffic egressing from the server (outbound traffic), you need to create an outbound rule as well.

We can also have all traffic mirrored by leaving the port range empty and using 0.0.0.0/0 as the CIDR.

4. Choose Create.

The traffic mirror filter is now created.
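To make the filter semantics concrete (rules are evaluated by ascending rule number, the first match decides, and a packet matching no rule is not mirrored), here is an added example that models the Step 2 filter and evaluates constructed packets against it. It is not AWS code; the MirrorRule and Packet classes, the CATCH_ALL_FILTER with a hypothetical 10.99.0.0/16 management range, and the sample addresses are all assumptions made for the example. It goes slightly beyond the post's single rule to show how a lower-numbered reject rule combines with an accept-all rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of the fields a traffic mirror filter rule carries in the
# console: direction, rule number (priority), action, protocol, CIDRs, ports.
@dataclass
class MirrorRule:
    direction: str                      # "inbound" (ingress) or "outbound" (egress)
    rule_number: int                    # lower numbers are evaluated first
    action: str                         # "accept" (mirror) or "reject" (do not mirror)
    source_cidr: str = "0.0.0.0/0"
    dest_cidr: str = "0.0.0.0/0"
    protocol: Optional[int] = None      # None = all protocols; 6 = TCP, 17 = UDP
    source_ports: Optional[Tuple[int, int]] = None   # None = any port
    dest_ports: Optional[Tuple[int, int]] = None


@dataclass
class Packet:
    """Five-tuple plus direction relative to the source ENI."""
    direction: str
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: int
    dst_port: int


def _port_ok(port_range: Optional[Tuple[int, int]], port: int) -> bool:
    return port_range is None or port_range[0] <= port <= port_range[1]


def rule_matches(rule: MirrorRule, pkt: Packet) -> bool:
    """True when every field of the rule matches the packet."""
    return (
        rule.direction == pkt.direction
        and (rule.protocol is None or rule.protocol == pkt.protocol)
        and ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.source_cidr, strict=False)
        and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(rule.dest_cidr, strict=False)
        and _port_ok(rule.source_ports, pkt.src_port)
        and _port_ok(rule.dest_ports, pkt.dst_port)
    )


def is_mirrored(rules: List[MirrorRule], pkt: Packet) -> bool:
    """Rules are evaluated in ascending rule-number order and the first match
    decides; a packet that matches no rule is not mirrored (implicit deny)."""
    for rule in sorted(rules, key=lambda r: r.rule_number):
        if rule_matches(rule, pkt):
            return rule.action == "accept"
    return False


# The filter built in Step 2: one inbound rule, TCP destination port 80, any source.
POST_FILTER = [
    MirrorRule("inbound", 100, "accept", protocol=6, dest_ports=(80, 80)),
]

# Assumed extension (not on the page): a lower-numbered reject rule keeps a
# hypothetical management range out of the mirror; the accept rules without a
# port range and with 0.0.0.0/0 are the "mirror everything" filter the post mentions.
CATCH_ALL_FILTER = [
    MirrorRule("inbound", 10, "reject", source_cidr="10.99.0.0/16"),
    MirrorRule("inbound", 100, "accept"),
    MirrorRule("outbound", 100, "accept"),
]

# Constructed sample packets (addresses taken from documentation ranges).
HTTP_IN = Packet("inbound", "203.0.113.10", "10.0.1.20", 6, 51234, 80)
HTTPS_IN = Packet("inbound", "203.0.113.10", "10.0.1.20", 6, 51235, 443)
HTTP_OUT = Packet("outbound", "10.0.1.20", "203.0.113.10", 6, 80, 51234)
MGMT_SSH = Packet("inbound", "10.99.0.5", "10.0.1.20", 6, 40000, 22)

if __name__ == "__main__":
    for name, pkt in [("HTTP_IN", HTTP_IN), ("HTTPS_IN", HTTPS_IN),
                      ("HTTP_OUT", HTTP_OUT), ("MGMT_SSH", MGMT_SSH)]:
        print(f"{name:9s} Step 2 filter: {is_mirrored(POST_FILTER, pkt)!s:5s} "
              f"catch-all: {is_mirrored(CATCH_ALL_FILTER, pkt)}")
```

Note that with only the inbound rule from Step 2, the server's HTTP responses (HTTP_OUT) are not mirrored; that is exactly why the post says an outbound rule is needed if you want egress traffic too.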

Step 3: Create the traffic mirror session

1. On the left navigation pane, scroll down and choose Traffic Mirroring, Mirror Sessions.

2. Choose Create Traffic Mirror Session.

3. For Name tag, enter a name for the traffic mirror session.

(Optional) For Description, enter a description for the traffic mirror session.

4. For Mirror source, choose the network interface of the instance that you want to monitor. We will need the ENI of the source instance, so look it up the same way we did in Step 1.

5. For Mirror target, choose the traffic mirror target. From the drop-down we can select the target we created in Step 1.

6. For Session number, enter the session number.

Use 1 for the highest priority.

7. For Filter, choose the traffic mirror filter we created in Step 2. Keep all other values at their defaults; they are optional. To learn more about the other optional values, refer to the AWS documentation for traffic mirror sessions.

8. At this point you should have your traffic mirror session successfully created.
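Steps 1 to 3 are console clicks, but the same three resources can be created through the EC2 API, which is how you would keep the mirroring setup reproducible. The following added example (not AWS code and not part of the original post) performs the sequence with the boto3 EC2 client method names and parameters; the ENI IDs are placeholders, and the FakeEc2 class is an offline stand-in constructed for this example so the code runs without credentials.

```python
"""Create the traffic mirror target, filter (with the inbound TCP/80 rule) and
session through the EC2 API, mirroring Steps 1-3 of the console walkthrough.

`ec2` is any object exposing the boto3 EC2 client methods, so the function
runs unchanged against boto3.client("ec2") or against the FakeEc2 stand-in
below, which records the calls and returns the id-bearing response shapes the
real API uses. The ENI ids used here are placeholders.
"""


def setup_traffic_mirroring(ec2, source_eni, target_eni, session_number=1,
                            mirror_dns=False):
    """Create target, filter and session; returns the session description."""
    # Step 1: the target is the ENI of the instance that receives mirrored traffic.
    target = ec2.create_traffic_mirror_target(
        NetworkInterfaceId=target_eni,
        Description="destination for mirrored traffic",
    )
    target_id = target["TrafficMirrorTarget"]["TrafficMirrorTargetId"]

    # Step 2: a filter with a single inbound rule: accept TCP to port 80 from anywhere.
    # Both CIDR blocks are required by the API, just as in the console form.
    filt = ec2.create_traffic_mirror_filter(Description="inbound http")
    filter_id = filt["TrafficMirrorFilter"]["TrafficMirrorFilterId"]
    ec2.create_traffic_mirror_filter_rule(
        TrafficMirrorFilterId=filter_id,
        TrafficDirection="ingress",
        RuleNumber=100,
        RuleAction="accept",
        Protocol=6,  # TCP
        DestinationPortRange={"FromPort": 80, "ToPort": 80},
        SourceCidrBlock="0.0.0.0/0",
        DestinationCidrBlock="0.0.0.0/0",
    )
    if mirror_dns:
        # Optional network service on the filter: also mirror Amazon DNS traffic.
        ec2.modify_traffic_mirror_filter_network_services(
            TrafficMirrorFilterId=filter_id, AddNetworkServices=["amazon-dns"]
        )

    # Step 3: the session ties the source ENI to the target through the filter.
    session = ec2.create_traffic_mirror_session(
        NetworkInterfaceId=source_eni,
        TrafficMirrorTargetId=target_id,
        TrafficMirrorFilterId=filter_id,
        SessionNumber=session_number,  # 1 = highest priority
    )
    return session["TrafficMirrorSession"]


class FakeEc2:
    """Offline stand-in for boto3's EC2 client (constructed for this example):
    records each call's keyword arguments and hands back a made-up resource id."""

    _ID_SHAPES = {
        "create_traffic_mirror_target": ("TrafficMirrorTarget", "TrafficMirrorTargetId", "tmt"),
        "create_traffic_mirror_filter": ("TrafficMirrorFilter", "TrafficMirrorFilterId", "tmf"),
        "create_traffic_mirror_session": ("TrafficMirrorSession", "TrafficMirrorSessionId", "tms"),
    }

    def __init__(self):
        self.calls = []  # (method name, kwargs) in call order

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            shape = self._ID_SHAPES.get(name)
            if shape is None:
                return {}
            key, id_key, prefix = shape
            return {key: {id_key: f"{prefix}-{len(self.calls):017x}"}}
        return call


def dry_run(mirror_dns=False):
    """Run the whole sequence against FakeEc2; returns (recorded calls, session)."""
    fake = FakeEc2()
    session = setup_traffic_mirroring(fake, "eni-SOURCE-PLACEHOLDER",
                                      "eni-TARGET-PLACEHOLDER", mirror_dns=mirror_dns)
    return fake.calls, session


if __name__ == "__main__":
    # Swap FakeEc2() for boto3.client("ec2") to run for real; the caller then
    # needs credentials with the ec2:CreateTrafficMirror* permissions.
    calls, session = dry_run()
    for method, kwargs in calls:
        print(method, kwargs)
    print("session:", session)
```

The order matters: the session references both the target and the filter by ID, so those two must exist first, which is also why the console walkthrough creates them in Steps 1 and 2 before the session in Step 3.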

Step 4: Mirror traffic

Now that our traffic mirror target, filter and session are in place, let's check how traffic gets mirrored. In the prerequisites we created three Amazon EC2 instances; they serve the following purposes:

  1. Client instance (optional, as we can also curl from our local machine; it is good to know our public IP beforehand so we can verify it in the logs):
  • Using curl, we will send port 80 traffic from the client to the server.

2. Server instance:

  • It runs a web server that returns a basic hello HTML page and responds to the client instance's curl request. A Linux instance with Nginx or Apache will do the trick.
  • It also acts as the mirror source. We are going to mirror port 80 traffic ingressing on the server.

3. Destination instance:

  • Mirrored traffic is sent to this instance.

So let's begin.

  1. From the destination instance, start capturing the VXLAN-encapsulated mirrored traffic with the following command:

sudo tcpdump -nnni ens5 udp port 4789


2. Send port 80 traffic from the client to the server. You need to be on the client instance's terminal for this:

curl <public ip of server>

3. Now, on the destination instance, you will see the mirrored traffic appear in the tcpdump output.

That's it; traffic mirroring now works.
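What tcpdump shows on UDP port 4789 is VXLAN: an 8-byte header carrying the session's VNI, followed by the original Ethernet frame. The added example below (not part of the original post) builds one such datagram from constructed values, decodes it back down to the inner TCP ports, and checks that it belongs to our session and matches the Step 2 filter. The VNI 1234, the MAC and IP addresses, and the listen() helper are assumptions for the example; on a real destination instance you would compare against the VNI shown in the session details.

```python
import socket
import struct

VXLAN_PORT = 4789            # the UDP port the prerequisites open on the target
VXLAN_FLAG_VNI_VALID = 0x08  # "I" flag: the VNI field is valid


def build_sample_mirrored_packet(vni, src_ip, dst_ip, src_port, dst_port, payload):
    """Constructed sample of one mirrored packet as it arrives in a UDP/4789
    datagram: 8-byte VXLAN header, then the inner Ethernet/IPv4/TCP frame."""
    # VXLAN: flags, 3 reserved bytes, 24-bit VNI in the top bits of the last word
    vxlan = struct.pack("!B3sI", VXLAN_FLAG_VNI_VALID, b"\x00\x00\x00", vni << 8)
    # Ethernet: locally-administered placeholder MACs, EtherType IPv4
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + struct.pack("!H", 0x0800)
    # TCP: data offset 5 (20-byte header), flags PSH|ACK, checksum left zero
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    # IPv4: version 4 / IHL 5, TTL 64, protocol 6 (TCP), checksum left zero
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return vxlan + eth + ipv4 + tcp


def decode_mirrored_packet(data):
    """Strip the VXLAN header and parse the inner frame down to the L4 ports.
    Tolerates frames truncated by the session's optional packet-length setting."""
    if len(data) < 8:
        raise ValueError("too short for a VXLAN header")
    flags, _, vni_word = struct.unpack("!B3sI", data[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN header without the VNI-valid flag")
    result = {"vni": vni_word >> 8}

    inner = data[8:]
    if len(inner) < 14 or struct.unpack("!H", inner[12:14])[0] != 0x0800:
        result["note"] = "inner frame is not IPv4 or is truncated"
        return result
    ip = inner[14:]
    if len(ip) < 20:
        result["note"] = "IPv4 header truncated"
        return result
    ihl = (ip[0] & 0x0F) * 4
    result.update(src_ip=socket.inet_ntoa(ip[12:16]),
                  dst_ip=socket.inet_ntoa(ip[16:20]),
                  protocol=ip[9])
    l4 = ip[ihl:]
    if result["protocol"] in (6, 17) and len(l4) >= 4:   # TCP or UDP ports
        result["src_port"], result["dst_port"] = struct.unpack("!HH", l4[:4])
    if result["protocol"] == 6 and len(l4) >= 20:         # full TCP header present
        data_offset = (l4[12] >> 4) * 4
        result["payload"] = l4[data_offset:]
    return result


def matches_post_filter(decoded, expected_vni):
    """Sanity check for Step 4: the datagram belongs to our session (VNI) and
    is the inbound TCP/80 traffic the Step 2 filter selects."""
    return (decoded.get("vni") == expected_vni
            and decoded.get("protocol") == 6
            and decoded.get("dst_port") == 80)


def listen(expected_vni, port=VXLAN_PORT):
    """Receive mirrored datagrams directly on the destination instance with a
    plain UDP socket (no VXLAN interface needed); an alternative to tcpdump."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    while True:
        data, (outer_src, _) = sock.recvfrom(65535)
        decoded = decode_mirrored_packet(data)
        tag = "MATCH" if matches_post_filter(decoded, expected_vni) else "other"
        print(f"{tag} from {outer_src}: {decoded}")


# Constructed sample: the client's GET to the server, mirrored under VNI 1234.
SAMPLE_VNI = 1234
SAMPLE_PACKET = build_sample_mirrored_packet(SAMPLE_VNI, "203.0.113.10", "10.0.1.20",
                                             51234, 80, b"GET / HTTP/1.1\r\n")

if __name__ == "__main__":
    print(decode_mirrored_packet(SAMPLE_PACKET))
```

Because the mirrored datagram is unauthenticated UDP, the outer source address and the VNI are the only things tying a packet to a session; restricting who may send to UDP 4789 on the target (the security-group prerequisite above) is what keeps a stray or spoofed VXLAN datagram from being mistaken for mirrored traffic.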

You can use open-source tools to monitor network traffic from Amazon EC2 instances. The following tools work with Traffic Mirroring:
