Virtual Private Cloud (VPC) supports the traffic mirroring feature. You can use this feature to mirror network traffic that flows through an elastic network interface (ENI) based on specified filters. The traffic mirroring feature allows you to mirror network traffic from an Elastic Compute Service (ECS) instance that is deployed in a VPC and forward traffic to a specified ENI or internal-facing Server Load Balancer (SLB) instance. You can use this feature in scenarios such as content inspection, threat monitoring, and troubleshooting.

Traffic mirroring

Regions that support traffic mirroring

The following table describes the regions that support traffic mirroring.
| Area | Region |
| --- | --- |
| Asia Pacific | China (Qingdao), China (Hohhot), China (Shenzhen), China (Chengdu), China (Hong Kong), and Australia (Sydney) |
| Europe & Americas | US (Silicon Valley), US (Virginia), and UK (London) |

Terms

  • Filter: contains inbound and outbound rules. Filters are used to control the network traffic in traffic mirror sessions.
  • Traffic mirror source: an ENI from which you want to mirror network traffic.
  • Traffic mirror destination: an ENI or an internal-facing SLB instance that is used to receive mirrored network traffic.
  • Traffic mirror session: mirrors network traffic from a traffic mirror source to a traffic mirror destination based on specified filters.

Filters

You can specify inbound and outbound rules in filters. When you create a traffic mirror session, you can associate the session with a filter. After the traffic mirror session is created and enabled, all network traffic that matches the filter is mirrored. Five parameters are used to specify the inbound and outbound rules in filters: source CIDR block, source port, destination CIDR block, destination port, and protocol.

For example, you can set the parameters to the following values for an inbound rule: source CIDR block to 192.168.0.0/16, source port to 10000, destination CIDR block to 10.0.0.0/8, destination port to 80, and protocol to TCP. After the configuration is complete, the traffic mirror session mirrors the network traffic that is transmitted to the specified ECS instance and matches these values.
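The match on the five parameters can be checked offline before a filter is attached to a session. The following Python sketch is an added example, not Alibaba Cloud code: it evaluates the inbound rule above against sample packets and shows that reply packets, which leave the ENI, are only mirrored once an outbound rule with the source and destination fields swapped is added. The `Rule` and `Packet` classes, the `direction` field, exact-port matching, and all sample packets are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound", relative to the mirror source ENI
    src_cidr: str
    src_port: int
    dst_cidr: str
    dst_port: int
    protocol: str

@dataclass(frozen=True)
class Packet:
    direction: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str

def matches(rule: Rule, pkt: Packet) -> bool:
    """True only if direction and all five parameters of the rule match."""
    return (rule.direction == pkt.direction
            and rule.protocol.upper() == pkt.protocol.upper()
            and ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.src_cidr)
            and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(rule.dst_cidr)
            and rule.src_port == pkt.src_port
            and rule.dst_port == pkt.dst_port)

def mirrored(rules, packets):
    """Packets that at least one rule of the filter would mirror."""
    return [p for p in packets if any(matches(r, p) for r in rules)]

def reverse(rule: Rule) -> Rule:
    """Outbound counterpart that matches replies to an inbound rule."""
    return Rule("outbound", rule.dst_cidr, rule.dst_port,
                rule.src_cidr, rule.src_port, rule.protocol)

# The inbound rule from the text, plus constructed sample packets.
INBOUND = Rule("inbound", "192.168.0.0/16", 10000, "10.0.0.0/8", 80, "TCP")
SAMPLE = [
    Packet("inbound", "192.168.1.5", 10000, "10.0.0.9", 80, "TCP"),   # request
    Packet("outbound", "10.0.0.9", 80, "192.168.1.5", 10000, "TCP"),  # its reply
    Packet("inbound", "192.168.1.5", 10001, "10.0.0.9", 80, "TCP"),   # other port
    Packet("inbound", "172.16.0.1", 10000, "10.0.0.9", 80, "TCP"),    # outside CIDR
    Packet("inbound", "192.168.1.5", 10000, "10.0.0.9", 80, "UDP"),   # other protocol
]
```

With only `INBOUND` in the filter, a sensor at the destination sees one half of each TCP conversation, which matters for tools that reassemble streams.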

Scenarios

Security: Intrusion detection

You can use self-developed or third-party software to inspect mirrored traffic. This ensures that all security vulnerabilities and intrusion activities are detected. The traffic mirroring feature accelerates the detection process and allows you to respond to attacks at the earliest opportunity.

Auditing: Finance or public service sectors

In the finance industry or scenarios that require high-level compliance, network traffic must be audited. You can use the traffic mirroring feature to mirror network traffic from an instance to an auditing platform where you can audit the compliance of the traffic.

Network O&M: Troubleshooting

Operation and maintenance (O&M) engineers can use the traffic mirroring feature to troubleshoot network problems in scenarios such as TCP retransmission by querying mirrored traffic. They do not need to retrieve packets from a virtual machine (VM).

Billing and pricing

Total fee = Instance fee + Data transfer fee
  • Instance fee = Number of ENIs that have traffic mirroring enabled × Active duration of traffic mirror session (hours) × Unit price (USD/ENI/hour)

    After an ENI has traffic mirroring enabled, you are charged for using traffic mirroring on an hourly basis. If the usage duration is less than 1 hour, it is rounded up to 1 hour. After you disable traffic mirroring for an ENI, the billing stops.

  • Data transfer fee = Size of data transfer plan (GB) × Unit price (USD/GB)

The following table describes the billable items.

| Billable item | Unit price |
| --- | --- |
| Instance fee | 0.014 (USD/ENI/hour) |
| Data transfer fee | Free of charge before December 30, 2022; 0.007 (USD/GB) |

For example, traffic mirroring is enabled for five ENIs that are deployed in a VPC in Silicon Valley Zone B. The traffic mirror sessions have been active 24 hours per day for 30 days, and the size of the data transfer plan is 20 GB. In this case, the fees are:
  • Instance fee = 5 × 30 × 24 × 0.014 = USD 50.4
  • Data transfer fee = 20 × 0.007 = USD 0.14
  • Total fee = 50.4 + 0.14 = USD 50.54

Overdue payments
  • The traffic mirroring feature continues to provide services within 15 days after the bill becomes overdue.
  • If the overdue payment remains unsettled, the traffic mirroring feature is suspended on the fifteenth day. After the traffic mirroring feature is suspended, it is unavailable. Active traffic mirror sessions also stop running.
  • If you do not complete the payment within 15 days after the traffic mirroring feature is suspended, the traffic mirror sessions are automatically deleted. You will be notified by email one day before the traffic mirror sessions are deleted. After the traffic mirror sessions are deleted, the configurations and data of the traffic mirror sessions are deleted and cannot be recovered.

Limits

The following table describes the resource quotas of traffic mirroring.

| Item | Limit | Quota increase |
| --- | --- | --- |
| The number of traffic mirror sessions supported by each region within each Alibaba Cloud account | 20000 | N/A |
| The number of traffic mirror sessions supported by each traffic mirror source | 1 | |
| The number of traffic mirror sources that can be specified in each traffic mirror session | 1 | |
| The number of traffic mirror destinations that can be specified by each account | Unlimited | |
| The number of traffic mirror sessions supported by each traffic mirror destination | 200 (if the traffic mirror destination is an internal-facing SLB instance); 10 (if the traffic mirror destination is an ENI) | |
| The number of rules that can be specified in each filter | 10 | |
| The number of traffic mirror sessions that can be associated with each filter | 1000 | |

The traffic mirroring feature has the following limits:
  • The standard Virtual Extensible LAN (VXLAN) protocol is used in traffic mirror sessions to encapsulate packets. For more information about the VXLAN protocol, see RFC 7348. If the packet to be mirrored or the VXLAN packet exceeds the maximum transmission unit (MTU) of the internal ENI of the specified ECS instance, the packet is truncated. To avoid truncation, we recommend that you set the MTU of the internal ENI to a value that is at least 50 bytes less than the MTU of the traffic mirror source and the traffic mirror destination if you use IPv4 addresses. For more information, see Set the MTU size of an NIC.
  • You do not need to provide additional bandwidth for traffic mirror sessions. Traffic mirror sessions share the bandwidth of the associated instances. The bandwidth is not affected.
  • Security groups and network access control lists (ACLs) do not affect network traffic when the traffic is copied on a traffic mirror source. However, when the copied network traffic is mirrored to the traffic mirror destination, the traffic is affected by security groups and network ACLs.
  • Each packet that is sent from a traffic mirror source can be mirrored only once and to only one traffic mirror destination.
  • You cannot specify an ENI as both the traffic mirror source and the traffic mirror destination.
  • The system does not mirror dropped Address Resolution Protocol (ARP) packets, Dynamic Host Configuration Protocol (DHCP) packets, Log Service packets, or packets that are dropped by security groups or network ACLs.
  • IPv6 traffic cannot be mirrored.
  • Only ECS instances of the following types support the traffic mirroring feature: g7ne, g7a, g7, g7t, g6t, g6e, c7a, c7, c7t, c6t, c6e, r7a, r7, r7t, r6e, hfc7, hfg7, hfr7, gn7i, ebmc6a, ebmc6e, ebmg6a, ebmg6e, ebmr6a, ebmr6e, ebmhfg7, ebmhfc7, and ebmhfr7. For more information about ECS instance types, see Instance families.
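
Because mirrored packets arrive at the destination wrapped in VXLAN, an inspection tool has to strip the outer headers first and should flag inner packets that were cut short by the MTU limit described above. The following Python sketch is an added example, not Alibaba Cloud code: it parses the RFC 7348 header, compares the inner IPv4 total length with the bytes actually received, and derives the 50-byte figure from the outer IPv4, UDP, VXLAN and inner Ethernet headers. The function names, addresses and VNI are constructed, checksums are left at zero, and the use of the standard VXLAN UDP port 4789 is an assumption.

```python
import struct

VXLAN_PORT = 4789                 # IANA-assigned VXLAN UDP port (RFC 7348)
OVERHEAD_IPV4 = 20 + 8 + 8 + 14   # outer IPv4 + UDP + VXLAN + inner Ethernet = 50

def decap(frame: bytes):
    """Return (vni, inner_frame, truncated) for one outer Ethernet frame.
    truncated is None when the inner frame is not parseable IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("outer frame is not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 17:
        raise ValueError("outer packet is not IPv4/UDP")
    udp = 14 + ihl
    if len(frame) < udp + 16:
        raise ValueError("too short for UDP and VXLAN headers")
    if struct.unpack("!H", frame[udp + 2:udp + 4])[0] != VXLAN_PORT:
        raise ValueError("UDP destination port is not VXLAN")
    flags, vni_word = struct.unpack("!B3xI", frame[udp + 8:udp + 16])
    if not flags & 0x08:
        raise ValueError("VXLAN I flag not set, VNI is invalid")
    inner = frame[udp + 16:]
    truncated = None
    if len(inner) >= 34 and inner[12:14] == b"\x08\x00":
        total_len = struct.unpack("!H", inner[16:18])[0]
        truncated = len(inner) - 14 < total_len   # fewer bytes than the header claims
    return vni_word >> 8, inner, truncated

def max_inner_packet(mtu: int) -> int:
    """Largest inner IPv4 packet that fits in one VXLAN packet at this MTU."""
    return mtu - OVERHEAD_IPV4

def build_sample(payload_len: int, cut: int = 0, vni: int = 1234) -> bytes:
    """Constructed test frame: inner TCP/IPv4 packet, optionally cut short."""
    def ipv4(proto, body_len, src, dst):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0, 0, 64,
                           proto, 0, bytes(src), bytes(dst))
    inner = bytes(12) + b"\x08\x00" + ipv4(6, payload_len, [192, 168, 0, 10],
                                           [10, 0, 0, 20]) + bytes(payload_len)
    inner = inner[:len(inner) - cut]
    vxlan = struct.pack("!B3xI", 0x08, vni << 8)
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 16 + len(inner), 0)
    outer = ipv4(17, 16 + len(inner), [10, 0, 0, 1], [10, 0, 0, 2])
    return bytes(12) + b"\x08\x00" + outer + udp + vxlan + inner
```

A rising share of frames with `truncated` set to `True` at the destination indicates that the MTU recommendation has not been applied, and payload-based detections on those packets see incomplete data.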

Procedure

The following figure describes how to use the traffic mirroring feature.