Virtual Private Cloud (VPC) supports the traffic mirroring feature. You can use this feature to mirror network traffic that flows through an elastic network interface (ENI) based on specified filters. You can use traffic mirroring to mirror network traffic from an Elastic Compute Service (ECS) instance in a VPC and forward the traffic to a specified ENI or an internal-facing Classic Load Balancer (CLB) instance. You can use this feature in scenarios such as content inspection, threat monitoring, and troubleshooting.
Supported regions
Area | Region |
Asia Pacific | China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), South Korea (Seoul), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Thailand (Bangkok), and Philippines (Manila) |
Europe & Americas | Germany (Frankfurt), US (Silicon Valley), US (Virginia), and UK (London) |
Terms
Filter: contains inbound and outbound rules. Filters are used to control the network traffic in traffic mirror sessions.
Inbound traffic: traffic received by an ENI.
Outbound traffic: traffic sent from an ENI.
Traffic mirror source: an ENI from which you want to mirror network traffic.
Traffic mirror destination: an ENI or an internal-facing CLB instance that is used to receive mirrored network traffic.
Traffic mirror session: mirrors network traffic from a traffic mirror source to a traffic mirror destination based on specified filters.
Filters
You can specify inbound and outbound rules in filters. When you create a traffic mirror session, you can associate the session with a filter. After the traffic mirror session is created and enabled, all network traffic that matches the filter is mirrored. Five parameters are used to specify the inbound and outbound rules in filters: source CIDR block, source port, destination CIDR block, destination port, and protocol.
For example, you can set the parameters to the following values for an inbound rule: source CIDR block to 192.168.0.0/16, source port to 10000, destination CIDR block to 10.0.0.0/8, destination port to 80, and protocol to TCP. After the preceding configuration is completed, the traffic mirror session mirrors the network traffic that is transmitted to the specified ECS instance based on the specified filter conditions.
Scenarios
Security: Intrusion detection
You can use self-developed or third-party software to monitor mirrored traffic. This ensures that all security vulnerabilities and intrusion activities are detected. The traffic mirroring feature accelerates the detection process and allows you to respond to attacks at the earliest opportunity.
Auditing: Finance or public service sectors
In the finance industry or scenarios that require high-level compliance, network traffic must be audited. You can use the traffic mirroring feature to mirror network traffic to an auditing platform on which you can audit the compliance of the traffic.
Network O&M: Troubleshooting
O&M engineers can use the traffic mirroring feature to troubleshoot network issues. For example, they can query mirrored traffic to analyze TCP retransmission issues without the need to retrieve packets from a virtual machine (VM).
Billing and pricing
Billing overview
Total fee = Instance fee + Data mirroring fee
Instance fee = Number of ENIs that have traffic mirror sessions enabled × Active session hours × Unit price (USD/ENI/hour)
After an ENI has traffic mirror sessions enabled, you are charged on an hourly basis. If the usage duration is less than 1 hour, it is rounded up to 1 hour. After you disable traffic mirror sessions for an ENI, the billing stops.
Data mirroring fee = Total amount of mirrored data (GB) × Unit price (USD/GB)
The following table describes the unit prices of the billable items:
Item | Unit price |
Instance Fee | 0.014 (USD/ENI/hour) |
Traffic mirroring fee | 0.007 (USD/GB) |
You are not charged a data mirroring fee before March 30, 2024.
For example, traffic mirror sessions are enabled for five ENIs that are deployed in a VPC in Silicon Valley Zone B. The traffic mirror sessions have been active 24 hours per day for 30 days, and the size of the data transfer plan is 20 GB. In this case, the fees are calculated by using the following formulas:
Instance fee = 5 × 30 × 24 × 0.014 = USD 50.4
Traffic mirroring fee = 20 × 0.007 = USD 0.14
Total fee = 50.4 + 0.14 = USD 50.54
Limits
Limits on quotas
Item | Limit | Adjustable |
Maximum number of traffic mirror sources that can be specified in each traffic mirror session | 10 | You can request a quota increase by using one of the following methods:
|
Maximum number of traffic mirror sessions that you can create in each region with each Alibaba Cloud account | 20,000 | N/A |
Maximum number of traffic mirror sessions supported by each traffic mirror source | 3 | |
Maximum number of traffic mirror destinations that can be specified by each Alibaba Cloud account | Unlimited | |
Maximum number of traffic mirror sources that can use each traffic mirror destination |
| |
Maximum number of rules that can be specified in each filter | 10 | |
Maximum number of traffic mirror sessions that can be associated with each filter | 2,000 | |
ECS instance families that do not support traffic mirroring | ecs.c1, ecs.c2, ecs.c4, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.c1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.se1ne, ecs.se1nec, ecs.sn1, ecs.sn1ne, ecs.sn1nec, ecs.sn2, ecs.sn2ne, ecs.sn2nec, ecs.t1, and ecs.xn4 | N/A |
Limits on use
You can create traffic mirror sources and destinations in one VPC or different VPCs within the same Alibaba Cloud account and the same region. You can create traffic mirror sources and destinations in different regions or by using different Alibaba Cloud accounts.
The standard Virtual Extensible LAN (VXLAN) protocol is used in traffic mirror sessions to encapsulate packets. For more information about the VXLAN protocol, see RFC 7348. If the total size of a mirrored packet and its VXLAN packet exceeds the maximum transmission unit (MTU) of the source ENI, the packet is truncated. To prevent packet truncation in IPv4 scenarios, we recommend that you set the MTU of the ENI to a value that is at least 50 bytes smaller than the MTU supported by the connection.
You do not need to allocate additional bandwidth for traffic mirror sessions. Traffic mirror sessions share the bandwidth of the associated instances and the bandwidth usage is not capped.
Each packet from a traffic mirror source can be mirrored only once and sent to only one traffic mirror destination.
When packets are mirrored from a traffic mirror source, they are not limited by security groups or network access control lists (ACLs). However, security groups and network ACLs impose limits on packets when the packets are mirrored to a traffic mirror destination. Therefore, you must set the following security group rules and network ACL rules for the traffic mirror destination:
Security group rules: You must set an inbound rule that allows the IP address of the ENI of the traffic mirror source to access UDP packets whose destination port is 4789. For more information about how to configure security group rules, see Create a security group.
Network ACL rules: You must set an inbound rule that allows UDP packets from all source ports and the IP address of the ENI that serves as the traffic mirror source. For more information about how to configure a network ACL, see Work with a network ACL.
An ENI cannot serve as both a traffic mirror source and a traffic mirror destination.
The system does not mirror Address Resolution Protocol (ARP) packets, Dynamic Host Configuration Protocol (DHCP) packets, flow log packets, or packets that are dropped by security groups or network ACLs.
You cannot use traffic mirroring to mirror IPv6 traffic.
Procedure overview
For more information, see Create and manage traffic mirror sources.