Virtual Private Cloud (VPC) supports the traffic mirroring feature. You can use this feature to mirror network traffic that flows through an Elastic Network Interface (ENI) based on specified filters. The traffic mirroring feature allows you to mirror network traffic from an Elastic Compute Service (ECS) instance that is deployed in a VPC and send the traffic to a specified ENI or internal-facing Server Load Balancer (SLB) instance. You can use this feature in scenarios such as content inspection, threat monitoring, and troubleshooting.

Traffic mirroring

Regions that support traffic mirroring

The following table describes the regions that support traffic mirroring.
Area Region
Europe and Americas US (Silicon Valley), US (Virginia), and UK (London)
Asia Pacific Australia (Sydney)

Concepts

  • Filter: contains inbound and outbound rules. Filters are used to control the network traffic in traffic mirror sessions.
  • Traffic mirror source: an ENI from which you want to mirror network traffic.
  • Traffic mirror destination: an ENI or an internal-facing SLB instance that is used to receive mirrored network traffic.
  • Traffic mirror session: mirrors network traffic from a traffic mirror source to a traffic mirror destination based on specified filters.

Filters

You can specify inbound and outbound rules in filters. When you create a traffic mirror session, you can associate the session with a filter. After the traffic mirror session is created and enabled, all network traffic that matches the filter is mirrored. Five parameters are used to specify the inbound and outbound rules in filters: source CIDR block, source port, destination CIDR block, destination port, and protocol.

For example, you can set the parameters to the following values for an inbound rule: source CIDR block to 192.168.0.0/16, source port to 10000, destination CIDR block to 10.0.0.0/8, destination port to 80, and protocol to TCP. After the configuration is complete, the traffic mirror session mirrors the network traffic that is transmitted to the specified ECS instance based on the specified information.

Scenarios

Security: Intrusion detection

You can use self-developed or third-party software to inspect mirrored traffic. This ensures that all security vulnerabilities and intrusion activities are detected. The traffic mirroring feature accelerates the detection process and allows you to respond to attacks at the earliest opportunity.

Auditing: Finance or government

In the finance industry or scenarios that require high-level compliance, network traffic must be audited. You can use the traffic mirroring feature to mirror network traffic from an instance to an auditing platform where you can audit the compliance of the traffic.

Network O&M: Troubleshooting

O&M engineers can use the traffic mirroring feature to troubleshoot network problems in scenarios such as TCP retransmission by querying mirrored traffic. They do not need to retrieve packets from a virtual machine (VM).

Billing

When you use the traffic mirroring feature, Alibaba Cloud charges you an instance fee and a data transfer fee.
  • Instance fees
    You are charged an instance fee for each ENI that has traffic mirroring enabled.
    • After you enable traffic mirroring for an ENI, you are charged for each hour or partial hour that you use the ENI. If you use the ENI for less than one hour, the usage duration is rounded up to one hour. The unit price of the traffic mirroring feature is USD 0.014 per hour for each ENI.
    • After you disable traffic mirroring for an ENI, the billing stops.
    For example, traffic mirroring is enabled for five ENIs that are deployed in a VPC in Silicon Valley Zone B. The traffic mirror sessions have been active 24 hours per day for 30 days. Instance fee = 5 × 30 × 24 × 0.014 = USD 50.4.
  • Data transfer fees

    You are charged for the mirrored data transfer during traffic mirror sessions. Unit: GB. Unit price: USD 0.007 per GB. You are not charged a data transfer fee before December 30, 2022.

    For example, a traffic mirror session has been active for one hour in Silicon Valley Zone B and 10 GB of data is mirrored. Data transfer fee = 10 × 0.007 = USD 0.07.

Overdue payments
  • The traffic mirror feature continues providing services within 15 days after the bill becomes overdue.
  • If the overdue payment is not settled, the traffic mirroring feature is suspended on the fifteenth day. After the traffic mirroring feature is suspended, you cannot manage the feature. The active traffic mirror sessions also stop running.
  • If you do not pay the outstanding amount within 15 days after the traffic mirroring feature is suspended, the traffic mirror sessions are automatically deleted. You will be notified by an email one day before the traffic mirror sessions are deleted. After the traffic mirroring sessions are deleted, the configurations and data of the traffic mirroring sessions are deleted and cannot be recovered.

Limits

The following table describes the resource quotas of traffic mirroring.

Item Limit Adjustable
The number of traffic mirror sessions supported by each region within each account 20000 N/A
The number of traffic mirror sessions supported by each traffic mirror source 1
The number of traffic mirror sources that can be specified in each traffic mirror session 1
The number of traffic mirror destinations that can be specified by each account Unlimited
The number of traffic mirror sessions supported by each traffic mirror destination
  • 200 (if the traffic mirror destination is an internal-facing SLB instance)
  • 10 (if the traffic mirror destination is an ENI)
The number of rules that can be specified in each filter 10
The number of traffic mirror sessions that can be associated with each filter 1000
The traffic mirroring feature has the following limits:
  • The standard Virtual Extensible LAN (VXLAN) protocol is used in traffic mirroring sessions to encapsulate packets. For more information about the VXLAN protocol, see RFC 7348. If the packet to be mirrored or the VXLAN packet exceeds the maximum transmission unit (MTU) of the internal ENI of the specified ECS instance, the packet will be truncated. To avoid truncation, we recommend that you set the MTU of the internal ENI to a value that meets the following requirements: The value must be at least 50 bytes less than the MTU of the traffic mirror source and the traffic mirror destination if you use IPv4 addresses. For more information, see Set the MTU size of an NIC.
  • You do not need to provide additional bandwidth for traffic mirror sessions. Traffic mirror sessions share the bandwidth of the associated instances. The bandwidth is not affected.
  • Security groups and network access control lists (ACLs) do not affect network traffic when the traffic is copied on a traffic mirror source. However, when the copied network traffic is mirrored to the traffic mirror destination, the traffic is affected by security groups and network ACLs.
  • Each packet that is sent from a traffic mirror source can be mirrored only once and to only one traffic mirror destination.
  • You cannot specify an ENI as both the traffic mirror source and the traffic mirror destination.
  • The system does not mirror dropped Address Resolution Protocol (ARP) packets, Dynamic Host Configuration Protocol (DHCP) packets, Log Service packets, or packets that are dropped by security groups or network ACLs.
  • IPv6 traffic cannot be mirrored.
  • Only ECS instances that belong to the following instance families support traffic mirroring:
    • hfg7, general-purpose instance family with high clock speed
    • hfr7, in-memory instance family with high clock speed
    • hfc7, compute-optimized instance family with high clock speed
    • g6e, general-purpose instance family with enhanced performance
    • g7ne, network-enhanced instance family

Procedure

The following figure describes how to use the traffic mirroring feature. Security group workflow