Traffic mirroring is a feature that mirrors network traffic from an elastic network interface (ENI). Only network traffic that matches the traffic mirror rules is mirrored and then forwarded to a specified instance. This topic describes how to work with the traffic mirroring feature.

Background information

If a filter does not contain rules, no traffic is mirrored.

Prerequisites

  • If this is the first time that you use traffic mirroring, navigate to the Traffic Mirroring page and follow the instructions to enable the feature.
  • If the traffic mirror source and destination in the traffic mirror session belong to different virtual private clouds (VPCs), make sure that the VPCs can communicate with each other. For more information, see Connect VPCs.

Operations

Create a traffic mirror filter

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose O&M and Monitoring > Traffic Mirroring > Filter.
  3. In the top navigation bar, select the region where you want to create the filter.
  4. On the Filter page, click Create Filter.
  5. In the Information section, specify Name and Description for the filter.
  6. On the Inbound Rules and Outbound Rules tabs of the Rule Configuration section, click Create Rule to create inbound rules and outbound rules. Then, click OK. The following table describes the parameters that you must set when you create the rules.
    Protocol Type: Specify the transport layer protocol of the network traffic that you want to mirror from Elastic Compute Service (ECS) instances. Valid values:
      • ALL: all protocols
      • ICMP: Internet Control Message Protocol (ICMP)
      • TCP: Transmission Control Protocol (TCP)
      • UDP: User Datagram Protocol (UDP)
    Source CIDR Block: Specify the source CIDR block of the traffic.
    Destination CIDR Block: Specify the destination CIDR block of the traffic.
    Source Port: Enter the source port range of the traffic. Valid values: 1 to 65535. Separate the first port and the last port with a forward slash (/), for example, 1/200 or 80/80. A value of -1/-1 specifies all ports.
    Destination Port: Enter the destination port range of the traffic. Valid values: 1 to 65535. Separate the first port and the last port with a forward slash (/), for example, 1/200 or 80/80. A value of -1/-1 specifies all ports.
    Priority: Specify the priority of the rule. Valid values: 1 to 16777216. A smaller value indicates a higher priority. You can create up to 10 rules. The priority of each inbound or outbound rule that belongs to the same filter must be unique.
    Policy: Specify the action that you want to perform on the network traffic. Valid values:
      • Collect: collects the network traffic.
      • Do Not Collect: does not collect the network traffic.
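The following is an added example, not code from the VPC console or the product, that models how the rule parameters above decide whether a packet is mirrored: protocol, CIDR and first/last port matching (with -1/-1 for all ports), the 10-rule and unique-priority limits, and the rule that an empty filter mirrors nothing. It assumes first-match semantics in ascending priority value, which the page implies but does not state; the rule set and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
@dataclass(frozen=True)
class Rule:
    priority: int   # 1 to 16777216; a smaller value is a higher priority
    protocol: str   # ALL, ICMP, TCP or UDP
    src_cidr: str
    dst_cidr: str
    src_ports: str  # "first/last", e.g. "80/80"; "-1/-1" means all ports
    dst_ports: str
    policy: str     # "Collect" or "Do Not Collect"

def validate_rules(rules):
    """Stated limits per direction: at most 10 rules, unique in-range priorities."""
    if len(rules) > 10:
        raise ValueError("a filter direction holds at most 10 rules")
    seen = set()
    for r in rules:
        if not 1 <= r.priority <= 16777216 or r.priority in seen:
            raise ValueError(f"invalid or duplicate priority {r.priority}")
        seen.add(r.priority)
    return sorted(rules, key=lambda r: r.priority)

def port_matches(spec, port):
    """Match a port against the console's first/last syntax; -1/-1 is any port."""
    first, last = (int(p) for p in spec.split("/"))
    if (first, last) == (-1, -1):
        return True
    if not 1 <= first <= last <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return port is not None and first <= port <= last

def is_collected(rules, proto, src_ip, dst_ip, src_port=None, dst_port=None):
    """Walk rules by ascending priority value; the first match decides (assumed
    first-match semantics). With no rules, or no match, nothing is mirrored."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in validate_rules(rules):
        if (r.protocol in ("ALL", proto)
                and src in ipaddress.ip_network(r.src_cidr)
                and dst in ipaddress.ip_network(r.dst_cidr)
                and port_matches(r.src_ports, src_port)
                and port_matches(r.dst_ports, dst_port)):
            return r.policy == "Collect"
    return False

# Constructed rule set: skip the monitoring subnet's probes, then collect TCP/80 to the web subnet.
INBOUND = [
    Rule(20, "TCP", "0.0.0.0/0", "192.168.10.0/24", "-1/-1", "80/80", "Collect"),
    Rule(10, "ALL", "10.0.0.0/24", "192.168.10.0/24", "-1/-1", "-1/-1", "Do Not Collect"),
]
```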

Create a traffic mirror session

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose O&M and Monitoring > Traffic Mirroring > Traffic Mirror Session.
  3. In the top navigation bar, select the region where the traffic mirror session is created.
  4. On the Traffic Mirror Session page, click Create Traffic Mirror Session.
  5. On the Create Traffic Mirror Session page, set the parameters and click Next.
    Name: Enter a name for the traffic mirror session. The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.
    Description: Enter a description for the traffic mirror session. The description must be 2 to 256 characters in length. It cannot start with http:// or https://.
    VNI: Specify the VXLAN Network Identifier (VNI) of the mirrored traffic. Valid values: 0 to 16777215. You can use VNIs to identify mirrored traffic from different sessions at the traffic mirror destination. If you do not specify a VNI, the system randomly allocates a VNI.
    Priority: Specify the priority of the traffic mirror session. Valid values: 1 to 32766. A smaller value indicates a higher priority. You cannot specify the same priority for traffic mirror sessions that are created in the same region with the same Alibaba Cloud account.

  6. Select Associate Filter and click Next.
  7. In the Select Traffic Mirror Source section, select the ENI from which you want to mirror traffic and click Next.
  8. Select the type of traffic mirror destination: click ENI or SLB.
  9. In the Select Instance section, select an ENI or a Server Load Balancer (SLB) instance, and then click Next.
    • An ENI cannot function as a traffic mirror source and a traffic mirror destination at the same time.
    • When an SLB instance is specified as a traffic mirror destination, the Listen by Port Range feature must be enabled. To enable this feature, submit a ticket.
  10. Click Submit.
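The VNI parameter in the session procedure above exists so that a destination receiving traffic from several sessions can tell them apart. The following is an added example, not code from the product, that does that demultiplexing; it assumes (the page does not state the encapsulation) that mirrored packets arrive as standard VXLAN per RFC 7348 over UDP, and the session-to-VNI mapping and frames are constructed.

```python
# Assumption (not stated on the page): mirrored packets reach the destination as
# standard VXLAN (RFC 7348) over UDP: an 8-byte header carrying a 24-bit VNI.
VNI_MAX = 16777215  # the console's valid VNI range is 0 to 16777215

# Constructed mapping from the VNI set on each session to a label for that session.
SESSIONS = {100: "web-tier", 200: "db-tier"}

def build_vxlan(vni, inner_frame):
    """Encapsulate an inner Ethernet frame; used here to build sample input."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI must be 0 to 16777215")
    # Flags byte with the I bit (0x08) set, 3 reserved bytes, 3-byte VNI, 1 reserved byte.
    return bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00" + inner_frame

def parse_vxlan(datagram):
    """Return (vni, inner_frame) from a UDP payload; reject malformed headers."""
    if len(datagram) < 8:
        raise ValueError("too short for a VXLAN header")
    if not datagram[0] & 0x08:
        raise ValueError("VXLAN I flag not set; the VNI field is not valid")
    vni = int.from_bytes(datagram[4:7], "big")
    return vni, datagram[8:]

def session_for(datagram):
    """Attribute a mirrored packet to the session whose VNI it carries."""
    vni, inner = parse_vxlan(datagram)
    return SESSIONS.get(vni, "unknown"), vni, inner

def demux(datagrams):
    """Count received packets per session label; unknown VNIs are flagged
    so that an unexpected session can be noticed rather than silently merged."""
    counts = {}
    for d in datagrams:
        label, _, _ = session_for(d)
        counts[label] = counts.get(label, 0) + 1
    return counts
```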

Enable a traffic mirror session

By default, a traffic mirror session is disabled after it is created. To mirror network traffic, you must first enable the traffic mirror session.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose O&M and Monitoring > Traffic Mirroring > Traffic Mirror Session.
  3. In the top navigation bar, select the region where the traffic mirror session is created.
  4. On the Traffic Mirror Session page, find the traffic mirror session that you want to enable and click Start in the Actions column.

Disable a traffic mirror session

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose O&M and Monitoring > Traffic Mirroring > Traffic Mirror Session.
  3. In the top navigation bar, select the region where the traffic mirror session is created.
  4. On the Traffic Mirror Session page, find the traffic mirror session that you want to disable and click Stop in the Actions column.
  5. In the message that appears, click OK.

Delete and add a traffic mirror source

If you want to change the ENI from which network traffic is mirrored, delete the original traffic mirror source and create a new one.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose O&M and Monitoring > Traffic Mirroring > Traffic Mirror Session.
  3. In the top navigation bar, select the region where the traffic mirror session is created.
  4. On the Traffic Mirror Session page, find the traffic mirror session from which you want to delete the traffic mirror source and click the ID of the session.
  5. In the Traffic Mirror Sources section, click Delete in the Actions column.
  6. In the message that appears, click OK.
  7. In the Traffic Mirror Sources section, click Add Traffic Mirror Sources.
  8. In the Add Traffic Mirror Sources dialog box, select the ENI that you want to add as a traffic mirror source and click OK.

Delete a traffic mirror session

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose O&M and Monitoring > Traffic Mirroring > Traffic Mirror Session.
  3. In the top navigation bar, select the region where the traffic mirror session is created.
  4. On the Traffic Mirror Session page, find the traffic mirror session that you want to delete and click Delete in the Actions column.
  5. In the message that appears, click OK.

Delete a filter

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose O&M and Monitoring > Traffic Mirroring > Filter.
  3. In the top navigation bar, select the region where the filter is created.
  4. On the Filter page, find the filter that you want to delete and click Delete in the Actions column.
  5. In the message that appears, click OK.