Traffic mirroring is a feature that mirrors network traffic from an elastic network interface (ENI). Only network traffic that matches the traffic mirror rules is mirrored and then forwarded to a specified instance. This topic describes how to work with the traffic mirroring feature.

Background information

  • If this is the first time that you use traffic mirroring, log on to the Traffic Mirroring page and follow the instructions to enable the feature.
  • If the traffic mirror source and destination in the traffic mirror session belong to different virtual private clouds (VPCs), make sure that the VPCs can communicate with each other. For more information, see Connect VPCs.
  • If no traffic mirror rules are added to the filter, no traffic is mirrored.

Operations

Create a traffic mirror filter

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose Traffic Mirroring > Filters.
  3. In the top navigation bar, select the region where you want to create the filter.
  4. On the Filters page, click Create Filter.
  5. In the Information section, specify Name and Description for the filter.
  6. On the Inbound Rule and Outbound Rule tabs of the Rule Configuration section, click Create Rule to create inbound rules and outbound rules. Then, click OK. The following list describes the parameters that you must set when you create a rule.
    Protocol Type
      The transport layer protocol of the network traffic that you want to mirror from Elastic Compute Service (ECS) instances. Valid values:
      • ALL: all protocols.
      • ICMP: Internet Control Message Protocol (ICMP).
      • TCP: Transmission Control Protocol (TCP).
      • UDP: User Datagram Protocol (UDP).
    Source CIDR Block
      The source CIDR block of the traffic.
    Destination CIDR Block
      The destination CIDR block of the traffic.
    Source Port
      The source port range of the traffic. Valid values: 1 to 65535. Separate the first port and the last port with a forward slash (/), for example, 1/200 or 80/80. A value of -1/-1 indicates all ports; do not set the value to -1/-1.
    Destination Port
      The destination port range of the traffic. Valid values: 1 to 65535. Separate the first port and the last port with a forward slash (/), for example, 1/200 or 80/80. A value of -1/-1 indicates all ports; do not set the value to -1/-1.
    Priority
      The priority of the rule. A smaller value indicates a higher priority. You can create up to 10 rules.
    Policy
      The action to perform on the matching network traffic. Valid values:
      • Collect: collects the network traffic.
      • Do not Collect: drops the network traffic.
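The rule parameters above (protocol, CIDR blocks, first/last port syntax, priority, policy) are easy to misread when a filter holds several rules, so the following added example (not code from the page or from Alibaba Cloud) models how such a filter decides whether a packet is mirrored. It assumes first-match evaluation in priority order, which is the conventional reading of "a smaller value indicates a higher priority"; the rule set and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class MirrorRule:
    priority: int   # smaller value = higher priority
    protocol: str   # "ALL", "ICMP", "TCP" or "UDP"
    src_cidr: str
    dst_cidr: str
    src_port: str   # "first/last", e.g. "1/200" or "80/80"
    dst_port: str
    policy: str     # "Collect" or "Do not Collect"

def parse_port_range(spec: str) -> tuple:
    """Turn the console's first/last syntax into an inclusive (lo, hi) pair."""
    first, last = (int(p) for p in spec.split("/"))
    if (first, last) == (-1, -1):   # the page says not to use -1/-1
        raise ValueError("-1/-1 is not accepted; use 1/65535 for all ports")
    if not 1 <= first <= last <= 65535:
        raise ValueError(f"port range {spec!r} must lie within 1 to 65535")
    return first, last

def rule_matches(rule, proto, src_ip, dst_ip, src_port, dst_port) -> bool:
    if rule.protocol not in ("ALL", proto):
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.src_cidr, strict=False):
        return False
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(rule.dst_cidr, strict=False):
        return False
    if proto in ("TCP", "UDP"):   # ICMP carries no ports, so port ranges are skipped
        for spec, port in ((rule.src_port, src_port), (rule.dst_port, dst_port)):
            lo, hi = parse_port_range(spec)
            if not lo <= port <= hi:
                return False
    return True

def is_mirrored(rules, proto, src_ip, dst_ip, src_port=0, dst_port=0) -> bool:
    """First matching rule in priority order decides; no match means not mirrored."""
    if len(rules) > 10:
        raise ValueError("a filter can hold at most 10 rules")
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, proto, src_ip, dst_ip, src_port, dst_port):
            return rule.policy == "Collect"
    return False
# Constructed sample inbound rules: skip SSH to the subnet, collect web and ICMP.
INBOUND_RULES = [
    MirrorRule(1, "TCP", "0.0.0.0/0", "10.0.0.0/24", "1/65535", "22/22", "Do not Collect"),
    MirrorRule(2, "TCP", "0.0.0.0/0", "10.0.0.0/24", "1/65535", "80/443", "Collect"),
    MirrorRule(3, "ICMP", "0.0.0.0/0", "10.0.0.0/24", "1/65535", "1/65535", "Collect"),
]
```

Because the first match wins, the "Do not Collect" rule for port 22 at priority 1 keeps SSH sessions out of the mirror even though the priority 2 rule would otherwise never see them; swapping the two priorities would not change the result here, but a broader "Collect" rule placed above a narrower "Do not Collect" rule would silently mirror what you meant to exclude.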

Create a traffic mirror session

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose Traffic Mirroring > Traffic Mirror Session.
  3. In the top navigation bar, select the region where you want to create the traffic mirror session.
  4. On the Traffic Mirror Session page, click Create Traffic Mirror Session.
  5. On the Create Traffic Mirror Session page, set the parameters and click Next.
    Name
      Enter a name for the traffic mirror session. The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.
    Description
      Enter a description for the traffic mirror session. The description must be 2 to 256 characters in length, and cannot start with http:// or https://.
    Specify a VNI
      The VXLAN Network Identifier (VNI) of the mirrored traffic. Valid values: 0 to 16777215. You can specify a distinct VNI for each session so that the traffic mirror destination can identify which session the mirrored traffic came from. If you do not specify a VNI, the system randomly allocates one.
    Priority
      The priority of the traffic mirror session. Valid values: 1 to 255. A smaller value indicates a higher priority. Traffic mirror sessions created in the same region with the same Alibaba Cloud account cannot have the same priority.

  6. Select Associate Filter and click Next.
  7. In the Select Traffic Mirror Source section, select the ENI from which you want to mirror the traffic and click Next.
  8. Select the type of traffic mirror destination: click ENI or SLB.
  9. In the Select Instance section, select an ENI or a Server Load Balancer (SLB) instance and then click Next.
    • An ENI cannot function as a traffic mirror source and a traffic mirror destination at the same time.
    • When an SLB instance functions as a traffic mirror destination, the Listen by Port Range feature must be enabled. To enable this feature, submit a ticket.
  10. Click Submit.
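The VNI chosen in step 5 is what lets a collector on the destination tell the sessions apart. The added example below (not code from the page or from Alibaba Cloud) assumes that mirrored traffic reaches the destination as standard VXLAN (RFC 7348) on UDP port 4789, which the page's use of a VXLAN Network Identifier implies but does not spell out; the session table, VNIs and inner frame are constructed.

```python
VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN port (RFC 7348) where mirrored traffic arrives
VNI_MAX = 16777215      # 24-bit VNI, the same 0 to 16777215 range the console accepts
VXLAN_I_FLAG = 0x08     # "I" flag: set when the VNI field in the header is valid

def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte RFC 7348 VXLAN header: flags, 3 reserved, 3-byte VNI, 1 reserved."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} is outside 0 to {VNI_MAX}")
    header = bytes([VXLAN_I_FLAG, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    return header + inner_frame

def parse_vxlan(payload: bytes) -> tuple:
    """Return (vni, inner_frame) from the UDP payload of a VXLAN packet."""
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    if not payload[0] & VXLAN_I_FLAG:
        raise ValueError("VXLAN I flag not set; VNI field is not valid")
    vni = int.from_bytes(payload[4:7], "big")
    return vni, payload[8:]

def classify(payload: bytes, sessions: dict) -> tuple:
    """Map one mirrored packet to the session label registered for its VNI."""
    vni, inner = parse_vxlan(payload)
    return sessions.get(vni, "unknown"), vni, inner

def count_by_session(payloads, sessions: dict) -> dict:
    """Tally mirrored packets per session; an 'unknown' bucket flags VNIs nobody registered."""
    counts = {}
    for payload in payloads:
        label = classify(payload, sessions)[0]
        counts[label] = counts.get(label, 0) + 1
    return counts

# Constructed session table: the VNI you set per session in the console -> a label.
SESSIONS = {100: "web-eni-session", 200: "db-eni-session"}

# Constructed inner Ethernet frame fragment (not a real capture), just bytes to carry through.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff00163e000001080045")
```

An "unknown" count that is not zero means the destination is receiving VXLAN traffic with a VNI you never assigned, which is worth checking against the session list in the console.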

Enable a traffic mirror session

By default, a traffic mirror session is disabled after it is created. To mirror network traffic, you must first enable the traffic mirror session.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose Traffic Mirroring > Traffic Mirror Session.
  3. In the top navigation bar, select the region where the traffic mirror session is created.
  4. On the Traffic Mirror Session page, find the traffic mirror session that you want to enable and click Start in the Actions column.

Disable a traffic mirror session

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose Traffic Mirroring > Traffic Mirror Session.
  3. In the top navigation bar, select the region where the traffic mirror session is created.
  4. On the Traffic Mirror Session page, find the traffic mirror session that you want to disable and click Stop in the Actions column.
  5. In the message that appears, click OK.

Delete and add a traffic mirror source

If you want to change the ENI from which network traffic is mirrored, delete the original traffic mirror source and create a new one.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose Traffic Mirroring > Traffic Mirror Session.
  3. In the top navigation bar, select the region where the traffic mirror session is created.
  4. On the Traffic Mirror Session page, find the traffic mirror session from which you want to delete the traffic mirror source and click the ID of the session.
  5. In the Traffic Mirror Source section, click Delete in the Actions column.
  6. In the message that appears, click OK.
  7. In the Traffic Mirror Source section, click Add Traffic Mirror Source.
  8. In the Add Traffic Mirror Source dialog box, select the ENI that you want to add as a traffic mirror source and click OK.

Delete a traffic mirror session

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose Traffic Mirroring > Traffic Mirror Session.
  3. In the top navigation bar, select the region where the traffic mirror session is created.
  4. On the Traffic Mirror Session page, find the traffic mirror session that you want to delete and click Delete in the Actions column.
  5. In the message that appears, click OK.

Delete a filter

  1. Log on to the VPC console.
  2. In the top navigation bar, select the region where the filter is created.
  3. On the Filters page, find the filter that you want to delete and click Delete in the Actions column.
  4. In the message that appears, click OK.