
Virtual Private Cloud:Work with traffic mirroring

Last Updated: Mar 13, 2024

Traffic mirroring is a feature that mirrors network traffic from an elastic network interface (ENI). Only network traffic that matches specific filters is mirrored and then forwarded to a specified instance. This topic describes how to use the traffic mirroring feature.

For an introduction to traffic mirroring and its limits, see Overview of traffic mirroring.

Prerequisites

  • If you use the traffic mirroring feature for the first time, log on to the Traffic Mirroring page to enable the traffic mirroring feature.

  • You can create traffic mirror sources and destinations in one VPC or in different VPCs within the same Alibaba Cloud account and the same region. You cannot create traffic mirror sources and destinations in different regions or by using different Alibaba Cloud accounts.

    If the traffic mirror source and traffic mirror destination in a traffic mirror session belong to different virtual private clouds (VPCs), make sure that the VPCs can communicate with each other. For more information, see Connect VPCs.

Create a filter

If a filter does not contain rules, no traffic is mirrored.

  1. Log on to the VPC console.

  2. In the left-side navigation pane, choose O&M and Monitoring > Traffic Mirroring > Filter.

  3. In the top navigation bar, select the region where you want to create a filter.

  4. On the Filter page, click Create Filter.

  5. On the Create Filter page, specify Name, Description, Resource Group, Tag Key, and Tag Value in the Basic Information section.

  6. On the Inbound Rules or Outbound Rules tab in the Rule Configuration section, click Create Rule. Set the following parameters and click OK. For more information about inbound and outbound rules, see Filters.

    Protocol Type: the protocol of the network traffic that you want to mirror from Elastic Compute Service (ECS) instances. Valid values: ALL, ICMP, TCP, and UDP.

    Source CIDR Block: the source CIDR block of the traffic.

    Destination CIDR Block: the destination CIDR block of the traffic.

    Source Port: the source port range of the traffic. Valid values: 0 to 65535. Separate the first port and the last port with a forward slash (/), for example, 1/200 or 80/80. The value -1/-1 matches any port. If you set Protocol Type to ALL or ICMP, the default value is -1/-1.

    Destination Port: the destination port range of the traffic. Valid values: 0 to 65535. Separate the first port and the last port with a forward slash (/), for example, 1/200 or 80/80. The value -1/-1 matches any port. If you set Protocol Type to ALL or ICMP, the default value is -1/-1.

    Priority: the priority of the rule. Valid values: 1 to 16777216. A smaller value indicates a higher priority. You can create at most 10 rules. The priority of each inbound or outbound rule in the same filter must be unique.

    Policy: the action to perform on network traffic that matches the rule. Valid values: Collect (collects the network traffic) and Do not Collect (does not collect the network traffic).

  7. Click Save.
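As an added illustration of the rule constraints above (this is example code, not part of the page and not Alibaba Cloud's implementation), the following Python model validates one direction of a filter and evaluates whether a packet would be collected. The evaluation order is an assumption: rules are tried from the smallest priority value upward, the first match decides, and a packet that matches no rule is not mirrored, which is consistent with a filter without rules mirroring nothing. The rule set at the bottom is constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constraints taken from the Create Filter parameters on this page.
PROTOCOLS = {"ALL", "ICMP", "TCP", "UDP"}
MAX_RULES_PER_DIRECTION = 10
PRIORITY_MIN, PRIORITY_MAX = 1, 16777216
ANY_PORT = "-1/-1"


def parse_port_range(text: str) -> tuple[int, int]:
    """Parse the console's 'first/last' form ('1/200', '80/80'); '-1/-1' means no port restriction."""
    if text == ANY_PORT:
        return (0, 65535)
    first, sep, last = text.partition("/")
    if sep != "/" or not first.isdigit() or not last.isdigit():
        raise ValueError(f"expected 'first/last' or '-1/-1', got {text!r}")
    lo, hi = int(first), int(last)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"ports must be within 0 to 65535 and first <= last, got {text!r}")
    return (lo, hi)


@dataclass(frozen=True)
class Rule:
    priority: int            # 1 to 16777216, unique per direction, smaller wins
    protocol: str            # ALL, ICMP, TCP or UDP
    src_cidr: str
    dst_cidr: str
    src_ports: str = ANY_PORT
    dst_ports: str = ANY_PORT
    collect: bool = True     # Policy: True = Collect, False = Do not Collect


def validate_rules(rules: list[Rule]) -> list[str]:
    """Return every constraint violation for one direction (inbound or outbound) of a filter."""
    problems: list[str] = []
    if len(rules) > MAX_RULES_PER_DIRECTION:
        problems.append(f"at most {MAX_RULES_PER_DIRECTION} rules allowed, got {len(rules)}")
    seen: set[int] = set()
    for r in rules:
        tag = f"rule with priority {r.priority}"
        if r.protocol not in PROTOCOLS:
            problems.append(f"{tag}: unknown protocol {r.protocol!r}")
        if not PRIORITY_MIN <= r.priority <= PRIORITY_MAX:
            problems.append(f"{tag}: priority must be {PRIORITY_MIN} to {PRIORITY_MAX}")
        if r.priority in seen:
            problems.append(f"{tag}: priority is not unique")
        seen.add(r.priority)
        for label, text in (("source port", r.src_ports), ("destination port", r.dst_ports)):
            try:
                parse_port_range(text)
            except ValueError as exc:
                problems.append(f"{tag}: {label}: {exc}")
        for label, cidr in (("source CIDR", r.src_cidr), ("destination CIDR", r.dst_cidr)):
            try:
                ip_network(cidr, strict=False)
            except ValueError:
                problems.append(f"{tag}: {label}: {cidr!r} is not a CIDR block")
    return problems


def rule_matches(r: Rule, proto: str, src: str, dst: str, sport: int, dport: int) -> bool:
    """True if the packet's 5-tuple falls inside the rule. Port ranges only apply to TCP and UDP."""
    if r.protocol != "ALL" and r.protocol != proto:
        return False
    if ip_address(src) not in ip_network(r.src_cidr, strict=False):
        return False
    if ip_address(dst) not in ip_network(r.dst_cidr, strict=False):
        return False
    if proto in ("TCP", "UDP"):
        lo, hi = parse_port_range(r.src_ports)
        if not lo <= sport <= hi:
            return False
        lo, hi = parse_port_range(r.dst_ports)
        if not lo <= dport <= hi:
            return False
    return True


def is_mirrored(rules: list[Rule], proto: str, src: str, dst: str, sport: int = 0, dport: int = 0) -> bool:
    """Assumed evaluation: smallest priority value first, first match decides, no match means not mirrored."""
    for r in sorted(rules, key=lambda rule: rule.priority):
        if rule_matches(r, proto, src, dst, sport, dport):
            return r.collect
    return False


# Constructed inbound rule set: mirror HTTPS from 10.0.0.0/8 except the 10.0.1.0/24 subnet, plus all ICMP.
SAMPLE_INBOUND_RULES = [
    Rule(priority=10, protocol="TCP", src_cidr="10.0.0.0/8", dst_cidr="0.0.0.0/0", dst_ports="443/443"),
    Rule(priority=5, protocol="TCP", src_cidr="10.0.1.0/24", dst_cidr="0.0.0.0/0", dst_ports="443/443",
         collect=False),
    Rule(priority=20, protocol="ICMP", src_cidr="0.0.0.0/0", dst_cidr="0.0.0.0/0"),
]

if __name__ == "__main__":
    print("violations:", validate_rules(SAMPLE_INBOUND_RULES))
    print(is_mirrored(SAMPLE_INBOUND_RULES, "TCP", "10.0.2.7", "203.0.113.5", 51000, 443))  # True
    print(is_mirrored(SAMPLE_INBOUND_RULES, "TCP", "10.0.1.7", "203.0.113.5", 51000, 443))  # False
```

The "Do not Collect" rule with the smaller priority value is what carves the exception out of the broader "Collect" rule; because priorities must be unique per direction, the outcome is deterministic, and the validator flags the duplicate-priority and malformed-port cases before they reach the console.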

Create a traffic mirror session

  1. Log on to the VPC console.

  2. In the left-side navigation pane, choose O&M and Monitoring > Traffic Mirroring > Traffic Mirror Session.

  3. In the top navigation bar, select the region where you want to create the traffic mirror session.

  4. On the Traffic Mirror Session page, click Create Traffic Mirror Session.

  5. On the Basic Configuration wizard page, set the following parameters and click Next.

    Name: a name for the traffic mirror session.

    Tag key: select or enter a tag key. You can specify up to 20 tag keys. A tag key can be up to 128 characters in length, cannot contain http:// or https://, and cannot start with acs: or aliyun.

    Tag value: select or enter a tag value. You can specify up to 20 tag values. A tag value must be 1 to 128 characters in length, cannot contain http:// or https://, and cannot start with aliyun or acs:.

    Description: a description for the traffic mirror session.

    VNI: a VXLAN network identifier (VNI). Valid values: 0 to 16777215. The traffic mirror destination can use the VNI to tell apart mirrored traffic that belongs to different sessions. You can specify a custom VNI or let the system allocate a random one.

    Priority: the priority of the traffic mirror session. Valid values: 1 to 32766. A smaller value indicates a higher priority. Traffic mirror sessions created in the same region by the same account must have different priorities.

    Mirrored Packet Length: the number of bytes of each original packet that are mirrored, excluding the VXLAN encapsulation. Default value: 1500. Valid values: 64 to 8500. Unit: bytes. This value determines the packet length that the traffic mirror destination receives. For more information, see Limits. This parameter is available in the following regions: Philippines (Manila), UK (London), Germany (Frankfurt), China (Hohhot), China (Qingdao), China (Shenzhen), China (Hangzhou), China (Shanghai), US (Silicon Valley), China (Beijing), Singapore, and China (Hong Kong).

  6. On the Associate Filter wizard page, select a filter and click Next.

  7. On the Select Traffic Mirror Source wizard page, select an ENI and click Next.

    The ENI cannot belong to the following ECS instance families: ecs.c1, ecs.c2, ecs.c4, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.se1ne, ecs.se1nec, ecs.sn1, ecs.sn1ne, ecs.sn1nec, ecs.sn2, ecs.sn2ne, ecs.sn2nec, ecs.t1, and ecs.xn4. For more information about ECS instance families, see Overview of instance families.

  8. On the Select Traffic Mirror Destination wizard page, click ENI or CLB, select an ENI or a Classic Load Balancer (CLB) instance in the Select Instance section, and then click Next.

    Note

    An ENI cannot be specified as a traffic mirror source and a traffic mirror destination at the same time.

  9. On the Complete wizard page, click Submit.
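The VNI and Mirrored Packet Length parameters only matter once you look at what arrives at the traffic mirror destination, so the following added Python example (not code from the page or from Alibaba Cloud) models that side: it constructs an original frame, wraps it the way a VXLAN mirror would, then decodes the result to recover the session VNI and the inner 5-tuple and to detect that the packet was cut to the session's Mirrored Packet Length. Assumptions: the destination receives VXLAN on the IANA port 4789, the Mirrored Packet Length cut applies to the inner frame bytes, and all MAC and IP addresses are constructed placeholders.

```python
import struct
from ipaddress import IPv4Address

VXLAN_UDP_PORT = 4789  # IANA-assigned VXLAN port; assumed here to be what the destination listens on
DUMMY_MAC = b"\x02\x00\x00\x00\x00\x01"  # locally administered placeholder address (constructed)


def _ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header: version/IHL, DSCP, total length, id, flags, TTL, protocol, checksum (unset), addresses."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def build_original_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed frame as it left the mirror source ENI: Ethernet + IPv4 + bare TCP header + payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    eth = DUMMY_MAC + DUMMY_MAC + b"\x08\x00"
    return eth + _ipv4_header(src, dst, 6, len(tcp) + len(payload)) + tcp + payload


def encapsulate(vni: int, original: bytes, mirrored_packet_length: int = 1500) -> bytes:
    """Model of what the destination receives: the original frame, cut to the session's
    Mirrored Packet Length, wrapped in VXLAN carrying the session's VNI."""
    if not 0 <= vni <= 0xFFFFFF:
        raise ValueError("VNI must be 0 to 16777215")
    inner = original[:mirrored_packet_length]                       # assumed cut point
    vxlan = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"  # I flag set, 24-bit VNI, reserved
    udp_len = 8 + len(vxlan) + len(inner)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)
    outer_eth = DUMMY_MAC + DUMMY_MAC + b"\x08\x00"
    return outer_eth + _ipv4_header("192.0.2.10", "192.0.2.20", 17, udp_len) + udp + vxlan + inner


def decode_mirrored_frame(frame: bytes) -> dict:
    """Strip the outer headers, read the VNI, and summarise the mirrored packet."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("outer frame is not IPv4")
    outer_ip = frame[14:]
    if outer_ip[9] != 17:
        raise ValueError("outer packet is not UDP")
    udp = outer_ip[(outer_ip[0] & 0x0F) * 4:]
    _, udp_dport, _, _ = struct.unpack("!HHHH", udp[:8])
    if udp_dport != VXLAN_UDP_PORT:
        raise ValueError(f"UDP destination port {udp_dport} is not VXLAN")
    vxlan, inner = udp[8:16], udp[16:]
    if not vxlan[0] & 0x08:
        raise ValueError("VXLAN I flag clear: VNI field is not valid")
    vni = int.from_bytes(vxlan[4:7], "big")

    inner_ip = inner[14:]
    total_len = struct.unpack("!H", inner_ip[2:4])[0]  # length the IP packet had at the source
    proto = inner_ip[9]
    l4 = inner_ip[(inner_ip[0] & 0x0F) * 4:]
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:                # TCP/UDP ports survive even a 64-byte cut
        sport, dport = struct.unpack("!HH", l4[:4])
    original_len = 14 + total_len
    return {
        "vni": vni,
        "src": str(IPv4Address(inner_ip[12:16])),
        "dst": str(IPv4Address(inner_ip[16:20])),
        "proto": proto,
        "sport": sport,
        "dport": dport,
        "received": len(inner),
        "original": original_len,
        "truncated": len(inner) < original_len,   # fewer bytes than the inner header claims: cut by Mirrored Packet Length
    }


def demux_by_vni(frames: list[bytes]) -> dict[int, list[dict]]:
    """Group decoded frames by session VNI, which is how the destination tells sessions apart."""
    groups: dict[int, list[dict]] = {}
    for f in frames:
        d = decode_mirrored_frame(f)
        groups.setdefault(d["vni"], []).append(d)
    return groups


if __name__ == "__main__":
    big = build_original_frame("10.0.1.7", "10.0.2.9", 51000, 443, b"x" * 2000)
    print(decode_mirrored_frame(encapsulate(4242, big, 256)))
```

The truncation check compares the inner IPv4 total length field with the bytes actually received; a tool on the destination that only trusts the header would otherwise try to read payload that the mirror never delivered, which is the practical consequence of choosing a small Mirrored Packet Length.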

Enable a traffic mirror session

By default, a traffic mirror session is disabled after it is created. To mirror network traffic, you must first enable the traffic mirror session.

  1. Log on to the VPC console.

  2. In the left-side navigation pane, choose O&M and Monitoring > Traffic Mirroring > Traffic Mirror Session.

  3. In the top navigation bar, select the region where the traffic mirror session is created.

  4. On the Traffic Mirror Session page, find the traffic mirror session that you want to enable and click Start in the Actions column.

Disable a traffic mirror session

  1. Log on to the VPC console.

  2. In the left-side navigation pane, choose O&M and Monitoring > Traffic Mirroring > Traffic Mirror Session.

  3. In the top navigation bar, select the region where the traffic mirror session is created.

  4. On the Traffic Mirror Session page, find the traffic mirror session that you want to disable and click Stop in the Actions column.

  5. In the message that appears, click OK.

Delete and add a traffic mirror source

If you want to change the ENI from which network traffic is mirrored, delete the original traffic mirror source and create a new one.

  1. Log on to the VPC console.

  2. In the left-side navigation pane, choose O&M and Monitoring > Traffic Mirroring > Traffic Mirror Session.

  3. In the top navigation bar, select the region where the traffic mirror session is created.

  4. On the Traffic Mirror Session page, find the traffic mirror session from which you want to delete the traffic mirror source and click the ID of the session.

  5. In the Traffic Mirror Sources section, click Delete in the Actions column.

  6. In the message that appears, click OK.

  7. In the Traffic Mirror Sources section, click Add Traffic Mirror Sources.

  8. In the Add Traffic Mirror Sources dialog box, select the ENI that you want to add as a traffic mirror source and click OK.

Delete a traffic mirror session

  1. Log on to the VPC console.

  2. In the left-side navigation pane, choose O&M and Monitoring > Traffic Mirroring > Traffic Mirror Session.

  3. In the top navigation bar, select the region where the traffic mirror session is created.

  4. On the Traffic Mirror Session page, find the traffic mirror session that you want to delete and click Delete in the Actions column.

  5. In the message that appears, click OK.

Delete a traffic mirror filter

Before you delete a filter, make sure that the filter is not associated with a traffic mirror session. If the filter is associated with a traffic mirror session, disassociate the filter from the traffic mirror session before you delete the filter.

  1. Log on to the VPC console.

  2. In the left-side navigation pane, choose O&M and Monitoring > Traffic Mirroring > Filter.

  3. In the top navigation bar, select the region where the filter that you want to delete is created.

  4. On the Filter page, find the filter that you want to delete and click Delete in the Actions column.

  5. In the message that appears, click OK.
