Traffic traceability identifies the real source or destination assets behind shared egress points such as NAT gateways and ALB/CLB. With this feature enabled, alerts pinpoint individual ECS instances instead of shared public IP addresses, improving security investigation accuracy and incident response.
Background
In a typical public cloud architecture, many-to-one network topologies are common: dozens or even hundreds of ECS instances may share a single NAT gateway for outbound internet access, and external-facing services may run across multiple ECS instances behind an ALB or CLB. Internet users see only the public IP address of the SLB (Server Load Balancer, which includes ALB and CLB) instance. With traditional out-of-band mirroring or public network traffic logs alone, NDR can observe only the public IP of the NAT gateway or SLB. It cannot determine which ECS instance connected to a known C2 domain, which container triggered a brute-force attack, which internal asset an attacker moved laterally to, or which business chain triggered a suspicious access complaint.
Benefits
Traffic traceability collects session-level correlation data from shared egress points such as NAT gateways, ALB, and CLB without altering your business traffic paths. It automatically maps public-side five-tuple information to private-side assets, enabling NDR alerts to reach the affected asset and process directly. This underpins advanced Agentic NDR features such as attack event aggregation, login behavior analysis, and one-click blocking.
Problems solved
-
Asset visibility gaps: Elevates NDR alerts from the "public IP level" to the "cloud asset level," binding each event to a specific ECS or container instance.
-
Traceability efficiency: Traditional investigation requires manually searching NAT/SLB logs by timestamp and five-tuple to locate assets. Traffic traceability automates this process, significantly reducing investigation time.
-
Event aggregation: Attack chains spanning multiple NAT gateways or VPCs are often split into isolated alerts. With traceability enabled, the system correctly correlates and causally orders events in the event center.
-
Multi-account and multi-VPC scenarios: Across accounts and regions, you can obtain a unified asset view from a single NDR console.
Scope
-
Supported asset types: Traffic traceability is available only for public NAT gateways, Application Load Balancers (ALB), and Classic Load Balancers (CLB).
-
Prerequisites: Before enabling traceability, make sure the corresponding public assets are connected to Agentic NDR.
Procedure
-
Enable logging for the corresponding cloud service:
-
Public NAT gateway: Go to the NAT Gateway console, open the instance details page, and on the page, click Enable Session Log. For detailed steps, see Start a session log.
-
ALB and CLB: Go to the Server Load Balancer console and enable the Access Logs feature for the corresponding instance. For detailed steps, see ALB access logs and CLB access logs.
Note-
Log type limitations: For ALB and CLB, only application-layer requests are recorded. Network-layer traffic cannot be traced through access logs.
-
Billing: Enabling the preceding logging features incurs log-related charges billed by the Log Service.
-
Traceability timing: The preceding logs may experience delays during capture and delivery. To ensure real-time security response, NDR allows a maximum traceability wait time of 90 seconds. If the relevant session logs are not delivered to Log Service (SLS) within 90 seconds, NDR terminates the traceability operation. This mechanism only indicates that the private IP association could not be completed—the original traffic detection and alert data are fully preserved.
-
-
-
Configure NDR traffic traceability: Return to the Agentic NDR console, go to the tab, and click Traffic Traceability Settings in the upper-right corner. On the page that appears, enable the traceability switch for the corresponding asset.
-
Attack Alert Traceability: After this is enabled, the system displays private network traceability results on the and pages, replacing the original NAT gateway or load balancer public IP addresses.
-
Sensitive Data Tracing: After this is enabled, the system displays private network traceability results on the page, replacing the original NAT gateway or load balancer public IP addresses.
-
FAQ
Does enabling traffic traceability affect NAT/SLB performance?
No. Traceability uses out-of-band asynchronous collection to capture session mapping metadata. The process runs outside the business forwarding path and has no impact on bandwidth or latency.
Can I trace historical traffic?
Mapping data collection begins from the time you enable the feature. Historical sessions before enablement are not within the traceability scope. We recommend enabling traceability when important business services go live.
Can I trace NAT/SLB across accounts?
Yes. In a multi-account management scenario, NAT/SLB instances from managed accounts appear in the primary account's Agentic NDR console, where you can enable and view traceability uniformly.