To enable threat detection for your cloud assets, connect their traffic to the Agentic NDR system. This topic describes how to connect both public and private network asset traffic.
Use cases
Public network asset traffic connection: Connects traffic from public network assets that have Elastic IP addresses (EIPs) or public IP addresses, such as ECS, SLB, NAT, ENI, ALB, and NLB instances.
Private network asset traffic connection: Connects private network traffic from all ECS assets. Agentic NDR automatically creates VPC traffic mirrors and private connections to mirror private network traffic, simplifying the connection process.
Agentic NDR uses bypass traffic mirroring, which does not affect the traffic of your running online services.
Connect public network asset traffic
Sign in to the Agentic NDR Console.
In the left-side navigation pane, click Traffic Ingestion.
On the Internet tab, locate the target asset, click Access in the Actions column, and then click OK in the dialog box that appears.
Note
Asset synchronization: If the target asset is not displayed, click Sync Assets in the upper-right corner and wait 5 to 10 minutes before refreshing the page. If the asset still does not appear, the asset type does not support connection or is outside the current Supported regions.
Full connection: To connect all assets at once, click Full Access in the upper-left corner of the page.
Connect private network asset traffic
Connect asset traffic
Sign in to the Agentic NDR Console.
In the left-side navigation pane, click Traffic Ingestion.
On the VPC tab, view the Total Assets, Collected Assets, Uncollected Assets, and the VPC list.
Select the VPC whose traffic you want to connect and click Access in the Actions column. Complete the following configurations.
Configure Traffic Mirroring: Select the mirrored assets whose traffic you want to connect.
Important
Billing: Creating traffic mirrors incurs fees. Billing is handled by VPC. For billing details, see Traffic mirroring.
Cost estimation: You can view the traffic trends of the Selected Assets and Entire VPC in the traffic trend chart to estimate the related costs.
Define Mirroring Parameters:
Mirror Traffic Threshold: Select a mirror bandwidth threshold from the drop-down list based on your business requirements. You can refer to the estimated bandwidth displayed on the page.
Availability Zone: Select at least one vSwitch with an available IP address for Agentic NDR.
For high availability, create vSwitches in two different zones. If no suitable vSwitch is available in the target zone, click Create vSwitch to create one.
: Configure the connection traffic threshold.
: Set the time period type for traffic connection.
Note: After the configuration takes effect, Agentic NDR collects traffic only when both conditions are met: the Traffic Threshold is not reached and the configured Period Type is satisfied. Otherwise, traffic collection stops automatically.
After you confirm the billing prompt, click Close.
During asset connection, you can click Connecting in the VPC ID/Name column to view the connection status. After private network traffic connection is complete, Agentic NDR automatically configures a default traffic filter rule for the connected asset. You can also customize filter rules based on your business needs. For more information, see Customize traffic filter rules.
Customize traffic filter rules
Define conditions on direction, IP addresses, ports, and protocols to allow or deny specific traffic. This gives you fine-grained control over private network traffic collection.
Procedure
In the upper-right corner of the asset list, click Filter Rule.
In the Filter Rule panel, click Create Rule.
In the Create Rule panel, configure the Rule Name and Rule Condition.
Click Add Rule Condition and configure the rule conditions as described in the following table.
Parameter: Description
Direction: The direction for traffic filtering. Select Inbound or Outbound.
Protocol Type: The protocol type for traffic patterns. You can select ALL (all protocol types), ICMP, TCP, UDP, and more.
Source CIDR Block: Configure the source CIDR block.
Source Port: Configure the source port number. Valid values: 1 to 65535. Separate the start port and end port with a forward slash (/). Format: 1/200, 80/80.
Destination CIDR Block: Configure the destination CIDR block.
Destination Port: Configure the destination port number. Valid values: 1 to 65535. Separate the start port and end port with a forward slash (/). Format: 1/200, 80/80.
Collect or Not: Specifies whether to collect traffic filtered by the rule.
  Yes: Only traffic that matches the rule is collected.
  No: Traffic that matches the rule is not collected. Other traffic is collected as normal.
Priority: Set the priority of the filter rule. A smaller value indicates a higher priority.
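The following sketch is an added example, not Agentic NDR code. It dry-runs a set of rule conditions against sample flows so that you can see which traffic would stop reaching detection before you save a rule. The field names, the sample data, and the evaluation model (the highest-priority matching condition decides, and unmatched traffic is collected only when no Yes condition exists) are assumptions based on the parameter descriptions above.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Condition:          # one rule condition; field names are hypothetical
    direction: str        # "Inbound" or "Outbound"
    protocol: str         # "ALL", "ICMP", "TCP", "UDP"
    src_cidr: str
    src_ports: str        # "start/end", e.g. "1/200" or "80/80"
    dst_cidr: str
    dst_ports: str
    collect: bool         # Collect or Not: True = Yes, False = No
    priority: int         # smaller value = higher priority

def parse_ports(spec):
    """Parse 'start/end' and enforce the documented 1-65535 range."""
    start, end = (int(p) for p in spec.split("/"))
    if not 1 <= start <= end <= 65535:
        raise ValueError(f"invalid port range: {spec!r}")
    return start, end

def matches(c, flow):
    direction, proto, src, sport, dst, dport = flow
    if c.direction != direction or c.protocol not in ("ALL", proto):
        return False
    if (ipaddress.ip_address(src) not in ipaddress.ip_network(c.src_cidr)
            or ipaddress.ip_address(dst) not in ipaddress.ip_network(c.dst_cidr)):
        return False
    if proto in ("TCP", "UDP"):  # port ranges only apply to TCP and UDP
        (slo, shi), (dlo, dhi) = parse_ports(c.src_ports), parse_ports(c.dst_ports)
        return slo <= sport <= shi and dlo <= dport <= dhi
    return True

def is_collected(conditions, flow):
    """ASSUMED: top-priority match decides; unmatched is collected only if no 'Yes' condition exists."""
    for c in sorted(conditions, key=lambda c: c.priority):
        if matches(c, flow):
            return c.collect
    return not any(c.collect for c in conditions)

def blind_spots(conditions, flows):
    return [f for f in flows if not is_collected(conditions, f)]

# Constructed sample conditions and flows (direction, proto, src, sport, dst, dport).
RULES = [Condition("Inbound", "TCP", "10.0.2.7/32", "1/65535", "10.0.1.0/24", "3306/3306", True, 1),
         Condition("Inbound", "TCP", "10.0.2.0/24", "1/65535", "10.0.1.0/24", "3306/3306", False, 2)]
FLOWS = [("Inbound", "TCP", "10.0.2.7", 41000, "10.0.1.5", 3306),
         ("Inbound", "TCP", "10.0.2.8", 41000, "10.0.1.5", 3306),
         ("Inbound", "TCP", "10.0.3.9", 41000, "10.0.1.5", 22)]
```

Calling blind_spots(RULES, FLOWS) returns the flows that would not be mirrored under this model. Here the Yes condition also drops the unrelated port 22 flow, which is the kind of detection gap to review before applying a rule.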
Other operations
Edit a rule: Click Details in the Actions column to view or modify the basic information of a rule. You can modify or delete configured rule conditions, or add new ones.
Delete a rule: Click Delete in the Actions column to delete a custom filter rule that is not referenced.
Next steps
Private network traffic traceability
In scenarios that use an Internet NAT Gateway and Server Load Balancer (SLB), the real IP address of the server providing the service is not exposed externally. When an attack occurs, it becomes difficult to identify the specific service instance, such as an ECS instance, that is under attack. As a result, public network alerts cannot be linked to the corresponding internal private network instance, and correlation between public and private network alerts is not possible.
For assets such as the Internet NAT Gateway, Application Load Balancer (ALB), and Classic Load Balancer (CLB), we recommend that you configure traffic traceability after connecting them. For more information, see Traffic traceability settings.
HTTPS traffic decryption
By default, Agentic NDR cannot inspect encrypted traffic content. To improve the visibility and threat detection capability for HTTPS traffic, the system supports automatic integration with cloud products to synchronize TLS session keys, enabling decryption and security analysis of encrypted traffic.
For assets that access the system through a WAF CNAME, you can configure the HTTPS traffic decryption feature. For more information, see HTTPS traffic decryption.
Daily operations
After your assets are connected, use the following daily operations to manage them.
Manage connected public network assets
After you connect public network assets, Agentic NDR continuously performs full traffic threat detection and protection for the connected assets. You can perform the following operations in the Traffic Ingestion list:
View the connected IP, Instance ID/Name, Asset Type/Region, Associated Asset, Protocol/Port, Status, and Collected At. You can also perform Edit or Stop on a target instance in the Actions column.
Available operations
Filter: Filter data by protocol, cloud service, collection status, asset ID, IP address, and asset name.
Stop: Click Stop in the Actions column to stop traffic collection for a cloud service.
Edit: Click Edit in the Actions column to modify the ports, protocol types, traffic thresholds, and collection time for cloud service traffic collection.
Manage connected private network assets
Click Details in the Actions column.
In the Details panel, view the connection status of Mirroring Parameters and Traffic Mirroring Assets under the VPC.
On the Mirror Parameters tab, you can perform the following operations:
View the vSwitches collected by Agentic NDR. Click a vSwitch name to go to the VPC console and view its details.
Click Edit to modify the mirror bandwidth threshold.
In Advanced Settings, click Edit Information to modify the connection Traffic Threshold and Period Type.
On the Mirror Traffic Assets tab, view collected and uncollected assets.
For uncollected assets, click Steer Traffic in the Actions column to connect traffic for the asset.
For collected assets, click the pencil icon in the Filter Rule column to modify traffic filter rules based on your business requirements. You can also click Create Rule to customize traffic filter rules. For more information, see Customize traffic filter rules.