Traffic mirroring overview - Virtual Private Cloud - Alibaba Cloud Documentation Center

Virtual Private Cloud (VPC) supports the traffic mirroring feature. You can use this feature to mirror network traffic that flows through an elastic network interface (ENI) based on specified filters. The traffic mirroring feature mirrors network traffic from an Elastic Compute Service (ECS) instance in a VPC and forwards the traffic to a specified ENI or an internal-facing Classic Load Balancer (CLB) instance. You can use this feature in scenarios such as content inspection, threat monitoring, and troubleshooting.

Regions that support traffic mirroring


Area	Region
Asia Pacific	China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), South Korea (Seoul), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), and Thailand (Bangkok)
Europe & Americas	Germany (Frankfurt), US (Silicon Valley), US (Virginia), and UK (London)

Terms

Filter: contains inbound and outbound rules. Filters are used to control the network traffic in traffic mirror sessions.
- Inbound traffic: traffic that is mirrored from ENIs and forwarded to destination instances such as ECS instances and Server Load Balancer (SLB) instances.
- Outbound traffic: traffic that is mirrored from destination instances such as ECS instances and SLB instances, and then forwarded to the Internet.
Traffic mirror source: an ENI from which you want to mirror network traffic.
Traffic mirror destination: an ENI or an internal-facing CLB instance that is used to receive mirrored network traffic.
Traffic mirror session: mirrors network traffic from a traffic mirror source to a traffic mirror destination based on specified filters.

Filters

You can specify inbound and outbound rules in filters. When you create a traffic mirror session, you can associate the session with a filter. After the traffic mirror session is created and enabled, all network traffic that matches the filter is mirrored. Five parameters are used to specify the inbound and outbound rules in filters: source CIDR block, source port, destination CIDR block, destination port, and protocol.

For example, you can set the parameters to the following values for an inbound rule: source CIDR block to 192.168.0.0/16, source port to 10000, destination CIDR block to 10.0.0.0/8, destination port to 80, and protocol to TCP. After the preceding configuration is completed, the traffic mirror session mirrors the network traffic that is transmitted to the specified ECS instance based on the specified filter conditions.

Use scenarios

Security: Intrusion detection
You can use self-developed or third-party software to monitor mirrored traffic. This ensures that all security vulnerabilities and intrusion activities are detected. The traffic mirroring feature accelerates the detection process and allows you to respond to attacks at the earliest opportunity.
Auditing: Finance or public service sectors
In the finance industry or scenarios that require high-level compliance, network traffic must be audited. You can use the traffic mirroring feature to mirror network traffic to an auditing platform on which you can audit the compliance of the traffic.
Network O&M: Troubleshooting
O&M engineers can use the traffic mirroring feature to troubleshoot network issues. For example, they can query mirrored traffic to analyze TCP retransmission issues without the need to retrieve packets from a virtual machine (VM).

Billing and pricing

Billing

Total fee = Instance fee + Data mirroring fee

Instance fee = Number of ENIs that have traffic mirror sessions enabled × Active session hours × Unit price (USD/ENI/hour)
After an ENI has traffic mirror sessions enabled, you are charged on an hourly basis. If the usage duration is less than 1 hour, it is rounded up to 1 hour. After you disable traffic mirror sessions for an ENI, the billing stops.
Data mirroring fee = Total amount of mirrored data (GB) × Unit price (USD/GB)

The following table describes the unit prices of the billable items:


Billable item	Unit price
Instance fee	0.014 (USD/ENI/hour)
Traffic mirroring fee	0.007 (USD/GB)

Note You are not charged a data mirroring fee before March 30, 2024.

For example, traffic mirror sessions are enabled for five ENIs that are deployed in a VPC in Silicon Valley Zone B. The traffic mirror sessions have been active 24 hours per day for 30 days, and the size of the data transfer plan is 20 GB. In this case, the fees are calculated by using the following formulas:

Instance fee = 5 × 30 × 24 × 0.014 = USD 50.4
Traffic mirroring fee = 20 × 0.007 = USD 0.14
Total fee = 50.4 + 0.14 = USD 50.54

Overdue payments

If a payment becomes overdue, the traffic mirroring feature continues to provide services for the following 15 days.
If the outstanding amount is not paid within the 15 days, the traffic mirroring feature is suspended. After the traffic mirroring feature is suspended, it is unavailable. Active traffic mirror sessions are also suspended.
If you do not complete the payment within 15 days after the traffic mirroring feature is suspended, the traffic mirror sessions are automatically deleted. An email notification is sent to you one day before the traffic mirror sessions are deleted. After the traffic mirror sessions are deleted, the configurations and data of the traffic mirror sessions are deleted and cannot be restored.

Limits

Resource quotas


Item	Default value	Adjustable
The maximum number of traffic mirror sources that can be specified in each traffic mirror session	10	You can request a quota increase by using one of the following methods: Go to the Quota Management page to request a quota increase. Go to the Quota Center page and request a quota increase. For more information about how to increase quotas, see Adjust quotas.
The maximum number of traffic mirror sessions that you can create in each region with each Alibaba Cloud account	20000	N/A
The maximum number of traffic mirror sessions supported by each traffic mirror source	1
The maximum number of traffic mirror destinations that can be specified by each Alibaba Cloud account	Unlimited
The maximum number of traffic mirror sessions supported by each traffic mirror destination	200 (if the traffic mirror destination is an internal-facing CLB instance) 10 (if the traffic mirror destination is an ENI)
The maximum number of rules that can be specified in each filter	10
The maximum number of traffic mirror sessions that can be associated with each filter	1000

Limits on use

The standard Virtual Extensible LAN (VXLAN) protocol is used in traffic mirror sessions to encapsulate packets. For more information about the VXLAN protocol, see RFC 7348. If the total size of a mirrored packet and its VXLAN packet exceeds the maximum transmission unit (MTU) of the source ENI, the packet is truncated. To prevent packet truncation in IPv4 scenarios, we recommend that you set the MTU of the ENI to a value that is at least 50 bytes smaller than the MTU supported by the connection.
You do not need to allocate additional bandwidth for traffic mirror sessions. Traffic mirror sessions share the bandwidth of the associated instances and the bandwidth usage is not capped.
Each packet from a traffic mirror source can be mirrored only once and sent to only one traffic mirror destination.
When packets are mirrored from a traffic mirror source, they are not limited by security groups or network ACLs. However, security groups and network ACLs impose limits on packets when the packets are mirrored to a traffic mirror destination. Therefore, you must set the following security group rules and network ACL rules for the traffic mirror destination:
- Security group rules: You must set an inbound rule that allows the IP address of the ENI of the traffic mirror source to access UDP packets whose destination port is 4789. For more information about how to configure security group rules, see Create a security group.
- Network ACL rules: You must set an inbound rule that allows UDP packets from all source ports and the IP address of the ENI that serves as the traffic mirror source. For more information about how to configure network ACL rules, see Work with network ACLs.
An ENI cannot serve as both a traffic mirror source and a traffic mirror destination.
The system does not mirror Address Resolution Protocol (ARP) packets, Dynamic Host Configuration Protocol (DHCP) packets, flow log packets, or packets that are dropped by security groups or network ACLs.
You cannot use traffic mirroring to mirror IPv6 traffic.
Only ECS instances that belong to the following instance families support traffic mirroring:r5, hfg6, c6, c6a, g5ne, g6se, c5, g6, g6a, hfr6, r6, r6a, g5, g5ne, hfc5, hfg5, hfc6, g7ne, g7a, g7, g7t, g6t, g6e, c7a, c7, c7t, c6t, c6e, r7a, r7, r7t, r6e, hfc7, hfg7, hfr7, gn7i, ebmc6a, ebmc6e, ebmg6a, ebmg6e, ebmr6a, ebmr6e, ebmhfg7, ebmhfc7, and ebmhfr7 For more information about ECS instance families, see Overview of instance families.

Virtual Private Cloud:Traffic mirroring overview