Virtual Private Cloud (VPC) supports the traffic mirroring feature. You can use this feature to mirror network traffic that flows through an elastic network interface (ENI) based on specified filters. The traffic mirroring feature allows you to mirror network traffic from an Elastic Compute Service (ECS) instance that is deployed in a VPC and forward the traffic to a specified ENI or internal-facing Server Load Balancer (SLB) instance. You can use this feature in scenarios such as content inspection, threat monitoring, and troubleshooting.

Traffic mirroring

Regions that support traffic mirroring

District Region
Asia Pacific China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), South Korea (Seoul), Singapore (Singapore), Australia (Sydney), and Thailand (Bangkok).
Europe & Americas US (Silicon Valley), US (Virginia), and UK (London)

Terms

  • Filter: contains inbound and outbound rules. Filters are used to control the network traffic in traffic mirror sessions.
  • Traffic mirror source: an ENI from which you want to mirror network traffic.
  • Traffic mirror destination: an ENI or an internal-facing SLB instance that is used to receive mirrored network traffic.
  • Traffic mirror session: mirrors network traffic from a traffic mirror source to a traffic mirror destination based on specified filters.

Filters

You can specify inbound and outbound rules in filters. When you create a traffic mirror session, you can associate the session with a filter. After the traffic mirror session is created and enabled, all network traffic that matches the filter is mirrored. Five parameters are used to specify the inbound and outbound rules in filters: source CIDR block, source port, destination CIDR block, destination port, and protocol.

For example, you can set the parameters to the following values for an inbound rule: source CIDR block to 192.168.0.0/16, source port to 10000, destination CIDR block to 10.0.0.0/8, destination port to 80, and protocol to TCP. After the configuration is complete, the traffic mirror session mirrors the network traffic that is transmitted to the specified ECS instance based on the specified information.

Scenarios

  • Security: Intrusion detection

    You can use self-developed or third-party software to inspect mirrored traffic. This ensures that all security vulnerabilities and intrusion activities are detected. The traffic mirroring feature accelerates the detection process and allows you to respond to attacks at the earliest opportunity.

  • Auditing: Finance or public service sectors

    In the finance industry or scenarios that require high-level compliance, network traffic must be audited. You can use the traffic mirroring feature to mirror network traffic to an auditing platform where you can audit the compliance of the traffic.

  • Network O&M: Troubleshooting

    O&M engineers can use the traffic mirroring feature to troubleshoot network issues in scenarios such as TCP retransmission by querying mirrored traffic. They do not need to retrieve packets from a virtual machine (VM).

Billing and pricing

Billing rules

Total fee = Instance fee + Data mirroring fee
  • Instance fee = Number of ENIs for which traffic mirroring is enabled × Active duration of traffic mirror session (hours) × Unit price(USD/ENI/hour)

    After you enable traffic mirroring for an ENI, you are charged for using traffic mirroring on an hourly basis. If the usage duration is less than 1 hour, it is rounded up to 1 hour. After you disable traffic mirroring for an ENI, the billing stops.

  • Data mirroring fee = Total amount of mirrored data (GB) × Unit price(USD/GB)
The following table describes the unit prices of the billable items:
Billable item Unit price
Instance fee 0.014 (USD/ENI/hour)
Data mirroring fee 0.007 (USD/GB)
Note You are not charged a data mirroring fee before June 30, 2022.
For example, traffic mirroring is enabled for five ENIs that are deployed in a VPC in Silicon Valley Zone B. The traffic mirror sessions are active 24 hours per day for 30 days, and the total amount of mirrored data is 20 GB. In this case, the fees are calculated by using the following formulas:
  • Instance fee =5 × 30 × 24 × 0.014 = USD 50.4
  • Data mirroring fee =20 × 0.007 = USD 0.14
  • Total fee =50.4 + 0.14 = USD 50.54

Overdue payments

  • The traffic mirroring feature continues to provide services within 15 days after the payment becomes overdue.
  • If the outstanding amount is not paid 15 days after the payment becomes overdue, the traffic mirroring feature is suspended. After the traffic mirroring feature is suspended, it is unavailable. Active traffic mirror sessions also stop running.
  • If you do not complete the payment within 15 days after the traffic mirroring feature is suspended, the traffic mirror sessions are automatically deleted. An email notification is sent to you one day before the traffic mirror sessions are deleted. After the traffic mirroring sessions are deleted, the configurations and data of the traffic mirroring sessions are deleted and cannot be recovered.

Limits

Resource quotas

Item Limit Adjustable
The number of traffic mirror sessions that you can create in each region with each Alibaba Cloud account 20000 N/A
The number of traffic mirror sessions supported by each traffic mirror source 1
The number of traffic mirror sources that can be specified in each traffic mirror session 1
The number of traffic mirror destinations that can be specified by each Alibaba Cloud account Unlimited
The number of traffic mirror sessions supported by each traffic mirror destination
  • 200 (if the traffic mirror destination is an internal-facing SLB instance)
  • 10 (if the traffic mirror destination is an ENI)
The number of rules that can be specified in each filter 10
The number of traffic mirror sessions that can be associated with each filter 1000

Limits

  • The standard Virtual Extensible LAN (VXLAN) protocol is used in traffic mirror sessions to encapsulate packets. For more information about the VXLAN protocol, see RFC 7348. If the total size of a mirrored packet and its VXLAN packet exceeds the maximum transmission unit (MTU) of the source ENI, the packet is truncated. To avoid packet truncation, we recommend that you set the MTU of the ENI to a value that is at least 50 bytes less than the link MTU between the traffic mirror source and destination if you use IPv4 addresses. For more information, see Set the MTU size of an NIC.
  • You do not need to allocate additional bandwidth for traffic mirror sessions. Traffic mirror sessions share the bandwidth of the associated instances and the bandwidth usage is not capped.
  • Each packet from a traffic mirror source can be mirrored only once and sent to only one traffic mirror destination.
  • When packets are mirrored from a traffic mirror source, they are not limited by security groups or network ACLs. However, security groups and network ACLs impose limits on packets when the packets are mirrored to a traffic mirror destination. Therefore, you must set the following security group rules and network ACL rules for the traffic mirror destination:
    • Security group rules: You must set an inbound rule that allows the IP address of the source ENI to access UDP packets whose destination port is 4789. For more information about how to configure security group rules, see Create a security group.
    • Network ACL rules: You must set an inbound rule that allows UDP packets from all source ports and the IP address of the source ENI. For more information about how to configure network ACL rules, see Work with network ACLs.
  • You cannot specify an ENI as both the traffic mirror source and the traffic mirror destination.
  • The system does not mirror Address Resolution Protocol (ARP) packets, Dynamic Host Configuration Protocol (DHCP) packets, flow log packets, or packets that are dropped by security groups or network ACLs.
  • IPv6 traffic cannot be mirrored.
  • Only ECS instances that belong to the following instance families support the traffic mirroring feature: g7ne, g7a, g7, g7t, g6t, g6e, c7a, c7, c7t, c6t, c6e, r7a, r7, r7t, r6e, hfc7, hfg7, hfr7, gn7i, ebmc6a, ebmc6e, ebmg6a, ebmg6e, ebmr6a, ebmr6e, ebmhfg7, ebmhfc7, and ebmhfr7. For more information about ECS instance families, see Instance family.

Procedure

Procedure