Traffic mirroring copies network traffic from an elastic network interface (ENI). Only traffic that matches the rules of a filter is copied, and the copy is forwarded to a specified destination. Because the destination receives the matched packets in full, including payloads, protect it at least as strictly as the source. This topic describes how to use the traffic mirroring feature.

Prerequisites

  • If this is your first time using traffic mirroring, go to the Traffic Mirroring page and follow the instructions to enable the feature.
  • If the traffic mirror source and traffic mirror destination in a traffic mirror session belong to different VPCs, make sure that the VPCs can communicate with each other. For more information, see Connect VPCs.

Create a filter

If a filter does not contain rules, no traffic is mirrored.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose O&M and Monitoring > Traffic Mirroring > Filter.
  3. In the top navigation bar, select the region where you want to create a filter.
  4. On the Filter page, click Create Filter.
  5. In the Information section of the Create Filter page, set Name and Description.
  6. On the Inbound Rules and Outbound Rules tabs of the Rule Configuration section, click Create Rule to create inbound rules and outbound rules. Then, click OK. The following table describes the required parameters. For more information about inbound and outbound rules, see Filters.
    Parameter Description
    Protocol Type Specify the protocol of the network traffic that you want to mirror from Elastic Compute Service (ECS) instances. Valid values:
    • ALL: all protocols
    • ICMP: Internet Control Message Protocol (ICMP)
    • TCP: TCP
    • UDP: UDP
    Source CIDR Block Specify the source CIDR block of the traffic.
    Destination CIDR Block Specify the destination CIDR block of the traffic.
    Source Port Enter the source port range of the traffic.

    Valid values: 1 to 65535. Separate the first port and the last port with a forward slash (/), for example, 1/200 or 80/80.

    If you set Protocol Type to ALL or ICMP, you cannot specify a port range. The default value -1/-1 is used, which means that all ports are matched.

    Destination Port Enter the destination port range of the traffic.

    Valid values: 1 to 65535. Separate the first port and the last port with a forward slash (/), for example, 1/200 or 80/80.

    If you set Protocol Type to ALL or ICMP, you cannot specify a port range. The default value -1/-1 is used, which means that all ports are matched.

    Priority Specify the priority of the rule. Valid values: 1 to 16777216.

    A smaller value indicates a higher priority. You can create at most 10 rules. The priority of each inbound or outbound rule that belongs to the same filter must be unique.

    Policy Specify the action that you want to perform on the network traffic. Valid values:
    • Collect: collects the network traffic.
    • Do not Collect: does not collect the network traffic.
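The rule semantics described in the table above, as an added example that is not part of this page or of the VPC product: a small Python model of one direction of a filter that enforces the documented constraints (the first/last port syntax, -1/-1 for ALL and ICMP rules, unique priorities, at most 10 rules) and decides whether a given packet would be mirrored. The evaluation order it uses (rules tried from the smallest priority number upwards, the first match deciding, no match meaning not mirrored) is an assumption of the example, as are the sample rules and addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# The console's default "-1/-1": no port restriction.
ALL_PORTS = (-1, -1)
MAX_RULES = 10
MAX_PRIORITY = 16777216


def parse_port_range(text: str) -> Tuple[int, int]:
    """Parse the console's 'first/last' syntax, e.g. '1/200' or '80/80'."""
    if text == "-1/-1":
        return ALL_PORTS
    first, last = (int(part) for part in text.split("/"))
    if not 1 <= first <= last <= 65535:
        raise ValueError(f"port range out of bounds: {text}")
    return first, last


@dataclass(frozen=True)
class Rule:
    protocol: str               # ALL, ICMP, TCP or UDP
    src_cidr: str
    dst_cidr: str
    src_ports: Tuple[int, int]  # from parse_port_range
    dst_ports: Tuple[int, int]
    priority: int               # 1..16777216, smaller wins
    policy: str                 # "Collect" or "Do not Collect"


def validate_rules(rules: List[Rule]) -> None:
    """Check one direction (inbound or outbound) of a filter against the documented limits."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"at most {MAX_RULES} rules per filter")
    priorities = [r.priority for r in rules]
    if len(set(priorities)) != len(priorities):
        raise ValueError("rule priorities in the same direction must be unique")
    for r in rules:
        if not 1 <= r.priority <= MAX_PRIORITY:
            raise ValueError(f"priority {r.priority} out of range")
        if r.protocol not in ("ALL", "ICMP", "TCP", "UDP"):
            raise ValueError(f"unknown protocol {r.protocol!r}")
        if r.protocol in ("ALL", "ICMP") and (r.src_ports, r.dst_ports) != (ALL_PORTS, ALL_PORTS):
            raise ValueError(f"{r.protocol} rules cannot restrict ports; use -1/-1")
        if r.policy not in ("Collect", "Do not Collect"):
            raise ValueError(f"unknown policy {r.policy!r}")
        ipaddress.ip_network(r.src_cidr, strict=False)   # raises on a malformed CIDR
        ipaddress.ip_network(r.dst_cidr, strict=False)


def _in_range(port_range: Tuple[int, int], port: int) -> bool:
    return port_range == ALL_PORTS or port_range[0] <= port <= port_range[1]


def is_mirrored(rules: List[Rule], protocol: str, src_ip: str, dst_ip: str,
                src_port: int = 0, dst_port: int = 0) -> bool:
    """Assumed evaluation model: rules are tried from the smallest priority number
    upwards and the first matching rule's policy decides; if nothing matches (or the
    filter is empty), the packet is not mirrored."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in sorted(rules, key=lambda rule: rule.priority):
        if r.protocol != "ALL" and r.protocol != protocol:
            continue
        if src not in ipaddress.ip_network(r.src_cidr, strict=False):
            continue
        if dst not in ipaddress.ip_network(r.dst_cidr, strict=False):
            continue
        if not (_in_range(r.src_ports, src_port) and _in_range(r.dst_ports, dst_port)):
            continue
        return r.policy == "Collect"
    return False


# Constructed sample inbound rules (not from the page): skip the vulnerability
# scanner's own subnet, capture low ports on the 10.0.0.0/16 tier, capture all ICMP.
SAMPLE_INBOUND = [
    Rule("TCP", "10.0.200.0/24", "10.0.0.0/16", ALL_PORTS, ALL_PORTS, 1, "Do not Collect"),
    Rule("TCP", "0.0.0.0/0", "10.0.0.0/16", ALL_PORTS, parse_port_range("1/1024"), 2, "Collect"),
    Rule("ICMP", "0.0.0.0/0", "0.0.0.0/0", ALL_PORTS, ALL_PORTS, 3, "Collect"),
]

if __name__ == "__main__":
    validate_rules(SAMPLE_INBOUND)
    print(is_mirrored(SAMPLE_INBOUND, "TCP", "203.0.113.7", "10.0.1.10", 51000, 80))    # True
    print(is_mirrored(SAMPLE_INBOUND, "TCP", "10.0.200.5", "10.0.1.10", 51000, 80))     # False
    print(is_mirrored(SAMPLE_INBOUND, "TCP", "203.0.113.7", "10.0.1.10", 51000, 8443))  # False
    print(is_mirrored([], "ICMP", "203.0.113.7", "10.0.1.10"))                          # False
```

The second sample call shows why priority matters: the scanner's traffic would match the broad Collect rule at priority 2, but the Do not Collect rule at priority 1 is tried first and shadows it. Reordering those two priorities silently changes what the destination sees, so review priorities whenever a rule is added.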

Create a traffic mirror session

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose O&M and Monitoring > Traffic Mirroring > Traffic Mirror Session.
  3. In the top navigation bar, select the region where the traffic mirror session is created.
  4. On the Traffic Mirror Session page, click Create Traffic Mirror Session.
  5. On the Basic Configuration wizard page, set the following parameters and click Next.
    Parameter Description
    Name Enter a name for the traffic mirror session.
    Description Enter a description for the traffic mirror session.
    VNI Specify a VXLAN network identifier (VNI). Valid values: 0 to 16777215.

    You can use VNIs to identify mirrored traffic from different sessions at the traffic mirror destination. If you do not specify a VNI, the system randomly allocates a VNI.

    Priority Specify the priority of the traffic mirror session. Valid values: 1 to 32766.

    A smaller value indicates a higher priority. You cannot specify identical priorities for traffic mirror sessions that are created in the same region by using the same account.

  6. On the Associate Filter wizard page, select a filter and click Next.
  7. On the Select Traffic Mirror Source wizard page, select the ENI from which you want to mirror the traffic and click Next.
    The ENI must be associated with an ECS instance that belongs to one of the following instance families: g7ne, g7a, g7, g7t, g6t, g6e, c7a, c7, c7t, c6t, c6e, r7a, r7, r7t, r6e, hfc7, hfg7, hfr7, gn7i, ebmc6a, ebmc6e, ebmg6a, ebmg6e, ebmr6a, ebmr6e, ebmhfg7, ebmhfc7, and ebmhfr7. For more information about ECS instance families, see Overview of instance families.
  8. On the Select Traffic Mirror Destination wizard page, click ENI or SLB, select an ENI or Server Load Balancer (SLB) instance from the Select Instance drop-down list, and then click Next.
    Note An ENI cannot be specified as a traffic mirror source and a traffic mirror destination at the same time.
  9. On the Complete wizard page, click Submit.
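What the traffic mirror destination actually receives, as an added example that is not from this page or from the VPC product: the session wizard assigns each session a VXLAN network identifier, so this Python code builds a few constructed VXLAN frames, decapsulates them, and groups the inner packets by the session their VNI belongs to. The header layout (8 bytes, I flag 0x08, 24-bit VNI, then the mirrored Ethernet frame) is the standard one from RFC 7348; the UDP port 4789, the VNI-to-session map and all addresses are assumptions. Keep in mind that the VNI is only a label, not authentication: anything that can deliver UDP to the collector can claim any VNI, so restrict which sources may reach it and treat unexpected VNIs as a signal rather than discarding them.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

VXLAN_UDP_PORT = 4789       # IANA VXLAN port; assumed to be what the collector listens on
VXLAN_I_FLAG = 0x08         # "VNI valid" bit in the first header byte (RFC 7348)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass(frozen=True)
class MirroredPacket:
    vni: int
    src_ip: str
    dst_ip: str
    protocol: str               # ICMP, TCP, UDP or the raw protocol number as text
    src_port: Optional[int]
    dst_port: Optional[int]


def build_vxlan_frame(vni: int, src_ip: str, dst_ip: str, proto: int,
                      src_port: int = 0, dst_port: int = 0) -> bytes:
    """Constructed sample: the UDP payload a collector on port 4789 would receive,
    i.e. a VXLAN header followed by the mirrored Ethernet/IPv4 packet. Checksums
    are left zero because the parser below never checks them."""
    vxlan = bytes([VXLAN_I_FLAG, 0, 0, 0]) + (vni << 8).to_bytes(4, "big")  # 24-bit VNI + reserved byte
    ether = (b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"
             + struct.pack("!H", ETHERTYPE_IPV4))
    if proto in (6, 17):
        l4 = struct.pack("!HH", src_port, dst_port) + b"\x00" * 4   # ports, then padding
    else:
        l4 = b"\x00" * 8                                            # e.g. an ICMP header
    ipv4 = struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src_ip).packed,
                       ipaddress.IPv4Address(dst_ip).packed)
    return vxlan + ether + ipv4 + l4


def parse_vxlan_frame(payload: bytes) -> MirroredPacket:
    """Decapsulate one VXLAN frame and extract the inner 5-tuple (IPv4 only)."""
    if len(payload) < 8 + 14 + 20:
        raise ValueError("frame too short for VXLAN + Ethernet + IPv4")
    if not payload[0] & VXLAN_I_FLAG:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    vni = int.from_bytes(payload[4:7], "big")
    (ethertype,) = struct.unpack("!H", payload[20:22])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    ip = payload[22:]
    if ip[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src_ip = str(ipaddress.IPv4Address(ip[12:16]))
    dst_ip = str(ipaddress.IPv4Address(ip[16:20]))
    src_port = dst_port = None
    if proto in (6, 17) and len(ip) >= ihl + 4:
        src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return MirroredPacket(vni, src_ip, dst_ip, IPPROTO_NAMES.get(proto, str(proto)),
                          src_port, dst_port)


def demux_by_vni(frames: List[bytes], vni_to_session: Dict[int, str]) -> Dict[str, List[MirroredPacket]]:
    """Group decapsulated packets by session name. Frames whose VNI is not one we
    configured are kept under 'unknown' rather than dropped, because VXLAN carries
    no authentication and an unexpected VNI is worth alerting on."""
    buckets: Dict[str, List[MirroredPacket]] = {}
    for frame in frames:
        pkt = parse_vxlan_frame(frame)
        buckets.setdefault(vni_to_session.get(pkt.vni, "unknown"), []).append(pkt)
    return buckets


# Constructed example: two sessions with explicit VNIs, plus a frame nobody configured.
SESSIONS = {1001: "web-tier", 2002: "db-tier"}
SAMPLE_FRAMES = [
    build_vxlan_frame(1001, "203.0.113.7", "10.0.1.10", 6, 51000, 443),
    build_vxlan_frame(2002, "10.0.1.10", "10.0.2.5", 6, 40000, 3306),
    build_vxlan_frame(2002, "10.0.2.5", "10.0.1.10", 1),
    build_vxlan_frame(3003, "198.51.100.9", "10.0.1.10", 17, 5353, 53),
]

if __name__ == "__main__":
    for session, pkts in demux_by_vni(SAMPLE_FRAMES, SESSIONS).items():
        for p in pkts:
            print(session, p.protocol, p.src_ip, p.src_port, "->", p.dst_ip, p.dst_port)
```

If you let the console allocate the VNI randomly, read the assigned value back from the session details before wiring up the collector; the demultiplexing map above is only as good as the VNIs it was given.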

Enable a traffic mirror session

By default, a traffic mirror session is disabled after it is created. To mirror network traffic, you must first enable the traffic mirror session.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose O&M and Monitoring > Traffic Mirroring > Traffic Mirror Session.
  3. In the top navigation bar, select the region where the traffic mirror session is created.
  4. On the Traffic Mirror Session page, find the traffic mirror session that you want to enable and click Start in the Actions column.

Disable a traffic mirror session

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose O&M and Monitoring > Traffic Mirroring > Traffic Mirror Session.
  3. In the top navigation bar, select the region where the traffic mirror session is created.
  4. On the Traffic Mirror Session page, find the traffic mirror session that you want to disable and click Stop in the Actions column.
  5. In the message that appears, click OK.

Delete and add a traffic mirror source

If you want to change the ENI from which network traffic is mirrored, delete the original traffic mirror source and add a new one.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose O&M and Monitoring > Traffic Mirroring > Traffic Mirror Session.
  3. In the top navigation bar, select the region where the traffic mirror session is created.
  4. On the Traffic Mirror Session page, find the traffic mirror session for which you want to delete the traffic mirror source and click the ID of the session.
  5. In the Traffic Mirror Sources section, click Delete in the Actions column.
  6. In the message that appears, click OK.
  7. In the Traffic Mirror Sources section, click Add Traffic Mirror Sources.
  8. In the Add Traffic Mirror Sources dialog box, select the ENI that you want to add as a traffic mirror source and click OK.

Delete a traffic mirror session

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose O&M and Monitoring > Traffic Mirroring > Traffic Mirror Session.
  3. In the top navigation bar, select the region where the traffic mirror session is created.
  4. On the Traffic Mirror Session page, find the traffic mirror session that you want to delete and click Delete in the Actions column.
  5. In the message that appears, click OK.

Delete a filter

Before you delete a filter, make sure that the filter is not associated with a traffic mirror session. If the filter is associated with a traffic mirror session, disassociate the filter from the traffic mirror session before you delete the filter.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose O&M and Monitoring > Traffic Mirroring > Filter.
  3. In the top navigation bar, select the region where the filter is created.
  4. On the Filter page, find the filter that you want to delete and click Delete in the Actions column.
  5. In the message that appears, click OK.
