
Virtual Private Cloud:Traffic Mirroring

Last Updated:Nov 26, 2025

Traditional methods for monitoring network traffic, such as logging on to an instance to capture packets or deploying a monitoring agent, consume system resources and degrade service performance. VPC traffic mirror provides a bypass monitoring solution that does not interfere with service traffic. This feature copies and forwards traffic that enters and leaves a specified elastic network interface (ENI) if the traffic matches filter conditions. The copied traffic is then sent to a security analytics device for real-time detection.


Common use cases:

  • Security: Intrusion detection

    Use traffic mirroring to get all data packets of a specific stream. Perform comprehensive inspections using self-developed or third-party security software to identify potential vulnerabilities and intrusion threats in real time. This lets you inspect and respond to attacks promptly.

  • Auditing: Finance or government compliance

    For businesses with high financial or security compliance requirements, use traffic mirroring to transparently mirror instance traffic to a unified audit platform for analysis and meet audit requirements.

  • Operations and maintenance (O&M): Locating network issues

    O&M engineers can inspect the transmitted content, for example to analyze TCP retransmissions, and troubleshoot network issues without logging on to an ECS instance to capture packets.

How it works

Workflow

A traffic mirror session establishes a forwarding path between a traffic mirror source and a destination. After a session is started, the traffic mirroring feature performs the following operations:

  1. Copies the service packets from the traffic mirror source that match the filter conditions.

    Currently, only ENIs are supported as traffic mirror sources.

    A traffic mirror filter contains inbound and outbound rules. Rules are evaluated in order of priority against the 5-tuple of the traffic that the ENI receives or sends; the 5-tuple consists of the source CIDR block, source port, destination CIDR block, destination port, and protocol type.

  2. Encapsulates the copied packets in the standard VXLAN packet format.

    • VXLAN network identifier (VNI): A virtual network ID assigned to a traffic mirror session, used to distinguish mirrored data from different sessions. When left empty, the system randomly assigns one.

    • Source IP: The primary IP of the traffic mirror source.

    • Source port: Determined by the hash value of the packet 5-tuple.

    • Destination IP: The primary IP of the traffic mirror destination.

    • Destination port: Port 4789 is used by default and cannot be modified.

  3. Forwards the mirrored packets to a reachable traffic mirror destination. If the traffic mirror destination and source are not in the same VPC, you must configure a VPC peering connection to connect the source and destination.

    Currently, ENIs, internal-facing Classic Load Balancers (CLBs), and Gateway Load Balancer (GWLB) endpoints are supported as traffic mirror destinations.

    The regions that support forwarding traffic to GWLB endpoints are China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Hohhot), China (Shenzhen), Singapore, US (Silicon Valley), and US (Virginia).

    Packets copied from a traffic mirror source are not limited by security groups or network ACLs. However, for the mirrored packets to be forwarded to the destination, you must configure inbound rules in the security group and network ACL of the destination that allow UDP packets from the source to reach port 4789 of the destination.

    When using an internal-facing CLB as the destination, you must configure a UDP listener on port 4789. A GWLB listens on all ports for all data packets.
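As an added example (not part of this documentation or Alibaba Cloud code), the following Python parses a mirrored packet the way an analytics destination must: it checks the outer IPv4/UDP headers, verifies destination port 4789, extracts the VNI that identifies the session, and flags inner packets that arrived truncated. All MACs, IP addresses, the VNI-to-session mapping and the sample frame are constructed.

```python
"""Decapsulate mirrored packets at the traffic mirror destination.

Added example, not Alibaba Cloud code. It parses the outer headers the page
describes (IPv4/UDP to port 4789, VXLAN carrying the session VNI) and flags
inner packets that arrived truncated. All MACs, IPs and the VNI-to-session
mapping are constructed."""
import ipaddress
import struct
from typing import Optional

VXLAN_PORT = 4789      # fixed destination port of mirrored packets (page)
ENCAP_OVERHEAD = 50    # outer Ethernet 14 + IPv4 20 + UDP 8 + VXLAN 8 bytes
VNI_TO_SESSION = {10: "example_vpc_traffic_mirror_session"}  # constructed


def decap_mirrored(frame: bytes) -> Optional[dict]:
    """Return VNI, outer addresses and the inner frame of one mirrored packet,
    or None if the frame is not IPv4/UDP to 4789 carrying a valid VXLAN VNI."""
    if len(frame) < ENCAP_OVERHEAD or frame[12:14] != b"\x08\x00":
        return None                               # not IPv4 (IPv6 is not mirrored)
    ihl = (frame[14] & 0x0F) * 4
    if ihl != 20 or frame[14 + 9] != 17:          # IP options present or not UDP
        return None
    outer_src, outer_dst = struct.unpack_from("!4s4s", frame, 14 + 12)
    udp_off = 14 + ihl
    src_port, dst_port = struct.unpack_from("!HH", frame, udp_off)
    vx_off = udp_off + 8
    if dst_port != VXLAN_PORT or not frame[vx_off] & 0x08:   # I flag: VNI valid
        return None
    vni = int.from_bytes(frame[vx_off + 4:vx_off + 7], "big")
    inner = frame[vx_off + 8:]
    # The inner IPv4 total-length field still states the original packet's
    # length; fewer inner bytes than that means the mirrored packet was cut
    # (forwarding-path MTU or Mirrored Packet Length), so payload inspection
    # must treat it as partial rather than as a short packet.
    truncated = False
    if len(inner) >= 34 and inner[12:14] == b"\x08\x00":
        (inner_total,) = struct.unpack_from("!H", inner, 14 + 2)
        truncated = len(inner) - 14 < inner_total
    return {
        "vni": vni,
        "session": VNI_TO_SESSION.get(vni, "unknown-vni"),
        "outer_src": str(ipaddress.IPv4Address(outer_src)),  # mirror source primary IP
        "outer_dst": str(ipaddress.IPv4Address(outer_dst)),  # mirror destination primary IP
        "outer_src_port": src_port,                          # hash of the 5-tuple
        "inner": inner,
        "truncated": truncated,
    }


def build_inner_frame(payload: bytes) -> bytes:
    """Constructed service packet: Ethernet + IPv4 + TCP 192.168.0.8:51000 -> 10.0.1.5:443."""
    eth = bytes.fromhex("00163e112233" "00163e445566" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address("192.168.0.8").packed,
                     ipaddress.IPv4Address("10.0.1.5").packed)
    tcp = struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_mirrored_frame(vni: int, inner: bytes) -> bytes:
    """Constructed mirrored packet laid out as the page describes: outer IPv4 from
    the mirror source ENI to the mirror destination ENI, UDP to 4789, an 8-byte
    VXLAN header carrying the VNI, then the copied service packet."""
    vxlan = b"\x08\x00\x00\x00" + vni.to_bytes(3, "big") + b"\x00"
    udp_len = 8 + len(vxlan) + len(inner)
    udp = struct.pack("!HHHH", 0xC3A5, VXLAN_PORT, udp_len, 0)  # src port: 5-tuple hash
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                     ipaddress.IPv4Address("10.0.1.10").packed,
                     ipaddress.IPv4Address("10.0.2.20").packed)
    eth = bytes.fromhex("00163e778899" "00163eaabbcc" "0800")
    return eth + ip + udp + vxlan + inner


if __name__ == "__main__":
    frame = build_mirrored_frame(10, build_inner_frame(b"GET / HTTP/1.1\r\n"))
    full, cut = decap_mirrored(frame), decap_mirrored(frame[:-8])  # cut: simulated truncation
    print(full["session"], full["vni"], full["truncated"], cut["truncated"])
```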

Matching rules

The same packet from the same source can be mirrored only once.

Take the inbound traffic of a source as an example:

  1. If a traffic mirror source is added to only one session, the inbound rules of the associated traffic mirror filter are evaluated. The system checks the rules in sequence of priority to find a match for the traffic's 5-tuple. When the first matching rule is found, its specified policy is executed. If no rules match, the traffic is not mirrored.

  2. If a traffic mirror source is added to multiple sessions, the inbound rules of the associated traffic mirror filters are evaluated based on the priority of the sessions. If no rules match in the current session's filter, the system proceeds to the filter of the next-highest priority session. This process continues until a match is found and the corresponding policy is executed. If no inbound rules in any session match, the traffic is not mirrored.
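The following Python is an added example, not Alibaba Cloud code, that models the matching rules above: sessions are tried by session priority, rules within a filter by rule priority, and the first 5-tuple match decides. The session names, CIDRs and ports are constructed, and protocol "ALL" is this model's wildcard rather than a value documented on this page.

```python
"""Model of the matching rules above: with several sessions, filters are tried in
session priority order; within a filter, rules in rule priority order; the first
5-tuple match decides and evaluation stops, so a packet is mirrored at most once.
Added example, not Alibaba Cloud code: names, CIDRs and ports are constructed and
protocol "ALL" is this model's wildcard."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

UNLIMITED = "-1/-1"   # port range "start/end"; -1/-1 = port not limited (page)


@dataclass(frozen=True)
class Rule:
    priority: int               # 1..16777216, smaller = higher; unique per direction
    protocol: str               # "TCP", "UDP" or "ALL"
    action: str                 # "accept" mirrors the packet, "drop" does not
    src_cidr: str
    dst_cidr: str
    src_ports: str = UNLIMITED  # port ranges only apply to TCP(6)/UDP(17)
    dst_ports: str = UNLIMITED


@dataclass
class Session:
    name: str
    priority: int               # 1..32766, smaller = higher; unique per account+region
    vni: int
    ingress: list = field(default_factory=list)   # rules of the associated filter
    egress: list = field(default_factory=list)


def port_in_range(port: int, spec: str) -> bool:
    lo, hi = (int(x) for x in spec.split("/"))
    return spec == UNLIMITED or lo <= port <= hi


def rule_matches(rule: Rule, pkt: tuple) -> bool:
    """pkt is the 5-tuple (src_ip, src_port, dst_ip, dst_port, protocol)."""
    src, sport, dst, dport, proto = pkt
    if rule.protocol not in ("ALL", proto):
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src_cidr):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst_cidr):
        return False
    if proto in ("TCP", "UDP"):
        return port_in_range(sport, rule.src_ports) and port_in_range(dport, rule.dst_ports)
    return True


def mirror_decision(sessions: list, pkt: tuple, direction: str = "ingress") -> Optional[str]:
    """Name of the session that mirrors the packet, or None if it is not mirrored."""
    for sess in sorted(sessions, key=lambda s: s.priority):
        for rule in sorted(getattr(sess, direction), key=lambda r: r.priority):
            if rule_matches(rule, pkt):               # first match decides; stop here
                return sess.name if rule.action == "accept" else None
    return None


def priority_conflicts(sessions: list) -> list:
    """Duplicate session priorities, or duplicate rule priorities within one
    direction of a filter: both are rejected when the resources are created."""
    problems, seen = [], set()
    for s in sessions:
        if s.priority in seen:
            problems.append(f"session priority {s.priority} reused by {s.name}")
        seen.add(s.priority)
        for direction in ("ingress", "egress"):
            prios = [r.priority for r in getattr(s, direction)]
            if len(prios) != len(set(prios)):
                problems.append(f"{s.name}: duplicate {direction} rule priority")
    return problems


# Constructed setup: "ids-https" drops sources inside the VPC CIDR (10.0.0.0/16) with
# a higher-priority rule, then mirrors inbound HTTPS; "dns-audit" mirrors inbound DNS.
SESSIONS = [
    Session("ids-https", 1, 10, ingress=[
        Rule(1, "ALL", "drop", "10.0.0.0/16", "0.0.0.0/0"),
        Rule(2, "TCP", "accept", "0.0.0.0/0", "0.0.0.0/0", dst_ports="443/443")]),
    Session("dns-audit", 2, 20, ingress=[
        Rule(1, "UDP", "accept", "0.0.0.0/0", "0.0.0.0/0", dst_ports="53/53")]),
]
```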

Length of packets received by the destination

  • Mirroring behavior of fragmented service packets

    • If the length of the original service packet exceeds the link Maximum Transmission Unit (MTU), the packet is fragmented for transmission.

      For example, if a service packet is 2,000 bytes in length and the link MTU is 1,500 bytes, the packet is fragmented into two parts of 1,500 bytes and 500 bytes.

      The default link MTU in Alibaba Cloud networks is 1,500 bytes. However, some network components, such as VPN gateways, have an MTU of less than 1,500 bytes.
    • If TCP Segmentation Offload (TSO) or UDP Fragmentation Offload (UFO) is enabled for the ECS instance to which the traffic mirror source is attached, the mirroring behavior of fragmented service packets may be different. If you want the traffic mirror destination to receive the mirrored packets of all fragmented service packets, we recommend that you disable TSO and UFO, which may affect instance performance, or use an ECS instance of a seventh-generation instance family or later.

      You can determine whether an instance is of the seventh generation based on the number in the instance family name, for example, ecs.g7se.xlarge.

      Mirroring behavior of service packets for different instance types (source ECS instance MTU = 1500, service packet length 2,000 bytes, link MTU 1,500 bytes):

      - Instances of the seventh generation or later, and instances earlier than the seventh generation with TSO and UFO disabled: first, the complete service packet is fragmented, and then each fragmented packet is mirrored.

        - Mirrored fragmented packet 1: 1,500 bytes

        - Mirrored fragmented packet 2: 500 bytes

      - Instances earlier than the seventh generation with TSO or UFO enabled: first, the complete service packet is mirrored, and then the service packet is fragmented.

        - Mirrored packet: 2,000 bytes

  • Mirrored packet truncation: If the length of a mirrored packet (the original packet plus the 50-byte VXLAN header) exceeds the MTU of the forwarding path, the system truncates the mirrored packet.

    • In the China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Hohhot), China (Shenzhen), Singapore, US (Silicon Valley), and US (Virginia) regions, the length of the mirrored packets received by the traffic mirror destination is limited by the MTU of the traffic mirror destination. Currently, the eighth-generation primary instance families of Alibaba Cloud support jumbo frames with an MTU of 8500. We recommend that you enable jumbo frames for the traffic mirror destination to prevent mirrored packets from being truncated.

      Mirrored packet truncation behavior

      If the service packet length is 1500 bytes, the system truncates the mirrored packet when the MTU of the traffic mirror destination is 1500 bytes. When jumbo frames (supporting an MTU of 8500 bytes) are enabled for the traffic mirror destination, the mirrored packet can be fully forwarded.

      Service packet length | MTU of traffic mirror destination | Size of mirrored packets received by the traffic mirror destination
      ----------------------+-----------------------------------+---------------------------------------------------------------------
      500                   | 1500                              | 550 = 500 (length of the actual mirrored service packet) + 50 (length of the VXLAN header)
      1500                  | 1500                              | 1500 = 1450 (length of the actual mirrored service packet) + 50 (length of the VXLAN header)
      1500                  | 8500                              | 1550 = 1500 (length of the actual mirrored service packet) + 50 (length of the VXLAN header)

    • In other regions, the length of the mirrored packets received by the traffic mirror destination is limited by the default link MTU (1500 bytes).

      Mirrored packet truncation behavior

      If the link MTU is greater than 1500 bytes, for example, 8500 bytes, the system still truncates the packet based on the default link MTU of 1500 bytes.

      Service packet length | Link MTU | Size of mirrored packets received by the traffic mirror destination
      ----------------------+----------+---------------------------------------------------------------------
      500                   | 1500     | 550 = 500 (length of the actual mirrored service packet) + 50 (length of the VXLAN header)
      1500                  | 1500     | 1500 = 1450 (length of the actual mirrored service packet) + 50 (length of the VXLAN header)
      1500                  | 8500     | 1500 = 1450 (length of the actual mirrored service packet) + 50 (length of the VXLAN header)

  • If you only need to view the header of a mirrored packet of a specific length, you can set the Mirrored Packet Length. The system truncates the part of the service packet from the traffic mirror source that exceeds this value and then forwards it to the traffic mirror destination.

    Mirror a packet of a specific length

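An added Python model (not Alibaba Cloud code) of the fragmentation and truncation rules in this section: it reproduces the tables above and the Mirrored Packet Length setting, so you can predict whether a given destination MTU will cost you payload bytes before an analytics device silently receives partial packets. Region names follow the page's display names, and the fragmentation arithmetic is the page's simplified 1,500 + 500 split.

```python
"""Model of the fragmentation and truncation rules above: what a traffic mirror
destination receives for a given service packet. Added example, not Alibaba
Cloud code; it reproduces the tables above and the Mirrored Packet Length
setting, and region names follow the page's display names."""
from typing import Optional

VXLAN_OVERHEAD = 50       # outer Ethernet 14 + IPv4 20 + UDP 8 + VXLAN 8 (page: 50 bytes)
DEFAULT_LINK_MTU = 1500   # default link MTU in Alibaba Cloud networks

# Regions where the received length is bounded by the destination's own MTU (jumbo
# frames up to 8500 on eighth-generation families); elsewhere 1500 applies regardless.
DEST_MTU_REGIONS = {
    "China (Hangzhou)", "China (Shanghai)", "China (Qingdao)", "China (Beijing)",
    "China (Hohhot)", "China (Shenzhen)", "Singapore", "US (Silicon Valley)", "US (Virginia)",
}


def mirror_fragments(service_len: int, link_mtu: int = DEFAULT_LINK_MTU,
                     mirror_before_fragment: bool = False) -> list:
    """Lengths of the service packets handed to mirroring, using the page's
    arithmetic (2,000 bytes over a 1,500 MTU -> 1,500 + 500).
    mirror_before_fragment=False: seventh-generation-or-later instances, or older
    ones with TSO/UFO disabled: fragment first, then mirror each fragment.
    mirror_before_fragment=True: older instances with TSO/UFO enabled: the whole
    packet is mirrored and fragmentation happens afterwards."""
    if mirror_before_fragment or service_len <= link_mtu:
        return [service_len]
    full, rest = divmod(service_len, link_mtu)
    return [link_mtu] * full + ([rest] if rest else [])


def received_len(service_len: int, region: str, dest_mtu: int = DEFAULT_LINK_MTU,
                 packet_length: Optional[int] = None) -> dict:
    """One mirrored packet as seen by the destination: total bytes, how many
    bytes of the service packet survive, and whether anything was cut."""
    inner = service_len if packet_length is None else min(service_len, packet_length)
    cap = dest_mtu if region in DEST_MTU_REGIONS else DEFAULT_LINK_MTU
    total = min(inner + VXLAN_OVERHEAD, cap)
    return {"received": total, "service_bytes": total - VXLAN_OVERHEAD,
            "truncated": total - VXLAN_OVERHEAD < service_len}


def plan(service_len: int, region: str, dest_mtu: int = DEFAULT_LINK_MTU,
         link_mtu: int = DEFAULT_LINK_MTU, mirror_before_fragment: bool = False,
         packet_length: Optional[int] = None) -> list:
    """Received sizes of all mirrored packets produced by one service packet."""
    return [received_len(f, region, dest_mtu, packet_length)["received"]
            for f in mirror_fragments(service_len, link_mtu, mirror_before_fragment)]


if __name__ == "__main__":
    # Rows of the two truncation tables above, one jumbo-capable region and one other.
    for region in ("China (Hangzhou)", "Germany (Frankfurt)"):
        for svc, mtu in ((500, 1500), (1500, 1500), (1500, 8500)):
            print(region, svc, mtu, received_len(svc, region, mtu))
    # A 2,000-byte packet: fragments mirrored one by one, or the whole packet at once.
    print(plan(2000, "China (Hangzhou)", 8500),
          plan(2000, "China (Hangzhou)", 8500, mirror_before_fragment=True))
```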

Limits

  • Traffic mirror source and destination: The same ENI cannot be used as both a traffic mirror source and a traffic mirror destination. Managed ENIs are not supported as traffic mirror sources or destinations.

  • Account and region: You can configure a traffic mirror source and destination in a single VPC or across VPCs within the same Alibaba Cloud account and region. Cross-region or cross-account scenarios are not supported.

  • IP version: Traffic mirroring supports mirroring of IPv4 network traffic. IPv6 is not supported.

  • Bandwidth: Traffic mirroring consumes instance bandwidth and is not subject to additional throttling. If the instance bandwidth reaches its maximum capacity, mirrored packets are dropped to prioritize the forwarding of service traffic.

  • Traffic type: Traffic mirroring does not support mirroring traffic dropped by network ACLs or security groups, flow log traffic, Address Resolution Protocol (ARP) traffic, or Dynamic Host Configuration Protocol (DHCP) traffic.

Create or delete a traffic mirror

The system evaluates service traffic that enters and leaves a traffic mirror source against the rules in the associated traffic mirror filter. Rules are evaluated in order of Priority; a rule matches when its Protocol Type, Source CIDR Block, Destination CIDR Block, Source Port, and Destination Port all apply to the traffic. When a match occurs, the system executes the specified action to determine whether to mirror the traffic. Mirrored traffic is copied and forwarded to the traffic mirror destination.

  • Priority: the priority of a rule. The value ranges from 1 to 16777216. A smaller value indicates a higher priority. The priorities of inbound rules in the same traffic mirror filter must be unique, and so must the priorities of outbound rules.

  • If the protocol type is TCP(6) or UDP(17), you can adjust the port range. The value ranges from 0 to 65535. The format is start port/end port. If you select another protocol type, you cannot set the port range. The default value is -1/-1, which indicates that the port is not limited.

Console

When using traffic mirror for the first time, you must activate the service. Log on to the Traffic mirror activation page and follow the instructions.

Create a traffic mirror

  1. Create filter criteria

    If you have an existing traffic mirror filter that meets your requirements, you can skip this step and directly create a traffic mirror session.

    1. Go to the VPC console - Filter page. In the top navigation bar, select the region where you want to create the traffic mirror. Click Create Filter.

    2. Configure inbound and outbound rules to specify the traffic to be copied from the traffic mirror source and forwarded to the traffic mirror destination. If a traffic mirror filter does not contain any rules, no traffic is mirrored.

      When you create a traffic mirror filter, you can configure up to 10 inbound and 10 outbound rules. After the traffic mirror filter is created, you can add, edit, or delete inbound and outbound rules.

      To delete a traffic mirror filter, make sure that it is not associated with any traffic mirror sessions. If it is, you must first disassociate it from the traffic mirror session, and then click Delete in the Actions column of the target traffic mirror filter.

  2. Create a traffic mirror session

    1. Go to the VPC console - Traffic Mirror Session page. In the top navigation bar, select the region where you want to create the traffic mirror. Click Create Traffic Mirror Session.

    2. Configure the traffic mirror session:

      1. VNI: A virtual network ID assigned to a traffic mirror session. It is used to distinguish mirrored data from different sessions. Valid values: 0 to 16777215. If you do not specify a VNI, the system randomly assigns one.

      2. Configure Priority: If a traffic mirror source is added to multiple traffic mirror sessions, the traffic is mirrored to a destination based on the Priority of the traffic mirror sessions. Valid values: 1 to 32766. A smaller value indicates a higher priority. The priorities of traffic mirror sessions created in the same region with the same account must be unique.

      3. If you only need to view the header of a mirrored packet of a specific length, you can set the Mirrored Packet Length. The system truncates the part of the service packet from the traffic mirror source that exceeds this value and then forwards it to the traffic mirror destination.

    3. Configure the associated traffic mirror filter, traffic mirror source, and traffic mirror destination.

  3. Start the traffic mirror session

    1. After you create the traffic mirror session, enable it. Alternatively, you can return to the list of sessions and click Enable in the Actions column for the session.

    2. If the traffic mirror source has traffic that matches the filter conditions, run the following command on the traffic mirror destination to view the mirrored packets that it receives, where <NIC> is the name of the network interface that corresponds to the traffic mirror destination:

      tcpdump -i <NIC> udp port 4789 -nne

Modify a traffic mirror

On the details page of the target traffic mirror session, you can Change the traffic mirror destination and traffic mirror filter, Add or Delete traffic mirror sources, or modify the VNI, priority, and mirrored packet length of the traffic mirror session.

Stop or delete a traffic mirror session

In the Actions column for the target traffic mirror session, click Disable or Delete.

API

Create a traffic mirror

Before you use traffic mirroring for the first time, you must call the OpenTrafficMirrorService operation to activate the service.

  1. Call the CreateTrafficMirrorFilter operation to create a traffic mirror filter.

  2. Call the CreateTrafficMirrorFilterRules operation to create inbound or outbound rules for the traffic mirror filter.

  3. Call the CreateTrafficMirrorSession operation to create a traffic mirror session.

  4. Call the UpdateTrafficMirrorSessionAttribute operation and set the Enabled parameter to true to start the traffic mirror session.

Modify a traffic mirror

Modify or delete filter criteria

Stop or delete a traffic mirror

Terraform

This example mirrors only the TCP traffic that enters and leaves the traffic mirror source. You must configure the inbound and outbound rules of the traffic mirror filter based on the traffic that you want to mirror.

Resources: alicloud_vpc_traffic_mirror_filter, alicloud_vpc_traffic_mirror_session

# Specify the region where you want to create the traffic mirror.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Specify the ID of the traffic mirror source.
variable "traffic_mirror_source_id" {
  default = "eni-hp3e******" # Replace with the actual ID of the ENI.
}

# Specify the ID of the traffic mirror destination.
variable "traffic_mirror_target_id" {
  default = "eni-hp3h******" # Replace with the actual ID of the ENI.
}

# Create a traffic mirror filter and configure inbound and outbound rules to collect
# all TCP traffic that enters and leaves the traffic mirror source.
resource "alicloud_vpc_traffic_mirror_filter" "example_vpc_traffic_mirror_filter" {
  traffic_mirror_filter_name = "example_vpc_traffic_mirror_filter_name"
  egress_rules {
    priority               = 1
    protocol               = "TCP"
    action                 = "accept"
    destination_cidr_block = "0.0.0.0/0"
    destination_port_range = "-1/-1"
    source_cidr_block      = "0.0.0.0/0"
    source_port_range      = "-1/-1"
  }
  ingress_rules {
    priority               = 1
    protocol               = "TCP"
    action                 = "accept"
    destination_cidr_block = "0.0.0.0/0"
    destination_port_range = "-1/-1"
    source_cidr_block      = "0.0.0.0/0"
    source_port_range      = "-1/-1"
  }
}

# Create a traffic mirror session.
resource "alicloud_vpc_traffic_mirror_session" "example_vpc_traffic_mirror_session" {
  traffic_mirror_session_name = "example_vpc_traffic_mirror_session"

  # Priority of the traffic mirror session. If a traffic mirror source is added to multiple
  # traffic mirror sessions, the traffic is mirrored to a destination based on the priority
  # of the sessions. Valid values: 1 to 32766. A smaller value indicates a higher priority.
  # The priorities of traffic mirror sessions created in the same region with the same
  # account must be unique.
  priority = 1

  # VNI of the traffic mirror session, used to distinguish mirrored data from different
  # sessions. Valid values: 0 to 16777215. If you do not specify a VNI, the system randomly
  # assigns one.
  virtual_network_id = 10

  # Associated traffic mirror filter.
  traffic_mirror_filter_id = alicloud_vpc_traffic_mirror_filter.example_vpc_traffic_mirror_filter.id

  # Traffic mirror source, and the type and ID of the traffic mirror destination.
  traffic_mirror_source_ids  = [var.traffic_mirror_source_id]
  traffic_mirror_target_type = "NetworkInterface"
  traffic_mirror_target_id   = var.traffic_mirror_target_id

  # Optional. If you only need to view the header of a mirrored packet of a specific length,
  # set the mirrored packet length. The system truncates the part of the service packet from
  # the traffic mirror source that exceeds this value and then forwards it to the destination.
  # packet_length = 1500
}

Traffic mirror configuration examples

Mirror inbound TCP traffic to an ENI


Mirror inbound TCP/UDP traffic to different traffic mirror destinations


Mirror traffic from outside a VPC to another VPC

Configure a traffic mirror filter to monitor traffic from outside the VPC and traffic that leaves the VPC.

For example, you can use rule priority to create a filter that does not mirror traffic originating from within the VPC CIDR block, but mirrors all other inbound traffic.

Because the traffic mirror destination and source are in different VPCs, they are isolated by default. You must use a VPC peering connection and configure routes in both VPCs to ensure that the destination is reachable from the source.


More information

Billing

Billable items

Traffic mirroring fee = Instance fee + Data processing fee

  • Instance fee = Number of traffic mirror sources with active sessions (count) × Active duration of sessions (hours) × Unit price of instance fee (USD/count/hour)

  • Data processing fee = Total amount of mirrored data (GB) × Unit price (USD/GB)

Billable item       | Unit price
--------------------+------------------------
Instance fee        | 0.014 (USD/count/hour)
Data processing fee | 0.007 (USD/GB)

Billing rules

  • Data processing fees are waived before March 31, 2026.

  • After a traffic mirror session is enabled for a traffic mirror source, you are charged on an hourly basis for each traffic mirror source that has an enabled traffic mirror session. If the usage duration is less than one hour, it is rounded up to one hour.

  • If multiple traffic mirror sessions are created for a single traffic mirror source, the instance fee is charged only once. The billable active duration is calculated based on the cumulative active duration of the traffic mirror source across all traffic mirror sessions. For example, if a traffic mirror source is active for 5 hours in traffic mirror session 1 and 4 hours in traffic mirror session 2, the total billable active duration is 9 hours.

Billing example

Traffic mirror sessions are enabled for five ENIs in a VPC. The sessions are active 24 hours a day for 30 days, and the total amount of mirrored data is 20 GB. The detailed fee calculation is as follows:

  • Instance fee = 5 × 30 × 24 × 0.014 = USD 50.4

  • Data processing fee = 20 × 0.007 = USD 0.14

  • Total traffic mirroring fee = 50.4 + 0.14 = USD 50.54

Overdue payments and top-ups

Overdue payments and renewals

  • For 15 days after a payment becomes overdue, the traffic mirroring feature continues to provide services.

  • If the overdue payment is not paid within 15 days, traffic mirroring is suspended. You cannot perform any operations on it, and enabled traffic mirror sessions stop working.

  • If the overdue payment is not paid within 15 days after the service is suspended, the traffic mirror session instances are automatically deleted. An email is sent to you one day before the instances are deleted. After deletion, the related configurations and data are deleted and cannot be recovered.

Supported regions

  • Asia Pacific - China: China (Hangzhou), China (Shanghai), China (Nanjing - Local Region, Closing Down), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), and China (Fuzhou - Local Region, Closing Down)

  • Asia Pacific - Others: Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Thailand (Bangkok), and Philippines (Manila)

  • Europe & Americas: Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia)

  • Middle East: SAU (Riyadh - Partner Region)

Quotas

Quotas that can be increased (go to the Quota Management page or Quota Center to request a quota increase):

  • trafficmirror_quota_source_num_per_session: The number of traffic mirror sources that can be added to a traffic mirror session. Default limit: 10.

  • vpc_quota_traffic_mirror_source_num_per_large_ecs_target: The number of traffic mirror sources supported by a single traffic mirror destination when the destination is an ENI and the ENI is attached to an ECS instance of one of the instance types listed below. Default limit: 200.

  • vpc_quota_traffic_mirror_source_num_per_small_ecs_target: The number of traffic mirror sources supported by a single traffic mirror destination when the destination is an ENI and the ENI is not attached to an ECS instance of one of the instance types listed below. Default limit: 20.

  • vpc_quota_traffic_mirror_rules_num_per_filter: The number of filter rules supported by a single filter. Default limit: 20.

ECS instance types referred to by the two *_ecs_target quotas: ecs.ebmc7.32xlarge, ecs.ebmg7.32xlarge, ecs.ebmr7.32xlarge, ecs.ebmhfg7.48xlarge, ecs.ebmhfc7.48xlarge, ecs.ebmhfr7.48xlarge, ecs.ebmc7a.64xlarge, ecs.ebmg7a.64xlarge, ecs.ebmg7se.32xlarge, ecs.ebmg6a.64xlarge, ecs.ebmg6e.26xlarge, ecs.ebmc6a.64xlarge, ecs.ebmc6e.26xlarge, ecs.ebmr7a.64xlarge, ecs.ebmr6a.64xlarge, ecs.ebmr6e.26xlarge, ecs.c8i.48xlarge, ecs.g8i.48xlarge, ecs.c7nex.32xlarge, ecs.g7nex.32xlarge, ecs.g7ne.24xlarge, ecs.c7.32xlarge, ecs.g7.32xlarge, ecs.r7.32xlarge, ecs.r6e.26xlarge, ecs.g7t.32xlarge, ecs.g6t.26xlarge, ecs.g6e.26xlarge, ecs.c7t.32xlarge, ecs.c6t.26xlarge, ecs.c6e.26xlarge, ecs.g5ne.18xlarge, ecs.r7t.32xlarge

Quotas that cannot be increased (these have no quota name):

  • The maximum number of traffic mirror sessions that can be created by an account in a region: 20,000

  • The maximum number of traffic mirror sessions that can be created for a traffic mirror source: 3

  • The number of traffic mirror sources supported by a single traffic mirror destination when the destination is a private Classic Load Balancer (CLB) instance: 500

  • The number of traffic mirror sources supported by a single traffic mirror destination when the destination is a Gateway Load Balancer endpoint (GWLBe): 500

  • The maximum number of filters that can be created by an account in a region: 100

  • The number of traffic mirror sessions that can be associated with a single filter: 2,000