Amazon VPC traffic mirroring

What is Amazon VPC traffic mirroring?

Traffic mirroring is a feature of Amazon Virtual Private Cloud (Amazon VPC) that is used to monitor the network-level traffic of workloads. It works by giving users direct access to copies of the network packets that travel through a VPC. Users can then send the copied traffic to security and network analysis tools to inspect content, monitor potential threats and troubleshoot issues.

The traffic mirroring feature fills a gap for organizations that would otherwise have to monitor network-level traffic from within their own workloads. Amazon VPC users can use this feature to detect network anomalies and gain network visibility.

This feature can also be used in a multi-account AWS environment, where it is particularly useful for capturing network traffic across many AWS accounts and sending that data to a central VPC for monitoring. Users can choose to capture all traffic or use filters to capture specific packets.

Traffic mirroring uses in the AWS ecosystem

Traffic mirroring can copy network traffic from the elastic network interface of AWS EC2 (Amazon Elastic Compute Cloud) instances. Traffic can be monitored in any EC2 instance that is powered by an AWS Nitro system. VPC traffic mirroring can also be used in a multi-account AWS environment to capture network traffic data at scale.

If an organization wants to achieve high-availability monitoring, then it should also use a network load balancer to forward mirrored traffic to AWS EC2 instances. This way, an AWS-based environment can have its traffic monitored for malicious activity.

Benefits of traffic mirroring

This feature benefits users in an AWS environment by providing more security, simplifying operations, giving an increased choice in monitoring options, integrating with EC2 instances and offering options on how much traffic is captured.

  • Providing more security -- by giving users more insight into their VPC network traffic.
  • Simplifying operations -- through mirroring (copying) VPC traffic, meaning a packet forwarding agent does not have to be used.
  • Giving an increased choice in monitoring options -- once traffic data is collected, it can be sent to a number of security tools.
  • Integration with EC2 instances -- which means everything works smoothly together.
  • Options on how much traffic is captured -- which includes capturing all network traffic, specific network packets and limiting the number of bytes captured per packet.

How does traffic mirroring work?

Users can create, manage and access traffic mirror resources through a variety of means. For example, users can access this feature through the AWS Management Console, the AWS Command Line Interface (CLI), Query API and AWS Software Development Kits (SDKs).

Traffic mirroring works by copying inbound and outbound traffic. The process involves encapsulating the original packet in a VXLAN packet, which is then forwarded to a User Datagram Protocol (UDP) listener. Mirrored data can also be transferred through Amazon VPC peering or AWS Transit Gateway to a central VPC.

Some central elements of traffic mirroring include:

  • The traffic mirror source, which is a resource in a specific VPC used as the source of traffic; typically, an Elastic Network Interface (ENI).
  • The traffic mirror target, which is the destination of the mirrored packets; typically, an ENI or network load balancer.
  • The traffic mirror session, which is the connection between a mirror source and target.
  • The traffic mirror filter, which is the user-specified data to be captured.

VPC traffic mirroring also has a few limitations. These include:

  • AWS may shorten packets to the maximum transmission unit (MTU) value if the mirrored packet size is larger than the target's MTU value. Cut-off packets can result in unexpected data loss if a user doesn't set the MTU to a larger value.
  • VPC traffic mirroring can't mirror all types of traffic. ARP, DHCP, instance metadata service, NTP and Windows activation traffic cannot currently be mirrored.
  • Mirrored traffic counts toward instance bandwidth, which means that users must also accommodate extra Gbps to cover inbound and outbound traffic, both existing and mirrored.

Other limitations include supported instances and load balancer considerations.
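
The following is an added example, not code from AWS or from this article. It shows what a monitoring target receives: it decodes the UDP payload of a VXLAN-encapsulated mirrored packet (VXLAN's standard UDP port is 4789) and flags a packet that was cut short, either by the MTU limit or by a per-packet byte limit. The function names, the sample addresses and the VNI 4242 are constructed for illustration.

```python
import ipaddress
import struct

VXLAN_PORT = 4789  # IANA-assigned VXLAN UDP port (RFC 7348); the target listens here

def decode_mirrored(payload: bytes) -> dict:
    """Decode the UDP payload of one VXLAN-encapsulated mirrored packet."""
    if len(payload) < 8 + 14:
        raise ValueError("too short for VXLAN header plus inner Ethernet header")
    # VXLAN header layout: flags(8) reserved(24) VNI(24) reserved(8)
    flags, vni_field = struct.unpack("!B3xI", payload[:8])
    if not flags & 0x08:
        raise ValueError("VXLAN I flag not set, VNI is not valid")
    inner = payload[8:]  # the original Ethernet frame, as far as it was captured
    out = {"vni": vni_field >> 8, "truncated": False,
           "ethertype": struct.unpack("!H", inner[12:14])[0]}
    if out["ethertype"] != 0x0800:  # only IPv4 is decoded further in this example
        return out
    ip = inner[14:]
    if len(ip) < 20:  # cut inside the IPv4 header itself
        out["truncated"] = True
        return out
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    # Fewer captured bytes than the IP header claims means the copy was shortened.
    out.update(src=str(ipaddress.IPv4Address(ip[12:16])),
               dst=str(ipaddress.IPv4Address(ip[16:20])),
               proto=ip[9], ip_total_len=total_len,
               truncated=len(ip) < total_len)
    if ip[9] in (6, 17) and len(ip) >= ihl + 4:  # TCP or UDP: ports still readable
        out["sport"], out["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return out

def build_sample(vni: int, snap_len=None) -> bytes:
    """Constructed input: VXLAN + Ethernet + IPv4 + TCP with 100 payload bytes.
    snap_len (hypothetical name) cuts the inner frame to imitate truncation."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    tcp += b"A" * 100
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address("10.0.1.10").packed,
                     ipaddress.IPv4Address("10.0.2.20").packed)
    frame = b"\x02" * 6 + b"\x06" * 6 + b"\x08\x00" + ip + tcp
    if snap_len is not None:
        frame = frame[:snap_len]
    return struct.pack("!B3xI", 0x08, vni << 8) + frame

if __name__ == "__main__":
    print(decode_mirrored(build_sample(4242)))
    print(decode_mirrored(build_sample(4242, snap_len=64)))
```

A truncated copy still yields addresses and ports, so flow-level detection keeps working, but any tool that inspects payload content should treat the `truncated` flag as a sign that it is seeing only part of the packet.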

Competing traffic mirroring tools

The concept of VPC traffic mirroring is very similar to port mirroring, which monitors network traffic by forwarding a copy of each packet from one network switch port to another. This means that there are a number of tools with similar goals. The most similar tool may be Microsoft's virtual network Terminal Access Point.

Most other cloud service providers, however, still use an approach based on deploying local agents. This may indicate that traffic mirroring is either a service that is not needed by many customers or that it is difficult and costly to employ in cloud instances.

Some other network data analysis tools are intended specifically for cloud services. ExtraHop Reveal(x) Cloud, for example, is a SaaS tool that offers network threat detection, investigation and response using AWS VPC Traffic Mirroring.

This was last updated in October 2021
