Traffic mirroring is a feature that mirrors network traffic from an elastic network interface (ENI). Only network traffic that matches specific filters is mirrored and then forwarded to a specified instance. This topic describes how to use the traffic mirroring feature.
For more information about the introduction and limits of traffic mirroring, see Overview of traffic mirroring.
Prerequisites
If you use the traffic mirroring feature for the first time, log on to the Traffic Mirroring page to enable the traffic mirroring feature.
If the traffic mirror source and traffic mirror destination in a traffic mirror session belong to different virtual private clouds (VPCs), make sure that the VPCs can communicate with each other. For more information, see Connect VPCs.
Note: The IP address of the traffic mirror destination must be reachable through the routes of the traffic mirror source.
Create a filter
If a filter does not contain rules, no traffic is mirrored.
Log on to the VPC console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region where you want to create a filter.
On the Filter page, click Create Filter.
On the Create Filter page, specify Name, Description, Resource Group, Tag Key, and Tag Value in the Basic Information section.
On the Inbound Rules or Outbound Rules tab in the Rule Configuration section, click Create Rule. Set the following parameters and click OK. For more information about inbound and outbound rules, see Filters.
Protocol Type: Specify the protocol of the network traffic that you want to mirror from Elastic Compute Service (ECS) instances. Valid values: ALL, ICMP, TCP, and UDP.
Source CIDR Block: Specify the source CIDR block of the traffic.
Destination CIDR Block: Specify the destination CIDR block of the traffic.
Source Port: Enter the source port range of the traffic. Valid values: 0 to 65535. Separate the first port and the last port with a forward slash (/), for example, 1/200 or 80/80. If you set the value to -1/-1, port numbers are unlimited. If you set Protocol Type to ALL or ICMP, the default value is -1/-1.
Destination Port: Enter the destination port range of the traffic. Valid values: 0 to 65535. Separate the first port and the last port with a forward slash (/), for example, 1/200 or 80/80. If you set the value to -1/-1, port numbers are unlimited. If you set Protocol Type to ALL or ICMP, the default value is -1/-1.
Priority: Specify the priority of the rule. Valid values: 1 to 16777216. A smaller value indicates a higher priority. You can create at most 10 rules. The priority of each inbound or outbound rule that belongs to the same filter must be unique.
Policy: Specify the action that you want to perform on the network traffic. Valid values: Collect (collects the network traffic) and Do not Collect (does not collect the network traffic).
Click Save.
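The rule semantics in the table above (protocol, CIDR blocks, "first/last" port ranges with -1/-1 meaning any port, unique priorities where a smaller number wins, at most 10 rules, and the Collect / Do not Collect policy) can be checked offline before a filter is created. The following Python model is an added example, not Alibaba Cloud code; it implements the stated rules and two assumptions the page does not spell out: the matching rule with the smallest priority value decides, and a packet that matches no rule is not mirrored. The sample rules and packets are constructed.

```python
"""Model of how traffic mirror filter rules select packets (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_PORT = "-1/-1"
MAX_RULES = 10
MAX_PRIORITY = 16777216
PROTOCOLS = ("ALL", "ICMP", "TCP", "UDP")
POLICIES = ("Collect", "Do not Collect")


def parse_port_range(spec: str) -> tuple[int, int]:
    """Parse the console's "first/last" syntax, e.g. "1/200" or "80/80"."""
    if spec == ANY_PORT:
        return (0, 65535)
    first, last = (int(p) for p in spec.split("/"))
    if not (0 <= first <= last <= 65535):
        raise ValueError(f"port range out of bounds: {spec}")
    return (first, last)


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    priority: int            # 1..16777216, smaller wins
    protocol: str            # ALL, ICMP, TCP, UDP
    src_cidr: str
    dst_cidr: str
    src_port: str = ANY_PORT  # "first/last" or "-1/-1"
    dst_port: str = ANY_PORT
    policy: str = "Collect"   # Collect | Do not Collect

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ALL" and self.protocol != pkt.protocol:
            return False
        if ip_address(pkt.src) not in ip_network(self.src_cidr):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst_cidr):
            return False
        # ICMP and ALL rules carry no port constraint (-1/-1 by default).
        if pkt.protocol in ("TCP", "UDP"):
            lo, hi = parse_port_range(self.src_port)
            if not lo <= pkt.sport <= hi:
                return False
            lo, hi = parse_port_range(self.dst_port)
            if not lo <= pkt.dport <= hi:
                return False
        return True


def validate_rules(rules: list[Rule]) -> None:
    """Enforce the limits the page states for one direction of a filter."""
    if len(rules) > MAX_RULES:
        raise ValueError("at most 10 rules per direction")
    prios = [r.priority for r in rules]
    if len(set(prios)) != len(prios):
        raise ValueError("rule priorities within a filter must be unique")
    for r in rules:
        if not 1 <= r.priority <= MAX_PRIORITY:
            raise ValueError(f"priority {r.priority} outside 1..{MAX_PRIORITY}")
        if r.protocol not in PROTOCOLS or r.policy not in POLICIES:
            raise ValueError(f"bad protocol or policy in rule {r.priority}")
        parse_port_range(r.src_port)
        parse_port_range(r.dst_port)


def rules_are_valid(rules: list[Rule]) -> bool:
    try:
        validate_rules(rules)
        return True
    except ValueError:
        return False


def is_mirrored(rules: list[Rule], pkt: Packet) -> bool:
    """Assumption: highest-priority match decides; no rules or no match means
    the packet is not mirrored (the page only states the no-rules case)."""
    validate_rules(rules)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(pkt):
            return rule.policy == "Collect"
    return False


# Constructed sample: mirror inbound web traffic to 10.0.1.0/24, but do not collect
# health checks from the internal range 10.0.0.0/24, which only add noise.
INBOUND_RULES = [
    Rule(1, "TCP", "10.0.0.0/24", "10.0.1.0/24", dst_port="80/80", policy="Do not Collect"),
    Rule(2, "TCP", "0.0.0.0/0", "10.0.1.0/24", dst_port="80/443"),
    Rule(3, "ICMP", "0.0.0.0/0", "10.0.1.0/24"),
]

if __name__ == "__main__":
    for pkt in (
        Packet("TCP", "203.0.113.9", "10.0.1.5", 51000, 443),  # collected
        Packet("TCP", "10.0.0.7", "10.0.1.5", 40000, 80),      # health check, dropped
        Packet("UDP", "203.0.113.9", "10.0.1.5", 5000, 53),    # no rule, dropped
        Packet("ICMP", "198.51.100.2", "10.0.1.5"),            # collected
    ):
        print(pkt, "->", "mirror" if is_mirrored(INBOUND_RULES, pkt) else "drop")
```

Running the model against representative packets before creating the filter in the console catches overlapping rules and priority mistakes early, and the "no rule matches" case makes clear why an empty or too-narrow filter yields nothing at the destination.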
Create a traffic mirror session
Log on to the VPC console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region where the traffic mirror session is created.
On the Traffic Mirror Session page, click Create Traffic Mirror Session.
On the Basic Configuration wizard page, set the following parameters and click Next.
Name: Enter a name for the traffic mirror session.
Tag key: Select or enter a tag key. You can specify up to 20 tag keys. A tag key can be up to 128 characters in length and cannot contain http:// or https://. It cannot start with acs: or aliyun.
Tag value: Select or enter a tag value. You can specify at most 20 tag values. The tag value must be 1 to 128 characters in length and cannot contain http:// or https://. It cannot start with aliyun or acs:.
Description: Enter a description for the traffic mirror session.
VNI: Specify a VXLAN network identifier (VNI). Valid values: 0 to 16777215. You can use VNIs to identify mirrored traffic from different sessions at the traffic mirror destination. You can specify a custom VNI or use a random VNI allocated by the system.
Priority: Specify the priority of the traffic mirror session. Valid values: 1 to 32766. A smaller value indicates a higher priority. You cannot specify the same priority for traffic mirror sessions that are created in the same region by using the same account.
Mirrored Packet Length: Specify the length of the original packet to mirror, excluding the VXLAN encapsulation. Default value: 1500. Valid values: 64 to 8500. Unit: bytes. This value determines the packet length received by the traffic mirror destination. For more information, see Limits. This parameter is available in the following regions: Philippines (Manila), UK (London), Germany (Frankfurt), China (Hohhot), China (Qingdao), China (Shenzhen), China (Hangzhou), China (Shanghai), US (Silicon Valley), China (Beijing), Singapore, and China (Hong Kong).
On the Associate Filter wizard page, select a filter and click Next.
On the Select Traffic Mirror Source wizard page, select an ENI and click Next.
The ENI cannot belong to the following ECS instance families: ecs.c1, ecs.c2, ecs.c4, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.c1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.se1ne, ecs.se1nec, ecs.sn1, ecs.sn1ne, ecs.sn1nec, ecs.sn2, ecs.sn2ne, ecs.sn2nec, ecs.t1, and ecs.xn4. For more information about ECS instance families, see Overview of instance families.
On the Select Traffic Mirror Destination wizard page, click ENI or CLB, select an ENI or a Classic Load Balancer (CLB) instance in the Select Instance section, and then click Next.
Note: An ENI cannot be specified as a traffic mirror source and a traffic mirror destination at the same time.
On the Complete wizard page, click Submit.
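At the traffic mirror destination, mirrored packets arrive VXLAN-encapsulated, and the VNI set in the session above is what lets a collector tell sessions apart and notice traffic it did not expect. The following Python code is an added example, not Alibaba Cloud code: it packs and unpacks the standard RFC 7348 VXLAN header (8 bytes, 24-bit VNI), applies the VNI range (0 to 16777215) and Mirrored Packet Length range (64 to 8500 bytes) from the table, and maps each received datagram to a session name. The session table, inner frame and the use of UDP port 4789 (the IANA VXLAN port) as the collector's listening port are constructed assumptions; the exact on-wire behaviour of the mirroring service beyond what the page states is not modelled.

```python
"""Decapsulate mirrored VXLAN traffic and route it by VNI (added example)."""
import struct

VXLAN_HDR_LEN = 8
VXLAN_FLAG_VNI_VALID = 0x08   # "I" flag: VNI field is valid (RFC 7348)
VXLAN_UDP_PORT = 4789         # IANA VXLAN port; assumed collector listening port
MAX_VNI = 16777215
MIN_MIRROR_LEN, MAX_MIRROR_LEN = 64, 8500


def vxlan_encapsulate(vni: int, inner_frame: bytes, mirrored_len: int = 1500) -> bytes:
    """Prepend a VXLAN header, truncating the inner frame to Mirrored Packet Length.

    Used here only to build test input; the page's ranges for VNI and
    Mirrored Packet Length are enforced so bad session settings fail early.
    """
    if not 0 <= vni <= MAX_VNI:
        raise ValueError("VNI must be 0..16777215")
    if not MIN_MIRROR_LEN <= mirrored_len <= MAX_MIRROR_LEN:
        raise ValueError("Mirrored Packet Length must be 64..8500 bytes")
    # Header layout: flags (1 byte), 3 reserved bytes, VNI (24 bits), 1 reserved byte.
    header = struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)
    return header + inner_frame[:mirrored_len]


def vxlan_decapsulate(datagram: bytes) -> tuple[int, bytes]:
    """Return (vni, inner_frame); reject datagrams whose VNI is not marked valid."""
    if len(datagram) < VXLAN_HDR_LEN:
        raise ValueError("short VXLAN datagram")
    flags, vni_field = struct.unpack("!B3xI", datagram[:VXLAN_HDR_LEN])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    return vni_field >> 8, datagram[VXLAN_HDR_LEN:]


# Constructed: VNI -> session name, as chosen when the sessions were created.
SESSIONS = {100: "web-frontend-session", 200: "db-tier-session"}


def dispatch(datagram: bytes, sessions: dict[int, str] = SESSIONS) -> tuple[str, int]:
    """Map a datagram to its session and report the inner frame length.

    An unknown VNI is returned as "unknown-vni" so the collector can alert on
    mirrored traffic it was not configured to expect.
    """
    vni, inner = vxlan_decapsulate(datagram)
    return sessions.get(vni, "unknown-vni"), len(inner)


# Constructed 2000-byte Ethernet frame (broadcast dst, locally administered src, IPv4).
INNER_FRAME = b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + bytes(1986)

if __name__ == "__main__":
    for vni, mirrored_len in ((100, 1500), (200, 64), (300, 8500)):
        dgram = vxlan_encapsulate(vni, INNER_FRAME, mirrored_len)
        print(vni, "->", dispatch(dgram))
```

To feed real traffic to dispatch(), bind a UDP socket on VXLAN_UDP_PORT at the destination ENI or CLB backend and pass each received datagram in; the length returned tells you whether the session's Mirrored Packet Length is truncating payloads you need for analysis.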
Enable a traffic mirror session
By default, a traffic mirror session is disabled after it is created. To mirror network traffic, you must first enable the traffic mirror session.
Log on to the VPC console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region where the traffic mirror session is created.
On the Traffic Mirror Session page, find the traffic mirror session that you want to enable and click Start in the Actions column.
Disable a traffic mirror session
Log on to the VPC console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region where the traffic mirror session is created.
On the Traffic Mirror Session page, find the traffic mirror session that you want to disable and click Stop in the Actions column.
In the dialog box that appears, click OK.
Delete and add a traffic mirror source
If you want to change the ENI from which network traffic is mirrored, delete the original traffic mirror source and create a new one.
Log on to the VPC console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region where the traffic mirror session is created.
On the Traffic Mirror Session page, find the traffic mirror session from which you want to delete the traffic mirror source and click the ID of the session.
In the Traffic Mirror Sources section, click Delete in the Actions column.
In the dialog box that appears, click OK.
In the Traffic Mirror Sources section, click Add Traffic Mirror Sources.
In the Add Traffic Mirror Sources dialog box, select the ENI that you want to add as a traffic mirror source and click OK.
Delete a traffic mirror session
Log on to the VPC console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region where the traffic mirror session is created.
On the Traffic Mirror Session page, find the traffic mirror session that you want to delete and click Delete in the Actions column.
In the dialog box that appears, click OK.
Delete a traffic mirror filter
Before you delete a filter, make sure that the filter is not associated with a traffic mirror session. If the filter is associated with a traffic mirror session, disassociate the filter from the traffic mirror session before you delete the filter.
Log on to the VPC console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region where the filter is created.
On the Filter page, find the filter that you want to delete and click Delete in the Actions column.
In the dialog box that appears, click OK.
References
OpenTrafficMirrorService: enables traffic mirroring.
CreateTrafficMirrorFilter: creates a traffic mirror filter.
CreateTrafficMirrorFilterRules: creates inbound or outbound rules.
CreateTrafficMirrorSession: creates a traffic mirror session.
RemoveSourcesFromTrafficMirrorSession: deletes a traffic mirror source from a traffic mirror session.
AddSourcesToTrafficMirrorSession: adds a traffic mirror source to a traffic mirror session.
DeleteTrafficMirrorSession: deletes a traffic mirror session.
DeleteTrafficMirrorFilterRules: deletes inbound rules or outbound rules from a filter.
DeleteTrafficMirrorFilter: deletes a traffic mirror filter.