Traffic mirroring is a feature that mirrors network traffic from an Elastic Network Interface (ENI). Only network traffic that matches specific filters is mirrored and then forwarded to a specified instance. This topic describes how to use the traffic mirroring feature.
Prerequisites
If you use traffic mirroring for the first time, log on to the Traffic Mirroring page to enable the feature.
If the traffic mirror source and destination in a session belong to different virtual private clouds (VPCs), make sure that the VPCs can communicate with each other. For more information, see Overview of VPC connections.
Note: The traffic mirror destination must be an IP address that can be reached by using the source's route.
Create or delete a filter
Log on to the VPC console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region where you want to create a filter.
Click Create Filter. In the Basic Information section, specify the Name, Description, Resource Group, Tag Key, and Tag Value for the filter based on your requirements.
Under the Inbound Rules or Outbound Rules tab in the Rule Configuration section, click Create Rule. Set the following parameters; for details, see Traffic mirroring.
Note: A filter without rules does not mirror any traffic.
Protocol Type: Specify the protocol of the network traffic that you want to mirror from Elastic Compute Service (ECS) instances. Valid values:
  ALL: All protocols.
  ICMP: Internet Control Message Protocol.
  TCP: Transmission Control Protocol.
  UDP: User Datagram Protocol.
Source CIDR Block: Specify the source CIDR block of the traffic.
Destination CIDR Block: Specify the destination CIDR block of the traffic.
Source Port: Enter the source port range of the traffic. Valid values: 0 to 65535. Separate the first port and the last port with a forward slash (/), for example, 1/200 or 80/80. If you set the value to -1/-1, port numbers are unlimited. If you set Protocol Type to ALL or ICMP, the default value is -1/-1.
Destination Port: Enter the destination port range of the traffic. Valid values: 0 to 65535. Separate the first port and the last port with a forward slash (/), for example, 1/200 or 80/80. If you set the value to -1/-1, port numbers are unlimited. If you set Protocol Type to ALL or ICMP, the default value is -1/-1.
Priority: Specify the priority of the rule. Valid values: 1 to 16777216. A smaller value indicates a higher priority. You can create at most 10 rules. The priority of each inbound or outbound rule that belongs to the same filter must be unique.
Policy: Specify the action that you want to perform on the network traffic. Valid values:
  Collect: Collects network traffic.
  Do Not Collect: Does not collect network traffic.
To remove a filter, go to the Filter page, find the filter that you want to manage, and click Delete in the Actions column.
Ensure that the filter that you want to delete is not linked to a traffic mirror session. If it is, you must reassign or remove the filter from the session before deletion.
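The rule table above, modeled as an added Python example (not Alibaba Cloud's own code) so the interaction of Priority, port ranges and Policy can be checked before a filter is created. It assumes that rules are evaluated in ascending priority order with the first match deciding, and that a packet matching no rule is not mirrored; the sample rules and packets are constructed.

```python
import ipaddress

def parse_port_range(spec):
    """'first/last' port spec from the rule table; '-1/-1' means any port."""
    first, last = (int(p) for p in spec.split("/"))
    if (first, last) == (-1, -1):
        return (0, 65535)
    if not 0 <= first <= last <= 65535:
        raise ValueError(f"invalid port range {spec!r}")
    return (first, last)

def make_rule(priority, protocol, src_cidr, dst_cidr, src_ports, dst_ports, policy):
    """One inbound or outbound rule, using the parameters from the page's table."""
    if not 1 <= priority <= 16777216:
        raise ValueError("priority must be 1 to 16777216")
    return {"priority": priority, "protocol": protocol, "policy": policy,
            "src": ipaddress.ip_network(src_cidr), "dst": ipaddress.ip_network(dst_cidr),
            "sports": parse_port_range(src_ports), "dports": parse_port_range(dst_ports)}

def check_filter(rules):
    """Limits stated on the page: at most 10 rules, unique priorities per direction."""
    prios = [r["priority"] for r in rules]
    if len(prios) > 10 or len(prios) != len(set(prios)):
        raise ValueError("at most 10 rules, each with a unique priority")
    return True

def rule_matches(rule, pkt):
    """pkt: dict with protocol, src, dst and, for TCP/UDP, sport and dport."""
    if rule["protocol"] not in ("ALL", pkt["protocol"]):
        return False
    if (ipaddress.ip_address(pkt["src"]) not in rule["src"]
            or ipaddress.ip_address(pkt["dst"]) not in rule["dst"]):
        return False
    # ICMP carries no ports; treat them as 0, which an unlimited (-1/-1) range admits.
    sport, dport = pkt.get("sport", 0), pkt.get("dport", 0)
    return (rule["sports"][0] <= sport <= rule["sports"][1]
            and rule["dports"][0] <= dport <= rule["dports"][1])

def is_collected(rules, pkt):
    """Assumed semantics: try rules in ascending priority, first match decides.
    No match means no mirroring (a filter without rules mirrors nothing)."""
    check_filter(rules)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule_matches(rule, pkt):
            return rule["policy"] == "Collect"
    return False

# Constructed example: skip SSH from the management range, collect everything else to the web subnet.
INBOUND = [make_rule(1, "TCP", "10.0.0.0/8", "0.0.0.0/0", "-1/-1", "22/22", "Do Not Collect"),
           make_rule(2, "ALL", "0.0.0.0/0", "192.168.1.0/24", "-1/-1", "-1/-1", "Collect")]
```

Because the higher-priority (smaller-number) rule is consulted first, SSH from 10.0.0.0/8 is excluded even though the second rule would otherwise collect it.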
Create or delete a mirror session
On the Traffic Mirror Session page, click Create Traffic Mirror Session.
On the Basic Configuration wizard page, set the following parameters. Leave other parameters at their default values or modify them based on your requirements. Then, click Next.
VNI: Specify a VXLAN network identifier (VNI). Valid values: 0 to 16777215. You can use VNIs to identify mirrored traffic from different sessions at the traffic mirror destination. You can specify a custom VNI or use a random VNI allocated by the system.
Priority: Specify the priority of the traffic mirror session. Valid values: 1 to 32766. A smaller value indicates a higher priority. You cannot specify the same priority for traffic mirror sessions that are created in the same region by using the same account.
Mirrored Packet Length: Specify the original packet length (excluding the VXLAN encapsulation). Default value: 1500. Valid values: 64 to 8500. Unit: bytes. This value determines the packet length received by the traffic mirror destination. For more information, see Overview of traffic mirroring.
On the Associate Filter wizard page, select a filter.
On the Select Traffic Mirror Source wizard page, select an ENI instance that you want to use as the traffic mirror source.
On the Select Mirror Destination wizard page, click ENI or CLB. Select an ENI or a Classic Load Balancer (CLB) instance in the Select Instance section.
Note: An ENI cannot be specified as both a traffic mirror source and a traffic mirror destination at the same time.
To remove a traffic mirror session, go to the Traffic Mirror Session page, find the session you want to delete, and click Delete in the Actions column.
Start or stop a mirror session
After a mirror session is created, it is inactive by default. To start the session, go to the Traffic Mirror Session page, find the session that you want to manage, and click Start in the Actions column.
To stop a traffic mirror session that is in the Running state, click Stop in the Actions column of the session.
Change the mirror source
To change the mirror sources of a session, delete an existing source or add a new one.
On the Traffic Mirror Session page, find the mirror session that you want to modify, and click its instance ID.
In the Traffic Mirror Source section, click Delete in the Actions column to remove a traffic mirror source.
To add a source, click Add Traffic Mirror Sources and select an ENI instance as the mirror source.
References
For more information on the capabilities and restrictions of traffic mirroring, see Traffic mirroring.
Traffic mirroring can also be managed through the API by using an SDK, Terraform, or ROS:
OpenTrafficMirrorService: Activates traffic mirroring.
CreateTrafficMirrorFilter: Creates a traffic mirror filter.
DeleteTrafficMirrorFilter: Removes a traffic mirror filter.
CreateTrafficMirrorFilterRules: Creates inbound or outbound rules for a traffic mirror filter.
DeleteTrafficMirrorFilterRules: Removes inbound or outbound rules from a traffic mirror filter.
CreateTrafficMirrorSession: Creates a traffic mirror session.
DeleteTrafficMirrorSession: Deletes a traffic mirror session.
AddSourcesToTrafficMirrorSession: Associates additional traffic mirror sources with an existing mirror session.
RemoveSourcesFromTrafficMirrorSession: Removes traffic mirror sources from an existing session.