
Virtual Private Cloud:Overview of traffic mirroring

Last Updated:Nov 18, 2024

Virtual private cloud (VPC) supports the traffic mirroring feature. You can use this feature to mirror network traffic that flows through an Elastic Network Interface (ENI) based on specified filters. You can use traffic mirroring to mirror network traffic from an Elastic Compute Service (ECS) instance in a VPC and forward the traffic to a specified ENI or an internal-facing Classic Load Balancer (CLB) instance for content inspection, threat monitoring, and troubleshooting.


Regions that support traffic mirroring

  • Asia Pacific: China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), China (Fuzhou - Local Region), Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Thailand (Bangkok), and Philippines (Manila)

  • Europe & Americas: Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia)

  • Middle East: SAU (Riyadh - Partner Region)

Features

Terms

  • Filter: a set of inbound and outbound rules. Filters select which network traffic a traffic mirror session mirrors.

    • Inbound traffic: traffic received by an ENI.

    • Outbound traffic: traffic sent from an ENI.

  • Traffic mirror source: an ENI from which you want to mirror network traffic.

  • Traffic mirror destination: an ENI or an internal-facing CLB instance that is used to receive mirrored network traffic.

  • Traffic mirror session: mirrors network traffic from a traffic mirror source to a traffic mirror destination based on specified filters.

Description

You can specify inbound and outbound rules in filters. When you create a traffic mirror session, you can associate the session with a filter. After the traffic mirror session is created and enabled, all network traffic that matches the filter is mirrored. Five parameters are used to specify the inbound and outbound rules in filters: source CIDR block, source port, destination CIDR block, destination port, and protocol.

For example, you can set the parameters to the following values for an inbound rule: source CIDR block to 192.168.0.0/16, source port to 10000, destination CIDR block to 10.0.0.0/8, destination port to 80, and protocol to TCP. After the preceding configuration is completed, the traffic mirror session mirrors the network traffic that is transmitted to the specified ECS instance based on the specified filter conditions.
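The following Python model is an added illustration of how the five rule parameters select packets; it is not part of the Alibaba Cloud documentation and not the VPC service's own matching code. It encodes the inbound rule from the example above and evaluates it against a few constructed packets. Two details are the model's own assumptions: a parameter left unset is treated as "any", and packets with IPv6 addresses never match, because the feature mirrors only IPv4 traffic (see Limits).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """One packet as seen at the mirrored ENI (constructed for this example)."""
    direction: str              # "inbound" (received by the ENI) or "outbound" (sent from the ENI)
    protocol: str               # "TCP", "UDP", "ICMP", ...
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # None for protocols without ports
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class FilterRule:
    """One inbound or outbound filter rule. None means 'any' (assumption of this model)."""
    direction: str
    protocol: Optional[str] = None
    src_cidr: Optional[str] = None
    src_port: Optional[int] = None
    dst_cidr: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt):
        # Inbound rules only ever apply to inbound packets, and vice versa.
        if pkt.direction != self.direction:
            return False
        src, dst = ip_address(pkt.src_ip), ip_address(pkt.dst_ip)
        # Traffic mirroring does not mirror IPv6 traffic, so no rule matches it.
        if src.version != 4 or dst.version != 4:
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.src_cidr is not None and src not in ip_network(self.src_cidr):
            return False
        if self.dst_cidr is not None and dst not in ip_network(self.dst_cidr):
            return False
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def should_mirror(rules, pkt):
    """A session mirrors a packet as soon as any rule of its filter matches."""
    return any(rule.matches(pkt) for rule in rules)


# The inbound rule from the example in the text.
EXAMPLE_FILTER = [
    FilterRule(direction="inbound", protocol="TCP",
               src_cidr="192.168.0.0/16", src_port=10000,
               dst_cidr="10.0.0.0/8", dst_port=80),
]

# Constructed sample packets, not captured traffic.
SAMPLE_PACKETS = [
    Packet("inbound", "TCP", "192.168.3.7", "10.20.30.40", 10000, 80),    # matches every parameter
    Packet("inbound", "UDP", "192.168.3.7", "10.20.30.40", 10000, 80),    # protocol differs
    Packet("outbound", "TCP", "10.20.30.40", "192.168.3.7", 80, 10000),   # reply direction, no outbound rule
    Packet("inbound", "TCP", "172.16.3.7", "10.20.30.40", 10000, 80),     # source outside 192.168.0.0/16
    Packet("inbound", "TCP", "192.168.3.7", "10.20.30.40", 10000, 443),   # destination port differs
]


def mirrored_subset(rules=EXAMPLE_FILTER, packets=SAMPLE_PACKETS):
    """Return the indexes of the packets the session would mirror."""
    return [i for i, pkt in enumerate(packets) if should_mirror(rules, pkt)]


if __name__ == "__main__":
    print("mirrored packets:", mirrored_subset())  # only index 0 matches the example rule
```

Because the example filter has no outbound rule, the server's replies (index 2) are not mirrored; a deployment that needs both halves of a TCP conversation has to add an outbound rule as well.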

Traffic mirror destination

  • A traffic mirror destination can be an ENI or an internal-facing CLB instance.

  • Within the same account and region, a traffic mirror source and a traffic mirror destination can be deployed in the same VPC or in different VPCs. You cannot create traffic mirror sources and destinations in different regions or with different Alibaba Cloud accounts.

  • After the mirrored traffic is encapsulated, it needs to be forwarded to the traffic mirror destination through the path specified by the VPC route table. Make sure that the route table is correctly configured so that the mirrored traffic can be forwarded to the traffic mirror destination.

  • If the traffic mirror source and destination belong to different VPCs, make sure that the two VPCs can communicate with each other through VPC peering connections or Cloud Enterprise Network (CEN). This ensures that traffic can be forwarded from the VPC where the source resides to the VPC where the destination resides.

Scenarios

  • Security: Intrusion detection

    You can use self-developed or third-party software to monitor mirrored traffic. This ensures that all security vulnerabilities and intrusion activities are detected. The traffic mirroring feature accelerates the detection process and allows you to respond to attacks at the earliest opportunity.

  • Auditing: Finance or public service sectors

    In the finance industry or scenarios that require high-level compliance, network traffic must be audited. You can use the traffic mirroring feature to mirror network traffic to an auditing platform on which you can audit the compliance of the traffic.

  • Network O&M: Troubleshooting

    O&M engineers can use the traffic mirroring feature to troubleshoot network issues. For example, they can query mirrored traffic to analyze TCP retransmission issues without the need to retrieve packets from a virtual machine (VM).

Billing

Billing rules

Total fee = Instance fee + Data mirroring fee

  • Instance fee = Number of ENIs that have traffic mirror sessions enabled × Active session hours × Unit price (USD per ENI-hour)

    After an ENI has traffic mirror sessions enabled, you are charged on an hourly basis. If the usage duration is less than 1 hour, it is rounded up to 1 hour. After you disable traffic mirror sessions for an ENI, the billing stops.

  • Data mirroring fee = Total amount of mirrored data (GB) × Unit price (USD/GB)

The following table describes the unit prices of the billable items:

  • Instance fee: 0.014 (USD/ENI/hour)

  • Traffic mirroring fee: 0.007 (USD/GB)

Note

You are not charged traffic mirroring fees before March 31, 2025.

For example, traffic mirror sessions are enabled for five ENIs that are deployed in a VPC in Silicon Valley Zone B. The traffic mirror sessions have been active 24 hours per day for 30 days, and 20 GB of data has been mirrored. In this case, the cost breakdown is as follows:

  • Instance fee = 5 × 30 × 24 × 0.014 = USD 50.4

  • Traffic mirroring fee = 20 × 0.007 = USD 0.14

  • Total fee = 50.4 + 0.14 = USD 50.54

Limits

Quotas

  • Maximum number of traffic mirror sources that can be specified in each traffic mirror session (ID: trafficmirror_quota_source_num_per_session)

    Default value: 10

    Adjustable: You can increase the quota by performing the following operations:

  • Maximum number of traffic mirror sessions that you can create in each region with each Alibaba Cloud account

    Default value: 20,000

    Adjustable: N/A

  • Maximum number of traffic mirror sessions supported by each traffic mirror source

    Default value: 3

  • Maximum number of traffic mirror destinations that can be specified by each Alibaba Cloud account

    Default value: Unlimited

  • Maximum number of traffic mirror sources that can use each traffic mirror destination

    Default value:

    • If the traffic mirror destination is an internal-facing Classic Load Balancer (CLB) instance, it can be used by at most 200 traffic mirror sources.

    • If the traffic mirror destination is an ENI and the ENI is associated with an ECS instance of one of the following instance families, the ECS instance can be used by at most 100 traffic mirror sources. If the associated ECS instance does not belong to one of the following instance families, the ECS instance can be used by at most 10 traffic mirror sources.

      Instance families: ecs.ebmc7.32xlarge, ecs.ebmg7.32xlarge, ecs.ebmr7.32xlarge, ecs.ebmhfg7.48xlarge, ecs.ebmhfc7.48xlarge, ecs.ebmhfr7.48xlarge, ecs.ebmc7a.64xlarge, ecs.ebmg7a.64xlarge, ecs.ebmg7se.32xlarge, ecs.ebmg6a.64xlarge, ecs.ebmg6e.26xlarge, ecs.ebmc6a.64xlarge, ecs.ebmc6e.26xlarge, ecs.ebmr7a.64xlarge, ecs.ebmr6a.64xlarge, ecs.ebmr6e.26xlarge, ecs.c8i.48xlarge, ecs.g8i.48xlarge, ecs.c7nex.32xlarge, ecs.g7nex.32xlarge, ecs.g7ne.24xlarge, ecs.c7.32xlarge, ecs.g7.32xlarge, ecs.r7.32xlarge, ecs.r6e.26xlarge, ecs.g7t.32xlarge, ecs.g6t.26xlarge, ecs.g6e.26xlarge, ecs.c7t.32xlarge, ecs.c6t.26xlarge, ecs.c6e.26xlarge, ecs.g5ne.18xlarge, and ecs.r7t.32xlarge

  • Maximum number of rules that can be specified in each filter

    Default value: 10

  • Maximum number of traffic mirror sessions that can be associated with each filter

    Default value: 2,000

Limits

  • Accounts and regions

    You can create traffic mirror sources and destinations in one VPC or different VPCs within the same Alibaba Cloud account and the same region. You cannot create traffic mirror sources and destinations in different regions or with different Alibaba Cloud accounts.

    Note

    The IP address of the traffic mirror destination must be reachable from the traffic mirror source through the route table of the VPC in which the source resides.

  • IP version

    You cannot use traffic mirroring to mirror IPv6 traffic.

  • Bandwidth

    Traffic mirror sessions share the bandwidth of the associated ECS instances and the bandwidth usage is not capped.

    Note

    If the maximum bandwidth of an ECS instance is reached, traffic mirror packets are dropped to ensure that service traffic can be forwarded as expected.

  • Traffic mirror source and destination

    • Each packet from a traffic mirror source can be mirrored only once and sent to only one traffic mirror destination.

    • An ENI cannot serve as both a traffic mirror source and a traffic mirror destination.

  • Traffic type

    The system does not mirror Address Resolution Protocol (ARP) packets, Dynamic Host Configuration Protocol (DHCP) packets, flow log packets, or packets that are dropped by security groups or network ACLs.

  • Security rules

    When packets are mirrored from a traffic mirror source, they are not limited by security groups or network access control lists (ACLs). However, security groups and network ACLs impose limits on packets when the packets are mirrored to a traffic mirror destination. Therefore, you must set the following security group rules and network ACL rules for the traffic mirror destination:

    • Security group rules: You must add an inbound rule that allows UDP traffic to destination port 4789 (the VXLAN port) from the IP address of the ENI that serves as the traffic mirror source. For more information about how to configure security group rules, see Create a security group.

    • Network ACL rules: You must set an inbound rule that allows UDP packets from all source ports and the IP address of the ENI that serves as the traffic mirror source. For more information about how to configure network ACLs, see Create and manage network ACLs.

  • Packet length and MTU

    The standard Virtual Extensible LAN (VXLAN) protocol is used in traffic mirror sessions to encapsulate packets. For more information about the VXLAN protocol, see RFC 7348.

    The length of mirrored packets received by the traffic mirror destination is limited by the minimum MTU and the specified mirrored packet length.

    • If the length of a mirrored packet plus the length of the VXLAN encapsulation (a fixed 50 bytes) is greater than the minimum MTU, the system truncates the mirrored packet.

      • In Alibaba Cloud networks, the default MTU is 1500. However, the MTU of some components, such as VPN gateways, is less than 1500. For more information, see MTU and jumbo frames.

      • If the minimum MTU is greater than 1500, for example, 8500, the system still truncates packets at an MTU of 1500.

    • If the actual mirrored packet length is greater than the specified mirrored packet length, the system truncates the mirrored packets. This feature is supported only in some regions. For more information, see Work with traffic mirroring.

    • To prevent mirrored packets from being truncated, we recommend that you set the MTU of the traffic mirror source to a value below 1450 bytes, that is, 50 bytes less than the MTU of the traffic mirror destination.

    If the source ECS instance has TCP Segmentation Offload (TSO) or UDP Fragmentation Offload (UFO) enabled, the mirroring process may be different. If you want the traffic mirror destination to receive all mirrored packets of source service packets, we recommend that you disable TSO and UFO for the source ECS instance, or use seventh-generation ECS instance families or later. After you disable TSO and UFO, the performance of the ECS instance may be affected.


    Source ECS instance (MTU = 1500): seventh-generation or later, or seventh-generation or earlier with TSO and UFO disabled

    Mirroring process: truncates source packets, and then mirrors the truncated packets.

      • Source packet size: 2000. Minimum MTU: 1500. Mirrored packet length: 1400. The traffic mirror destination receives 2 packets:

        - Fragment 1: 1450 = 1400 (length of actual mirrored packet) + 50 (VXLAN header length)

        - Fragment 2: 550 = 500 (length of actual mirrored packet) + 50 (VXLAN header length)

      • Source packet size: 2000. Minimum MTU: 1500. Mirrored packet length: 1500. The traffic mirror destination receives 2 packets:

        - Fragment 1: 1500 = 1450 (length of actual mirrored packet) + 50 (VXLAN header length)

        - Fragment 2: 550 = 500 (length of actual mirrored packet) + 50 (VXLAN header length)

    Source ECS instance (MTU = 1500): seventh-generation or earlier with TSO or UFO enabled

    Mirroring process: mirrors source packets, and then truncates the mirrored packets.

      • Source packet size: 2000. Minimum MTU: 1500. Mirrored packet length: 1400. The traffic mirror destination receives 1 packet: 1450 = 1400 (length of actual mirrored packet) + 50 (VXLAN header length)

      • Source packet size: 2000. Minimum MTU: 1500. Mirrored packet length: 1500. The traffic mirror destination receives 1 packet: 1500 = 1450 (length of actual mirrored packet) + 50 (VXLAN header length)

    Note

    • You can determine whether an ECS instance is of the seventh generation based on the instance type name. For example, ecs.g7se.xlarge indicates that the ECS instance is of the seventh generation. For more information, see Instance type selection.

    • Unit for packet length: bytes.
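The following Python code is an added example that serves two of the limits above: the security rules (mirrored packets arrive at the destination as VXLAN over UDP port 4789 from the source ENI's IP address) and the packet length and MTU rules (the fixed 50-byte encapsulation and the truncation cases in the table). It is not part of the Alibaba Cloud documentation and not the service's own code. Two points are assumptions of this example: the 50-byte overhead is modelled as the standard VXLAN-over-IPv4 encapsulation of RFC 7348 (14-byte Ethernet + 20-byte IPv4 + 8-byte UDP + 8-byte VXLAN headers), and the truncation model is a simplification that reproduces the table's numbers (with TSO and UFO disabled the source packet is cut into MTU-sized pieces before mirroring; with offload enabled the whole packet is mirrored once), not a description of the hypervisor's internal processing. The sample frame is constructed, not captured from a real session.

```python
import struct
import ipaddress

# Sizes of the outer headers of a VXLAN-over-IPv4 mirrored packet (assumption: RFC 7348 layout).
ETH_HDR_LEN, IPV4_HDR_LEN, UDP_HDR_LEN, VXLAN_HDR_LEN = 14, 20, 8, 8
ENCAP_OVERHEAD = ETH_HDR_LEN + IPV4_HDR_LEN + UDP_HDR_LEN + VXLAN_HDR_LEN  # the fixed 50 bytes
VXLAN_UDP_PORT = 4789
TRUNCATION_MTU_CAP = 1500  # the system never truncates at an MTU above 1500, even if the path allows more


def mirrored_packet_lengths(source_len, source_mtu, min_mtu, mirrored_len, offload_enabled):
    """On-the-wire lengths of the packets the destination receives for one source packet.

    Simplified model (assumption): each piece that is mirrored is capped at
    min(mirrored packet length, min(MTU, 1500) - 50) and then carries the 50-byte encapsulation.
    """
    if offload_enabled:
        pieces = [source_len]                 # mirrored as one packet, then truncated
    else:
        pieces, remaining = [], source_len    # guest stack segments to the MTU first
        while remaining > 0:
            piece = min(remaining, source_mtu)
            pieces.append(piece)
            remaining -= piece
    cap = min(mirrored_len, min(min_mtu, TRUNCATION_MTU_CAP) - ENCAP_OVERHEAD)
    return [min(piece, cap) + ENCAP_OVERHEAD for piece in pieces]


def build_mirrored_frame(outer_src_ip, outer_dst_ip, vni, inner_frame, src_port=49152):
    """Constructed sample of an encapsulated mirrored packet as the destination ENI would see it."""
    udp_len = UDP_HDR_LEN + VXLAN_HDR_LEN + len(inner_frame)
    eth = bytes.fromhex("020000000002" "020000000001") + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + udp_len, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(outer_src_ip).packed,
                     ipaddress.IPv4Address(outer_dst_ip).packed)
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)
    vxlan = struct.pack("!II", 0x08 << 24, vni << 8)   # I flag set, 24-bit VNI
    return eth + ip + udp + vxlan + inner_frame


def decapsulate(frame, allowed_source_ips):
    """Check the outer headers the way the destination's security group rule does, then strip them.

    Returns (vni, inner_frame); raises ValueError for anything that is not a mirrored packet
    from a configured traffic mirror source.
    """
    if len(frame) < ENCAP_OVERHEAD:
        raise ValueError("frame shorter than the VXLAN encapsulation")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ip = frame[ETH_HDR_LEN:ETH_HDR_LEN + IPV4_HDR_LEN]
    if (ip[0] & 0x0F) * 4 != IPV4_HDR_LEN:
        raise ValueError("outer IPv4 header with options is not expected")
    if ip[9] != 17:
        raise ValueError("outer packet is not UDP")
    outer_src = str(ipaddress.IPv4Address(ip[12:16]))
    if outer_src not in allowed_source_ips:
        raise ValueError(f"outer source {outer_src} is not a configured traffic mirror source")
    udp_start = ETH_HDR_LEN + IPV4_HDR_LEN
    dst_port = struct.unpack("!H", frame[udp_start + 2:udp_start + 4])[0]
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError(f"UDP destination port {dst_port} is not VXLAN (4789)")
    vx_start = udp_start + UDP_HDR_LEN
    flags, vni_field = struct.unpack("!II", frame[vx_start:vx_start + VXLAN_HDR_LEN])
    if not (flags >> 24) & 0x08:
        raise ValueError("VXLAN I flag not set")
    return vni_field >> 8, frame[vx_start + VXLAN_HDR_LEN:]


def is_accepted(frame, allowed_source_ips):
    """True if the destination would process the frame as a mirrored packet."""
    try:
        decapsulate(frame, allowed_source_ips)
        return True
    except ValueError:
        return False


# Constructed addresses (placeholders, not from any real VPC).
SOURCE_ENI_IP = "192.168.10.5"
DESTINATION_ENI_IP = "192.168.20.8"
INNER_FRAME = bytes(1400)   # a constructed 1400-byte inner frame, i.e. a packet mirrored at length 1400


def demo():
    """Encapsulate the constructed inner frame and decapsulate it again; returns (wire length, VNI, inner length)."""
    frame = build_mirrored_frame(SOURCE_ENI_IP, DESTINATION_ENI_IP, 1234, INNER_FRAME)
    vni, inner = decapsulate(frame, {SOURCE_ENI_IP})
    return len(frame), vni, len(inner)


if __name__ == "__main__":
    print("wire length, VNI, inner length:", demo())
    for mirrored_len, offload in ((1400, False), (1500, False), (1400, True), (1500, True)):
        print(mirrored_len, "offload" if offload else "no offload",
              mirrored_packet_lengths(2000, 1500, 1500, mirrored_len, offload))
```

A destination that allow-lists by outer source IP, as `decapsulate` does, mirrors the security group rule above: a VXLAN packet from any other address is dropped before its payload is looked at. The four `mirrored_packet_lengths` calls reproduce the table: 1450 + 550 and 1500 + 550 with offload disabled, a single 1450 or 1500 with offload enabled, and a minimum MTU of 8500 gives the same result as 1500 because of the 1500 cap.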

Procedure


For more information, see Create and manage traffic mirror sources.