
Yesterday the team at AWS launched VPC Traffic Mirroring, a new feature that can be used with the existing Virtual Private Clouds (VPCs) for capturing and inspecting network traffic at scale.

Network and security people. #AWS now has port mirroring, SPAN, sniffing, passive packet capture, whatever you want to call it! This is a huge change and I know a ton of customers have been waiting for this. Check it out: https://t.co/T9cBtRUHzI — Nick Matthews (@nickpowpow) June 25, 2019

Features of VPC Traffic Mirroring

Detecting and responding to network attacks

With VPC Traffic Mirroring, users can extract traffic of interest from any workload in a VPC and route it to their detection tools, making it possible to spot network and security anomalies and respond to attacks more quickly than with traditional log-based tools.

Better network visibility

Users get the network visibility and control needed to make better security decisions.

Regulatory and compliance requirements

It is now possible to meet regulatory and compliance requirements that mandate monitoring, logging, etc.

Troubleshooting

Users can mirror application traffic internally for testing and troubleshooting and analyze traffic patterns, which makes it easier to proactively locate choke points that would hamper application performance.

The blog post reads, “You can think of VPC Traffic Mirroring as a ‘virtual fiber tap’ that gives you direct access to the network packets flowing through your VPC.”

Mirror traffic from any EC2 instance

Users can capture all traffic, or use filters to capture only the packets of particular interest and limit the number of bytes captured per packet. VPC Traffic Mirroring can be used in a multi-account AWS environment to capture traffic from VPCs spread across many AWS accounts. Users can mirror traffic from any EC2 instance powered by the AWS Nitro system.

Users can replicate the network traffic from an EC2 instance within their Amazon Virtual Private Cloud (Amazon VPC) and forward that traffic to security and monitoring appliances for use cases such as threat monitoring, content inspection, and troubleshooting.

These appliances can be deployed on an individual Amazon EC2 instance or on a fleet of instances behind a Network Load Balancer (NLB) with a User Datagram Protocol (UDP) listener.

Amazon VPC traffic mirroring also supports traffic filtering and packet truncation, allowing customers to extract only traffic they are interested in monitoring.

Improved security

VPC Traffic Mirroring captures packets at the Elastic Network Interface (ENI) level, where they cannot be tampered with, thus strengthening security. Users can analyze their network traffic with a wide range of monitoring solutions that are integrated with Amazon VPC traffic mirroring on AWS Marketplace.

Key elements for VPC Traffic Mirroring

Mirror source

It is an AWS network resource within a particular VPC that is used as the source of traffic. VPC Traffic Mirroring supports Elastic Network Interfaces (ENIs) as mirror sources.

Mirror target

It is an ENI or Network Load Balancer that works as a destination for the mirrored traffic. The mirror target can be in the same AWS account as the Mirror Source or it can be in a different account for the implementation of the central-VPC model.

Mirror filter

It is a specification of the inbound or outbound traffic that is to be captured or skipped. It can specify a protocol, port ranges for the source and destination, and CIDR blocks for the source and destination.

Traffic mirror session

It is a connection between a mirror source and a target that uses a filter. Sessions are numbered, evaluated in order, and the first match (accept or reject) is used to determine the fate of the packet. A given packet is sent to at most one target.
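As an added illustration of how these four elements fit together (example code written for this summary, not AWS's own; the resource names, rule fields and sample packets are all constructed), here is a small Python model of the ordered, first-match evaluation described above:

```python
# Added example (not AWS code): a model of the filter/session evaluation described
# above: ordered rules, first match decides, at most one target, truncated copies.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    number: int                       # evaluated in ascending rule number
    action: str                       # "accept" or "reject"
    protocol: Optional[int] = None    # IANA protocol number (6 = TCP, 17 = UDP); None = any
    src_cidr: str = "0.0.0.0/0"
    dst_cidr: str = "0.0.0.0/0"
    dst_ports: tuple = (0, 65535)     # inclusive destination port range
    def matches(self, pkt: dict) -> bool:
        return ((self.protocol is None or pkt["proto"] == self.protocol)
                and ip_address(pkt["src"]) in ip_network(self.src_cidr)
                and ip_address(pkt["dst"]) in ip_network(self.dst_cidr)
                and self.dst_ports[0] <= pkt["dport"] <= self.dst_ports[1])

@dataclass
class Session:
    number: int                       # evaluated in ascending session number
    target: str                       # ENI or NLB that receives the mirrored copy
    rules: list                       # the session's mirror filter
    packet_length: Optional[int] = None   # truncation limit in bytes; None = whole packet

def mirror(sessions, pkt):
    """Return (target, bytes_mirrored), or None if the packet is not mirrored."""
    for s in sorted(sessions, key=lambda s: s.number):
        for r in sorted(s.rules, key=lambda r: r.number):
            if r.matches(pkt):            # first match (accept or reject) decides
                if r.action == "reject":
                    return None
                limit = s.packet_length or pkt["len"]
                return (s.target, min(pkt["len"], limit))
    return None                            # no rule matched: not mirrored
# Constructed sample: session 1 sends inbound HTTPS to an IDS but skips the
# health-check subnet; session 2 sends the first 100 bytes of anything else.
SESSIONS = [
    Session(1, "eni-ids-EXAMPLE", [
        Rule(10, "reject", 6, src_cidr="10.0.200.0/24", dst_ports=(443, 443)),
        Rule(20, "accept", 6, dst_cidr="10.0.0.0/16", dst_ports=(443, 443))]),
    Session(2, "nlb-collector-EXAMPLE", [Rule(10, "accept")], packet_length=100)]

def demo():
    pkts = [{"src": "203.0.113.7", "dst": "10.0.1.5", "proto": 6, "dport": 443, "len": 1400},
            {"src": "10.0.200.9", "dst": "10.0.1.5", "proto": 6, "dport": 443, "len": 300},
            {"src": "10.0.1.5", "dst": "10.0.3.3", "proto": 17, "dport": 53, "len": 80}]
    return [mirror(SESSIONS, p) for p in pkts]
```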

VPC Traffic Mirroring is now available and customers can start using it in all commercial AWS Regions except for Asia Pacific (Sydney), China (Beijing), and China (Ningxia). Support for these regions is still pending and will be added soon, as per the official post.

To learn more, check out Amazon’s official blog post.
