Traffic Mirroring
What Is Traffic Mirroring?
Traffic Mirroring copies the traffic that matches a mirror filter from mirror sources, such as elastic network interfaces, to a mirror target. You configure inbound and outbound rules in the mirror filter to determine which traffic is mirrored from the mirror sources to the mirror target, such as a network interface or load balancer, and then send the mirrored traffic for inspection, audit analysis, and troubleshooting.
Currently, the Traffic Mirroring function is free. You will be notified in advance if billing starts.
Currently, Traffic Mirroring is available only in certain regions. For details, visit Function Overview and click Traffic Mirroring.
Concepts
- A mirror filter is a set of inbound rules and outbound rules to determine the traffic that is mirrored. You can specify matching criteria, such as priority and action for each rule.
- Inbound rules match the traffic received by a mirror source.
- Outbound rules match the traffic sent by a mirror source.
- A mirror source is an elastic network interface, from which traffic will be mirrored.
- A mirror target is an ECS network interface or a load balancer, which is used to receive mirrored traffic.
- A mirror session can be associated with one mirror filter, multiple mirror sources, and one mirror target. A mirror session mirrors the traffic that matches the mirror filter from the mirror sources to the mirror target.
Working Principles
- Mirror source 01 is network interface-B, which is attached to ECS-B. When ECS-B accesses ECS-A, the outbound and inbound traffic of network interface-B is mirrored.
- Mirror source 02 is network interface-C, which is attached to ECS-C. When ECS-C is accessed from the Internet, the outbound and inbound traffic of network interface-C is mirrored.
- The mirror filter contains both inbound and outbound rules.
- The mirror target is a load balancer that receives mirrored traffic.
In Table 1, the mirror sources network interface-B and network interface-C are used as examples to describe the traffic mirroring principle.
Mirror Source | Access Path | Packet | Direction | Description |
---|---|---|---|---|
Network interface-B | From ECS-B to ECS-A | Request packet 01 | Outbound | Request packet 01 from ECS-B is an outbound packet for network interface-B. If packet 01 matches the outbound rules of the mirror filter, packet 01 is mirrored to the load balancer. |
Network interface-B | From ECS-B to ECS-A | Response packet 02 | Inbound | Response packet 02 from ECS-A is an inbound packet for network interface-B. If packet 02 matches the inbound rules of the mirror filter, packet 02 is mirrored to the load balancer. |
Network interface-C | From the Internet to ECS-C | Request packet 03 | Inbound | Request packet 03 from the Internet is an inbound packet for network interface-C. If packet 03 matches the inbound rules of the mirror filter, packet 03 is mirrored to the load balancer. |
Network interface-C | From the Internet to ECS-C | Response packet 04 | Outbound | Response packet 04 from ECS-C is an outbound packet for network interface-C. If packet 04 matches the outbound rules of the mirror filter, packet 04 is mirrored to the load balancer. |
The following table shows example inbound and outbound rules of a mirror filter.
Direction | Priority | Protocol | Action | Type | Source | Source Port Range | Destination | Destination Port Range | Filtering Description |
---|---|---|---|---|---|---|---|---|---|
Inbound | 1 | TCP | Accept | IPv4 | 172.16.0.0/24 | 10000-10001 | 10.0.0.3/32 | 80-80 | If traffic enters a network interface of the mirror source, the mirror session mirrors packets that match the following rule: TCP (IPv4) packets from source 172.16.0.0/24 over port 10000 or 10001 to destination 10.0.0.3/32 over port 80. |
Outbound | 1 | All | Reject | IPv4 | 192.168.0.0/24 | All | 10.2.0.0/24 | All | If traffic leaves a network interface of the mirror source, the mirror session does not mirror packets that match the following rule: IPv4 packets from source 192.168.0.0/24 over any port to destination 10.2.0.0/24 over any port. |
Application Scenarios
- Traffic inspection
If there are network intrusions, you can use traffic mirroring to mirror the required traffic to security software for comprehensive analysis and checks. This helps you quickly locate security vulnerabilities and keep the network secure.
- Traffic auditing
You can use traffic mirroring to mirror traffic to a specific platform for auditing and analysis. This applies to scenarios that have high security requirements, such as finance.
- Fault locating
O&M engineers can directly view mirrored traffic instead of capturing packets on service servers to locate faults. This prevents services from being affected during O&M.
Matching Rules
If a packet from the same mirror source meets multiple mirror filter rules, the packet is matched only once. The matching rules are described as follows:
Matching Rule | Description |
---|---|
Sequence match | Matching is performed in descending order of priority. A smaller value indicates a higher priority. For example, the priority of 1 is higher than that of 2. |
Unique match | If a packet matches a mirror filter rule, the packet does not attempt to match any other rules. |
- Figure 2 describes the matching process of mirror sessions. If a mirror source is associated with multiple mirror sessions, packets are matched in descending order of mirror session priority. Inbound packets are used as an example here.
  - If a packet matches an inbound mirror filter rule of a mirror session:
    - The packet will be mirrored if the rule action is Accept.
    - The packet will not be mirrored if the rule action is Reject.
  - If a packet does not match any inbound mirror filter rule in a mirror session, the packet will not be mirrored.
For example, a mirror source is associated with both mirror sessions A and B. The priority of mirror session A is 1 and that of mirror session B is 2. If a packet in the inbound direction of the mirror source meets the mirror filter rules of both mirror session A and mirror session B, the packet preferentially matches the mirror filter rules of mirror session A according to the priority, and will not match those of mirror session B.
- Figure 3 describes the matching process of mirror filter rules. If a mirror source is associated with only one mirror session, packets are matched in descending order of priority of the inbound mirror filter rules. Inbound packets are used as an example here.
  - If a packet matches an inbound mirror filter rule:
    - The packet will be mirrored if the rule action is Accept.
    - The packet will not be mirrored if the rule action is Reject.
  - If a packet does not match any inbound mirror filter rule, the packet will not be mirrored.
For example, a mirror source is associated with mirror session A. The mirror filter of mirror session A has inbound rules A and B, which have the same traffic matching conditions but different priorities and actions. The priority of rule A is 1, and the action is Reject. The priority of rule B is 2, and the action is Accept. If a packet in the inbound direction of the mirror source meets the traffic matching conditions of both rule A and rule B, the packet matches rule A first according to the rule priority. The packet will be rejected, will not be mirrored, and will not go on to match rule B.
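The matching rules above as an added Python model (not the vendor's implementation): rules are tried by ascending priority value, the first hit decides, and session priority is applied before rule priority. It evaluates the inbound rule from the mirror filter example table and rules A and B from the worked example; the rule fields, the packet fields, and the skipping of a session whose filter matches nothing are assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed model of the matching rules this page describes, not the vendor's
# implementation: sequence match (smaller priority value first), unique match
# (the first matching rule decides), Accept mirrors, Reject does not mirror,
# and a packet matching no rule is not mirrored.
# Port ranges are (low, high) tuples; None means "All". Protocol "All" matches any.
Rule = namedtuple("Rule", "priority action protocol source src_ports destination dst_ports")
Packet = namedtuple("Packet", "protocol src sport dst dport")

def _port_ok(port, rng):
    return rng is None or rng[0] <= port <= rng[1]

def rule_matches(rule, pkt):
    return (rule.protocol in ("All", pkt.protocol)
            and ip_address(pkt.src) in ip_network(rule.source)
            and ip_address(pkt.dst) in ip_network(rule.destination)
            and _port_ok(pkt.sport, rule.src_ports)
            and _port_ok(pkt.dport, rule.dst_ports))

def filter_decision(rules, pkt):
    """One filter direction: rules tried by ascending priority value,
    the first hit returns its action; None when nothing matched."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            return rule.action
    return None

def is_mirrored(sessions, pkt):
    """sessions: [(session_priority, inbound_rules)], tried by ascending priority.
    Assumption: a session whose filter has no matching rule is skipped."""
    for _, rules in sorted(sessions, key=lambda s: s[0]):
        decision = filter_decision(rules, pkt)
        if decision is not None:
            return decision == "Accept"
    return False

# Constructed rules: the inbound rule from the filter example table, and rules A
# (priority 1, Reject) and B (priority 2, Accept) from the worked example above.
TABLE_RULE = Rule(1, "Accept", "TCP", "172.16.0.0/24", (10000, 10001), "10.0.0.3/32", (80, 80))
RULE_A = Rule(1, "Reject", "TCP", "172.16.0.0/24", None, "10.0.0.3/32", (80, 80))
RULE_B = Rule(2, "Accept", "TCP", "172.16.0.0/24", None, "10.0.0.3/32", (80, 80))
```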
Traffic Mirroring Quotas
Item | Default Quota | Adjustable |
---|---|---|
Maximum number of mirror sources that can be associated with a mirror session | 10 | Yes. For details, see Managing Quotas. |
Maximum number of mirror sessions that can be associated with a mirror source | 3 | No |
Maximum number of mirror targets that can be associated with a mirror session | 1 | No |
Maximum number of mirror sessions that can be associated with a mirror target | | No |
Maximum number of mirror filters that can be associated with a mirror session | 1 | No |
Maximum number of mirror sessions that can be associated with a mirror filter | 1,000 | No |
Maximum number of rules that can be added to a mirror filter | | No |
Maximum number of mirror sessions that can be created in a region | 20,000 | No |
Notes and Constraints
- As shown in Figure 4, mirrored traffic is encapsulated in the standard VXLAN packet format. For more information about the VXLAN protocol, see RFC 7348. If the total length of a mirrored packet plus its VXLAN encapsulation exceeds the MTU of the mirror source, the system truncates the packet. To prevent truncation, you are advised to set the MTU of the elastic network interface to be at least 64 bytes smaller than the MTU supported by the link in IPv4 scenarios.
- Table 5 and Table 6 show the constraints on different types of mirror sources and mirror targets.
Table 5 Constraints on mirror sources
- Mirror source type: Elastic network interface
  - The network interface must be attached to an ECS. Only the network interface of an ECS with certain flavors (such as C7t and aC7) can be used as a mirror source. You can call APIs to query details about ECS flavors and check the value of network_interface:traffic_mirroring_supported in the response to see whether an ECS flavor supports traffic mirroring.
  - An elastic network interface cannot be used as both a mirror source and a mirror target at the same time.
  - Traffic Mirroring uses the bandwidth of the instance to which the elastic network interface is attached and has no bandwidth limit of its own.
Table 6 Constraints on mirror targets
- Mirror target type: Network interface
  - If a mirror target needs to receive mirrored traffic from multiple mirror sources, ensure that the mirror target has proper specifications based on service requirements.
  - An elastic network interface cannot be used as both a mirror source and a mirror target at the same time.
- Mirror target type: Load balancer
  - Encapsulated mirrored packets are sent over IPv4 UDP, so a dedicated load balancer used as the mirror target must support IPv4 UDP.
- If a packet from a mirror source meets multiple mirror filter rules, the packet is matched only once and is mirrored to the mirror target or not according to the action of the matched rule.
- If a packet from a mirror source is discarded by a security group or network ACL, the packet will not be mirrored.
- If a packet from a mirror source matches the mirror filter, the packet is mirrored and is not restricted by the outbound rules of the security group or network ACL of the mirror source. This means you do not need to configure the security group or network ACL of the mirror source. However, for the packet to reach the mirror target, you need to configure the following rules for the security group and network ACL of the mirror target:
  - Add a security group rule to allow inbound UDP packets from the mirror source over port 4789.
Table 7 shows a rule example if the private IP address of the mirror source is 192.168.0.27. To learn how to add a rule, see Adding a Security Group Rule.
  - Add a network ACL rule to allow inbound UDP packets from the mirror source over port 4789.
Table 8 shows a rule example if the IP address of the mirror source is 192.168.0.27. To learn how to add a rule, see Adding a Network ACL Rule.
Table 8 Network ACL rule configuration example (a network interface as the mirror source)
Parameter | Value | Remarks |
---|---|---|
Direction | Inbound | |
Type | IPv4 | |
Action | Allow | |
Protocol | UDP | |
Source | 192.168.0.27/32 | Set the source based on the actual requirements. |
Source Port Range | Not specified | If not specified, all ports are used. |
Destination | Private IPv4 address of the mirror target, for example 192.168.1.24/32 if the mirror target is a network interface or 192.168.1.25/32 if the mirror target is a load balancer | Set the destination based on the actual requirements. Ensure that the IP address of the mirror target is within the destination CIDR block. |
Destination Port Range | 4789 | Port 4789 must be opened. Open other ports based on the actual requirements. |
- Resources from different VPCs cannot communicate with each other. If a mirror source and a mirror target are not in the same VPC, you need to use a VPC peering connection or an enterprise router to connect their VPCs first.
- To use a VPC peering connection, see VPC Peering Connection Overview.
- To use an enterprise router, see Using an Enterprise Router to Enable Communications Between VPCs in the Same Region.
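An added example (not Huawei Cloud code) of what the VXLAN note and the port 4789 rules above mean for a collector behind the mirror target: it computes the encapsulation overhead against the link MTU (the truncation case above) and decapsulates a constructed mirrored packet received on UDP port 4789. The header layout follows RFC 7348; the VNI, MAC and IP addresses in the sample are constructed.

```python
import struct
from ipaddress import IPv4Address

# Added example, not Huawei Cloud code. As the page notes, mirrored traffic
# reaches the mirror target as VXLAN (RFC 7348) inside IPv4 UDP to port 4789.
VXLAN_UDP_PORT = 4789
VXLAN_FLAG_I = 0x08          # RFC 7348: "VNI valid" flag must be set
# Outer IPv4 (20) + UDP (8) + VXLAN (8) + inner Ethernet (14) bytes are added
# in front of the mirrored IP packet.
ENCAP_OVERHEAD = 20 + 8 + 8 + 14

def outer_ip_length(inner_ip_length):
    """Size of the outer IPv4 packet carrying one mirrored IP packet."""
    return inner_ip_length + ENCAP_OVERHEAD

def fits_link(inner_ip_length, link_mtu):
    """False when encapsulation pushes the packet past the link MTU, the
    case in which the page says the system truncates the mirrored packet."""
    return outer_ip_length(inner_ip_length) <= link_mtu

def encapsulate(vni, inner_frame):
    """Build the UDP payload: 8-byte VXLAN header, then the inner frame."""
    header = bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    return header + inner_frame

def decapsulate(udp_payload):
    """Return (vni, inner_ethernet_frame); reject malformed headers."""
    if len(udp_payload) < 8 + 14:
        raise ValueError("VXLAN payload too short")
    if not udp_payload[0] & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    return int.from_bytes(udp_payload[4:7], "big"), udp_payload[8:]

def inner_ipv4_summary(frame):
    """src, dst, protocol and length of the inner IPv4 packet, or None."""
    if len(frame) < 14 + 20 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    return {"src": str(IPv4Address(ip[12:16])), "dst": str(IPv4Address(ip[16:20])),
            "proto": ip[9], "total_length": struct.unpack("!H", ip[2:4])[0]}

# Constructed sample: 40-byte inner IPv4/TCP packet 172.16.0.9 -> 10.0.0.3
# (20-byte IP header, 20 zero bytes standing in for the TCP header).
SAMPLE_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                        IPv4Address("172.16.0.9").packed,
                        IPv4Address("10.0.0.3").packed) + b"\x00" * 20
SAMPLE_FRAME = bytes.fromhex("020000000002" "020000000001" "0800") + SAMPLE_IP
```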
Usage Process
To use the traffic mirroring function, you need to create a mirror session and associate a mirror filter, mirror sources, and a mirror target with the mirror session. Figure 5 shows the process.
Step | Description |
---|---|
Configure basic information about a mirror session. | Set parameters such as the name and priority of the mirror session. |
Associate a mirror filter. | Select a mirror filter and associate it with the mirror session. Each mirror session can have one mirror filter associated. If the required mirror filter does not exist, you can create one by referring to Creating a Mirror Filter. |
Associate mirror sources. | Select an elastic network interface as the mirror source and associate it with the mirror session. Each mirror session can be associated with multiple mirror sources. |
Associate a mirror target. | Select an ECS network interface or load balancer as the mirror target and associate it with the mirror session. |
Finish | If the mirror session is enabled, the traffic from the mirror sources that matches the mirror filter is mirrored to the mirror target. If you do not enable the mirror session when creating it, the traffic of the mirror sources is not mirrored. You can enable the mirror session by referring to Enabling or Disabling a Mirror Session. |