
Traffic Mirroring

Updated on 2025-01-17 GMT+08:00

What Is Traffic Mirroring?

Traffic Mirroring copies traffic that matches a mirror filter from mirror sources, such as elastic network interfaces, to a mirror target, such as a network interface or a load balancer. You configure inbound and outbound rules in the mirror filter to decide which traffic is mirrored. The mirrored traffic can then be fed to other tools for inspection, audit analysis, and troubleshooting.

NOTICE:

Currently, the Traffic Mirroring function is free. You will be notified in advance if the billing starts.

Currently, Traffic Mirroring is available only in certain regions. For details, visit Function Overview and click Traffic Mirroring.

Concepts

The following are the concepts for Traffic Mirroring:
  • A mirror filter is a set of inbound rules and outbound rules that determines which traffic is mirrored. For each rule you specify matching criteria (protocol, IP type, source, destination, and port ranges), a priority, and an action (Accept or Reject).
    • Inbound rules match the traffic received by a mirror source.
    • Outbound rules match the traffic sent by a mirror source.
  • A mirror source is an elastic network interface from which traffic is mirrored.
  • A mirror target is a network interface of a cloud server or a load balancer that receives the mirrored traffic.
  • A mirror session ties together one mirror filter, one or more mirror sources, and one mirror target. It mirrors the traffic from its mirror sources that matches its mirror filter to its mirror target.

Working Principles

The following describes the working principles of traffic mirroring. As shown in Figure 1, a mirror session is associated with two mirror sources, one mirror filter, and one mirror target.
  • Mirror source 01 is network interface-B, which is attached to ECS-B. When ECS-B accesses ECS-A, the traffic in both directions on network interface-B is mirrored.
  • Mirror source 02 is network interface-C, which is attached to ECS-C. When ECS-C is accessed from the Internet, the traffic in both directions on network interface-C is mirrored.
  • The mirror filter contains both inbound and outbound rules.
  • The mirror target is a load balancer that receives the mirrored traffic.

In Table 1, the mirror sources network interface-B and network interface-C are used as examples to describe the traffic mirroring principle.

Figure 1 Traffic mirroring architecture
Table 1 Mirror path of packets

Mirror Source | Access Path | Packet | Direction | Description
Network interface-B | From ECS-B to ECS-A | Request packet 01 | Outbound | Request packet 01 sent by ECS-B is an outbound packet for network interface-B. If packet 01 matches an outbound rule of the mirror filter, it is mirrored to the load balancer.
Network interface-B | From ECS-B to ECS-A | Response packet 02 | Inbound | Response packet 02 returned by ECS-A is an inbound packet for network interface-B. If packet 02 matches an inbound rule of the mirror filter, it is mirrored to the load balancer.
Network interface-C | From the Internet to ECS-C | Request packet 03 | Inbound | Request packet 03 from the Internet is an inbound packet for network interface-C. If packet 03 matches an inbound rule of the mirror filter, it is mirrored to the load balancer.
Network interface-C | From the Internet to ECS-C | Response packet 04 | Outbound | Response packet 04 sent by ECS-C is an outbound packet for network interface-C. If packet 04 matches an outbound rule of the mirror filter, it is mirrored to the load balancer.

Table 2 shows the rules in a mirror filter and describes how the mirror session filters traffic using them.
Table 2 Traffic filtering description

Direction | Priority | Protocol | Action | Type | Source | Source Port Range | Destination | Destination Port Range | Filtering Description
Inbound | 1 | TCP | Accept | IPv4 | 172.16.0.0/24 | 10000-10001 | 10.0.0.3/32 | 80-80 | For traffic entering a network interface of the mirror source, the mirror session mirrors packets that meet this rule: TCP (IPv4) packets from source 172.16.0.0/24 over port 10000 or 10001 to destination 10.0.0.3/32 over port 80.
Outbound | 1 | All | Reject | IPv4 | 192.168.0.0/24 | All | 10.2.0.0/24 | All | For traffic leaving a network interface of the mirror source, the mirror session does not mirror packets that meet this rule: IPv4 packets from source 192.168.0.0/24 over any port to destination 10.2.0.0/24 over any port.

Application Scenarios

  • Traffic inspection

    When a network intrusion is suspected, you can mirror the relevant traffic to security tooling for comprehensive analysis and inspection. This helps you quickly locate the security problem and keep the network secure.

  • Traffic auditing

    You can mirror traffic to a dedicated platform for auditing and analysis. This suits scenarios with high security requirements, such as finance.

  • Fault locating

    O&M engineers can inspect mirrored traffic directly instead of capturing packets on the service servers themselves, so troubleshooting does not affect the services.

Matching Rules

If a packet from a mirror source meets multiple mirror filter rules, the packet is matched only once. The matching rules are described as follows:

Table 3 Matching rules

Matching Rule | Description
Sequence match | Matching proceeds from the highest priority to the lowest. A smaller value indicates a higher priority; for example, priority 1 is higher than priority 2. Priority applies at two levels. Mirror session priority: a mirror source can be associated with multiple mirror sessions at the same time, and the sessions are tried from highest to lowest priority (see the matching process of mirror sessions below). Mirror filter rule priority: a mirror session can be associated with only one mirror filter, which contains multiple rules, and the rules are tried from highest to lowest priority (see the matching process of mirror filter rules below). Each inbound or outbound mirror filter rule decides whether the traffic it matches is mirrored; for each rule you specify the matching criteria, a priority, and an action.
Unique match | Once a packet matches a mirror filter rule, it is not evaluated against any other rule.

  • Figure 2 describes the matching process of mirror sessions. If a mirror source is associated with multiple mirror sessions, packets are evaluated against the sessions from the highest session priority to the lowest. Inbound packets are used as an example here.
    • If a packet matches an inbound mirror filter rule of a mirror session:
      • The packet is mirrored if the rule action is Accept.
      • The packet is not mirrored if the rule action is Reject.
    • If a packet does not match any inbound mirror filter rule in a mirror session, the packet is not mirrored.
    For example, a mirror source is associated with both mirror session A (priority 1) and mirror session B (priority 2). If an inbound packet on the mirror source meets the mirror filter rules of both sessions, it is evaluated against the rules of mirror session A first because of the higher priority, and the rules of mirror session B are never consulted for it.
    Figure 2 Mirror session matching process
  • Figure 3 describes the matching process of mirror filter rules. If a mirror source is associated with only one mirror session, packets are evaluated against the inbound mirror filter rules from the highest rule priority to the lowest. Inbound packets are used as an example here.
    • If a packet matches an inbound mirror filter rule:
      • The packet is mirrored if the rule action is Accept.
      • The packet is not mirrored if the rule action is Reject.
    • If a packet does not match any inbound mirror filter rule, the packet is not mirrored.
    For example, a mirror source is associated with mirror session A, whose mirror filter has inbound rules A and B with the same traffic matching conditions but different priorities and actions: rule A has priority 1 and action Reject, and rule B has priority 2 and action Accept. An inbound packet that meets the conditions of both rules is evaluated against rule A first because of its priority. It is rejected, is not mirrored, and is never evaluated against rule B. A Reject rule with a higher priority than a broader Accept rule is therefore the way to carve exceptions out of the traffic that the Accept rule would otherwise mirror.
    Figure 3 Mirror filter rule matching process
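The session and rule matching described above, as an added example that is not part of the Huawei Cloud documentation or service code: a small Python model of the process that uses the two rules from Table 2 as the filter of one session and reproduces the priority examples of Figures 2 and 3. The session and target names, the packets, and the Packet/Rule field layout are constructed for the demo. The page does not state what happens to a packet that matches no rule in the highest-priority session but would match a lower-priority one; the model assumes it is evaluated against the next session, since otherwise a second session on the same source could never mirror anything.

```python
"""Model of mirror session and mirror filter rule matching (Tables 2 and 3,
Figures 2 and 3).  Added example, not Huawei Cloud's implementation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "Inbound" or "Outbound", relative to the mirror source
    protocol: str    # "TCP", "UDP", "ICMP", ...
    ip_type: str     # "IPv4" or "IPv6"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    priority: int    # smaller value = higher priority
    protocol: str    # protocol name or "All"
    action: str      # "Accept" or "Reject"
    ip_type: str
    source: str      # CIDR block
    sport: str       # "All" or "low-high", as the console shows it
    destination: str
    dport: str

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.ip_type == pkt.ip_type
                and self.protocol in ("All", pkt.protocol)
                and ip_address(pkt.src) in ip_network(self.source, strict=False)
                and ip_address(pkt.dst) in ip_network(self.destination, strict=False)
                and port_in_range(pkt.sport, self.sport)
                and port_in_range(pkt.dport, self.dport))


def port_in_range(port: int, spec: str) -> bool:
    """Port specs look like "80-80", "10000-10001" or "All"."""
    if spec == "All":
        return True
    low, high = (int(p) for p in spec.split("-"))
    return low <= port <= high


@dataclass(frozen=True)
class Session:
    name: str
    priority: int
    target: str                  # mirror target (network interface or load balancer)
    rules: Tuple[Rule, ...]      # the session's single mirror filter
    enabled: bool = True


def match_filter(rules: Iterable[Rule], pkt: Packet) -> Optional[Rule]:
    """Figure 3: rules for the packet's direction are tried from highest to
    lowest priority; the first hit is final (unique match)."""
    for rule in sorted((r for r in rules if r.direction == pkt.direction),
                       key=lambda r: r.priority):
        if rule.matches(pkt):
            return rule
    return None


def mirror_decision(sessions: Iterable[Session], pkt: Packet):
    """Figure 2: sessions on one mirror source are tried from highest to lowest
    priority.  Returns (mirrored, target, session name, rule).  A Reject hit ends
    matching without mirroring.  Assumption (not spelled out on the page): a packet
    matching no rule in a session is evaluated against the next session."""
    for sess in sorted(sessions, key=lambda s: s.priority):
        if not sess.enabled:             # a disabled session mirrors nothing
            continue
        rule = match_filter(sess.rules, pkt)
        if rule is not None:
            mirrored = rule.action == "Accept"
            return mirrored, (sess.target if mirrored else None), sess.name, rule
    return False, None, None, None


# The two rules of Table 2 as the filter of session A (names are constructed).
TABLE2_RULES = (
    Rule("Inbound", 1, "TCP", "Accept", "IPv4", "172.16.0.0/24", "10000-10001", "10.0.0.3/32", "80-80"),
    Rule("Outbound", 1, "All", "Reject", "IPv4", "192.168.0.0/24", "All", "10.2.0.0/24", "All"),
)
SESSION_A = Session("session-A", 1, "elb-mirror-target", TABLE2_RULES)

# Constructed packets, not captures.
PKT_IN_HIT = Packet("Inbound", "TCP", "IPv4", "172.16.0.5", 10000, "10.0.0.3", 80)
PKT_IN_MISS = Packet("Inbound", "TCP", "IPv4", "172.16.0.5", 10002, "10.0.0.3", 80)
PKT_OUT_REJ = Packet("Outbound", "UDP", "IPv4", "192.168.0.9", 53000, "10.2.0.7", 53)

if __name__ == "__main__":
    for pkt in (PKT_IN_HIT, PKT_IN_MISS, PKT_OUT_REJ):
        print(pkt.direction, pkt.src, "->", pkt.dst, mirror_decision([SESSION_A], pkt)[:2])
```

Running the block evaluates the three packets against session A: the first is mirrored to the target, the second matches nothing (source port 10002 is outside 10000-10001), and the third hits the Reject rule and is dropped from mirroring without any further rule being consulted.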

Traffic Mirroring Quotas

Table 4 lists the quotas for Traffic Mirroring resources. Some default quotas can be increased.
Table 4 Quotas

Item | Default Quota | Adjustable
Maximum number of mirror sources that can be associated with a mirror session | 10 | Yes. For details, see Managing Quotas.
Maximum number of mirror sessions that can be associated with a mirror source | 3 | No
Maximum number of mirror targets that can be associated with a mirror session | 1 | No
Maximum number of mirror sessions that can be associated with a mirror target | 10 if the mirror target is the network interface of a cloud server; 200 if the mirror target is a load balancer | No
Maximum number of mirror filters that can be associated with a mirror session | 1 | No
Maximum number of mirror sessions that can be associated with a mirror filter | 1,000 | No
Maximum number of rules that can be added to a mirror filter | 10 inbound rules and 10 outbound rules | No
Maximum number of mirror sessions that can be created in a region | 20,000 | No

Notes and Constraints

  • As shown in Figure 4, mirrored traffic is encapsulated in the standard VXLAN packet format. If the length of the original packet plus the VXLAN encapsulation exceeds the MTU of the mirror source, the system truncates the mirrored packet. To prevent truncation, you are advised to set the MTU of the elastic network interface to at least 64 bytes less than the MTU supported by the link in IPv4 scenarios.
    Figure 4 Traffic Mirroring packet format
  • Table 5 and Table 6 show the constraints on the different types of mirror sources and mirror targets.
    Table 5 Constraints on mirror sources

    Mirror Source Type | Constraints
    Elastic network interface | The network interface must be attached to an ECS, and only the network interfaces of ECSs with certain flavors (such as C7t and aC7) can be used as mirror sources. You can call the APIs to query details about ECS flavors and use the response value of network_interface:traffic_mirroring_supported to check whether an ECS flavor supports traffic mirroring. An elastic network interface cannot be used as both a mirror source and a mirror target at the same time. Mirrored traffic consumes the bandwidth of the instance the elastic network interface is attached to, and Traffic Mirroring itself imposes no bandwidth limit on it, so size the source instance's bandwidth with the mirrored copy in mind.

    Table 6 Constraints on mirror targets

    Mirror Target Type | Constraints
    Network interface | If a mirror target needs to receive mirrored traffic from multiple mirror sources, ensure that the mirror target has specifications adequate for the combined volume. An elastic network interface cannot be used as both a mirror source and a mirror target at the same time.
    Load balancer | Mirrored packets are encapsulated in VXLAN, which is carried over IPv4 UDP, so the dedicated load balancer used as the mirror target must support IPv4 UDP.

  • If a packet from a mirror source meets multiple mirror filter rules, the packet is matched only once, and whether it is mirrored to the mirror target depends on the action of the rule it matched.
  • If a packet from a mirror source is discarded by a security group or network ACL, the packet is not mirrored. Traffic that the source's security group or network ACL blocks therefore never reaches the mirror target.
  • If a packet from a mirror source matches the mirror filter, it is mirrored without being subject to the outbound rules of the mirror source's security group or network ACL, so no extra rules are needed on the mirror source. For the mirrored traffic to be accepted by the mirror target, however, you need to configure the following rules in the security group and network ACL of the mirror target:
    • Add a security group rule that allows inbound UDP packets from the mirror source over port 4789.
      Table 7 shows a rule example for a mirror source whose private IP address is 192.168.0.27. To learn how to add a rule, see Adding a Security Group Rule.
      Table 7 Security group rule configuration example (a network interface as the mirror source)

      Direction | Action | Type | Protocol & Port | Source
      Inbound | Allow | IPv4 | UDP: 4789 | 192.168.0.27/32

      Set the source to match your actual mirror sources. Listing their private IP addresses (one /32 per source, or the narrowest CIDR block that covers them) rather than a wide block keeps port 4789 on the target from being reachable by anything other than the mirror sources.

    • Add a network ACL rule that allows inbound UDP packets from the mirror source over port 4789.
      Table 8 shows a rule example for a mirror source whose IP address is 192.168.0.27. To learn how to add a rule, see Adding a Network ACL Rule.
      Table 8 Network ACL rule configuration example (a network interface as the mirror source)

      Direction | Type | Action | Protocol | Source | Source Port Range | Destination | Destination Port Range
      Inbound | IPv4 | Allow | UDP | 192.168.0.27/32 | All | 192.168.1.24/32 | 4789

      Set the source to match your actual mirror sources, as for the security group rule. If the source port range is not specified, all ports are used. Set the destination to the private IPv4 address of the mirror target, for example 192.168.1.24/32 if the mirror target is a network interface or 192.168.1.25/32 if it is a load balancer, and ensure that the mirror target's IP address is within the destination CIDR block. Port 4789 must be opened; open other ports only if your actual requirements call for them.

  • Resources in different VPCs cannot communicate with each other by default. If a mirror source and a mirror target are not in the same VPC, connect their VPCs first using a VPC peering connection or an enterprise router.
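The packet format note above says only that the mirror target receives VXLAN on UDP port 4789 and that oversized packets arrive truncated. What that looks like on the receiving side, as an added example that is not code from this page or from Huawei Cloud: a decoder for the datagram a mirror target reads from port 4789, following the standard VXLAN layout (8-byte header, then the original Ethernet frame), plus a truncation check that compares the inner IPv4 length field with the bytes actually present. The sample packet, its VNI of 100, the MAC and IP addresses and the ports are constructed for the demo; checksums are left zero and are not verified.

```python
"""Decode a mirrored packet as it arrives at the mirror target on UDP port 4789.
Added example; the layout follows standard VXLAN (RFC 7348), and the sample
packet below is constructed, not captured."""
import struct
from ipaddress import IPv4Address
from typing import Optional

VXLAN_PORT = 4789
VXLAN_FLAG_I = 0x08                    # "VNI present" flag in the VXLAN header
ETH_P_IP = 0x0800                      # EtherType of IPv4
VXLAN_IPV4_OVERHEAD = 14 + 20 + 8 + 8  # outer Ethernet + IPv4 + UDP + VXLAN headers
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def recommended_source_mtu(link_mtu: int, margin: int = 64) -> int:
    """MTU to set on the mirror source's network interface.  The page advises at
    least 64 bytes below the link MTU for IPv4, which leaves headroom over the
    50 bytes of outer headers that VXLAN over IPv4 adds."""
    return link_mtu - margin


def parse_mirrored(payload: bytes) -> dict:
    """Decode the UDP payload received on port 4789: an 8-byte VXLAN header followed
    by the original Ethernet frame.  Inner IPv4 with TCP/UDP ports is decoded;
    checksums are not verified."""
    if len(payload) < 8 + 14:
        raise ValueError("payload too short for VXLAN and Ethernet headers")
    if not payload[0] & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; not a valid VXLAN packet")
    vni = int.from_bytes(payload[4:7], "big")
    frame = payload[8:]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"vni": vni, "ethertype": ethertype, "truncated": False}
    if ethertype != ETH_P_IP:
        return info                    # only inner IPv4 is decoded here
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("inner IPv4 header truncated")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info.update(proto=PROTO_NAMES.get(proto, str(proto)),
                src=str(IPv4Address(src)), dst=str(IPv4Address(dst)),
                ip_total_length=total_len, bytes_present=len(ip))
    # The source's MTU is enforced on the encapsulated copy, so an oversized
    # original arrives cut short: fewer bytes than its own length field claims.
    info["truncated"] = len(ip) < total_len
    if proto in (6, 17) and len(ip) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return info


def build_sample(payload_len: int = 40, truncate_to: Optional[int] = None) -> bytes:
    """Constructed sample, not a capture: VXLAN (VNI 100) around an Ethernet/IPv4/TCP
    frame from 172.16.0.5:10000 to 10.0.0.3:80 with payload_len bytes of data.
    Checksums are left zero.  truncate_to simulates the cut-off the page describes."""
    tcp = struct.pack("!HHIIBBHHH", 10000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + b"A" * payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     IPv4Address("172.16.0.5").packed, IPv4Address("10.0.0.3").packed) + tcp
    eth = bytes.fromhex("fa163e000001fa163e000002") + struct.pack("!H", ETH_P_IP)
    vxlan = bytes([VXLAN_FLAG_I, 0, 0, 0]) + (100).to_bytes(3, "big") + b"\x00"
    pkt = vxlan + eth + ip
    return pkt if truncate_to is None else pkt[:truncate_to]


if __name__ == "__main__":
    # A real receiver would bind a UDP socket to VXLAN_PORT on the mirror target
    # and feed each datagram to parse_mirrored(); here the datagram is constructed.
    print(parse_mirrored(build_sample()))
    print(parse_mirrored(build_sample(truncate_to=60)))
```

A truncated copy still carries complete headers in most cases, so flow-level analysis works, but payload inspection on it is unreliable; that is why the MTU advice above matters for the inspection and audit scenarios.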

Usage Process

To use the traffic mirroring function, you create a mirror session and associate a mirror filter, mirror sources, and a mirror target with it. Figure 5 shows the process.

Figure 5 Process of using Traffic Mirroring
Table 9 Description of the Traffic Mirroring process

Step | Description | Reference
Configure basic information about a mirror session. | Set parameters such as the name and priority of the mirror session. | Creating a Mirror Session
Associate a mirror filter. | Select a mirror filter and associate it with the mirror session. Each mirror session can have only one mirror filter. If the mirror filter you need does not exist yet, create it by referring to Creating a Mirror Filter. | Creating a Mirror Session
Associate mirror sources. | Select elastic network interfaces as the mirror sources and associate them with the mirror session. Each mirror session can be associated with multiple mirror sources. | Creating a Mirror Session
Associate a mirror target. | Select the network interface of a cloud server or a load balancer as the mirror target and associate it with the mirror session. | Creating a Mirror Session
Finish | If the mirror session is enabled, the traffic from the mirror sources that matches the mirror filter is mirrored to the mirror target. If you do not enable the mirror session when creating it, no traffic is mirrored until you enable it. | Enabling or Disabling a Mirror Session
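Enabling the session only delivers traffic if the mirror target admits it, so before the Finish step it is worth checking that the target's security group contains the rule described under Notes and Constraints (inbound IPv4 UDP port 4789 from every mirror source) and that it admits that traffic from nothing else. The following audit is an added example, not Huawei Cloud code or an API of the service: it models security group rules with the columns of Table 7, and the addresses, the rule set and the /24 threshold used to call a source block "too broad" are assumptions for the demo.

```python
"""Audit a mirror target's security group for the inbound rule that mirrored
traffic needs: IPv4 UDP port 4789 from each mirror source.  Added example,
not Huawei Cloud code; rule fields follow the columns of Table 7."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

VXLAN_PORT = 4789


@dataclass(frozen=True)
class SgRule:
    direction: str   # "Inbound" or "Outbound"
    action: str      # "Allow" or "Deny"
    ip_type: str     # "IPv4" or "IPv6"
    protocol: str    # "UDP", "TCP", "ICMP" or "All"
    ports: str       # "4789", "4789-4790" or "All"
    source: str      # CIDR block, e.g. "192.168.0.27/32"


def ports_cover(spec: str, port: int) -> bool:
    """Port column as the console shows it: a single port, a low-high range, or All."""
    if spec == "All":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def permits_mirror_traffic(rule: SgRule, src_ip: str) -> bool:
    """True if the rule admits the encapsulated mirror traffic (IPv4 UDP/4789) from src_ip."""
    return (rule.direction == "Inbound" and rule.action == "Allow"
            and rule.ip_type == "IPv4"
            and rule.protocol in ("All", "UDP")
            and ports_cover(rule.ports, VXLAN_PORT)
            and ip_address(src_ip) in ip_network(rule.source, strict=False))


def minimal_rules(mirror_sources: Iterable[str]) -> List[SgRule]:
    """The rule of Table 7, once per mirror source, with a /32 source."""
    return [SgRule("Inbound", "Allow", "IPv4", "UDP", str(VXLAN_PORT), f"{ip}/32")
            for ip in mirror_sources]


def audit_target_rules(rules: Iterable[SgRule], mirror_sources: Iterable[str],
                       min_prefixlen: int = 24) -> Dict[str, list]:
    """Report (a) mirror sources that no rule admits, whose mirrored traffic is
    therefore dropped at the target, and (b) rules that admit mirror traffic from
    a block wider than /min_prefixlen, which exposes port 4789 beyond the mirror
    sources.  The /24 threshold is a policy assumption, not something the page sets."""
    rules, sources = list(rules), list(mirror_sources)
    missing = [ip for ip in sources
               if not any(permits_mirror_traffic(r, ip) for r in rules)]
    too_broad = [r for r in rules
                 if any(permits_mirror_traffic(r, ip) for ip in sources)
                 and ip_network(r.source, strict=False).prefixlen < min_prefixlen]
    return {"missing": missing, "too_broad": too_broad}


if __name__ == "__main__":
    sources = ["192.168.0.27", "192.168.0.28"]        # constructed mirror source IPs
    current = [SgRule("Inbound", "Allow", "IPv4", "UDP", "4789", "192.168.0.27/32"),
               SgRule("Inbound", "Allow", "IPv4", "TCP", "22", "0.0.0.0/0"),
               SgRule("Inbound", "Allow", "IPv4", "UDP", "4789", "0.0.0.0/0")]
    print(audit_target_rules(current, sources))       # .28 admitted only by the wide rule
    print(audit_target_rules(minimal_rules(sources), sources))
```

In the constructed rule set, the second mirror source is admitted only through the 0.0.0.0/0 rule, which the audit flags as too broad; replacing it with the per-source /32 rules from minimal_rules() clears both findings. The same check belongs on the network ACL of the target's subnet, with the destination constrained to the target's private address as in Table 8.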
