Traffic mirroring#

General information#

The traffic mirroring service copies inbound and outbound traffic from the network interface of one instance to the interface of another instance in the same availability zone. Filters allow for the mirroring of only the selected traffic. The service can be used to connect network appliances for the purpose of content inspection, threat monitoring, and network traffic diagnostics.

Important

Currently, the service is at the preview stage and is only available in the ru-spb region on demand. To use the the service, please contact your manager or leave a request on the support portal.

Key concepts#

  • Mirror source — The network interface of the instance whose traffic should be monitored. Each packet is mirrored only once. However, a single source can be used in multiple mirror sessions. This can be useful when different subsets of traffic are to be processed by different monitoring tools.

  • Mirror target — The network interface of the instance to which the mirrored traffic is directed. Traffic from different sources can be mirrored to a single target.

  • Mirror filter — A set of rules that determines which inbound and outbound traffic should be mirrored. If no rules are specified, no traffic will be mirrored.

  • Mirror session — A specifiс combination of mirror source, mirror filter, and mirror target. The order in which a session is evaluated depends on its number.

Available quotas#

For each project, the following default quotas are allocated for the traffic mirroring service:

  • The number of mirror targets: 350

  • The number of mirror filters: 350

  • The number of rules per filter: 10

  • The number of mirror sessions: 350

  • The number of mirror sessions per mirror source: 3

  • The number of mirror sessions per mirror target: 10

If necessary, you can increase quotas. To do this, contact the support service.

Traffic mirroring management#

To mirror traffic via an existing interface, create the following resources:

Managing mirror targets#

Create a mirror target#

The mirror target must be in the same availability zone as the mirror sources that need to be monitored. The target can be in any VPC of the project.

  1. Go to Interconnect Traffic mirroring Mirror targets.

  2. Click Create.

  3. In the window that opens, set the target parameters.

    • (Optional) Name tag.

    • The network interface to which the mirrored traffic is to be forwarded.

    • (Optional) Mirror target description.

  4. (Optional) If you want to assign tags to the mirror target, click Add tags to go to the next step.

    • If the Name tag was not specified and you want to add it, click Add Name tag and set the tag value.

    • To add an arbitrary tag, click Add tag and enter tag key and value.

  5. Once all parameters are set, click Create.

Delete a mirror target#

A mirror target can only be deleted if it is not used in any mirror session. Before deleting a target, delete all sessions where it is used.

Note

A mirror target is not deleted when its network interface is deleted.

  1. Go to Interconnect Traffic mirroring Mirror targets.

  2. Click Delete.

  3. In the window that opens, confirm the deletion.

A mirror target can be also deleted in the Information tab on its page.

Managing mirror filters#

Mirror filters on the source network interface apply to all outbound traffic as well as inbound traffic that has already been filtered using access control lists, security groups, and source/destination checks. No other filters besides the mirror filter are applied to the traffic mirrored from the source to the target, i.e. all mirrored traffic will get to the target. Therefore, all traffic visible on the mirror target interface that has passed through the mirror filters is mirrored.

Create a mirror filter#

  1. Go to Interconnect Traffic mirroring Mirror filters.

  2. Click Create.

  3. In the window that opens, set the filter parameters.

    • (Optional) Name tag.

    • (Optional) Mirror filter description.

  4. (Optional) If you want to assign tags to the mirror filter, click Add tags to go to the next step.

    • If the Name tag was not specified and you want to add it, click Add Name tag and set the tag value.

    • To add an arbitrary tag, click Add tag and enter tag key and value.

  5. Once all parameters are set, click Create.

Delete a mirror filter#

A mirror filter can only be deleted if it is not used in any mirror session. Before deleting the filter, delete all sessions where it is used.

  1. Go to Interconnect Traffic mirroring Mirror filters.

  2. Click Delete.

  3. In the window that opens, confirm the deletion.

A mirror filter can also be deleted in the Information tab on its page.

Managing mirror sessions#

A mirror session determines which target the traffic from the selected source should be mirrored to and which filter should be applied to that traffic.

First, filter rules from the session with the lowest number are applied to the traffic. If the traffic does not match any of these rules, the filter rules from the session with the next number are applied, etc.

For example, for several sessions with the shared mirror source, the Reject all rule should be set in the session with the highest number; otherwise, the rules in the sessions with numbers higher than that of the session where it is set, will not be applied.

Create a mirror session#

  1. Go to Interconnect Traffic mirroring Mirror sessions.

  2. Click Create.

  3. In the window that opens, set the session parameters.

    • (Optional) Name tag.

    • (Optional) Mirror filter description.

    • Network interface that needs to be monitored.

    • Mirror target where the mirrored traffic will be directed to.

    • Mirror filter to be applied to the mirrored traffic.

    • Session number ranging from 1 to 128. The number determines the order in which sessions for the same mirror source are processed. Rules with lower numbers are applied first.

  4. (Optional) If you want to assign tags to the mirror session, click Add tags to go to the next step.

    • If the Name tag was not specified and you want to add it, click Add Name tag and set the tag value.

    • To add an arbitrary tag, click Add tag and enter tag key and value.

  5. Once all parameters are set, click Create.

Delete a mirror session#

Note

If a network interface of the mirror source or target is deleted, its respective session will be automatically deleted too.

  1. Go to Interconnect Traffic mirroring Mirror sessions.

  2. Click Delete.

  3. In the window that opens, confirm the deletion.

A mirror session can be also deleted on its page.

Managing filter rules#

Filter rules are applied in ascending order of their numbers. The first matching rule determines whether a packet will be mirrored. For example, if an inbound rule No. 10 mirrors (Accept) TCP traffic to ports 22, 80, and 443, and a rule No. 100 rejects (Reject) all TCP traffic, the first rule will be applied first. As a result, SSH, HTTP, and HTTPS traffic will be mirrored, while all other traffic will be rejected.

Note

If no rule is set for inbound or outbound traffic, the corresponding traffic will not be mirrored.

Add a filter rule#

  1. Go to Interconnect Traffic mirroring Mirror filters.

  2. Find the mirror filter for which you need to create a rule, and click the filter ID to go to its page.

  3. To create an inbound or outbound rule, go to the respective tab and click Add.

  4. In the window that opens, configure the filter rule:

    • (Optional) Name tag.

    • (Optional) Filter rule description.

    • Rule number ranging from 1 to 128.

    • Rule triggered action:

      • Accept — mirroring traffic;

      • Reject — rejecting traffic.

    • Protocol. By default, the action applies to all protocols. You can select a protocol from the list or specify an arbitrary one.

    • Protocol number. This option is available only if Other is selected as the protocol.

    • Traffic source IP address (in CIDR notation).

    • Traffic destination IP address (in CIDR notation).

    • Traffic source port. Applicable only for TCP and UDP. You can select a specific port or a range of ports.

    • Traffic destination port. Applicable only for TCP and UDP. You can select a specific port or a range of ports.

  5. (Optional) If you want to assign tags to the rule, click Add tags to go to the next step.

    • If the Name tag was not specified and you want to add it, click Add Name tag and set the tag value.

    • To add an arbitrary tag, click Add tag and enter tag key and value.

  6. Once all parameters are set, click Create.

Modify a filter rule#

Tags cannot be changed while modifying the rule. You can set up them separately.

  1. Go to Interconnect Traffic mirroring Mirror filters.

  2. Find the mirror filter where the rule needs to be changed, and click the filter ID to go to its page.

  3. To modify the inbound/outbound rule, go to the corresponding tab and click Modify.

  4. In the window that opens, you can modify the following filter rule parameters:

    • (Optional) Filter rule description.

    • Rule number ranging from 1 to 128.

    • Rule triggered action:

      • Accept — mirroring traffic;

      • Reject — rejecting traffic.

    • Protocol. You can select a protocol from the list or specify an arbitrary one.

    • Protocol number. This option is available only if Other is selected as the protocol.

    • Traffic source IP address (in CIDR notation).

    • Traffic destination IP address (in CIDR notation).

    • Traffic source port. Applicable only for TCP and UDP. You can select a specific port or a range of ports.

    • Traffic destination port. Applicable only for TCP and UDP. You can select a specific port or a range of ports.

  5. Once all parameters are set, click Save.

Customize tags for a rule#

To add, modify or delete tags for a filter rule:

  1. Go to Interconnect Traffic mirroring Mirror filters.

  2. In the resource table, find the filter which the rule releates to and click the filter ID to go to the filter page.

  3. To assign tags to an inbound/outbound rule, go to the corresponding tab.

  4. In the resource table, select the rule and click Customize tags.

  5. To add a tag, click Add tag and specify the Key and Value fields.

    To modify a tag, edit the required fields (Value and/or Key) of the respective tag.

    To delete a tag, click the icon next to the tag you no longer need.

    Note

    If no tags have been set earlier, you can add the Name tag by clicking Add Name tag and specifying its value.

  6. Click Apply to save the changes.

Delete a filter rule#

  1. Go to Interconnect Traffic mirroring Mirror filters.

  2. Find the mirror filter from which you need to delete a rule, and click the filter ID to go to its page.

  3. To delete an inbound/outbound rule, go to the corresponding tab.

  4. In the resource table, select the filter rule to be deleted and click Delete.

  5. In the window that opens, confirm the action.

Information on traffic mirroring#

General information about a specific type of resources (mirror sessions, mirror targets, and mirror filters) can be found in the resource table of the corresponding section. To view the table, go to Interconnect Traffic mirroring and open the required subsection.

Information on mirror session#

To view details of a specific mirror session, go to Interconnect Traffic mirroring Mirror sessions and click the session ID in the resource table.

The Information tab provides the detailed information about the mirror session:

  • Name tag;

  • description;

  • mirror source;

  • mirror target;

  • mirror filter;

  • session number.

Here you can delete the session.

The Tags tab displays information about assigned tags. You can add new, modify existing, and delete no-longer-needed tags.

Information on mirror target#

To view details of a specific mirror target, go to Interconnects Traffic mirroring Mirror targets and click the target ID in the resource table.

The Information tab provides the detailed information about the mirror target:

  • Name tag;

  • ID of the network interface of the mirror target;

  • description;

  • number of mirror sessions in which the target is included.

Here you can delete the mirror target.

The Sessions tab displays a table with data on the sessions in which the target is included:

  • session ID;

  • Name tag;

  • session description;

  • session number;

  • mirror filter in use;

  • mirror source.

Note

The sequence and scope of the displayed fields may vary depending on the table preview settings.

Here you can create new sessions and delete existing ones.

The Tags tab displays information about tags assigned to the mirror target. You can add new, modify existing, and delete no-longer-needed tags.

Information on mirror filters#

To view details of a specific mirror filter, go to Interconnect Traffic mirroring Mirror filters and click the filter ID in the resource table.

The Information tab provides the detailed information about the mirror filter:

  • Name tag;

  • description;

  • number of inbound traffic rules;

  • number of outbound traffic rules.

The Outbound traffic rules and Inbound traffic rules tabs display a table with data on the respective rules defined for the filter:

  • rule ID;

  • Name tag;

  • rule description;

  • rule number;

  • rule-triggered action;

  • filtered protocol;

  • CIDR of the traffic source;

  • CIDR of the traffic destination;

  • ports of the traffice source;

  • port of the traffic destination.

Note

The sequence and scope of the displayed fields may vary depending on the table preview settings.

Here you can add, modify, and delete rules, as well as customize tags for a specific rule.

The Tags tab displays information about tags assigned to the mirror filter. You can add new, modify existing, and delete no-longer-needed tags .