
AWS VPC Traffic Mirroring Improves Out-of-Band Traffic Inspection

AWS VPC Traffic Mirroring gives customers more visibility for out-of-band traffic inspection. This feature is another useful tool for monitoring in the AWS cloud.

AWS developed VPC Traffic Mirroring in response to its customers’ desire to have greater visibility into network traffic within their Virtual Private Clouds (VPC).

A Virtual Private Cloud is a software-defined networking environment in the AWS cloud in which the customer has full control over IP addresses and routing of instances within the VPC. Before Traffic Mirroring, the primary native AWS service that gave customers visibility into their VPC’s network behavior was VPC Flow Logs.

VPC Flow Logs is a useful feature but has some limitations. The Flow Logs feature gives users an auditable record of metadata about the traffic in the VPC, but while it records information such as which instances are communicating over which ports, it doesn’t allow for inspection of the packets themselves.

VPC Traffic Mirroring allows AWS customers to gain real-time visibility and inspection into the traffic flowing through the virtual machines in their VPC, without having to install agents on those operating systems. Customers simply enable traffic mirroring on their Elastic Network Interfaces (ENIs, virtual network cards), and can then decide where to forward the traffic and what filters to apply.

VPC Traffic Mirroring then forwards the packets wrapped in metadata to the target, which could be another instance or a Network Load Balancer in front of a group of instances, to analyze that traffic. Customers can analyze the traffic using open-source tools, custom-built solutions, or commercial off-the-shelf solutions purchased on AWS Marketplace from partners such as Cisco, Palo Alto, or Riverbed.
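The mirrored packets arrive at the target wrapped in an encapsulation header that carries the session identifier, and any custom analyzer has to strip that wrapper before it can look at the original frame. The following is an added example, not AWS's code or a tool from the page: it assumes the mirror target receives UDP datagrams whose payload is a VXLAN header (8 bytes, with the 24-bit VNI identifying the mirror session) followed by the original Ethernet frame, and it parses the inner Ethernet, IPv4 and TCP/UDP headers down to the flow's 5-tuple. The sample datagram is constructed inline, not captured from a real VPC.

```python
"""Decapsulate a VXLAN-wrapped mirrored packet and extract the inner 5-tuple.

Added illustration, not AWS's implementation. Assumption: the analyzer sees
the UDP payload as [8-byte VXLAN header][original Ethernet frame] and the VNI
in that header identifies the mirror session. Sample bytes are constructed.
"""
import socket
import struct

VXLAN_HEADER_LEN = 8
VXLAN_FLAG_VNI_VALID = 0x08  # the "I" flag: VNI field is valid
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def parse_vxlan(payload: bytes):
    """Return (vni, inner_frame); raise ValueError on a malformed header."""
    if len(payload) < VXLAN_HEADER_LEN:
        raise ValueError("payload shorter than a VXLAN header")
    if not payload[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    vni = int.from_bytes(payload[4:7], "big")  # bytes 4..6 hold the 24-bit VNI
    return vni, payload[VXLAN_HEADER_LEN:]


def parse_inner_frame(frame: bytes) -> dict:
    """Parse Ethernet II + IPv4 + TCP/UDP headers from the mirrored frame.

    Returns the flow's addresses and protocol; ports are included only for
    TCP/UDP. Non-IPv4 frames are reported by EtherType only.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return {"ethertype": ethertype}
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _tlen, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (options included)
    l4 = ip[ihl:]
    info = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto}
    if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info


def describe_mirrored_packet(datagram: bytes) -> dict:
    """Full pipeline: VXLAN decapsulation followed by inner-header parsing."""
    vni, frame = parse_vxlan(datagram)
    info = parse_inner_frame(frame)
    info["vni"] = vni
    return info


def build_sample_datagram(vni: int) -> bytes:
    """Constructed VXLAN payload: header + Ethernet + IPv4 + TCP SYN, no data."""
    vxlan = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    eth = (b"\x02\x00\x00\x00\x00\x01"        # destination MAC (locally administered)
           + b"\x02\x00\x00\x00\x00\x02"      # source MAC
           + struct.pack("!H", ETHERTYPE_IPV4))
    tcp = struct.pack("!HHIIBBHHH", 54321, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     PROTO_TCP, 0, socket.inet_aton("10.0.1.10"),
                     socket.inet_aton("10.0.2.20"))
    return vxlan + eth + ip + tcp


if __name__ == "__main__":
    print(describe_mirrored_packet(build_sample_datagram(1234)))
```

In a real deployment the datagram would come from a UDP socket bound on the target; the parser rejects short or flag-less headers instead of silently indexing past the buffer, which matters because the target is ingesting traffic it does not control.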

[Figure] Source: AWS Online Tech Talks, YouTube, Feb. 26, 2020

Currently, Traffic Mirroring is only supported on Nitro-based instances (C5, M5), though AWS has mentioned that it may expand support to additional instance types in the future if demand warrants.

Traffic Mirroring users must be cognizant of bandwidth limitations based on the filters they apply. Mirroring all traffic doubles the bandwidth the source consumes, since every packet is sent once to its destination and once to the mirror target. According to AWS, however, if throughput hits the cap, the mirrored traffic will be dropped from the VPC before any production traffic is dropped.

There are two important things to keep in mind when configuring traffic mirroring: filters and sessions. A filter tells VPC Traffic Mirroring what kind of traffic to mirror. For example, customers could apply a filter to protocols such as HTTP or to a particular port range.

Each filter is then applied in a particular session, so a single instance can be the source for multiple sessions at once. These sessions are evaluated in the priority order in which they've been configured, and a packet is mirrored only by the first session whose filter matches it. For example, if the first session is configured to capture HTTP traffic only and the second session TCP, the first will capture the HTTP traffic and the second will capture everything except the HTTP traffic captured by the first session.
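The filter and session semantics described above are easier to reason about with a small model. The following is an added example, not AWS's implementation or a tool from the page: it assumes the rule fields the AWS API exposes (traffic direction, rule number, accept/reject action, protocol number, source and destination CIDRs and port ranges), assumes rules within a filter are evaluated lowest rule number first with the first match deciding and no match meaning "not mirrored", and assumes a packet goes only to the highest-priority session (lowest session number) whose filter accepts it. The filters, sessions, target names and packets are all constructed for the demonstration; the matching logic is a simplification for illustration, not the service's actual data path.

```python
"""Model of mirror filter rules and session priority (added illustration).

Assumptions, not AWS's code: rules are matched in ascending rule number,
first match decides, unmatched traffic is not mirrored; a packet is mirrored
only by the lowest-numbered session whose filter accepts it. All names and
sample packets below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]  # None means "any port"


@dataclass
class Packet:
    direction: str   # "ingress" or "egress" relative to the source ENI
    protocol: int    # IP protocol number (6 = TCP, 17 = UDP)
    src: str
    dst: str
    sport: int
    dport: int


def _in_range(port: int, rng: PortRange) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


@dataclass
class Rule:
    rule_number: int
    direction: str
    action: str                    # "accept" or "reject"
    protocol: Optional[int] = None  # None = any protocol
    src_cidr: str = "0.0.0.0/0"
    dst_cidr: str = "0.0.0.0/0"
    src_ports: PortRange = None
    dst_ports: PortRange = None

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.protocol is None or self.protocol == pkt.protocol)
            and ip_address(pkt.src) in ip_network(self.src_cidr)
            and ip_address(pkt.dst) in ip_network(self.dst_cidr)
            and _in_range(pkt.sport, self.src_ports)
            and _in_range(pkt.dport, self.dst_ports)
        )


@dataclass
class MirrorFilter:
    name: str
    rules: List[Rule]

    def accepts(self, pkt: Packet) -> bool:
        """First matching rule (by rule number, same direction) decides."""
        candidates = sorted((r for r in self.rules if r.direction == pkt.direction),
                            key=lambda r: r.rule_number)
        for rule in candidates:
            if rule.matches(pkt):
                return rule.action == "accept"
        return False  # no rule matched: not mirrored by this filter


@dataclass
class Session:
    session_number: int  # lower number = higher priority
    filter: MirrorFilter
    target: str          # constructed target name


def select_session(sessions: List[Session], pkt: Packet) -> Optional[Session]:
    """Return the highest-priority session whose filter accepts the packet."""
    for session in sorted(sessions, key=lambda s: s.session_number):
        if session.filter.accepts(pkt):
            return session
    return None


def build_demo_sessions() -> List[Session]:
    """Session 1: HTTP only, except internal sources; session 2: all TCP."""
    http_only = MirrorFilter("http-only", [
        Rule(10, "ingress", "reject", src_cidr="10.0.0.0/8"),   # skip internal HTTP
        Rule(100, "ingress", "accept", protocol=6, dst_ports=(80, 80)),
        Rule(100, "egress", "accept", protocol=6, src_ports=(80, 80)),
    ])
    all_tcp = MirrorFilter("all-tcp", [
        Rule(100, "ingress", "accept", protocol=6),
        Rule(100, "egress", "accept", protocol=6),
    ])
    return [Session(1, http_only, "nlb-http-analyzer"),
            Session(2, all_tcp, "nlb-tcp-analyzer")]


def run_demo() -> dict:
    """Map each constructed packet to the target that would receive its copy."""
    sessions = build_demo_sessions()
    packets = {
        "external-http": Packet("ingress", 6, "203.0.113.5", "10.0.1.10", 40000, 80),
        "internal-http": Packet("ingress", 6, "10.0.3.3", "10.0.1.10", 40002, 80),
        "ssh": Packet("ingress", 6, "203.0.113.5", "10.0.1.10", 40001, 22),
        "dns": Packet("egress", 17, "10.0.1.10", "10.0.0.2", 50000, 53),
    }
    result = {}
    for name, pkt in packets.items():
        chosen = select_session(sessions, pkt)
        result[name] = chosen.target if chosen else None
    return result


if __name__ == "__main__":
    for name, target in run_demo().items():
        print(f"{name:14s} -> {target}")
```

The walk-through matches the text's example: external HTTP lands in session 1, SSH falls through to the all-TCP session 2, UDP DNS matches no accept rule and is not mirrored at all. The internal-HTTP case shows why rule numbering matters: the reject rule at 10 stops session 1 from mirroring it, but session 2's filter is evaluated independently and still accepts it as TCP, so a reject in one filter does not keep traffic away from a lower-priority session.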

Our Take

VPC Traffic Mirroring allows for real-time inspection, monitoring, and troubleshooting of network traffic within customers’ VPCs without the need to install agents on those devices.

This is a handy tool in customers’ toolbox, providing much more visibility than VPC Flow Logs. Unlike VPC Flow Logs, however, Traffic Mirroring requires a good deal of effort to set up and additional cost, in the form of both configuration and infrastructure management.

Customers need to define the appropriate filters for each ENI based on the nature of the traffic going through the attached instance and the analysis that will be performed on that traffic. They will also need to build or buy the software tools to analyze the packets and build out additional infrastructure in their VPCs in the form of more instances and probably Network Load Balancers, all at additional cost.

Clearly, running workloads in the cloud well requires a lot more effort than simply running in the cloud. Infrastructure & Operations professionals are needed to ensure appropriate configuration and monitoring of AWS VPCs just as much as they have been for on-prem data centers and colocation facilities.

For those with the skills who are willing to put in the work, VPC Traffic Mirroring should help improve their security posture and enable operational excellence for VPC workloads involving mirrored traffic.

