In this post we will explore how to gain insight into your network traffic using Amazon VPC Traffic Mirroring. We will learn how to copy network traffic from the elastic network interface (ENI) of an EC2 instance in your VPC and send it to security and monitoring appliances.
Before we begin, we briefly go over what Traffic Mirroring is, what a monitored network can look like, and the native traffic monitoring capabilities available in the AWS cloud.
What is Traffic Mirroring?
Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface of Amazon EC2 instances. You can then send the traffic to out-of-band security and monitoring appliances for:
Content inspection
Threat monitoring
Troubleshooting
Traffic Mirroring concepts
The following are the key concepts for Traffic Mirroring:
Source — A network interface with the type instance.
Target — The destination for mirrored traffic.
Filter — A set of rules that defines the traffic that is copied in a traffic mirror session.
Session — An entity that describes Traffic Mirroring from a source to a target using filters.
Get started with Traffic Mirroring
Now we will set up traffic mirroring for a chosen source and look at the captured packets on the chosen target. From this post you will learn how to configure the following components required for setting up Amazon VPC Traffic Mirroring:
Traffic mirror target
Traffic mirror filter
Traffic mirror session
Step 0: Prerequisites
Make sure that the traffic mirror source and traffic mirror target are in the same VPC, or in different VPCs that are connected via VPC peering or a transit gateway.
Make sure that the traffic mirror target instance allows traffic to UDP port 4789.
Make sure that the traffic mirror source has a route table entry for the traffic mirror target.
Make sure that there are no security group rules or network ACL rules on the traffic mirror target that drop the mirrored traffic from the traffic mirror source.
We will need the following resources before proceeding:
VPC
IGW
Public route table
Public subnet
Three EC2 instances
Acting as client (optional; we can use our local machine as the client)
Acting as server
Acting as destination for mirrored traffic
Step 1: Create the traffic mirror target
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/
- In the Region selector, choose the AWS Region that you used when you created the VPCs.
- On the navigation pane, choose Traffic Mirroring, Mirror Targets.
- Choose Create Traffic Mirror Target.
- For Name tag, enter a name for the traffic mirror target.
- (Optional) For Description, enter a description for the traffic mirror target.
- For Target type, choose the traffic mirror target type. Here we use Network Interface because we are creating a target that points at an EC2 instance.
- For Target, choose the traffic mirror target. From the drop-down, select the ENI of our target instance (the destination of the mirrored traffic). You can find the ENI in the instance description in the EC2 console: click Network Interface eth0 and it will display the ENI ID.
- (Optional) Add or remove a tag. To add a tag, choose Add tag, then enter the key name for Key and the key value for Value. To remove a tag, choose Remove tag next to the tag.
- Choose Create.
Step 2: Create the traffic mirror filter
A traffic mirror filter contains one or more traffic mirror rules and a set of network services. The filters and rules that you add define which traffic is mirrored. Now we will create the traffic mirror filter:
- On the left navigation pane, scroll down and choose Traffic Mirroring, Mirror Filters.
- Choose Create Traffic Mirror Filter.
- Enter the values as shown below and choose Create traffic mirror filter. We are going to mirror port 80 traffic ingressing on the server (the source), hence we have created an inbound rule for port 80. If you also want to mirror traffic egressing from the server (outbound traffic), you need to create an outbound rule as well. You can also mirror all traffic by leaving the port range empty and setting the CIDR to 0.0.0.0/0.
- Choose Create.
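To make the filter behaviour concrete, here is an added example (not code from the post or from AWS) that models how a traffic mirror filter decides whether a packet is copied: rules are evaluated from the lowest rule number, the first match decides, and traffic that matches no rule is not mirrored. The rule numbers, IP addresses and ports below are constructed values.

```python
from ipaddress import ip_address, ip_network

def rule(number, direction, action, protocol=None, src_cidr="0.0.0.0/0",
         dst_cidr="0.0.0.0/0", src_ports=None, dst_ports=None):
    """One traffic mirror filter rule as entered in the console. direction is
    'inbound' or 'outbound', action 'accept' or 'reject', protocol e.g. 'tcp'
    or None for all protocols; port ranges are (from, to) or None for any."""
    return {"number": number, "direction": direction, "action": action,
            "protocol": protocol, "src_cidr": ip_network(src_cidr),
            "dst_cidr": ip_network(dst_cidr), "src_ports": src_ports,
            "dst_ports": dst_ports}

def _in_range(ports, port):
    return ports is None or ports[0] <= port <= ports[1]

def _matches(r, pkt):
    return (r["direction"] == pkt["direction"]
            and r["protocol"] in (None, pkt["protocol"])
            and ip_address(pkt["src"]) in r["src_cidr"]
            and ip_address(pkt["dst"]) in r["dst_cidr"]
            and _in_range(r["src_ports"], pkt["sport"])
            and _in_range(r["dst_ports"], pkt["dport"]))

def is_mirrored(rules, pkt):
    """Evaluate rules from the lowest rule number; the first match decides
    (accept = copy to the target, reject = do not copy). No match: not mirrored."""
    for r in sorted(rules, key=lambda r: r["number"]):
        if _matches(r, pkt):
            return r["action"] == "accept"
    return False

# The filter from Step 2: a single inbound rule for TCP port 80 on the server.
STEP2_FILTER = [rule(100, "inbound", "accept", protocol="tcp", dst_ports=(80, 80))]

# Constructed sample packets (made-up private IPs): the client's HTTP request,
# the server's reply, and an unrelated SSH connection to the server.
REQUEST = {"direction": "inbound", "protocol": "tcp", "src": "10.0.1.20",
           "dst": "10.0.1.10", "sport": 43522, "dport": 80}
REPLY = {"direction": "outbound", "protocol": "tcp", "src": "10.0.1.10",
         "dst": "10.0.1.20", "sport": 80, "dport": 43522}
SSH = {"direction": "inbound", "protocol": "tcp", "src": "10.0.1.20",
       "dst": "10.0.1.10", "sport": 50000, "dport": 22}

if __name__ == "__main__":
    for name, pkt in (("request", REQUEST), ("reply", REPLY), ("ssh", SSH)):
        print(name, "mirrored" if is_mirrored(STEP2_FILTER, pkt) else "not mirrored")
```

Only the request is mirrored by the Step 2 filter; the server's reply needs the outbound rule mentioned above, and a lower-numbered reject rule can carve exceptions out of a catch-all 0.0.0.0/0 accept.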
Step 3: Create the traffic mirror session
- On the left navigation pane, scroll down and choose Traffic Mirroring, Mirror Sessions.
- Choose Create Traffic Mirror Session.
- For Name tag, enter a name for the traffic mirror session.
- For Description, enter a description for the traffic mirror session.
- For Mirror source, choose the network interface of the instance that you want to monitor. We need the ENI of the source instance, so look it up as we did before.
- For Mirror target, choose the traffic mirror target. From the drop-down we can select the target we created in Step 1.
- For Session number, enter the session number. Use 1 for the highest priority.
- Keep all other values at their defaults; they are optional. To learn more about the optional values, refer to the AWS documentation.
- At this point your traffic mirror session should be created successfully.
Step 4: Mirror traffic
Now that our traffic mirror target, filter and session are done, let's check how to mirror traffic. In the prerequisites we created three Amazon EC2 instances; they serve the following purposes:
- Client instance (optional, as we can curl from our local machine too; it is good to know our public IP beforehand so we can verify it in the logs): using curl, we will send port 80 traffic from the client to the server.
- Server instance: it runs a web server and returns a basic hello HTML page, responding to the client instance's curl request. Any Linux instance with Nginx or Apache will do the trick. This instance is also our mirror source: we are going to mirror port 80 traffic ingressing on the server.
- Destination instance: mirrored traffic is sent to this instance.
So let's begin:
- On the destination instance, start capturing traffic with the following command:
sudo tcpdump -nnni ens5 udp port 4789
- Send port 80 traffic from the client to the server. You need to be on the client instance's terminal for this:
curl http://<server-ip>
- Now on the destination instance you will see the mirrored traffic arriving.
That's it; traffic mirroring now works.
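The tcpdump filter above captures UDP port 4789 because Traffic Mirroring wraps every mirrored frame in VXLAN, with the session's virtual network ID (VNI) in the VXLAN header. As an added example (not code from the post), the decapsulator below strips that header from one captured datagram and recovers the inner IPv4/TCP flow, so you can see the port 80 request inside the mirrored copy. The VNI, MAC addresses and IPs are constructed; only VXLAN-wrapped IPv4 over TCP is handled.

```python
import struct

def build_mirrored_datagram(vni, src_ip, dst_ip, sport, dport, payload):
    """Constructed sample: the UDP payload that arrives on port 4789, i.e. an
    8-byte VXLAN header followed by the mirrored Ethernet/IPv4/TCP frame.
    MAC addresses are dummies and checksums are left at zero."""
    vxlan = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"  # I flag set
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"                       # EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    tcp += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return vxlan + eth + ip + tcp

def decapsulate(datagram):
    """Strip the VXLAN header from one captured datagram and return the VNI
    (the session's virtual network ID) plus the inner IPv4/TCP flow.
    Returns None for anything that is not VXLAN-wrapped IPv4 over TCP."""
    if len(datagram) < 8 + 14 + 20 or not datagram[0] & 0x08:  # VNI-valid flag
        return None
    vni = int.from_bytes(datagram[4:7], "big")
    frame = datagram[8:]
    if frame[12:14] != b"\x08\x00":          # only IPv4 is handled here
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if ip[9] != 6:                           # protocol 6 = TCP
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4         # TCP header length in bytes
    return {"vni": vni,
            "src": ".".join(map(str, ip[12:16])),
            "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport,
            "payload": tcp[data_offset:]}

if __name__ == "__main__":
    sample = build_mirrored_datagram(1234, "10.0.1.20", "10.0.1.10", 43522, 80,
                                     b"GET / HTTP/1.1\r\nHost: server\r\n\r\n")
    print(decapsulate(sample))
```

Tools such as Zeek and Suricata do this decapsulation themselves; this is useful when you inspect the raw capture by hand.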
You can use open-source tools to monitor network traffic from Amazon EC2 instances. The following tools work with Traffic Mirroring:
Zeek — For more information, see the Zeek Network Security Monitor website.
Suricata — For more information, see the Suricata website.