Everything in the cloud starts with the creation of a VPC (Virtual Private Cloud). Amazon VPC lets you carve out your own private, logically isolated piece of the Amazon Web Services (AWS) cloud and build virtual networks in it just the way you want. You decide everything, from the IP address ranges you use to the subnets you create and how everything connects through route tables and network gateways. It’s your own customized slice of the AWS cloud, tailored exactly to your needs.
What is Traffic Mirroring?
Traffic Mirroring is a cool feature in Amazon VPC that lets you duplicate network traffic from a specific type of elastic network interface. This duplicated traffic can then be directed to security and monitoring tools for various purposes:
• Checking content for security purposes
• Monitoring for potential threats
• Resolving network issues
You can set up these security and monitoring tools as standalone instances or as a group of instances behind a Network Load Balancer or a Gateway Load Balancer with a UDP listener. With Traffic Mirroring, you can apply filters and truncate packets to focus only on the traffic you want to analyze, using whatever monitoring tools you prefer.
To understand it better, we need to know the key Traffic Mirroring concepts:
• Source — The network interface to monitor.
• Filter — A set of rules that defines the traffic that is mirrored.
• Target — The destination for mirrored traffic.
• Session — Establishes a relationship between a source, a filter, and a target.
Traffic Mirroring provides several advantages:
• Simplified Operation: Easily mirror any VPC traffic range without needing to handle packet forwarding agents on your EC2 instances.
• Enhanced Security: Capture packets directly at the elastic network interface, which can’t be disabled or tampered with from user space.
• Increased Monitoring Flexibility: Route your mirrored traffic to any security device for comprehensive monitoring.
How does Traffic Mirroring work?
Traffic Mirroring copies inbound and outbound traffic from the network interfaces that are attached to your instances. You can send the mirrored traffic to the network interface of another instance, a Network Load Balancer that has a UDP listener, or a Gateway Load Balancer that has a UDP listener.
After you create the traffic mirror session, any traffic that matches the filter rules is encapsulated in a VXLAN header. It is then sent to the target.
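To show what the target actually receives, and how a filter decides what gets there, here is an added example (written for this article, not AWS code). It builds a constructed VXLAN-encapsulated packet of the kind a target sees on UDP port 4789, decapsulates it to recover the VNI (the session's virtual network ID) and the inner IPv4/TCP or UDP headers, then evaluates the inner packet against a small rule set modelled on Traffic Mirroring filter rules: rules are evaluated in ascending rule-number order, the first match wins, and traffic matching no rule is not mirrored. The rule set, addresses and VNI are assumptions chosen for the example.

```python
"""Decapsulate a VXLAN-encapsulated mirrored packet and decide whether a
Traffic Mirroring style filter would have mirrored it (added example, not AWS code)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

VXLAN_UDP_PORT = 4789        # mirrored traffic reaches the target as VXLAN over UDP/4789
VXLAN_FLAG_VNI_VALID = 0x08  # "I" flag: the VNI field is valid


@dataclass
class InnerPacket:
    vni: int              # VXLAN Network Identifier = the session's virtual network ID
    protocol: int         # IP protocol number (6 = TCP, 17 = UDP)
    src: str
    dst: str
    src_port: Optional[int]
    dst_port: Optional[int]


def decapsulate(vxlan_payload: bytes) -> InnerPacket:
    """Parse the UDP payload a mirror target receives: an 8-byte VXLAN header
    followed by the mirrored Ethernet frame (IPv4 only in this example)."""
    if len(vxlan_payload) < 8 + 14 + 20:
        raise ValueError("payload too short for VXLAN + Ethernet + IPv4 headers")
    flags, vni_field = struct.unpack("!B3xI", vxlan_payload[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    vni = vni_field >> 8                      # top 24 bits of the last word carry the VNI
    frame = vxlan_payload[8:]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"only IPv4 frames handled here, got ethertype {ethertype:#06x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                  # header length in bytes
    protocol = ip[9]
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    src_port = dst_port = None
    if protocol in (6, 17) and len(ip) >= ihl + 4:   # TCP/UDP ports are the first 4 L4 bytes
        src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return InnerPacket(vni, protocol, src, dst, src_port, dst_port)


@dataclass
class FilterRule:
    rule_number: int
    direction: str                               # "ingress" or "egress"
    action: str                                  # "accept" or "reject"
    protocol: Optional[int] = None               # None = all protocols
    src_cidr: str = "0.0.0.0/0"
    dst_cidr: str = "0.0.0.0/0"
    dst_ports: Optional[Tuple[int, int]] = None  # inclusive (from, to)


def rule_matches(rule: FilterRule, pkt: InnerPacket, direction: str) -> bool:
    if rule.direction != direction:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src_cidr):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst_cidr):
        return False
    if rule.dst_ports is not None:
        lo, hi = rule.dst_ports
        if pkt.dst_port is None or not lo <= pkt.dst_port <= hi:
            return False
    return True


def is_mirrored(rules: List[FilterRule], pkt: InnerPacket, direction: str) -> bool:
    """Lowest rule number first, first match wins, no match means not mirrored."""
    for rule in sorted(rules, key=lambda r: r.rule_number):
        if rule_matches(rule, pkt, direction):
            return rule.action == "accept"
    return False


def build_sample(vni: int, src: str, dst: str, src_port: int, dst_port: int,
                 protocol: int = 6) -> bytes:
    """Constructed sample of what a target sees on UDP/4789 (not a real capture)."""
    vxlan = struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)
    eth = bytes.fromhex("020000000001" "020000000002" "0800")   # constructed MACs, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, protocol, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    l4 = struct.pack("!HH", src_port, dst_port) + b"\x00" * 16   # minimal L4 header bytes
    return vxlan + eth + ip + l4


# Assumed rule set: drop SSH from the mirror, keep inbound HTTPS and DNS to 10.0.0.0/16.
SAMPLE_RULES = [
    FilterRule(200, "ingress", "accept", protocol=6, dst_ports=(443, 443)),
    FilterRule(100, "ingress", "reject", dst_ports=(22, 22)),
    FilterRule(300, "ingress", "accept", protocol=17, dst_ports=(53, 53), dst_cidr="10.0.0.0/16"),
]


def classify(payload: bytes, direction: str = "ingress") -> Tuple[int, bool]:
    """Return (VNI, would-be-mirrored) for one encapsulated packet."""
    pkt = decapsulate(payload)
    return pkt.vni, is_mirrored(SAMPLE_RULES, pkt, direction)


if __name__ == "__main__":
    tls = build_sample(12345, "203.0.113.9", "10.0.2.20", 51234, 443)
    ssh = build_sample(12345, "203.0.113.9", "10.0.2.20", 51235, 22)
    print(classify(tls), classify(ssh))
```

The VNI is what lets one analysis instance receiving several sessions tell them apart, and the direction check matters because a filter's inbound and outbound rules are separate: an ingress-only rule set mirrors nothing on the egress side.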
Let’s get hands-on with the Traffic Mirroring service.
Step 1 is to create a traffic mirror target. Log in to your AWS console and type VPC in the search box.
Open your VPC, navigate to Mirror targets, choose Create traffic mirror target, fill in the details and click Create. Your traffic mirror target is created.
Step 2 is to create a traffic mirror filter. Navigate to Mirror filters in the navigation pane, fill in the details (the inbound and outbound rules that decide which traffic is mirrored) and click Create. Your filter is now created and ready to use.
Step 3 is to create the traffic mirror session. Navigate to Mirror sessions in the VPC navigation pane and click Create. Fill in the details (the source network interface, plus the target and filter from the previous steps) and click Create. Your session is also created.
Step 4 is the final step: analyze the data. Once packets are being captured at the target, you can analyze the traffic and then refine your filters accordingly.
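The same three creation steps can be scripted instead of clicked through. The following is an added example written for this article (not AWS's own code) that performs steps 1 to 3 with the boto3 EC2 client: it creates the target from the analysis instance's ENI, the filter with two inbound accept rules, and the session that binds the source ENI to both. The ENI IDs, rule numbers, VNI and packet length are placeholders and assumptions; the function takes the client as a parameter so the call sequence can be exercised against a stand-in before it is run against a real account.

```python
"""Create the Traffic Mirroring target, filter, filter rules and session with boto3
(added example for this article, not AWS code)."""
from typing import Any, Dict, Optional


def create_mirror_pipeline(ec2: Any, source_eni: str, target_eni: str,
                           session_number: int = 1, vni: Optional[int] = None,
                           packet_length: Optional[int] = None) -> Dict[str, str]:
    """Steps 1-3 of the console walkthrough as API calls. `ec2` is a boto3 EC2
    client (passed in so the wiring can be tested against a stand-in object)."""
    # Step 1: the target is the ENI of the analysis instance. A load balancer target
    # would use NetworkLoadBalancerArn or GatewayLoadBalancerEndpointId instead.
    target_id = ec2.create_traffic_mirror_target(
        NetworkInterfaceId=target_eni,
        Description="analysis instance ENI",
    )["TrafficMirrorTarget"]["TrafficMirrorTargetId"]

    # Step 2: the filter and its rules. Rules are evaluated in ascending RuleNumber
    # order and the first match decides; traffic matching no rule is not mirrored.
    filter_id = ec2.create_traffic_mirror_filter(
        Description="inbound TLS and DNS only",
    )["TrafficMirrorFilter"]["TrafficMirrorFilterId"]
    rules = [
        dict(RuleNumber=100, Protocol=6,
             DestinationPortRange={"FromPort": 443, "ToPort": 443}, Description="inbound HTTPS"),
        dict(RuleNumber=200, Protocol=17,
             DestinationPortRange={"FromPort": 53, "ToPort": 53}, Description="inbound DNS"),
    ]
    for rule in rules:
        ec2.create_traffic_mirror_filter_rule(
            TrafficMirrorFilterId=filter_id,
            TrafficDirection="ingress",
            RuleAction="accept",
            SourceCidrBlock="0.0.0.0/0",        # both CIDR blocks are required by the API
            DestinationCidrBlock="0.0.0.0/0",
            **rule,
        )

    # Step 3: the session ties the monitored ENI to the target and the filter.
    session_args: Dict[str, Any] = dict(
        NetworkInterfaceId=source_eni,
        TrafficMirrorTargetId=target_id,
        TrafficMirrorFilterId=filter_id,
        SessionNumber=session_number,     # lower number = higher priority when a source has several sessions
        Description="mirror web tier to analysis instance",
    )
    if vni is not None:
        session_args["VirtualNetworkId"] = vni          # VNI stamped into the VXLAN header
    if packet_length is not None:
        session_args["PacketLength"] = packet_length    # truncate each mirrored packet to this many bytes
    session_id = ec2.create_traffic_mirror_session(
        **session_args)["TrafficMirrorSession"]["TrafficMirrorSessionId"]
    return {"target": target_id, "filter": filter_id, "session": session_id}


if __name__ == "__main__":
    import boto3   # needs AWS credentials and a region; the ENI IDs below are placeholders
    print(create_mirror_pipeline(boto3.client("ec2"),
                                 source_eni="eni-SOURCE-PLACEHOLDER",
                                 target_eni="eni-TARGET-PLACEHOLDER",
                                 vni=12345, packet_length=128))
```

Choosing a PacketLength keeps only the headers and the start of each payload, which is usually enough for threat detection and cuts the bandwidth the mirror consumes; omit it when the analysis tool needs full packets. The source ENI must belong to an instance type that supports Traffic Mirroring, and the target must be reachable from the source (same VPC, or peered/Transit Gateway-connected VPCs) on UDP port 4789.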
I hope this article is useful for readers like you who want to create a traffic mirror, analyze traffic flow and filter out unwanted traffic.