Task Statement 4.2: Validate and audit security by using network monitoring and logging services.
📘AWS Certified Advanced Networking – Specialty
🔷 1. What is Network Traffic Mirroring?
VPC Traffic Mirroring is an AWS feature that lets you capture and copy network traffic from your EC2 instances and send that traffic to another destination for analysis.
👉 In simple terms:
It creates a duplicate of network packets and sends them to a monitoring system without affecting the original traffic.
🔷 2. Why Traffic Mirroring is Important (Exam Focus)
Traffic Mirroring is used for:
✅ Security monitoring
- Detect suspicious traffic patterns
- Analyze potential attacks (e.g., scanning, malware communication)
✅ Deep packet inspection
- View actual packet contents (not just metadata like VPC Flow Logs)
✅ Troubleshooting
- Diagnose application/network issues at packet level
✅ Compliance & auditing
- Capture traffic for forensic analysis
🔷 3. Key Difference (VERY IMPORTANT FOR EXAM)
| Feature | VPC Flow Logs | Traffic Mirroring |
|---|---|---|
| Data Type | Metadata (IP, port, accept/deny) | Full packet data |
| Visibility | Limited | Deep inspection |
| Use Case | Monitoring & auditing | Security analysis, IDS/IPS |
| Performance impact | Minimal | Slight overhead |
👉 Exam Tip:
If the question mentions deep inspection, IDS, packet capture → choose Traffic Mirroring
🔷 4. Core Components of Traffic Mirroring
To configure Traffic Mirroring, you must understand these 3 components:
🔹 1. Mirror Source
- The EC2 instance network interface (ENI) you want to monitor
- Only Elastic Network Interfaces (ENIs) are supported
👉 Example:
- Web server ENI
- Application server ENI
🔹 2. Mirror Target
Where mirrored traffic is sent.
Supported targets:
- Network Load Balancer (NLB)
- Elastic Network Interface (ENI)
👉 Typically used with:
- Security appliances (IDS/IPS)
- Packet analyzers
🔹 3. Mirror Session
Defines how traffic is mirrored.
Includes:
- Source
- Target
- Filter
- Priority
- Packet length
🔹 4. Mirror Filter (VERY IMPORTANT)
Controls which traffic is copied.
- Works like stateless rules
- Based on:
- Source/destination IP
- Protocol (TCP, UDP, ICMP)
- Port ranges
👉 You can:
- Include traffic
- Exclude traffic
🔷 5. How Traffic Mirroring Works (Step-by-Step)
- Traffic flows through EC2 instance (ENI)
- Traffic Mirroring copies selected packets
- Packets are encapsulated using VXLAN
- Sent to Mirror Target
- Analysis tool processes the packets
🔷 6. VXLAN Encapsulation (Exam Important)
- AWS uses VXLAN (Virtual Extensible LAN) protocol
- Encapsulates mirrored packets
👉 Key facts:
- Adds extra headers → increases packet size
- Uses UDP port 4789
🔷 7. Creating Traffic Mirroring (Step-by-Step)
Step 1: Create Mirror Target
- Choose:
- NLB (recommended)
- or ENI
Step 2: Create Mirror Filter
- Define rules:
- Allow HTTP/HTTPS traffic
- Deny unwanted traffic
Step 3: Create Mirror Session
- Attach:
- Source ENI
- Target
- Filter
- Configure:
- Session number (priority)
- Packet length (truncate if needed)
Step 4: Start Monitoring
- Traffic is now mirrored and analyzed
🔷 8. Important Configuration Options
🔹 Packet Length
- You can limit how much of each packet is captured
- Helps reduce cost and bandwidth
🔹 Session Priority
- Lower number = higher priority
- Important when multiple sessions exist
🔹 Filtering Rules
- Stateless (no connection tracking)
- Order matters (like NACLs)
🔷 9. Performance & Limitations (Exam Critical)
✅ Supported Resources
- Only EC2 instances with ENIs
❌ Not Supported
- Not for:
- AWS Lambda
- RDS
- Managed services
⚠️ Performance Considerations
- Mirroring adds:
- CPU overhead
- Network overhead
⚠️ Bandwidth Impact
- Mirrored traffic consumes extra bandwidth
⚠️ Same Region Requirement
- Source and target must be in the same VPC or connected VPCs
🔷 10. Security Considerations
🔹 Data Exposure
- Full packet capture includes sensitive data
🔹 Encryption
- Traffic is mirrored after decryption (inside VPC)
🔹 Access Control
- Use IAM and security groups to restrict access
🔷 11. Integration with Security Tools
Traffic Mirroring is commonly used with:
- Intrusion Detection Systems (IDS)
- Intrusion Prevention Systems (IPS)
- Packet analyzers (e.g., Wireshark-like tools)
- Network forensic tools
🔷 12. Common Exam Scenarios
🟢 Scenario 1
You need to inspect full packet payloads
👉 Use: Traffic Mirroring
🟢 Scenario 2
You need lightweight logging of traffic metadata
👉 Use: VPC Flow Logs
🟢 Scenario 3
You want to send traffic to security appliance
👉 Use:
- Traffic Mirroring + NLB
🟢 Scenario 4
You want real-time threat detection
👉 Use:
- Traffic Mirroring + IDS
🔷 13. Best Practices
✅ Use filters wisely
- Capture only necessary traffic
✅ Use NLB as target
- Scalable and highly available
✅ Limit packet size
- Reduce cost and performance impact
✅ Monitor performance
- Ensure mirroring doesn’t overload systems
🔷 14. Quick Exam Revision (Must Remember)
- Traffic Mirroring = full packet capture
- Uses ENI as source
- Uses NLB or ENI as target
- Uses VXLAN (UDP 4789)
- Supports deep packet inspection
- Stateless filtering (like NACL)
- Higher overhead than Flow Logs
🔷 15. Final Summary
VPC Traffic Mirroring allows you to copy network traffic from EC2 instances and send it to monitoring tools for deep inspection, security analysis, and troubleshooting.
It is a powerful but resource-intensive feature, mainly used when detailed packet-level visibility is required, which cannot be achieved using basic logging tools like VPC Flow Logs.
