If you deployed the sensor using the CloudFormation template, you already have a Mirror Target and a sample Mirror filter that accepts all traffic. Next, you'll need to create a Mirror Session.
Create a Mirror Target
Mirror Traffic is directed to Mirror Targets. Create a Mirror Target that references the Sensor Mirror Interface as a destination for Mirror Traffic.
To do this, follow this AWS guide to create the traffic mirror target: https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-getting-started.html#step-create-traffic-mirroring-target.
Create a Mirror Filter
VPC Traffic Mirroring allows you to fine tune the traffic to be mirrored. Create a Mirror Filter and add rules and select the traffic you want to mirror. The filter defines the properties of the traffic to be mirrored, by IP, and Port. It does not identify the instances that are to be monitored.
To configure a mirror filter, follow this AWS guide: https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-getting-started.html#step-create-traffic-mirroring-filters.
Create a Mirror Session
The final step is to create a Mirror Session for each instance you want to monitor. To create a Mirror Session, the Mirror Source, Mirror Target and Mirror Filter need to be identified.
Steps to create a Mirror Session:
- Open AWS Console and open VPC > Traffic Mirroring > Mirror Sessions.
- Select Create Traffic Mirror Session.
- Name the session.
- Select the Mirror Source. This is the interface on the instance you want to monitor. Accurate descriptions of the interfaces will help you identify them.
- Select the Mirror Target. This was automatically created by the CloudFormation template or has been manually created.
- Select the Session number. Multiple sessions can be created and are evaluated in order of the session number. A packet is only mirrored once, so the ordering of the sessions is important if you are using more than one.
- Select the Mirror Filter. This was automatically created by the CloudFormation template or has been manually created.
- Click Create to complete the creation of the Mirror Session.
Network Maximum Transmission Unit (MTU)
AWS provides an important note about MTU, Traffic Mirroring and encapsulation. As Traffic Mirror involves encapsulating packets with a VXLAN header, the default MTU on monitored instances needs to be reduced. See https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-considerations.html.
BPF filters cannot be applied to the Network Sensor configuration when using AWS Mirror Traffic. If mirrored traffic needs to be filtered, use the AWS Traffic Mirror Filter instead.