Deploying a virtual appliance as a traffic mirror target

Procedure

Configure the traffic mirror filter.

For details, see https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-filters.html.
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the Region selector, select the AWS Region that you used when you created the VPCs.
3. On the navigation pane, go to Traffic Mirroring → Mirror Filters.
4. Select Create traffic mirror filter.
5. For Name tag, type a name for the traffic mirror filter.
  
  For example, type demo-traffic-mirror-filter.
6. (Optional) For Description, type a description for the traffic mirror filter.
  
  For example, type demo-traffic-mirror-filter.
7. Select amazon-dns.
8. Add inbound rules. Select Inbound rules → Add → rule, and then specify the following information about the traffic mirror source inbound traffic:
  - Rule number: Type a priority to assign to the rule.
  - Rule action: Select the action to take for the packet.
  - Protocol: Select the L4 protocol to assign to the rule.
  - (Optional) Source port range: Type the source port range.
  - (Optional) Destination port range: Type the destination port range.
  - Source CIDR block: Type a source CIDR block.
  - Destination CIDR block: Type a destination CIDR block.
  - (Optional) Description: Type a description for the rule.
  The following is an example of the values.
  - Rule number: Use the default number
  - Rule action: Select accept.
  - Protocol: Select All protocols.
  - Source CIDR block: Type 0.0.0.0/0.
  - Destination CIDR block: Type 0.0.0.0/0.
  - Description: Type mirror all inbound traffic.
9. Add outbound rules. Select Outbound rules → Add → rule, and then specify the following information about the traffic mirror source outbound traffic:
  - Rule number: Type a priority to assign to the rule.
  - Rule action: Select the action to take for the packet.
  - Protocol: Select the L4 protocol to assign to the rule.
  - (Optional) Source port range: Type the source port range.
  - (Optional) Destination port range: Type the destination port range.
  - Source CIDR block: Type a source CIDR block.
  - Destination CIDR block: Type a destination CIDR block.
  - (Optional) Description: Type a description for the rule.
  The following is an example of the values.
  - Rule number: Use the default number
  - Rule action: Select accept.
  - Protocol: Select All protocols.
  - Source CIDR block: Type 0.0.0.0/0.
  - Destination CIDR block: Type 0.0.0.0/0.
  - Description: Type mirror all outbound traffic.
10. Repeat the previous step for each inbound rule and outbound rule that you want to add.
11. Click Create.

Configure the traffic mirror target.

On the navigation pane, select Traffic Mirroring → Mirror Targets.
Select Create Traffic Mirror Target.
For Name tag, type a name for the traffic mirror target.

For example, type demo-traffic-mirror-target.
(Optional) For Description, type a description for the traffic mirror target.

For example, type demo-traffic-mirror-target.
For Target type, select Network Interface.

For Target, select the Deep Discovery Inspector virtual appliance's eth0 (the data port that is connected to your subnet) as the traffic mirror target.

Note

You can select any other data port that you have attached on the Deep Discovery Inspector virtual appliance, such as eth2, or eth3.

Do not select the eth1 port that is used as the management port for the Deep Discovery Inspector virtual appliance.

Click Create.

Repeat the previous step to create a traffic mirror target for each Deep Discovery Inspector virtual appliance in your AWS environment.

Configure the traffic mirror session.

On the navigation pane, select Traffic Mirroring → Mirror Sessions.
Select Create traffic mirror session.
For Name tag, type a name for the traffic mirror session.

For example, type demo-traffic-mirror-session.
(Optional) For Description, type a description for the traffic mirror session.

For example, type demo-traffic-mirror-session.
For Mirror source, select the network interface of the instance that you want to monitor.
For Mirror target, select the traffic mirror target.

For example, select demo-traffic-mirror-target.
Under Additional settings, perform the following:
- For Session number, type the session number 1.
  
  The session number determines the order that the traffic mirror sessions are evaluated in both of the following situations:
  - When an interface is used by multiple sessions
  - When an interface is used by different traffic mirror targets and traffic mirror filters.
  Traffic is only mirrored one time. Use 1 for the highest priority. Valid values are 1-32766.
- (Optional) For VNI, type the VXLAN ID to use for the traffic mirror session.
  
  For details, see https://tools.ietf.org/html/rfc7348.
  
  If you do not specify a value, AWS assigns a random, unused number.
- (Optional) For Packet Length, type the number of bytes in each packet to mirror.
  
  If you do not want to mirror the entire packet, set Packet Length to the number of bytes in each packet to mirror. For example, if you set this value to 100, the first 100 bytes after the VXLAN header that meet the filter criteria are copied to the target.
  
  To mirror the entire packet, do not enter a value in this field.
- For Filter, select the traffic mirror filter that determines what traffic gets mirrored.
  
  For example, select demo-traffic-mirror-filter.
- (Optional) Under the Tags section, add or remove a tag.
The following are example settings.
- For Session number, type the session number 1.
- For VNI, leave the value empty. AWS will assign a random number.
- For Packet Length, leave the value empty. AWS will mirror the entire packet.
- For Filter, select demo-traffic-mirror-filter.

Click Create.

Note

For more details, see Working with Traffic Mirroring at https://docs.aws.amazon.com/vpc/latest/mirroring/working-with-traffic-mirroring.html.

Repeat the previous step to create more traffic mirror sessions when there are multiple sources that you want to monitor.