Set up your VCN networks to enable traffic mirroring to your Virtual Network Sensor data port.
Procedure
- Go to https://www.oracle.com/cloud/sign-in.html and sign in to Oracle Cloud Infrastructure.
- Create a network load balancer for sending mirrored traffic to the Virtual Network Sensor. Due to current Oracle Cloud Infrastructure restrictions, mirrored traffic can only be sent from a network load balancer to the Virtual Network Sensor. For details, see VTAP sources and targets.
- Click the navigation menu icon on the top left and go to .
- Click Create network load balancer.
- Specify a name for the network load balancer.
- Select a compartment. For simplicity and ease of management, keep the network load balancer in the same compartment as the Virtual Network Sensor instance.
- Select Private for the visibility type.
- Under Header preservation, enable Source/destination header (IP, port) preservation (network load balancer).
- Turn on Enable symmetric hashing.
- Under Choose networking, select the virtual cloud network as well as the compartment where the network load balancer resides. For simplicity and ease of management, keep the network load balancer in the same compartment and virtual cloud network as the Virtual Network Sensor instance.
- Select the subnet as well as the compartment where the network load balancer resides. Select the subnet used by the Virtual Network Sensor management port.
- Enable Use network security groups to control traffic and select the compartment and network security group for the Virtual Network Sensor data port.
- Add security attributes and tags as needed and click Next.
- Specify a name for your listener.
- Select UDP/TCP/ICMP for the type of traffic your listener handles and click Next.
- Add backends for the network load balancer.
  - Specify a name for the backend set.
  - Click Add backends.
  - Select Compute instances for the backend type.
  - Select the compartment where your Virtual Network Sensor instance resides and select the Virtual Network Sensor instance.
  - Specify the IP address of the Virtual Network Sensor instance. The IP address is the one you recorded in step 19.
  - Click Add backends.
- Under Specify health check policy, select TCP for the protocol and specify 14789 for the port.
- Enable Fail open.
- Click Next, review the settings, and click Create network load balancer. When the creation is complete, the network load balancer details screen is displayed.
Note
Currently, the Virtual Network Sensor instance does not answer the health checks from the network load balancer, which causes the backend set status to appear as Critical. This status can be safely ignored, as the network load balancer can still move traffic to the Virtual Network Sensor for monitoring, provided that Fail open is enabled.
- Record the IP Address on the Details tab.
- Create a Virtual Test Access Point (VTAP) for mirroring traffic to the network load balancer.
- Click the navigation menu icon on the top left and go to .
- Click Create VTAP.
- Specify a name for your VTAP.
- Select a compartment. For simplicity and ease of management, keep the VTAP in the same compartment as the Virtual Network Sensor instance.
- Select the VCN where the Virtual Network Sensor instance resides.
- In the Source section, select your traffic mirroring source.
- In the Target section, select the subnet and the network load balancer created in step 2 as your traffic mirroring target.
- Click Select a capture filter and select Create new capture filter.
- Specify a name for your capture filter.
- Select a compartment. For simplicity and ease of management, keep the capture filter in the same compartment as the Virtual Network Sensor instance.
- Create a rule for inbound traffic.
  - Traffic direction: Ingress
  - Include/Exclude: Include
  - Source IPv4 CIDR or IPv6 prefix: 0.0.0.0/0
  - Destination IPv4 CIDR or IPv6 prefix: 0.0.0.0/0
  - IP protocol: All
- Click +Another rule and create a rule for outbound traffic.
  - Traffic direction: Egress
  - Include/Exclude: Include
  - Source IPv4 CIDR or IPv6 prefix: 0.0.0.0/0
  - Destination IPv4 CIDR or IPv6 prefix: 0.0.0.0/0
  - IP protocol: All
- Click Create capture filter.
- Click Create VTAP. The VTAP details screen is displayed.
- Click Start to start the VTAP.
- Configure the Virtual Network Sensor to accept health check traffic from your network load balancer.
- Click the navigation menu icon on the top left and go to .
- Click the VCN where you have deployed the Virtual Network Sensor instance.
- On the details page, perform one of the following actions depending on the option that you see:
- On the Security tab, go to the Network Security Groups section.
- Under Resources, select Network Security Groups.
- Click the network security group you created for the Virtual Network Sensor management port.
- Click the Security rules tab and then click Add Rules to add a rule for accepting traffic from the network load balancer:
  - Direction: Ingress
  - Source Type: CIDR
  - Source CIDR: Specify the IP address in CIDR notation of your NLB. The IP address is recorded in step 18.
  - IP Protocols: TCP
  - Source Port Range: All
  - Destination Port Range: 14789
  - Purpose: For answering NLB health check
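The capture-filter rules and the health-check security rule above are the two pieces most often typed wrong, so the following added example (not part of this page, and not Trend Micro's or Oracle's own tooling) builds both as the JSON documents the OCI CLI accepts and then audits an NSG rule list for a health-check rule that was opened wider than the NLB's own address. It assumes the field names of the OCI SecurityRule and VtapCaptureFilterRule models (used by `oci network nsg rules add --security-rules` and `oci network capture-filter create --vtap-capture-filter-rules`), that leaving `protocol` unset in a capture-filter rule means all protocols, and the NLB address 10.0.1.25 and the sample NSG rules, which are constructed for the demonstration.

```python
"""Build and audit the OCI rule payloads for the Virtual Network Sensor procedure.

Added example; field names follow the OCI SecurityRule and
VtapCaptureFilterRule JSON models as an assumption, not a quote of the page.
"""
import ipaddress
import json

HEALTH_CHECK_PORT = 14789  # TCP port probed by the NLB health check in the procedure


def nlb_health_check_rule(nlb_ip: str) -> dict:
    """Ingress NSG rule that lets only the NLB's private IP reach TCP 14789.

    Scoping the source to a /32 is the security point: the management port
    should not become reachable from the whole VCN just because the health
    check needs one hole.
    """
    addr = ipaddress.ip_address(nlb_ip)  # raises ValueError on malformed input
    if addr.version != 4:
        raise ValueError("NLB private IP is expected to be IPv4")
    return {
        "direction": "INGRESS",
        "sourceType": "CIDR_BLOCK",
        "source": f"{addr}/32",
        "protocol": "6",  # OCI encodes TCP as IANA protocol number 6
        "isStateless": False,
        "tcpOptions": {
            "destinationPortRange": {"min": HEALTH_CHECK_PORT, "max": HEALTH_CHECK_PORT}
        },
        "description": "Answer NLB health checks for the Virtual Network Sensor",
    }


def capture_filter_rules() -> list:
    """The two include-all rules (ingress and egress) of the capture filter.

    `protocol` is left unset, which is assumed here to mean all protocols.
    """
    return [
        {
            "trafficDirection": direction,
            "ruleAction": "INCLUDE",
            "sourceCidr": "0.0.0.0/0",
            "destinationCidr": "0.0.0.0/0",
        }
        for direction in ("INGRESS", "EGRESS")
    ]


def overly_broad_health_check_rules(rules: list, nlb_ip: str) -> list:
    """Return ingress rules that expose the health-check port to anything but the NLB.

    Intended to run over the output of `oci network nsg rules list` for the
    management-port NSG, to catch an accidental 0.0.0.0/0 or VCN-wide source.
    """
    nlb_net = ipaddress.ip_network(f"{nlb_ip}/32")
    findings = []
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("sourceType") != "CIDR_BLOCK":
            continue
        if rule.get("protocol") not in ("6", "all"):
            continue  # neither TCP nor all-protocols, so it cannot reach a TCP port
        port_range = (rule.get("tcpOptions") or {}).get("destinationPortRange")
        covers_port = port_range is None or port_range["min"] <= HEALTH_CHECK_PORT <= port_range["max"]
        if not covers_port:
            continue
        source = ipaddress.ip_network(rule["source"], strict=False)
        if source != nlb_net:
            findings.append(rule)
    return findings


# Constructed sample: what a management-port NSG might contain after a hasty edit.
SAMPLE_NSG_RULES = [
    nlb_health_check_rule("10.0.1.25"),  # the intended rule
    {"direction": "INGRESS", "sourceType": "CIDR_BLOCK", "source": "0.0.0.0/0", "protocol": "6",
     "tcpOptions": {"destinationPortRange": {"min": 14789, "max": 14789}}},  # too broad
    {"direction": "INGRESS", "sourceType": "CIDR_BLOCK", "source": "10.0.0.0/16", "protocol": "all"},  # too broad
    {"direction": "INGRESS", "sourceType": "CIDR_BLOCK", "source": "10.0.0.0/16", "protocol": "6",
     "tcpOptions": {"destinationPortRange": {"min": 443, "max": 443}}},  # unrelated port
    {"direction": "EGRESS", "destinationType": "CIDR_BLOCK", "destination": "0.0.0.0/0", "protocol": "all"},
]

if __name__ == "__main__":
    # Payloads ready to paste into the CLI flags named in the lead-in.
    print(json.dumps([nlb_health_check_rule("10.0.1.25")], indent=2))
    print(json.dumps(capture_filter_rules(), indent=2))
    for bad in overly_broad_health_check_rules(SAMPLE_NSG_RULES, "10.0.1.25"):
        print("health-check port exposed beyond the NLB:", bad["source"])
```

The audit deliberately treats a `protocol: "all"` rule with no port range as covering port 14789, because that is exactly the shape of a "temporarily allow everything" rule that tends to be left behind.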