Traffic direction to AWS vSensor
Configure AWS VPC Traffic Mirroring to send EC2 traffic to a vSensor (mirror filters, mirror targets, and mirror sessions).
Traffic Mirroring Configuration
Traffic mirroring can be accomplished using AWS VPC Traffic Mirroring or using third-party packet brokers that deliver traffic over VXLAN. Third-party packet brokers are not covered in this guide. Please work with that vendor and ensure that traffic is directed to the Sensor over UDP 4789.
AWS Traffic Mirror documentation is available here:
VPC Traffic Mirroring was released by Amazon Web Services in June 2019. It emulates the traditional SPAN or TAP that companies have been using on-premises for decades, now in the cloud. The mirrored traffic is encapsulated in VXLAN packets and delivered by Amazon Web Services directly to the Traffic Mirror Target (TMT) over UDP port 4789. Additional information about VPC Traffic Mirroring is available here:
There are a few caveats with the current implementation to keep in mind:
Not all Nitro-based instances are supported as a traffic mirror source.
Traffic mirrors need to be deployed manually, or they can be automated:
As a part of your deployment tooling; both CloudFormation and Terraform support them.
They can be added as part of a Lambda automation that is triggered by EC2 events.
They can be added with Python code.
A packet can only be delivered once.
This means that if a source has more than one mirror session, a packet is delivered to only ONE destination.
Which destination receives it is determined by the session number setting in the mirror session itself.
Lower values take precedence.
To configure VPC Traffic Mirroring, you need to set up three different objects within AWS. Our recommendation is that you configure them in the following order:
Create a single Mirror Filter.
Create a Mirror Target for each Sensor or network load balancer you have deployed.
Create a Mirror Session for each workload you would like to monitor.
Create a Mirror Filter
The VPC Traffic Mirror Filter will determine what packets from the source workload will be mirrored to the Traffic Mirror Target.
To create a Mirror Filter in one of your AWS accounts, select VPC, then Mirror Filters under Traffic Mirroring. You can provide a Name and Description for the filter. The logic of the filter is what matters most. We recommend you check amazon-dns under Network Services – optional. Then create an inbound rule and an outbound rule, each with these values:
Rule action – accept
Protocol – All Protocols
Source CIDR – 0.0.0.0/0
Destination CIDR – 0.0.0.0/0
This one Mirror Filter can be used for all the mirrors in your deployment.
Click Create to commit this Mirror Filter. This filter will copy all the traffic from the source ENI to the TMT.
Creating a Mirror Target
Mirror Targets need to be created for each Sensor you deploy. Creating a Mirror Target produces a Traffic Mirror Target (TMT) object, which is then referenced by each Mirror Session you create.
Each AWS vSensor has two ENIs.
On the Vectra AWS vSensor each interface serves the following purpose:
Interface – Purpose – Default Security Group
eth0 – Capture Interface – Sensor-TrafficSecurityGroup
eth1 – Management Interface – Sensor-ManagementSecurityGroup
Create the Mirror Target using the Name and Description of your choice and point it to either the Network Interface (the Sensor's capture interface, eth0) or the Network Load Balancer in front of your Sensor.
Creating a Mirror Session
Traffic Mirror Sessions are what instruct AWS to actually send traffic from the instances to the configured Mirror Target.
Select a Name and Description.
Select a Mirror Source (ENI of the instance that will send its traffic).
Select the Mirror Target you have created for your Sensor.
The Session number can be set to 1 and all other options left blank.
Select the Mirror Filter you created earlier and then click Create.
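The three-object procedure above (Mirror Filter, Mirror Target, Mirror Session), scripted the way the earlier note about adding mirrors with Python code suggests. This is an added example, not Vectra's or AWS's own code; it assumes boto3 is installed and AWS credentials are configured only when deploy() is actually called, and every ENI id, ARN and name in it is a placeholder.

```python
# Added example: VPC Traffic Mirroring objects in the recommended order
# (one filter, one target per Sensor, one session per workload) via boto3's
# EC2 API. Assumes boto3 + credentials only when deploy() runs; the build_*
# helpers are pure and return the parameters for the matching EC2 calls.


def build_filter_rules(filter_id, rule_number=100):
    """Accept-all rules, one per direction: all protocols, 0.0.0.0/0 both ways.
    Leaving 'Protocol' out is how the EC2 API expresses 'All Protocols'."""
    return [{"TrafficMirrorFilterId": filter_id, "TrafficDirection": direction,
             "RuleNumber": rule_number, "RuleAction": "accept",
             "SourceCidrBlock": "0.0.0.0/0", "DestinationCidrBlock": "0.0.0.0/0"}
            for direction in ("ingress", "egress")]


def build_target(sensor_eni_id=None, nlb_arn=None, description="Vectra vSensor"):
    """Target is the Sensor's capture ENI (eth0) or its NLB, exactly one of them."""
    if (sensor_eni_id is None) == (nlb_arn is None):
        raise ValueError("give exactly one of sensor_eni_id or nlb_arn")
    key = "NetworkInterfaceId" if sensor_eni_id else "NetworkLoadBalancerArn"
    return {"Description": description, key: sensor_eni_id or nlb_arn}


def build_session(source_eni_id, target_id, filter_id, session_number=1):
    """One session per workload ENI. A packet is delivered once; if a source has
    several sessions the lowest SessionNumber wins (valid range 1-32766)."""
    if not 1 <= session_number <= 32766:
        raise ValueError("SessionNumber must be between 1 and 32766")
    return {"NetworkInterfaceId": source_eni_id, "TrafficMirrorTargetId": target_id,
            "TrafficMirrorFilterId": filter_id, "SessionNumber": session_number}


def deploy(ec2, sensor_eni_id, workload_eni_ids):
    """Apply filter -> target -> sessions using a boto3 EC2 client
    (ec2 = boto3.client("ec2")) and return the new session ids."""
    resp = ec2.create_traffic_mirror_filter(Description="vSensor accept-all")
    filter_id = resp["TrafficMirrorFilter"]["TrafficMirrorFilterId"]
    # 'amazon-dns' is the 'Network Services - optional' checkbox in the console.
    ec2.modify_traffic_mirror_filter_network_services(
        TrafficMirrorFilterId=filter_id, AddNetworkServices=["amazon-dns"])
    for rule in build_filter_rules(filter_id):
        ec2.create_traffic_mirror_filter_rule(**rule)
    resp = ec2.create_traffic_mirror_target(**build_target(sensor_eni_id=sensor_eni_id))
    target_id = resp["TrafficMirrorTarget"]["TrafficMirrorTargetId"]
    session_ids = []
    for eni in workload_eni_ids:
        resp = ec2.create_traffic_mirror_session(**build_session(eni, target_id, filter_id))
        session_ids.append(resp["TrafficMirrorSession"]["TrafficMirrorSessionId"])
    return session_ids
```

Run deploy(boto3.client("ec2"), "<sensor eth0 ENI id>", ["<workload ENI id>", ...]) from an account that owns both the Sensor and the workloads; the session numbers all default to 1, which is fine because each workload ENI gets exactly one session.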