AWS Traffic Mirroring
This article explains how to copy the network traffic of a deployed AWS App to another App in the same sandbox, using AWS VPC Traffic Mirroring. For background on the AWS feature itself, see AWS Documentation.
This is done by calling two hidden commands on the AWS cloud provider via the CloudShell Automation API:
CreateTrafficMirroring
: Creates traffic mirror sessions, traffic mirror targets and filters, and associates them with the sandbox VPC.
RemoveTrafficMirroring
: Tears down traffic mirror sessions and the related AWS resources.
Prerequisites
- The source EC2 instance must be a Nitro-based instance.
- The target EC2 instance must accept UDP port 4789 from the source instance: mirrored packets are delivered to the target NIC encapsulated in VXLAN on that port. You can open the port via the SetAppSecurityGroups API method, by setting the target instance to accept all sandbox traffic, or via the Inbound Ports attribute on the App template. Opening only UDP 4789 from the source is the least-privilege option; the target receives a full copy of the source's traffic, so protect it accordingly.
- The network interface IDs of the source and target NICs are required for the CreateTrafficMirroring call. Starting with cloudshell-cp-aws version 2.4.3.x, the NIC is included in the deployed App's VM Details, to facilitate calling the resource command.
Limitations
- A source network interface can be tapped by up to 3 sessions.
- A target can have open sessions with up to 10 different sources (some dedicated instance types allow more).
For details, see this AWS Documentation page: Traffic Mirroring Limits and Considerations.
Command interface
Mandatory parameters are indicated.
CreateTrafficMirroring
- DriverRequest:
- Actions: List containing the following:
- actionId: (Str)
- type: (Mandatory, Str) Must be “CreateTrafficMirroring”
- actionParams: List containing the following:
- type: (Mandatory, Str) Must be “CreateTrafficMirroringParams”
- sourceNicId: (Mandatory, Str) Network interface ID of the source EC2 instance
- targetNicId: (Mandatory, Str) Network interface ID of the target EC2 instance (the traffic mirror target)
- sessionNumber: (Str) Traffic mirror session number. When a source interface is used by several sessions, it determines the order in which they are evaluated (the smallest number is evaluated first). Every traffic mirror session requires one; if left empty, CloudShell allocates a number.
- filterRules: List of the following:
- type: (Mandatory, Str) Must be “TrafficFilterRule”
- direction: (Mandatory, Str) Traffic direction on the source NIC. Valid values are ingress (inbound to the source NIC) and egress (outbound from it).
- sourcePortRange: (Object with fromPort and toPort) Port range of the packet's source, the end that sends the traffic.
- destinationPortRange: (Object with fromPort and toPort) Port range of the packet's destination, the end that receives the traffic.
- protocol: (Mandatory, Str) Port protocol (tcp, udp, etc.)
- sourceCidr: (Str) CIDR of the packet's source (from which the traffic is sent).
- destinationCidr: (Str) CIDR of the packet's destination (to which the traffic is sent).
Note that source and destination in a filter rule describe the packet, not the mirrored instance: in an ingress rule the source EC2 instance is the packet's destination, and in an egress rule it is the packet's source.
RemoveTrafficMirroring
- DriverRequest:
- Actions: List containing the following:
- actionId: (Str)
- type: (Mandatory, Str) Must be “RemoveTrafficMirroring”
- targetNicId: (Mandatory key, Str) Network interface ID of the target EC2 instance (the traffic mirror target)
- sessionId: (Mandatory key, Str) Traffic mirror session ID (assigned by AWS and returned in the CreateTrafficMirroring output).
Notes:
- Include both the sessionId and targetNicId keys, but provide a value for only one of them, as illustrated in the RemoveTrafficMirroring example.
- You cannot use the sourceNic parameter to remove traffic mirroring sessions.
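The request shapes described above, as an added example that is not part of this page or of the cloudshell-cp-aws project: Python helpers that build the CreateTrafficMirroring and RemoveTrafficMirroring DriverRequest payloads from the parameters listed here and enforce the rules the page states (valid directions, a mandatory protocol, exactly one of sessionId/targetNicId carrying a value, and the 3-sessions-per-source and 10-sources-per-target limits) before anything is sent to AWS. Key casing follows this page, actionParams is modelled as a single object because the page lists its fields, the NIC and session IDs are constructed sample values, and submitting the JSON to CloudShell (for example through the Automation API) is not shown.

```python
"""Build and pre-validate DriverRequest payloads for the hidden
CreateTrafficMirroring / RemoveTrafficMirroring cloud provider commands.
Added example; not code from CloudShell or cloudshell-cp-aws."""
import json
from typing import Dict, List, Optional, Tuple

# Limits quoted in the Limitations section of this page.
MAX_SESSIONS_PER_SOURCE_NIC = 3
MAX_SOURCES_PER_TARGET_NIC = 10
VALID_DIRECTIONS = ("ingress", "egress")


def port_range(from_port: int, to_port: int) -> Dict[str, int]:
    """fromPort/toPort object used by sourcePortRange and destinationPortRange."""
    if not 0 <= from_port <= to_port <= 65535:
        raise ValueError(f"invalid port range {from_port}-{to_port}")
    return {"fromPort": from_port, "toPort": to_port}


def filter_rule(direction: str, protocol: str,
                source_cidr: Optional[str] = None,
                destination_cidr: Optional[str] = None,
                source_ports: Optional[Dict[str, int]] = None,
                destination_ports: Optional[Dict[str, int]] = None) -> Dict:
    """One TrafficFilterRule. 'source'/'destination' describe the packet, not the
    mirrored instance: for an ingress rule the mirrored NIC is the destination."""
    if direction not in VALID_DIRECTIONS:
        raise ValueError(f"direction must be one of {VALID_DIRECTIONS}, got {direction!r}")
    if not protocol:
        raise ValueError("protocol is mandatory")
    rule = {"type": "TrafficFilterRule", "direction": direction, "protocol": protocol}
    optional = {"sourceCidr": source_cidr, "destinationCidr": destination_cidr,
                "sourcePortRange": source_ports, "destinationPortRange": destination_ports}
    rule.update({k: v for k, v in optional.items() if v is not None})  # emit only set keys
    return rule


def create_traffic_mirroring_request(source_nic_id: str, target_nic_id: str,
                                     rules: List[Dict], session_number: str = "",
                                     action_id: str = "create-1") -> Dict:
    """DriverRequest for CreateTrafficMirroring. An empty sessionNumber lets
    CloudShell allocate one. actionParams is modelled as one object (assumption)."""
    if not source_nic_id or not target_nic_id:
        raise ValueError("sourceNicId and targetNicId are mandatory")
    if not rules:
        raise ValueError("a filter with no rules mirrors nothing; add at least one rule")
    action = {
        "actionId": action_id,
        "type": "CreateTrafficMirroring",
        "actionParams": {
            "type": "CreateTrafficMirroringParams",
            "sourceNicId": source_nic_id,
            "targetNicId": target_nic_id,
            "sessionNumber": session_number,
            "filterRules": rules,
        },
    }
    return {"DriverRequest": {"Actions": [action]}}


def remove_traffic_mirroring_request(session_id: str = "", target_nic_id: str = "",
                                     action_id: str = "remove-1") -> Dict:
    """DriverRequest for RemoveTrafficMirroring: both keys are always present but
    exactly one carries a value (the page's rule). sourceNic is not accepted."""
    if bool(session_id) == bool(target_nic_id):
        raise ValueError("provide a value for exactly one of sessionId or targetNicId")
    return {"DriverRequest": {"Actions": [{
        "actionId": action_id,
        "type": "RemoveTrafficMirroring",
        "sessionId": session_id,
        "targetNicId": target_nic_id,
    }]}}


def check_session_limits(sessions: List[Tuple[str, str]]) -> List[str]:
    """Report planned (sourceNicId, targetNicId) pairs that exceed the limits above."""
    problems: List[str] = []
    per_source: Dict[str, int] = {}
    sources_per_target: Dict[str, set] = {}
    for src, tgt in sessions:
        per_source[src] = per_source.get(src, 0) + 1
        sources_per_target.setdefault(tgt, set()).add(src)
    for src, n in per_source.items():
        if n > MAX_SESSIONS_PER_SOURCE_NIC:
            problems.append(f"{src}: {n} sessions (max {MAX_SESSIONS_PER_SOURCE_NIC})")
    for tgt, srcs in sources_per_target.items():
        if len(srcs) > MAX_SOURCES_PER_TARGET_NIC:
            problems.append(f"{tgt}: {len(srcs)} sources (max {MAX_SOURCES_PER_TARGET_NIC})")
    return problems


if __name__ == "__main__":
    # Constructed sample IDs; real values come from the Apps' VM Details.
    src_nic, tgt_nic = "eni-0123456789abcdef0", "eni-0fedcba9876543210"
    rules = [
        # Inbound HTTPS to the source from the sandbox subnet: the source NIC is the destination.
        filter_rule("ingress", "tcp", source_cidr="10.0.0.0/16", destination_ports=port_range(443, 443)),
        # All outbound TCP from the source.
        filter_rule("egress", "tcp"),
    ]
    print(json.dumps(create_traffic_mirroring_request(src_nic, tgt_nic, rules), indent=2))
    print(json.dumps(remove_traffic_mirroring_request(session_id="tms-0123456789abcdef0"), indent=2))
    print(check_session_limits([(src_nic, tgt_nic)] * 4))
```

The removal helper deliberately emits both keys with one of them empty rather than omitting the unused key, which is the shape the Notes above require; the limit check is a pre-flight so a failing request is caught before CloudShell calls AWS.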
Examples
Using reservationId to get NICs
If the EC2 instance has a single NIC:
If the EC2 instance has more than one NIC: