Having visibility into the Amazon VPC infrastructure is a foundational element that any cloud administrator needs to maintain and operate an AWS infrastructure that is secure and functional. Visibility into your AWS infrastructure becomes increasingly important as it scales, because it gives you the ability to make key planning decisions and maintain security. This session is intended for anyone wanting to learn about network visibility on AWS, and it includes information about partners and real-life customer use cases. Come see how you, too, can gain insights into the network traffic that is traversing your AWS infrastructure.

1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Network visibility into the traffic
traversing your AWS infrastructure
Miguel Cervantes
Partner Solutions Architect, Networking
AWS
S V C 2 1 3
Anoop Dawani
Senior Product Manager, EC2 Networking
AWS

2. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
?

3. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Let’s take a closer look
AWS Region
Availability Zone 2Availability Zone 1
Private subnet Private subnet
Public subnet Public subnet
VPC CIDR 10.1.0.0/16 + Expand + IPv6
Amazon VPC
Amazon EC2
InstanceB
10.1.1.11/24
InstanceA
10.1.0.11/24
InstanceC
10.1.2.11/24
InstanceD
10.1.3.11/24
Internet
Amazon S3 Amazon
DynamoDB
AWS Lambda Amazon SQS Amazon SNS
AWS IoT

4. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
NAT
InstanceB
10.1.1.11/24
Instance BNAT-GW
NAT-GW
0.0.0.0/0
AWS Region
Availability Zone 2Availability Zone 1
Private subnet
VGW
VPC
Peering
VPC
Flow Logs
VPN
The
internet
Private subnet
Public subnet
InstanceA
Public subnet
Amazon S3
VPC CIDR 10.1.0.0/16
10.1.0.11/24
InstanceC
10.1.2.11/24
InstanceD
10.1.3.11/24
DXGW
+ Expand + IPv6
IGWVPCE
10.1.0.0/16 Local
0.0.0.0/0 IGW
S3.prefix.list VPCE-123
On-premises VGW
VPC-B PCX-123
Destination Target
Intra or
Inter
region
10.1.0.0/16 Local
S3.prefix.list VPCE-123
On-premises VGW
VPC-B PCX-123
Destination Target
AWS PrivateLink
Service Provider VPC
NLB
On premises
VPC-B
EIP - 10.1.0.11 : 54.23.12.43
EIP - 10.1.1.11 : 54.19.12.23
Amazon
DynamoDB
AWS Lambda
AWS Direct
Connect
Amazon SQS Amazon SNS
AWS IoT
Amazon
CloudWatch
AWS
PrivateLink
Transit GW
Onpremises
AWS PrivateLink
Enabled Services
Other Routes TGW
Other Routes TGW
Amazon S3
AWS Global Accelerator

5. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How do I get visibility into my AWS network
traffic?

6. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon VPC Flow Logs

7. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Life of a VPC Flow Log
Subnet

8. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What does a flow log look like?

9. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Flow log contents

10. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC Flow Logs are a building block

11. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC Flow Logs use cases

12. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Let’s dive into a simple example:
Amazon EC2 instance communication
within a VPC

13. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Subnet Subnet
VPC
Flow Logs
VPC CIDR 10.1.0.0/16
10.1.1.15/24 Security Group - ABC 10.1.2.77/24Security Group - DEF
Security Group Inbound Rules
SG-DEF Receive all traffic from security group SG-ABC
Outbound Rules
Send all traffic to any destination
Security Group Inbound Rules
SG-ABC Receive all traffic from security group SG-DEF
Outbound Rules
Send all traffic to any destination What are we doing here?
✓

14. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Action
ACCEPT
Action
ACCEPT
What did that flow log look like?

15. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Subnet Subnet
VPC
Flow Logs
VPC CIDR 10.1.0.0/16
10.1.1.15/24 Security Group - ABC 10.1.2.77/24Security Group - DEF
Security Group Inbound Rules
SG-DEF Receive all traffic from security group SG-ABC
Outbound Rules
Send all traffic to any destination
Security Group Inbound Rules
SG-ABC Receive all traffic from 10.5.1.0/24
Outbound Rules
Send all traffic to any destination What are we doing here?
X

16. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Action
ACCEPT
Action
What did that flow log look like?

17. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC Flow Logs destinations

18. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon CloudWatch
Sending VPC Flow Logs to …

19. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon S3
Sending VPC Flow Logs to …

20. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Athena
Analyzing VPC Flow Logs with …
https://amzn.to/2Fy4hq5

21. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Enriched customer VPC Flow Logs

22. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Watch the full video here
https://bit.ly/2L7BAnt
Find the case study here
https://amzn.to/2KgxKJ1

23. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Hold on a second—didn’t we launch something
new a couple weeks ago?

24. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon VPC Traffic Mirroring

25. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AngleofIncidence i
i
IncidentRay
ReflectedRay
(Partial Reflection)
} Normal
i
Angleof
Refraction
r
r
RefractedRay
Much in the sameway…
What is Amazon VPC Traffic Mirroring?

26. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What is Amazon VPC Traffic Mirroring?
EC2
Instance
Inbound Packets
Outbound Packets
Monitoring
Instance
ENI-1 ENI-1
} Open-SourceTrafficAnalysis
BuildYourOwnTrafficAnalyzer
AWSTrafficMirroringPartners
IGW

27. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why have we built VPC Traffic Mirroring?

28. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Vis ibility and
Troubles hooting
Detection of network
and s ecurity anomalies
Through using traffic mirroring, customers can analyze
specific traffic patterns to identify any vulnerable
“blind spots” or “choke points” between application
tiers and/or Amazon EC2 instances
VPC Traffic Mirroring will allow customers to extract
traffic of interest from any workload in a VPC and send it
to the right tools to detect and respond faster to attacks
often missed by traditional log-centric tools
Customers wanted…

29. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What are some of the key benefits of VPC
Traffic Mirroring?

30. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
I m p r o v e d s e c u r i t y
p o s t u r e
S i m p l i f i e d n a t i v e
o p e ra t i o n
W i d e ra n g e o f
m o n i t o r i n g o p t i o n s
Through allowing packet
capture at the elastic network
interface level
Instead of using an agent to
have mirroring capability,
you now have VPC Traffic
Mirroring, natively…
Integrating with multiple tools
and partners, VPC Traffic
Mirroring allows you to mix and
match options

31. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC Traffic Mirroring: Three components

32. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
SessionsTargets Filters
The destination for mirrored
traffic
A set of rules that define the traffic
that is copied in a Traffic Mirror
session
An entity that describes traffic
mirroring from a source to a target
using filters

33. Network load balancers
Elastic network interfaces
The destination for mirrored traffic

34. A Traffic Mirror target can be used in more than
one Traffic Mirror session
The destination for mirrored traffic

35. Security group associated with target: Allow VXLAN traffic (UDP
port 4879) from the Traffic Mirror source
The destination for mirrored traffic

36. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
SessionsTargets Filters
The destination for mirrored
traffic
A set of rules that defines the traffic
that is copied in a Traffic Mirror
session
An entity that describes traffic
mirroring from a source to a target
using filters

37. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
EC2
Instance
Inbound Packets
Outbound Packets
Monitoring
Instance
ENI-1 ENI-1
Traffic mirroringfilter
Inbound Packets
Outbound Packets X
IGW
Traffic mirroring: Traffic filtering

38. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Overlay IP
Header
IP Header
Header
Checksum
Outer Src IP
Outer Dst IP
UDP Src Port
UDP Dst Port
(4789)
UDP Length
Checksum
VXLAN Flag
Reserved
VNID
Reserved
Traffic mirroring: Packet format...
Note: Any packet over 8,946 bytes will
be truncated

39. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Traffic mirroring: Traffic filtering
Ingress TCP
Egress
Both
UDP
Any
List of
CIDRs
Source IP Single Source IP Single
Range
List of
CIDRs
Range
Y/N
Sample
(Bytes)

40. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Traffic mirroring: Traffic filtering
Ingress TCP
List of
CIDRs
Single Source IP SingleIngress TCP Any
My server
IP
80
Range
List of
CIDRs
Range
Egress
Both
UDP
Any
Source IP Y/N
Sample
(Bytes)
No
0.0.0.0/0

41. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
SessionsTargets Filters
The destination for
mirrored traffic
A set of rules that define the traffic
that is copied in a Traffic Mirror
session
An entity that describes traffic
mirroring from a source to a target
using filters

42. The destination for mirrored traffic
A Traffic Mirror session establishes a relationship between a Traffic
Mirror source and a Traffic Mirror target

43. The destination for mirrored traffic
A Traffic Mirror session has three components:

44. The destination for mirrored traffic
Each Traffic Mirror source can support up to three sessions
Note: Session number determines priority, with
the lowest ID given the highest priority—a
packet can be mirrored only once

45. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
More advanced topics

46. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC Flow Logs vs. VPC Traffic Mirroring

47. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
vs.VPC Flow Logs VPC Traffic Mirroring
- Real network packets with the ability
to truncate
- Destination: Another elastic network
interface or Network Load Balancer
- Logs of network flows
- Each record captures the network
flow for a specific 5-tuple, for a
specific capture window
- Destination: Amazon S3 or Amazon
CloudWatch Logs
- Real network packets

48. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How does traffic mirroring affect the
performance of my EC2 instance?

49. and EC2 network performance
Monitoring
instance
ENI-1 ENI-1
EC2
instance
Instance traffic and mirror traffic both count toward
your overall instance’s performance

50. Monitoring
instance
ENI-1 ENI-1
EC2
instance
1 Gbps
1 Gbps
1+1 (Mirrored) =
}
} 2 Gbps
inbound
outbound
4 Gbps 2 Gbps
and EC2 network performance

51. Instance right-sizing of sources and targets
is an important consideration
and EC2 network performance

52. Note: Production traffic has a higher priority than
mirrored traffic when there is traffic congestion
and EC2 network performance

53. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Let’s talk more about scale…

54. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
EC2
instance
EC2
instance
AutoScalinggroup
EnableTrafficMirroring
ENI
Network Load
Balancer
Monitoring
instance
ENI
Monitoring
instance
ENI
Monitoring
instance
ENI
Monitoring
instance
ENI
ENI-1
IGW
VPC Traffic Mirroring: AWS Auto Scaling

55. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Network Load Balancer: Flow hashing
Network Load
Balancer
Monitoring
instance
ENI
Monitoring
instance
ENI
Monitoring
instance
ENI
Monitoring
instance
ENI
Traffic Mirroring is UDP only
Note: There must be UDP listeners on port 4789

56. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Network Load Balancer: Flow hashing
For UDP traffic, the load balancer selects a target using a flow hash algorithm based on:
• A UDP flow has the same source and destination, so it is consistently routed to a single target
throughout its lifetime
• Different UDP flows have different source ports, so they can be routed to different targets

57. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Decentralizing your traffic mirroring
deployment

58. Decentralized
Monitoring
instance
ENI-1 ENI-1
EC2
instance
With routing connectivity, Traffic Mirror sources and
destinations can be decentralized
CentralizedInfoSecVPC
VPC PeeringAWS Transit Gateway
Account 1 Account 2

59. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Let’s check it out in the console

60. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

61. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

62. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

63. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
traffic-mirroring-session
traffic-mirroring-session
eni-20003bd0e
tmt-0cd45c2defe98a55b

64. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
traffic-mirroring-session
traffic-mirroring-session
eni-20003bd0e
tmt-0cd45c2defe98a55b

65. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

66. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T

67. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What do you actually do with the packets?

68. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
EC2
instance
Inbound packets
Outbound packets
Monitoring
instance
ENI-1 ENI-1
}
Internet gateway
Whatdoyouactuallydo withthe packets?
-APNPartners

69. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

70. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

71. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
EC2
instance
Inbound packets
Outbound packets
Monitoring
instance
ENI-1 ENI-1
}
Whatdoyouactuallydo withthe packets?
-APNPartners
- Buildyourownanalyzer
IGW

72. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
EC2
instance
Inbound packets
Outbound packets
Monitoring
instance
ENI-1 ENI-1
}
Whatdoyouactuallydo withthe packets?
-APNPartners
- Buildyourownanalyzer
User
Capture HTTP requests both in/out of an
EC2 instance

73. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Let’s build the analyzer

74. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
vi dyi_traffic_mirroring.go

75. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
package main
import (
"fmt"
"github.com/google/gopacket"
"github.com/google/gopacket/layers"
"github.com/google/gopacket/pcap"
"strings"
)
func main() {
// Agent code ...
}
What are we doing here?

76. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Let’s define the analyzer code

77. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
package main
import (
// imported packages ...
)
func main() {
// Bind to an EC2 Elastic Network Interface
handle, err := pcap.OpenLive("ens5", 9001, true, pcap.BlockForever)
if err != nil {
panic(err)
}
// Filter for UDP Packets
// VPC Traffic Mirroring sends mirrored traffic as encapsulated UDP packets
filter := "udp"
if err := handle.SetBPFFilter(filter); err != nil {
panic(err)
}
// Create a packet source from the ENI with an link type of Ethernet
packetSource := gopacket.NewPacketSource(handle, handle.LinkType())
// but wait, there’s more ...
}
What are we doing here?

78. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Let’s grab the mirrored packet

79. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
// Grab every packet in/out of the Elastic Network Interface (ENI)
for overlayPacket := range packetSource.Packets() {
// Check if VXLAN header is inside the packet
vxlanLayer := overlayPacket.Layer(layers.LayerTypeVXLAN)
if vxlanLayer != nil {
// Grab the VXLAN packet
vxlanPacket, _ := vxlanLayer.(*layers.VXLAN)
// Create a new packet with the mirrored Ethernet Frame that is inside the VXLAN packet
packet := gopacket.NewPacket(vxlanPacket.LayerPayload(), layers.LayerTypeEthernet, gopacket.Default)
// Print out the contents of the mirrored packet
fmt.Println(packet.Dump())
}
}
What are we doing here?

80. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Let’s build it and see what output we get

81. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
go build dyi_traffic_mirroring.go
sudo ./dyi_traffic_mirroring
-- FULL PACKET DATA (66 bytes) ------------------------------------
00000000 00 00 0c 07 ac 06 a4 5e 60 bc 60 0b 08 00 45 00 |.......^`.`...E.|
00000010 00 34 63 2d 40 00 80 06 c9 0c 0a 4e 23 29 9d f0 |.4c-@......N#)..|
00000020 03 23 d5 12 01 bb a9 c7 19 16 cd dc cf 3d 80 10 |.#...........=..|
00000030 0f fe 25 d1 00 00 01 01 08 0a 1a 44 fa 8c 10 28 |..%........D...(|
00000040 16 a5 |..|
--- Layer 1 ---
Ethernet {Contents=[..14..] Payload=[..52..] SrcMAC=aa:55:66:bc:10:0b DstMAC=00:00:09:01:bc:16 EthernetType=IPv4
Length=0}
00000000 00 00 0c 07 ac 06 a4 5e 60 bc 60 0b 08 00 |.......^`.`...|
--- Layer 2 ---
IPv4 {Contents=[..20..] Payload=[..32..] Version=4 IHL=5 TOS=0 Length=52 Id=25389 Flags=DF FragOffset=0 TTL=128
Protocol=TCP Checksum=51468 SrcIP=10.15.25.53 DstIP=1.2.3.4 Options=[] Padding=[]}
00000000 45 00 00 34 63 2d 40 00 80 06 c9 0c 0a 4e 23 29 |E..4c-@......N#)|
00000010 9d f0 03 23 |...#|
--- Layer 3 ---
TCP {Contents=[..32..] Payload=[] SrcPort=54546 DstPort=443(https) Seq=2848397590 Ack=3453800253 DataOffset=8
FIN=false SYN=false RST=false PSH=false ACK=true URG=false ECE=false CWR=false NS=false Window=4094 Checksum=9681 Urgent=0
Options=[TCPOption(NOP:), TCPOption(NOP:), TCPOption(Timestamps:440728204/271062693 0x1a44fa8c102816a5)] Padding=[]}
00000000 d5 12 01 bb a9 c7 19 16 cd dc cf 3d 80 10 0f fe |...........=....|
00000010 25 d1 00 00 01 01 08 0a 1a 44 fa 8c 10 28 16 a5 |%........D...(..|
...

82. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Let’s capture HTTP requests

83. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
// Grab every packet in/out of the Elastic Network Interface (ENI)
for overlayPacket := range packetSource.Packets() {
// Check if VXLAN header is inside the packet
vxlanLayer := overlayPacket.Layer(layers.LayerTypeVXLAN)
if vxlanLayer != nil {
// Grab the VXLAN packet
vxlanPacket, _ := vxlanLayer.(*layers.VXLAN)
// Create a new packet with the mirrored Ethernet Frame that is inside the VXLAN packet
packet := gopacket.NewPacket(vxlanPacket.LayerPayload(), layers.LayerTypeEthernet, gopacket.Default)
// Check if contents in the Application Layer exists in the mirrored Packet
applicationLayer := packet.ApplicationLayer()
if applicationLayer != nil {
// Check if the Application Payload contains HTTP requests
if strings.Contains(string(applicationLayer.Payload()), "HTTP") {
// Print out the SRC IP and DEST IP
netFlow := packet.NetworkLayer().NetworkFlow()
src, dst := netFlow.Endpoints()
fmt.Printf("[SRC HOST IP: %s] [DEST HOST IP: %s]n", src, dst)
// Print out the HTTP Request
fmt.Printf("%sn", applicationLayer.Payload())
}
}
}
}
What are we doing here?

84. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Let’s build it and see what output we get

85. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
[SRC HOST IP: 5.4.3.2]
[DEST HOST IP: 10.0.0.46]
GET / HTTP/1.1
Host: 3.2.5.4:8080
User-Agent: curl/7.54.0
Accept: */*
[SRC HOST IP: 10.0.0.46]
[DEST HOST IP: 5.4.3.2]
HTTP/1.0 200 OK
[SRC HOST IP: 10.0.0.46]
[DEST HOST IP: 5.4.3.2]
Server: SimpleHTTP/0.6 Python/2.7.12
Date: Tues, 25 Jun 2019 01:37:11 GMT
Content-type: text/html
Content-Length: 76
Last-Modified: Wed, 19 Jun 2019 00:10:07 GMT
<html>
<head><title>Traffic Mirroring</title></head>
<body><p>Hello World</p></body>
</html>
sudo ./dyi_traffic_mirroring
Destination Source
Serving HTTP on 0.0.0.0 port 8080
5.4.3.2 - - [21/Jun/2019 20:31:32] "GET /index.html
HTTP/1.1" 200 -
python –m SimpleHTTPServer 8080
Web Server
Traffic Mirroring
Hello World
http://3.2.5.4:8080
go build dyi_traffic_mirroring.go

86. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Done! Now what can I do from here?
Send

87. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
EC2
instance
Inbound packets
Outbound packets
Monitoring
instance
ENI-1 ENI-1
}
IGW
Whatdoyouactuallydo withthe packets?
-APNPartners
-Buildyourownanalyzer
- Open-sourceIDS/IPStools
Working with open-source tools for traffic mirroring

88. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

89. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Working with Open-Source Tools for
Traffic Mirroring
https://amzn.to/2J6F07r

90. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Any other considerations?

91. Other considerations
1. Mirrored traffic is not subject to the outbound security group
2. Flow Logs do not capture mirrored traffic
3. Packets will be mirrored only if they pass the
inbound security group or ACL

92. Other considerations
4. Data transfer when mirroring traffic
5. Routing mirrored traffic
6. Prioritization of production traffic
7. MTU size of mirrored traffic

93. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How customers are planning to use Traffic
Mirroring…

94. • Continuous monitoring for sensitive workloads
• Deep and quick visibility for acquisitions
• On-demand access for incident responders

95. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon VPC Traffic Mirroring use case

96. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Logs
Amazon CloudWatch
Events
Amazon
GuardDuty
1. GuardDuty
alert fires
AWS Lambda
2. Alert is sent to
Lambda
EC2
instance
Monitoring
instance
4. Lambda launches
monitoring AMI
5. Lambda enables VPC Traffic
Mirroring on instance
Amazon S3Amazon Athena
8. Athena inspects
logs
3. Lambda matches the alert and identifies
the instance/ENI that needs monitoring
ENI-1 ENI-1
Good
Bad
7. Logs from Zeek or
Suricata flow into Amazon
S3
9. Lambda can terminate the
mirroring instance
10. Lambda can terminate the
mirroring session
6. Packets are
forwarded on to the
mirroring instance
x x

97. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Logs
Amazon API GatewayIncident Response
Human
1. Human provides
eni-id / vpc-id
AWS Lambda
2. API Gateway
interacts with
Lambda
EC2
instance
Monitoring
instance
4. Lambda launches
monitoring AMI
5. Lambda enables VPC Traffic
Mirroring on instance
Amazon S3Amazon Athena
8. Human can
inspect logs via
Athena
3. Given inputs, Lambda triggers an action
ENI-1 ENI-1
Good
Bad
7. Logs from Zeek or
Suricata flow into Amazon
S3
9. Lambda can terminate the
mirroring instance when asked, or
after duration
10. Lambda can terminate the
mirroring session
6. Packets are
forwarded on to the
mirroring instance
and type of
monitoring
(Zeek/Suricata)
and duration
x x

98. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Logs
Logs
1. When a new
instance is created
AWS Lambda
Note: Behind the NLB, there are monitoring
hosts running Zeek or Suricata and logging to
Amazon S3 which can scale as needed
5. A mirror mapping is created, with
a filter, so any internal (east/west)
traffic is filtered out
2. Lambda looks at the CloudTrail event
and identifies the eni-id
A CloudTrail event is
created
EC2
instance
EC2
instance
AWS CloudTrail
Monitoring
instance
Monitoring
instance
Amazon S3Amazon Athena
7. Logs from Zeek or
Suricata flow into Amazon
S3
Athena inspects
logs
Network Load
Balancer
ENIENI
ENI
ENI

99. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Final thoughts…
VPC Flow Logs VPC Traffic
Mirroring

100. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
To practice five things under all circumstances constitutes perfect virtue;
these five are gravity, generosity of soul, sincerity, earnestness, and
kindness. - Confucius

101. Thank you!
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Miguel Cervantes
miguelaws@amazon.com