AWS traffic mirroring
  • 28 Apr 2022

This topic explains how to deploy Traceable's platform agent using an AWS CloudFormation template. The same template also sets up traffic mirroring.


Traceable provides an AWS CloudFormation template that automates data collection by using traffic mirroring. Traffic mirroring captures a copy of the packets from the source network interface without disrupting your existing infrastructure and without adding latency to your requests. The mirrored data can then be used for telemetry, attack detection, and so on. Traceable uses open-source Suricata (recommended by AWS) to capture the mirrored traffic for further processing. The CloudFormation template creates an EC2 instance and installs the Traceable platform agent and Suricata on it.

Figure: Traffic mirroring for out-of-band data collection


Before you begin

Make a note of the following before you proceed with the deployment:

  • Make sure that you have an AWS account.
  • You have an understanding of CloudFormation. For more information, see AWS CloudFormation.
  • Keep Traceable's access token handy. It will be used when you configure the CloudFormation stack parameters. You can copy the access token by logging into your Traceable platform and navigating to Administration > Account > Access Token.

Support matrix

Following is a list of the traffic mirroring sources and traffic types that Traceable supports:

  • Traffic mirroring sources
    • Load balancer - ALB, CLB, and NLB
    • Target groups
    • ECS (EC2)
  • Supported traffic types
    • HTTP
    • gRPC-web

The following table lists the supported EC2 instance types.

  EC2 instance type                               | Supported instances
  ------------------------------------------------|--------------------
  Xen-based hypervisor EC2 instance               | C4, D2, G3, G3s, H1, I3, M4, P2, P3, R4, X1, and X1e
  Virtualized Nitro-based hypervisor EC2 instance | C5, C5a, C5ad, C5d, C5n, C6g, C6gd, C6gn, D3, D3en, G4, I3en, Inf1, M5, M5a, M5ad, M5d, M5dn, M5n, M5zn, M6g, M6gd, M6i, p3dn.24xlarge, P4, R5, R5a, R5ad, R5b, R5d, R5dn, R5n, R6g, R6gd, T3, T3a, T4g, high memory (u-*), X2gd, and z1d

Permissions required

The following list shows, grouped by AWS service, the IAM actions that the principal deploying the CloudFormation stack needs for AWS traffic mirroring.

  • CloudFormation
    • cloudformation:CreateStack
    • cloudformation:Describe*
    • cloudformation:EstimateTemplateCost
    • cloudformation:Get*
    • cloudformation:List*
    • cloudformation:ValidateTemplate
    • cloudformation:Detect*
    • cloudformation:DeleteStack
    • cloudformation:UpdateStack
  • EC2
    • ec2:Describe*
    • ec2:CreateTrafficMirrorFilter
    • ec2:DeleteTags
    • ec2:ModifyTrafficMirrorFilterNetworkServices
    • ec2:DeleteTrafficMirrorTarget
    • ec2:AssociateVpcCidrBlock
    • ec2:DeleteVolume
    • ec2:ModifyTrafficMirrorSession
    • ec2:StartInstances
    • ec2:CreateSecurityGroup
    • ec2:CreateTrafficMirrorFilterRule
    • ec2:DeleteTrafficMirrorFilterRule
    • ec2:DetachVolume
    • ec2:ModifyVolume
    • ec2:DeleteTrafficMirrorFilter
    • ec2:CreateTrafficMirrorTarget
    • ec2:ModifyTrafficMirrorFilterRule
    • ec2:CreateTags
    • ec2:ModifyNetworkInterfaceAttribute
    • ec2:DeleteNetworkInterface
    • ec2:RunInstances
    • ec2:ModifySecurityGroupRules
    • ec2:DeleteTrafficMirrorSession
    • ec2:CreateTrafficMirrorSession
    • ec2:AllocateAddress
    • ec2:CreateVolume
    • ec2:CreateNetworkInterface
    • ec2:DeleteSecurityGroup
    • ec2:AssociateSubnetCidrBlock
    • ec2:AttachNetworkInterface
    • ec2:AssociateAddress
    • ec2:AssociateIamInstanceProfile
    • ec2:AuthorizeSecurityGroupIngress
    • ec2:DisassociateAddress
    • ec2:TerminateInstances
    • ec2:ReleaseAddress
  • Logs
    • logs:CreateLogGroup
    • logs:DeleteLogGroup
    • logs:PutRetentionPolicy
  • Events
    • events:DescribeRule
    • events:PutRule
    • events:DeleteRule
    • events:PutTargets
    • events:RemoveTargets
  • IAM
    • iam:Get*
    • iam:List*
    • iam:CreateRole
    • iam:PutRolePolicy
    • iam:DeleteRolePolicy
    • iam:PassRole
    • iam:DeleteRole
    • iam:CreateInstanceProfile
    • iam:AddRoleToInstanceProfile
    • iam:RemoveRoleFromInstanceProfile
    • iam:DeleteInstanceProfile
  • SSM
    • ssm:Describe*
    • ssm:Get*
    • ssm:List*
  • Lambda
    • lambda:CreateFunction
    • lambda:DeleteFunction
    • lambda:GetFunction
    • lambda:InvokeFunction
    • lambda:AddPermission
    • lambda:RemovePermission

Installation

The Traceable platform agent is installed using CloudFormation in three stages:

  1. Configure the traffic mirroring source - typically your load balancer, target groups, or ECS cluster.
  2. Configure the traffic mirroring target - the Amazon EC2 instance on which the Traceable agent and Suricata are installed.
  3. Configure the Traceable platform agent.

Step 1 - Navigate to CloudFormation template

Click the button to open Traceable's CloudFormation template.

Alternatively, you can download the CloudFormation template from Traceable's download site. Navigate to Install > traffic-mirroring > cf-template > latest and download the template.yml file. Then:

  • Log in to your AWS account and search for CloudFormation from the search bar.
  • On the CloudFormation page, click the Create stack button.
  • On the Create stack page, select the Upload a template file option in the Specify template section and upload the template that you downloaded from Traceable's download site.

Click on Next. The CloudFormation template is displayed.

Step 2 - Configure CloudFormation parameters

Configure the CloudFormation parameters. The parameters are in the following three categories:

  • Traffic mirroring source
  • Amazon EC2 configuration
  • Traceable configuration

Traffic mirroring source

Configure only one of the following three options: 

  • MirrorSourceType - Select the type of source from which traffic is to be mirrored.
  • MirrorSource - Provide a comma-separated list of mirror sources of the selected type. For ECS_CLUSTER, provide the name of one ECS cluster. For MANUAL, leave this field empty.

Amazon EC2 configuration

  • InstanceType - Select the appropriate instance type from the drop-down list. The default value is m4.xlarge.
  • KeyName - Select the appropriate key name from the drop-down list to enable SSH access to the EC2 instance.
  • SubnetID - Select an existing subnet ID from the drop-down list. If you select a private subnet, make sure that the private subnet is configured with a route to the public internet.

Traceable configuration

  • TraceableRefreshToken - Enter the Traceable access token that you copied in the Before you begin section.
  • TraceableRefreshTokenSecretArn - ARN of the Secrets Manager secret in which the refresh token is stored. The secret's key must be refresh_token. For more information on Secrets Manager, see AWS Secrets Manager.
  • TraceableEnvironment - Provide the Traceable environment name, for example, QA, dev, or production.
  • TraceableServiceName - Provide the service name for the mirrored traffic. This is the name that appears on the Traceable dashboard for the mirrored traffic.

Step 3 - Acknowledge capabilities

Acknowledge that the stack might create IAM resources and that it might create nested stacks.

Traceable's CloudFormation template also configures autoscaling for you.

Verification

You can verify a successful installation of Traceable platform agent using CloudFormation by completing the following steps:

  1. Log in to the Traceable platform.
  2. Select the environment you entered in TraceableEnvironment from the Environment drop-down list.

The mirrored data is displayed on the Traceable platform.

It may take a few minutes for the data to appear on the Traceable platform the first time.

You can also see the list of installed traffic mirroring agents by navigating to Administration > Configuration > Data Collection section and searching for TMM agents.


Troubleshooting

If you do not see any data in Traceable's platform after a few minutes:

  1. Make sure that traffic is flowing through your load balancers, target groups, or ECS cluster that you configured as the mirror source.
  2. Navigate to /var/traceable/log to view the log files. The log files are rotated and timestamped; view the latest one. Stats are written to the log file every 5 minutes, for example:
     {"level":"info","time":"2021-09-03T13:19:13.302Z","message":"Stats", "service":"ext_cap","total":"412","post":"0","get":"387","put":"25", "delete":"0","head":"0","other":"0","20x":"412","30x":"0","40x":"0", "50x":"0","RCother":"0","header_summary_blobs_read":"0", "body_summary_blobs_read":"0","total_blobs_read":"496","queued_work": "0","active_routines":"0","queue_capacity":"5000","http1x":"412", "http2":"0","grpc":"0","errors":"0"}
  3. Check whether the correct access token is configured. You can copy the access token by logging in to your Traceable platform and navigating to Administration > Account > Access Token.
  4. SSH to the Traceable EC2 instance created by the CloudFormation stack and check the status of the Suricata and Traceable services with the following commands.

Suricata service

sudo systemctl status suricata

Traceable service

sudo systemctl status traceable
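As an added example (not part of Traceable's documentation or agent), the following Python script parses Stats lines of the form shown in step 2 and flags the conditions that usually explain "no data on the platform": zero captured requests, reported errors, or a work queue close to queue_capacity. The /var/traceable/log path comes from the page; the sample log text and the 90% backlog threshold are constructed assumptions.

```python
import json
import os
from glob import glob

# Constructed sample log text in the format of the Stats line above (not a real capture).
SAMPLE_LOG = """\
{"level":"info","time":"2021-09-03T13:14:13.302Z","message":"Stats","service":"ext_cap","total":"0","post":"0","get":"0","put":"0","delete":"0","head":"0","other":"0","20x":"0","30x":"0","40x":"0","50x":"0","RCother":"0","header_summary_blobs_read":"0","body_summary_blobs_read":"0","total_blobs_read":"0","queued_work":"0","active_routines":"0","queue_capacity":"5000","http1x":"0","http2":"0","grpc":"0","errors":"0"}
{"level":"info","time":"2021-09-03T13:19:13.302Z","message":"Stats","service":"ext_cap","total":"412","post":"0","get":"387","put":"25","delete":"0","head":"0","other":"0","20x":"412","30x":"0","40x":"0","50x":"0","RCother":"0","header_summary_blobs_read":"0","body_summary_blobs_read":"0","total_blobs_read":"496","queued_work":"4900","active_routines":"0","queue_capacity":"5000","http1x":"412","http2":"0","grpc":"0","errors":"7"}
{"level":"info","time":"2021-09-03T13:19:14.000Z","message":"service started"}
"""

def parse_stats(text):
    """Return the Stats entries found in log text, with counters converted to int."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue                    # rotated logs may contain non-JSON lines
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("message") != "Stats":
            continue                    # only the periodic Stats records matter here
        stats = {"time": rec.get("time")}
        for key, val in rec.items():
            if isinstance(val, str) and val.isdigit():
                stats[key] = int(val)   # the agent quotes its counters as strings
        entries.append(stats)
    return entries

def diagnose(stats, backlog_ratio=0.9):
    """Return findings for one Stats entry; an empty list means it looks healthy."""
    findings = []
    if stats.get("total", 0) == 0:
        findings.append("no requests captured: check that traffic reaches the mirror source")
    if stats.get("errors", 0) > 0:
        findings.append("agent reported %d errors" % stats["errors"])
    capacity = stats.get("queue_capacity", 0)
    if capacity and stats.get("queued_work", 0) >= backlog_ratio * capacity:
        findings.append("work queue near capacity: agent is not keeping up")
    return findings

def latest_log(log_dir="/var/traceable/log"):
    """Pick the most recently modified file among the rotated, timestamped logs."""
    files = glob(os.path.join(log_dir, "*"))
    return max(files, key=os.path.getmtime) if files else None
```

On the EC2 instance, read the file returned by latest_log() and pass the last entry from parse_stats() to diagnose(); offline, run the same functions on SAMPLE_LOG.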

If you need further assistance, reach out to Traceable support.


Upgrade

To upgrade your current deployment, delete the current CloudFormation stack and rerun the CloudFormation template. For more information on deleting the CloudFormation stack, follow the steps mentioned in the Deleting a stack on the AWS CloudFormation console page.


Uninstall

To uninstall, delete the CloudFormation stack by following the steps mentioned in the Deleting a stack on the AWS CloudFormation console page. 
