What is Traffic Mirroring? - Amazon Virtual Private Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

What is Traffic Mirroring?

Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface of type interface. You can then send the traffic to out-of-band security and monitoring appliances for:

  • Content inspection

  • Threat monitoring

  • Troubleshooting

The security and monitoring appliances can be deployed as individual instances, or as a fleet of instances behind either a Network Load Balancer with a UDP listener or a Gateway Load Balancer with a UDP listener. Traffic Mirroring supports filters and packet truncation, so that you only extract the traffic of interest to monitor by using monitoring tools of your choice.

Traffic Mirroring concepts

The following are the key concepts for Traffic Mirroring:

  • Source — The network interface to monitor.

  • Target — The destination for mirrored traffic.

  • Filter — A set of rules that defines the traffic that is copied in a traffic mirror session.

  • Session — An entity that describes Traffic Mirroring from a source to a target using filters.

Working with Traffic Mirroring

You can create, access, and manage your traffic mirror resources using any of the following:

  • Amazon Web Services Management Console— Provides a web interface that you can use to access your traffic mirror resources.

  • Amazon Command Line Interface (Amazon CLI) — Provides commands for a broad set of Amazon services, including Amazon VPC. The Amazon CLI is supported on Windows, macOS, and Linux. For more information, see Amazon Command Line Interface.

  • Amazon SDKs — Provide language-specific APIs. The Amazon SDKs take care of many of the connection details, such as calculating signatures, handling request retries, and handling errors. For more information, see Amazon SDKs.

  • Query API— Provides low-level API actions that you call using HTTPS requests. Using the Query API is the most direct way to access Amazon VPC. However, it requires that your application handle low-level details such as generating the hash to sign the request and handling errors. For more information, see the Amazon EC2 API Reference.

Traffic Mirroring benefits

Traffic Mirroring offers the following benefits:

  • Simplified operation — Mirror any range of your VPC traffic without having to manage packet forwarding agents on your EC2 instances.

  • Enhanced security — Capture packets at the elastic network interface, which cannot be disabled or tampered with from a user space.

  • Increased monitoring options — Send your mirrored traffic to any security device.


For information about pricing, see VPC pricing.