How to automate VPC Mirroring for Coralogix STA
After installing the Coralogix Security Traffic Analyzer (STA) and choosing a mirroring strategy suitable for your organization needs (if not, you can start by reading this) the next step would be to set the mirroring configuration in AWS. However, the configuration of VPC Traffic Mirroring in AWS is tedious and cumbersome – it requires you to create a mirror session per network interface of every mirrored instance, and just to add an insult to injury, if that instance terminates for some reason and a new one replaces it you’ll have to re-create the mirroring configuration from scratch. If you, like many others, use auto-scaling groups to automatically scale your services up and down based on the actual need, the situation becomes completely unmanageable.
Luckily for you, we at Coralogix have already prepared a solution for that problem. In the next few lines I’ll present a tool we’ve written to address that specific issue as well as few use-cases for it.
The tool we’ve developed can run as a pod in Kubernetes or inside a Docker container. It is written in Go to be as efficient as possible and will require only minimal set of resources to run properly. While it is running it will read its configuration from a simple JSON file and will select AWS EC2 instances by tags and then will select network interfaces on those instances and will create VPC Traffic Mirroring sessions for each network interface selected to the configured VPC Mirroring Target using the configured VPC Mirroring Filter.
The configuration used in this document will instruct the sta-vpc-mirroring-manager to look for AWS instances that have the tags “sta.coralogixstg.wpengine.com/mirror-filter-id” and “sta.coralogixstg.wpengine.com/mirror-target-id” (regardless of the value of those tags), collect the IDs of their first network interfaces (that are connected as eth0) and attempt to create a mirror session for each network interface collected to the mirror target specified by the tag “sta.coralogixstg.wpengine.com/mirror-target-id” using the filter ID specified by the tag “sta.coralogixstg.wpengine.com/mirror-filter-id” on the instance that network interface is connected to.
To function properly, the instance hosting this pod should have an IAM role attached to it (or the AWS credentials provided to this pod/container should contain a default profile) with the following permissions:
- ec2:Describe* on *
- elasticloadbalancing:Describe* on *
- autoscaling:Describe* on *
- ec2:ModifyTrafficMirrorSession on *
- ec2:DeleteTrafficMirrorSession on *
- ec2:CreateTrafficMirrorSession on *
Installation
This tool can be installed either as a kubernetes pod or a docker container. Here are the detailed instructions for installing it:
Installation as a docker container:
- To download the docker image use the following command:
docker pull coralogixrepo/sta-vpc-mirroring-config-manager:latest
- On the docker host, create a config file for the tool with the following content (if you would like the tool to report to the log what is about to be done without actually modifying anything set “dry_run” to true):
{ "service_config": { "rules_evaluation_interval": 10000, "metrics_exporter_port": ":8080", "dry_run": false }, "rules": [ { "conditions": [ { "type": "tag-exists", "tag_name": "sta.coralogixstg.wpengine.com/mirror-target-id" }, { "type": "tag-exists", "tag_name": "sta.coralogixstg.wpengine.com/mirror-filter-id" } ], "source_nics_matching": [ { "type": "by-nic-index", "nic_index": 0 } ], "traffic_filters": [ { "type": "by-instance-tag-value", "tag_name": "sta.coralogixstg.wpengine.com/mirror-filter-id" } ], "mirror_target": { "type": "by-instance-tag-value", "tag_name": "sta.coralogixstg.wpengine.com/mirror-target-id" } } ] } - Use the following command to start the container:
docker run -d -p <prometheus_exporter_port>:8080 -v <local_path_to_config_file>:/etc/sta-pmm/sta-pmm.conf -v <local_path_to_aws_profile>/.aws:/root/.aws -e "STA_PM_CONFIG_FILE=/etc/sta-pmm/sta-pmm.conf" coralogixrepo/sta-vpc-mirroring-config-manager:latest
Installation as a Kubernetes deployment:
-
- Use the following config map and deployment configurations:
apiVersion: v1 kind: ConfigMap data: sta-pmm.conf: | { "service_config": { "rules_evaluation_interval": 10000, "metrics_exporter_port": 8080, "dry_run": true }, "rules": [ { "conditions": [ { "type": "tag-exists", "tag_name": "sta.coralogixstg.wpengine.com/mirror-target-id" }, { "type": "tag-exists", "tag_name": "sta.coralogixstg.wpengine.com/mirror-filter-id" } ], "source_nics_matching": [ { "type": "by-nic-index", "nic_index": 0 } ], "traffic_filters": [ { "type": "by-instance-tag-value", "tag_name": "sta.coralogixstg.wpengine.com/mirror-filter-id" } ], "mirror_target": { "type": "by-instance-tag-value", "tag_name": "sta.coralogixstg.wpengine.com/mirror-target-id" } } ] } metadata: labels: app.kubernetes.io/component: sta-pmm app.kubernetes.io/name: sta-pmm app.kubernetes.io/part-of: coralogix app.kubernetes.io/version: '1.0.0-2' name: sta-pmm namespace: coralogix ---------- apiVersion: apps/v1 kind: Deployment metadata: labels: app.kubernetes.io/component: sta-pmm app.kubernetes.io/name: sta-pmm app.kubernetes.io/part-of: coralogix app.kubernetes.io/version: '1.0.0-2' name: sta-pmm namespace: coralogix spec: selector: matchLabels: app.kubernetes.io/component: sta-pmm app.kubernetes.io/name: sta-pmm app.kubernetes.io/part-of: coralogix template: metadata: labels: app.kubernetes.io/component: sta-pmm app.kubernetes.io/name: sta-pmm app.kubernetes.io/part-of: coralogix app.kubernetes.io/version: '1.0.0-2' name: sta-pmm spec: containers: - env: - name: STA_PM_CONFIG_FILE value: /etc/sta-pmm/sta-pmm.conf - name: AWS_ACCESS_KEY_ID value: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - name: AWS_SECRET_ACCESS_KEY value: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX image: coralogixrepo/sta-vpc-mirroring-config-manager:latest imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: "/" port: 8080 initialDelaySeconds: 5 timeoutSeconds: 1 name: sta-pmm ports: - containerPort: 8080 name: sta-pmm-prometheus-exporter protocol: TCP volumeMounts: - mountPath: /etc/sta-pmm/sta-pmm.conf name: sta-pmm-config subPath: sta-pmm.conf volumes: - configMap: name: sta-pmm-config name: sta-pmm-config
- Use the following config map and deployment configurations:
Configuration
To configure instances for mirroring, all you have to do is to make sure that the instances you would like their traffic to be mirrored to your STA, will have the tags “sta.coralogixstg.wpengine.com/mirror-filter-id” and “sta.coralogixstg.wpengine.com/mirror-target-id” pointing at the correct IDs of the mirror filter and target respectively. To find out the IDs of the mirror target and mirror filter that were created as part of the installation of the STA, enter the CloudFormation Stacks page in AWS Console and search for “TrafficMirrorTarget” and for “TrafficMirrorFilter” in the Resources tab:
To assign different mirroring policy to different instances, for example to mirror traffic on port 80 from some instances and mirror traffic on port 53 from other instances, simply create a VPC Traffic Mirror Filter manually with the correct filtering rules (just like in a firewall) and assign its ID to the “sta.coralogixstg.wpengine.com/mirror-filter-id” tag of the relevant instances.
Pro Tip: You can use AWS “Resource Groups & Tag Editor” to quickly assign tags to multiple instances based on an arbitrary criteria.
Good luck!
