Automate VPC Mirroring

Last Updated: May. 29, 2024

After installing the Coralogix Security Traffic Analyzer (STA) and choosing a mirroring strategy that fits your organization’s needs, the next step is to configure the mirroring setup. This configuration filters the traffic mirrored to the STA so that only relevant traffic is analyzed.

This tutorial will guide you through the mirroring configuration process for each cloud provider.


Configuring VPC Traffic Mirroring in AWS requires creating a mirror session for each network interface of every mirrored instance. If an instance terminates and is replaced by a new one, you must recreate the mirroring configuration from scratch.

Each deployed STA instance holds a mirroring filter indicator tag. Not all instances support traffic mirroring. Supported instances include: C4, D2, G3, G3s, H1, I3, M4, P2, P3, R4, X1, X1e, A1, C5, C5d, C5n, I3en, M5, M5a, M5ad, M5d, p3dn.24xlarge, R5, R5a, R5ad, R5d, T3, T3a, and z1d. For further details, refer to AWS’s documentation on support for select non-Nitro instance types and VPC Traffic Mirroring. If your instance type is not supported, consider using a Virtual Tap.

Basic configuration

STEP 1. Locate the mirroring filter tag: Go to the deployed STA and find the tag sta.coralogix.com:mirror-filter-indicator-tagname. Copy its value (template: sta.<BUCKET_NAME>.coralogix.com:mirror-filter-id).

STEP 2. Find the relevant traffic mirror filter: Navigate to VPC -> Mirror filters and locate the filter named STA - Mirror Filter - <MIRROR_TYPE>.

STEP 3. Select the desired mirror filter: Choose the filter according to your strategy (All, Moderate, Essential) and copy the Filter ID value.

STEP 4. Tag the mirrored instance: Add the following tag to the instance:

  • Key: sta.<BUCKET_NAME>.coralogix.com:mirror-filter-id

Now, your instance is configured for mirroring to STA.
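The following added example (not Coralogix code) audits an instance inventory against the steps above: it checks each instance type against the supported list on this page and checks that the mirror-filter-id tag holds a known Filter ID. The bucket name, filter ID, instance IDs and the inventory record layout are constructed assumptions.

```python
# Added example: audit a constructed EC2 inventory against the tagging steps.
# Families this page lists as supporting VPC Traffic Mirroring (lower-cased).
SUPPORTED_FAMILIES = {
    "c4", "d2", "g3", "g3s", "h1", "i3", "m4", "p2", "p3", "r4", "x1", "x1e",
    "a1", "c5", "c5d", "c5n", "i3en", "m5", "m5a", "m5ad", "m5d",
    "r5", "r5a", "r5ad", "r5d", "t3", "t3a", "z1d",
}
SUPPORTED_EXACT = {"p3dn.24xlarge"}  # the page lists this single size only

def tag_key(bucket_name):
    """Tag key template from STEP 1 with <BUCKET_NAME> filled in."""
    return f"sta.{bucket_name}.coralogix.com:mirror-filter-id"

def supports_mirroring(instance_type):
    t = instance_type.lower()
    # Compare the whole family token so "c5a" is not mistaken for "c5".
    return t in SUPPORTED_EXACT or t.split(".", 1)[0] in SUPPORTED_FAMILIES

def audit(instances, bucket_name, filter_ids):
    """Map instance id -> status of its mirror-filter-id tag."""
    key, report = tag_key(bucket_name), {}
    for inst in instances:
        value = inst["tags"].get(key)
        if not supports_mirroring(inst["type"]):
            report[inst["id"]] = "unsupported-type"  # candidate for a Virtual Tap
        elif value is None:
            report[inst["id"]] = "not-tagged"        # nothing is mirrored to the STA
        elif value not in filter_ids:
            report[inst["id"]] = "bad-filter-id"     # e.g. filter name pasted as value
        else:
            report[inst["id"]] = "tagged-ok"
    return report

# Constructed sample data: bucket name, filter ID and instances are made up.
BUCKET = "example-bucket"
FILTER_IDS = {"tmf-0a1b2c3d4e5f67890"}
K = tag_key(BUCKET)
INVENTORY = [
    {"id": "i-web1", "type": "c5.large", "tags": {K: "tmf-0a1b2c3d4e5f67890"}},
    {"id": "i-web2", "type": "c5a.large", "tags": {K: "tmf-0a1b2c3d4e5f67890"}},
    {"id": "i-gpu1", "type": "p3dn.24xlarge", "tags": {}},
    {"id": "i-db1", "type": "m5.xlarge", "tags": {tag_key("other-bucket"): "tmf-0a1b2c3d4e5f67890"}},
    {"id": "i-app1", "type": "t3.micro", "tags": {K: "STA - Mirror Filter - All"}},
]
```

Instances reported as not-tagged or bad-filter-id are visibility gaps: they run normally, but none of their traffic is analyzed.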

Advanced configuration

STEP 1. Create custom filtering rules: Add custom traffic mirror filters as tags.

STEP 2. Edit provided filters: Modify or add rules to the provided traffic mirror filters (TMFs).

STEP 3. Rename tags: Tags can be renamed as preferred. Specify the tag names inside the sta.conf file, which can be configured in the STA and AWS S3 bucket.

Pro Tip: Use AWS “Resource Groups & Tag Editor” to quickly assign tags to multiple instances based on criteria.



To ensure proper functionality, the STA’s sniffing NIC must be on the same network as the mirrored instances’ NIC. Additionally, both the instances and the STA must reside within the same GCP project, region, and zone.

For information on potential costs, refer to the GCP Packet Mirroring documentation and the GCP Network Pricing guide.

Mirroring filters

There are three predefined filter JSON files located in the STA’s configuration storage under the mirroring-filters directory:

  • everything.json: Mirrors all traffic.
  • moderate.json: Mirrors only UDP, TCP, and ICMP traffic in the egress direction.
  • essential.json: Mirrors only ICMP traffic in both directions.

Basic configuration

STEP 1. Extract label key for instance mirroring: Connect to the STA machine and run msta-get-defacto-config | jq .automations. You’ll get VPC mirroring conditions with keys like tag-exists and traffic_filters. Find out more here.

STEP 2. Add label to instances: Select instances to mirror and add:

  • Key: traffic_filters (value found in the previous step)
  • Value: Filename without the suffix (use: “everything”, “moderate”, “essential”).

Now, your instance is configured for mirroring to STA.
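The following added example (not Coralogix code) is a pre-flight check for the GCP steps above: it verifies that a labelled instance shares the STA’s project, zone and network, and that the label value is a filter filename without its suffix. The label key, record layout and all resource names are constructed assumptions; the real key comes from the STA configuration output in STEP 1.

```python
# Added example: pre-flight check on constructed GCP instance records.
PREDEFINED_FILTERS = {"everything", "moderate", "essential"}  # filenames minus .json

def placement_problems(sta, inst):
    """Return the placement attributes on which inst differs from the STA."""
    # Same zone implies same region, so "zone" covers both requirements.
    return [f for f in ("project", "zone", "network") if inst[f] != sta[f]]

def check_instance(sta, inst, label_key, filters=PREDEFINED_FILTERS):
    """Classify one instance: label problems first, then placement."""
    value = inst["labels"].get(label_key)
    if value is None:
        return "unlabelled"
    if value.endswith(".json"):
        return "label-has-suffix"       # the value must be the bare filename
    if value not in filters:
        return "unknown-filter"
    diff = placement_problems(sta, inst)
    return "ok" if not diff else "wrong-" + "+".join(diff)

def check_all(sta, instances, label_key):
    return {i["name"]: check_instance(sta, i, label_key) for i in instances}

# Constructed sample data; LABEL_KEY is a hypothetical placeholder.
LABEL_KEY = "sta-mirror-filter"
STA = {"project": "sec-prod", "zone": "us-central1-a", "network": "vpc-main"}

def _vm(name, labels, **overrides):
    return {"name": name, "labels": labels, **STA, **overrides}

INSTANCES = [
    _vm("app-1", {LABEL_KEY: "moderate"}),
    _vm("app-2", {LABEL_KEY: "everything"}, zone="us-central1-b"),
    _vm("app-3", {LABEL_KEY: "moderate.json"}),
    _vm("app-4", {LABEL_KEY: "all"}),
    _vm("app-5", {}),
    _vm("app-6", {LABEL_KEY: "essential"}, project="dev", network="vpc-dev"),
]
```

To accept custom filter files, pass their names (without the suffix) in the filters argument.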

Advanced configuration

STEP 1. Create custom filtering policies: Maintain the correct JSON structure.

STEP 2. Rename tags: Tags can be renamed as preferred. Specify the tag names inside the sta.conf file, configurable in the STA and AWS S3 bucket.

Best practices

When multiple STA instances operate in parallel, they need to manage communication between mirrored instances. The STAs use balancing algorithms to scan the mirrored instances and distribute the load. With the default mirror target type, by-witness-bucket, the STA cluster effectively balances the load among its members.

Mirroring cost optimization

STA mirrors all cloud traffic relevant to the selected strategy, enhancing observability but potentially increasing costs. To optimize costs without compromising observability, STA offers:

  • Dynamic Mirroring: STA dynamically adjusts mirroring based on session relevance, temporarily stopping unnecessary mirroring.
  • Manual Mirroring: Users manually control mirroring sessions.

Define the mirroring mode in sta.conf by setting mirror_handling_mode to either "DYNAMIC" or "MANUAL":

    "automations": {
        "vpc-mirroring-auto-handler": {
            "mirror_handling_mode": "DYNAMIC"
        }
    }

