Our next-gen architecture is built to help you make sense of your ever-growing data Watch a 4-min demo video!

Back to All Docs

Automate VPC Mirroring Automate VPC Mirroring

Last Updated: Apr. 27, 2022

After installing the Coralogix Security Traffic Analyzer (STA) and choosing a mirroring strategy suitable for your organization’s needs, the next step would be to set the mirroring configuration in AWS. However, the configuration of VPC Traffic Mirroring in AWS is tedious and cumbersome – it requires you to create a mirror session per network interface of every mirrored instance, and just to add an insult to injury, if that instance terminates for some reason and a new one replaces it you’ll have to re-create the mirroring configuration from scratch.

If you, like many others, use auto-scaling groups to automatically scale your services up and down based on the actual need, the situation becomes completely unmanageable. Luckily, we at Coralogix have already prepared a solution for that problem. In the next few lines, we’ll present a tool we’ve written to address that specific issue as well as a few use cases for it.

The tool we’ve developed can run as a pod in Kubernetes or inside a Docker container. It is written in Go to be as efficient as possible and will require only a minimal set of resources to run properly. While it is running it will read its configuration from a simple JSON file and will select AWS EC2 instances by tags and then will select network interfaces on those instances and will create VPC Traffic Mirroring sessions for each network interface selected to the configured VPC Mirroring Target using the configured VPC Mirroring Filter.

The configuration used in this document will instruct the sta-vpc-mirroring-manager to look for AWS instances that have the tags “sta.coralogix.com/mirror-filter-id” and “sta.coralogix.com/mirror-target-id” (regardless of the value of those tags), collect the IDs of their first network interfaces (that are connected as eth0) and attempt to create a mirror session for each network interface collected to the mirror target specified by the tag “sta.coralogix.com/mirror-target-id” using the filter ID specified by the tag “sta.coralogix.com/mirror-filter-id” on the instance that network interface is connected to.

To function properly, the instance hosting this pod should have an IAM role attached to it (or the AWS credentials provided to this pod/container should contain a default profile) with the following permissions:

  1. ec2:Describe* on *
  2. elasticloadbalancing:Describe* on *
  3. autoscaling:Describe* on *
  4. ec2:ModifyTrafficMirrorSession on *
  5. ec2:DeleteTrafficMirrorSession on *
  6. ec2:CreateTrafficMirrorSession on *

Installation

This tool can be installed either as a Kubernetes pod or a Docker container. Here are the detailed instructions for installing it:

Installation as a docker container

To download the docker image use the following command:

docker pull coralogixrepo/sta-vpc-mirroring-config-manager:latest

On the docker host, create a config file for the tool with the following content (if you would like the tool to report to the log what is about to be done without actually modifying anything set “dry_run” to true):

{
      "service_config": {
         "rules_evaluation_interval": 10000,
         "metrics_exporter_port": ":8080",
         "dry_run": false
   },
   "rules": [
      {
         "conditions": [
            {
               "type": "tag-exists",
               "tag_name": "sta.coralogix.com/mirror-target-id"
            },
            {
               "type": "tag-exists",
               "tag_name": "sta.coralogix.com/mirror-filter-id"
            }
         ],
         "source_nics_matching": [
            {
               "type": "by-nic-index",
               "nic_index": 0
            }
         ],
         "traffic_filters": [
            {
               "type": "by-instance-tag-value",
               "value": "sta.coralogix.com/mirror-filter-id"
            }
         ],
         "mirror_target": 
            {
               "type": "by-instance-tag-value",
               "value": "sta.coralogix.com/mirror-target-id"
            }
         }
    ]
}

Use the following command to start the container:

docker run -d \
-p <prometheus_exporter_port>:8080 \
-v <local_path_to_config_file>:/etc/sta-pmm/sta-pmm.conf \
-v <local_path_to_aws_profile>/.aws:/root/.aws \
-e "STA_PM_CONFIG_FILE=/etc/sta-pmm/sta-pmm.conf" \
coralogixrepo/sta-vpc-mirroring-config-manager:latest

Installation as a Kubernetes deployment – via kubectl

Use the following config map and deployment configurations:

apiVersion: v1
kind: ConfigMap
data:
   sta-pmm.conf: |
      {
         "service_config": {
            "rules_evaluation_interval": 10000,
            "metrics_exporter_port": 8080,
            "dry_run": true
      },
         "rules": [
            {
               "conditions": [
                  {
                     "type": "tag-exists",
                     "tag_name": "sta.coralogix.com/mirror-target-id"
                  },
                  {
                     "type": "tag-exists",
                     "tag_name": "sta.coralogix.com/mirror-filter-id"
                  }
               ],
               "source_nics_matching": [
                  {
                     "type": "by-nic-index",
                     "nic_index": 0
                  }
               ],
               "traffic_filters": [
                  {
                     "type": "by-instance-tag-value",
                     "value": "sta.coralogix.com/mirror-filter-id"
                  }
               ],
               "mirror_target": {
                  "type": "by-instance-tag-value",
                  "value": "sta.coralogix.com/mirror-target-id"
               }
            }
      ]
}
metadata:
   labels:
      app.kubernetes.io/component: sta-pmm
      app.kubernetes.io/name: sta-pmm
      app.kubernetes.io/part-of: coralogix
      app.kubernetes.io/version: '1.0.0-2'
   name: sta-pmm
   namespace: coralogix
----------
apiVersion: apps/v1
kind: Deployment
metadata:
   labels:
      app.kubernetes.io/component: sta-pmm
      app.kubernetes.io/name: sta-pmm
      app.kubernetes.io/part-of: coralogix
      app.kubernetes.io/version: '1.0.0-2'
   name: sta-pmm
   namespace: coralogix
spec:
   selector:
   matchLabels:
      app.kubernetes.io/component: sta-pmm
      app.kubernetes.io/name: sta-pmm
      app.kubernetes.io/part-of: coralogix
   template:
      metadata:
         labels:
            app.kubernetes.io/component: sta-pmm
            app.kubernetes.io/name: sta-pmm
            app.kubernetes.io/part-of: coralogix
            app.kubernetes.io/version: '1.0.0-2'
         name: sta-pmm
      spec:
         containers:
            - env:
               - name: STA_PM_CONFIG_FILE
                 value: /etc/sta-pmm/sta-pmm.conf
               - name: AWS_ACCESS_KEY_ID
                 value: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
               - name: AWS_SECRET_ACCESS_KEY
                 value: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
               image: coralogixrepo/sta-vpc-mirroring-config-manager:latest
               imagePullPolicy: IfNotPresent
               livenessProbe:
                  httpGet:
                     path: "/"
                     port: 8080
                  initialDelaySeconds: 5
                  timeoutSeconds: 1
               name: sta-pmm
               ports:
                  - containerPort: 8080
                    name: sta-pmm-prometheus-exporter
                    protocol: TCP
               volumeMounts:
                  - mountPath: /etc/sta-pmm/sta-pmm.conf
                    name: sta-pmm-config
                    subPath: sta-pmm.conf
               volumes:
                  - configMap:
                    name: sta-pmm-config
                    name: sta-pmm-config

Installation as a Kubernetes deployment – via helm

To install this tool via helm simply add the Coralogix helm repository by running the following command:

helm repo add coralogix https://cgx.jfrog.io/artifactory/helm/

Then, install the helm chart by running the following command:

helm upgrade --install coralogix/sta-vpc-mirroring-config-manager

Configuration

To configure instances for mirroring, all you have to do is to make sure that the instances you would like their traffic to be mirrored to your STA, will have the tags “sta.coralogix.com/mirror-filter-id” and “sta.coralogix.com/mirror-target-id” pointing at the correct IDs of the mirror filter and target respectively. To find out the IDs of the mirror target and mirror filter that were created as part of the installation of the STA, enter the CloudFormation Stacks page in AWS Console and search for “TrafficMirrorTarget” and for “TrafficMirrorFilter” in the Resources tab:

To assign different mirroring policies to different instances, for example, to mirror traffic on port 80 from some instances and mirror traffic on port 53 from other instances, simply create a VPC Traffic Mirror Filter manually with the correct filtering rules (just like in a firewall) and assign its ID to the “sta.coralogix.com/mirror-filter-id” tag of the relevant instances.

Pro Tip: You can use AWS “Resource Groups & Tag Editor” to quickly assign tags to multiple instances based on arbitrary criteria.

Good luck!

On this page