Request Demo

How to automate VPC Mirroring for Coralogix STA

After installing the Coralogix Security Traffic Analyzer (STA) and choosing a mirroring strategy suitable for your organization needs (if not, you can start by reading this) the next step would be to set the mirroring configuration in AWS. However, the configuration of VPC Traffic Mirroring in AWS is tedious and cumbersome – it requires you to create a mirror session per network interface of every mirrored instance, and just to add an insult to injury, if that instance terminates for some reason and a new one replaces it you’ll have to re-create the mirroring configuration from scratch. If you, like many others, use auto-scaling groups to automatically scale your services up and down based on the actual need, the situation becomes completely unmanageable.

Luckily for you, we at Coralogix have already prepared a solution for that problem. In the next few lines I’ll present a tool we’ve written to address that specific issue as well as few use-cases for it.

The tool we’ve developed can run as a pod in Kubernetes or inside a Docker container. It is written in Go to be as efficient as possible and will require only minimal set of resources to run properly. While it is running it will read its configuration from a simple JSON file and will select AWS EC2 instances by tags and then will select network interfaces on those instances and will create VPC Traffic Mirroring sessions for each network interface selected to the configured VPC Mirroring Target using the configured VPC Mirroring Filter.

The configuration used in this document will instruct the sta-vpc-mirroring-manager to look for AWS instances that have the tags “sta.coralogix.com/mirror-filter-id” and “sta.coralogix.com/mirror-target-id” (regardless of the value of those tags), collect the IDs of their first network interfaces (that are connected as eth0) and attempt to create a mirror session for each network interface collected to the mirror target specified by the tag “sta.coralogix.com/mirror-target-id” using the filter ID specified by the tag “sta.coralogix.com/mirror-filter-id” on the instance that network interface is connected to.

To function properly, the instance hosting this pod should have an IAM role attached to it (or the AWS credentials provided to this pod/container should contain a default profile) with the following permissions:

  1. ec2:Describe* on *
  2. elasticloadbalancing:Describe* on *
  3. autoscaling:Describe* on *
  4. ec2:ModifyTrafficMirrorSession on *
  5. ec2:DeleteTrafficMirrorSession on *
  6. ec2:CreateTrafficMirrorSession on *

Installation

This tool can be installed either as a kubernetes pod or a docker container. Here are the detailed instructions for installing it:

Installation as a docker container:

  1. To download the docker image use the following command:
    docker pull coralogixrepo/sta-vpc-mirroring-config-manager:latest
  2. On the docker host, create a config file for the tool with the following content (if you would like the tool to report to the log what is about to be done without actually modifying anything set “dry_run” to true):
    {
      "service_config": {
        "rules_evaluation_interval": 10000,
        "metrics_exporter_port": ":8080",
        "dry_run": false
      },
      "rules": [
        {
          "conditions": [
            {
              "type": "tag-exists",
              "tag_name": "sta.coralogix.com/mirror-target-id"
            },
            {
              "type": "tag-exists",
              "tag_name": "sta.coralogix.com/mirror-filter-id"
            }
          ],
          "source_nics_matching": [
            {
              "type": "by-nic-index",
              "nic_index": 0
            }
          ],
          "traffic_filters": [
            {
              "type": "by-instance-tag-value",
              "tag_name": "sta.coralogix.com/mirror-filter-id"
            }
          ],
          "mirror_target": {
            "type": "by-instance-tag-value",
            "tag_name": "sta.coralogix.com/mirror-target-id"
          }
        }
      ]
    }
    
  3. Use the following command to start the container:
    docker run -d \
       -p <prometheus_exporter_port>:8080 \
       -v <local_path_to_config_file>:/etc/sta-pmm/sta-pmm.conf \
       -v <local_path_to_aws_profile>/.aws:/root/.aws \
       -e "STA_PM_CONFIG_FILE=/etc/sta-pmm/sta-pmm.conf" \
       coralogixrepo/sta-vpc-mirroring-config-manager:latest

Installation as a Kubernetes deployment:

    1. Use the following config map and deployment configurations:
      apiVersion: v1
      kind: ConfigMap
      data:
        sta-pmm.conf: |
          {
            "service_config": {
              "rules_evaluation_interval": 10000,
              "metrics_exporter_port": 8080,
              "dry_run": true
            },
            "rules": [
              {
                "conditions": [
                  {
                    "type": "tag-exists",
                    "tag_name": "sta.coralogix.com/mirror-target-id"
                  },
                  {
                    "type": "tag-exists",
                    "tag_name": "sta.coralogix.com/mirror-filter-id"
                  }
                ],
                "source_nics_matching": [
                  {
                    "type": "by-nic-index",
                    "nic_index": 0
                  }
                ],
                "traffic_filters": [
                  {
                    "type": "by-instance-tag-value",
                    "tag_name": "sta.coralogix.com/mirror-filter-id"
                  }
                ],
                "mirror_target": {
                  "type": "by-instance-tag-value",
                  "tag_name": "sta.coralogix.com/mirror-target-id"
                }
              }
            ]
          }
      
      metadata:
        labels:
          app.kubernetes.io/component: sta-pmm
          app.kubernetes.io/name: sta-pmm
          app.kubernetes.io/part-of: coralogix
          app.kubernetes.io/version: '1.0.0-2'
        name: sta-pmm
        namespace: coralogix
      
      ----------
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        labels:
          app.kubernetes.io/component: sta-pmm
          app.kubernetes.io/name: sta-pmm
          app.kubernetes.io/part-of: coralogix
          app.kubernetes.io/version: '1.0.0-2'
        name: sta-pmm
        namespace: coralogix
      spec:
        selector:
          matchLabels:
            app.kubernetes.io/component: sta-pmm
            app.kubernetes.io/name: sta-pmm
            app.kubernetes.io/part-of: coralogix
        template:
          metadata:
            labels:
              app.kubernetes.io/component: sta-pmm
              app.kubernetes.io/name: sta-pmm
              app.kubernetes.io/part-of: coralogix
              app.kubernetes.io/version: '1.0.0-2'
            name: sta-pmm
          spec:
            containers:
              - env:
                  - name: STA_PM_CONFIG_FILE
                    value: /etc/sta-pmm/sta-pmm.conf
                  - name: AWS_ACCESS_KEY_ID
                    value: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
                  - name: AWS_SECRET_ACCESS_KEY
                    value: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
                image: coralogixrepo/sta-vpc-mirroring-config-manager:latest
                imagePullPolicy: IfNotPresent
                livenessProbe:
                  httpGet:
                    path: "/"
                    port: 8080
                  initialDelaySeconds: 5
                  timeoutSeconds: 1
                name: sta-pmm
                ports:
                  - containerPort: 8080
                    name: sta-pmm-prometheus-exporter
                    protocol: TCP
                volumeMounts:
                  - mountPath: /etc/sta-pmm/sta-pmm.conf
                    name: sta-pmm-config
                    subPath: sta-pmm.conf
            volumes:
              - configMap:
                  name: sta-pmm-config
                name: sta-pmm-config
      

Configuration

To configure instances for mirroring, all you have to do is to make sure that the instances you would like their traffic to be mirrored to your STA, will have the tags “sta.coralogix.com/mirror-filter-id” and “sta.coralogix.com/mirror-target-id” pointing at the correct IDs of the mirror filter and target respectively. To find out the IDs of the mirror target and mirror filter that were created as part of the installation of the STA, enter the CloudFormation Stacks page in AWS Console and search for “TrafficMirrorTarget” and for “TrafficMirrorFilter” in the Resources tab:

To assign different mirroring policy to different instances, for example to mirror traffic on port 80 from some instances and mirror traffic on port 53 from other instances, simply create a VPC Traffic Mirror Filter manually with the correct filtering rules (just like in a firewall) and assign its ID to the “sta.coralogix.com/mirror-filter-id” tag of the relevant instances.

Pro Tip: You can use AWS “Resource Groups & Tag Editor” to quickly assign tags to multiple instances based on an arbitrary criteria.

 

Good luck!

Start solving your production issues faster

Let's talk about how Coralogix can help you

Managed, scaled, and compliant monitoring, built for CI/CD

Get a demo

No credit card required

Get a personalized demo

Jump on a call with one of our experts and get a live personalized demonstration