- Release Notes and Announcements
- Tencent Cloud Network Overview
- Product Introduction
- Purchase Guide
- Quick Start
- Operation Guide
- Network Topology
- Virtual Private Cloud (VPC)
- Subnets
- Route Tables
- IPs and ENIs
- Bandwidth Package
- Network Connection
- Security Management
- Diagnostic Tools
- Alarming and Monitoring
- Sharing VPC Subnet Resource
- Best Practices
- View the Total Bandwidth for Single-Region Traffic-Based Billing
- Migrating from the Classic Network to VPC
- Best Practices of Security Group Change
- Configuring CVM Instance as Public Gateway
- Building HA Primary/Secondary Cluster with HAVIP + Keepalived
- Creating a High-availability Database by Using HAVIP + Windows Server Failover Cluster
- Hybrid Cloud Primary/Secondary Communication (DC and VPN)
- Hybrid Cloud Primary/Secondary Communication (CCN and VPN)
- CVM Access to Internet Through EIP
- Troubleshooting
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- VPC APIs
- DeleteTrafficPackages
- DescribeUsedIpAddress
- DescribeAccountAttributes
- CreateDefaultVpc
- CreateVpc
- ModifyVpcAttribute
- DescribeVpcs
- DescribeVpcPrivateIpAddresses
- DescribeVpcInstances
- DeleteVpc
- AttachClassicLinkVpc
- DescribeClassicLinkInstances
- DetachClassicLinkVpc
- AssignIpv6CidrBlock
- DescribeVpcIpv6Addresses
- UnassignIpv6CidrBlock
- CreateAssistantCidr
- ModifyAssistantCidr
- DescribeAssistantCidr
- CheckAssistantCidr
- DeleteAssistantCidr
- DescribeVpcResourceDashboard
- ModifyLocalGateway
- DescribeLocalGateway
- DeleteLocalGateway
- CreateLocalGateway
- AdjustPublicAddress
- DescribeTrafficPackages
- Subnet APIs
- Route Table APIs
- EIP APIs
- Highly Available Virtual IP APIs
- ENI APIs
- AssignPrivateIpAddresses
- UnassignPrivateIpAddresses
- ModifyNetworkInterfaceAttribute
- DetachNetworkInterface
- DescribeNetworkInterfaces
- CreateNetworkInterface
- AttachNetworkInterface
- MigratePrivateIpAddress
- MigrateNetworkInterface
- DeleteNetworkInterface
- ModifyPrivateIpAddressesAttribute
- UnassignIpv6Addresses
- ModifyIpv6AddressesAttribute
- AssignIpv6Addresses
- DescribeNetworkInterfaceLimit
- DisassociateNetworkInterfaceSecurityGroups
- AssociateNetworkInterfaceSecurityGroups
- CreateAndAttachNetworkInterface
- IP Location APIs
- Bandwidth Package APIs
- NAT Gateway APIs
- DescribeNatGateways
- ResetNatGatewayConnection
- ModifyNatGatewayDestinationIpPortTranslationNatRule
- ModifyNatGatewayAttribute
- DisassociateNatGatewayAddress
- DescribeNatGatewayDestinationIpPortTranslationNatRules
- DeleteNatGatewayDestinationIpPortTranslationNatRule
- DeleteNatGateway
- CreateNatGatewayDestinationIpPortTranslationNatRule
- CreateNatGateway
- AssociateNatGatewayAddress
- ModifyNatGatewaySourceIpTranslationNatRule
- DescribeNatGatewaySourceIpTranslationNatRules
- DeleteNatGatewaySourceIpTranslationNatRule
- CreateNatGatewaySourceIpTranslationNatRule
- RefreshDirectConnectGatewayRouteToNatGateway
- DescribeNatGatewayDirectConnectGatewayRoute
- VPN Gateway APIs
- GenerateVpnConnectionDefaultHealthCheckIp
- ResetVpnGatewayInternetMaxBandwidth
- ResetVpnConnection
- RenewVpnGateway
- ModifyVpnGatewayAttribute
- ModifyVpnConnectionAttribute
- ModifyCustomerGatewayAttribute
- InquiryPriceResetVpnGatewayInternetMaxBandwidth
- InquiryPriceRenewVpnGateway
- InquiryPriceCreateVpnGateway
- DownloadCustomerGatewayConfiguration
- DescribeVpnGateways
- DescribeVpnConnections
- DescribeCustomerGateways
- DescribeCustomerGatewayVendors
- DeleteVpnGateway
- DeleteVpnConnection
- DeleteCustomerGateway
- CreateVpnGateway
- CreateVpnConnection
- CreateCustomerGateway
- ModifyVpnGatewayCcnRoutes
- DescribeVpnGatewayCcnRoutes
- ModifyVpnGatewayRoutes
- DescribeVpnGatewayRoutes
- DeleteVpnGatewayRoutes
- CreateVpnGatewayRoutes
- SetVpnGatewaysRenewFlag
- Direct Connect Gateway APIs
- ReplaceDirectConnectGatewayCcnRoutes
- DescribeDirectConnectGatewayCcnRoutes
- DeleteDirectConnectGatewayCcnRoutes
- CreateDirectConnectGatewayCcnRoutes
- CreateDirectConnectGateway
- ModifyDirectConnectGatewayAttribute
- DescribeDirectConnectGateways
- DeleteDirectConnectGateway
- DisassociateDirectConnectGatewayNatGateway
- AssociateDirectConnectGatewayNatGateway
- InquirePriceCreateDirectConnectGateway
- Cloud Connect Network APIs
- SetCcnRegionBandwidthLimits
- ModifyCcnAttribute
- EnableCcnRoutes
- DisableCcnRoutes
- DetachCcnInstances
- DescribeCcns
- DescribeCcnRoutes
- DescribeCcnRegionBandwidthLimits
- DescribeCcnAttachedInstances
- DeleteCcn
- CreateCcn
- AttachCcnInstances
- ResetAttachCcnInstances
- RejectAttachCcnInstances
- AcceptAttachCcnInstances
- ModifyCcnRegionBandwidthLimitsType
- GetCcnRegionBandwidthLimits
- DescribeCrossBorderCompliance
- AuditCrossBorderCompliance
- ModifyCcnAttachedInstancesAttribute
- Security Group APIs
- ReplaceSecurityGroupPolicies
- DeleteSecurityGroup
- DescribeSecurityGroupPolicies
- ModifySecurityGroupAttribute
- CreateSecurityGroup
- CreateSecurityGroupPolicies
- DescribeSecurityGroups
- DeleteSecurityGroupPolicies
- ModifySecurityGroupPolicies
- ReplaceSecurityGroupPolicy
- DescribeSecurityGroupAssociationStatistics
- DescribeSecurityGroupReferences
- CreateSecurityGroupWithPolicies
- CloneSecurityGroup
- Network ACL APIs
- Network Parameter Template-Related APIs
- CreateAddressTemplate
- CreateAddressTemplateGroup
- CreateServiceTemplate
- CreateServiceTemplateGroup
- DeleteAddressTemplate
- DeleteAddressTemplateGroup
- DeleteServiceTemplate
- DeleteServiceTemplateGroup
- DescribeAddressTemplateGroups
- DescribeAddressTemplates
- DescribeServiceTemplateGroups
- DescribeServiceTemplates
- ModifyAddressTemplateAttribute
- ModifyAddressTemplateGroupAttribute
- ModifyServiceTemplateAttribute
- ModifyServiceTemplateGroupAttribute
- Network Detection-Related APIs
- Flow Log APIs
- Gateway Traffic Monitor APIs
- Private Link APIs
- CreateVpcEndPointService
- DescribeVpcEndPointService
- ModifyVpcEndPointServiceAttribute
- DeleteVpcEndPointService
- CreateVpcEndPointServiceWhiteList
- DescribeVpcEndPointServiceWhiteList
- ModifyVpcEndPointServiceWhiteList
- EnableVpcEndPointConnect
- DeleteVpcEndPointServiceWhiteList
- DescribeVpcEndPoint
- CreateVpcEndPoint
- ModifyVpcEndPointAttribute
- DeleteVpcEndPoint
- DisassociateVpcEndPointSecurityGroups
- Snapshot Policy APIs
- Other APIs
- Data Types
- Error Codes
- FAQs
- Contact Us
- Glossary
- Release Notes and Announcements
- Tencent Cloud Network Overview
- Product Introduction
- Purchase Guide
- Quick Start
- Operation Guide
- Network Topology
- Virtual Private Cloud (VPC)
- Subnets
- Route Tables
- IPs and ENIs
- Bandwidth Package
- Network Connection
- Security Management
- Diagnostic Tools
- Alarming and Monitoring
- Sharing VPC Subnet Resource
- Best Practices
- View the Total Bandwidth for Single-Region Traffic-Based Billing
- Migrating from the Classic Network to VPC
- Best Practices of Security Group Change
- Configuring CVM Instance as Public Gateway
- Building HA Primary/Secondary Cluster with HAVIP + Keepalived
- Creating a High-availability Database by Using HAVIP + Windows Server Failover Cluster
- Hybrid Cloud Primary/Secondary Communication (DC and VPN)
- Hybrid Cloud Primary/Secondary Communication (CCN and VPN)
- CVM Access to Internet Through EIP
- Troubleshooting
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- VPC APIs
- DeleteTrafficPackages
- DescribeUsedIpAddress
- DescribeAccountAttributes
- CreateDefaultVpc
- CreateVpc
- ModifyVpcAttribute
- DescribeVpcs
- DescribeVpcPrivateIpAddresses
- DescribeVpcInstances
- DeleteVpc
- AttachClassicLinkVpc
- DescribeClassicLinkInstances
- DetachClassicLinkVpc
- AssignIpv6CidrBlock
- DescribeVpcIpv6Addresses
- UnassignIpv6CidrBlock
- CreateAssistantCidr
- ModifyAssistantCidr
- DescribeAssistantCidr
- CheckAssistantCidr
- DeleteAssistantCidr
- DescribeVpcResourceDashboard
- ModifyLocalGateway
- DescribeLocalGateway
- DeleteLocalGateway
- CreateLocalGateway
- AdjustPublicAddress
- DescribeTrafficPackages
- Subnet APIs
- Route Table APIs
- EIP APIs
- Highly Available Virtual IP APIs
- ENI APIs
- AssignPrivateIpAddresses
- UnassignPrivateIpAddresses
- ModifyNetworkInterfaceAttribute
- DetachNetworkInterface
- DescribeNetworkInterfaces
- CreateNetworkInterface
- AttachNetworkInterface
- MigratePrivateIpAddress
- MigrateNetworkInterface
- DeleteNetworkInterface
- ModifyPrivateIpAddressesAttribute
- UnassignIpv6Addresses
- ModifyIpv6AddressesAttribute
- AssignIpv6Addresses
- DescribeNetworkInterfaceLimit
- DisassociateNetworkInterfaceSecurityGroups
- AssociateNetworkInterfaceSecurityGroups
- CreateAndAttachNetworkInterface
- IP Location APIs
- Bandwidth Package APIs
- NAT Gateway APIs
- DescribeNatGateways
- ResetNatGatewayConnection
- ModifyNatGatewayDestinationIpPortTranslationNatRule
- ModifyNatGatewayAttribute
- DisassociateNatGatewayAddress
- DescribeNatGatewayDestinationIpPortTranslationNatRules
- DeleteNatGatewayDestinationIpPortTranslationNatRule
- DeleteNatGateway
- CreateNatGatewayDestinationIpPortTranslationNatRule
- CreateNatGateway
- AssociateNatGatewayAddress
- ModifyNatGatewaySourceIpTranslationNatRule
- DescribeNatGatewaySourceIpTranslationNatRules
- DeleteNatGatewaySourceIpTranslationNatRule
- CreateNatGatewaySourceIpTranslationNatRule
- RefreshDirectConnectGatewayRouteToNatGateway
- DescribeNatGatewayDirectConnectGatewayRoute
- VPN Gateway APIs
- GenerateVpnConnectionDefaultHealthCheckIp
- ResetVpnGatewayInternetMaxBandwidth
- ResetVpnConnection
- RenewVpnGateway
- ModifyVpnGatewayAttribute
- ModifyVpnConnectionAttribute
- ModifyCustomerGatewayAttribute
- InquiryPriceResetVpnGatewayInternetMaxBandwidth
- InquiryPriceRenewVpnGateway
- InquiryPriceCreateVpnGateway
- DownloadCustomerGatewayConfiguration
- DescribeVpnGateways
- DescribeVpnConnections
- DescribeCustomerGateways
- DescribeCustomerGatewayVendors
- DeleteVpnGateway
- DeleteVpnConnection
- DeleteCustomerGateway
- CreateVpnGateway
- CreateVpnConnection
- CreateCustomerGateway
- ModifyVpnGatewayCcnRoutes
- DescribeVpnGatewayCcnRoutes
- ModifyVpnGatewayRoutes
- DescribeVpnGatewayRoutes
- DeleteVpnGatewayRoutes
- CreateVpnGatewayRoutes
- SetVpnGatewaysRenewFlag
- Direct Connect Gateway APIs
- ReplaceDirectConnectGatewayCcnRoutes
- DescribeDirectConnectGatewayCcnRoutes
- DeleteDirectConnectGatewayCcnRoutes
- CreateDirectConnectGatewayCcnRoutes
- CreateDirectConnectGateway
- ModifyDirectConnectGatewayAttribute
- DescribeDirectConnectGateways
- DeleteDirectConnectGateway
- DisassociateDirectConnectGatewayNatGateway
- AssociateDirectConnectGatewayNatGateway
- InquirePriceCreateDirectConnectGateway
- Cloud Connect Network APIs
- SetCcnRegionBandwidthLimits
- ModifyCcnAttribute
- EnableCcnRoutes
- DisableCcnRoutes
- DetachCcnInstances
- DescribeCcns
- DescribeCcnRoutes
- DescribeCcnRegionBandwidthLimits
- DescribeCcnAttachedInstances
- DeleteCcn
- CreateCcn
- AttachCcnInstances
- ResetAttachCcnInstances
- RejectAttachCcnInstances
- AcceptAttachCcnInstances
- ModifyCcnRegionBandwidthLimitsType
- GetCcnRegionBandwidthLimits
- DescribeCrossBorderCompliance
- AuditCrossBorderCompliance
- ModifyCcnAttachedInstancesAttribute
- Security Group APIs
- ReplaceSecurityGroupPolicies
- DeleteSecurityGroup
- DescribeSecurityGroupPolicies
- ModifySecurityGroupAttribute
- CreateSecurityGroup
- CreateSecurityGroupPolicies
- DescribeSecurityGroups
- DeleteSecurityGroupPolicies
- ModifySecurityGroupPolicies
- ReplaceSecurityGroupPolicy
- DescribeSecurityGroupAssociationStatistics
- DescribeSecurityGroupReferences
- CreateSecurityGroupWithPolicies
- CloneSecurityGroup
- Network ACL APIs
- Network Parameter Template-Related APIs
- CreateAddressTemplate
- CreateAddressTemplateGroup
- CreateServiceTemplate
- CreateServiceTemplateGroup
- DeleteAddressTemplate
- DeleteAddressTemplateGroup
- DeleteServiceTemplate
- DeleteServiceTemplateGroup
- DescribeAddressTemplateGroups
- DescribeAddressTemplates
- DescribeServiceTemplateGroups
- DescribeServiceTemplates
- ModifyAddressTemplateAttribute
- ModifyAddressTemplateGroupAttribute
- ModifyServiceTemplateAttribute
- ModifyServiceTemplateGroupAttribute
- Network Detection-Related APIs
- Flow Log APIs
- Gateway Traffic Monitor APIs
- Private Link APIs
- CreateVpcEndPointService
- DescribeVpcEndPointService
- ModifyVpcEndPointServiceAttribute
- DeleteVpcEndPointService
- CreateVpcEndPointServiceWhiteList
- DescribeVpcEndPointServiceWhiteList
- ModifyVpcEndPointServiceWhiteList
- EnableVpcEndPointConnect
- DeleteVpcEndPointServiceWhiteList
- DescribeVpcEndPoint
- CreateVpcEndPoint
- ModifyVpcEndPointAttribute
- DeleteVpcEndPoint
- DisassociateVpcEndPointSecurityGroups
- Snapshot Policy APIs
- Other APIs
- Data Types
- Error Codes
- FAQs
- Contact Us
- Glossary
A traffic mirror provides a traffic collection service that enables you to filter the traffic from the specified ENI by using quintuple and other rules. Then you can copy the filtered traffic to CVM instances in the same VPC. This feature is applicable to use cases including security audit, risk monitoring, troubleshooting, and business analysis. This document describes how to create a traffic mirror.
Note:
The traffic mirror feature is currently in beta test. To try it out, submit a ticket for application. Save the link to the Traffic Mirror console for later logins; otherwise, you may need to apply again.
Prerequisites
Make sure that the source IP and target ENI are in the same VPC and that the source IP has a route table pointing to the target ENI.
Directions
Step 1. Create a traffic mirror source
1. Log in to the VPC console.
2. Click Diagnostic Tools > Traffic Mirror on the left sidebar and select the target region.
3. Click +New.
Note:
Up to five traffic mirrors can be created in a VPC.
4. In the pop-up window, configure as follows:
Enter the traffic mirror name (up to 60 characters).
Choose Network.
Select ENI for Collection Scope. That is, all traffic in the VPC will be collected, excluding the traffic of the ENI that is bound to the receiving IPs. If you select this option, you need to select the specific ENI.
Select Collection type: Select the traffic direction as needed. There are three options: All traffic, Traffic out, and Traffic in.
Select Traffic filtering: Select a method to filter out unnecessary traffic and keep the mirror small and lightweight.
N/A: All traffic configured will be collected.
Quintuple: The traffic that meets quintuple conditions will be collected. After selecting this option, specify Protocol, Source IP range, Destination IP range, Source port, and Destination port. You can click Add to create another filter. Only the traffic that meets all of the filters will be collected.
The next hop is the NAT gateway: Collect traffic whose next hop address is the NAT gateway. After selecting this option, select the specific NAT gateway next to Condition.
5. After completing the configuration, click Next.
Step 2. Create a traffic mirror target
1. On the Create Traffic Mirror Target page, configure the following items:
Target type: Select the target ENI to receive the forwarded traffic.
Note:
At least one target ENI needs to be selected.
Traffic to the target ENI from inside the VPC will not be collected.
Balance method:
Evenly distribute traffic: All traffic is distributed among all target ENIs evenly.
HASH by ENI: Traffic from an ENI is always forwarded to a fixed target ENI.
2. Click OK.
Result Validation
Note:
This document takes creating a traffic mirror that collects the outbound traffic of the 10.0.0.14 ENI accessing the www.qq.com website as an example.
1. Return to the Traffic Mirror page. If the created traffic mirror is displayed in the list with Collect Traffic enabled, it has been created successfully.
2. Perform the following steps to verify whether the collected traffic is mirrored to the receiving IP.
2.1 Generate the ENI traffic. For example, you can log in to the source CVM and run the "ping public IP" command.
Source data:
2.2 Log in to the destination CVM and run the following command to capture data and save it as a
.cap or .pcap file. This document uses the .pcap file as an example.tcpdump -i eth0 -w capture-2020-10-27.pcap # Enter the actual filename.
Destination packets:
2.3 Use a terminal simulator (such as SecureCRT) to log in to the destination CVM and export the file saved in Step ii.
sz -bye capture-2020-10-27.pcap
2.4 Use a packet parser (such as Wireshark) to get the data from the downloaded
capture-2020-10-27.pcap file. In this sample, 12 mirrored packets of the source CVM instance are obtained from the destination CVM instance.Packet verification:
3. If an abnormal packet is obtained or packets cannot be obtained, submit a ticket for assistance.
Yes
No
Was this page helpful?