Traffic mirroring


VPC traffic mirroring copies inbound and outbound ENI traffic that matches filter conditions and forwards it to security analytics devices for real-time inspection — without affecting instance performance.


Common use cases

  • Security: intrusion detection

    Capture all packets of a specific flow for inspection by proprietary or third-party security software to detect vulnerabilities and intrusions in real time.

  • Auditing: financial or government compliance

    Mirror instance traffic to a unified audit platform to meet financial or regulatory compliance requirements.

  • O&M: network troubleshooting

    Analyze TCP retransmissions and other traffic patterns to troubleshoot network issues without logging on to an ECS instance.

How it works

Workflow

A traffic mirror session defines the forwarding path. After it starts, the session performs the following steps:

  1. Copies packets from the traffic mirror source that match filter conditions.

    Only ENIs are supported as traffic mirror sources.

    A traffic mirror filter contains inbound and outbound rules. Each rule matches traffic by 5-tuple (source CIDR block, source port, destination CIDR block, destination port, and protocol), carries an action (accept or drop), and is evaluated in priority order; the first matching rule decides whether the packet is copied.

  2. Encapsulates the copied packets in the standard VXLAN packet format.

    • VXLAN Network Identifier (VNI): Distinguishes mirrored data across sessions. Assigned randomly if unspecified.

    • Outer source IP: The primary private IP of the traffic mirror source ENI.

    • Outer UDP source port: Derived from a hash of the inner packet's 5-tuple, so all packets of one flow carry the same outer source port.

    • Outer destination IP: The primary private IP of the traffic mirror destination.

    • Outer UDP destination port: 4789, the IANA-assigned VXLAN port. It cannot be modified.

  3. Forwards mirrored packets to the destination. If source and destination are in different VPCs, configure a VPC peering connection.

    Supported destinations: ENIs, internal-facing CLBs, and Gateway Load Balancer (GWLB) endpoints.

    The regions that support forwarding traffic to GWLB endpoints are China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Hohhot), China (Shenzhen), Singapore, US (Silicon Valley), and US (Virginia).

    The encapsulated mirror packets leaving the source are not subject to the source's security group or network ACL, so no outbound rule is needed there. At the destination, the security group and network ACL must allow inbound UDP on port 4789. Because the VXLAN stream carries no authentication, allow that port only from the addresses of the source ENIs rather than from 0.0.0.0/0; otherwise anything that can reach the destination on UDP/4789 can feed it packets that look like mirrored traffic.

    When the destination is an internal-facing CLB, configure a UDP listener on port 4789. A GWLB listens on all ports.

Matching rules

Each packet from a given source can be mirrored only once, even if it matches multiple sessions.

Using inbound traffic as an example:

  1. If a source belongs to one session, the inbound rules of that session's filter are evaluated against the packet's 5-tuple in ascending priority order. The first matching rule determines the action: accept mirrors the packet, drop does not. Traffic that matches no rule is not mirrored.

  2. If a source belongs to multiple sessions, the sessions' filters are evaluated in ascending session priority order. A session in which no rule matches is skipped and the next session is checked; a session in which a rule matches decides the outcome for that packet, so a packet is never copied to more than one destination. Traffic that matches no rule in any session is not mirrored.

Packet size at the destination

  • Fragmented service packets

    • If a service packet exceeds the link MTU, it is fragmented before transmission.

      Example: a 2,000-byte packet with a 1,500-byte link MTU is fragmented into 1,500 bytes and 500 bytes.

      The default link MTU in Alibaba Cloud is 1,500 bytes. Some components such as VPN gateways have a lower MTU.
    • If TSO or UFO (TCP or UDP segmentation offload) is enabled on a source ECS instance earlier than the seventh generation, the packet is mirrored before the NIC fragments it, so the destination receives one oversized copy instead of the individual fragments. To receive all fragments, disable TSO/UFO (this may affect performance) or use a seventh-generation instance family or later.

      The generation number appears in the instance family name, such as ecs.g7se.xlarge.

      Mirroring behavior of service packets for different instance types (link MTU 1,500 bytes, service packet 2,000 bytes)

      - Seventh generation or later, or earlier than the seventh generation with TSO and UFO disabled: the service packet is fragmented first and each fragment is mirrored. The destination receives two mirrored packets: fragment 1 of 1,500 bytes and fragment 2 of 500 bytes.

      - Earlier than the seventh generation with TSO or UFO enabled: the complete service packet is mirrored first and fragmented afterwards. The destination receives one 2,000-byte mirrored packet; with the 50-byte encapsulation overhead this exceeds a 1,500-byte forwarding path MTU and is truncated as described under Mirrored packet truncation below.

  • Mirrored packet truncation: If a mirrored packet (the original packet plus the 50 bytes of outer Ethernet, IPv4, UDP, and VXLAN headers) exceeds the MTU of the forwarding path, the system truncates it.

    • In the China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Hohhot), China (Shenzhen), Singapore, US (Silicon Valley), and US (Virginia) regions, mirrored packet size is limited by the destination MTU. Eighth-generation primary instance families support jumbo frames (MTU 8500). Enable them on the destination to prevent truncation.

      Mirrored packet truncation behavior

      When the service packet is 1,500 bytes and the destination MTU is also 1,500, the mirrored packet is truncated. Enabling jumbo frames (MTU 8,500) on the destination allows full forwarding.

      Service packet length   MTU of traffic mirror destination   Size of mirrored packet received by the destination
      500                     1,500                                550 = 500 (service packet) + 50 (VXLAN header); complete
      1,500                   1,500                                1,500 = 1,450 (service packet) + 50 (VXLAN header); last 50 bytes truncated
      1,500                   8,500                                1,550 = 1,500 (service packet) + 50 (VXLAN header); complete

    • In other regions, mirrored packet size is limited by the default link MTU (1,500 bytes).

      Mirrored packet truncation behavior

      Even if the link MTU exceeds 1,500 bytes (for example, 8,500 bytes), the system truncates mirrored packets to the default 1,500-byte MTU.

      Service packet length   Link MTU   Size of mirrored packet received by the destination
      500                     1,500      550 = 500 (service packet) + 50 (VXLAN header); complete
      1,500                   1,500      1,500 = 1,450 (service packet) + 50 (VXLAN header); last 50 bytes truncated
      1,500                   8,500      1,500 = 1,450 (service packet) + 50 (VXLAN header); still truncated to 1,500

  • To capture only packet headers up to a specific length, set the Mirrored Packet Length. The system truncates the service packet beyond this length before forwarding.

    Mirror a packet of a specific length

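The encapsulation in step 2 of the workflow and the truncation cases in the tables above, as an added example that is not Alibaba Cloud's code: a Python decoder for what a destination receives on UDP/4789. It builds a constructed service packet, wraps it the way a session does (50 bytes of outer headers, VNI, outer UDP source port from a hash of the inner 5-tuple; the hash function itself is an assumption, since the page does not specify the platform's), and on decode compares the inner IPv4 Total Length with the bytes that actually arrived. That comparison is how an analytics tool tells that a copy was cut by the path MTU or by Mirrored Packet Length instead of trusting it as complete.

```python
"""Decode the VXLAN-encapsulated packets a traffic mirror destination receives on UDP/4789.

Added example, not Alibaba Cloud code. The service packet below is constructed; the hash
behind the outer UDP source port is an assumption (the platform's hash is not specified).
"""
import socket
import struct
import zlib

VXLAN_PORT = 4789
VXLAN_I_FLAG = 0x08                 # "VNI valid" bit in the VXLAN flags byte (RFC 7348)
OUTER_OVERHEAD = 14 + 20 + 8 + 8    # outer Ethernet + IPv4 + UDP + VXLAN: the 50 bytes the page cites
ETH_IPV4 = b"\x08\x00"
PROTO = {6: "TCP", 17: "UDP"}
MAC_SRC, MAC_DST = bytes.fromhex("00163e000001"), bytes.fromhex("00163e000002")  # constructed


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header (no options) with a valid RFC 791 checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    s = sum(struct.unpack("!10H", hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return hdr[:10] + struct.pack("!H", (~s) & 0xFFFF) + hdr[12:]


def service_frame(src: str, dst: str, proto: int, sport: int, dport: int, payload: bytes) -> bytes:
    """Inner Ethernet + IPv4 + TCP/UDP header + payload: the packet as seen on the source ENI."""
    if proto == 6:   # minimal TCP header: PSH|ACK, no options, checksum left zero for the example
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    else:            # UDP
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return MAC_DST + MAC_SRC + ETH_IPV4 + ipv4_header(src, dst, proto, len(l4) + len(payload)) + l4 + payload


def outer_source_port(inner: bytes) -> int:
    """Outer UDP source port from a hash of the inner 5-tuple, so one flow keeps one outer port."""
    ip = inner[14:]
    ihl = (ip[0] & 0x0F) * 4
    key = ip[12:20] + ip[9:10] + ip[ihl:ihl + 4]      # src, dst, protocol, sport, dport
    return 49152 + zlib.crc32(key) % 16384


def mirror_packet(inner: bytes, source_ip: str, dest_ip: str, vni: int, packet_length=None) -> bytes:
    """What a session emits: optional Mirrored Packet Length truncation, then VXLAN encapsulation."""
    if packet_length is not None:
        inner = inner[:packet_length]
    vxlan = struct.pack("!B3xI", VXLAN_I_FLAG, vni << 8)   # flags, reserved, 24-bit VNI, reserved
    udp_len = 8 + len(vxlan) + len(inner)
    udp = struct.pack("!HHHH", outer_source_port(inner), VXLAN_PORT, udp_len, 0)
    return MAC_DST + MAC_SRC + ETH_IPV4 + ipv4_header(source_ip, dest_ip, 17, udp_len) + udp + vxlan + inner


def decode_mirror_packet(frame: bytes) -> dict:
    """Outer headers -> VNI -> inner 5-tuple. Truncation is detected by comparing the inner
    IPv4 Total Length (what the source ENI saw) with the bytes that actually arrived."""
    if frame[12:14] != ETH_IPV4 or frame[14 + 9] != 17:
        raise ValueError("outer frame is not IPv4/UDP")
    udp = 14 + (frame[14] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if dport != VXLAN_PORT:
        raise ValueError(f"not a mirror packet: UDP dport {dport}")
    vx = udp + 8
    if not frame[vx] & VXLAN_I_FLAG:
        raise ValueError("VXLAN I flag clear: VNI not valid")
    vni = int.from_bytes(frame[vx + 4:vx + 7], "big")
    inner = frame[vx + 8:]
    if len(inner) < 34 or inner[12:14] != ETH_IPV4:
        raise ValueError("inner frame lacks a complete IPv4 header (only IPv4 is mirrored)")
    ip = inner[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    l4 = struct.unpack("!HH", ip[ihl:ihl + 4]) if len(ip) >= ihl + 4 else (None, None)
    return {
        "vni": vni,
        "outer": (socket.inet_ntoa(frame[26:30]), sport, socket.inet_ntoa(frame[30:34]), dport),
        "proto": PROTO.get(ip[9], ip[9]),
        "src": socket.inet_ntoa(ip[12:16]), "sport": l4[0],
        "dst": socket.inet_ntoa(ip[16:20]), "dport": l4[1],
        "inner_ip_len": total_len,          # length the source ENI saw
        "inner_bytes_present": len(ip),     # length that actually arrived
        "truncated": len(ip) < total_len,   # cut by the path MTU or by Mirrored Packet Length
    }


# Constructed sample: a 1,400-byte TLS record 10.0.1.5:43210 -> 10.0.2.9:443, mirrored from the
# source ENI (10.0.1.5) to the destination ENI (10.0.1.200) on VNI 10.
INNER = service_frame("10.0.1.5", "10.0.2.9", 6, 43210, 443, b"\x17\x03\x03" + b"A" * 1397)
SOURCE_ENI_IP, DEST_ENI_IP, VNI = "10.0.1.5", "10.0.1.200", 10

if __name__ == "__main__":
    full = mirror_packet(INNER, SOURCE_ENI_IP, DEST_ENI_IP, VNI)
    print(len(full), decode_mirror_packet(full))                       # 1504 bytes, complete
    print(decode_mirror_packet(full[:1500]))                            # cut to a 1,500-byte path MTU
    print(decode_mirror_packet(mirror_packet(INNER, SOURCE_ENI_IP, DEST_ENI_IP, VNI, packet_length=128)))
```

The 1,454-byte service frame becomes a 1,504-byte mirror packet, the 50-byte difference being exactly the outer overhead; cutting that to a 1,500-byte path MTU or setting a 128-byte Mirrored Packet Length both leave the 5-tuple readable but set `truncated`, which is the flag an IDS should log before it reports "no match" on a payload it never fully received.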

Limits

  • Source and destination: The same ENI cannot serve as both source and destination. Managed ENIs are not supported as sources or destinations.

  • Region and account: Source and destination must be in the same account and region, but can be in different VPCs. Cross-region and cross-account mirroring is not supported.

  • IP version: Only IPv4 is supported.

  • Bandwidth: Mirroring consumes the bandwidth of the source instance. When that bandwidth is fully used, mirrored packets are dropped so that service traffic takes priority. A sensor fed by mirroring can therefore go blind exactly during traffic bursts or a flood; treat gaps in mirrored traffic as possible and do not rely on mirroring alone to prove that nothing happened.

  • Traffic type: Traffic dropped by network ACLs or security groups, flow log traffic, ARP traffic, and DHCP traffic cannot be mirrored. In particular, connection attempts that a security group rejects never reach the sensor; only traffic that was admitted to the ENI is copied.

Create or delete a traffic mirror session

The system evaluates source traffic against the associated filter rules. A rule match is determined by the Priority, Protocol Type, Source CIDR Block, Destination CIDR Block, Source Port, and Destination Port. On a match, the system executes the specified action to determine whether to mirror the traffic. Mirrored data is then forwarded to the destination.

  • Priority determines the priority of a rule. The value ranges from 1 to 16777216. A smaller value indicates a higher priority. The priorities of inbound or outbound rules in the same traffic mirror filter must be unique.

  • For TCP(6) or UDP(17), set the port range (0–65535) in the format start port/end port. Other protocol types do not support port ranges. Default: -1/-1 (no port restriction).

Console

When using traffic mirroring for the first time, activate the service. Log on to the Traffic mirror activation page and follow the instructions.

Create a traffic mirror

  1. Create filter criteria

    If you already have a suitable filter, skip this step and create a session directly.
    1. Go to the VPC console - Filter page. In the top navigation bar, select the target region. Click Create Filter.

    2. Configure inbound and outbound rules to specify which traffic to mirror. A filter with no rules mirrors no traffic.

      You can configure up to 10 inbound and 10 outbound rules during creation. You can add, edit, or delete rules afterward.

      To delete a filter, disassociate it from all sessions first, then click Delete in the Actions column.

  2. Create a traffic mirror session

    1. Go to the VPC console - Traffic Mirror Session page. In the top navigation bar, select the target region. Click Create Traffic Mirror Session.

    2. Configure the traffic mirror session:

      1. VNI: A virtual network ID that distinguishes mirrored data across sessions. Valid values: 0 to 16777215. If unspecified, the system assigns one randomly.

      2. Configure Priority: When a source belongs to multiple sessions, traffic is mirrored based on session Priority. Valid values: 1 to 32766. A smaller value indicates higher priority. Priorities must be unique across sessions in the same region and account.

      3. To capture only packet headers up to a specific length, set the Mirrored Packet Length. The system truncates the service packet beyond this length before forwarding.

    3. Configure the associated filter, source, and destination.

  3. Start the traffic mirror session

    1. After creating the session, enable it. Alternatively, return to the session list and click Start in the Actions column.

    2. If source traffic matches the filter, run tcpdump on the destination instance to see the mirrored packets, replacing <nic> with the NIC that corresponds to the traffic mirror destination ENI:

      tcpdump -i <nic> -nne udp port 4789

      tcpdump decodes VXLAN on UDP port 4789, so each line shows the VNI followed by the inner packet; -e prints the outer MAC addresses and -nn suppresses name and port resolution.

Modify a traffic mirror

On the session details page, you can Change the destination and filter, Add or Delete sources, or modify the VNI, priority, and mirrored packet length.

Stop or delete a traffic mirror session

In the Actions column for the target session, click Stop or Delete.

API

Create a traffic mirror

Before first use, call the OpenTrafficMirrorService operation to activate the service.
  1. Call the CreateTrafficMirrorFilter operation to create a traffic mirror filter.

  2. Call the CreateTrafficMirrorFilterRules operation to create inbound or outbound rules for the traffic mirror filter.

  3. Call the CreateTrafficMirrorSession operation to create a traffic mirror session.

  4. Call the UpdateTrafficMirrorSessionAttribute operation and set the Enabled parameter to true to start the traffic mirror session.

Modify a traffic mirror

  • Call the UpdateTrafficMirrorSessionAttribute operation to change the filter, destination, VNI, priority, or mirrored packet length of a session, and the AddSourcesToTrafficMirrorSession or RemoveSourcesFromTrafficMirrorSession operation to change its sources.

Modify or delete filter criteria

  • Call the UpdateTrafficMirrorFilterAttribute operation to change a filter, the UpdateTrafficMirrorFilterRuleAttribute operation to change a rule, and the DeleteTrafficMirrorFilterRules operation to delete rules. Call the DeleteTrafficMirrorFilter operation to delete a filter that is no longer associated with any session.

Stop or delete a traffic mirror

  • Call the UpdateTrafficMirrorSessionAttribute operation with the Enabled parameter set to false to stop a session, and the DeleteTrafficMirrorSession operation to delete it.

Terraform

This example mirrors only inbound and outbound TCP traffic. Adjust filter rules based on your requirements.

Resources: alicloud_vpc_traffic_mirror_filter, alicloud_vpc_traffic_mirror_session

# Specify the region where you want to create the traffic mirror.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Specify the ID of the traffic mirror source.
variable "traffic_mirror_source_id" {
  default = "eni-hp3e******" # Replace with the actual ID of the ENI.
}

# Specify the ID of the traffic mirror destination.
variable "traffic_mirror_target_id" {
  default = "eni-hp3h******" # Replace with the actual ID of the ENI.
}

# Create a traffic mirror filter with one inbound and one outbound rule that accept all TCP
# traffic entering and leaving the traffic mirror source. The port range "-1/-1" means no port
# restriction; a smaller priority value is evaluated first.
resource "alicloud_vpc_traffic_mirror_filter" "example_vpc_traffic_mirror_filter" {
  traffic_mirror_filter_name = "example_vpc_traffic_mirror_filter_name"
  egress_rules {
    priority               = 1
    protocol               = "TCP"
    action                 = "accept"
    destination_cidr_block = "0.0.0.0/0"
    destination_port_range = "-1/-1"
    source_cidr_block      = "0.0.0.0/0"
    source_port_range      = "-1/-1"
  }
  ingress_rules {
    priority               = 1
    protocol               = "TCP"
    action                 = "accept"
    destination_cidr_block = "0.0.0.0/0"
    destination_port_range = "-1/-1"
    source_cidr_block      = "0.0.0.0/0"
    source_port_range      = "-1/-1"
  }
}

# Create the traffic mirror session.
resource "alicloud_vpc_traffic_mirror_session" "example_vpc_traffic_mirror_session" {
  traffic_mirror_session_name = "example_vpc_traffic_mirror_session"

  # Session priority. If a source is added to multiple sessions, traffic is mirrored according
  # to session priority. Valid values: 1 to 32766; a smaller value is a higher priority, and
  # priorities must be unique across sessions in the same region and account.
  priority = 1

  # VNI that distinguishes this session's mirrored data from that of other sessions.
  # Valid values: 0 to 16777215. If omitted, the system assigns one randomly.
  virtual_network_id = 10

  traffic_mirror_filter_id   = alicloud_vpc_traffic_mirror_filter.example_vpc_traffic_mirror_filter.id
  traffic_mirror_source_ids  = [var.traffic_mirror_source_id]
  traffic_mirror_target_type = "NetworkInterface" # Destination type: an ENI.
  traffic_mirror_target_id   = var.traffic_mirror_target_id

  # Start the session as soon as it is created (the same as calling
  # UpdateTrafficMirrorSessionAttribute with Enabled=true).
  enabled = true

  # Optional: mirror only the first N bytes of each service packet. The part of the packet
  # beyond this length is truncated before it is forwarded to the destination.
  # packet_length = 1500
}

Examples

Mirror inbound TCP traffic to an ENI


Mirror inbound TCP/UDP traffic to different destinations


Mirror traffic from outside a VPC to another VPC

Configure a filter that captures only the traffic an ENI exchanges with addresses outside the VPC.

Use rule priority to exclude intra-VPC traffic: a higher-priority drop rule whose source CIDR block is the VPC CIDR block excludes traffic from inside the VPC, and a lower-priority accept rule for 0.0.0.0/0 mirrors all other inbound traffic. Apply the same pattern to the outbound rules with the VPC CIDR block as the destination.

If source and destination are in different VPCs, connect them with a VPC peering connection and configure routes in both VPCs.

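The matching rules (the first rule match fixes the action, a packet is mirrored at most once, sessions are tried by priority and only a session with no match falls through) and the two scenarios just described, as an added example that is not Alibaba Cloud's code: a Python model of filter and session evaluation that you can run against constructed packets before committing a rule set. Session and ENI IDs, CIDR blocks, and packets are constructed for the example; the reading that a matched drop rule in a higher-priority session ends evaluation without falling through is an assumption taken from "the first match determines the action".

```python
"""Model of traffic mirror filter rules and session priority, as an added example.

Not Alibaba Cloud code. IDs, CIDR blocks and packets below are constructed; the rule that a
matched 'drop' in a higher-priority session ends evaluation is an assumption from the page's
'first match determines the action' wording.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    protocol: str            # "TCP", "UDP", "ICMP", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def port_range(spec: str) -> Tuple[int, int]:
    """Parse the console/API format 'start/end'; '-1/-1' means no port restriction."""
    lo, hi = (int(x) for x in spec.split("/"))
    if (lo, hi) != (-1, -1) and not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range {spec!r}")
    return lo, hi


def _in_range(spec: str, port: Optional[int]) -> bool:
    lo, hi = port_range(spec)
    return (lo, hi) == (-1, -1) or (port is not None and lo <= port <= hi)


@dataclass(frozen=True)
class Rule:
    priority: int                          # 1..16777216, smaller = higher priority
    action: str                            # "accept" mirrors the packet, "drop" does not
    protocol: str = "ALL"                  # "ALL", "TCP", "UDP", "ICMP"
    source_cidr: str = "0.0.0.0/0"
    destination_cidr: str = "0.0.0.0/0"
    source_port_range: str = "-1/-1"       # port ranges only apply to TCP/UDP
    destination_port_range: str = "-1/-1"

    def matches(self, p: Packet) -> bool:
        if self.protocol != "ALL" and self.protocol != p.protocol:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.source_cidr):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.destination_cidr):
            return False
        return _in_range(self.source_port_range, p.sport) and _in_range(self.destination_port_range, p.dport)


@dataclass(frozen=True)
class Filter:
    ingress: Tuple[Rule, ...] = ()
    egress: Tuple[Rule, ...] = ()

    def __post_init__(self):
        # Priorities must be unique among the inbound rules and among the outbound rules of one filter.
        for name, rules in (("ingress", self.ingress), ("egress", self.egress)):
            prios = [r.priority for r in rules]
            if len(prios) != len(set(prios)):
                raise ValueError(f"{name} rule priorities must be unique within a filter")


@dataclass(frozen=True)
class Session:
    priority: int                  # 1..32766, unique per region and account
    filter: Filter
    sources: Tuple[str, ...]       # source ENI IDs
    destination: str               # ENI, internal-facing CLB, or GWLB endpoint ID


def first_match(rules, p: Packet) -> Optional[str]:
    """Rules are tried in ascending priority; the first match fixes the action. None = no match."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(p):
            return rule.action
    return None


def mirror_target(sessions: List[Session], source_eni: str, p: Packet, direction: str) -> Optional[str]:
    """Where a packet seen on source_eni is mirrored to, or None. A packet is mirrored at most once:
    sessions holding the source are tried by session priority; only a session whose rules all miss
    falls through to the next one, and a matched 'drop' ends evaluation with no mirror."""
    prios = [s.priority for s in sessions]
    if len(prios) != len(set(prios)):
        raise ValueError("session priorities must be unique")
    for s in sorted((s for s in sessions if source_eni in s.sources), key=lambda s: s.priority):
        action = first_match(s.filter.ingress if direction == "ingress" else s.filter.egress, p)
        if action == "accept":
            return s.destination
        if action == "drop":
            return None
    return None


# Scenario 1 (constructed): inbound TCP to one IDS ENI and inbound UDP to another, via two sessions
# on the same source. A UDP packet misses every rule of session 1 and falls through to session 2.
TCP_TO_A = Session(1, Filter(ingress=(Rule(1, "accept", "TCP"),)), ("eni-web",), "eni-ids-tcp")
UDP_TO_B = Session(2, Filter(ingress=(Rule(1, "accept", "UDP"),)), ("eni-web",), "eni-ids-udp")


# Scenario 2 (constructed): mirror only traffic exchanged with addresses outside the VPC by
# dropping the VPC CIDR block at priority 1 and accepting everything else at priority 2.
def external_only(vpc_cidr: str) -> Filter:
    return Filter(ingress=(Rule(1, "drop", source_cidr=vpc_cidr), Rule(2, "accept")),
                  egress=(Rule(1, "drop", destination_cidr=vpc_cidr), Rule(2, "accept")))


EXTERNAL = Session(1, external_only("10.0.0.0/16"), ("eni-web",), "eni-ids-ext")

if __name__ == "__main__":
    https = Packet("TCP", "203.0.113.10", "10.0.1.5", 51000, 443)
    dns = Packet("UDP", "10.0.0.2", "10.0.1.5", 53, 40001)
    print(mirror_target([TCP_TO_A, UDP_TO_B], "eni-web", https, "ingress"))   # eni-ids-tcp
    print(mirror_target([TCP_TO_A, UDP_TO_B], "eni-web", dns, "ingress"))     # eni-ids-udp
    print(mirror_target([EXTERNAL], "eni-web", https, "ingress"))             # eni-ids-ext
    print(mirror_target([EXTERNAL], "eni-web", dns, "ingress"))               # None (intra-VPC)
```

Swapping the two priorities in the external-only filter (accept-all at 1, drop-VPC at 2) is the classic mistake: the accept rule then wins for every packet and the drop rule is dead, so intra-VPC traffic is mirrored and billed as well. The model reproduces that, which is the point of checking a rule set this way before applying it.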

More information

Billing

Billable items

Traffic mirror fee = instance fee + data processing fee

  • Instance fee = Number of traffic mirror sources with active sessions (count) × Active duration of sessions (hours) × Unit price of instance fee (CNY/count/hour)

  • Data processing fee = Total mirrored data (GB) × Unit price (CNY/GB)

Billable item          Unit price
Instance fee           CNY 0.1 per source per hour
Data processing fee    CNY 0.05 per GB

Billing rules

  • Data processing fees are waived until March 31, 2027.

  • You are charged hourly per source with an active session. Usage under one hour is rounded up.

  • If multiple sessions share a source, the instance fee is charged once. Billable duration is the cumulative active time across all sessions. Example: 5 hours in session 1 plus 4 hours in session 2 = 9 billable hours.

Billing example

Five ENIs in a VPC have traffic mirror sessions enabled 24 hours a day for 30 days. Total mirrored data: 20 GB.

  • Instance fee = 5 × 30 × 24 × 0.1 = CNY 360

  • Data processing fee = 20 × 0.05 = CNY 1

  • Total traffic mirroring fee = 360 + 1 = CNY 361

Overdue payments and renewals

  • If your account has an overdue payment within the service suspension protection quota, the traffic mirror feature is not affected.

    With service suspension protection, after a pay-as-you-go resource has an overdue payment, you can continue to use the service for a period or within a specific quota. You are charged for usage during the protection period.
  • If your account has an overdue payment that exceeds the service suspension protection quota, traffic mirroring stops and active sessions are automatically stopped.

  • If you top up your account and settle the overdue payment within 15 days after suspension, the service is automatically re-enabled. Suspended sessions are automatically restored.

  • If traffic mirroring remains unpaid for more than 15 days after suspension, sessions are deleted. Deleted instances and their configurations are permanently removed and cannot be recovered.

Supported regions

Supported public cloud regions

  • Asia Pacific - China: China (Hangzhou), China (Shanghai), China (Nanjing - Local Region, Closing Down), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), and China (Fuzhou - Local Region, Closing Down)

  • Asia Pacific - Others: Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Thailand (Bangkok), and Philippines (Manila)

  • Europe & Americas: Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia)

  • Middle East: SAU (Riyadh - Partner Region)

Supported regions for Finance Cloud

  • Asia Pacific: China North 2 Finance (Preview), China East 1 Finance, and China East 2 Finance

Regions supported by Alibaba Gov Cloud

  • Asia Pacific: China North 2 Ali Gov 1

Quotas

Named quotas (adjustable: go to the Quota Management page or Quota Center to request an increase)

  • trafficmirror_quota_source_num_per_session: Traffic mirror sources per session. Default limit: 10.

  • vpc_quota_traffic_mirror_source_num_per_large_ecs_target: Traffic mirror sources supported by a traffic mirror destination when the destination is an ENI attached to an ECS instance of one of the large instance types listed below. Default limit: 200.

  • vpc_quota_traffic_mirror_source_num_per_small_ecs_target: Traffic mirror sources supported by a traffic mirror destination when the destination is an ENI that is not attached to an ECS instance of one of the large instance types listed below. Default limit: 20.

  • vpc_quota_traffic_mirror_rules_num_per_filter: Filter rules per filter. Default limit: 20.

Large ECS instance types referred to by the two destination quotas above: ecs.ebmc7.32xlarge, ecs.ebmg7.32xlarge, ecs.ebmr7.32xlarge, ecs.ebmhfg7.48xlarge, ecs.ebmhfc7.48xlarge, ecs.ebmhfr7.48xlarge, ecs.ebmc7a.64xlarge, ecs.ebmg7a.64xlarge, ecs.ebmg7se.32xlarge, ecs.ebmg6a.64xlarge, ecs.ebmg6e.26xlarge, ecs.ebmc6a.64xlarge, ecs.ebmc6e.26xlarge, ecs.ebmr7a.64xlarge, ecs.ebmr6a.64xlarge, ecs.ebmr6e.26xlarge, ecs.c8i.48xlarge, ecs.g8i.48xlarge, ecs.c7nex.32xlarge, ecs.g7nex.32xlarge, ecs.g7ne.24xlarge, ecs.c7.32xlarge, ecs.g7.32xlarge, ecs.r7.32xlarge, ecs.r6e.26xlarge, ecs.g7t.32xlarge, ecs.g6t.26xlarge, ecs.g6e.26xlarge, ecs.c7t.32xlarge, ecs.c6t.26xlarge, ecs.c6e.26xlarge, ecs.g5ne.18xlarge, and ecs.r7t.32xlarge

Fixed limits (no quota name; not adjustable)

  • Traffic mirror sessions per account in a region: 20,000

  • Traffic mirror sessions per traffic mirror source: 3

  • Traffic mirror sources supported by a traffic mirror destination when the destination is a private (internal-facing) Classic Load Balancer (CLB) instance: 500

  • Traffic mirror sources supported by a traffic mirror destination when the destination is a Gateway Load Balancer endpoint (GWLBe): 500

  • Filters per account in a region: 100

  • Traffic mirror sessions per filter: 2,000