Packet Mirroring

Available in VPC

Packet Mirroring allows you to capture packets from a designated server (Network Interface) within a VPC network and transfer them to a server you select. To use the Packet Mirroring feature, you need to create a Mirror Resource and Mirror Filter, then apply them to the Mirror Tunnel.

Note

When configuring a Mirror Tunnel across accounts, network costs will be incurred as it uses the VPC Peering section.

Caution

Configuration is only possible within the same Region.
Mirror Tunnel cannot be created within the same subnet.
Cautions for configuring Mirror Destination's NIC
- Servers in a standard VPC can only be configured with a single NIC (eth0).
- KVM servers in a Transit VPC can be configured with all NICs (eth0, eth1, eth2).
When the Mirror Source and Mirror Destination are configured with Mirror Tunnels across different VPCs or accounts, they are connected through VPC Peering.
- VPC Peering and Route Table configurations must be in place before setting up the Mirror Tunnel.
- See Guide configuring VPC Peering
If configuring an SFC Inline Load Balancer as the Mirror Destination, you need to set up a Transit VPC Connect to establish connectivity with the Transit VPC.
- See Guide to configuring SFC

Packet Mirroring components

The Packet Mirroring service consists of Mirror Resource, Mirror Filter, and Mirror Tunnel.

Mirror Resource

Create and manage the Mirror Source (the target of packet mirroring) and Mirror Destination (the destination of mirrored packets) to which packet mirroring will be applied

Mirror Source
- Network Interface
Mirror Destination
- Network Interface
- Inline Loadbalancer

Mirror Filter

Create and manage Packet Mirroring Filter Policy

Mirror Filter
- Inbound Rules
- Outbound Rules

Mirror Tunnel

Create and manage a Mirror Tunnel by combining the Mirror Source (the target of packet mirroring), Mirror Destination (the destination of mirrored packets), and Mirror Filter (Packet Mirroring Policy) to enable packet mirroring

Mirror Source
Mirror Destination
Mirror Filter

Create Packet Mirroring

The procedure for configuring Packet Mirroring proceeds in the following order: Mirror Resource, Mirror Filter -> Mirror Tunnel. To proceed:

In the VPC environment of the NAVER Cloud Platform console, navigate to > Services > Networking > Packet Mirroring.
Click Mirror Resource.
- Click [Create].
  - Mirror Resource name: Name of Mirror Resource.
  - Mirror Resource purpose: Definition of the Mirror Resource purpose.
    - Mirror Source: Set as the purpose of Mirror Source.
    - Mirror Destination: Configured for use as a Mirror Destination.
  - Mirror Resource type: Definition of the Mirror Resource type purpose.
    - Network interface: Configured as the server NIC type.
    - Load Balancer: Set as the SFC Inline Load Balancer type, only applicable for Mirror Destination.
  - Mirror Resource target: Target for the Mirror Resource configuration.
  Caution
  
  The Mirror Destination target requires an ACG/NACL Inbound Rule (Protocol UDP, Port 4789) Permit for the Mirror Source IP.
  - Note: Enter necessary explanations related to the Mirror Resource you want to create within 1,000 bytes.
- Click [Create].
- Check the created Mirror Resource from the Mirror Resource list.
Click the Mirror Filter menu.
- Click [Create].
  - Filter name: The name of Mirror Filter you want to create.
  - Note: Enter necessary explanations related to the Mirror Filter you want to create within 1,000 bytes.
- Check the created Mirror Filter from the Mirror Filter list.
- Set the rule.
Click the Mirror Tunnel menu.
- Click [Create].
  - Mirror Tunnel name: The name of Mirror Tunnel.
  - Mirror Source VPC: The name of Mirror Tunnel Source's VPC.
  - Mirror Source: The resource name created for the Mirror Source.
  - Accepted Mirror Destination: Differentiates the Mirror Tunnel settings between accounts.
    - My Account: Configured when connecting within your own account.
    - Another Account: Configured when connecting to another account.
  - Mirror Resource type
    - Network interface: VM's Network interface type.
    - LoadBalancer : Inline LoadBalancer
  - Mirror Destination VPC: The name of Mirror Tunnel Destination VPC.
  - Mirror Destination: The resource name of Mirror Destination.
  - Mirror Filter: The name of Mirror Filter.
  - VNI: The virtual interface number set in person by the customer.
  - Packet length: The maximum packet length that can be processed.
  - Note: Enter necessary explanations related to the Mirror Tunnel you want to create within 1,000 bytes.
  Caution
  - The Mirror Destination configured in a Mirror Tunnel between accounts cannot be modified.
  - If the packet length is not entered, the entire packet will be mirrored (KVM: 1450 bytes, XEN: 8,900 bytes)
  - When configuring G2(Xen) G3(KVM) servers in a Mirror Tunnel on a normal VPC, errors may occur during packet processing due to differences in MTU sizes supported by the two server types. Therefore, the packet length should be set based on the MTU size of the server with the smaller MTU.
  - For G3 (KVM) configurations available in a Transit VPC, the MTU supports 64–8,900 bytes, so you can configure it without restrictions.
- Click [Create].
Check the created Mirror Tunnel from the Mirror Tunnel list.

Accept Mirror Tunnel between accounts

When a Mirror Tunnel configuration request is made between accounts, the accepting party's account must accept the response to request for the connection to be established. To accept or reject in Mirror Tunnel:

In the VPC environment of the NAVER Cloud Platform console, navigate to > Services > Networking > Packet Mirroring.
Click the Mirror Tunnel menu.
Click [Pending approval] in Mirror Tunnel and when the [Details] interface appears, click the Accept or Reject enabled in the response to request.
- The status of the acceptance request is as follows:
  - Waiting: Awaiting acceptance.
  - Setting: Configuring.
- When the accepting party selects Accept, the Mirror Tunnel connection between accounts is established.
- When the accepting party selects Reject, the Mirror Tunnel connection between accounts is denied, and the Mirror Tunnel is deleted immediately.

Delete Mirror Tunnel between accounts

You can delete a Packet Mirroring that has been created and is in operation. To delete:

Note

Mirror Tunnel accepted and fully configured by another account: Both the requester and the acceptor can delete it.
Mirror Tunnel requested to another account and awaiting a response: The requester can delete it immediately. (However, the accepting party cannot delete it, and can only accept or reject.)
If the acceptor rejects a Mirror Tunnel that was requested to another account and is awaiting a response: The system deletes the Mirror Tunnel.

Delete Mirror Tunnel

To delete a Mirror Tunnel:

In the VPC environment of the NAVER Cloud Platform console, navigate to > Services > Networking > Packet Mirroring.
Click the Mirror Tunnel menu.
Select the Mirror Tunnel you want to delete and click [Delete].
When the Delete Mirror Tunnel popup appears, click [Delete].
Check the status of Mirror Tunnel you want to delete from the Mirror Tunnel list.
- Shutting down: Mirror Tunnel deletion in progress

Deleting Mirror Resource

To delete a Mirror Resource:

In the VPC environment of the NAVER Cloud Platform console, navigate to > Services > Networking > Packet Mirroring.
Click the Mirror Resource menu.
Select the Mirror Resource you want to delete and click [Delete].
When the Delete Mirror popup. appears, click [Delete].
Check whether it is deleted from the Mirror Resource list.

Deleting Mirror Filter

To delete a Mirror Filter:

In the VPC environment of the NAVER Cloud Platform console, navigate to > Services > Networking > Packet Mirroring.
Click the Mirror Filter menu.
Click to select the Mirror Filter you want to delete and click [Delete].
When the Delete Mirror Filter popup appears, click [Delete].
Check whether it is deleted from the Mirror Filter list.