This document lists the steps to setup a VM mirroring monitoring in an AWS environment. This will enabling listening to the traffic on a given VM instance, and report to the Traceable Platform Agent. The steps documented below would install Traceable Platform Agent, and setup Traffic Mirroring for the VM Instance.
This method of instrumentation uses the VPC Traffic Mirroring feature of AWS to mirror the traffic and report to the Traceable Platform Agent. The process would need the following things and should be available beforehand:
- VPC of the Subnet which contains the VM whose traffic is to be mirrored.
- Eg - vpc-04e12852152ba897f
- Subnet ID of the subnet to which the VM is connected to and whose traffic is to be mirrored.
- Eg - subnet-053ab9eaa6f70d42d
- Network Interface ID of the Network Interface attached to the VM to be monitored.
- Eg - eni-03e5121995324a00e
- Traceable Refresh Token
- Copy the Refresh Token from the Traceable Platform and keep it handy through the instrumentation process. Either generate a new token, or use an existing token.
- Create a Secret in the AWS Secret Manager for this token generated in step (a)
The name of the Key should be refresh_token.
Initiate CloudFormation Template
The CloudFormation Template can be initiated at:
This initiates the CloudFormation Template which will create the required resources.
VPC Mirror Targets
Ensure that VPC Mirroring Target is created.
VPC Mirror Filter
Ensure that the VPC Mirror filter is created
Create A New Mirror Session
In the VPC-> Traffic Mirror Sessions console create a new Mirror Session.
Update Traffic Mirror Filter
The Cloudformation Stack creates a Blank Filter that will be used by the Mirror Session to Mirror the traffic on the given Network Interface. Specify the Inbound and Outbound rules in the created Traffic Mirror Filter. This would define which Inbound and Outbound Network calls should be mirrored (and consequently Monitored) by Traceable.
The images below provide a simple sample of rules defining inbound and outbound traffic on a single port. The actual rules will depend on the Application or Service being monitored and should be defined appropriately. The example below will primarily capture the ingress traffic to the application hosted on the VM
Sample Inbound Rule for Ingress Capture:
Sample Outbound Rule for Ingress Capture:
The following is an example of capturing only the Egress traffic from the application hosted on the VM. The images below show sample inbound and outbound rules for the egress configuration:
Sample Inbound Rules for Egress Capture
Sample Outbound Rules for Egress Capture
Traceable Platform Agent
Validate EC2 Instance
One the setup is successful you should see the EC2 instance created for the Traceable Platform Instance:
Validate Agent Logs
You can log into the machine and verify the logs to see that there are no errors seen in the logs.
Before you can log in to the machine, you would need to add inbound rules to the associated Security Group to allow incoming SSH connections. Please refer to the following screenshots for an example of how to add the in-bound rules to allow ssh access to the VM:
Once SSH Access has been has been allowed, run the following to connect to the EC2 instance and check the logs
$ ssh firstname.lastname@example.org
When the instrumentation is successful, you should see the Environment and the Service created, and the API End-points detected.
Issues with Setup
In case any issues are observed with the setup (Data not reporting, errors in the logs etc.) please reach out to Traceable at email@example.com.