...
AWS provides a serverless application to automate setting up traffic mirroring based on VPCs, subnets, or tags as input. See figure below for the application architecture. Blue Hexagon has packaged the application in an easy-to-use CloudFormation template, which you can launch by clicking on “Launch Stack” below. Select the VPCs or subnets you would like to monitor, and the serverless application will set up traffic mirroring sessions on existing instances or instances launched in the future in the VPCs or subnets selected. You can also specify instance tags, and the serverless application will set up traffic mirroring sessions on instances (existing or launched in the future) with matching tags.
...
...
| Note |
|---|
Note that Subnets take precedence over VPCs, and Tags take precedence over Subnets and VPCs; meaning if you select instances for mirroring based on subnets, your VPCs setting will be ignored; whereas if you select instances for mirroring based on tags, your subnets and VPCs settings will both be ignored. If you do not wish to specify a source, you must leave the default value in place. |
| Info |
|---|
When you specify tags, each tag must be specified in "Key"="Value" format with the quotes. To specify multiple tags; combine them either via the | operator, e.g. "Key1"="Value1" | "Key2"="Value2" to mean select instances with either of the specified tags, or via the & operator, e.g. "Key1"="Value1" & "Key2"="Value2" to mean select instances having all of the specified tags. You cannot combine the | and & operators at this time. |
To delete all traffic mirroring sessions in your account, use the command below. Remove --dry-run to actually delete the sessions.aws ec2 describe-traffic-mirror-sessions | jq .TrafficMirrorSessions[].TrafficMirrorSessionId | xargs -I {} aws ec2 delete-traffic-mirror-session --traffic-mirror-session-id {} --dry-run
...