Announcing VTAP for Oracle Cloud Infrastructure

April 28, 2022 | 8 minute read
Misha Kasvin
Principal Solutions Architect, OCI Networking Services

We’re pleased to announce the general availability of virtual test access point (VTAP) for Oracle Cloud Infrastructure (OCI). VTAP functionality is sometimes referred to as traffic mirroring. It copies traffic that traverses a specific point in the network and sends the mirrored traffic to a network packet collector or network analytics tool for further analysis. VTAP supports both IPv4 and IPv6 traffic mirroring.

Common use cases

A VTAP is like a virtual version of port mirroring except, instead of mirroring a port, we mirror traffic at a specific Oracle resource, such as OCI Database service, Exadata virtual machine (VM) cluster, instance virtual network interface cards (VNICs), load balancer as a service (LBaaS), or Autonomous Data Warehouse. You can decide to mirror all traffic at this source or use a capture filter to only mirror traffic you’re interested in. Mirrored traffic is then sent to a VTAP target network load balancer, behind which you can host the monitoring tool of your choice where it can be captured or inspected in real time. You can use it for the following use cases and more:

  • Threat monitoring and forensic analysis: IT organizations and administrators are always interested in gaining comprehensive visibility into their network traffic to identify granular anomalies. Continuously mirror traffic to a network analytics tool to allow for deep inspection and investigation later or use it to detect ongoing anomalous behavior, such as intrusions or security breaches.

  • Compliance: Adhere to compliance requirements which mandate monitoring and logging of specific traffic by mirroring required traffic to a network monitoring appliance.

  • Troubleshooting: Use VTAP to help diagnose networking issues. You can capture traffic and send it to the VTAP target, where it can be analyzed further with a network packet collector like tcpdump or Wireshark. This is helpful for identifying issues that can impact the performance of your applications, or when you need more in-depth visibility than virtual cloud network (VCN) flow logs provide.

Getting started with VTAP

Each VTAP consists of the following components:

  • VTAP source: This resource exists inside a VCN that your VTAP monitors. Traffic at this source is mirrored and then sent to the VTAP target. A VTAP source can be an OCI database, Exadata VM cluster, instance VNIC, LBaaS, or an Autonomous Data Warehouse.

  • VTAP target: The target that receives the mirrored traffic from the selected VTAP source. The VTAP target must be a network load balancer with a user datagram protocol (UDP) listener on port 4789 in the same VCN as the VTAP source. Configure your destination network packet collector or analytics tool as the backend for this target network load balancer.

  • Capture filter: A capture filter is associated with a VTAP and defines what type of traffic to mirror at the VTAP source. Create multiple rules inside a capture filter with include or exclude actions, matching on direction (ingress and egress), source and destination CIDRs, protocol (TCP, UDP, and ICMP), and source and destination port. Rules inside a capture filter are evaluated top to bottom, like an access list, to determine what traffic is mirrored. A VTAP must have a capture filter associated with it, and each capture filter must have at least one rule.

Traffic captured at the VTAP source is encapsulated in VXLAN according to RFC 7348 and then sent to the VTAP target. You can specify different VXLAN network identifiers (VNI) for each VTAP to differentiate between multiple VTAPs at the target. If a specific VNI is not selected, an unused one is automatically assigned to your VTAP.

Before configuring a VTAP, you need a configured VCN with the relevant subnets. Ensure that appropriate security list and network security group rules are in place to allow the traffic that you want to mirror. Your VTAP source must already be provisioned and available inside your VCN, along with the target network load balancer and its UDP listener on port 4789. Configure the network load balancer backend to include a Compute instance running the network packet collector software or network analytics tool of your choice.

Other features

  • Max packet size: Packets are mirrored exactly as they arrive at the VTAP source. However, VTAP also allows you to configure packet truncation for use cases where your network monitoring tool of choice doesn’t support full jumbo frames or if you’re only interested in analyzing each packet’s header and the payload is irrelevant.

  • Priority mode: Mirrored traffic generated at the VTAP source counts against the total available bandwidth of the VNIC. If congestion occurs, OCI prioritizes production traffic, and mirrored traffic is dropped first. You can enable priority mode for VTAP and allow for mirrored traffic to be given the same priority as production traffic. This option is important for use cases such as compliance where capturing all network traffic is critical.
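To make the target side concrete, the following is an added example (not OCI's code and not from the original post) of what a collector behind the target network load balancer has to do with each UDP datagram arriving on port 4789: validate the RFC 7348 VXLAN header, read the VNI to tell multiple VTAPs apart, and parse the inner frame. It also compares the inner IPv4 total length with the bytes actually delivered, which is how a collector can recognise that a VTAP max packet size setting truncated the payload. The sample datagram, VNIs, addresses and VTAP names are constructed for the example; only IPv4 inner frames are decoded.

```python
"""Decapsulate VTAP mirrored traffic (VXLAN, RFC 7348) and detect truncation.

Added example; the sample packet, VNIs and addresses below are constructed.
"""
import ipaddress
import struct

VXLAN_UDP_PORT = 4789         # listener port the VTAP target must expose
VXLAN_FLAG_VNI_VALID = 0x08   # "I" bit in the RFC 7348 flags byte


def parse_vxlan(datagram: bytes) -> tuple:
    """Return (vni, inner_ethernet_frame) for one VXLAN UDP payload.

    Header layout (8 bytes): flags, 3 reserved, 3-byte VNI, 1 reserved.
    """
    if len(datagram) < 8:
        raise ValueError("datagram shorter than the 8-byte VXLAN header")
    if not datagram[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    vni = int.from_bytes(datagram[4:7], "big")
    return vni, datagram[8:]


def parse_inner(frame: bytes) -> dict:
    """Parse Ethernet + IPv4 (+ L4 ports) and flag payload truncation."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:        # only IPv4 is decoded in this example
        return {"ethertype": ethertype}
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("frame cut before the IPv4 header ends")
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "ethertype": ethertype,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto,
        "ip_total_len": total_len,
        "captured_len": len(ip),
        # A VTAP max packet size smaller than the frame leaves the IP header
        # claiming more bytes than the mirrored copy actually carries.
        "truncated": len(ip) < total_len,
    }
    if proto in (6, 17) and len(ip) >= ihl + 4:    # TCP or UDP
        info["sport"], info["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return info


def build_sample(vni: int, claimed_payload_len: int, payload: bytes) -> bytes:
    """Constructed VXLAN datagram wrapping an IPv4/TCP segment to port 80.

    claimed_payload_len goes into the IP total length; payload is what is
    actually present, so the two can differ to simulate truncation.
    """
    vxlan = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 44321, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + claimed_payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address("203.0.113.5").packed,
                     ipaddress.IPv4Address("10.0.1.10").packed)
    return vxlan + eth + ip + tcp + payload


def demux_by_vni(datagrams: list, vni_names: dict) -> dict:
    """Group decoded frames by VTAP name, using the VNI each VTAP was given."""
    out = {}
    for dg in datagrams:
        vni, frame = parse_vxlan(dg)
        name = vni_names.get(vni, f"unknown-vni-{vni}")
        out.setdefault(name, []).append(parse_inner(frame))
    return out


if __name__ == "__main__":
    full = build_sample(1001, 100, b"G" * 100)      # complete copy
    cut = build_sample(1002, 1400, b"G" * 100)      # truncated by max packet size
    names = {1001: "vtap-lb-http", 1002: "vtap-db"}  # constructed VNI-to-VTAP map
    for name, frames in demux_by_vni([full, cut], names).items():
        for f in frames:
            state = "truncated" if f["truncated"] else "complete"
            print(name, f["src"], f["dst"], f.get("dport"), state)
```

A real collector would read the datagrams from a UDP socket bound to port 4789 on the backend instance; the VNI-to-name map is the place to record which VNI you assigned to each VTAP so that mirrored streams from different sources stay separable at the target.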

Sample use case and setup

Now that we’ve covered the basics, let’s discuss a sample use case where you can use a VTAP and how to configure it. In this case, I have a public flexible load balancer with a web server backend serving a publicly accessible website. I want to enable a VTAP on this LBaaS to capture all HTTP traffic, which is then mirrored and sent to my network monitoring tool behind a network load balancer for further analysis and to identify any potential anomalies and malicious behavior.

A graphic depicting the architecture for VTAP in OCI.

To begin configuring a VTAP, open the Oracle Cloud Console and browse to the VCN where your VTAP source is located. On the left side of the page, under Resources, click VTAP. This selection takes you to the VTAP overview page, where you can configure a VTAP, capture filter, and view all pertinent status information for already configured VTAPs.

A screenshot of the VTAP tab in the Compartment page of the Console.

Click the Create VTAP button to begin the process of configuring a VTAP. You also configure and associate a capture filter for your VTAP.

A screenshot of the Create VTAP page.

After giving your VTAP a name, define the VTAP source, where traffic is mirrored from. First select the source type (for this example, a load balancer), the subnet where the LBaaS has been provisioned, and the specific LBaaS. You also need to select the compartment if your subnet or load balancer is in a different one.

A screenshot of the VTAP Source section with fields filled in.

Next, the VTAP target needs to be selected. The VTAP target must be a network load balancer. Like the VTAP source configuration, select the subnet where your network load balancer is located, and then select the specific network load balancer where you want to send your mirrored traffic. You also need to select the compartment if your subnet or network load balancer is in a different one.

A screenshot of the VTAP Target section with fields filled in.

After the VTAP source and target have been selected, configure the associated capture filter.

A screenshot of the Capture Filter section with the menu expanded.

Click Create new capture filter from the menu, which opens another configuration pane where you can configure your capture filter rules.

Capture filter rules are analyzed top to bottom until a match is found. For this VTAP, I want to capture all HTTP traffic in both directions so that both traffic for the client request and web server response is mirrored. So, I create two include rules, one for each direction. Only traffic matching the created rules is mirrored.
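The top-to-bottom, first-match behaviour described here and in the capture filter component above is easy to get wrong when include and exclude rules are mixed, so the following is an added example (constructed for this post, not OCI's code) that models a capture filter in Python and evaluates the two HTTP include rules from this walkthrough against sample packets. Port matching as an inclusive range, the rule and packet field names, the addresses, and the extra exclude rule for a health-check range are all assumptions of the example.

```python
"""First-match model of VTAP capture-filter rules.

Added example; the rule semantics follow the post (rules are evaluated top to
bottom, include/exclude, no match means not mirrored). The sample rules,
addresses and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                                    # "include" or "exclude"
    direction: str                                 # "ingress" or "egress"
    protocol: Optional[str] = None                 # "tcp", "udp", "icmp"; None = any
    source_cidr: Optional[str] = None              # None = any address
    destination_cidr: Optional[str] = None
    source_ports: Optional[Tuple[int, int]] = None          # inclusive range (assumed)
    destination_ports: Optional[Tuple[int, int]] = None


@dataclass
class Packet:
    direction: str
    protocol: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def _in_cidr(addr: str, cidr: Optional[str]) -> bool:
    # ipaddress handles IPv4 and IPv6, matching VTAP's dual-stack mirroring
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def _in_range(port: Optional[int], rng: Optional[Tuple[int, int]]) -> bool:
    return rng is None or (port is not None and rng[0] <= port <= rng[1])


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and (rule.protocol is None or rule.protocol == pkt.protocol)
            and _in_cidr(pkt.src, rule.source_cidr)
            and _in_cidr(pkt.dst, rule.destination_cidr)
            and _in_range(pkt.sport, rule.source_ports)
            and _in_range(pkt.dport, rule.destination_ports))


def should_mirror(rules: List[Rule], pkt: Packet) -> bool:
    """Walk the rules top to bottom; the first matching rule decides."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action == "include"
    return False   # no rule matched: the packet is not mirrored


# The two include rules from the walkthrough: HTTP in both directions. At a
# load balancer source the client request arrives as ingress to port 80 and
# the server response leaves as egress from port 80.
HTTP_BOTH_WAYS = [
    Rule("include", "ingress", "tcp", destination_ports=(80, 80)),
    Rule("include", "egress", "tcp", source_ports=(80, 80)),
]

# Constructed variant: an exclude rule placed first keeps a range of
# health-check probes out of the mirror; placed after the includes it would
# never be reached for port-80 traffic.
HTTP_MINUS_PROBES = [Rule("exclude", "ingress", source_cidr="198.51.100.0/24")] + HTTP_BOTH_WAYS


def demo() -> dict:
    request = Packet("ingress", "tcp", "203.0.113.5", "10.0.1.10", 44321, 80)
    response = Packet("egress", "tcp", "10.0.1.10", "203.0.113.5", 80, 44321)
    https = Packet("ingress", "tcp", "203.0.113.5", "10.0.1.10", 50000, 443)
    probe = Packet("ingress", "tcp", "198.51.100.7", "10.0.1.10", 6000, 80)
    return {
        "request": should_mirror(HTTP_BOTH_WAYS, request),
        "response": should_mirror(HTTP_BOTH_WAYS, response),
        "https": should_mirror(HTTP_BOTH_WAYS, https),
        "probe_with_exclude_first": should_mirror(HTTP_MINUS_PROBES, probe),
        "probe_without_exclude": should_mirror(HTTP_BOTH_WAYS, probe),
    }


if __name__ == "__main__":
    for name, mirrored in demo().items():
        print(f"{name}: {'mirrored' if mirrored else 'not mirrored'}")
```

Running the model before committing a filter in the Console is a cheap way to confirm that an exclude rule sits above the include it is meant to carve out of, and that nothing you rely on for compliance capture falls through to the implicit "not mirrored" default.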

A screenshot of the capture filter rules page.

After all your capture filter rules have been configured, click the Create capture filter button to save your capture filter. After being saved, the capture filter is automatically selected in the menu for your VTAP configuration.

A screenshot of the Capture Filter section with the new filter selected.

Now that a VTAP source, target, and capture filter have been selected, click the Create VTAP button to create your VTAP.

Whenever a new VTAP is created, the default status is Stopped, meaning it doesn’t begin mirroring traffic until the VTAP is manually started. Click the Start button at the top of the VTAP details page for the specific VTAP to begin mirroring traffic.

A screenshot of the VTAP Details page with the status Off.

Now that the VTAP has been configured and started, I can go to my network monitoring tool of choice, which has already been configured as a backend for my network load balancer and confirm that I’m receiving the mirrored traffic.

Conclusion

Thank you for your interest in Oracle Cloud Infrastructure and the new VTAP feature. We’re pleased to bring you this new dynamic and flexible solution for your monitoring needs.

VTAP supports multiple source types, allowing you to capture the traffic that you're interested in and to deploy your monitoring tool of choice on any Compute instance shape that fits your needs. When you specify a resource as the source, you can rest assured that if the underlying infrastructure supporting that resource changes, such as adding more VMs to your Exadata cluster, the VTAP dynamically updates and continues capturing the relevant traffic.

We encourage you to learn more about VTAP in the available VTAP documentation and look forward to any product feedback you have.
