Metlo supports AWS Traffic Mirroring to capture API traffic without modifying your application code. This is ideal for production environments where you cannot deploy agents.

Overview

AWS Traffic Mirroring allows you to copy network traffic from:
  • EC2 Instances - Individual virtual machines
  • ECS Services - Containerized applications
  • Network Interfaces - Elastic Network Interfaces (ENIs)
  • Load Balancers - Application and Network Load Balancers
Traffic is mirrored to a Metlo collector instance running in your VPC.

Prerequisites

  • AWS account with appropriate permissions
  • VPC with source resources to mirror
  • Metlo collector deployed (or will be deployed by the CLI)
  • AWS CLI configured with credentials
  • Metlo CLI installed

Installation

Install the Metlo CLI:
npm install -g @metlo/cli
Or use with npx:
npx @metlo/cli

Setup Traffic Mirroring

1. Run Metlo CLI setup

Execute the AWS traffic mirroring setup command:
metlo traffic-mirror aws setup
The CLI will guide you through an interactive setup process.

2. Select AWS region

Choose the AWS region where your resources are located:
? Select your AWS region:
❯ us-east-1
  us-east-2
  us-west-1
  us-west-2
  eu-west-1
  ...

3. Choose source type

Select the type of source to mirror:
? Select mirror source type:
❯ EC2 Instance
  Network Interface
  ECS Service
  Load Balancer

4. Select specific source

Choose the specific instance, interface, or service to mirror. For EC2 instances:
? Select the id of your EC2 Instance:
❯ web-server-1: i-0123456789abcdef0
  api-server-1: i-0123456789abcdef1
  ...

5. Configure mirror target

The CLI will create or select a mirror target (the Metlo collector instance). If no collector exists, it will create:
  • Network Load Balancer for the mirror target
  • Target group
  • Mirror session

6. Verify setup

Once complete, verify the mirror session:
metlo traffic-mirror aws list

Source Types

EC2 Instance

Mirror traffic from a specific EC2 instance:
  • Captures all traffic from all network interfaces attached to the instance
  • Useful for monitoring individual application servers
  • Supports instances with multiple ENIs

Network Interface

Mirror traffic from a specific ENI:
  • Fine-grained control over which traffic is captured
  • Useful for complex networking setups
  • Can mirror interfaces from instances, load balancers, or other resources

ECS Service

Mirror traffic from ECS tasks:
  • Automatically discovers ENIs from ECS tasks
  • Monitors containerized applications
  • Supports both EC2 and Fargate launch types

Load Balancer

Mirror traffic from Application or Network Load Balancers:
  • Captures all traffic passing through the load balancer
  • Ideal for monitoring API gateways
  • Mirrors from load balancer ENIs

Mirror Session Configuration

The Metlo CLI automatically creates:

Mirror Filter

  • Protocol: All traffic or specific protocols (TCP, UDP)
  • Direction: Ingress, egress, or both
  • Port ranges: Optional filtering by port

Mirror Target

  • Network Load Balancer receiving mirrored traffic
  • Forwards traffic to Metlo collector instances
  • Configured with appropriate target groups

Mirror Session

  • Links source (your resources) to target (Metlo collector)
  • Configurable session number (1-32766)
  • VNI (Virtual Network Identifier) for packet encapsulation

Traffic Filtering

By default, Metlo mirrors all traffic. You can filter to reduce volume:
// Filter configuration (in CLI source code)
{
  sourcePortRange: { from: 443, to: 443 },  // HTTPS only
  protocol: Protocols.TCP,
  direction: "ingress"  // Inbound traffic only
}
Filtering options are configured through the CLI’s interactive prompts or by modifying the setup parameters.
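The snippet above shows the CLI's internal filter shape; the EC2 API itself takes a rule per direction with its own parameter names. The following is an added example (not Metlo's code) that translates a config in that shape into the keyword arguments boto3's create_traffic_mirror_filter_rule accepts. It assumes the protocol is given as the string "TCP" or "UDP" rather than the CLI's Protocols enum, and it treats the configured port as the service port: for ingress (client to server) that is the destination port, for egress (server to client) it is the source port, so a "both" filter yields two rules and the collector sees requests and responses.

```python
"""Build EC2 Traffic Mirror filter rules from a CLI-style filter config (added example)."""
from typing import Any, Dict, List

# IANA protocol numbers, which is what the EC2 API expects in the Protocol field.
# Assumption: the config names the protocol as a string instead of the CLI's Protocols enum.
PROTOCOL_NUMBERS = {"TCP": 6, "UDP": 17}


def build_filter_rules(filter_cfg: Dict[str, Any], filter_id: str, rule_number: int = 100) -> List[Dict[str, Any]]:
    """Return one create_traffic_mirror_filter_rule parameter dict per traffic direction.

    filter_cfg keys follow the page's snippet: sourcePortRange {from, to}, protocol, direction.
    direction may be "ingress", "egress" or "both" (both = one rule for each direction).
    """
    direction = filter_cfg.get("direction", "both")
    directions = ["ingress", "egress"] if direction == "both" else [direction]
    for d in directions:
        if d not in ("ingress", "egress"):
            raise ValueError(f"unknown direction {direction!r}")

    port_range = filter_cfg.get("sourcePortRange")  # the CLI's key; treated here as the service port
    protocol = filter_cfg.get("protocol")

    rules = []
    for d in directions:
        rule: Dict[str, Any] = {
            "TrafficMirrorFilterId": filter_id,
            "TrafficDirection": d,
            "RuleNumber": rule_number,
            "RuleAction": "accept",
            # Both CIDR blocks are required by the API; 0.0.0.0/0 keeps the rule to port/protocol only.
            "SourceCidrBlock": "0.0.0.0/0",
            "DestinationCidrBlock": "0.0.0.0/0",
        }
        if protocol:
            rule["Protocol"] = PROTOCOL_NUMBERS[protocol.upper()]
        if port_range:
            ports = {"FromPort": int(port_range["from"]), "ToPort": int(port_range["to"])}
            # Inbound requests carry the service port as destination; replies carry it as source.
            rule["DestinationPortRange" if d == "ingress" else "SourcePortRange"] = ports
        rules.append(rule)
    return rules


if __name__ == "__main__":
    # Constructed config: HTTPS only, both directions. "tmf-EXAMPLE" is a placeholder filter id.
    cfg = {"sourcePortRange": {"from": 443, "to": 443}, "protocol": "TCP", "direction": "both"}
    for r in build_filter_rules(cfg, "tmf-EXAMPLE"):
        print(r)
    # Each dict can be passed as boto3.client("ec2").create_traffic_mirror_filter_rule(**r)
```

The page's snippet uses sourcePortRange with direction "ingress"; as written against the EC2 API that combination matches inbound packets whose source port is 443, which is not where a server's inbound client requests appear. The function above puts the port on the destination side for ingress for that reason.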

List Mirror Sessions

View all active mirror sessions:
metlo traffic-mirror aws list
Output shows:
  • Session ID
  • Source type and ID
  • Target information
  • Mirror status

Remove Mirror Session

Delete a specific mirror session:
metlo traffic-mirror aws remove
The CLI will prompt you to select which session to remove.
Removing a mirror session stops traffic collection immediately. Ensure you have alternative monitoring in place if needed.

Architecture

┌─────────────────┐
│  EC2 Instance   │
│  (Source)       │
└────────┬────────┘
         │ Mirrored Traffic
         │ (VXLAN encapsulated)
         ▼
┌─────────────────┐
│ Network Load    │
│ Balancer        │
│ (Mirror Target) │
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│ Metlo Collector │
│ Instance        │
└─────────────────┘
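What the collector actually receives on UDP 4789 is the original frame wrapped in an 8-byte VXLAN header whose VNI is the session's Virtual Network Identifier from the Mirror Session section above. The following added example (not part of Metlo's collector) decapsulates such a payload, checks the VNI against the expected session, and summarises the inner IPv4/TCP packet; it builds its own constructed sample packet so it runs offline. It handles IPv4 over Ethernet only and does not verify checksums.

```python
"""Decapsulate a VXLAN-encapsulated mirrored packet (added example, not Metlo code)."""
import struct
from dataclasses import dataclass
from typing import Optional

VXLAN_UDP_PORT = 4789          # the port security groups must admit (see Troubleshooting)
VXLAN_FLAG_VNI_VALID = 0x08    # "I" flag: the VNI field is valid


@dataclass
class MirroredPacket:
    vni: int
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: Optional[int]
    dst_port: Optional[int]


def session_vni(payload: bytes) -> int:
    """Read the 24-bit VNI from a VXLAN header (bytes 4..6), raising on a malformed header."""
    if len(payload) < 8:
        raise ValueError("payload shorter than the 8-byte VXLAN header")
    if not payload[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    return int.from_bytes(payload[4:7], "big")


def is_for_session(payload: bytes, expected_vni: int) -> bool:
    """Cheap pre-filter: does this datagram belong to the mirror session with expected_vni?"""
    try:
        return session_vni(payload) == expected_vni
    except ValueError:
        return False


def decapsulate(payload: bytes, expected_vni: int) -> MirroredPacket:
    """Strip the VXLAN header and summarise the inner Ethernet/IPv4 packet."""
    vni = session_vni(payload)
    if vni != expected_vni:
        raise ValueError(f"VNI {vni} does not match mirror session VNI {expected_vni}")
    frame = payload[8:]
    if len(frame) < 14:
        raise ValueError("truncated inner Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]   # after dst MAC (6) + src MAC (6)
    if ethertype != 0x0800:
        raise ValueError(f"EtherType 0x{ethertype:04x} not handled; this example parses IPv4 only")
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (ip[0] & 0x0F) * 4                            # header length in bytes
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 header length")
    protocol = ip[9]
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    src_port = dst_port = None
    if protocol in (6, 17) and len(ip) >= ihl + 4:      # TCP/UDP: ports are the first 4 bytes
        src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return MirroredPacket(vni, src_ip, dst_ip, protocol, src_port, dst_port)


def build_sample(vni: int) -> bytes:
    """Constructed sample: VXLAN + Ethernet + IPv4 + TCP SYN from 10.0.1.20:51234 to 10.0.2.5:443."""
    vxlan = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    eth = bytes.fromhex("0a1b2c3d4e5f") + bytes.fromhex("0a1b2c3d4e60") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 0, 0, 0x50, 0x02, 65535, 0, 0)  # checksum left 0
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                       bytes([10, 0, 1, 20]), bytes([10, 0, 2, 5]))
    return vxlan + eth + ipv4 + tcp


if __name__ == "__main__":
    print(decapsulate(build_sample(1234), 1234))
```

A real collector socket would bind UDP 4789 and call is_for_session on each datagram before doing the fuller parse, which also drops stray traffic from any other session whose VNI does not match.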

Supported Instance Types

Not all EC2 instance types support traffic mirroring. Supported types include:
  • C5, C5n, C6i, C6in
  • M5, M5n, M6i, M6in
  • R5, R5n, R6i, R6in
  • T3 (with some limitations)
  • And more…
See AWS documentation for the complete list.

Pricing Considerations

AWS Traffic Mirroring incurs additional costs:
  • Mirror session fees: ~$0.015 per hour per ENI
  • Data transfer: Standard AWS data transfer rates
  • Collector instance: EC2 instance costs for running Metlo collector
  • Network Load Balancer: NLB hourly and data processing charges
Estimate costs before deployment, especially for high-traffic environments.

Troubleshooting

Check:
  • Mirror session status is “active”
  • Metlo collector instance is running
  • Security groups allow VXLAN traffic (UDP port 4789)
  • Source instance type supports traffic mirroring
  • Network ACLs don’t block mirrored traffic
Verify:
  • AWS credentials are configured correctly
  • You have permissions to describe EC2 instances
  • You’re in the correct AWS region
  • Resources exist in the selected VPC
Ensure:
  • You have permissions to create NLB and target groups
  • VPC has available IP addresses
  • Subnet configuration is correct
  • Service quotas allow additional resources
To reduce costs:
  • Use traffic filtering to capture only API traffic
  • Mirror only production-critical resources
  • Monitor data transfer volumes
  • Consider using on-demand instead of continuous mirroring
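The security group item above is the one most often missed: mirrored traffic arrives at the target as UDP datagrams on port 4789, so the group attached to the mirror target (and the collector behind it) needs an inbound UDP/4789 rule whose source covers the subnet holding the mirrored ENIs. The following added example (not Metlo's code) checks groups in the shape returned by the EC2 describe_security_groups API against a source CIDR, using constructed sample groups so it runs offline; only IPv4 IpRanges are evaluated.

```python
"""Check security groups for an inbound VXLAN (UDP/4789) rule (added example, not Metlo code)."""
import ipaddress
from typing import Any, Dict, List

VXLAN_UDP_PORT = 4789


def _covers(rule_cidr: str, source_cidr: str) -> bool:
    """True when every address in source_cidr falls inside rule_cidr."""
    rule_net = ipaddress.ip_network(rule_cidr, strict=False)
    src_net = ipaddress.ip_network(source_cidr, strict=False)
    return src_net.version == rule_net.version and src_net.subnet_of(rule_net)


def allows_vxlan_from(security_group: Dict[str, Any], source_cidr: str) -> bool:
    """Does this group (describe_security_groups item) admit UDP/4789 from source_cidr?"""
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("udp", "-1"):          # "-1" means all protocols and has no port fields
            continue
        if proto == "udp":
            if perm.get("FromPort", 0) > VXLAN_UDP_PORT or perm.get("ToPort", 65535) < VXLAN_UDP_PORT:
                continue
        for ip_range in perm.get("IpRanges", []):
            if _covers(ip_range["CidrIp"], source_cidr):
                return True
    return False


def vxlan_findings(security_groups: List[Dict[str, Any]], source_cidr: str) -> List[str]:
    """GroupIds that would drop mirrored traffic from source_cidr."""
    return [sg["GroupId"] for sg in security_groups if not allows_vxlan_from(sg, source_cidr)]


# Constructed sample groups (placeholder ids, not real resources).
SAMPLE_GROUPS = [
    {"GroupId": "sg-collector-ok", "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 4789, "ToPort": 4789, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-collector-https-only", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-collector-wrong-cidr", "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 4789, "ToPort": 4789, "IpRanges": [{"CidrIp": "10.1.0.0/16"}]}]},
    {"GroupId": "sg-allow-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]

if __name__ == "__main__":
    # Mirrored ENIs live in 10.0.1.0/24 in this constructed scenario.
    print("groups blocking VXLAN:", vxlan_findings(SAMPLE_GROUPS, "10.0.1.0/24"))
```

Live data comes from boto3.client("ec2").describe_security_groups(GroupIds=[...])["SecurityGroups"]; the same check applies to the network ACLs on the target subnet, which the page also lists.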

Security Considerations

  • Encrypted traffic: Mirrored TLS/SSL traffic is still encrypted; Metlo analyzes metadata
  • Sensitive data: Ensure Metlo collector has appropriate security controls
  • Network isolation: Deploy collector in a secure subnet with restricted access
  • IAM permissions: Use least-privilege IAM policies for CLI operations

Required IAM Permissions

The AWS account used by the CLI needs:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeTrafficMirrorSessions",
        "ec2:DescribeTrafficMirrorTargets",
        "ec2:DescribeTrafficMirrorFilters",
        "ec2:CreateTrafficMirrorSession",
        "ec2:CreateTrafficMirrorTarget",
        "ec2:CreateTrafficMirrorFilter",
        "ec2:DeleteTrafficMirrorSession",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "ecs:DescribeClusters",
        "ecs:DescribeServices",
        "ecs:ListTasks",
        "ecs:DescribeTasks"
      ],
      "Resource": "*"
    }
  ]
}
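To keep the CLI's identity at the least privilege the Security Considerations call for, it helps to check a candidate policy both ways: does it grant every action above, and does it grant more than that through wildcards. The following added example (not Metlo's code) does that with IAM's action-matching semantics (case-insensitive, with * and ? wildcards); the policy above is embedded as PAGE_POLICY and a constructed broader policy as BROAD_POLICY for comparison.

```python
"""Check an IAM policy against the CLI's required actions (added example, not Metlo code)."""
import fnmatch
from typing import Any, Dict, List

# The action list from the page's policy.
REQUIRED_ACTIONS = [
    "ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeTrafficMirrorSessions", "ec2:DescribeTrafficMirrorTargets",
    "ec2:DescribeTrafficMirrorFilters", "ec2:CreateTrafficMirrorSession",
    "ec2:CreateTrafficMirrorTarget", "ec2:CreateTrafficMirrorFilter",
    "ec2:DeleteTrafficMirrorSession",
    "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetGroups",
    "ecs:DescribeClusters", "ecs:DescribeServices", "ecs:ListTasks", "ecs:DescribeTasks",
]

PAGE_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": list(REQUIRED_ACTIONS), "Resource": "*"}],
}

# Constructed: grants all describes via a wildcard but none of the create/delete actions.
BROAD_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*", "elasticloadbalancing:Describe*",
                                                 "ecs:*"], "Resource": "*"}],
}


def allow_patterns(policy: Dict[str, Any]) -> List[str]:
    """Collect Action entries from every Allow statement (Action may be a string or a list)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    patterns: List[str] = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def _matches(action: str, pattern: str) -> bool:
    # IAM action names are case-insensitive and contain no bracket characters,
    # so fnmatch's * and ? behave like IAM's wildcards here.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy: Dict[str, Any], required: List[str] = REQUIRED_ACTIONS) -> List[str]:
    """Required actions that no Allow pattern in the policy covers."""
    patterns = allow_patterns(policy)
    return [a for a in required if not any(_matches(a, p) for p in patterns)]


def wildcard_grants(policy: Dict[str, Any]) -> List[str]:
    """Allow patterns that use wildcards; each grants more than the CLI needs."""
    return [p for p in allow_patterns(policy) if "*" in p or "?" in p]


if __name__ == "__main__":
    for name, pol in (("page policy", PAGE_POLICY), ("broad policy", BROAD_POLICY)):
        print(name, "missing:", missing_actions(pol), "wildcards:", wildcard_grants(pol))
```

The check covers actions only; Deny statements, conditions and resource ARNs are not evaluated, so it is a quick lint before the policy is attached, not a replacement for the IAM policy simulator.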

Next Steps

GCP Mirroring

Set up traffic mirroring on Google Cloud Platform

View API Inventory

Explore APIs discovered through traffic mirroring
