Traffic mirror source and target connectivity options - Amazon Virtual Private Cloud

Traffic mirror source and target connectivity options

The traffic mirror source and the traffic mirror target (monitoring appliance) can be in the same VPC, or different VPCs, connected using an intra-Region VPC peering connection or with a transit gateway using a Gateway Load Balancer endpoint to connect to a Gateway Load Balancer in a different VPC.

The traffic mirror target can be owned by an AWS account that is different from the traffic mirror source.

The mirrored traffic is sent to the traffic mirror target using the source VPC route table. Before you configure Traffic Mirroring, make sure that the traffic mirror source can route to the traffic mirror target.

The following table describes the available resource configurations.

Source owner Source VPC Target owner Target VPC Connectivity option
Account A VPC 1 Account A VPC1 No additional configuration
Account A VPC 1 Account A VPC 2 Intra-Region peering or a transit gateway or Gateway Load Balancer endpoint
Account A VPC 1 Account B VPC 2 Cross-account intra-Region peering connection, a transit gateway, or a Gateway Load Balancer endpoint
Account A VPC 1 Account B VPC 1 VPC sharing