Akto - API Security platform
Connect Akto with AWS Traffic Mirroring

Learn how to send API traffic data using AWS traffic mirroring to Akto from your environment.

Last updated 7 months ago

Introduction

Akto needs your staging, production or other environment's traffic to discover APIs and analyze them for API misconfiguration. It does so by connecting to one of your traffic sources. One such source is AWS Traffic Mirroring.

Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface of type interface.

Traffic mirroring is non-intrusive and allows you to send traffic to Akto in a completely out-of-band manner.

Traffic mirroring is our recommended way to receive data as it is completely non-intrusive. Akto's traffic analyzer analyzes this traffic to reconstruct your application's API requests and responses, understand API metadata and find misconfigurations. Akto can work at high traffic scale, though you can always configure the amount of traffic you want to send to the Akto dashboard.

Pre-requisites to add data to Akto AWS using Traffic Mirroring

  1. You should have installed the Akto dashboard in the same VPC as your application server EC2 instances.

  2. You have permissions to create and assign roles to InstanceProfiles.

  3. Your application should be receiving unencrypted traffic. SSL, if any, should be terminated before it reaches your application server EC2 instance. Usually, SSL termination happens at the API Gateway or load balancer.

  4. Not all AWS instances support traffic mirroring. If you have any of these instance types, we suggest you go with a different AWS traffic connector.

Configuring Traffic Mirroring in Akto Dashboard

To start capturing traffic from your staging, production (or any other) environment, you will need to sign in to your dashboard and follow the steps below.

  1. Navigate to the Quick Start page on the dashboard.

  2. Click connect traffic data.

Creating AWS Policy

The steps below create a policy with AWS permissions in your account that allows Akto to capture API traffic from your selected loadbalancers.

  1. Grab the policy JSON from your Akto dashboard in the first step as shown in the screenshot. Click on the link mentioned in Step 1.

  2. This will take you to the policy page of AWS. Navigate to the JSON tab.

  3. Copy the policy from the dashboard and paste it here.

  4. Click on review policy.

  5. Name the policy AktoDashboardPolicy.

  6. Click create policy. Once the policy is created, go back to the dashboard.

You have now given Akto the permissions to read loadbalancer names from your AWS account.
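
Before creating a policy pasted from any dashboard, you can check that it grants only what this step describes, read access. The following is an added example, not Akto's code and not the policy Akto's dashboard shows; the sample policy, the read-only name patterns and the function `audit_policy` are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

# Name patterns treated as read-only for this review. This is a heuristic
# (an assumption of the example); anything else is flagged for a human to read.
READ_ONLY = ("*:describe*", "*:list*", "*:get*")

# Constructed sample, NOT the policy Akto's dashboard shows.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadLoadBalancers", "Effect": "Allow", "Resource": "*",
     "Action": ["elasticloadbalancing:DescribeLoadBalancers",
                "ec2:DescribeInstances"]},
    {"Sid": "TooBroad", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:*", "iam:PassRole"]}
  ]
}"""

def _as_list(value):
    """IAM accepts a single value or a list for Statement and Action."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return (sid, action, reason) for every Allow grant that is not read-only."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt:
            findings.append((sid, "NotAction", "allows everything except the listed actions"))
        for action in _as_list(stmt.get("Action")):
            name = action.lower()  # IAM action names are case-insensitive
            if name == "*" or name.endswith(":*"):
                findings.append((sid, action, "wildcard action"))
            elif not any(fnmatchcase(name, p) for p in READ_ONLY):
                findings.append((sid, action, "not a read-only action"))
    return findings

if __name__ == "__main__":
    for sid, action, reason in audit_policy(SAMPLE_POLICY):
        print(f"{sid}: {action} -> {reason}")
```

A finding means the statement deserves a read before you click create policy, not that the policy is wrong.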

Selecting loadbalancers to mirror traffic to Akto

  1. Refresh the dashboard now.

  2. You will be able to see a list of all the loadbalancers.

  3. Select loadbalancers under the my connections section. Select only those loadbalancers from which you want to mirror the traffic to the Akto dashboard.

  4. Click Apply to start traffic mirroring.

  5. Wait for a couple of minutes. Mirroring is being set up on the loadbalancers you selected above.

  6. Once mirroring is complete, head to the API discovery page and see all the APIs Akto has discovered.
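
The sessions created by these steps deliver copies of traffic to a traffic mirror target backed by an NLB. As an added example (not Akto's code), the check below takes the JSON from three read-only AWS CLI calls and reports, per session, whether the target NLB sits in the VPC you expect; the function name `check_sessions` and every ID, ARN and VPC ID in the sample are constructed for illustration.

```python
# Constructed sample output (all IDs and ARNs are made up) of three read-only calls:
#   aws ec2 describe-traffic-mirror-sessions
#   aws ec2 describe-traffic-mirror-targets
#   aws elbv2 describe-load-balancers
# In real use, json.load the saved output of each call instead.
NLB_IN = "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/net/mirror-nlb/aaaa"
NLB_OUT = "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/net/other-nlb/bbbb"
SESSIONS = {"TrafficMirrorSessions": [
    {"TrafficMirrorSessionId": "tms-1", "NetworkInterfaceId": "eni-app1", "TrafficMirrorTargetId": "tmt-1"},
    {"TrafficMirrorSessionId": "tms-2", "NetworkInterfaceId": "eni-app2", "TrafficMirrorTargetId": "tmt-2"},
    {"TrafficMirrorSessionId": "tms-3", "NetworkInterfaceId": "eni-app3", "TrafficMirrorTargetId": "tmt-3"},
]}
TARGETS = {"TrafficMirrorTargets": [
    {"TrafficMirrorTargetId": "tmt-1", "Type": "network-load-balancer", "NetworkLoadBalancerArn": NLB_IN},
    {"TrafficMirrorTargetId": "tmt-2", "Type": "network-load-balancer", "NetworkLoadBalancerArn": NLB_OUT},
    {"TrafficMirrorTargetId": "tmt-3", "Type": "network-interface", "NetworkInterfaceId": "eni-sink"},
]}
LOAD_BALANCERS = {"LoadBalancers": [
    {"LoadBalancerArn": NLB_IN, "VpcId": "vpc-app"},
    {"LoadBalancerArn": NLB_OUT, "VpcId": "vpc-other"},
]}

def check_sessions(sessions, targets, load_balancers, expected_vpc):
    """Map each mirror session ID to a verdict on where its copies are delivered."""
    lb_vpc = {lb["LoadBalancerArn"]: lb["VpcId"] for lb in load_balancers["LoadBalancers"]}
    by_id = {t["TrafficMirrorTargetId"]: t for t in targets["TrafficMirrorTargets"]}
    verdicts = {}
    for s in sessions["TrafficMirrorSessions"]:
        target = by_id.get(s["TrafficMirrorTargetId"])
        if target is None:
            verdict = "target not visible in this account/region"
        elif target.get("Type") != "network-load-balancer":
            verdict = f"target is a {target.get('Type')}, check by hand"
        else:
            vpc = lb_vpc.get(target.get("NetworkLoadBalancerArn"))
            if vpc is None:
                verdict = "NLB not visible in this account/region"
            else:
                verdict = "ok" if vpc == expected_vpc else f"NLB is in {vpc}"
        verdicts[s["TrafficMirrorSessionId"]] = verdict
    return verdicts

if __name__ == "__main__":
    for session_id, verdict in check_sessions(SESSIONS, TARGETS, LOAD_BALANCERS, "vpc-app").items():
        print(session_id, verdict)
```

The same session listing also shows whether a source interface already has a mirroring session before you click Apply.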

What's next?

You can now go to your API Inventory to see all the API traffic Akto has captured. Head to API Discovery to learn more. Once you start seeing inventory, you can run API Security tests on your APIs. See Akto's test library to select tests you want to run on your APIs.

Frequently Asked Questions (FAQs)

The mirrored traffic will contain a lot of sensitive data - does it leave my VPC?

Mirrored data remains strictly within your VPC. You can verify this by looking at VPC > Traffic mirror Targets. The NLB there and its listeners are all within your VPC. Akto doesn't take data out of your VPC at all.

Does Traffic mirroring have any impact on performance, latency or network bandwidth?

AWS Traffic mirroring is guaranteed to have 0 impact on performance and latency. It will definitely double your instance bandwidth usage. In case of bandwidth congestion, AWS will always prioritize your production traffic. You can read more about it in the AWS documentation.

My traffic volume is of the order of TBs/hour. How much will traffic mirroring cost me?

The cost of AWS Traffic mirroring is independent of the volume of traffic. It is proportional to the number of traffic mirroring sessions and not related to the volume of data. See the AWS pricing details.

Do I have to install an agent or any service on my application server?

No. AWS Traffic mirroring is a completely non-intrusive way to collect and analyze server-side traffic. There is absolutely no need to install anything or change any of your network settings.

I already have traffic mirroring set up on my application servers. Can I still use traffic mirroring?

AWS can't send the same mirrored traffic to 2 different targets. You should delete the existing session or use a different traffic connector.

Troubleshooting Guide

I can't see my Load balancer in the AWS Traffic mirroring section on Akto dashboard

Most likely, it is not in the same VPC as the Akto dashboard. Please ensure your Akto dashboard is set up in the same VPC as your application server.

When I hit apply, it says "Something went wrong". How can I fix it?

Akto runs a CloudFormation template behind the scenes to set up the data processing stack and traffic mirroring sessions with your application servers' EC2 instances. This error means the CloudFormation setup failed.

  1. Go to AWS > CloudFormation > Search for "mirroring".

  2. Click on the Akto-mirroring stack and go to the Events tab.

  3. Scroll down to the oldest error event.

The CloudFormation template failed with "Client.InternalError: Client error on launch.". How should I fix it?

This is a known AWS common error. Follow the steps here.

The CloudFormation template failed with "We currently do not have sufficient capacity in the Availability Zone you requested... Launching EC2 instance failed."

You can reinstall Akto in a different availability zone, or you can go to the Template tab and save the CloudFormation template in a file. Search for "InstanceType" and replace all the occurrences with a type that is available in your availability zone. You can then go to AWS > CloudFormation > Create stack and use this new template to set up Traffic mirroring.

I don't see my error on this list here.

Please send us all details at support@akto.io or reach out via Intercom on your Akto dashboard. We will definitely help you out.

Get Support for your Akto setup

There are multiple ways to request support from Akto. We are available 24x7 on the following:

  1. In-app Intercom support. Message us with your query on Intercom in the Akto dashboard and someone will reply.

  2. Contact help@akto.io for email support.

Join our discord channel for community support.

Akto is Open Source and if you find any issues or you don't see traffic connectors in the list, you can create an issue in our open source repo here.