Decrypted Visibility With Amazon VPC Traffic Mirroring

August 06, 2019


Erik Freeland


Amazon Web Services joined a growing number of native cloud tap providers today with its announcement of Amazon VPC traffic mirroring. Nubeva is a participating company at the launch of Amazon VPC traffic mirroring. Together, we are collaborating on creating and unlocking traffic visibility in the AWS Cloud.


The new Amazon VPC traffic mirroring feature provides agentless, infrastructure-level access to packet traffic, copied directly from the Elastic Network Interface (ENI) of AWS workloads to in-cloud tools for network and security monitoring, troubleshooting and pcap storage.


Nubeva delivers complete TLS decryption and visibility for Amazon VPC traffic mirroring. This includes key extraction, storage and decryption for any TLS server or client, including the new TLS 1.3 standard. Modern AWS workloads are decentralized and operate as both clients and servers for many kinds of TLS communication. Nubeva’s key identification, extraction, storage and retrieval uses advanced, AI-based rules both for real-time, multi-destination, decentralized decryption of mirrored traffic and for instant decryption and replay of mirrored, encrypted pcaps. The data can then be stored for future investigation, compliance or inspection.


Cloud Encryption On The Rise

Inter- and intra-cloud encryption of traffic is on the rise. More than 72% of all network traffic is currently encrypted[1]. In fact, end-to-end transport-level encryption is the number one recommendation for keeping public cloud environments secure. This is especially true as containers and microservice-based architectures accelerate the decentralization of cloud workloads. Enterprises need to monitor their applications across Amazon VPCs for security, compliance, application performance and diagnostics reasons. Traditional man-in-the-middle decryption and brokering techniques offered by some legacy firewalls and inline security devices either don’t work in the cloud or require restrictive architectural designs that erode much of the value of the cloud’s elasticity.


Moreover, newer encryption standards with Perfect Forward Secrecy (PFS), such as TLS 1.3, as well as new ciphers like CHACHA, are rendering traditional man-in-the-middle decryption methods ineffective. With TLS 1.3, RSA key exchange is removed, which renders passive decryption devices unusable. Under TLS 1.3, all post-handshake packets are also encrypted, so legacy techniques such as identifying self-signed certificates on the wire no longer work. Yet security teams must still monitor cloud content.


The operational benefits of moving more workloads to AWS are massive. Neither packet access to cloud workloads nor packet encryption should be a barrier to cloud adoption. Securing the cloud and full, decrypted visibility should never conflict with one another.

Now, with the Nubeva TLS Decryption Solution and Amazon VPC traffic mirroring, enterprises can have both.

How AWS Mirrors and Nubeva TLS Decryption Work

Nubeva TLS Decrypt and Amazon VPC Traffic Mirroring

Amazon VPC traffic mirroring lets customers copy network traffic from the ENI of their Amazon EC2 instances in their Amazon VPCs and send it to their security and monitoring appliances. These tools, whether homegrown or third-party, can be deployed as individual instances or as a fleet of instances behind a Network Load Balancer (NLB).

Watch our short video demonstration: Nubeva TLS Decrypt with Amazon VPC Traffic Mirroring


Without packet traffic visibility, enterprises rely on log-centric tools for security and compliance purposes. However, log-centric tools make it difficult to detect and investigate complex threats in a timely manner because they do not have full visibility into the traffic. Amazon VPC traffic mirroring allows customers to extract traffic of interest from any workload in a VPC and send it to the tools and destinations of their choosing, to detect and respond faster to attacks that traditional log-centric tools often miss.


While Amazon VPC traffic mirroring copies network traffic from the workload and sends it to the tool destination, the Nubeva TLS Decrypt solution is hard at work. The Nubeva TLS Decrypt solution requires a container-based NuAgent on the source workload and a Nubeva Receiver agent on the destination tool. Any SSL / TLS decryption requires an agent on the workload, because RSA key sharing and certificate inspection are not available in TLS 1.3. The Nubeva NuAgent uses advanced, AI-based rules for passive detection of TLS sessions and for key extraction. It can identify and extract TLS keys from client or server containers and VMs, all without requiring configuration settings or workload restarts.


Because the NuAgents are cloud native and container-based, they can scale alongside the source workload without impacting workload performance. Once the key is identified, it is securely sent to a key database in the client’s VPC.


The Nubeva Decrypt KeyDB is cloud-based and runs in the user’s Amazon VPC. Nubeva provides convenient CloudFormation Templates (CFTs) that stand up Amazon DynamoDB with push-button ease. The power of the Nubeva Decrypt cloud-based KeyDB is that it keeps all client keys available to all their tools, so decryption can be performed when and where needed: in real time, or in historical replays of encrypted pcaps held in storage such as an Amazon S3 bucket, Moloch or other tools.


The Nubeva Receiver agent is also a container-based agent with a very small footprint that sits on the client’s destination tool system. The Nubeva Receiver agent matches incoming encrypted packet traffic with keys from the KeyDB. This ensures that no packets are dropped and that timestamps and packet headers are properly matched. Once the encrypted traffic is received from Amazon VPC traffic mirroring, the Nubeva Receiver agent decrypts it, transforming the packet stream into the usable, readable output the tool expects.
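The matching step described above, shown as an added example that is not Nubeva's code: endpoint TLS libraries can record per-session secrets in the NSS key-log format, keyed by the ClientHello's 32-byte client_random, so a decryptor can join a captured handshake record to its secrets by that value. The record and key-log lines below are constructed sample data, and the TLS 1.3 secret labels are the standard NSS ones.

```python
def client_random_from_record(data: bytes) -> bytes:
    """Return the 32-byte client_random from a TLS record carrying a ClientHello.
    Layout: record type(1) version(2) length(2) | handshake type(1) length(3) version(2) random(32)."""
    if len(data) < 5 + 4 + 2 + 32:
        raise ValueError("record too short")
    if data[0] != 0x16:  # ContentType.handshake
        raise ValueError("not a handshake record")
    rec_len = int.from_bytes(data[3:5], "big")
    body = data[5:5 + rec_len]
    if len(body) < 4 + 2 + 32 or body[0] != 0x01:  # HandshakeType.client_hello
        raise ValueError("not a ClientHello")
    return body[6:38]

def parse_keylog(text: str) -> dict:
    """Index NSS key-log lines ("LABEL <client_random hex> <secret hex>") by client_random."""
    index = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0].startswith("#"):
            continue
        label, rand_hex, secret_hex = parts
        try:
            index.setdefault(bytes.fromhex(rand_hex), {})[label] = bytes.fromhex(secret_hex)
        except ValueError:  # malformed hex: skip the line rather than poison the index
            continue
    return index

def secrets_for_capture(record: bytes, keylog: str) -> dict:
    """Secrets by label for the session in `record`; {} if the agent extracted none for it."""
    return parse_keylog(keylog).get(client_random_from_record(record), {})

def build_client_hello(client_random: bytes) -> bytes:
    """Constructed minimal TLS 1.3-style ClientHello offering TLS_AES_128_GCM_SHA256 (0x1301)."""
    hello = (b"\x03\x03" + client_random + b"\x00"        # legacy_version, random, empty session id
             + b"\x00\x02\x13\x01" + b"\x01\x00"          # one cipher suite, null compression
             + b"\x00\x00")                               # no extensions (real clients send several)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello  # HandshakeType.client_hello + length
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs  # record header

CLIENT_RANDOM = bytes(range(0x10, 0x30))  # constructed sample values, not from a real capture
SAMPLE_RECORD = build_client_hello(CLIENT_RANDOM)
SAMPLE_KEYLOG = "\n".join([
    "# constructed NSS key log: one SHA-256 session plus one unrelated session",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CLIENT_RANDOM.hex()} {'11' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CLIENT_RANDOM.hex()} {'22' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {CLIENT_RANDOM.hex()} {'33' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {CLIENT_RANDOM.hex()} {'44' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {'ab' * 32} {'55' * 32}",
])
```

A session whose client_random has no key-log entry yields an empty result, which is the case a receiver has to surface as "captured but not decryptable" rather than silently drop.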


The management of unlocked AWS cloud visibility is easier and more convenient than ever before. Amazon VPC traffic mirroring makes acquiring packet traffic easy by allowing customers to natively mirror their VPC traffic, without using additional packet-forwarding agents. The Nubeva Decrypt solution has a convenient SaaS-based management console that runs in AWS. Configuration, deployment, reporting and monitoring are secure, easy and fast. A simple drag-and-drop graphical UI makes setup intuitive and fast.


Together, Amazon VPC traffic mirroring and Nubeva Decrypt provide complete and unlocked visibility on the AWS cloud.


Nubeva’s breakthrough TLS decryption capability for AWS is modular, easy to deploy, and scales to meet any traffic load without any configuration overhead or architectural constraints. Cloud DevOps teams can decrypt SSL / TLS traffic inside their AWS environments to enable security, performance, and diagnostic systems and processes.


Nubeva’s solution is based on a patent-pending innovation that enables our lightweight agents to handle PFS and extract keys across TLS 1.2 and TLS 1.3 and all the cipher suites in use today, including Elliptic-curve Diffie-Hellman key exchange and the AES-GCM and CHACHA20 (AEAD) ciphers. The new, AI-based agent technology eliminates the need for certificate management or man-in-the-middle architectures, which are increasingly ineffective with new encryption models. State-of-the-art key-matching and decryption techniques synchronize keys to PCAPs and mirror-delivered traffic streams for effective decryption.


The Nubeva TLS Decrypt solution is part of Nubeva’s cloud network visibility system and is available for public preview today. For more information about Nubeva, visit:


