As known in the art, a virtual private cloud (VPC) is a logically isolated virtual network that is created as an overlay on top of a cloud service provider's public cloud infrastructure. FIG. 1 depicts an example VPC 100 according to an embodiment. As shown, VPC 100 includes a number of hosts that are implemented using virtual machines (VMs) 102, 104, 106, and 108. VMs 102 and 104 are part of a first subnet 110 of VPC 100 defined by the CIDR block 10.0.1.0/24. VMs 106 and 108 are part of a second subnet 112 of VPC 100 defined by the CIDR block 10.0.2.0/24. Subnets 110 and 112 are in turn connected to a virtual router 114, which can route VPC traffic between the subnets as well as to the Internet via an Internet Gateway (IGW) 116.
Many cloud service providers rely on software-defined networking (SDN) technology to provision and manage VPCs within their public cloud infrastructure. For instance, FIG. 1 depicts an SDN controller 118 that is in communication with VPC 100. SDN controllers such as controller 118 can enable cloud service providers to define and configure the virtual network resources that are needed to bring up and maintain a VPC, without making changes to the underlying physical network.
One challenge faced by customers who use VPCs provided by cloud service providers is how to maintain compliance with rules and regulations that govern workloads being processed in the cloud (e.g., Payment Card Industry (PCI) regulations, Federal Information Security Management Act (FISMA) regulations, etc.). Many of these rules/regulations require network traffic to be collected and monitored on a periodic basis for auditing and reporting purposes. In a conventional network environment that is owned/operated by the customer, the customer can achieve this by enabling hardware port mirroring on one or more ports of a physical switch/router in the network (e.g., a top-of-rack switch), thereby mirroring port traffic to a collector tool. The collector tool can then aggregate and analyze the mirrored traffic as required by the relevant rules/regulations. However, in a VPC, enabling port mirroring is more complicated because the cloud infrastructure is owned and operated by the cloud service provider rather than by the customer using the VPC. Accordingly, the customer may not have the privileges needed to access the network elements in the cloud infrastructure in order to turn on or configure port mirroring functionality.
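The compliance requirement above reduces to a concrete question a customer has to be able to answer: is the traffic of every host in the VPC actually being copied to the collector? The following is an added example, not part of the patent text or of any cloud provider's API. It models the FIG. 1 topology (subnets 10.0.1.0/24 and 10.0.2.0/24, VMs 102-108, one collector) and audits a list of mirroring sessions for coverage gaps, orphaned sessions, and a collector that sits outside the VPC. The individual host addresses, the collector address, and the `MirrorSession` representation are assumptions made for the example; a real deployment would populate them from the provider's mirroring configuration.

```python
"""Audit mirror-session coverage for a VPC (added example; not from the patent).

The topology follows FIG. 1; host and collector addresses are constructed
assumptions, as is the MirrorSession shape used to represent a provider's
port-mirroring configuration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    ip: str  # assumed address of the VM's interface inside the VPC


@dataclass(frozen=True)
class MirrorSession:
    source_ip: str     # interface whose traffic is copied
    collector_ip: str  # destination receiving the copy


# Constructed topology per FIG. 1 (subnet CIDRs from the text; addresses assumed).
SUBNETS = {
    "subnet-110": ipaddress.ip_network("10.0.1.0/24"),
    "subnet-112": ipaddress.ip_network("10.0.2.0/24"),
}
HOSTS = [
    Host("VM-102", "10.0.1.10"),
    Host("VM-104", "10.0.1.11"),
    Host("VM-106", "10.0.2.10"),
    Host("VM-108", "10.0.2.11"),
]
COLLECTOR = "10.0.2.250"  # assumed collector tool address inside subnet 112

# Constructed sessions: VM-108 has no session, and one session refers to a
# source that is not in the VPC at all (a stale entry an auditor should flag).
SESSIONS = [
    MirrorSession("10.0.1.10", COLLECTOR),
    MirrorSession("10.0.1.11", COLLECTOR),
    MirrorSession("10.0.2.10", COLLECTOR),
    MirrorSession("10.0.9.7", COLLECTOR),
]


def subnet_of(ip, subnets=SUBNETS):
    """Return the name of the subnet containing `ip`, or None if outside the VPC."""
    addr = ipaddress.ip_address(ip)
    for name, net in subnets.items():
        if addr in net:
            return name
    return None


def audit_mirror_coverage(hosts, sessions, subnets=SUBNETS, collector=COLLECTOR):
    """Check that every host's traffic is mirrored to `collector`.

    Returns a dict with covered/uncovered host names, per-subnet counts,
    orphan sessions (sources outside the VPC), whether the collector itself
    is inside the VPC, and an overall `compliant` verdict.
    """
    mirrored = {s.source_ip for s in sessions if s.collector_ip == collector}
    report = {
        "covered": [],
        "uncovered": [],
        "per_subnet": {name: {"total": 0, "mirrored": 0} for name in subnets},
        "orphan_sessions": [s.source_ip for s in sessions
                            if subnet_of(s.source_ip, subnets) is None],
        "collector_in_vpc": subnet_of(collector, subnets) is not None,
    }
    for h in hosts:
        bucket = report["per_subnet"][subnet_of(h.ip, subnets)]
        bucket["total"] += 1
        if h.ip in mirrored:
            bucket["mirrored"] += 1
            report["covered"].append(h.name)
        else:
            report["uncovered"].append(h.name)
    # Compliant only when every host is mirrored and nothing is left dangling.
    report["compliant"] = (not report["uncovered"]
                           and not report["orphan_sessions"]
                           and report["collector_in_vpc"])
    return report


if __name__ == "__main__":
    result = audit_mirror_coverage(HOSTS, SESSIONS)
    print("uncovered hosts:", result["uncovered"])
    print("orphan sessions:", result["orphan_sessions"])
    print("compliant:", result["compliant"])
```

The audit is deliberately written against a list of sessions rather than against a live provider API, so the same function can be pointed at whatever the provider exposes (a mirroring-session export, an SDN controller dump, or a hand-maintained inventory) once that data is normalized into `MirrorSession` records. The per-subnet counts give the auditor the number a report typically asks for ("all N interfaces in subnet X are mirrored"), while the orphan and collector checks catch the two configuration-drift cases that a simple "is there a session for each VM" loop would miss.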