Virtual Test Access Points (VTAPs)
A Virtual Test Access Point (VTAP) provides a way to mirror traffic from a selected source to a selected target to help in troubleshooting, security analysis, and data monitoring.
The VTAP uses a capture filter, which contains a set of rules governing what traffic a VTAP mirrors. A VTAP is in the STOPPED state when it is created, so you must click Start VTAP before it mirrors any traffic.
You can create a capture filter while you create a VTAP, or assign an existing capture filter to a new VTAP.
VTAP sources and targets
The VTAP source is the resource the VTAP monitors. Traffic on this resource is mirrored and sent to a chosen target. The VTAP source and target must be hosted in the same VCN. They can be in different compartments or subnets provided you have the required permissions to view and work with these resources. VTAP sources can be:
- A single Compute instance VNIC in a subnet
- A Load Balancer
- A Database system
- An Exadata VM Cluster
- An Autonomous AI Lakehouse instance using a private endpoint
For Compute instances, specify the OCID of the attached VNIC. For the other source types, specify the service resource's OCID.
The target is the resource that receives traffic mirrored from a VTAP. VTAP targets can be:
When a resource used as a VTAP's source or target is deleted, the VTAP can no longer function and the Console puts the VTAP in the stopped state. To restart the VTAP, choose a new resource to replace the missing resource.
This diagram shows a sample implementation of a VTAP.
In this example, the virtual machine in Subnet-A is sending traffic to another virtual machine in Subnet-B. The VTAP in Subnet-A checks traffic leaving the virtual machine. Because this traffic matches the capture filter in use, the VTAP mirrors the traffic to the target (in this case a network load balancer in Subnet-C). The backend set can then perform the appropriate analysis on the mirrored traffic.
Capture filters and rules
Capture filter rules select what is included in the traffic mirrored from the source to the target. Many VTAPs can use the same capture filter, so changing a capture filter's rules impacts all VTAPs that use that capture filter. A capture filter must have at least one rule, and can have up to 10 rules. Capture filter rules are examined in the sequence order you define. When a match is found, that rule is applied. If no match is found on a particular rule, the next rule in the sequence is evaluated and run if matched. Reordering the rules can change the capture filter behavior.
A capture filter can take an action (either include or exclude a packet) based on the following types of criteria:
- The packet is part of ingress or egress traffic
- The packet is bound for or coming from a specific source or destination IPv4 CIDR block or IPv6 prefix
- The packet uses a specific IP protocol (a TCP or UDP port range, ICMP, or ICMPv6), or any protocol (the default, All)
If a rule doesn't specify a CIDR block or prefix or IP protocol, all IP addresses or IP protocols are accepted for that rule.
Here's a working example of how you might structure a set of rules. The intent is that all traffic from 10.1.0.0/16 is included except 10.1.1.1, which is excluded:
- Source CIDR: 10.1.1.1/32, Exclude
- Source CIDR: 10.1.0.0/16, Include
- Source CIDR: 10.1.1.0/24, Include
The capture filter evaluates each packet in the traffic against the rules in the defined sequence order. A packet from 10.1.1.1 matches the first rule and is excluded from the mirrored traffic. The packet isn't compared against the other rules in the set. The rule set works as intended.
If the first rule is moved to be third in the sequence order, the set of rules no longer works as intended:
- Source CIDR: 10.1.0.0/16, Include
- Source CIDR: 10.1.1.0/24, Include
- Source CIDR: 10.1.1.1/32, Exclude
Because the capture filter rules evaluate each packet in the traffic in the defined sequence order, a packet from 10.1.1.1 now matches the first rule and is included in the mirrored traffic. Further rule evaluations are skipped. This example uses CIDR blocks, but rules are evaluated the same way no matter which source type you select.
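The first-match evaluation described above, as an added example that is not part of the original page or of the VTAP service: the two rule orderings from the text are evaluated against sample source addresses, and a small check flags rules that an earlier, broader CIDR shadows (which is what breaks the second ordering). It assumes that a packet matching no rule is not mirrored, which the page does not state.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    source_cidr: str   # source CIDR block or IPv6 prefix this rule matches
    include: bool      # True = include in mirrored traffic, False = exclude


def evaluate(rules, src_ip, default_include=False):
    """Return (included, matched_rule_index) for a packet from src_ip.

    Rules are examined in sequence order; the first rule whose CIDR contains
    the address decides the outcome and later rules are skipped.
    default_include is an assumption for packets that match no rule.
    """
    ip = ipaddress.ip_address(src_ip)
    for idx, rule in enumerate(rules):
        net = ipaddress.ip_network(rule.source_cidr, strict=False)
        if ip.version == net.version and ip in net:
            return rule.include, idx
    return default_include, None


def lint_shadowed(rules):
    """Indices of rules that can never match because an earlier rule's
    CIDR already contains every address they cover (constructed check,
    not a VTAP feature)."""
    shadowed = []
    for i, rule in enumerate(rules):
        net = ipaddress.ip_network(rule.source_cidr, strict=False)
        for earlier in rules[:i]:
            prev = ipaddress.ip_network(earlier.source_cidr, strict=False)
            if net.version == prev.version and net.subnet_of(prev):
                shadowed.append(i)
                break
    return shadowed


# The two orderings from the page: intended, and with the exclude moved last.
INTENDED = [Rule("10.1.1.1/32", False), Rule("10.1.0.0/16", True), Rule("10.1.1.0/24", True)]
REORDERED = [Rule("10.1.0.0/16", True), Rule("10.1.1.0/24", True), Rule("10.1.1.1/32", False)]

if __name__ == "__main__":
    for name, rules in (("intended", INTENDED), ("reordered", REORDERED)):
        print(name, "10.1.1.1 ->", evaluate(rules, "10.1.1.1"), "shadowed:", lint_shadowed(rules))
```

In the reordered set the exclude rule is reported as shadowed, which is exactly why 10.1.1.1 is mirrored.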
For more information, see Capture Filters.
Advanced VTAP Features
VXLAN network identifier (VNI): Enter a VNI to uniquely identify the VXLAN encapsulation tunnel. If you don't specify a VNI, one is automatically generated for you.
If a VTAP is enabled on a particular supported source, the overhead generated by the mirroring of packets consumes network bandwidth. Network bandwidth capacity is decided by the underlying shape of the instance to which a VNIC is attached. A VTAP is implemented on the VNIC.
If you're using greater than 30% of the available network bandwidth supported by the service and you want to enable a VTAP, we recommend that you upgrade the underlying service shape.
Alternatively, when you configure a VTAP you can specify a smaller maximum packet size (an MTU of 1500 or smaller), so that mirrored packets are truncated and overall performance and bandwidth usage improve.
For truncated mirrored packets, packet header parameters of the payload such as length and checksum aren't updated.
Priority mode: Using this option gives equal priority to monitored and mirrored traffic when there is congestion at the source. By default, production traffic is prioritized ahead of VTAP mirrored traffic. When you enable priority mode, monitored traffic and VTAP mirrored traffic are assigned equal priority. When this option is selected, mirrored traffic might cause some monitored traffic to be dropped whenever the source is congested. If this packet loss is detected you can either disable priority mode or upgrade the source shapes to accommodate more bandwidth.
Requirements and Preparation
Implementing a VTAP requires at least one valid source and one valid target, both in the same VCN. These resources must exist before you create a VTAP. The target can be in a different subnet than the source.
Dependencies
Working with VTAPs requires understanding some crucial dependencies:
- A VTAP must always have a source, a target, and an associated capture filter.
- A capture filter must always have at least one associated rule.
- A VNIC can't ever be a source for more than one VTAP. See VTAP sources and targets for more details.
You could see the following expected behaviors:
- You can't create a VTAP without choosing a source and target and associating it with an existing capture filter. You can edit which capture filter is associated with the VTAP. You can't ever have a VTAP that doesn't have an associated capture filter.
- You're prevented from deleting a capture filter associated with a VTAP. To delete a capture filter that one or more VTAPs use, you need to associate a different capture filter to those VTAPs before you delete the capture filter.
- You're prevented from creating an empty capture filter or editing a capture filter to no longer contain any rules.
- If a VTAP source or target is deleted, the VTAP is automatically put into the STOPPED state. To restart a VTAP stopped for this reason, edit the VTAP to assign a new valid source or target, which causes the VTAP to be put back in the RUNNING state.
Required IAM Policy
To use Oracle Cloud Infrastructure, an administrator must be a member of a group granted security access in a policy by a tenancy administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don't have permission or are unauthorized, verify with the tenancy administrator what type of access you have and which compartment your access works in.
For administrators: see IAM Policies for Networking.
Limits on IAM Resources
For a list of applicable limits and instructions for requesting a limit increase, see Limits by Service. To set compartment-specific limits on a resource or resource family, administrators can use compartment quotas. See VTAP Limits for a list of limits specific to this service.
Validated Oracle Partner Solutions
Some members of the Oracle Partner Network (OPN) have verified solutions available in the Oracle Marketplace that function with a VTAP. You can deploy these solutions when you use a VTAP to send mirrored traffic to a Network Load Balancer target.
You can use other solutions with a VTAP, but only these solutions have been validated by Oracle.
VTAP Tasks
You can perform the following tasks using the VTAP service: