Need to monitor your cloud network traffic, but don’t want to learn about all of the convoluted cloud mechanics of standard infrastructure technologies? Then a software test access point”TAP” might be for you. Basically, because it works at layer 2 of the OSI model, a VPN interface on a cloud node can receive duplicated packets from the production interface and this allows us to mirror all traffic over the VPN connection using something like daemonlogger or netsniff-ng. Clear enough?
Instructions are available here: https://docs.securityonion.net/en/16.04/cloud-client.html