We’re using AWS VPC traffic mirroring to monitor EKS host traffic and send it to Suricata. Since EKS nodes have both a primary ENI (for host-level traffic) and multiple secondary ENIs (used by the AWS VPC CNI for pod traffic), I’m trying to determine whether mirroring just the primary ENI is sufficient for effective monitoring.
Has anyone used Suricata in this setup? Would love to hear your experience or recommendations on whether monitoring both primary and secondary ENIs is necessary.
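An added coverage check for the question above (example code, not from the poster or from AWS): given the ENI and mirror-session inventories in the shape returned by the EC2 `DescribeNetworkInterfaces` and `DescribeTrafficMirrorSessions` calls, it lists, per node, which attached ENIs have no mirror session, split into primary (`DeviceIndex` 0) and secondary. The sample ids below are constructed; in practice the two lists come from `boto3` (`ec2.describe_network_interfaces()`, `ec2.describe_traffic_mirror_sessions()`).

```python
"""Which ENIs on EKS worker nodes lack a VPC Traffic Mirror session?

Pure function over the EC2 API response shapes, so it runs offline on the
constructed sample below; feed it real responses via boto3 in practice.
"""
from collections import defaultdict


def mirror_coverage(interfaces, sessions):
    """Return {instance_id: {"primary": [eni...], "secondary": [eni...]}}
    for every attached ENI that has no traffic-mirror session.

    DeviceIndex 0 is the node's primary ENI (host traffic); any other index
    is a secondary ENI, which on EKS is where the VPC CNI places pod IPs, so
    an entry under "secondary" means pod traffic on that node is not mirrored.
    Unattached ENIs are ignored; fully covered instances are omitted."""
    mirrored = {s["NetworkInterfaceId"] for s in sessions}
    gaps = defaultdict(lambda: {"primary": [], "secondary": []})
    for eni in interfaces:
        att = eni.get("Attachment") or {}
        instance = att.get("InstanceId")
        if not instance or eni["NetworkInterfaceId"] in mirrored:
            continue
        kind = "primary" if att.get("DeviceIndex") == 0 else "secondary"
        gaps[instance][kind].append(eni["NetworkInterfaceId"])
    return {i: g for i, g in gaps.items() if g["primary"] or g["secondary"]}


# Constructed sample (hypothetical ids): node i-0aaa has a primary ENI and two
# CNI-managed secondary ENIs but only the primary is mirrored; node i-0bbb is
# fully mirrored; eni-0free is detached and must be ignored.
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0a1", "Attachment": {"InstanceId": "i-0aaa", "DeviceIndex": 0}},
    {"NetworkInterfaceId": "eni-0a2", "Attachment": {"InstanceId": "i-0aaa", "DeviceIndex": 1},
     "Description": "aws-K8S-i-0aaa"},
    {"NetworkInterfaceId": "eni-0a3", "Attachment": {"InstanceId": "i-0aaa", "DeviceIndex": 2},
     "Description": "aws-K8S-i-0aaa"},
    {"NetworkInterfaceId": "eni-0b1", "Attachment": {"InstanceId": "i-0bbb", "DeviceIndex": 0}},
    {"NetworkInterfaceId": "eni-0b2", "Attachment": {"InstanceId": "i-0bbb", "DeviceIndex": 1}},
    {"NetworkInterfaceId": "eni-0free"},
]
SAMPLE_SESSIONS = [
    {"NetworkInterfaceId": "eni-0a1", "TrafficMirrorTargetId": "tmt-0x"},
    {"NetworkInterfaceId": "eni-0b1", "TrafficMirrorTargetId": "tmt-0x"},
    {"NetworkInterfaceId": "eni-0b2", "TrafficMirrorTargetId": "tmt-0x"},
]

if __name__ == "__main__":
    for inst, g in mirror_coverage(SAMPLE_ENIS, SAMPLE_SESSIONS).items():
        print(f"{inst}: unmirrored primary={g['primary']} secondary={g['secondary']}")
```

Run against a live account, a non-empty `secondary` list for a node is the concrete sign that mirroring only the primary ENI leaves that node's pod traffic outside Suricata's view.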