Monitoring traffic on VPC

I’ve got a cluster set up in the cloud with a Master and two workers all in separate VPCs. They are talking using VPN and I can see the traffic from the workers in the master. What I’m trying to do is to have the worker monitor the whole VPC as there will be other VMs such as honeypots etc.

I have tried port forwarding (forwarding all the traffic from the other instances into the bro worker) however with no luck as AWS doesn’t allow port forwarding apparently.

My question is can Bro monitor whole subnets? Or is there a better solution to monitor all of the traffic in a VPC?

I tackled this problem in AWS (using Suricata and Bro) by forcing all data through a handful of NAT instances. That allowed me to centralize the data flows and install VTUN and daemonlogger at those points to transfer the network traffic to a few dedicated IDS instances. Amazon’s routing makes even this challenging, and I can get into more detail about that directly if you’d like.

There are many downsides to that approach, but it worked reliably for my needs (providing IDS services in AWS and complying with regulations).
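One way to verify the chokepoint design described in this answer, as an added example that is not code from the thread: audit every VPC route table so each subnet's default route terminates on one of the NAT/capture instances, and flag subnets that would bypass the IDS (for example via an internet gateway). The route tables are a constructed sample in the shape EC2 DescribeRouteTables returns, and the NAT instance and ENI ids are hypothetical.

```python
"""Audit route tables: does every subnet's default route hit a capture point?"""

# Constructed sample, shaped like EC2 DescribeRouteTables output (ids are hypothetical).
SAMPLE_ROUTE_TABLES = [
    {   # main table: used by any subnet without an explicit association
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-nat-a"},
        ],
    },
    {   # honeypot subnet routed straight to the internet gateway: IDS never sees it
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-honeypot"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"},
        ],
    },
    {   # worker subnet routed to the NAT instance's network interface
        "RouteTableId": "rtb-workers",
        "Associations": [{"SubnetId": "subnet-workers"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-nat-b"},
        ],
    },
]

# Hypothetical capture points: NAT instance ids and their ENIs, either may be a target.
CAPTURE_TARGETS = {"i-nat-a", "i-nat-b", "eni-nat-b"}


def default_route_target(route_table):
    """Return the next hop of the 0.0.0.0/0 route, or None if there is none."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return (route.get("InstanceId") or route.get("NetworkInterfaceId")
                    or route.get("NatGatewayId") or route.get("GatewayId"))
    return None


def find_bypasses(route_tables, capture_targets):
    """Map each subnet (or 'main') whose default route does not end on a
    capture point to the offending next hop (None means no default route)."""
    bypasses = {}
    for rt in route_tables:
        target = default_route_target(rt)
        if target in capture_targets:
            continue
        for assoc in rt["Associations"]:
            bypasses[assoc.get("SubnetId", "main")] = target
    return bypasses
```

Run this against real DescribeRouteTables output after every routing change; an empty result means no subnet can reach the internet without passing a capture point.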