Yes, an Alert Logic® appliance is required for a customer to collect threat traffic. Alert Logic appliances are able to collect network traffic either directly from a span (mirrored) port from a network switch or from Alert Logic agents, which can be deployed on any host that you wish to protect.
In the case of span ports, network traffic can only be sent to an appliance that is sitting locally to the network switch. Similarly, agents can only send network traffic to a local appliance.
Alert Logic appliances come in both physical and virtual (.ova) options. Physical appliances are able to work with both agents and network spans, while virtual appliances only work with agents.