Acquire Traffic using Customer Orchestrated Source with Gateway Load Balancing

This section outlines the workflow for acquiring traffic with Customer Orchestrated Source and deploying GigaVUE Fabric Components with a Gateway Load Balancer. Refer to the following topics for instructions on configuring traffic acquisition, processing, and forwarding to your desired destination.

Install GigaVUE-FM on AWS

This step is optional and applies only when an existing GigaVUE-FM instance is not available.
Refer to Install GigaVUE-FM on AWS for steps to install GigaVUE‑FM on AWS and the steps to start GigaVUE‑FM instance and configure it.

Configure the permissions required in AWS

If you are using inline policy or basic authentication, then you must update the policy with the relevant IAM service. For more information, see Minimum Permissions Required for Inline Policies and Basic Authentication.

This policy allows you to acquire traffic using Traffic Mirroring with Gateway Load Balancer and authenticate using an IAM instance role.

Copy 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:DeregisterTargets",
                "elasticloadbalancing:DescribeTargetHealth",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeAddresses",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeSecurityGroups",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:DescribeImages",
                "ec2:DescribeVolumes",
                "ec2:CreateTrafficMirrorFilterRule",
                "ec2:CreateTrafficMirrorTarget",
                "ec2:CreateTrafficMirrorSession",
                "ec2:CreateTrafficMirrorFilter",
                "ec2:DeleteTrafficMirrorTarget",
                "ec2:DeleteTrafficMirrorSession",
                "ec2:DeleteTrafficMirrorFilter",
                "ec2:DescribeTrafficMirrorSessions",
                "ec2:DescribeTrafficMirrorTargets",
                "ec2:DescribeTrafficMirrorFilters",
                "ec2:DescribeVpcEndpointServiceConfigurations",
                "ec2:DescribeVpcEndpoints",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",
                "iam:ListAccountAliases",
                "kms:ListAliases",
                "kms:GenerateDataKeyWithoutPlaintext"
            ],
            "Resource": "*"
        }
    ]
}

For more information regarding policies and permissions, refer to AWS Documentation.

If you are using inline policy or basic authentication, then you must update the policy with the relevant IAM service. For more information, see GigaVUE-FM Instance Multi Account Support Using Amazon STS.

Create the AWS Credentials

You can monitor workloads across multiple AWS accounts within one Monitoring Domain.

  • After launching GigaVUE‑FM in AWS, if the IAM is attached to the running instance of FM, then the EC2 Instance Role authentication credential is automatically added to the Credential page as the default credential. You must attach the IAM prior to creating a Monitoring Domain.
  • If you use the Basic Credentials authentication credentials, you must add these to the GigaVUE‑FM on the AWS Settings page, or on the Monitoring Domain creation page.

For details, refer to Create a Monitoring Domain.

To create AWS credentials:

  1. Go to Inventory > VIRTUAL > AWS, and select Settings > Credentials
  2. On the Credential page, select Add. The Credential Configure page appears.

  3. Enter a name to identify the AWS Credential in the Name Field.
  4. Basic Credentials is selected as the default Authentication Type. For more information, refer to AWS Security Credentials
  5. Enter the credential of an IAM user or the AWS account root user in the Access Key field.
  6. Enter the security password or key in the Secret Access Key field.
  7. Select Save. You can view the list of available credentials on the AWS Credential page.

Configure Gateway Load Balancer and deploy GigaVUE V Series Nodes

Prerequisites

  • Create or update Security Group policies of GigaVUE Cloud Suite components. For details, refer to Security Group topic for detailed information.
  • Create or update route tables in the VPCs across all mirrored AWS accounts. Ensure each mirrored account VPC can connect to the target account VPC where you deploy the Gateway Load Balancer. For details, refer to Subnet and Security Group for Amazon VPC.
  • Create or update an IAM role for GigaVUE-FM in the centralized VPC. Establish a trust relationship between the mirrored and the target account for GigaVUE-FM to execute the above permissions at the IAM role level. For details, refer to Permissions and Privileges (AWS).
    For more information on AWS recommended design for Gateway Load Balancer implementation with inline services, such as firewall. see Getting started with Gateway Load Balancers - Elastic Load Balancing (amazon.com)
  • Create a VPC endpoint and endpoint service. For more information, see Create endpoint service
  • Create a routing table. For more information, see Amazon documentation.
  • Configure a token in the User Management page. For details, refer to Configure Tokens.

Points to Note:

When configuring Gateway Load Balancer, you need to deploy the GigaVUE V Series Nodes using Third Party Orchestration.

Perform the following steps to configure an external load balancer in AWS:

  1. Create a Target Group
  2. Create a Load Balancer
  3. Create a Launch Template for Auto Scaling group
  4. Create an Auto Scaling group using a Launch Template

Create a Target Group

Enter or select the following details as mentioned in the table to configure target groups in AWS.

Parameters

Description

Reference

Mandatory field

Basic Configuration

Choose a target type

Select IP address as the target type

Create a target group for your Gateway Load Balancer

 

 

Yes

Protocol

Verify that Protocol is GENEVE

Yes

Port

Verify that the port value is 6081

Yes

Health Checks

HealthCheckProtocol

Select TCP as the protocol.

Health checks for Gateway Load Balancer target groups

 

 

Yes

HealthCheckPort

Enter 8889 as the port.

Yes

HealthCheckIntervalSeconds

Enter 10 seconds as the approximate amount of time, in seconds.

Yes

Create a Load Balancer

Enter or select the following details as mentioned in the table to configure a load balancer in AWS.

Parameters

Description

Reference

Mandatory field

Network Mapping

VPC

Select the VPC for your targets (GigaVUE V Series Node)

Create a Gateway Load Balancer

Yes

IP Listener routing

Default action

Select the target group to receive traffic. If you don't have a target group, choose Create target group.

Create a target group

Yes

Create a Launch Template for Auto Scaling group

Enter or select the following details to create a launch template for auto scaling groups in AWS.

Parameters

Description

Reference

Mandatory field

Launch Template contents

Application and OS Images (Amazon Machine Image)

Select the AMI of the GigaVUE V Series Node.

Create a launch template for an Auto Scaling group

 

 

 

Yes

Instance type

Select c5n.xlarge as the instance type.

Yes

Key pair name

Select a Key pair for the instance.

Yes

Network Settings

Device Index

Add 2 Network Interfaces for the GigaVUE V Series Node with device index as 0 and 1 (mgmt and data interface respectively) and for the interfaces,

Create a launch template for an Auto Scaling group

Yes

Firewall (security groups)

Keep this blank and configure one or more security groups as part of the network interface.

Security Group

Yes

Advanced Settings

Advanced details

Enter the User data as text in the following format and deploy the instance. The GigaVUE V Series Nodes uses this user data to generate config file (/etc/gigamon-cloud.conf) used to register with GigaVUE-FM using Third Party Orchestration.

Copy 
#cloud-config
 write_files:
 - path: /etc/gigamon-cloud.conf
   owner: root:root
   permissions: '0644'
   content: |
     Registration:
        groupName: <Monitoring Domain Name>
        subGroupName: <VPC Name>
        token: <Token>
        remoteIP: <IP address of the GigaVUE-FM>
        remotePort: 443

Create a launch template using advanced settings

Yes

Create an Auto Scaling group using a Launch Template

Enter or select the following details to create an auto scaling group and launch the fabric components using the launch template in AWS.

Parameters

Description

Reference

Mandatory field

Configure group size and scaling policies

Group Size

Enter the Desired capacity as 0. The Desired capacity value must be less than the Maximum Capacity value.

Note: Once the monitoring Domain and connection is configured, edit this value to the number of GigaVUE V Series Node.

Creating an Auto Scaling group using a launch template

Yes

Automatic Scaling

Select Target tracking scaling policy and enter the following details to define a policy:

Metric Type: 1000000000 (bytes)

Instance warmup: 300 seconds

Create a target tracking scaling policy

Yes

Add tag

Provide a tag key and value for each tag.

Tag Auto Scaling groups and instances

No

In the Instances page, you can view the GigaVUE V Series Node instance that the load balancer deploys.

Deploy Visibility Fabric with Gateway Load Balancer

You can deploy GigaVUE V Series Node across the AWS accounts with Gateway Load Balancing in GigaVUE‑FM.

To deploy,

  1. In the Monitoring Domain Configuration page, select VPC Traffic Mirroring or Customer Orchestrated Source or Inline as the Traffic Acquisition method. For details, refer to Create a Monitoring Domain.
  2. Enter the Monitoring Domain Name and the Connection Name as mentioned in the user data provided during the template launch in AWS. For details, refer to Configure a Gateway Load Balancer in AWS.
  3. For the Use Load Balancer field, select Yes.
  4. Select No for the Use FM to Launch Fabric option. This allows you to deploy the fabric components using Third Party Orchestration.

  5. Select Save. The Monitoring Domain is created successfully and you are navigated to the AWS Fabric Launch Configuration page.
  6. In the AWS Fabric Launch Configuration page, perform the following for the load balancer.
    1. Select the VPC from the drop down list.
    2. Select the Load Balancer configured in AWS.
    3. Select the Auto Scaling Group configured in AWS.
  7. Select Save to save the configuration.

Once the Monitoring Domain is successfully configured, edit the Desire capacity value for the Auto Scaling Group in AWS. For details, refer to Configure a Gateway Load Balancer in AWS.

Configure and Deploy Monitoring Session

In GigaVUE-FM, you must do the following to configure and deploy the Monitoring Session. Refer to Configure Monitoring Session section for more details.

1.   Access the Monitoring Session Page:
a. In GigaVUE-FM, go to Traffic > Virtual > Orchestrated Flows > AWS.
b. After creating a new Monitoring Session or on an existing Monitoring Session, navigate to the TRAFFIC PROCESSING tab. The GigaVUE-FM Monitoring Session canvas page appears.
2. Add components to the canvas:
a. Drag and drop the required components to the canvas.
b. From the Applications expand menu, drag and drop the required applications to the graphical workspace.
3. Deploy the Monitoring Session:
a. From the Actions menu, select Deploy.
b. After successful deployment on all the V Series Nodes, the status appears as Success on the Monitoring Sessions Sources tab.

What to do Next

You can view the detailed statistics of an individual traffic processing element in the TRAFFIC PROCESSING tab. For more details, refer to View Monitoring Session Statistics (AWS).