Acquire Traffic using Customer Orchestrated Source with Network Load Balancer

This section outlines the workflow for acquiring traffic using Customer Orchestrated Source with Network Load Balancer. Refer to the following topics for instruction on configuring traffic acquisition, processing, and forwarding to your desired destination.

Install GigaVUE-FM on AWS

This step is optional and applies only when an existing GigaVUE-FM instance is not available.
Refer to Install GigaVUE-FM on AWS for steps to install GigaVUE‑FM on AWS and the steps to start GigaVUE‑FM instance and configure it.

Configure the permissions required in AWS

If you are using inline policy or basic authentication, then you must update the policy with the relevant IAM service. For more information, see Minimum Permissions Required for Inline Policies and Basic Authentication.

These are the minimum permissions that are required to acquire traffic using Traffic Mirroring with Network Load Balancer and authenticate using an IAM instance role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:DeregisterTargets",
                "elasticloadbalancing:DescribeTargetHealth",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeAddresses",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeSecurityGroups",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:DescribeImages",
                "ec2:DescribeVolumes",
                "ec2:CreateTrafficMirrorFilterRule",
                "ec2:CreateTrafficMirrorTarget",
                "ec2:CreateTrafficMirrorSession",
                "ec2:CreateTrafficMirrorFilter",
                "ec2:DeleteTrafficMirrorTarget",
                "ec2:DeleteTrafficMirrorSession",
                "ec2:DeleteTrafficMirrorFilter",
                "ec2:DescribeTrafficMirrorSessions",
                "ec2:DescribeTrafficMirrorTargets",
                "ec2:DescribeTrafficMirrorFilters",
                "ram:CreateResourceShare",
                "ram:DeleteResourceShare",
                "ram:GetResourceShareInvitations",
                "ram:AcceptResourceShareInvitation",
                "ram:DisassociateResourceShare",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",
                "iam:ListAccountAliases",
                "kms:GenerateDataKeyWithoutPlaintext",
                "kms:ListAliases"
            ],
            "Resource": "*"
        }
    ]
}

For more information regarding policies and permissions, refer to AWS Documentation.
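The policy above is a minimum, and a hand-edited or wildcard-based policy attached to the GigaVUE-FM role can silently drop one of these actions. The following is an added example (not Gigamon's code and not part of this page) that reads a policy document and reports which of the listed actions no Allow statement grants, honouring the `*` and `?` wildcards IAM action names support. The sample policy text is constructed for the example; the required-action set is copied from the policy on this page.

```python
import fnmatch
import json

# Minimum actions listed on this page for Customer Orchestrated Source with an NLB
# when GigaVUE-FM authenticates with an IAM instance role.
REQUIRED_ACTIONS = {
    "autoscaling:DescribeAutoScalingGroups",
    "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetGroups",
    "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:DeregisterTargets",
    "elasticloadbalancing:DescribeTargetHealth",
    "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeInstances", "ec2:DescribeInstanceTypes",
    "ec2:DescribeAddresses", "ec2:DescribeKeyPairs", "ec2:DescribeSecurityGroups",
    "ec2:CreateTags", "ec2:DeleteTags", "ec2:DescribeImages", "ec2:DescribeVolumes",
    "ec2:CreateTrafficMirrorFilterRule", "ec2:CreateTrafficMirrorTarget",
    "ec2:CreateTrafficMirrorSession", "ec2:CreateTrafficMirrorFilter",
    "ec2:DeleteTrafficMirrorTarget", "ec2:DeleteTrafficMirrorSession", "ec2:DeleteTrafficMirrorFilter",
    "ec2:DescribeTrafficMirrorSessions", "ec2:DescribeTrafficMirrorTargets",
    "ec2:DescribeTrafficMirrorFilters",
    "ram:CreateResourceShare", "ram:DeleteResourceShare", "ram:GetResourceShareInvitations",
    "ram:AcceptResourceShareInvitation", "ram:DisassociateResourceShare",
    "iam:GetPolicyVersion", "iam:GetPolicy", "iam:ListAttachedRolePolicies",
    "iam:ListRolePolicies", "iam:ListAccountAliases",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:ListAliases",
}


def load_policy(text):
    """Parse a policy document. json.loads rejects trailing commas, a common hand-editing slip."""
    return json.loads(text)


def _as_list(value):
    # "Action" may be a single string or a list in an IAM statement.
    return [value] if isinstance(value, str) else list(value or [])


def statement_actions(policy, effect):
    """Collect the action patterns of every statement carrying the given Effect."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    actions = set()
    for stmt in statements:
        if stmt.get("Effect") == effect:
            actions.update(_as_list(stmt.get("Action")))
    return actions


def action_matches(pattern, action):
    """IAM action names are case-insensitive and allow '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions that no Allow grants, or that some Deny names.

    Simplification (assumption of this example): any Deny that names the action is
    treated as revoking it, ignoring its Resource and Condition elements.
    """
    allowed = statement_actions(policy, "Allow")
    denied = statement_actions(policy, "Deny")
    missing = []
    for action in sorted(required):
        granted = any(action_matches(p, action) for p in allowed)
        revoked = any(action_matches(p, action) for p in denied)
        if not granted or revoked:
            missing.append(action)
    return missing


# Constructed sample: a wildcard policy that looks generous but lacks the
# tagging, traffic-mirror creation and KMS data-key actions.
SAMPLE_POLICY_TEXT = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:Describe*", "elasticloadbalancing:*", "autoscaling:DescribeAutoScalingGroups",
                "ram:*", "iam:Get*", "iam:List*", "kms:ListAliases"],
     "Resource": "*"}
  ]
}"""

if __name__ == "__main__":
    for action in missing_actions(load_policy(SAMPLE_POLICY_TEXT)):
        print("missing:", action)
```

Run it against the policy document exported from the role that GigaVUE-FM assumes; an empty result means every action on this page is granted, while each reported action names a permission the Check Permissions step in the Monitoring Domain wizard would also flag.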

If you are using inline policy or basic authentication, then you must update the policy with the relevant IAM service. For more information, see GigaVUE-FM Instance Multi Account Support Using Amazon STS.

Create the AWS Credentials

You can monitor workloads across multiple AWS accounts within one Monitoring Domain.

  • After launching GigaVUE‑FM in AWS, if an IAM role is attached to the running GigaVUE‑FM instance, the EC2 Instance Role authentication credential is automatically added to the Credential page as the default credential. You must attach the IAM role before creating a Monitoring Domain.
  • If you use Basic Credentials authentication, you must add the credentials to GigaVUE‑FM on the AWS Settings page or on the Monitoring Domain creation page.

For details, refer to Create a Monitoring Domain.

To create AWS credentials:

  1. Go to Inventory > VIRTUAL > AWS, and select Settings > Credentials.
  2. On the Credential page, select Add. The Credential Configure page appears.
  3. Enter a name to identify the AWS Credential in the Name field.
  4. Basic Credentials is selected as the default Authentication Type. For more information, refer to AWS Security Credentials.
  5. Enter the credential of an IAM user or the AWS account root user in the Access Key field.
  6. Enter the security password or key in the Secret Access Key field.
  7. Select Save. You can view the list of available credentials on the AWS Credential page.

Configure Role-Based Access for Third Party Orchestration

If you do not want to use an Admin Profile to deploy GigaVUE V Series through a Third Party orchestrator, you can create the required users, roles, and user groups in GigaVUE-FM.

Create a Custom User

You can add users only if you are a user with fm_super_admin role or a user with either read or write access to the GigaVUE-FM security Management category.

To add users:

  1. Go to Settings and select Authentication > GigaVUE-FM User Management > Users.
  2. On the User page, select New User.
  3. In the Add User page, enter the following details:
     • Name: Actual name of the user.
     • Username: User name configured in GigaVUE-FM.
     • Email: Email ID of the user.
     • Password/Confirm Password: Password for the user. For details, refer to Change Your Password.
     • User Group: Select the desired User Group to associate with the user.
     GigaVUE‑FM prompts for your password.
  4. Click Ok. The new user is added.

Create a Custom Role and Assign the User

A user role defines the permissions a user has to perform tasks or operations in GigaVUE‑FM or on the managed device. You can associate a role with a user.

Note:  A user with read-only access cannot perform configurations on the screen. The menus and action buttons in the UI pages are disabled appropriately.

To create a role:

  1. Go to Settings and select Authentication > GigaVUE-FM User Management > Roles.
  2. Select New Role.
  3. In the New Role page, select or enter the following details:
     • Role Name: Name of the role.
     • Description: Description of the role.
     • Select Permission: From the Select Permissions tab, select Third Party Orchestration, and provide write permissions.
  4. Select Apply to save the configuration.

Create a Custom User Group and Assign the Custom Role and the User

A user group consists of a set of roles and a set of tags associated with the users in that group. You can associate a user with one or more groups.

To create a new user group:

  1. Go to Settings, and then select Authentication > GigaVUE-FM User Management > User Groups.
  2. Select New Group.
  3. In the New User Group page, select Next to progress forward and Back to navigate backward.
  4. In the Group Info tab, enter the Group Name and Description details.
  5. In the Assign Roles tab, select the role that you want to assign to the user group.
  6. In the Assign Tags tab, select the required tag key and tag value.
  7. In the Assign Users tab, select the required users.
  8. Select Apply to save the configuration. The new user group is added.

Configure Tokens

GigaVUE‑FM allows you to generate a token only if you are an authenticated user, and the token is bounded by your privileges to access GigaVUE‑FM. You can create multiple tokens if required.

You can create tokens only if you are a user with fm_super_admin role or a user with write access to the GigaVUE-FM security Management category.

To create a token:

  1. Go to Settings > Authentication > GigaVUE‑FM User Management. The User Management page appears.
  2. Select Current User Tokens from the Tokens drop-down list.
  3. Click New Token. The New Token pop-up appears.
  4. Enter a name for the new token in the Name field.
  5. Enter the number of days for which the token is valid in the Expiry field.
  6. From the User Group drop-down list, select a user group that you are privileged to access GigaVUE-FM with. The token inherits the read or write RBAC privileges of this group.
  7. Select OK to generate a new token. You can copy and use the generated token to authenticate to the GigaVUE-FM REST APIs.

Configure Network Load Balancer and deploy GigaVUE V Series Nodes

You can configure an external Network Load Balancer (NLB) in AWS for GigaVUE Cloud Suite.

Prerequisites

  • Create or update Security Group policies of GigaVUE Cloud Suite components. For details, refer to Security Group.
  • Create or update routes in various VPCs across participating mirrored AWS accounts so that all mirrored account VPCs can connect to the target account VPC where the AWS Network Load Balancer is deployed.

    Note:  GigaVUE‑FM treats the target account VPC as the centralized VPC. Connect it to all other mirrored account VPCs either through 1 : 1 VPC peering or through a 1 : M transit gateway (which connects all participating VPCs across mirrored AWS accounts). VPC peering has no bandwidth limitation and no additional cost within the same region (recommended). A transit gateway costs more and is limited to a 50 Gbps burst per VPC.

  • Create or update the existing IAM role for GigaVUE‑FM in the centralized VPC. In addition, you must create a trust relationship between the mirrored account and the target account so that GigaVUE‑FM can exercise the above permissions at the IAM role level. For details, refer to Permissions and Privileges (AWS).
  • When configuring Network Load Balancer, you need to deploy the GigaVUE V Series Nodes using Third Party Orchestration.
  • You need to configure a Token in the User Management page. For details, refer to Configure Tokens.

Perform the following steps to configure an external network load balancer in AWS:

  1. Create a Target Group
  2. Create a Load Balancer
  3. Create a Launch Template for Auto Scaling group
  4. Create an Auto Scaling group using a Launch Template

Create a Target Group

Enter or select the following details to configure target groups in AWS.

Parameters | Description | Reference | Mandatory field

Basic Configuration
  Choose a target type | Select IP address as the target type. | Create a target group for your Network Load Balancer | Yes
  Protocol | Select UDP as the protocol from the drop-down list. | Create a target group for your Network Load Balancer | Yes
  Port | Enter 4789 as the port value. | Create a target group for your Network Load Balancer | Yes

Health Checks
  HealthCheckProtocol | Select TCP as the protocol. | Health checks for Network Load Balancer target groups | Yes
  HealthCheckPort | Enter 8889 as the port. | Health checks for Network Load Balancer target groups | Yes
  HealthCheckIntervalSeconds | Enter 10 seconds as the approximate amount of time, in seconds. | Health checks for Network Load Balancer target groups | Yes

Create a Load Balancer

Enter or select the following details to configure a load balancer in AWS.

Parameters | Description | Reference | Mandatory field

Basic Configuration
  Scheme | Select Internal as the scheme for the load balancer. | Create a Network Load Balancer | Yes

Network Mapping
  VPC | Select the VPC for your targets (GigaVUE V Series Node). | Create a Network Load Balancer | Yes

Listeners and routing
  Protocol | Select UDP as the protocol. | Create a Network Load Balancer | Yes
  Port | Enter 4789 as the port. | Create a Network Load Balancer | Yes

Create a Launch Template for Auto Scaling group

Enter or select the following details to create a launch template for auto scaling groups in AWS.

Parameters | Description | Reference | Mandatory field

Launch Template contents
  Application and OS Images (Amazon Machine Image) | Select the AMI of the GigaVUE V Series Node. | Create a launch template for an Auto Scaling group | Yes
  Instance type | Select t3a.xlarge as the instance type. | Create a launch template for an Auto Scaling group | Yes
  Key pair name | Select a Key pair for the instance. | Create a launch template for an Auto Scaling group | Yes

Network Settings
  Device Index | Add 2 Network Interfaces for the GigaVUE V Series Node with device index as 0 and 1 (mgmt and data interface respectively) and for the interfaces, | Create a launch template for an Auto Scaling group | Yes
  Firewall (security groups) | Keep this blank and configure one or more security groups as part of the network interface. | Create a launch template for an Auto Scaling group | Yes

Advanced Settings
  Advanced details | Enter the User data as text in the format shown below and deploy the instance. The GigaVUE V Series Node uses this user data to generate the configuration file (/etc/gigamon-cloud.conf) used to register with GigaVUE‑FM through Third Party Orchestration. | Create a launch template using advanced settings | Yes

User data format for the Advanced details field:

#cloud-config
write_files:
- path: /etc/gigamon-cloud.conf
  owner: root:root
  permissions: '0644'
  content: |
    Registration:
      groupName: <Monitoring Domain Name>
      subGroupName: <VPC Name>
      token: <Token>
      remoteIP: <IP address of the GigaVUE-FM>
      remotePort: 443

Create an Auto Scaling group using a Launch Template

Enter or select the following details to create an auto scaling group and launch the fabric components using the launch template in AWS.

Parameters | Description | Reference | Mandatory field

Configure group size and scaling policies
  Group Size | Enter the Desired capacity as 0. Ensure that the Desired capacity value is less than the Maximum capacity value. Note: Once the Monitoring Domain and connection are configured, edit this value to the number of GigaVUE V Series Nodes that you need to deploy in this Monitoring Domain. | Creating an Auto Scaling group using a launch template | Yes
  Automatic Scaling | Select Target tracking scaling policy and enter the following details to define a policy: Metric Type: 1000000000 (bytes); Instance warmup: 300 seconds. | Create a target tracking scaling policy | Yes

Add tag
  Tag | Provide a tag key and value for each tag: Tag key - GigamonNode; Value - VSeriesNode. | Tag Auto Scaling groups and instances | Yes

In the Instances page, you can view the GigaVUE V Series Node instance that the load balancer deployed.
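The four tables above pin specific values (IP targets on UDP 4789, TCP health checks on 8889 every 10 seconds, an internal NLB with a UDP 4789 listener, and a cloud-config in the launch template) that drift easily once several people touch the account. The following is an added example, not Gigamon's code and not part of this page, that audits those settings from the output of the AWS describe calls. It assumes the field names of the elbv2 `describe-target-groups`, `describe-load-balancers` and `describe-listeners` responses (`Protocol`, `Port`, `TargetType`, `HealthCheckPort`, `Scheme`, `Type`) and that launch-template `UserData` is base64; the sample records are constructed for the example, with a drifted health-check interval and an unfilled `<Token>` placeholder left in the user data.

```python
import base64
import re

# Documented values from the target group, load balancer and listener tables on this page.
# Field names follow the elbv2 describe-* response shape (assumption of this example).
EXPECTED_TG = {
    "TargetType": "ip",
    "Protocol": "UDP",
    "Port": 4789,
    "HealthCheckProtocol": "TCP",
    "HealthCheckPort": "8889",          # describe output reports the port as a string
    "HealthCheckIntervalSeconds": 10,
}
EXPECTED_LB = {"Type": "network", "Scheme": "internal"}
PLACEHOLDER = re.compile(r"<[^<>\n]+>")   # template placeholders such as <Token>


def audit_target_group(tg):
    """Return one finding per field that differs from the documented target-group value."""
    name = tg.get("TargetGroupName", "?")
    findings = []
    for key, want in EXPECTED_TG.items():
        got = tg.get(key)
        if str(got) != str(want):       # tolerate int/str differences between APIs
            findings.append(f"target group {name}: {key} is {got!r}, expected {want!r}")
    return findings


def audit_load_balancer(lb, listeners):
    """Check scheme and type of the NLB and that a UDP 4789 listener exists."""
    name = lb.get("LoadBalancerName", "?")
    findings = []
    for key, want in EXPECTED_LB.items():
        if lb.get(key) != want:
            findings.append(f"load balancer {name}: {key} is {lb.get(key)!r}, expected {want!r}")
    if not any(l.get("Protocol") == "UDP" and l.get("Port") == 4789 for l in listeners):
        findings.append(f"load balancer {name}: no UDP listener on port 4789")
    return findings


def audit_user_data(user_data_b64):
    """Decode launch-template user data and check the cloud-config registration block."""
    text = base64.b64decode(user_data_b64).decode("utf-8", errors="replace")
    findings = []
    if not text.lstrip().startswith("#cloud-config"):
        findings.append("user data does not start with #cloud-config")
    if "/etc/gigamon-cloud.conf" not in text:
        findings.append("user data does not write /etc/gigamon-cloud.conf")
    for field in ("groupName", "subGroupName", "token", "remoteIP", "remotePort"):
        if not re.search(rf"^\s*{field}:\s*\S", text, re.MULTILINE):
            findings.append(f"registration field {field} is missing or empty")
    left = sorted(set(PLACEHOLDER.findall(text)))
    if left:
        findings.append("unfilled placeholders left in user data: " + ", ".join(left))
    if not re.search(r"^\s*remotePort:\s*443\s*$", text, re.MULTILINE):
        findings.append("remotePort is not 443")
    return findings


def audit_all(tg, lb, listeners, user_data_b64):
    return audit_target_group(tg) + audit_load_balancer(lb, listeners) + audit_user_data(user_data_b64)


# Constructed sample records (not real AWS output).
SAMPLE_TARGET_GROUP = {
    "TargetGroupName": "vseries-tg", "TargetType": "ip", "Protocol": "UDP", "Port": 4789,
    "HealthCheckProtocol": "TCP", "HealthCheckPort": "8889",
    "HealthCheckIntervalSeconds": 30,   # drifted from the documented 10 seconds
}
SAMPLE_LB = {"LoadBalancerName": "vseries-nlb", "Type": "network", "Scheme": "internal"}
SAMPLE_LISTENERS = [{"Protocol": "UDP", "Port": 4789}]
SAMPLE_USER_DATA = base64.b64encode(b"""#cloud-config
write_files:
- path: /etc/gigamon-cloud.conf
  owner: root:root
  permissions: '0644'
  content: |
    Registration:
      groupName: aws-md-1
      subGroupName: vpc-east
      token: <Token>
      remoteIP: 10.0.0.10
      remotePort: 443
""").decode()

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_TARGET_GROUP, SAMPLE_LB, SAMPLE_LISTENERS, SAMPLE_USER_DATA):
        print("FINDING:", finding)
```

Feed it the records from `aws elbv2 describe-target-groups`, `describe-load-balancers`, `describe-listeners` and the `UserData` of the current launch-template version; the two findings on the sample (interval 30 instead of 10, and a `<Token>` placeholder that would leave every node unable to register) are the kind of drift that otherwise only shows up as V Series Nodes never appearing in the Monitoring Domain. Because the registration token is embedded in user data, anyone with read access to the launch template can read it, which is a reason to scope the token's user group to Third Party Orchestration only, as the role section above describes.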

Deploy Visibility Fabric with Network Load Balancer

You can deploy GigaVUE V Series Node across the AWS accounts with Network Load Balancer in GigaVUE‑FM.

To deploy:

  1. Go to Inventory > VIRTUAL > AWS, and select Monitoring Domain.
  2. On the Monitoring Domain page, select New. The Monitoring Domain Configuration page appears.
  3. Select Check Permissions and validate whether you have the required permissions.
  4. In the Monitoring Domain field, enter an alias used to identify the Monitoring Domain.
  5. In the Traffic Acquisition Method drop-down list, select VPC Traffic Mirroring or Customer Orchestrated Source as the Traffic Acquisition method. For details, refer to Create a Monitoring Domain.
  6. Enter the Monitoring Domain name and the Connection name as mentioned in the user data provided during the template launch in AWS. For details, refer to Configure Network Load Balancer in AWS.
  7. For the Use Load Balancer field, select Yes.
  8. For the Use FM to Launch Fabric option, select No. This allows you to deploy the fabric components using Third Party Orchestration.
  9. Select Save. The Monitoring Domain is created successfully.
  10. In the AWS Fabric Launch Configuration page, perform the following for the load balancer:
     • Select the VPC from the drop-down list.
     • Select the Load Balancer configured in AWS.
     • Select the Auto Scaling Group configured in AWS.
  11. Select Save to save the configuration.

Once the Monitoring Domain is successfully configured, edit the Desired capacity value for the Auto Scaling Group in AWS. For details, refer to the Create an Auto Scaling group using a launch template section in AWS.

Configure and Deploy Monitoring Session

In GigaVUE-FM, you must do the following to configure and deploy the Monitoring Session. Refer to Configure Monitoring Session section for more details.

  1. Access the Monitoring Session page:
     a. In GigaVUE-FM, go to Traffic > Virtual > Orchestrated Flows > AWS.
     b. After creating a new Monitoring Session, or on an existing Monitoring Session, navigate to the TRAFFIC PROCESSING tab. The GigaVUE-FM Monitoring Session canvas page appears.
  2. Add components to the canvas:
     a. Drag and drop the required components to the canvas.
     b. From the Applications expand menu, drag and drop the required applications to the graphical workspace.
  3. Deploy the Monitoring Session:
     a. From the Actions menu, select Deploy.
     b. After successful deployment on all the V Series Nodes, the status appears as Success on the Monitoring Sessions Sources tab.

What to do Next

You can view the detailed statistics of an individual traffic processing element in the TRAFFIC PROCESSING tab. For more details, refer to View Monitoring Session Statistics (AWS).