Prerequisites

Refer to the following topics for details:

AWS Security Credentials

When you first connect GigaVUE-FM with AWS, you need the security credentials for AWS to verify your identity and check if you have permission to access the resources that you are requesting. AWS uses the security credentials to authenticate and authorize your requests.

You need one of the following security credentials:

  • Identity and Access Management (IAM) role—If GigaVUE-FM is running inside AWS, it is highly recommended to use an IAM role because it can securely make API requests from the instances. Create an IAM role and ensure that the permissions and policies listed in AMI and Permissions are associated to the role.
  • Access Keys—If GigaVUE-FM is configured in the enterprise data center, then you need to use the access keys or basic credentials to connect to the VPC. Basic credentials allow full access to all the resources in your AWS account.An access key consists of an access key ID and a secret access key. For detailed instructions on creating access keys, refer to the AWS documentation on Managing Access Keys for Your AWS Account.

    Note:  To obtain the IAM role or access keys, contact your AWS administrator.

You cannot launch the GigaVUE-FM instance from the EC2 dashboard without having one of these security credentials. If you are launching the GigaVUE-FM instance from the AWS Marketplace, you need to have only the IAM roles.

IMPORTANT:

  • Always run GigaVUE-FM inside AWS to manage your AWS workloads.
  • Always attach an IAM role to the instance running GigaVUE-FM in AWS to connect it to your AWS account.
  • Do NOT use access keys and secret keys to connect GigaVUE-FM to AWS. This requires GigaVUE-FM to store these keys and is NOT recommended.
  • Well architected guidelines highly recommend the use of IAM roles.

Note:  Running GigaVUE-FM outside of AWS requires the credentials to be stored internally. Although GigaVUE-FM encrypts access keys and secret access keys within its database, it is not recommended to connect to AWS from a GigaVUE-FM instance outside of AWS.

Amazon VPC

You must have a Amazon Virtual Private Cloud (VPC) to launch GigaVUE components into your virtual network.

Note:  To create a VPC, refer to Create a VPC topic in the AWS Documentation.

Your VPC must have the following elements to configure the GigaVUE Cloud Suite for AWS components:

Subnet for VPC

To create a subnet for your VPC, refer to Create a subnet in your VPC topic in the AWS Documentation.

Internet Gateway

To create and attach an internet gateway to your VPC, refer to Create and attach an internet gateway topic in the AWS Documentation.

Route Table

To create a route table for your VPC, refer to Create a custom route table topic in the AWS Documentation.

Security Group

A security group defines the virtual firewall rules for your instance to control inbound and outbound traffic. When you launch GigaVUE‑FM, GigaVUE V Series Controllers, GigaVUE V Series nodes, and G-vTAP Controllers in your project, you add rules that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic.

To create a security group, refer to Create a security group topic in the AWS Documentation.

It is recommended to create a separate security group for each component using the rules and port numbers listed in the following table.

Direction

Type

Protocol

Port Range

Source and

CIDR, IP, or Security Group

Purpose

GigaVUE-FM Inside AWS

Inbound

HTTPS

TCP(6)

443

Anywhere

Any IP

Allows G-vTAP Controllers, GigaVUE V Series Controllers, and GigaVUE-FM administrators to communicate with GigaVUE-FM

G-vTAP Controller

Inbound

Custom TCP Rule

TCP

9900

Custom

GigaVUE-FM IP

Allows GigaVUE-FM to communicate with G-vTAP Controllers

 

 

 

G-vTAP Agent

Inbound

Custom TCP Rule

TCP

9901

Custom

G-vTAP Controller IP

Allows G-vTAP Controllers to communicate with G-vTAP Agents

GigaVUE V Series Controller

Inbound

Custom TCP Rule

TCP

9902

Custom

GigaVUE-FM IP

Allows GigaVUE-FM  to communicate with GigaVUE V Series Controllers

GigaVUE V Series 1 node

Inbound

Custom TCP Rule

TCP

9903

Custom

GigaVUE V Series Controller IP

Allows GigaVUE V Series Controllers to communicate with GigaVUE V Series nodes

VXLAN Traffic

Inbound

Custom UDP Rule

VXLAN

4789

 

Allows mirrored traffic from G-vTAP Agents to be sent to GigaVUE V Series nodes using VXLAN tunnel

Allows monitored traffic to be sent from GigaVUE V Series nodes to the tools using VXLAN tunnel

Key Pair

A key pair consists of a public key and a private key. You must create a key pair and specify the name of this key pair when you define the specifications for the G-vTAP Controllers, GigaVUE V Series nodes, and GigaVUE V Series Controllers in your VPC.

To create a key pair, refer to Create a key pair using Amazon EC2 topic in the AWS Documentation.

You can download the private key (.pem) file for reference.

ENI for Amazon EC2

For G-vTAP Agents to mirror the traffic from the instances, you must configure one or more Elastic Network Interfaces (ENIs) on the Amazon EC2 instances.

  • Single ENI—If there is only one interface configured on the EC2 instance with the G-vTAP Agent, the G-vTAP Agent sends the mirrored traffic out using the same interface.
  • Multiple ENIs—If there are two or more interfaces configured on the EC2 instance with the G-vTAP Agent, the G-vTAP Agent monitors any number of interfaces but has an option to send the mirrored traffic out using any one of the interfaces or using a separate, non-monitored interface.

Refer to Elastic network interfaces and Create a network interface topics in the AWS Documentation for detailed information.