Prerequisites
To enable traffic to flow between the GigaVUE Cloud components and the monitoring tools, you must create the following resources in Azure:
Resource Group
Virtual Network
Subnets for VNet
Network Interfaces (NICs) for VMs
Network Security Groups
Resource Group
The resource group is a container that holds all the resources for a solution.
To create a resource group in Azure, refer to Create a resource group topic in the Azure Documentation.
Virtual Network
Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the internet, and on-premises networks.
To create a virtual network in Azure, refer to Create a virtual network topic in the Azure Documentation.
Subnets for VNet
The following table lists the two subnets recommended for configuring the GigaVUE Cloud components in Azure. A single subnet also works; in that case the management subnet carries the data traffic as well.
You can add subnets when creating a VNet or add subnets to an existing VNet. Refer to the Add a subnet topic in the Azure Documentation for detailed information.

Subnet | Description
Management Subnet | Subnet that GigaVUE-FM uses to communicate with the GigaVUE V Series nodes and controllers.
Data Subnet | Subnet that accepts incoming mirrored traffic from G-vTAP Agents to the GigaVUE V Series nodes, or that the GigaVUE V Series nodes use to egress traffic to a tool.

Note: If you are using a single subnet, the Management Subnet is also used as the Data Subnet.
Network Interfaces (NICs) for VMs
For G-vTAP Agents to mirror the traffic from the VMs, you must configure one or more Network Interfaces (NICs) on the VMs.
Single NIC: If only one interface is configured on the VM with the G-vTAP Agent, the G-vTAP Agent sends the mirrored traffic out using that same interface.
Multiple NICs: If two or more interfaces are configured on the VM with the G-vTAP Agent, the G-vTAP Agent can monitor any number of them and can send the mirrored traffic out using any one of the monitored interfaces or a separate, non-monitored interface.
Network Security Groups
A network security group (NSG) defines the virtual firewall rules for your VM that control inbound and outbound traffic. When you launch GigaVUE-FM, GigaVUE V Series Controllers, GigaVUE V Series nodes, and G-vTAP Controllers in your VNet, you add one set of rules that controls the inbound traffic to the VMs and a separate set that controls the outbound traffic.
To create a network security group in Azure, refer to the Create a network security group topic in the Azure Documentation.
Create a separate network security group for each component, using the rules and port numbers listed below, and restrict each rule's source or destination to the specific IP address or subnet shown rather than Any. Note that the default Azure NSG rules already allow all traffic between VMs in the same VNet (AllowVnetInBound and AllowVnetOutBound at priority 65000); the Allow rules below only limit intra-VNet traffic if you also add explicit Deny rules at a lower priority number than those defaults.
In the Azure portal, select the network security group from the list. Under Settings, select Inbound security rules or Outbound security rules and add the rules from the tables below.
Network Security Groups for V Series 2 Node
Following are the network firewall requirements for a V Series 2 configuration. The Source/Destination column is the source for Inbound rules and the destination for Outbound rules. TCP is IP protocol 6. Cells left blank are not specified on this page.

Direction | Type | Protocol | Port | Source/Destination | Purpose

GigaVUE-FM
Inbound | | TCP | | Administrator Subnet | Management connection to GigaVUE-FM
Outbound | | TCP | 9900 | G-vTAP Controller IP | Allows GigaVUE-FM to communicate with the G-vTAP Controller
Outbound (optional) | Custom TCP Rule | TCP | 8890 | V Series Proxy IP | Allows GigaVUE-FM to communicate with the V Series Proxy
Outbound (configuration without V Series Proxy) | Custom TCP Rule | TCP | 8889 | V Series 2 Node IP | Allows GigaVUE-FM to communicate with the V Series node

G-vTAP Controller
Inbound | Custom TCP Rule | TCP | 9900 | GigaVUE-FM IP | Allows GigaVUE-FM to communicate with the G-vTAP Controller
Outbound | Custom TCP Rule | TCP | 9901 | G-vTAP Agent IP | Allows the G-vTAP Controller to communicate with G-vTAP Agents

G-vTAP Agent
Inbound | Custom TCP Rule | TCP | 9901 | G-vTAP Controller IP | Allows the G-vTAP Controller to communicate with G-vTAP Agents
Outbound | Custom UDP Rule | UDP (VXLAN) | VXLAN (default 4789) | V Series 2 Node IP or data subnet | Allows G-vTAP Agents to tunnel mirrored traffic to V Series nodes over VXLAN

V Series Proxy (optional)
Inbound | Custom TCP Rule | TCP | 8890 | GigaVUE-FM IP | Allows GigaVUE-FM to communicate with the V Series Proxy
Outbound | Custom TCP Rule | TCP | 8889 | V Series 2 Node IP | Allows the V Series Proxy to communicate with the V Series node

V Series 2 Node
Inbound | Custom TCP Rule | TCP | 8889 | | Allows the V Series Proxy or GigaVUE-FM to communicate with the V Series node
Inbound | Custom UDP Rule | UDP (VXLAN) | VXLAN (default 4789) | G-vTAP Agent IP or subnet | Allows G-vTAP Agents to tunnel mirrored traffic to V Series nodes over VXLAN
Outbound | Custom UDP Rule | UDP (VXLAN) | VXLAN (default 4789) | Tool IP | Allows the V Series node to tunnel traffic to the tool
Outbound (optional) | ICMP | ICMP | | Tool IP | Allows the V Series node to health-check the tunnel destination
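The script below is an added example, not part of the Gigamon documentation or tooling. It turns the V Series 2 table above, together with the management/data subnet layout from the Subnets section, into an Azure CLI script: one resource group and VNet, one NSG per component, one Allow rule per table row, and an explicit Deny for all other inbound traffic from the VNet so that the default AllowVnetInBound rule does not quietly permit everything else. All resource names, CIDRs and addresses are placeholder assumptions, and the administrator port 443 is assumed because the table leaves that cell blank (the V Series 1 table lists HTTPS/443 for the same purpose).

```python
"""Generate an Azure CLI bootstrap script from the V Series 2 NSG table.

Added example, not Gigamon tooling. Every name, CIDR and address below is a
placeholder assumption; review the printed script before running it.
"""
from collections import defaultdict

# ---- assumptions: replace with your own values ----
RG = "gigavue-rg"
LOCATION = "eastus"
VNET = "gigavue-vnet"
VNET_PREFIX = "10.10.0.0/16"
MGMT_SUBNET = "10.10.0.0/24"      # management subnet (GigaVUE-FM, controllers, proxy)
DATA_SUBNET = "10.10.1.0/24"      # data subnet (V Series nodes)
ADMIN_SUBNET = "10.0.0.0/24"      # where GigaVUE-FM administrators connect from
AGENT_PREFIX = "10.10.2.0/24"     # subnet holding the monitored VMs (G-vTAP Agents)
FM_IP, GVTAP_CTL_IP, PROXY_IP = "10.10.0.10", "10.10.0.11", "10.10.0.12"
NODE_IP, TOOL_IP = "10.10.1.10", "10.20.0.5"
# The table leaves the administrator-to-GigaVUE-FM port blank; 443 is assumed
# here because the V Series 1 table lists HTTPS/443 for the same purpose.
FM_ADMIN_PORT = "443"
VXLAN_PORT = "4789"               # page default; change if you use another port

# (nsg, direction, protocol, destination port, peer prefixes, description)
# Peer is the source for Inbound rules and the destination for Outbound rules.
RULES = [
    ("nsg-gigavue-fm", "Inbound",  "Tcp", FM_ADMIN_PORT, (ADMIN_SUBNET,), "Management connection to GigaVUE-FM"),
    ("nsg-gigavue-fm", "Outbound", "Tcp", "9900", (GVTAP_CTL_IP,), "GigaVUE-FM to G-vTAP Controller"),
    ("nsg-gigavue-fm", "Outbound", "Tcp", "8890", (PROXY_IP,), "GigaVUE-FM to V Series Proxy (optional)"),
    ("nsg-gigavue-fm", "Outbound", "Tcp", "8889", (NODE_IP,), "GigaVUE-FM to V Series node (no proxy)"),
    ("nsg-gvtap-controller", "Inbound",  "Tcp", "9900", (FM_IP,), "GigaVUE-FM to G-vTAP Controller"),
    ("nsg-gvtap-controller", "Outbound", "Tcp", "9901", (AGENT_PREFIX,), "G-vTAP Controller to G-vTAP Agents"),
    ("nsg-gvtap-agent", "Inbound",  "Tcp", "9901", (GVTAP_CTL_IP,), "G-vTAP Controller to G-vTAP Agent"),
    ("nsg-gvtap-agent", "Outbound", "Udp", VXLAN_PORT, (NODE_IP,), "VXLAN mirrored traffic to V Series node"),
    ("nsg-vseries-proxy", "Inbound",  "Tcp", "8890", (FM_IP,), "GigaVUE-FM to V Series Proxy"),
    ("nsg-vseries-proxy", "Outbound", "Tcp", "8889", (NODE_IP,), "V Series Proxy to V Series node"),
    ("nsg-vseries-node", "Inbound",  "Tcp", "8889", (PROXY_IP, FM_IP), "V Series Proxy or GigaVUE-FM to V Series node"),
    ("nsg-vseries-node", "Inbound",  "Udp", VXLAN_PORT, (AGENT_PREFIX,), "VXLAN from G-vTAP Agents"),
    ("nsg-vseries-node", "Outbound", "Udp", VXLAN_PORT, (TOOL_IP,), "VXLAN to tool"),
    ("nsg-vseries-node", "Outbound", "Icmp", "*", (TOOL_IP,), "Tunnel destination health check (optional)"),
]


def nsg_names():
    """Component NSGs in table order, without duplicates."""
    return list(dict.fromkeys(rule[0] for rule in RULES))


def _quote(prefixes):
    # Quote each prefix so a bare '*' is not expanded by the shell
    return " ".join(f"'{p}'" for p in prefixes)


def rule_create(nsg, name, priority, direction, access, protocol, port, src, dst, description):
    """One `az network nsg rule create` line; src/dst are address-prefix tuples."""
    return (
        f"az network nsg rule create --resource-group $RG --nsg-name {nsg} --name {name} "
        f"--priority {priority} --direction {direction} --access {access} --protocol '{protocol}' "
        f"--source-address-prefixes {_quote(src)} --source-port-ranges '*' "
        f"--destination-address-prefixes {_quote(dst)} --destination-port-ranges '{port}' "
        f"--description '{description}'"
    )


def build_script(strict_intra_vnet=True):
    """Return the full CLI script as a string.

    With strict_intra_vnet=True each NSG also gets a Deny rule at priority 4000
    for inbound traffic from the VirtualNetwork tag. Without it, Azure's default
    AllowVnetInBound rule (priority 65000) still admits every other port from
    any VM in the VNet, so the Allow rules above would restrict nothing.
    """
    lines = ["#!/bin/sh", "set -eu", f"RG={RG}",
             f"az group create --name $RG --location {LOCATION}",
             f"az network vnet create --resource-group $RG --name {VNET} --location {LOCATION} "
             f"--address-prefix {VNET_PREFIX} --subnet-name management --subnet-prefix {MGMT_SUBNET}",
             f"az network vnet subnet create --resource-group $RG --vnet-name {VNET} --name data --address-prefix {DATA_SUBNET}"]
    for nsg in nsg_names():
        lines.append(f"az network nsg create --resource-group $RG --name {nsg} --location {LOCATION}")
    priority = defaultdict(lambda: 100)          # 100, 110, 120 ... per NSG
    for nsg, direction, protocol, port, peers, description in RULES:
        src, dst = (peers, ("*",)) if direction == "Inbound" else (("*",), peers)
        name = f"{direction}-{protocol}-{port}".lower().replace("*", "any")
        lines.append(rule_create(nsg, name, priority[nsg], direction, "Allow", protocol, port, src, dst, description))
        priority[nsg] += 10
    if strict_intra_vnet:
        for nsg in nsg_names():
            lines.append(rule_create(nsg, "deny-vnet-inbound", 4000, "Inbound", "Deny", "*", "*",
                                     ("VirtualNetwork",), ("*",), "Override default AllowVnetInBound"))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_script(), end="")
```

Pipe the output into a file, read it, then run it with an account that has write access to the resource group. The script only creates the NSGs; attach each one to the matching component's NIC afterwards (for example with `az network nic update --network-security-group`). The `deny-vnet-inbound` rule also blocks administrative SSH from inside the VNet, so add a narrow Allow for that from the administrator subnet if you need it.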
Network Security Groups for V Series 1 Node
Following are the network firewall requirements for a V Series 1 configuration. The Source column gives the IP, CIDR, or security group to allow; in the Azure portal these use source type Custom unless noted.

Direction | Type | Protocol | Port | Source | Purpose

GigaVUE-FM inside Azure
Inbound | HTTPS | TCP | 443 | Any IP | Allows G-vTAP Controllers, GigaVUE V Series Controllers, and GigaVUE-FM administrators to communicate with GigaVUE-FM

G-vTAP Controller
Inbound | Custom TCP Rule | TCP | 9900 | GigaVUE-FM IP | Allows GigaVUE-FM to communicate with G-vTAP Controllers

G-vTAP Agent
Inbound | Custom TCP Rule | TCP | 9901 | G-vTAP Controller IP | Allows G-vTAP Controllers to communicate with G-vTAP Agents

GigaVUE V Series Controller
Inbound | Custom TCP Rule | TCP | 9902 | GigaVUE-FM IP | Allows GigaVUE-FM to communicate with GigaVUE V Series Controllers

GigaVUE V Series 1 node
Inbound | Custom TCP Rule | TCP | 9903 | GigaVUE V Series Controller IP | Allows GigaVUE V Series Controllers to communicate with GigaVUE V Series nodes

VXLAN traffic
Inbound | Custom UDP Rule | UDP (VXLAN) | 4789 | G-vTAP Agent IP | Allows mirrored traffic from G-vTAP Agents to be sent to GigaVUE V Series nodes over a VXLAN tunnel
Outbound | Custom UDP Rule | UDP (VXLAN) | 4789 | Tool IP | Allows monitored traffic to be sent from GigaVUE V Series nodes to the tools over a VXLAN tunnel

The 443 rule for GigaVUE-FM is listed with an Any source because it must admit the G-vTAP Controllers, the GigaVUE V Series Controllers, and administrators. Where those addresses are known, restrict the source to the controller IPs and the administrator subnet rather than leaving the management interface reachable from the internet.
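A complementary check, added here as an example rather than Gigamon tooling: given an NSG export in the shape returned by `az network nsg show -o json`, it evaluates the V Series 1 inbound requirements in Azure priority order and reports each required port as satisfied, missing, shadowed by an earlier Deny, or allowed from an overly broad source such as Internet or Any. The two exports embedded below are constructed for this example (rule names and addresses are assumptions); only the `securityRules` field layout is taken from the real CLI output.

```python
"""Check an exported Azure NSG against the V Series 1 inbound rule table.

Added example, not Gigamon tooling. The sample exports at the bottom are
constructed for illustration in the shape `az network nsg show -o json` returns.
"""
import json

# Required inbound allow rules per component, from the V Series 1 table
REQUIRED_INBOUND = {
    "GigaVUE-FM": [("Tcp", 443)],
    "G-vTAP Controller": [("Tcp", 9900)],
    "G-vTAP Agent": [("Tcp", 9901)],
    "GigaVUE V Series Controller": [("Tcp", 9902)],
    "GigaVUE V Series 1 node": [("Tcp", 9903), ("Udp", 4789)],
}

# Source prefixes that mean "any address"; worth a review finding on every
# management port, since each peer in the table has a known address
BROAD_SOURCES = {"*", "Internet", "0.0.0.0/0"}


def _port_ranges(rule):
    """Yield (low, high) destination port ranges covered by an NSG rule."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    for r in ranges:
        if r == "*":
            yield 0, 65535
        elif "-" in r:
            lo, hi = r.split("-", 1)
            yield int(lo), int(hi)
        else:
            yield int(r), int(r)


def _sources(rule):
    return rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]


def _covers(rule, protocol, port):
    """True if an Inbound rule matches this protocol and destination port."""
    if rule.get("direction") != "Inbound":
        return False
    proto = rule.get("protocol", "*")
    if proto != "*" and proto.lower() != protocol.lower():
        return False
    return any(lo <= port <= hi for lo, hi in _port_ranges(rule))


def check_nsg(nsg, component):
    """Evaluate an NSG export (dict) against the table rows for `component`.

    Returns {'ok': [...], 'missing': [...], 'shadowed': [...], 'broad': [...]}.
    Rules are walked lowest priority number first, as Azure evaluates them.
    Source prefixes are not intersected, so a lower-numbered Deny on the same
    port is reported as shadowing even if its source is narrower than the
    Allow's; treat that finding as something to inspect by hand.
    """
    findings = {"ok": [], "missing": [], "shadowed": [], "broad": []}
    rules = sorted(nsg.get("securityRules", []), key=lambda r: r["priority"])
    for protocol, port in REQUIRED_INBOUND[component]:
        label = f"{protocol}/{port}"
        hit = next((r for r in rules if _covers(r, protocol, port)), None)
        if hit is None:
            findings["missing"].append(label)
        elif hit["access"] != "Allow":
            findings["shadowed"].append(f"{label} denied by {hit['name']} (priority {hit['priority']})")
        else:
            findings["ok"].append(f"{label} via {hit['name']}")
            if any(s in BROAD_SOURCES for s in _sources(hit)):
                findings["broad"].append(f"{label} via {hit['name']} allows source {', '.join(_sources(hit))}")
    return findings


# Constructed sample exports (not real output); only the field names mirror the CLI
SAMPLE_NODE_NSG = {
    "name": "nsg-vseries1-node",
    "securityRules": [
        {"name": "allow-vseries-controller", "priority": 100, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "10.20.0.20",
         "destinationPortRange": "9903"},
        {"name": "deny-all-udp", "priority": 110, "direction": "Inbound",
         "access": "Deny", "protocol": "Udp", "sourceAddressPrefix": "*",
         "destinationPortRange": "*"},
        {"name": "allow-vxlan", "priority": 120, "direction": "Inbound",
         "access": "Allow", "protocol": "Udp", "sourceAddressPrefix": "10.20.1.0/24",
         "destinationPortRange": "4789"},
    ],
}
SAMPLE_FM_NSG = {
    "name": "nsg-fm",
    "securityRules": [
        {"name": "allow-https", "priority": 100, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
         "destinationPortRanges": ["443"]},
    ],
}

if __name__ == "__main__":
    for nsg, component in ((SAMPLE_NODE_NSG, "GigaVUE V Series 1 node"), (SAMPLE_FM_NSG, "GigaVUE-FM")):
        print(nsg["name"], json.dumps(check_nsg(nsg, component), indent=2))
```

Run it against a real export with `az network nsg show --resource-group <rg> --name <nsg> -o json` loaded through `json.load`. The node sample shows the ordering trap: the VXLAN Allow exists but sits behind a broader Deny, so the rule looks present in the portal while mirrored traffic is silently dropped; the FM sample flags the open 443 source from the table.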
Access control (IAM)
You must have full resource access to control the GigaVUE cloud components. To check a user's access, refer to the Check access for a user topic in the Azure Documentation.
To add a role assignment, refer to the Steps to assign an Azure role topic. Scope the assignment to the resource group that holds the GigaVUE resources rather than to the whole subscription.