Prerequisites

To enable the flow of traffic between the components and the monitoring tools, your must create the following requirements:

■   Resource Group
■   Virtual Network
■   Subnets for VNet
■   Network Interfaces (NICs) for VMs
■   Network Security Groups

Resource Group

The resource group is a container that holds all the resources for a solution.

To create a resource group in Azure, refer to Create a resource group topic in the Azure Documentation.

Virtual Network

Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the internet, and on-premises networks.

To create a virtual network in Azure, refer to Create a virtual network topic in the Azure Documentation.

Subnets for VNet

The following table lists the two recommended subnets that your VNet must have to configure the GigaVUE Cloud components in Azure.

You can add subnets when creating a VNet or add subnets on an existing VNet. Refer to Add a subnet topic in the Azure Documentation for detailed information.

Subnet

Description

Management Subnet

Subnet that the GigaVUE-FM uses to communicate with the GigaVUE V Series nodes and controllers.

Data Subnet

A data subnet can accept incoming mirrored traffic from agents to the GigaVUE V Series nodes or be used to egress traffic to a tool from the GigaVUE V Series nodes.

■   Ingress is VXLAN from agents
■   Egress is either VXLAN tunnel to tools or to GigaVUE H Series tunnel port, or raw packets through a NAT when using NetFlow.

Note:  If you are using a single subnet, then the Management subnet will also be used as a Data Subnet.

Network Interfaces (NICs) for VMs

For G-vTAP Agents to mirror the traffic from the VMs, you must configure one or more Network Interfaces (NICs) on the VMs.

■   Single NIC—If there is only one interface configured on the VM with the G-vTAP Agent, the G-vTAP Agent sends the mirrored traffic out using the same interface.
■   Multiple NICs—If there are two or more interfaces configured on the VM with the G-vTAP Agent, the G-vTAP Agent monitors any number of interfaces but has an option to send the mirrored traffic out using any one of the interfaces or using a separate, non-monitored interface.

Network Security Groups

A network security group defines the virtual firewall rules for your VM to control inbound and outbound traffic. When you launch GigaVUE-FM, GigaVUE V Series Controllers, GigaVUE V Series nodes, and G-vTAP Controllers in your VNet, you add rules that control the inbound traffic to VMs, and a separate set of rules that control the outbound traffic.

To create a network security group and add in Azure, refer to Create a network security group topic in the Azure Documentation.

It is recommended to create a separate security group for each component using the rules and port numbers.

In your Azure portal, select a network security group from the list. In the Settings section select the Inbound and Outbound security rules to the following rules.

Network Security Groups for V Series 2 Node

Following are the Network Firewall Requirements for V Series 2 configuration.

Direction

Type

Protocol

Port

Source/Destination

Purpose

GigaVUE‑FM

Inbound

HTTPS
SSH

TCP

443
22

Administrator Subnet

Management connection to GigaVUE‑FM

Outbound

Custom TCP Rule
ICMP (optional)

TCP(6)

9900

GigaVUE‑FM IP

Allows G-vTAP Controller to communicate with GigaVUE‑FM

Outbound (optional)

Custom TCP Rule

TCP

8890

V Series Proxy IP

Allows GigaVUE‑FM to communicate with V Series Proxy

Outbound

(configuration without V Series Proxy)

Custom TCP Rule

TCP

8889

V Series 2 Node IP

Allows GigaVUE‑FM to communicate with V Series node

G-vTAP Controller

Inbound

Custom TCP Rule

TCP(6)

9900

GigaVUE‑FM IP

Allows G-vTAP Controller to communicate with GigaVUE‑FM

Outbound

Custom TCP Rule

TCP(6)

9901

G-vTAP Controller IP

Allows G-vTAP Controller to communicate with G-vTAP Agents

G-vTAP Agent

Inbound

Custom TCP Rule

TCP(6)

9901

G-vTAP Controller IP

Allows G-vTAP Agents to communicate with G-vTAP Controller

Outbound

UDP

UDP (VXLAN)

VXLAN (default 4789)

G-vTAP Agent or Subnet IP

Allows G-vTAP Agents to VXLAN tunnel traffic to V Series nodes

V Series Proxy (optional)

Inbound

Custom TCP Rule

TCP

8890

GigaVUE‑FM IP

Allows GigaVUE‑FM  to communicate with V Series Proxy

Outbound

Custom TCP Rule

TCP

8889

V Series 2 node IP

Allows V Series Proxy to communicate with V Series node

V Series 2 node

Inbound

Custom TCP Rule

TCP

8889

GigaVUE-FM IP
V Series Proxy IP

Allows V Series Proxy or GigaVUE-FM to communicate with V Series node

Inbound

UDP

UDP (VXLAN)

VXLAN (default 4789)

G-vTAP Agent or Subnet IP

Allows G-vTAP Agents to (VXLAN) tunnel traffic to V Series nodes

Outbound

Custom UDP Rule

UDP (VXLAN)

VXLAN (default 4789)

Tool IP

Allows V Series node to communicate and tunnel traffic to the Tool

Outbound (optional)

ICMP

ICMP

echo request
echo reply

Tool IP

Allows V Series node to health check tunnel destination traffic

Network Security Groups for V Series 1 Node

Following are the Network Firewall Requirements for V Series 1 configuration.

Direction

 

Protocol

Port Range

Source and

CIDR, IP, or Security Group

Purpose

GigaVUE-FM Inside Azure

Inbound

HTTPS

TCP(6)

443

Anywhere

Any IP

Allows G-vTAP Controllers, GigaVUE V Series Controllers, and GigaVUE-FM administrators to communicate with GigaVUE-FM

G-vTAP Controller

Inbound

Custom TCP Rule

TCP

9900

Custom

GigaVUE-FM IP

Allows GigaVUE-FM to communicate with G-vTAP Controllers

 

 

 

G-vTAP Agent

Inbound

Custom TCP Rule

TCP

9901

Custom

G-vTAP Controller IP

Allows G-vTAP Controllers to communicate with G-vTAP Agents

GigaVUE V Series Controller

Inbound

Custom TCP Rule

TCP

9902

Custom

GigaVUE-FM IP

Allows GigaVUE-FM  to communicate with GigaVUE V Series Controllers

GigaVUE V Series 1 node

Inbound

Custom TCP Rule

TCP

9903

Custom

GigaVUE V Series Controller IP

Allows GigaVUE V Series Controllers to communicate with GigaVUE V Series nodes

VXLAN Traffic

Inbound

Custom UDP Rule

VXLAN

4789

 

Allows mirrored traffic from G-vTAP Agents to be sent to GigaVUE V Series nodes using VXLAN tunnel

Allows monitored traffic to be sent from GigaVUE V Series nodes to the tools using VXLAN tunnel

Access control (IAM)

You must have full resource access to the control the GigaVUE cloud components. Refer to Check access for a user topic in the Azure Documentation for more details.

To add a role assignment, refer to Steps to assign an Azure role.