Prerequisites
Refer to the following topics for details:
AWS Security Credentials
When you first connect GigaVUE-FM with AWS, you need the security credentials for AWS to verify your identity and check if you have permission to access the resources that you are requesting. AWS uses the security credentials to authenticate and authorize your requests.
You need one of the following security credentials:
- Identity and Access Management (IAM) role—If GigaVUE-FM is running inside AWS, it is highly recommended to use an IAM role because it can securely make API requests from the instances. Create an IAM role and ensure that the permissions and policies listed in Permissions are associated to the role.
- Access Keys—If GigaVUE-FM is configured in the enterprise data center, then you need to use the access keys or basic credentials to connect to the VPC. Basic credentials allow full access to all the resources in your AWS account. An access key consists of an access key ID and a secret access key. For detailed instructions on creating access keys, refer to the AWS documentation on Managing Access Keys for Your AWS Account.
Note: To obtain the IAM role or access keys, contact your AWS administrator.
You cannot launch the GigaVUE-FM instance from the EC2 dashboard without one of these security credentials. If you are launching the GigaVUE-FM instance from the AWS Marketplace, you need only an IAM role.
IMPORTANT:
- Always run GigaVUE-FM inside AWS to manage your AWS workloads.
- Always attach an IAM role to the instance running GigaVUE-FM in AWS to connect it to your AWS account.
- Do NOT use access keys and secret keys to connect GigaVUE-FM to AWS. This requires GigaVUE-FM to store these keys and is NOT recommended.
- AWS Well-Architected guidelines strongly recommend the use of IAM roles.
Note: Running GigaVUE-FM outside of AWS requires the credentials to be stored internally. Although GigaVUE-FM encrypts access keys and secret access keys within its database, it is not recommended to connect to AWS from a GigaVUE-FM instance outside of AWS.
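The guidance above comes down to two checks a practitioner can run before connecting GigaVUE-FM to an account: the instance must carry an IAM instance profile whose role trusts the EC2 service, and no static access keys should be present in the environment the software runs in. The following is an added example (not Gigamon code) that performs both checks on dicts shaped like the output of `aws ec2 describe-instances` and `aws iam get-role`; all instance IDs, ARNs and key values are constructed placeholders.

```python
"""Audit how a GigaVUE-FM EC2 instance will authenticate to AWS.

Added example, not part of the Gigamon documentation or product.
Runs offline on constructed dicts; in practice the same dicts come
from `aws ec2 describe-instances` and `aws iam get-role`.
"""
from typing import Optional

# Constructed sample: a describe-instances fragment for an instance
# that has an instance profile attached (hypothetical IDs and ARN).
INSTANCE_WITH_ROLE = {
    "InstanceId": "i-0123456789abcdef0",
    "IamInstanceProfile": {
        "Arn": "arn:aws:iam::123456789012:instance-profile/GigaVUE-FM-Role",
        "Id": "AIPAEXAMPLEID",
    },
}

# Constructed sample: the same fragment with no profile attached.
INSTANCE_WITHOUT_ROLE = {"InstanceId": "i-0fedcba9876543210"}

# Constructed sample: the AssumeRolePolicyDocument (trust policy) of the
# role behind that profile. This is the standard shape that lets EC2
# instances assume a role; the permissions policy is a separate document.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

STATIC_KEY_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_allows_ec2(policy: dict) -> bool:
    """True if some Allow statement lets the EC2 service assume the role."""
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        principal = statement.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = _as_list(statement.get("Action", []))
        if "ec2.amazonaws.com" in services and any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            return True
    return False


def audit_fm_credentials(instance: dict, env: dict, trust_policy: Optional[dict] = None) -> list:
    """Return a list of findings; an empty list means the instance follows the
    IAM-role recommendation and carries no static keys."""
    findings = []
    if not instance.get("IamInstanceProfile"):
        findings.append("no IAM instance profile attached; GigaVUE-FM would have to store access keys")
    elif trust_policy is not None and not trust_policy_allows_ec2(trust_policy):
        findings.append("role trust policy does not allow ec2.amazonaws.com to assume it")
    static = [var for var in STATIC_KEY_VARS if env.get(var)]
    if static:
        findings.append("static credentials present in environment: " + ", ".join(static))
    return findings


if __name__ == "__main__":
    print(audit_fm_credentials(INSTANCE_WITH_ROLE, {}, EC2_TRUST_POLICY))
    print(audit_fm_credentials(INSTANCE_WITHOUT_ROLE, {"AWS_ACCESS_KEY_ID": "AKIAEXAMPLE"}))
```

The trust-policy check matters because an instance profile with a role that does not trust `ec2.amazonaws.com` still leaves the instance without credentials, which tends to push operators back toward pasting access keys.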
Amazon VPC
You must have an Amazon Virtual Private Cloud (VPC) to launch GigaVUE components into your virtual network.
Note: To create a VPC, refer to the Create a VPC topic in the AWS Documentation.
Your VPC must have the following elements to configure the GigaVUE Cloud Suite for AWS components:
Subnet for VPC
To create a subnet for your VPC, refer to the Create a subnet in your VPC topic in the AWS Documentation.
Internet Gateway
To create and attach an internet gateway to your VPC, refer to the Create and attach an internet gateway topic in the AWS Documentation.
Route Table
To create a route table for your VPC, refer to the Create a custom route table topic in the AWS Documentation.
Security Group
A security group defines the virtual firewall rules for your instance to control inbound and outbound traffic. When you launch GigaVUE-FM, GigaVUE V Series Proxies, GigaVUE V Series nodes, and G-vTAP Controllers in your project, you add one set of rules that controls the inbound traffic to the instances and a separate set of rules that controls the outbound traffic.
To create a security group, refer to the Create a security group topic in the AWS Documentation.
It is recommended to create a separate security group for each component using the rules and port numbers listed in the following table.
The following table lists the network firewall requirements for a V Series 2 node deployment.

| Direction | Type | Protocol | Port | CIDR | Purpose |
|---|---|---|---|---|---|
| GigaVUE-FM | | | | | |
| Inbound | | TCP | | Administrator Subnet | Management connection to GigaVUE-FM |
| Outbound | Custom TCP Rule | TCP(6) | 9900 | GigaVUE-FM IP | Allows G-vTAP Controller to communicate with GigaVUE-FM |
| Outbound (optional) | Custom TCP Rule | TCP | 8890 | V Series Proxy IP | Allows GigaVUE-FM to communicate with V Series Proxy |
| Outbound (configuration without V Series Proxy) | Custom TCP Rule | TCP | 8889 | V Series 2 Node IP | Allows GigaVUE-FM to communicate with V Series node |
| G-vTAP Controller | | | | | |
| Inbound | Custom TCP Rule | TCP(6) | 9900 | GigaVUE-FM IP | Allows G-vTAP Controller to communicate with GigaVUE-FM |
| Outbound | Custom TCP Rule | TCP(6) | 9901 | G-vTAP Controller IP | Allows G-vTAP Controller to communicate with G-vTAP Agents |
| G-vTAP Agent | | | | | |
| Inbound | Custom TCP Rule | TCP(6) | 9901 | G-vTAP Controller IP | Allows G-vTAP Agents to communicate with G-vTAP Controller |
| Outbound | | | VXLAN (default 4789) | G-vTAP Agent or Subnet IP | Allows G-vTAP Agents to tunnel traffic (VXLAN/L2GRE) to V Series nodes |
| V Series Proxy (optional) | | | | | |
| Inbound | Custom TCP Rule | TCP | 8890 | GigaVUE-FM IP | Allows GigaVUE-FM to communicate with V Series Proxy |
| Outbound | Custom TCP Rule | TCP | 8889 | V Series 2 node IP | Allows V Series Proxy to communicate with V Series node |
| V Series 2 node | | | | | |
| Inbound | Custom TCP Rule | TCP | 8889 | | Allows V Series Proxy or GigaVUE-FM to communicate with V Series node |
| Inbound | | | | G-vTAP Agent or Subnet IP | Allows G-vTAP Agents to tunnel traffic (VXLAN/L2GRE) to V Series nodes |
| Inbound | UDP | UDPGRE | 4754 | Ingress Tunnel | Allows the UDPGRE tunnel to communicate and tunnel traffic to V Series nodes |
| Outbound | Custom UDP Rule | | VXLAN (default 4789) | Tool IP | Allows V Series node to communicate and tunnel traffic to the Tool |
| Outbound (optional) | ICMP | ICMP | | Tool IP | Allows V Series node to health check the tunnel destination |
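The firewall table above is easy to get subtly wrong in practice: a port is left out of one component's group, or the source is set to `0.0.0.0/0` instead of the peer component's address listed in the CIDR column. The following is an added example (not Gigamon code) that encodes the required rules from the table and audits security groups shaped like the output of `aws ec2 describe-security-groups`, reporting missing rules and required ports that are open to the whole internet. Group IDs and CIDRs in the samples are constructed; the optional ICMP health-check rule is deliberately not treated as required, and the GigaVUE-FM group is checked for either the 8890 (with proxy) or 8889 (without proxy) outbound rule, as the table describes.

```python
"""Audit AWS security-group rules against the GigaVUE component port table.

Added example, not part of the Gigamon documentation or product. Works on
dicts shaped like `aws ec2 describe-security-groups` output so it runs
offline on the constructed samples below.
"""
import ipaddress

# Required rules per component, taken from the firewall table on this page:
# (direction, IP protocol, port). The optional ICMP rule is omitted on purpose.
# UDPGRE 4754 is carried over UDP, so it is checked as udp/4754.
REQUIRED_RULES = {
    "GigaVUE-FM": [("egress", "tcp", 9900)],                    # 8890/8889 added per proxy choice
    "G-vTAP Controller": [("ingress", "tcp", 9900), ("egress", "tcp", 9901)],
    "G-vTAP Agent": [("ingress", "tcp", 9901), ("egress", "udp", 4789)],
    "V Series Proxy": [("ingress", "tcp", 8890), ("egress", "tcp", 8889)],
    "V Series 2 node": [("ingress", "tcp", 8889), ("ingress", "udp", 4789),
                        ("ingress", "udp", 4754), ("egress", "udp", 4789)],
}

# Constructed sample: a G-vTAP Controller group with two common mistakes,
# 9900 open to the world and no outbound 9901 rule towards the agents.
CONTROLLER_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9900, "ToPort": 9900,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# Constructed sample: a GigaVUE-FM group that follows the table for a
# deployment with a V Series Proxy (egress 9900 to the controller subnet,
# egress 8890 to the proxy's address).
FM_SG = {
    "GroupId": "sg-0fedcba9876543210",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.10.0.0/24"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 9900, "ToPort": 9900,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 8890, "ToPort": 8890,
         "IpRanges": [{"CidrIp": "10.0.2.7/32"}]},
    ],
}


def _permission_covers(perm: dict, proto: str, port: int) -> bool:
    """True if one IpPermissions entry allows proto/port ("-1" is all traffic)."""
    ip_proto = perm.get("IpProtocol")
    if ip_proto == "-1":
        return True
    if ip_proto != proto:
        return False
    low, high = perm.get("FromPort", -1), perm.get("ToPort", -1)
    return low == -1 or low <= port <= high


def _wide_open_cidrs(perm: dict) -> list:
    """CIDRs in the entry that match every address (0.0.0.0/0 or ::/0)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def audit_security_group(component: str, sg: dict, with_proxy: bool = True) -> dict:
    """Return {"missing": [...], "wide_open": [...]} for one component's group.

    A required rule satisfied only by an allow-all entry (such as the default
    egress rule) is not reported missing, but its 0.0.0.0/0 source is flagged.
    """
    required = list(REQUIRED_RULES[component])
    if component == "GigaVUE-FM":
        required.append(("egress", "tcp", 8890 if with_proxy else 8889))
    perms = {"ingress": sg.get("IpPermissions", []),
             "egress": sg.get("IpPermissionsEgress", [])}
    missing, wide_open = [], []
    for direction, proto, port in required:
        matches = [p for p in perms[direction] if _permission_covers(p, proto, port)]
        if not matches:
            missing.append(f"{direction} {proto}/{port}")
            continue
        for perm in matches:
            for cidr in _wide_open_cidrs(perm):
                wide_open.append(f"{direction} {proto}/{port} from {cidr}")
    return {"missing": missing, "wide_open": wide_open}


if __name__ == "__main__":
    print("controller:", audit_security_group("G-vTAP Controller", CONTROLLER_SG))
    print("fm:", audit_security_group("GigaVUE-FM", FM_SG, with_proxy=True))
```

The check treats the default allow-all egress rule as satisfying a required outbound port but still reports its `0.0.0.0/0` source, which is the usual way the "separate security group per component" recommendation above gets undermined.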
Key Pair
A key pair consists of a public key and a private key. You must create a key pair and specify the name of this key pair when you define the specifications for the G-vTAP Controllers, GigaVUE V Series nodes, and GigaVUE V Series Proxy in your VPC.
To create a key pair, refer to the Create a key pair using Amazon EC2 topic in the AWS Documentation.
You can download the private key (.pem) file for reference.
ENI for Amazon EC2
For G-vTAP Agents to mirror the traffic from the instances, you must configure one or more Elastic Network Interfaces (ENIs) on the Amazon EC2 instances.
- Single ENI—If there is only one interface configured on the EC2 instance with the G-vTAP Agent, the G-vTAP Agent sends the mirrored traffic out using the same interface.
- Multiple ENIs—If there are two or more interfaces configured on the EC2 instance with the G-vTAP Agent, the G-vTAP Agent can monitor any number of those interfaces and can send the mirrored traffic out either through one of the monitored interfaces or through a separate, non-monitored interface.
Refer to the Elastic network interfaces and Create a network interface topics in the AWS Documentation for detailed information.