Prerequisites

Refer to the following topics for details:

AWS Security Credentials

When you first connect GigaVUE-FM with AWS, you need the security credentials for AWS to verify your identity and check if you have permission to access the resources that you are requesting. AWS uses the security credentials to authenticate and authorize your requests.

You need one of the following security credentials:

  • Identity and Access Management (IAM) role—If GigaVUE-FM is running inside AWS, it is highly recommended to use an IAM role because it can securely make API requests from the instances. Create an IAM role and ensure that the permissions and policies listed in Permissions are associated to the role.
  • Access Keys—If GigaVUE-FM is configured in the enterprise data center, then you need to use access keys (basic credentials) to connect to the VPC. Basic credentials allow full access to all the resources in your AWS account. An access key consists of an access key ID and a secret access key. For detailed instructions on creating access keys, refer to the AWS documentation on Managing Access Keys for Your AWS Account.

    Note:  To obtain the IAM role or access keys, contact your AWS administrator.

You cannot launch the GigaVUE-FM instance from the EC2 dashboard without having one of these security credentials. If you are launching the GigaVUE-FM instance from the AWS Marketplace, you need to have only the IAM roles.

IMPORTANT:

  • Always run GigaVUE-FM inside AWS to manage your AWS workloads.
  • Always attach an IAM role to the instance running GigaVUE-FM in AWS to connect it to your AWS account.
  • Do NOT use access keys and secret keys to connect GigaVUE-FM to AWS. This requires GigaVUE-FM to store these keys and is NOT recommended.
  • The AWS Well-Architected guidelines highly recommend the use of IAM roles.

Note:  Running GigaVUE-FM outside of AWS requires the credentials to be stored internally. Although GigaVUE-FM encrypts access keys and secret access keys within its database, it is not recommended to connect to AWS from a GigaVUE-FM instance outside of AWS.
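The guidance above comes down to one check an operator can run against the identity GigaVUE-FM actually presents to AWS: the caller ARN returned by `aws sts get-caller-identity` tells you whether the requests come from an instance-profile role session, from some other STS session, or from long-lived IAM user or root access keys. The following is an added example (not Gigamon's code or part of this page): it classifies such an ARN with the standard AWS ARN forms and emits the standard EC2 trust policy an instance role needs. The ARNs and the role name GigaVUE-FM-Role are constructed placeholders.

```python
"""Verify which kind of credential GigaVUE-FM uses to reach AWS and emit the
trust policy for an instance role.

Added example for this page, not Gigamon's code. The caller ARNs below are
constructed values of the kind returned by `aws sts get-caller-identity`;
GigaVUE-FM-Role is a placeholder role name.
"""
import json
import re

# Standard trust policy that lets EC2 instances assume the role through an
# instance profile (the AWS-documented form, not a GigaVUE-specific one).
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# arn:<partition>:<iam|sts>::<12-digit account>:<resource>
_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):(?P<service>iam|sts)::"
    r"(?P<account>\d{12}):(?P<resource>.+)$"
)


def credential_source(caller_arn):
    """Classify the identity behind a caller ARN.

    Returns one of:
      'instance-role'  assumed-role session named after an EC2 instance ID,
                       which is how instance-profile credentials appear
      'assumed-role'   any other STS session (a person, a CI job, ...)
      'iam-user-keys'  long-lived access keys of an IAM user
      'root-keys'      access keys of the account root user
      'unknown'        anything else or unparsable input
    """
    m = _ARN_RE.match(caller_arn)
    if not m:
        return "unknown"
    resource = m.group("resource")
    if m.group("service") == "sts" and resource.startswith("assumed-role/"):
        parts = resource.split("/")  # assumed-role/<RoleName>/<SessionName>
        if len(parts) == 3 and parts[2].startswith("i-"):
            return "instance-role"
        return "assumed-role"
    if m.group("service") == "iam":
        if resource.startswith("user/"):
            return "iam-user-keys"
        if resource == "root":
            return "root-keys"
    return "unknown"


def meets_guidance(caller_arn):
    """True only when the caller is an IAM role attached to an EC2 instance."""
    return credential_source(caller_arn) == "instance-role"


def trust_policy_json():
    """Serialised trust policy to supply when creating the instance role."""
    return json.dumps(EC2_TRUST_POLICY, indent=2)


# Constructed sample identities for the cases the page discusses.
SAMPLES = {
    "arn:aws:sts::123456789012:assumed-role/GigaVUE-FM-Role/i-0123456789abcdef0": "instance-role",
    "arn:aws:iam::123456789012:user/fm-service-account": "iam-user-keys",
    "arn:aws:iam::123456789012:root": "root-keys",
}

if __name__ == "__main__":
    for arn, expected in SAMPLES.items():
        print(f"{credential_source(arn):15} recommended={meets_guidance(arn)}  {arn}")
    print(trust_policy_json())
```

Only the `instance-role` outcome matches the IMPORTANT list: the role is attached to the instance, so no key material is stored in the GigaVUE-FM database. Any other outcome means long-lived keys (or a manually assumed session) are in play and should be replaced with an instance profile carrying the permissions listed in Permissions.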

Amazon VPC

You must have an Amazon Virtual Private Cloud (VPC) to launch GigaVUE components into your virtual network.

Note:  To create a VPC, refer to the Create a VPC topic in the AWS Documentation.

Your VPC must have the following elements to configure the GigaVUE Cloud Suite for AWS components:

Subnet for VPC

To create a subnet for your VPC, refer to the Create a subnet in your VPC topic in the AWS Documentation.

Internet Gateway

To create and attach an internet gateway to your VPC, refer to the Create and attach an internet gateway topic in the AWS Documentation.

Route Table

To create a route table for your VPC, refer to the Create a custom route table topic in the AWS Documentation.

Security Group

A security group defines the virtual firewall rules for your instance to control inbound and outbound traffic. When you launch GigaVUE-FM, GigaVUE V Series Proxies, GigaVUE V Series nodes, and G-vTAP Controllers in your project, you add one set of rules that controls the inbound traffic to the instances and a separate set of rules that controls the outbound traffic.

To create a security group, refer to the Create a security group topic in the AWS Documentation.

It is recommended to create a separate security group for each component using the rules and port numbers listed in the following table.

The following table lists the network firewall requirements for a V Series 2 node deployment.

| Component | Direction | Type | Protocol | Port | CIDR | Purpose |
|---|---|---|---|---|---|---|
| GigaVUE-FM | Inbound | HTTPS, SSH | TCP | 443, 22 | Administrator Subnet | Management connection to GigaVUE-FM |
| GigaVUE-FM | Outbound | Custom TCP Rule | TCP(6) | 9900 | GigaVUE-FM IP | Allows G-vTAP Controller to communicate with GigaVUE-FM |
| GigaVUE-FM | Outbound (optional) | Custom TCP Rule | TCP | 8890 | V Series Proxy IP | Allows GigaVUE-FM to communicate with V Series Proxy |
| GigaVUE-FM | Outbound (configuration without V Series Proxy) | Custom TCP Rule | TCP | 8889 | V Series 2 Node IP | Allows GigaVUE-FM to communicate with V Series node |
| G-vTAP Controller | Inbound | Custom TCP Rule | TCP(6) | 9900 | GigaVUE-FM IP | Allows G-vTAP Controller to communicate with GigaVUE-FM |
| G-vTAP Controller | Outbound | Custom TCP Rule | TCP(6) | 9901 | G-vTAP Controller IP | Allows G-vTAP Controller to communicate with G-vTAP Agents |
| G-vTAP Agent | Inbound | Custom TCP Rule | TCP(6) | 9901 | G-vTAP Controller IP | Allows G-vTAP Agents to communicate with G-vTAP Controller |
| G-vTAP Agent | Outbound | UDP, IP | UDP (VXLAN), IP Protocol (L2GRE) | VXLAN (default 4789) | G-vTAP Agent or Subnet IP | Allows G-vTAP Agents to tunnel traffic (VXLAN/L2GRE) to V Series nodes |
| V Series Proxy (optional) | Inbound | Custom TCP Rule | TCP | 8890 | GigaVUE-FM IP | Allows GigaVUE-FM to communicate with V Series Proxy |
| V Series Proxy (optional) | Outbound | Custom TCP Rule | TCP | 8889 | V Series 2 node IP | Allows V Series Proxy to communicate with V Series node |
| V Series 2 node | Inbound | Custom TCP Rule | TCP | 8889 | GigaVUE-FM IP, V Series Proxy IP | Allows V Series Proxy or GigaVUE-FM to communicate with V Series node |
| V Series 2 node | Inbound | UDP, IP | UDP (VXLAN), IP Protocol (L2GRE) | VXLAN (default 4789), L2GRE | G-vTAP Agent or Subnet IP | Allows G-vTAP Agents to tunnel traffic (VXLAN/L2GRE) to V Series nodes |
| V Series 2 node | Inbound | UDP | UDPGRE | 4754 | Ingress Tunnel | Allows the UDPGRE tunnel to communicate and tunnel traffic to V Series nodes |
| V Series 2 node | Outbound | Custom UDP Rule | UDP (VXLAN), IP Protocol (L2GRE) | VXLAN (default 4789) | Tool IP | Allows V Series node to communicate and tunnel traffic to the Tool |
| V Series 2 node | Outbound (optional) | ICMP | ICMP | echo request, echo reply | Tool IP | Allows V Series node to health check the tunnel destination |
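The table is easiest to get right when it is kept as data and turned into security-group rules mechanically, and then audited so that a control-plane port never ends up open to a wider range than the table's symbolic CIDR implies. The following is an added example (not Gigamon's code or part of this page) that does both: it transcribes the table into the IpPermissions structure that boto3's authorize_security_group_ingress and authorize_security_group_egress accept, and flags rules whose CIDR is the whole Internet or broader than a /24 on a control-plane port. The addresses in ADDR are constructed placeholders for the table's symbolic CIDR column; the GRE protocol number 47 and the AWS convention of ICMP type in FromPort are standard AWS/IANA facts, not something the page states; the API calls themselves are not made here.

```python
"""Security-group rules for the GigaVUE Cloud Suite for AWS components.

Added example for this page, not Gigamon's code. RULES is transcribed from
the firewall table above; ADDR maps the table's symbolic CIDR names to
constructed placeholder addresses. The dicts use the IpPermissions shape that
boto3's authorize_security_group_ingress / authorize_security_group_egress
accept (assumption: the caller passes them to those APIs with a real GroupId).
"""
import ipaddress

# Constructed placeholders for the symbolic CIDR column of the table.
ADDR = {
    "Administrator Subnet": "10.0.0.0/24",
    "GigaVUE-FM IP": "10.0.1.10/32",
    "G-vTAP Controller IP": "10.0.1.20/32",
    "V Series Proxy IP": "10.0.1.30/32",
    "V Series 2 Node IP": "10.0.1.40/32",
    "G-vTAP Agent or Subnet IP": "10.0.2.0/24",
    "Ingress Tunnel": "10.0.4.0/24",
    "Tool IP": "10.0.3.5/32",
}

GRE = "47"  # IANA protocol number for GRE, which carries the L2GRE tunnels

# (component, direction, ip_protocol, from_port, to_port, peer, purpose)
# Ports are None for protocols other than tcp/udp/icmp. For ICMP, AWS takes
# FromPort = ICMP type and ToPort = ICMP code (-1 = any code).
RULES = [
    ("GigaVUE-FM", "ingress", "tcp", 443, 443, "Administrator Subnet", "Management connection (HTTPS)"),
    ("GigaVUE-FM", "ingress", "tcp", 22, 22, "Administrator Subnet", "Management connection (SSH)"),
    ("GigaVUE-FM", "egress", "tcp", 9900, 9900, "GigaVUE-FM IP", "G-vTAP Controller to GigaVUE-FM"),
    ("GigaVUE-FM", "egress", "tcp", 8890, 8890, "V Series Proxy IP", "GigaVUE-FM to V Series Proxy (optional)"),
    ("GigaVUE-FM", "egress", "tcp", 8889, 8889, "V Series 2 Node IP", "GigaVUE-FM to V Series node (no proxy)"),
    ("G-vTAP Controller", "ingress", "tcp", 9900, 9900, "GigaVUE-FM IP", "G-vTAP Controller to GigaVUE-FM"),
    ("G-vTAP Controller", "egress", "tcp", 9901, 9901, "G-vTAP Controller IP", "G-vTAP Controller to G-vTAP Agents"),
    ("G-vTAP Agent", "ingress", "tcp", 9901, 9901, "G-vTAP Controller IP", "G-vTAP Agents to G-vTAP Controller"),
    ("G-vTAP Agent", "egress", "udp", 4789, 4789, "G-vTAP Agent or Subnet IP", "VXLAN tunnel to V Series nodes"),
    ("G-vTAP Agent", "egress", GRE, None, None, "G-vTAP Agent or Subnet IP", "L2GRE tunnel to V Series nodes"),
    ("V Series Proxy", "ingress", "tcp", 8890, 8890, "GigaVUE-FM IP", "GigaVUE-FM to V Series Proxy"),
    ("V Series Proxy", "egress", "tcp", 8889, 8889, "V Series 2 Node IP", "V Series Proxy to V Series node"),
    ("V Series 2 node", "ingress", "tcp", 8889, 8889, "GigaVUE-FM IP", "GigaVUE-FM to V Series node"),
    ("V Series 2 node", "ingress", "tcp", 8889, 8889, "V Series Proxy IP", "V Series Proxy to V Series node"),
    ("V Series 2 node", "ingress", "udp", 4789, 4789, "G-vTAP Agent or Subnet IP", "VXLAN tunnel from G-vTAP Agents"),
    ("V Series 2 node", "ingress", GRE, None, None, "G-vTAP Agent or Subnet IP", "L2GRE tunnel from G-vTAP Agents"),
    ("V Series 2 node", "ingress", "udp", 4754, 4754, "Ingress Tunnel", "UDPGRE ingress tunnel"),
    ("V Series 2 node", "egress", "udp", 4789, 4789, "Tool IP", "VXLAN tunnel to the tool"),
    ("V Series 2 node", "egress", GRE, None, None, "Tool IP", "L2GRE tunnel to the tool"),
    ("V Series 2 node", "egress", "icmp", 8, -1, "Tool IP", "Echo request for tunnel health check (optional)"),
    ("V Series 2 node", "egress", "icmp", 0, -1, "Tool IP", "Echo reply for tunnel health check (optional)"),
]

# TCP ports the components use to manage each other; these deserve the
# narrowest possible source/destination ranges.
CONTROL_PLANE_PORTS = {22, 443, 8889, 8890, 9900, 9901}


def ip_permissions(component, direction):
    """Return the IpPermissions list for one component and one direction."""
    perms = []
    for comp, dirn, proto, frm, to, peer, purpose in RULES:
        if comp != component or dirn != direction:
            continue
        perm = {"IpProtocol": proto,
                "IpRanges": [{"CidrIp": ADDR[peer], "Description": purpose}]}
        if frm is not None:  # port fields only apply to tcp/udp/icmp
            perm["FromPort"], perm["ToPort"] = frm, to
        perms.append(perm)
    return perms


def audit(perms, max_control_plane_prefix=24):
    """Return findings for rules that open control-plane ports too widely.

    A rule is flagged if its CIDR is the whole address space, or if it is a
    TCP rule covering a control-plane port whose prefix is shorter (broader)
    than max_control_plane_prefix.
    """
    findings = []
    for perm in perms:
        is_tcp = perm["IpProtocol"] == "tcp"
        ports = set(range(perm["FromPort"], perm["ToPort"] + 1)) if is_tcp else set()
        for rng in perm["IpRanges"]:
            net = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if net.prefixlen == 0:
                findings.append(f"{rng['Description']}: open to all addresses ({rng['CidrIp']})")
            elif ports & CONTROL_PLANE_PORTS and net.prefixlen < max_control_plane_prefix:
                findings.append(f"{rng['Description']}: control-plane port reachable from {rng['CidrIp']}")
    return findings


if __name__ == "__main__":
    for comp in ("GigaVUE-FM", "G-vTAP Controller", "G-vTAP Agent", "V Series Proxy", "V Series 2 node"):
        for dirn in ("ingress", "egress"):
            perms = ip_permissions(comp, dirn)
            print(f"{comp:18} {dirn:8} {len(perms)} rule(s)  findings={audit(perms)}")
```

Keeping one security group per component, as the page recommends, maps directly onto calling `ip_permissions(component, "ingress")` and `ip_permissions(component, "egress")` for each group. Running `audit` over the result (or over the permissions you read back from a deployed group) catches the common drift where a management port such as 443 or 9900 is widened from a host or subnet to 0.0.0.0/0.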

Key Pair

A key pair consists of a public key and a private key. You must create a key pair and specify the name of this key pair when you define the specifications for the G-vTAP Controllers, GigaVUE V Series nodes, and GigaVUE V Series Proxy in your VPC.

To create a key pair, refer to the Create a key pair using Amazon EC2 topic in the AWS Documentation.

You can download the private key (.pem) file for reference.

ENI for Amazon EC2

For G-vTAP Agents to mirror the traffic from the instances, you must configure one or more Elastic Network Interfaces (ENIs) on the Amazon EC2 instances.

  • Single ENI—If there is only one interface configured on the EC2 instance with the G-vTAP Agent, the G-vTAP Agent sends the mirrored traffic out using the same interface.
  • Multiple ENIs—If there are two or more interfaces configured on the EC2 instance with the G-vTAP Agent, the G-vTAP Agent monitors any number of interfaces but has an option to send the mirrored traffic out using any one of the interfaces or using a separate, non-monitored interface.

Refer to the Elastic network interfaces and Create a network interface topics in the AWS Documentation for detailed information.