Prerequisites
Refer to the following topics for details:
AWS Security Credentials
To establish the initial connection between GigaVUE-FM and AWS, you need AWS security credentials. AWS uses them to authenticate your requests and to determine whether you are authorized to access the resources you request.
You need one of the following security credentials:
- Identity and Access Management (IAM) role: If GigaVUE-FM is running within AWS, use an IAM role. An IAM role lets the instance make API requests with temporary credentials that AWS issues and rotates automatically, so no long-lived secret is stored on the instance. Create the role, attach the permissions and policies listed in Permissions and Privileges to it, and use Customer Managed Policies or Inline Policies.
- Access keys: If GigaVUE-FM is running outside AWS (for example, in the enterprise data center), you must use access keys (basic credentials) to connect to the VPC. An access key consists of an access key ID and a secret access key, and it carries the full permissions of the IAM user it belongs to. Create it for a dedicated IAM user that is restricted to the permissions listed in Permissions and Privileges, not for an administrator account. For detailed instructions on creating access keys, refer to the AWS documentation on Managing Access Keys for Your AWS Account.
Note: To obtain the IAM role or access keys, contact your AWS administrator.
You cannot launch the GigaVUE-FM instance from the EC2 dashboard without one of these security credentials. If you launch the GigaVUE-FM instance from the AWS Marketplace, only an IAM role is needed.
IMPORTANT:
- Deploy GigaVUE-FM in AWS to manage AWS workloads.
- If GigaVUE-FM is deployed outside AWS, it encrypts the access key and secret key and stores them in its database.
- Always attach an IAM role to the instance running GigaVUE-FM in AWS to connect it to your AWS account.
Amazon VPC
You must have an Amazon Virtual Private Cloud (VPC) to launch GigaVUE components into your virtual network.
Note: To create a VPC, refer to Create a VPC topic in the AWS Documentation.
Your VPC must have the following elements to configure the GigaVUE Cloud Suite for AWS components:
- Subnet for VPC
- Security Group
Security Group
When you launch GigaVUE-FM, GigaVUE V Series Proxies, GigaVUE V Series Nodes, and G-vTAP Controllers in your VPC, a security group acts as a virtual firewall for each instance and regulates its inbound and outbound traffic. Inbound and outbound traffic are governed by separate sets of rules.
Create a separate security group for each component, using the rules and port numbers listed in the following table, so that each component is reachable only from the peers it actually needs to talk to.
The following table lists the Network Firewall Requirements for a GigaVUE V Series 2 Node deployment.
Direction | Type | Protocol | Port | CIDR (peer) | Purpose

GigaVUE-FM
Inbound | | TCP | | Administrator Subnet | Management connection to GigaVUE-FM
Inbound | Custom TCP Rule | TCP | 5671 | V Series 2 Node IP | Allows GigaVUE V Series 2 Nodes to send traffic health updates to GigaVUE-FM
Outbound | Custom TCP Rule | TCP(6) | 9900 | G-vTAP Controller IP | Allows GigaVUE-FM to communicate with the G-vTAP Controller
Outbound (optional) | Custom TCP Rule | TCP | 8890 | V Series Proxy IP | Allows GigaVUE-FM to communicate with the V Series Proxy
Outbound | Custom TCP Rule | TCP | 8889 | V Series 2 Node IP | Allows GigaVUE-FM to communicate with GigaVUE V Series Nodes

G-vTAP Controller
Inbound | Custom TCP Rule | TCP(6) | 9900 | GigaVUE-FM IP | Allows the G-vTAP Controller to communicate with GigaVUE-FM
Inbound (third-party orchestration only) | Custom TCP Rule | TCP(6) | 8891 | G-vTAP Agent or Subnet IP | Allows the G-vTAP Controller to receive registration requests from G-vTAP Agents
Outbound (third-party orchestration only) | Custom TCP Rule | TCP(6) | 443 | GigaVUE-FM IP | Allows the G-vTAP Controller to forward registration requests to GigaVUE-FM
Outbound | Custom TCP Rule | TCP(6) | 9901 | G-vTAP Agent or Subnet IP | Allows the G-vTAP Controller to communicate with G-vTAP Agents

G-vTAP Agent
Inbound | Custom TCP Rule | TCP(6) | 9901 | G-vTAP Controller IP | Allows G-vTAP Agents to communicate with the G-vTAP Controller
Outbound (third-party orchestration only) | Custom TCP Rule | TCP(6) | 8891 | G-vTAP Controller IP | Allows G-vTAP Agents to communicate with the G-vTAP Controller for registration and heartbeat
Outbound | | | VXLAN (default 4789) | V Series 2 Node IP | Allows G-vTAP Agents to tunnel (VXLAN/L2GRE) traffic to V Series Nodes

GigaVUE V Series Proxy (optional)
Inbound | Custom TCP Rule | TCP | 8890 | GigaVUE-FM IP | Allows GigaVUE-FM to communicate with the V Series Proxy
Outbound | Custom TCP Rule | TCP | 8889 | V Series 2 Node IP | Allows the V Series Proxy to communicate with V Series Nodes

GigaVUE V Series 2 Node
Inbound | Custom TCP Rule | TCP | 8889 | V Series Proxy IP or GigaVUE-FM IP | Allows the V Series Proxy or GigaVUE-FM to communicate with the V Series Node
Inbound | | | VXLAN (default 4789) | G-vTAP Agent or Subnet IP | Allows G-vTAP Agents to tunnel (VXLAN/L2GRE) traffic to V Series Nodes
Inbound | Custom UDP Rule | UDP (UDPGRE) | 4754 | Ingress tunnel source | Allows UDPGRE tunnel traffic to reach V Series Nodes
Outbound | Custom TCP Rule | TCP | 5671 | GigaVUE-FM IP | Allows GigaVUE V Series Nodes to send traffic health updates to GigaVUE-FM
Outbound | Custom UDP Rule | UDP | VXLAN (default 4789) | Tool IP | Allows the V Series Node to tunnel traffic to the tool
Outbound (optional) | ICMP | ICMP | N/A | Tool IP | Allows the V Series Node to health-check the tunnel destination

Note: The CIDR column names the peer for each rule. In the security group, enter that peer's address range or, better, reference the peer component's own security group so the rule follows the instance rather than its IP address. VXLAN is carried over UDP (default destination port 4789); L2GRE is IP protocol 47 and must be entered as a Custom Protocol rule, because it is neither TCP nor UDP. The management rule for GigaVUE-FM lists no port; open only the management ports you actually use, and only from the administrator subnet.
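As an added example (not Gigamon's code and not part of the original page), the following Python script encodes the inbound rows of the table above and audits a security group, in the JSON shape that `aws ec2 describe-security-groups` returns, for missing rules, sources wider than the expected peer subnets (such as 0.0.0.0/0), and all-protocol rules. It also builds the `IpPermissions` list you would pass to `aws ec2 authorize-security-group-ingress` for a component. The component labels, subnet values and the sample group are assumptions constructed for this example.

```python
"""Audit a security group against the V Series 2 inbound rule table.

Added example, not Gigamon code. REQUIRED_INGRESS is transcribed from the
Network Firewall Requirements table (inbound rows only; the management rule,
whose port the table leaves blank, and the ICMP health check are omitted).
SAMPLE_SG is a constructed group in the JSON shape returned by
`aws ec2 describe-security-groups`; it is not a real group. The component
labels and subnet values are this example's own assumptions.
"""
from ipaddress import ip_network

# (protocol, port) -> purpose, per component, from the page's table.
REQUIRED_INGRESS = {
    "gigavue-fm": {("tcp", 5671): "traffic health updates from V Series 2 Nodes"},
    "gvtap-controller": {("tcp", 9900): "control from GigaVUE-FM",
                         ("tcp", 8891): "G-vTAP Agent registration (third-party orchestration)"},
    "gvtap-agent": {("tcp", 9901): "control from G-vTAP Controller"},
    "vseries-proxy": {("tcp", 8890): "control from GigaVUE-FM"},
    "vseries-node": {("tcp", 8889): "control from V Series Proxy or GigaVUE-FM",
                     ("udp", 4789): "VXLAN tunnel traffic from G-vTAP Agents",
                     ("udp", 4754): "UDPGRE ingress tunnel"},
}


def ingress_permissions(component, source_cidr):
    """Build the IpPermissions list for a component's required inbound rules,
    one rule per port, in the shape accepted by boto3's
    authorize_security_group_ingress and `aws ec2 authorize-security-group-ingress`."""
    return [
        {"IpProtocol": proto, "FromPort": port, "ToPort": port,
         "IpRanges": [{"CidrIp": source_cidr, "Description": purpose}]}
        for (proto, port), purpose in sorted(REQUIRED_INGRESS[component].items())
    ]


def _within(cidr, allowed):
    """True if `cidr` lies inside at least one allowed range of the same IP version."""
    net = ip_network(cidr)
    return any(net.subnet_of(ip_network(a))
               for a in allowed if ip_network(a).version == net.version)


def audit_ingress(component, ip_permissions, allowed_sources):
    """Return a list of findings for a security group's IpPermissions.

    A finding is raised when a required port is missing, when a rule covering
    a required port admits a source wider than `allowed_sources` (the peer
    subnets from the CIDR column), or when an all-protocol (-1) rule is used
    instead of a specific one. A source given as another security group
    (UserIdGroupPairs) is accepted as-is, since an SG reference is tighter
    than any CIDR. An empty list means the group passes.
    """
    required = REQUIRED_INGRESS[component]
    findings, seen = [], set()
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for (rproto, rport), purpose in required.items():
            covers = proto == "-1" or (proto == rproto and lo is not None and lo <= rport <= hi)
            if not covers:
                continue
            seen.add((rproto, rport))
            if proto == "-1":
                findings.append(f"{component}: all-protocol rule covers {rproto}/{rport}; use a specific rule")
            for src in cidrs:
                if not _within(src, allowed_sources):
                    findings.append(f"{component}: {rproto}/{rport} ({purpose}) open to {src}, "
                                    f"expected a source within {sorted(allowed_sources)}")
    for (rproto, rport), purpose in required.items():
        if (rproto, rport) not in seen:
            findings.append(f"{component}: missing inbound {rproto}/{rport} ({purpose})")
    return findings


# Constructed sample: a V Series node group whose VXLAN rule was opened to the
# world and whose UDPGRE rule was never added. Not a real group.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8889, "ToPort": 8889,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "udp", "FromPort": 4789, "ToPort": 4789,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}
PEER_SUBNETS = {"10.0.1.0/24", "10.0.2.0/24"}  # assumed agent and management subnets

if __name__ == "__main__":
    for line in audit_ingress("vseries-node", SAMPLE_SG["IpPermissions"], PEER_SUBNETS):
        print(line)
    # A group built from the table with a tight source passes cleanly.
    assert audit_ingress("vseries-node", ingress_permissions("vseries-node", "10.0.1.0/24"),
                         {"10.0.1.0/24"}) == []
```

Run against a real account by replacing SAMPLE_SG with the output of `aws ec2 describe-security-groups --group-ids <id>` and PEER_SUBNETS with your actual agent, node and management subnets; a rule whose source is a security-group reference rather than a CIDR produces no finding, which is the intended outcome.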
Key Pair
A key pair consists of a public key and a private key. When you define the specifications for the G-vTAP Controllers, GigaVUE V Series Nodes, and GigaVUE V Series Proxy in your VPC, you must create a key pair and specify its name. The private key is what you later use to log in to these instances over SSH (see Default Login Credentials), so store it securely and do not share it between environments.
To create a key pair, refer to Create a key pair using Amazon EC2 topic in the AWS Documentation.
Default Login Credentials
You can log in to the GigaVUE V Series Node, GigaVUE V Series Proxy, and G-vTAP Controller over SSH with the following default accounts. There is no default password; authentication uses the private key of the key pair you specified when launching the instance.
Product | Login credentials
GigaVUE V Series Node | Log in over SSH. Username: gigamon. Password: none; authenticate with the SSH key.
GigaVUE V Series Proxy | Log in over SSH. Username: gigamon. Password: none; authenticate with the SSH key.
G-vTAP Controller | Log in over SSH. Username: ubuntu. Password: none; authenticate with the SSH key.