Monitoring Domain
Your AWS cloud infrastructure may encompass numerous resources spread across multiple AWS accounts and Virtual Private Clouds (VPCs). When implementing GigaVUE Cloud Suite for AWS to monitor specific workloads, it's crucial to limit access to only the necessary parts of your cloud environment.
To clearly define the scope of GigaVUE Cloud Suite for AWS deployment, we introduce the concept of a Monitoring Domain. This domain establishes a boundary within your AWS cloud environment where the visibility solution will be implemented.
Monitoring Domain
A Monitoring Domain in AWS is typically defined by:
- AWS accounts
- Regions
- VPCs
GigaVUE Cloud Suite for AWS interacts only with resources in the accounts and VPCs listed in a Monitoring Domain.
Connection
To further refine access control, we introduce the concept of a Connection. This is associated with a set of credentials and permissions that precisely limit what GigaVUE Cloud Suite for AWS can access. By utilizing Connections, you can deploy GigaVUE Cloud Suite for AWS to the appropriate resources with minimal credentials and permissions, enhancing security and control.
These concepts of Monitoring Domain and Connection work together to provide a granular approach to deploying and managing GigaVUE Cloud Suite for AWS within your cloud infrastructure, ensuring that you maintain control over which parts of your environment are accessible to the monitoring solution.
The following diagram provides more details about the concepts of Monitoring Domain and Connection:
In the above diagram, you define Monitoring Domain A and associate a connection object with it to provide the necessary credentials and permissions to access VPC 1 in your account A. GigaVUE-FM uses this connection to access VPC 1 in order to discover the required resources, such as workload VMs, subnets, security groups, key pairs, and more. GigaVUE-FM helps you easily deploy and configure GigaVUE Fabric Components and platform features to acquire traffic from the VMs you select, process it using GigaVUE V Series Nodes, and forward it to your analysis tools.
The Monitoring Domain defines a clear boundary within which GigaVUE-FM operates. This ensures both security and performance goals are achieved. In this case, you do not want GigaVUE-FM to access any VPCs other than VPC 1. GigaVUE-FM complies with your intent by restricting its operations strictly to the boundary defined by the Monitoring Domain. Additionally, the actions of GigaVUE-FM are further restricted by the credentials and permissions you provide through the connection associated with the Monitoring Domain.
The Monitoring Domain is a logical concept. Its definition is based on concepts defined by the underlying cloud platform. In AWS, you can define any boundary using accounts and VPCs.
The following diagram illustrates a Monitoring Domain encompassing resources in VPCs in two different AWS accounts:
In the above diagram, Monitoring Domain B is created to monitor the resources in VPC 2 and VPC 3, which are from two different accounts. GigaVUE-FM uses Connection 1 to access the resources in VPC 2 and Connection 2 to access the resources in VPC 3. In this case, GigaVUE-FM will not have access to the resources in VPC 1 and VPC 4.
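The boundary described for Monitoring Domain B can be checked as (account, region, VPC) tuples, each served by exactly one Connection. The Python below is an added example, not GigaVUE-FM code or part of the original documentation. The account IDs, region, VPC IDs, record format, class names, and the placement of VPC 2 and VPC 3 in accounts A and B are all assumptions.

```python
from dataclasses import dataclass

# All account IDs, regions and VPC IDs below are constructed placeholders.
ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"

@dataclass(frozen=True)
class Connection:
    """One set of credentials, valid for one account and a set of regions and VPCs."""
    name: str
    account_id: str
    regions: frozenset
    vpc_ids: frozenset

    def covers(self, account_id, region, vpc_id):
        # All three must match: a VPC ID alone does not identify the boundary.
        return (account_id == self.account_id
                and region in self.regions
                and vpc_id in self.vpc_ids)

@dataclass(frozen=True)
class MonitoringDomain:
    name: str
    connections: tuple

    def resolve(self, account_id, region, vpc_id):
        """Return the Connection that grants access to this VPC, or None if out of scope."""
        for conn in self.connections:
            if conn.covers(account_id, region, vpc_id):
                return conn
        return None

    def audit(self, records):
        """Return the records that touch resources outside the domain."""
        return [r for r in records
                if self.resolve(r["account"], r["region"], r["vpc"]) is None]

# Assumed layout: VPC 2 lives in account A, VPC 3 in account B.
DOMAIN_B = MonitoringDomain("Monitoring Domain B", (
    Connection("Connection 1", ACCOUNT_A, frozenset({"us-east-1"}), frozenset({"vpc-2"})),
    Connection("Connection 2", ACCOUNT_B, frozenset({"us-east-1"}), frozenset({"vpc-3"})),
))

# Constructed access records (hypothetical format, not a GigaVUE-FM or AWS log schema).
SAMPLE_RECORDS = [
    {"account": ACCOUNT_A, "region": "us-east-1", "vpc": "vpc-2"},  # in scope
    {"account": ACCOUNT_B, "region": "us-east-1", "vpc": "vpc-3"},  # in scope
    {"account": ACCOUNT_A, "region": "us-east-1", "vpc": "vpc-1"},  # VPC not in domain
    {"account": ACCOUNT_B, "region": "us-east-1", "vpc": "vpc-2"},  # right VPC ID, wrong account
    {"account": ACCOUNT_A, "region": "eu-west-1", "vpc": "vpc-2"},  # right VPC ID, wrong region
]
```

Calling `DOMAIN_B.audit(SAMPLE_RECORDS)` returns the last three records, which shows why a scope check has to compare the account and region along with the VPC ID.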
For more information on creating a Monitoring Domain, see Create a Monitoring Domain.



