Deploy Inline V Series Solution in Azure

Note:  Click the following prompt to generate a quick deployment checklist for this topic.

Create a comprehensive checklist based on the deployment steps outlined in the Deploy Inline V Series Solution in Azure topic.

This section outlines the work flow for acquiring traffic using Inline V Series Node and deploying GigaVUE Fabric Components using Third Party Orchestration. It provides instructions to configure traffic acquisition, processing, and forwarding to your desired destination.

Note: The work flow described in this section is based on the topology shown below. The approach for acquiring traffic depends on your specific requirements. Additionally, you can decide whether to route traffic through public load balancer based on your topology.

Refer to the following topics to deploy Inline V Series in Azure:

• Create a Resource Group
• Create Virtual Networks
• Create a Virtual Network Peering
• Create a Network Security Group
• Create a Load Balancer
• Install GigaVUE‑FM on Azure
• Enable System Assigned Managed Identity
• Create Gigamon Custom Role
• Assign Role to Resource Group
• Assign Role to GigaVUE‑FM Instance
• Create a GigaVUE‑FM Token
• Modify Virtual Machine Scale Set (VMSS) Cloud Initialization Template
• Create a Virtual Machine Scale Set for Inline GigaVUE V Series Node (Tier 1)
• Assign VMSS to GWLB Backend Pools
• Create Monitoring Domain
• Deploy GigaVUE V Series Nodes for Inline V Series Solution
• (Optional) Create a Virtual Machine Scale Set for Out-of-Band GigaVUE V Series Node (Tier 2)
• Configure Monitoring session

Create a Resource Group

The resource group is a container that holds all the resources for a solution. Select an existing resource group or create a new resource group. For navigation steps and detailed instructions, refer to Create a resource group topic in the Azure Documentation.

Note:  We recommend creating a dedicated Resource Group for GigaVUE Visibility Fabric components such as GigaVUE‑FM, V Series Nodes, Gateway Load Balancer, and others.

Create Virtual Networks

Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. You can choose to:

Note:  We recommend setting up two separate virtual networks to support the GigaVUE Visibility Fabric. The first VNet (Viz_VNet) will host the GigaVUE visibility components such as GigaVUE‑FM and V Series Nodes. The second VNet (App_VNet) will contain the virtual machines responsible for generating traffic.

Create a Virtual Network Peering

When workload virtual machines are distributed across multiple virtual networks, you must enable Virtual Network Peering between each workload VNet and the VNet hosting the GigaVUE V Series Node. This peering setup allows seamless communication between VNets within Azure.

To set up peering between the two VNets you created, refer to Manage a virtual network peering topic in Azure documentation.

Create a Network Security Group

Network Security Groups (NSGs) filter inbound and outbound traffic to subnets and network interfaces using security rules. You should configure the Network Security Group to allow GigaVUE‑FM to communicate with the rest of the components. Select an existing network security group or create a new network security group. For navigation steps and detailed instructions, refer to Create a network security group topic in the Azure Documentation.

Create a Load Balancer

Gigamon deploys its solution as a Network Virtual Appliance positioned behind a Gateway Load Balancer. To ensure traffic flows through the V Series, it must be routed to the GWLB. You can achieve this routing either via a Standard Load Balancer or directly from a virtual machine’s public interface. Microsoft recommends using a Standard Load Balancer for optimal integration.

Refer to the following sections for information on creating a Gateway Load Balancer and Standard Load Balancer:

Create a Gateway Load Balancer

Set up a Gateway Load Balancer (GWLB), which will later forward traffic to the Tier 1 V Series Node. Once deployed, the Tier 1 V Series Node will mirror packets from the workload virtual machines, enabling traffic visibility.

The following table lists the specific options you must select when creating a Gateway Load Balancer for an inline V Series deployment. For navigation steps and detailed instructions, refer to Create a Gateway Load Balancer topic in Azure documentation.

(Optional) Create a Standard Load Balancer

Note:  Routing traffic through a public load balancer is optional and applies only to the topology shown at the beginning of this document. Alternatively, you can route traffic to the Gateway Load Balancer from a VM that has an interface with a public IP.

The following table lists the specific options you must select when creating a Standard Load Balancer for an inline V Series deployment. For navigation steps and detailed instructions, refer to Create a Public Gateway Load Balancer topic in Azure documentation.

For details regarding traffic flow from Gateway Load Balancer to Standard Load Balancer, refer to Gateway Load Balancer topic in Azure documentation.

Install GigaVUE‑FM on Azure

To install GigaVUE‑FM using the Azure Marketplace:

1. Go to Azure Marketplace and search for Gigamon. The latest version of Gigamon GigaVUE Cloud Suite for Azure appears. Click Get it Now.

2. In the pop-up window, select the GigaVUE-FM (Fabric Manager) vX.XX - BYOL option and click Continue.

3. Select the "Want to deploy programmatically? Get started" link.

4. Review the terms of service and the subscription name, and then select Enable. Click Save.

5. Verify the selected Subscription and Plan, then click Create.

6. Configure the GigaVUE‑FM VM details. Most fields are pre-populated, but some require manual input. Enter the details as mentioned in Table 1: GigaVUE-FM Installation Steps. For detailed instructions, refer to Create a Linux virtual machine in the Azure in Azure Documentation.

   Table 1: GigaVUE-FM Installation Steps

   Field	Description
   Basics
   Subscription	Select your subscription.
   Resource Group	Select the Inline V Series Resource Group that you created.
   System-assigned managed identity	Use a system-assigned managed identity when a resource needs to authenticate to other services, and you want the identity to be created and deleted with the resource. Note: If you update any role it would take more than an hour to reflect in GigaVUE‑FM, however, if you use APP registration it would take between 5-10 minutes to update in GigaVUE‑FM.
   Virtual machine name	Enter a name for the VM.
   Region	Select a region for Azure VM.
   Availability Zone	Choose your availability zone
   Security Type	To enable UEFI secure boot, select Trusted launch virtual machines from the drop-down list. Click Configure security features and ensure that the Enable secure boot check box is enabled.
   Image	Select the latest GigaVUE‑FM images. Note:  You cannot select multiple images for a VM.
   Size	Select the recommended instance type: GigaVUE‑FM - Standard_D4s_v3
   Authentication Type	We support only SSH public key authentication type ● SSH public key o Enter the administrator username for the VM. o Enter the SSH public key pair name. ● Password o Enter the administrator username for the VM. o Enter the administrator password. Note:  The username "gigamon" is reserved for internal usage. Do not create a user with the name "gigamon"
   Disks
   Disk Size	The required disk size for GigaVUE‑FM is 2 x 40GB.
   Networking
   Virtual Network	Select the virtual network that you created.
   Configure network security group	Select the network security group that you created.

Note:  Verify the summary before proceeding to create. It will take several minutes for the VM to initialize. After the initialization is completed, you can verify the VM through the Web interface.

After the deployment, navigate to the VM overview page, copy the Public IP address, and paste it in a new web browser tab.

If GigaVUE‑FM is deployed in Azure, use admin123A!! as the password for the admin user to login to GigaVUE‑FM. You must change the default password after logging in to GigaVUE‑FM.

Enable System Assigned Managed Identity

Managed Identity (MSI) is a feature of Azure Active Directory. When you enable MSI on an Azure service, Azure automatically creates an identity for the service VM in the Azure AD tenant used by your Azure subscription.

To enable MSI on the VM running in GigaVUE‑FM using the Azure portal, refer to Configure managed identities using the Azure portal in the Azure documentation.

Create Gigamon Custom Role

When you first connect GigaVUE-FM to Azure, you need the appropriate authentication for Azure to verify your identity and check if you have permission to access the resources that you are requesting. This is used for GigaVUE-FM to integrate with Azure APIs and to automate the fabric deployment and management.

IMPORTANT: "Microsoft.Authorization/roleAssignments/read" permission is required for validating the required permissions. Ensure to include "Microsoft.Authorization/roleAssignments/read" permission in your IAM policy.

The ‘built-in’ roles provided by Microsoft are open to all resources. Refer to Create or update Azure custom roles topic in the Azure documentation to update the policy with the relevant IAM service.

After completing the configuration in the Basics, Permissions, and Assignable Scopes sections, copy the permissions listed below and paste them into the JSON code to create a custom role.

Note:  Ensure to assign the roles for the permissions listed below at the subscription level.

{
   "Name":"CustomRoleForInline",
   "description":"Minimum requirements for FM in inline tapping",
   "assignableScopes":[
      "/subscriptions/<Subscription ID>"
   ],
   "permissions":[
      {
         "actions":[
            "Microsoft.Resources/subscriptions/read",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.Network/virtualNetworks/read",
            "Microsoft.Network/loadBalancers/read",
            "Microsoft.Network/loadBalancers/backendAddressPools/read",
            "Microsoft.Network/loadBalancers/backendAddressPools/backendPoolAddresses/read",
            "Microsoft.Compute/virtualMachineScaleSets/read",
            "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
            "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read",
            "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/read",
            "Microsoft.Compute/virtualMachines/read"
         ],
         "notActions":[],
         "dataActions":[],
         "notDataActions":[]
      }
   ]
}

Note:  Ensure you maintain the exact indentation and order shown in the code snippet when copying and pasting it. Any changes in formatting or order may cause errors or prevent the code from working correctly.

Assign Role to Resource Group

You can specify where the custom role is available for assignment such as a management group, subscription, or resource group and assign the created role to the resource group you created. In Azure, locate your newly created Role by navigating to “Management Groups” and selecting your subscription Id.

For further navigation and instructions to assign a role to your resource group, refer to the steps listed in Update a custom role and Assignable scopes sections of the Create or update Azure custom roles topic in the Azure documentation.

Assign Role to GigaVUE‑FM Instance

You can assign the custom role you have created to GigaVUE‑FM instance in Azure. For navigation path and detailed instructions, follow the steps listed in Open the Add role assignment page, Select the appropriate role, and Select who needs access sections of the Assign Azure roles using the Azure portal topic in the Azure documentation.

Create a GigaVUE‑FM Token

GigaVUE‑FM allows you to generate a token only if you are an authenticated user and based on your privileges in accessing the GigaVUE‑FM. You can create multiple tokens if required.

To create a token in GigaVUE‑FM, follow these steps:

1.

Go to , select Authentication > GigaVUE‑FM User Management. The User Management page appears.

Note:  If you are a user with write access, then you can view a drop- down list under Tokens. Select Current User Tokens to create a token.

Note:  You cannot view the generated token. You can only copy and paste the generated token.

Modify Virtual Machine Scale Set (VMSS) Cloud Initialization Template

The script given below will be essential for creating the VMSS, which uses this data to deploy the V Series node. This information is also required when configuring the Monitoring Domain in GigaVUE‑FM.

Ensure you save these values in a secure location for reference in the upcoming steps. You can modify only the following parameters in the template:

Custom Template:

Note:  Ensure you maintain the exact indentation and order shown in the code snippet when copying and pasting it. Any changes in formatting or order may cause errors or prevent the code from working correctly.

#cloud-config
write_files:
  - path: /etc/gigamon-cloud.conf
    owner: root:root
    permissions: '0644'
    content: |
      Registration:
        groupName: <Monitoring Domain Name>
        subGroupName: <Connection Name>
        remoteIP: <IP address of the GigaVUE-FM>
        remotePort: 443
        token: <token>

  - path: /etc/vseries-inline.conf
    owner: root:root
    permissions: '0644'
    content: ""

Create a Virtual Machine Scale Set for Inline GigaVUE V Series Node (Tier 1)

V Series Nodes are created as part of a Virtual Machine Scale Set (VMSS) to allow scaling based on demand. This setup enables you to scale out or scale in the number of V Series Nodes as needed for each tier. Therefore, each tier will have a dedicated VMSS. The inline V Series solution does not support standalone V Series Nodes that are not part of a scale set.

The following table lists the specific options you must select when creating a Virtual Machine Scale Set for an inline V Series deployment. For navigation steps and detailed instructions, refer to Create a Virtual Machine Scale Set topic in Azure documentation.

#cloud-config
write_files:
  - path: /etc/gigamon-cloud.conf
    owner: root:root
    permissions: '0644'
    content: |
      Registration:
        groupName: <Monitoring Domain Name>
        subGroupName: <Connection Name>
        remoteIP: <IP address of the GigaVUE-FM>
        remotePort: 443
        token: <token>

  - path: /etc/vseries-inline.conf
    owner: root:root
    permissions: '0644'
    content: ""

#cloud-config
write_files:
  - path: /etc/gigamon-cloud.conf
    owner: root:root
    permissions: '0644'
    content: |
      Registration:
        groupName: <Monitoring Domain Name>
        subGroupName: <Connection Name>
        remoteIP: <IP address of the GigaVUE-FM>
        remotePort: 443
        token: <token>

  - path: /etc/vseries-inline.conf
    owner: root:root
    permissions: '0644'
    content: |
      tunnel: vxlan
      external_port : <Enter the port value>
      external_vni  : <Enter the port value>
      internal_port : <Enter the port value>
      internal_vni  : <Enter the port value>

Assign VMSS to GWLB Backend Pools

Identify the Gateway Load Balancer you created in Create a Load Balancer step. To attach the Data NIC of the VMSS to the Gateway Load Balancer:

Create Monitoring Domain

Azure Load Balancer launches and manages GigaVUE V Series Node that is registered with GigaVUE‑FM.

To deploy GigaVUE V Series Node with Gateway Load Balancing in GigaVUE‑FM:

1. Go to Inventory > VIRTUAL > Azure .
2. Select Monitoring Domain.
3. On the Monitoring Domain page, select New.
4. On the Monitoring Domain Configuration page, select Inline as the Traffic Acquisition method.
5. Enter the Monitoring Domain Name and the Connection Name as mentioned in the user data provided during the template launch in Azure. Refer to Advanced section in Create a Virtual Machine Scale Set for Inline GigaVUE V Series Node (Tier 1).
6. (Optional) Turn on the Use FM to launch Proxy toggle to launch the GigaVUE V Series Proxy using GigaVUE‑FM.

   Note:  You can use GigaVUE V Series proxy if GigaVUE‑FM cannot directly reach the GigaVUE V Series Nodes (management interface) directly over the network. GigaVUE V Series Proxy is a optional component.
   
   

   1. From the Image drop-down list, select the required image.
   2. From the Size drop-down list, select the instance size.
   3. For Number of Instances, specify the required number of instances.
   4. For Management Subnet:
      1. Select the IP Address Type as Private or Public.
      2. From the Subnet drop-down list, select the management subnet.
      3. Select Add Subnet under Additional Subnets to add additional subnets.
   5. Select Add under Tags to assign tags for resource identification.
7. Select Save.

Deploy GigaVUE V Series Nodes for Inline V Series Solution

When the Monitoring Domain is created successfully you will be navigated to the Azure Fabric Launch Configuration page in GigaVUE‑FM automatically.

Note:

After configuring the Monitoring Domain and establishing the connection, update the Default Condition count in the following steps based on the number of GigaVUE V Series Nodes you want to deploy within the Monitoring Domain:

■

Create a Virtual Machine Scale Set for Inline GigaVUE V Series Node (Tier 1)

■

(Optional) Create a Virtual Machine Scale Set for Out-of-Band GigaVUE V Series Node (Tier 2)

Adjust the instance count in the scale set to match the required number of nodes for your deployment.

a.

In the Inline Node Group Name field, enter a name for the node group.

b.

From the Inline Auto Scaling Group drop-down list, select the auto scaling group where you deploy the Inline V Series Node.

a.

In the Node Group Name field, enter a name for the node group.

b.

From the Auto Scaling Group drop-down list, select the VMSS created in Azure.

Note:  You can configure a maximum of eight Node groups.

(Optional) Create a Virtual Machine Scale Set for Out-of-Band GigaVUE V Series Node (Tier 2)

The Tier 2 V Series Node (Out-of-Band) processes mirrored traffic using GigaSMART operations to enrich and optimize data before forwarding it to the tool set. If only filtering is required, the Tier 1 V Series Node can handle it and send the traffic directly to the tool—eliminating the need for a Tier 2 node.

The following table lists the specific options you must select when creating a Virtual Machine Scale Set for Out-of-Band for an inline V Series deployment. For navigation steps and detailed instructions, refer to refer to Create a Virtual Machine Scale Set topic in Azure documentation.

#cloud-config
write_files:
  - path: /etc/gigamon-cloud.conf
    owner: root:root
    permissions: '0644'
    content: |
      Registration:
        groupName: <Monitoring Domain Name>
        subGroupName: <Connection Name>
        remoteIP: <IP address of the GigaVUE-FM>
        remotePort: 443
        token: <token>

Configure Monitoring session

When the Traffic Acquisition Method is Inline, the UCT-I application is available on the canvas by default. You can configure up to three tiers in a Monitoring Session and define multiple Sub Policies. Each Sub Policy can have its own ingress and egress tunnels and traffic processing applications.

To configure the Monitoring Session for Inline V Series Solution:

Tier 1 Monitoring Session:

1. Perform one of the following options:

   • Create a new Monitoring Session. Refer to Create a Monitoring Session (Azure) for details.

   • On an existing Monitoring Session, navigate to the TRAFFIC PROCESSING tab.

   The GigaVUE‑FM Monitoring Session canvas page appears.

   When the Traffic Acquisition Method is Inline, the UCT-I application is available on the canvas by default.

2. Drag and drop the following items to the canvas as required for Tier 1 or Sub Policy 1:

   • Maps from the new map section. Refer to Create a New Map (Azure) for details.

   • Egress tunnels from the new tunnel section. When configuring Egress Tunnel, configure the Remote Tunnel IP if you intend to send the traffic directly from Tier 1 to the tool. Refer to Create Ingress and Egress Tunnels (Azure) for details.

     Note:  If sending traffic to Tier 2, Remote IP is optional. GigaVUE-FM will automatically add the remote IPs internally.

3. Now create a connection between the three tiles by dragging a line from the Inline-Source tile labeled “Out-Band” to the newly created Map and from Map to Egress tunnel.

Deploy Monitoring Session (Tier 1)

1. From the Actions drop-down list, select Deploy. The Deploy Monitoring Session pop-up appears.

2. Enter the following details:

   • In the Policy Name field, verify the auto-generated policy name or enter a custom name.

   • From the Node Group drop-down list, select the appropriate node group associated with this policy.

   • Under Interface Mapping, configure the interfaces:

     1. From the Ingress - <Tunnel> drop-down list, select the input interface.

     2. From the Egress - <Tunnel> drop-down list, select the output interface.

3. Select Deploy the Monitoring Session.

To view the GigaVUE V Series Node associated with each Sub Policy, navigate to the V SERIES NODES tab and select a policy from the Select a Sub policy drop-down menu.

Tier 2 Monitoring Session (Optional):

You can send the filtered traffic to a Tier 2 V Series node, where GigaVUE-FM enriches and optimizes the data further.

1. In the same Monitoring Session canvas, drag and drop the following items to the canvas as required for Tier 2 or Sub Policy 2:

   • Ingress tunnel (as a source) from the New section. Refer to Create Ingress and Egress Tunnels (Azure) for details.

   • Maps from the New Map section. Refer to Create a New Map (Azure) for details.

   • GigaSMART apps from the Applications section. Refer to Add Applications to Monitoring Session (Azure).

   • Egress tunnels from the new tunnel section. Enter the Remote Tunnel IP address.

2. Create a link from the Ingress Tunnel to the Map or Application, and then connect it to the Egress Tunnel.

3. Create a direct link between the Egress Tunnel of Tier 1 and the Ingress Tunnel of Tier 2. The Blue Dot serves as an identifier to differentiate between tiers.

4. Repeat the above steps to configure a third tier, if required.

Deploy Monitoring Session Tier 1 to Tier 2

1. From the Actions drop-down list, select Deploy.

   The Deploy Monitoring Session pop-up appears.

2. For each Policy (Tier) configured in the Monitoring Session, enter the following details:

   • In the Policy Name field, verify the auto-generated policy name or enter a custom name.

   • From the Node Group drop-down list, select the appropriate node group associated with this policy.

   • Under Interface Mapping, configure the interfaces:

     1. From the Ingress - <Tunnel> drop-down list, select the input interface.

     2. From the Egress - <Tunnel> drop-down list, select the output interface.

3. Select Deploy the Monitoring Session.

To view the GigaVUE V Series Node associated with each Sub Policy, navigate to the V SERIES NODES tab and select a policy from the Select a Sub policy drop-down menu.

What to do Next:

To view Monitoring Session Statistics and Dashboards for Inline V Series Solution, refer to: