Prerequisites
Refer to the following topics for details:
- Subscribe to GigaVUE Cloud Suite Components
- AWS Security Credentials
- Amazon VPC
- Connect GigaVUE-FM to AWS
- Default Login Credentials
Subscribe to GigaVUE Cloud Suite Components
To deploy the GigaVUE Cloud Suite for AWS from the AWS Marketplace, you can subscribe to the following GigaVUE Cloud Suite components.
- GigaVUE V Series Node
- GigaVUE V Series Proxy
- GigaVUE V Series Controller
- GigaVUE-FM BYOL
Note: You will not be charged for subscribing to the components.
To subscribe to the GigaVUE components, perform the following steps:
- Log in to your AWS account.
- Go to https://aws.amazon.com/marketplace/.
- In the Search field, type Gigamon and click Search.
- Select the latest GigaVUE Cloud Suite version link from the list for Gigamon products.
- Click Continue to Subscribe.
AWS Security Credentials
To establish the initial connection between GigaVUE-FM and AWS, you need AWS security credentials. AWS uses these credentials to authenticate your requests and to determine whether you are authorized to access the resources you request.
You need one of the following security credentials:
- Identity and Access Management (IAM) role—If GigaVUE-FM is running within AWS, it is recommended to use an IAM role. With an IAM role, API requests can be made securely from the instance without storing long-lived keys on it. Create an IAM role, ensure that the permissions and policies listed in Permissions are associated with the role, and ensure that you are using Customer Managed Policies or Inline Policies.
- Access Keys—If GigaVUE-FM is deployed in the enterprise data center, you must use access keys (basic credentials) to connect to the VPC. Basic credentials allow full access to all the resources in your AWS account. An access key consists of an access key ID and a secret access key. For detailed instructions on creating access keys, refer to the AWS documentation on Managing Access Keys for Your AWS Account.
Note: To obtain the IAM role or access keys, contact your AWS administrator.
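The following script is an added example (not Gigamon's code) that audits an IAM role against the two properties described above: the role must be assumable by EC2 so that the GigaVUE-FM instance can use it, and its permissions must come from Customer Managed or Inline Policies rather than AWS managed ones. The input dicts are constructed in the shape of `aws iam get-role` and `aws iam list-attached-role-policies` output; the account ID, role name and policy actions are placeholders, and the real permission set is the one listed in the Permissions topic, which this example does not reproduce.

```python
"""Audit an IAM role intended for GigaVUE-FM (added example, not Gigamon's code).

Checks: (1) EC2 may assume the role, (2) no attached policy is AWS managed,
(3) no policy grants '*' on '*'. Sample inputs below are constructed placeholders.
"""


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy_doc):
    return _as_list(policy_doc.get("Statement"))


def trusts_ec2(assume_role_policy):
    """True if the trust policy lets EC2 instances assume the role."""
    for st in _statements(assume_role_policy):
        if st.get("Effect") != "Allow":
            continue
        services = _as_list(st.get("Principal", {}).get("Service"))
        if "sts:AssumeRole" in _as_list(st.get("Action")) and "ec2.amazonaws.com" in services:
            return True
    return False


def is_aws_managed(policy_arn):
    """AWS managed policies live in the pseudo-account 'aws'; customer managed ones carry your account ID."""
    return policy_arn.startswith("arn:aws:iam::aws:policy/")


def grants_full_access(policy_doc):
    """True if any Allow statement grants every action on every resource."""
    return any(
        st.get("Effect") == "Allow"
        and "*" in _as_list(st.get("Action"))
        and "*" in _as_list(st.get("Resource"))
        for st in _statements(policy_doc)
    )


def audit_role(role, attached_policies, policy_documents):
    """Return a list of findings; an empty list means the role passes every check.

    role              : dict with "AssumeRolePolicyDocument" (get-role shape)
    attached_policies : list of {"PolicyName", "PolicyArn"} (list-attached-role-policies shape)
    policy_documents  : {PolicyName: policy document} for attached and inline policies
    """
    findings = []
    if not trusts_ec2(role["AssumeRolePolicyDocument"]):
        findings.append("trust policy does not allow ec2.amazonaws.com to assume the role")
    for pol in attached_policies:
        if is_aws_managed(pol["PolicyArn"]):
            findings.append(f"{pol['PolicyName']} is an AWS managed policy; use a customer managed or inline policy")
    for name, doc in policy_documents.items():
        if grants_full_access(doc):
            findings.append(f"{name} allows '*' on '*'; restrict it to the documented permissions")
    return findings


# Constructed sample: the account ID, role name and policy actions are placeholders.
SAMPLE_ROLE = {
    "RoleName": "GigaVUE-FM-Role",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "ec2.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    },
}
SAMPLE_ATTACHED = [
    {"PolicyName": "AdministratorAccess", "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    {"PolicyName": "GigaVUE-FM-Policy", "PolicyArn": "arn:aws:iam::123456789012:policy/GigaVUE-FM-Policy"},
]
SAMPLE_DOCS = {
    "AdministratorAccess": {"Version": "2012-10-17",
                            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    # Placeholder actions only; the required list is in the Permissions topic.
    "GigaVUE-FM-Policy": {"Version": "2012-10-17",
                          "Statement": [{"Effect": "Allow",
                                         "Action": ["ec2:DescribeInstances", "ec2:DescribeSubnets"],
                                         "Resource": "*"}]},
}

if __name__ == "__main__":
    for finding in audit_role(SAMPLE_ROLE, SAMPLE_ATTACHED, SAMPLE_DOCS) or ["role passes all checks"]:
        print(finding)
```

Run against the sample, the audit reports the AWS managed AdministratorAccess attachment and its wildcard grant; dropping that attachment leaves only the customer managed policy and the audit returns no findings.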
Amazon VPC
You must have an Amazon Virtual Private Cloud (VPC) to launch GigaVUE components into your virtual network.
Note: To create a VPC, refer to the Create a VPC topic in the AWS Documentation.
Your VPC must have the following elements to configure the GigaVUE Cloud Suite for AWS components:
Subnet for VPC
The VPC must have at least one subnet to configure the GigaVUE Cloud Suite for AWS components. You can deploy the components either in a single subnet or in multiple subnets.
- Management Subnet, which GigaVUE-FM uses to communicate with the GigaVUE V Series nodes, GigaVUE V Series controllers, and UCT-V Controllers.
- Data Subnet, which accepts incoming mirrored traffic from agents or is used to egress traffic to a tool.
If a single subnet is used, the Management Subnet is also used as the Data Subnet.
Security Group
When you launch GigaVUE-FM, GigaVUE V Series Proxies, GigaVUE V Series Nodes, and UCT-V Controllers, a security group acts as a virtual firewall for each instance and regulates its inbound and outbound traffic. You add one set of rules to manage inbound traffic to the instances and a distinct set of rules to control outbound traffic.
It is recommended to create a separate security group for each component using the rules and port numbers listed in the following table, which lists the Network Firewall / Security Group requirements for GigaVUE Cloud Suite.
Note: When using a dual stack network, the following ports must be opened for both IPv4 and IPv6.
Direction | Protocol | Port | CIDR | Purpose
--- | --- | --- | --- | ---
GigaVUE-FM | | | |
Inbound | TCP | 443 | Administrator Subnet | Allows GigaVUE-FM to create the Management connection.
Inbound | TCP | 22 | Administrator Subnet | Allows CLI access for user-initiated management and diagnostics.
Inbound (Third Party Orchestration port) | TCP | 443 | UCT-V Controller IP | Allows GigaVUE-FM to receive registration requests from UCT-V Controller.
Inbound (Third Party Orchestration port) | TCP | 443 | GigaVUE V Series Node IP | Allows GigaVUE-FM to receive registration requests from GigaVUE V Series Node when GigaVUE V Series Proxy is not used.
Inbound (Third Party Orchestration port) | TCP | 443 | GigaVUE V Series Proxy IP | Allows GigaVUE-FM to receive registration requests from GigaVUE V Series Proxy.
Inbound | TCP | 5671 | GigaVUE V Series Node IP | Allows GigaVUE-FM to receive traffic health updates from GigaVUE V Series Nodes.
Inbound | TCP | 5671 | UCT-V or Subnet IP | Allows GigaVUE-FM to receive statistics from Next Generation UCT-V.
Inbound | UDP | 2056 | GigaVUE V Series Node IP | Allows GigaVUE-FM to receive Application Intelligence and Application Visualization reports from GigaVUE V Series Node.
Outbound | TCP | 9900 | GigaVUE-FM IP | Allows GigaVUE-FM to communicate control plane and data plane traffic with UCT-V Controller.
Outbound (optional) | TCP | 8890 | GigaVUE V Series Proxy IP | Allows GigaVUE-FM to communicate control plane and data plane traffic to GigaVUE V Series Proxy.
Outbound | TCP | 8889 | GigaVUE V Series Node IP | Allows GigaVUE-FM to communicate control plane and data plane traffic to GigaVUE V Series Node.
Outbound | TCP | 443 | GigaVUE-FM IP Address | Allows GigaVUE-FM to reach the Public Cloud Platform APIs.
Outbound | TCP | 8443 | UCT-C Controller IP Address | Allows GigaVUE-FM to communicate with UCT-C Controller.
UCT-V Controller | | | |
Inbound | TCP | 9900 | GigaVUE-FM IP | Allows UCT-V Controller to communicate with GigaVUE-FM.
Inbound (Third Party Orchestration port) | TCP | 8891 | UCT-V or Subnet IP | Allows UCT-V Controller to receive registration requests from UCT-V.
Inbound | TCP | 22 | Administrator Subnet | Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration.
Outbound (Third Party Orchestration port) | TCP | 443 | GigaVUE-FM IP | Allows UCT-V Controller to send registration requests to GigaVUE-FM.
Outbound | TCP | 9901 | UCT-V Controller IP | Allows UCT-V Controller to communicate with UCT-Vs.
Outbound | TCP | 5671 | GigaVUE-FM IP | Allows UCT-V Controller to send traffic health updates to GigaVUE-FM.
UCT-V | | | |
Inbound | TCP | 9901 | UCT-V Controller IP | Allows UCT-V to receive stateful communication from UCT-V Controller.
Outbound (Third Party Orchestration port) | TCP | 8891 | UCT-V or Subnet IP | Allows UCT-V to communicate with UCT-V Controller for registration and heartbeat.
Outbound | | VXLAN (default 4789) | UCT-V or Subnet IP | Allows UCT-V to tunnel (VXLAN/L2GRE) traffic to V Series nodes.
Outbound | TCP | 11443 | UCT-V subnet | Allows UCT-V to securely transfer traffic to GigaVUE V Series Node.
Outbound | TCP | 9900 | UCT-V Controller IP | Allows UCT-V to send traffic health updates to UCT-V Controller.
GigaVUE V Series Proxy (optional) | | | |
Inbound | TCP | 8890 | GigaVUE-FM IP | Allows GigaVUE-FM to communicate with GigaVUE V Series Proxy.
Inbound (Third Party Orchestration port) | TCP | 8891 | GigaVUE V Series Node IP | Allows GigaVUE V Series Proxy to receive registration requests and heartbeat messages from GigaVUE V Series Node.
Inbound | TCP | 22 | Administrator Subnet | Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration.
Outbound | TCP | 443 | GigaVUE-FM IP | Allows GigaVUE V Series Proxy to send registration requests to GigaVUE-FM.
Outbound | TCP | 8889 | GigaVUE V Series Node IP | Allows GigaVUE V Series Proxy to communicate with GigaVUE V Series Node.
GigaVUE V Series Node | | | |
Inbound | TCP | 8889 | GigaVUE-FM IP | Allows GigaVUE V Series Node to communicate with GigaVUE-FM.
Inbound | TCP | 8889 | GigaVUE V Series Proxy IP | Allows GigaVUE V Series Node to communicate with GigaVUE V Series Proxy.
Inbound | | | UCT-V or Subnet IP | Allows GigaVUE V Series Node to tunnel (VXLAN/L2GRE) traffic to UCT-V.
Inbound | UDPGRE | 4754 | Ingress Tunnel | Allows GigaVUE V Series Node to communicate and tunnel traffic from the UDPGRE Tunnel.
Inbound | TCP | 22 | Administrator Subnet | Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration.
Outbound | TCP | 5671 | GigaVUE-FM IP | Allows GigaVUE V Series Node to send traffic health updates to GigaVUE-FM.
Outbound | | VXLAN (default 4789) | Tool IP | Allows GigaVUE V Series Node to communicate and tunnel traffic to the tool.
Outbound | UDP | 2056 | GigaVUE-FM IP | Allows GigaVUE V Series Node to send Application Intelligence and Application Visualization reports to GigaVUE-FM.
Outbound | UDP | 2055 | Tool IP | Allows GigaVUE V Series Node to send NetFlow traffic to an external tool.
Outbound | UDP | 514 | Tool IP | Allows GigaVUE V Series Node to send Application Metadata Intelligence log messages to an external tool.
Outbound (optional) | ICMP | | Tool IP | Allows GigaVUE V Series Node to send health check traffic to the tunnel destination.
Outbound (Third Party Orchestration port) | TCP | 8891 | GigaVUE V Series Proxy IP | Allows GigaVUE V Series Node to send registration requests and heartbeat messages to GigaVUE V Series Proxy when GigaVUE V Series Proxy is used.
Outbound (Third Party Orchestration port) | TCP | 443 | GigaVUE-FM IP Address | Allows GigaVUE V Series Node to send registration requests and heartbeat messages to GigaVUE-FM when GigaVUE V Series Proxy is not used.
Bidirectional | TCP | 11443 | GigaVUE V Series Node subnet | Allows secure transfer of traffic between GigaVUE V Series Nodes.
Universal Cloud Tap - Container (UCT-C) deployed inside Kubernetes worker node | | | |
Outbound | TCP | 42042 | Any IP address | Allows UCT-C to send statistics to UCT-C Controller.
UCT-C Controller deployed inside Kubernetes worker node | | | |
Inbound | TCP | 8443 (configurable) | Any IP address | Allows UCT-C Controller to communicate with GigaVUE-FM.
Outbound | TCP | 5671 | Any IP address | Allows UCT-C Controller to send statistics to GigaVUE-FM.
Outbound | TCP | VXLAN (default 4789) | Any IP address | Allows UCT-C Controller to communicate and tunnel traffic to the tool.
Outbound | TCP | 443 | Any IP address | Allows UCT-C Controller to communicate with GigaVUE-FM.
Key Pair
A key pair consists of a public key and a private key. When you define the specifications for the UCT-V Controllers, GigaVUE V Series nodes, and GigaVUE V Series Proxy in your VPC, you must create a key pair and specify the name of this key pair.
To create a key pair, refer to Create a key pair using Amazon EC2 topic in the AWS Documentation.
Default Login Credentials
You can log in to the GigaVUE V Series Node, GigaVUE V Series Proxy, and UCT-V Controller by using the default credentials.
Product | Login credentials
--- | ---
GigaVUE V Series Node | Log in by using SSH. The default username and password are: Username: admin; Password: use the SSH key.
GigaVUE V Series Proxy | Log in by using SSH. The default username and password are: Username: admin; Password: use the SSH key.
UCT-V Controller | Log in by using SSH. The default username and password are: Username: admin; Password: use the SSH key.