Prerequisites for GigaVUE Cloud Suite for Azure
To enable the flow of traffic between the components and the monitoring tools, you must create the following requirements:
| Resource Group |
| Virtual Network |
| Subnets for VNet |
| Network Interfaces (NICs) for VMs |
| Network Security Groups |
| Virtual Network Peering |
| Access control (IAM) |
| Default Login Credentials |
| Recommended Instance Types |
Resource Group
The resource group is a container that holds all the resources for a solution.
To create a resource group in Azure, refer to Create a resource group topic in the Azure Documentation.
Virtual Network
Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the internet, and on-premises networks.
You can only configure the GigaVUE fabric components in a Centralized VNet only. In case of a shared VNet, you must select a VNet as your Centralized VNet for GigaVUE fabric configuration.
To create a virtual network in Azure, refer to Create a virtual network topic in the Azure Documentation.
Subnets for VNet
The following table lists the two recommended subnets that your VNet must have to configure the GigaVUE Cloud components in Azure.
You can add subnets when creating a VNet or add subnets on an existing VNet. Refer to Add a subnet topic in the Azure Documentation for detailed information.
|
Subnet |
Description |
||||||
|
Management Subnet |
Subnet that the GigaVUE-FM uses to communicate with the GigaVUE V Series Nodes and Proxy. |
||||||
|
Data Subnet |
A data subnet can accept incoming mirrored traffic from agents to the GigaVUE V Series Nodes or be used to egress traffic to a tool from the GigaVUE V Series Nodes. There can be multiple data subnets.
Note: If you are using a single subnet, then the Management subnet will also be used as a Data Subnet. |
||||||
|
Tool Subnet |
A tool subnet can accept egress traffic to a tool from the GigaVUE V Series Nodes. There can be only one tool subnet.
|
Network Interfaces (NICs) for VMs
When using UCT-V as the traffic acquisition method, for the UCT-Vs to mirror the traffic from the VMs, you must configure one or more Network Interfaces (NICs) on the VMs.
| Single NIC—If there is only one interface configured on the VM with the UCT-V, the UCT-V sends the mirrored traffic out using the same interface. |
| Multiple NICs—If there are two or more interfaces configured on the VM with the UCT-V, the UCT-V monitors any number of interfaces but has an option to send the mirrored traffic out using any one of the interfaces or using a separate, non-monitored interface. |
Network Security Groups
A network security group defines the virtual firewall rules for your VM to control inbound and outbound traffic. When you launch GigaVUE-FM, GigaVUE V Series Proxy, GigaVUE V Series Nodes, and UCT-V Controllers in your VNet, you add rules that control the inbound traffic to VMs, and a separate set of rules that control the outbound traffic.
To create a network security group and add in Azure, refer to Create a network security group topic in the Azure Documentation.
It is recommended to create a separate security group for each component using the rules and port numbers.
In your Azure portal, select a network security group from the list. In the Settings section select the Inbound and Outbound security rules to the following rules.
Following are the Network Firewall Requirements.
The following table lists the Network Firewall / Security Group requirements for GigaVUE Cloud Suite.
Note: When using dual stack network, the below mentioned ports must be opened for both IPv4 and IPv6.
|
Direction |
Protocol |
Port |
CIDR |
Purpose |
||||||
|
GigaVUE‑FM |
||||||||||
|
Inbound |
TCP |
443 |
Administrator Subnet |
Allows GigaVUE-FM to accept Management connection using REST API. Allows users to access GigaVUE-FM UI securely through HTTPS connection. |
||||||
|
Inbound |
TCP |
22 |
Administrator Subnet |
Allows CLI access to user-initiated management and diagnostics. |
||||||
|
Inbound (This is the port used for Third Party Orchestration) |
TCP |
443 |
UCT-V Controller IP |
Allows GigaVUE-FM to receive registration requests from UCT-V Controller using REST API. |
||||||
|
Inbound (This is the port used for Third Party Orchestration) |
TCP |
443 |
GigaVUE V Series Node IP |
Allows GigaVUE-FM to receive registration requests from GigaVUE V Series Node using REST API when GigaVUE V Series Proxy is not used. |
||||||
|
Inbound (This is the port used for Third Party Orchestration) |
TCP |
443 |
GigaVUE V Series Proxy IP |
Allows GigaVUE-FM to receive registration requests from GigaVUE V Series Proxy using REST API. |
||||||
|
Inbound |
TCP |
5671 |
GigaVUE V Series Node IP |
Allows GigaVUE‑FM to receive traffic health updates from GigaVUE V Series Nodes. |
||||||
|
Inbound |
TCP |
5671 |
UCT-V or Subnet IP |
Allows GigaVUE‑FM to receive statistics from Next Generation UCT-V. |
||||||
|
Inbound |
UDP |
2056 |
GigaVUE V Series Node IP |
Allows GigaVUE‑FM to receive Application Intelligence and Application Visualization reports from GigaVUE V Series Node. |
||||||
|
Outbound |
TCP |
9900 |
GigaVUE‑FM IP |
Allows GigaVUE‑FM to communicate control and management plane traffic with UCT-V Controller |
||||||
|
Outbound (optional) |
TCP |
8890 |
GigaVUE V Series Proxy IP |
Allows GigaVUE‑FM to communicate control and management plane traffic to GigaVUE V Series Proxy |
||||||
|
Outbound |
TCP |
8889 |
GigaVUE V Series Node IP |
Allows GigaVUE‑FM to communicate control and management plane traffic to GigaVUE V Series Node |
||||||
|
Outbound |
TCP |
443 |
Any IP Address |
Allows GigaVUE‑FM to reach the Public Cloud Platform APIs. |
||||||
|
UCT-V Controller |
||||||||||
|
Inbound |
TCP |
9900 |
GigaVUE‑FM IP |
Allows UCT-V Controller to communicate control and management plane traffic with GigaVUE‑FM |
||||||
|
Inbound (This is the port used for Third Party Orchestration) |
TCP |
8891 |
UCT-V or Subnet IP |
Allows UCT-V Controller to receive the registration requests from UCT-V. |
||||||
|
Inbound |
TCP |
22 |
Administrator Subnet |
Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration. |
||||||
|
Outbound (This is the port used for Third Party Orchestration) |
TCP |
443 |
GigaVUE‑FM IP |
Allows UCT-V Controller to send the registration requests to GigaVUE-FM using REST API. |
||||||
|
Outbound |
TCP |
9901 |
UCT-V Controller IP |
Allows UCT-V Controller to communicate control and management plane traffic with UCT-Vs. |
||||||
|
Outbound |
TCP |
5671 |
GigaVUE-FM IP |
Allows UCT-V Controller to send traffic health updates to GigaVUE‑FM. |
||||||
|
UCT-V |
||||||||||
|
Inbound |
TCP |
9901 |
UCT-V Controller IP |
Allows UCT-V to receive control and management plane traffic from UCT-V Controller |
||||||
|
Outbound (This is the port used for Third Party Orchestration) |
TCP |
8891 |
UCT-V Subnet IP |
Allows UCT-V to communicate with UCT-V Controller for registration and Heartbeat |
||||||
|
Outbound |
UDP (VXLAN) |
VXLAN (default 4789) |
UCT-V Subnet IP |
Allows UCT-V to tunnel VXLAN traffic to GigaVUE V Series Nodes |
||||||
|
Outbound |
IP Protocol (L2GRE) |
VXLAN (default 4789) |
UCT-V Subnet IP |
Allows UCT-V to tunnel L2GRE traffic to GigaVUE V Series Nodes |
||||||
|
Outbound (Optional - This port is used only for Secure Tunnels) |
TCP |
11443 |
UCT-V subnet |
Allows UCT-V to securely transfer the traffic to the GigaVUE V Series Node |
||||||
|
Outbound |
TCP |
9900 |
UCT-V Controller IP |
Allows UCT-V to send traffic health updates to UCT-V Controller. |
||||||
|
GigaVUE V Series Proxy (optional) |
||||||||||
|
Inbound |
TCP |
8890 |
GigaVUE‑FM IP |
Allows GigaVUE‑FM to communicate control and management plane traffic with GigaVUE V Series Proxy. |
||||||
|
Inbound (This is the port used for Third Party Orchestration) |
TCP |
8891 |
GigaVUE V Series Node IP |
Allows GigaVUE V Series Proxy to receive registration requests and heartbeat messages from GigaVUE V Series Node. |
||||||
|
Inbound |
TCP |
22 |
Administrator Subnet |
Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration. |
||||||
|
Outbound |
TCP |
443 |
GigaVUE-FM IP |
Allows GigaVUE V Series Proxy to communicate the registration requests to GigaVUE-FM |
||||||
|
Outbound |
TCP |
8889 |
GigaVUE V Series Node IP |
Allows GigaVUE V Series Proxy to communicate control and management plane traffic with GigaVUE V Series Node |
||||||
|
GigaVUE V Series Node |
||||||||||
|
Inbound |
TCP |
8889 |
GigaVUE-FM IP |
Allows GigaVUE V Series Node to communicate control and management plane traffic with GigaVUE-FM |
||||||
|
Inbound |
TCP |
8889 |
GigaVUE V Series Proxy IP |
Allows GigaVUE V Series Node to communicate control and management plane traffic with GigaVUE V Series Proxy. |
||||||
|
Inbound |
UDP (VXLAN) |
VXLAN (default 4789) |
UCT-V Subnet IP |
Allows GigaVUE V Series Nodes to receive VXLAN tunnel traffic to UCT-V |
||||||
|
Inbound |
IP Protocol (L2GRE) |
L2GRE |
UCT-V Subnet IP |
Allows GigaVUE V Series Nodes to receive L2GRE tunnel traffic to UCT-V |
||||||
|
Inbound |
UDPGRE |
4754 |
Ingress Tunnel |
Allows GigaVUE V Series Node to receive tunnel traffic from UDPGRE Tunnel |
||||||
|
Inbound |
TCP |
22 |
Administrator Subnet |
Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration. |
||||||
|
Inbound (Optional - This port is used only for Secure Tunnels) |
TCP |
11443 |
UCT-V subnet |
Allows to securely transfer the traffic to GigaVUE V Series Nodes. |
||||||
|
Outbound |
TCP |
5671 |
GigaVUE-FM IP |
Allows GigaVUE V Series Node to send traffic health updates to GigaVUE‑FM. |
||||||
|
Outbound |
UDP (VXLAN) |
VXLAN (default 4789) |
Tool IP |
Allows GigaVUE V Series Node to tunnel output to the tool. |
||||||
|
Outbound |
IP Protocol (L2GRE) |
VXLAN (default 4789) |
Tool IP |
Allows GigaVUE V Series Node to tunnel output to the tool. |
||||||
|
Outbound |
UDP |
2056 |
GigaVUE-FM IP |
Allows GigaVUE V Series Node to send Application Intelligence and Application Visualization reports to GigaVUE-FM. |
||||||
|
Outbound |
UDP |
2055 |
Tool IP |
Allows GigaVUE V Series Node to send NetFlow traffic to an external tool. |
||||||
|
Outbound |
UDP |
514 |
Tool IP |
Allows GigaVUE V Series Node to send Application Metadata Intelligence log messages to external tools. |
||||||
|
Bidirectional (optional) |
ICMP |
|
Tool IP |
Allows GigaVUE V Series Node to send health check tunnel destination traffic. |
||||||
|
Outbound (This is the port used for Third Party Orchestration) |
TCP |
8891 |
GigaVUE V Series Proxy IP |
Allows GigaVUE V Series Node to send registration requests and heartbeat messages to GigaVUE V Series Proxy when GigaVUE V Series Proxy is used. |
||||||
|
Outbound (This is the port used for Third Party Orchestration) |
TCP |
443 |
GigaVUE-FM IP |
Allows GigaVUE V Series Node to send registration requests and heartbeat messages to GigaVUE-FM when GigaVUE V Series Proxy is not used. |
||||||
|
Outbound (Optional - This port is used only for Secure Tunnels) |
TCP |
11443 |
Tool IP |
Allows to securely transfer the traffic to an external tool. |
||||||
|
Universal Cloud Tap - Container deployed inside Kubernetes worker node |
||||||||||
|
Outbound |
TCP |
42042 |
Any IP address |
Allows UCT-C to send statistics information to UCT-C Controller. |
||||||
|
Outbound |
UDP |
VXLAN (default 4789) |
Any IP address |
Allows UCT-C to tunnel traffic to the GigaVUE V Series Node or other destination. |
||||||
|
UCT-C Controller deployed inside Kubernetes worker node |
||||||||||
|
Inbound |
TCP |
8443 (configurable) |
Load Balancer IP Address |
Allows GigaVUE-FM to communicate with UCT-C Controller. |
||||||
|
Outbound |
TCP |
5671 |
Any IP address |
Allows UCT-C Controller to send statistics to GigaVUE-FM. |
||||||
|
Outbound |
TCP |
443 |
GigaVUE-FM IP address |
Allows UCT-C Controller to communicate with GigaVUE-FM. |
||||||
Virtual Network Peering
Virtual network peering enables you to seamlessly connect two or more Virtual Networks in Azure. Virtual Network Peering is only applicable when multiple Virtual Networks are used in a design. Refer to Virtual Network Peering topic in Azure documentation for more details.
Access control (IAM)
You must have full resource access to the control the GigaVUE cloud components. Refer to Check access for a user topic in the Azure documentation for more details.
Default Login Credentials
You can login to the GigaVUE V Series Node, GigaVUE V Series Proxy, and UCT-V Controller by using the default credentials.
|
Product |
Login credentials |
|
GigaVUE V Series Node |
You can login to the GigaVUE V Series Node by using ssh. The default username and password is not configured. |
|
GigaVUE V Series proxy |
You can login to the GigaVUE V Series Node by using ssh. The default username and password is not configured. |
|
UCT-V Controller |
You can login to the GigaVUE V Series Node by using ssh. The default username and password is not configured. |
Recommended Instance Types
Note: Additional instance types are also supported. Refer to Support, Sales, or Professional Services for deployment optimization.
|
Product |
Instance Type | vCPU | RAM |
|---|---|---|---|
|
GigaVUE V Series Node |
Standard_D4s_v4 |
4 vCPU |
16 GB |
|
Standard_D8S_V4 |
8 vCPU |
32 GB |
|
|
GigaVUE V Series Proxy |
Standard_B1s |
1 vCPU |
1 GB |
|
UCT-V Controller |
Standard_B1s |
1 vCPU |
1 GB |
