Prerequisites for Application Metadata Exporter

Prerequisites for AWS

Prerequisites to follow when creating a monitoring domain and deploying a GigaVUE V Series Node in AWS:

  • Select Traffic Acquisition Method as Customer Orchestrated Source. Refer to Create a Monitoring Domain for more detailed information on how to create a monitoring domain.
  • Select an Instance type with three or more NICs. Refer to Configure GigaVUE Fabric Components in GigaVUE-FM for more detailed information on how to deploy a GigaVUE V Series Node.
  • When the Traffic Acquisition Method is selected as Customer Orchestrated Source, the Volume Size field appears on the AWS Fabric Launch Configuration page. Enter the Volume Size as 80GB.

Prerequisites for Azure

Prerequisites to follow when creating a monitoring domain and deploying a GigaVUE V Series Node in Azure:

  • Select Traffic Acquisition Method as Customer Orchestrated Source. Refer to Create Monitoring Domain for more detailed information on how to create a monitoring domain.
  • Select a Size with three or more NICs. Refer to Configure GigaVUE Fabric Components in GigaVUE-FM for more detailed information on how to deploy a GigaVUE V Series Node.
  • When the Traffic Acquisition Method is selected as Customer Orchestrated Source, the Disk Size field appears on the Azure Fabric Launch Configuration page. Enter the Disk Size as 80GB.

Prerequisites for VMware

Prerequisites to follow when creating a monitoring domain and deploying GigaVUE V Series Node in VMware:

Prerequisites for Export of GigaVUE Enriched Metadata for Cloud Workloads

This section provides the detailed steps that need to be performed in each platform for exporting the enriched metadata from cloud workloads.

AWS:

The following section describes how to set up IAM roles with least privileges for exporting GigaVUE Enriched Metadata for Cloud Workloads:

  1. Create two IAM roles.
    • The first role (AMXEC2Role) is for the AMX instance that gets launched, and lets the instance access the assume role (STS) service.
    • The second role (AMXToAssumeRole) has the AmazonEC2ReadOnlyAccess permission.
  2. Map the instance role to an assume role that has AmazonEC2ReadOnlyAccess permissions.

    1. Copy the ARN of the AMXEC2Role.
    2. Click AMXToAssumeRole > Trust Relationships > Edit Trust Policy.
    3. Click Add a principal.
    4. Select IAM role as Principal Type. Paste the AMXEC2Role ARN that was copied. This is the critical step of mapping the two IAM roles.
    5. Click Add principal > Update Policy.
  3. Add the ARN of AMXToAssumeRole to the AMX ingestion configuration options.

    1. Copy the ARN and add it as aws_assume_role_arn in the AWS ingestion configuration.
    2. If aws_assume_role_arn is configured, there is no need to provide a token and keys.
  4. (optional) Create an SQS queue. Refer to Create a queue using the Amazon SQS console in AWS documentation for more detailed information.
  5. (optional) Create an EventBridge Rule. In the Select Target field, select the SQS queue created in the previous step. Refer to Creating rules that react to events in Amazon EventBridge in AWS documentation for more detailed information.
  6. (optional) Add the SQS URL to the AMX ingestion configuration options.

    Copy the URL and add it as aws_sqs_url in the AWS ingestion configuration.
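
The two policy documents that steps 1 to 3 produce, with a check that the AMXToAssumeRole trust policy trusts only AMXEC2Role. This is an added example, not Gigamon or AWS code; the account ID is a constructed placeholder and the function names are hypothetical.

```python
import json

# Constructed placeholder account ID; the role names come from the steps above.
ACCOUNT_ID = "111122223333"
AMX_EC2_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/AMXEC2Role"
AMX_TO_ASSUME_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/AMXToAssumeRole"


def instance_role_policy(target_role_arn):
    """Permission policy for AMXEC2Role: may assume only the one target role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": target_role_arn}]}


def trust_policy(principal_role_arn):
    """Trust policy for AMXToAssumeRole: only the AMX instance role may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": principal_role_arn},
        "Action": "sts:AssumeRole"}]}


def audit_trust_policy(policy, expected_principal_arn):
    """Return findings for Allow statements that trust more than the expected role."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("trusts any principal (*)")
            continue
        arns = principal.get("AWS", [])
        arns = [arns] if isinstance(arns, str) else arns
        for arn in arns:
            if arn == "*":
                findings.append("trusts any AWS principal (*)")
            elif arn.endswith(":root") or arn.isdigit():
                findings.append(f"trusts a whole account: {arn}")
            elif arn != expected_principal_arn:
                findings.append(f"unexpected principal: {arn}")
        findings.extend(f"unexpected principal type: {k}" for k in principal if k != "AWS")
    return findings


if __name__ == "__main__":
    print(json.dumps(trust_policy(AMX_EC2_ROLE_ARN), indent=2))
    print(json.dumps(instance_role_policy(AMX_TO_ASSUME_ROLE_ARN), indent=2))
```

An empty findings list means the trust relationship is scoped to the single instance role, which is what the mapping in step 2 is meant to achieve.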

Azure:

The following steps need to be performed in Azure for exporting enriched metadata from Azure workloads:

  1. Create a Storage Account under the Resource Group. Refer to Create an Azure storage account in Azure documentation for more detailed information.
  2. Create a Storage Queue under the Storage Account. Refer to Quickstart: Create a queue and add a message with the Azure portal in Azure Documentation for more detailed information.
  3. Under the Storage Account, go to Access Control (IAM), select “Storage Queue Data Contributor”, and select your ID to add the IAM role. Refer to Assign Azure roles using the Azure portal for more detailed information on how to assign roles.
  4. (optional) Create an Event subscription. Refer to the Create an event subscription section in the Azure documentation.
  5. In the Storage queue, switch the Authentication method to Access key.

The following section describes how to set up IAM permissions in Azure for exporting GigaVUE Enriched Metadata for Cloud Workloads:

Register an application and assign a role to the application with the following set of minimum IAM permissions. Refer to Register an application with Microsoft Entra ID and create a service principal and Assign a role to the application in the Azure documentation for more detailed information.

Minimum IAM permissions required:

Microsoft.Network/virtualNetworks/read
Microsoft.Network/publicIPAddresses/read
Microsoft.Network/networkSecurityGroups/read
Microsoft.Compute/virtualMachineScaleSets/read
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/images/read
Microsoft.Network/networkInterfaces/read
Microsoft.Resources/subscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/read
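
One way to turn the list above into a custom role definition and to compare an existing role against it, as an added example that is not Gigamon or Microsoft code. The role name, description, subscription ID and function names are hypothetical; the JSON shape is the one used for Azure custom role definitions, and NotActions are not evaluated by the comparison.

```python
import fnmatch
import json

# The minimum permissions listed above.
MINIMUM_ACTIONS = [
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/publicIPAddresses/read",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Compute/virtualMachineScaleSets/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/images/read",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
]


def custom_role_definition(name, scope):
    """Build a custom role that grants exactly the minimum actions."""
    return {
        "Name": name,  # hypothetical role name supplied by the caller
        "IsCustom": True,
        "Description": "Read-only inventory access for enriched metadata export",
        "Actions": sorted(MINIMUM_ACTIONS),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [scope],
    }


def compare_with_minimum(role):
    """Return (missing, excess): required actions not granted, grants beyond the list."""
    granted = role.get("Actions", [])
    required = {a.lower() for a in MINIMUM_ACTIONS}
    # Azure action strings are case-insensitive and may contain '*' wildcards.
    missing = [a for a in MINIMUM_ACTIONS
               if not any(fnmatch.fnmatchcase(a.lower(), g.lower()) for g in granted)]
    excess = [g for g in granted if g.lower() not in required]
    return missing, excess


if __name__ == "__main__":
    # Constructed placeholder subscription ID.
    role = custom_role_definition(
        "AMX Metadata Reader", "/subscriptions/00000000-0000-0000-0000-000000000000")
    print(json.dumps(role, indent=2))
    print(compare_with_minimum({"Actions": ["*/read"]}))  # wildcard grant shows as excess
```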

VMware:

The following are the prerequisites required:

  • URL - The URL of VMware vCenter.
  • Username - Username of the VMware vCenter.
  • Password - vCenter password used to connect to the vCenter.
  • Self Signed Certificate
    • True - When self signed certificate = true, use the default certificate.
    • False - When self signed certificate = false, a PKI certificate must be used. Refer to the Replace the Default Certificate with a Custom Certificate Using the vSphere Client section in the VMware documentation for more detailed information on how to replace the default certificate with a custom certificate.

      Note: The default CA trust store is supported based on Ubuntu version 22.04.4. The default trust store cannot be updated to include internal CA certificates.

  • Ensure that the VM tools are installed on the ESXi hosts that are being monitored to fetch the properties of the virtual machines.
  • The minimum role required for exporting GigaVUE Enriched Metadata from VMware is the Read Only Role. Refer to the vCenter Server System Roles section in the VMware documentation for more detailed information.