Deploying Gigamon Cloud Suite for AWS Behind NLB to Gain Cross Account Visibility (5.14)
Introduction
Public clouds, especially AWS, are a popular choice among enterprises migrating their products and solutions to the cloud. Enterprises can extend their security posture to AWS by deploying the Gigamon Cloud Suite, which enables pervasive visibility. In a cloud environment, where target VMs can be scaled in and out across various VPCs in multiple AWS accounts depending on demand, it becomes critical to maintain consistent visibility to ensure constant vigilance. Enterprises can deploy the target VMs behind a load balancer to manage such situations seamlessly. The Gigamon visibility fabric can integrate with an external load balancer, allowing it to deploy V Series nodes that aggregate, filter, and forward traffic to the tool(s). This Gigamon Validated Design (GVD) illustrates deploying a load balancer that works with the Gigamon visibility fabric across multiple VPCs and AWS accounts to monitor VMs that are scaled in and out.
NOTE: Please check with your Gigamon Sales contact or Gigamon Support for more information about support for the cloud or virtualization platform you are considering.
Design Topology

Design Overview
The design depicts deploying the GigaVUE Cloud Suite fabric components in a centralized VPC, where the target VMs from the Web tier and App tier (in various VPCs) across multiple AWS accounts are deployed behind an external AWS Network Load Balancer. GigaVUE-FM creates VPC mirroring on the target VMs to mirror and forward the traffic to the load balancer. The load balancer deploys or deletes additional V Series 2.0 nodes and distributes the traffic among them to aggregate, filter, and forward the traffic to the tool(s) over the VXLAN tunnel. The V Series node supports different tunnel encapsulations; refer to the AWS Configuration Guide for details. In AWS, the Auto Scaling group monitors the load across all V Series nodes and adds or removes them via RESTful API integration with GigaVUE-FM when the traffic load crosses or drops below a pre-defined threshold.
This design assumes that all EC2 targets under consideration are monitored; hence, the V Series nodes are configured to pass all IPv4 traffic. However, you can choose to monitor specific EC2 targets either by configuring filtering rules that match the IP addresses of specific hosts/interfaces or by configuring the inclusion and exclusion maps (refer to the section Deployment Steps). In addition, the V Series nodes can be configured to apply various traffic optimization techniques (GigaSMART apps). Refer to the validated designs on the Gigamon Community portal for the related use cases.
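To make the inclusion/exclusion map idea concrete, here is an added illustrative evaluator (not Gigamon or GigaVUE-FM code) that applies IP-based pass and drop rules to mirrored flow records. The precedence it assumes (any exclusion match drops the flow; otherwise an inclusion match forwards it; no match drops) and the subnets and flows are constructed for the example, not taken from the design.

```python
"""Illustrative inclusion/exclusion map evaluator (added example, not Gigamon code).

Assumed semantics for this sketch: a flow is dropped if any exclusion rule
matches; otherwise it is forwarded to the tool if any inclusion rule matches;
flows matching nothing are dropped.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    src: Optional[str] = None      # CIDR; None means "any"
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        if self.src and ip_address(f.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(f.dst) not in ip_network(self.dst):
            return False
        if self.proto and self.proto != f.proto:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        return True


def forward_to_tool(f: Flow, include: Iterable[Rule], exclude: Iterable[Rule]) -> bool:
    """Exclusion wins over inclusion; a flow matching no rule is dropped."""
    if any(r.matches(f) for r in exclude):
        return False
    return any(r.matches(f) for r in include)


# Constructed sample: pass everything (the design's default), but exclude
# TCP/5432 originating from the App-tier subnet so database traffic stays off the tool.
INCLUDE = [Rule()]
EXCLUDE = [Rule(src="10.20.0.0/16", proto="tcp", dport=5432)]
SAMPLE = [
    Flow("10.10.1.5", "10.20.2.7", "tcp", 8080),   # web -> app: forwarded
    Flow("10.20.2.7", "10.30.0.9", "tcp", 5432),   # app -> db: excluded
    Flow("10.20.2.7", "10.10.1.5", "tcp", 443),    # app -> web: forwarded
]


def decisions(flows=SAMPLE):
    return [forward_to_tool(f, INCLUDE, EXCLUDE) for f in flows]
```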
A typical AWS deployment to support the external load balancer requires the following components:
- GigaVUE-FM (Fabric Manager): Provides a unified interface to deploy, configure, and troubleshoot the Gigamon solution.
- GigaVUE V Series Node version 2.4.0 (aka V Series 2.0): The traffic aggregator for the EC2 targets that support VPC mirroring. It supports various filtering and traffic optimization techniques to sanitize the traffic before forwarding it to the tools.
- AWS Network Load Balancer: Uniformly distributes traffic from AWS target VMs to the GigaVUE V Series nodes.
To learn more about this solution, read complete details on the Gigamon Community: Deploying Gigamon Cloud Suite for AWS Behind NLB to Gain Cross Account Visibility 5.14.