Integrate ExtraHop with AWS CloudFormation

This guide explains how to integrate the ExtraHop system with Amazon Web Services (AWS) CloudFormation. This guide assumes you have completed the procedure to install an EH1000v, EH2000v, or ExtraHop Discovery Edition in AWS. You must have launched an ExtraHop AMI in the same region with the proper security groups configured to deploy a stack or monitor autoscaling groups.

Deploying a Stack

To deploy a stack in CloudFormation, complete the following steps:

  1. Go to aws.amazon.com, click My Account/Console, and select AWS Management Console.

  2. Sign in with your username and password.

  3. Go to http://aws.amazon.com/cloudformation/aws-cloudformation-templates/.

  4. Right-click the template you want to use and save it to your workstation.

  5. Open the template file in a text editor.

  6. Define the ExtraHop IP and port by pasting the code at the end of the “Parameters” section as shown in the following example:

    "EXTRAHOPIP" : {

    "DEFAULT" : "10.10.0.0",

    "DESCRIPTION" : "IP ADDRESS OF EXTRAHOP APPLIANCE",

    "TYPE" : "STRING"

    },

    "EXTRAHOPPORT" : {

    "DEFAULT" : "2003",

    "DESCRIPTION" : "PORT FOR EXTRAHOP FORWARDERS",

    "TYPE" : "STRING"

    }

    Some PDF viewers may add extra newlines when copying and pasting commands. Ensure the text has copied correctly before running the command.
  7. (Single stack) If you are deploying a single stack, format the user data script for CloudFormation by pasting the following code after "#!/bin/bash", "\n", in the “User Data” section:

    "curl --connect-timeout 10 --fail -k 'https://", { "Ref" : "ExtraHopIP" }, "/tools/install-rpcapd.sh' > install-rpcapd.sh" ,"\n",

    "sh install-rpcapd.sh ", { "Ref" : "ExtraHopIP" }, " ", { "Ref" : "ExtraHopPort" },"\n"

    If the template you are using does not contain a “User Data” or "#!/bin/bash", "\n", section, you must create the sections to run this command formatted as follows:

    "UserData" : {

    "Fn::Base64" : { "Fn::Join" : [ "", [

    "#!/bin/bash", "\n",

    "curl --connect-timeout 10 --fail -k 'https://", { "Ref" : "ExtraHopIP" }, "/tools/install-rpcapd.sh' > install-rpcapd.sh" ,"\n",

    "sh install-rpcapd.sh ", { "Ref" : "ExtraHopIP" }, " ", { "Ref" :

    "ExtraHopPort" },"\n"] ]

    }

    }

    Refer to the following example of the “Resources” attribute:

    "Resources" : {

    "Ec2Instance" : {

    "Type" : "AWS::EC2::Instance",

    "Properties" : {

    "SecurityGroups" : [ "security-group" ],

    "KeyName" : "key-name",

    "ImageId" : { "Ref" : "AMI" },

    "UserData" : {

    "Fn::Base64" : { "Fn::Join" : [ "", [

    "#!/bin/bash -v", "\n",

    "curl --connect-timeout 10 --fail -k 'https://", { "Ref" : "ExtraHopIP" }, "/tools/install-rpcapd.sh' > install-rpcapd.sh" ,"\n",

    "sh install-rpcapd.sh ", { "Ref" : "ExtraHopIP" }, " ", { "Ref" : "ExtraHopPort" },"\n"] ]

    }

    }

    }

    }

    }

    (Autoscaling groups) If you are monitoring autoscaling groups, format the user data script for CloudFormation by pasting the following code after "#!/bin/bash", "\n", in the “User Data” section:

    "curl --connect-timeout 10 --fail -k 'https://", { "Ref" : "ExtraHopIP" }, "/tools/install-rpcapd.sh' > install-rpcapd.sh" ,"\n",

    "sh install-rpcapd.sh ", { "Ref" : "ExtraHopIP" }, " ", { "Ref" : "ExtraHopPort" },"\n"

    If the template you are using does not contain a “User Data” or "#!/bin/bash", "\n", section, you must create the sections to run this command formatted as follows:

    "UserData" : {

    "Fn::Base64" : { "Fn::Join" : [ "", [

    "#!/bin/bash", "\n", "curl --connect-timeout 10 --fail -k 'https://", { "Ref" : "ExtraHopIP" }, "/tools/install-rpcapd.sh' > install-rpcapd.sh" ,"\n",

    "sh install-rpcapd.sh ", { "Ref" : "ExtraHopIP" }, " ", { "Ref" : "ExtraHopPort" },"\n"] ]

    }

    }

    Refer to the following example of the “LaunchConfig” attribute:

    "LaunchConfig": {

    "Type" : "AWS::AutoScaling::LaunchConfiguration",

    "Metadata" : {

    ...

    },

    "Properties": {

    ... "UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [

    "#!/bin/bash -v\n",

    "curl --connect-timeout 10 -k 'https://[ExtraHopIP]/tools/install-rpcapd.sh' > install-rpcapd.sh","\n",

    "sh install-rpcapd.sh [ExtraHopIP] [Port]”]]

    }

    }

    }

    }

    Updating user data parameters will not change the packet forwarder settings on instances that have already been created. The user data field is processed only on instance initialization.
  8. Save the template file.

  9. Go to the CloudFormation Management Console at https://console.aws.amazon.com/cloudformation and click Create New Stack.

  10. In the Stack Name field, enter a name.

  11. Click the Upload a Template File radio button.

  12. Click Choose File and select the template file you saved earlier.

  13. Click Continue.

  14. On the Specify Parameters screen, enter the parameters defined in the template.

  15. In the ExtraHopIP field, enter your ExtraHop IP address.

  16. In the ExtraHopPort field, enter the port number, which is 2003 by default.

  17. Click Continue.

  18. (Optional) On the Add Tags screen, complete the Key and Value fields and click Continue.

  19. Review the stack information and click Continue.

  20. Click Close.

  21. After the browser redirects to the CloudFormation Management Console, view the status, CREATE_IN_PROGRESS. When the stack has been built, the status changes to CREATE_COMPLETE.

  22. Go to the EC2 management console.

  23. Click the stack you just created and find the private IP.

  24. Log in to the ExtraHop Web UI to analyze packet-forwarding traffic.

Analyzing Packet Forwarding Traffic in the ExtraHop Web UI

To find out how much forwarded traffic the ExtraHop system is receiving, complete the following steps.

  1. Log in to the ExtraHop Web UI (https://<extrahop_management_ip>/extrahop) and click the Settings button in the top right corner.

  2. Click System Health to get more information about the packet forwarding traffic. This page displays a Packets and Throughput graph for each packet forwarder connected to the ExtraHop system.

The RPCAP Packets and Throughput graphs contain four metrics:

  • Encapsulation: The total number of RPCAP encapsulation packets received by the ExtraHop system.

  • Tunnel Eligible: Total number of packets eligible to be forwarded to the ExtraHop system.

  • Tunnel Sent: Total number of RPCAP-tunneled packets forwarded to the ExtraHop system.

  • Tunnel Received: Total number of RPCAP-tunneled packets received by the ExtraHop system.

    The Tunnel Eligible, Tunnel Sent, and Tunnel Received values are equal if the ExtraHop system is receiving and processing all the packets sent by the server. If they are not, use the following reference for troubleshooting:

If Tunnel Sent is less than Tunnel Eligible, the server is not able to forward out all the traffic. This may indicate that packet forwarding requires more processing or outbound bandwidth resources on the instance. Consider separating the forwarding process onto a separate CPU or allocating a dedicated interface for forwarding traffic.

  • If Tunnel Received is less than Tunnel Sent, the ExtraHop system is not receiving all the traffic forwarded by the instance. This may be due to network congestion or insufficient resources on the ExtraHop system. If you suspect it is the latter, contact ExtraHop Support.

Published 2017-07-17 18:27