Deploy the ExtraHop Command Appliance in AWS

This guide explains how to launch the ExtraHop Command appliance (ECA) AMI to monitor your Amazon Web Services (AWS) environment. You must have administrative access to launch a third-party AMI and an ExtraHop product key to complete these procedures.

The following table is a guideline to achieve optimal performance with the ECA. These are minimum requirements that you may need to adjust depending on the size of your environment.

Scalability ExtraHop Nodes 1-4 5-16 17-64 65 or more
Provisioning Requirements CPU Cores 2 4 8 16
RAM 4 GB 8 GB 16 GB 24 GB
Disk Total 44 GB
Networking Requirements One 1 Gbps Ethernet network port accessible on port 443

Creating the ECA Instance in AWS

To create the ECA instance in AWS, complete the following steps:

  1. Go to, click My Account/Console, and select AWS Management Console.

  2. Sign in with your username and password.

  3. Click EC2.

  4. In the left navigation panel, under Images, click AMIs.

  5. Above the table of AMIs, change the Filter from Owned by Me to Public Images.

  6. In the Search AMIs… field, enter ExtraHop.

  7. Select the checkbox next to the ExtraHop Command Appliance AMI and click Launch.

  8. In the left navigation panel, click General Purpose and select m3.large.

  9. Click Next: Configure Instance Details.

  10. Click the Network drop-down list and select Launch into EC2-Classic or a VPC. Ensure that you launch the ECA in the same environment as its ExtraHop appliance node(s).

  11. Use the default shutdown behavior, Stop.

  12. Click the Protect against accidental termination checkbox.

  13. (Optional) Click the IAM role drop-down list and select an IAM role.

  14. (Optional) To use two interfaces for VPC, scroll down to the Network Interfaces section and click Add Device to associate another interface with your instance.

    The default number of network interfaces is one. Ensure the two interfaces are on two different subnets.
  15. Click Next: Add Storage.

  16. Accept the defaults and click Next: Tag Instance.

  17. In the Value field, enter a name for the instance.

  18. Click Next: Configure Security Group.

  19. On the Configure Security Group page, create a security group for the ExtraHop instance if one has not been created already. If so, select the security group and go to the next step.

    1. Select the Create a new Security Group radio button.

    2. Enter a Security group name and Description.

    3. Click the Protocol drop-down list and select a protocol. Type the port number in the Port Range text box and click the Add Rule button. Do this for each new port.

      The following ports and IP addresses need to be opened for the ExtraHop AWS instance:

      • TCP ports 22, 80, and 443 inbound to the ECA: These ports are used to download the installer and administer the ExtraHop system. If you cannot open port 80, you can copy the installer to each instance manually.

      • IP addresses of the ExtraHop systems (nodes) connected to the ECA: Once the ECA is launched, you must modify the security groups of the connected ExtraHop systems to allow the ECA traffic inbound to the ExtraHop systems.

  20. Click Review and Launch.

  21. Scroll down to review the AMI details, instance type, and security group information.

  22. Click Launch.

  23. In the pop-up window, click the first drop-down list and select Proceed without a key pair.

  24. Click the I acknowledge… checkbox and then click Launch Instance.

  25. Click View Instances to return to the AWS Management Console.

  26. When you return to the AWS Management Console, view your instance on the Initializing screen.

  27. Under the table, on the Description tab, find an IP or hostname that is accessible from your environment.

Licensing the ExtraHop System

  1. Once the instance has booted, browse to the Admin UI (https://<extrahop_management_ip>/admin).

  2. Review the license agreement, select I Agree, and click Submit.

  3. In the Login screen, enter setup for the username and the instance ID for the password. The instance ID consists of the string of characters that follow i-.

  4. Click Please apply license in Admin UI.

  5. Click Register to enter the product key.

  6. Enter the product key and then click Register. The ECA now contacts the license server and validates the product key. After the product key is validated, the license is downloaded.

  7. Click Done.

  8. To add ExtraHop appliances to the ECA, go to the Cluster Settings section and click Nodes. For more information about adding a node, refer to the ExtraHop Admin UI Help.

Published 2019-09-16 14:47