This guide explains how to launch the ExtraHop Command appliance AMI to monitor your Amazon Web Services (AWS) environment. You must have administrative access to AWS to launch a third-party AMI and an ExtraHop product key to complete these procedures.
Before you deploy the Command appliance, determine the optimal provisioning needs for your environment. For more information, see the Performance guidelines section.
|Important:||If you want to deploy more than one ExtraHop virtual appliance, create the new instance with the original deployment package or clone an existing instance that has never been started.|
Before you begin
The Amazon Machine Images (AMIs) of ExtraHop appliances are not publicly shared. Before you can start the deployment procedure, you must send your AWS account ID to firstname.lastname@example.org. Your account ID will be linked to the ExtraHop AMIs.
- In a browser, type aws.amazon.com, and click My Account/Console.
- Select AWS Management Console.
- Sign in with your username and password.
- Click EC2.
- In the left navigation panel, under Images, click AMIs.
- Above the table of AMIs, change the Filter from Owned by Me to Public Images.
- In the Search AMIs… field, type ExtraHop.
- Select the checkbox next to the ExtraHop Command appliance AMI, and click Launch.
- In the left navigation panel, click General Purpose and select m3.large.
- Click Next: Configure Instance Details.
From the Network drop-down list, select
Launch into EC2-Classic or select a
You must launch the Command appliance in the same environment as the ExtraHop Discover nodes.
- Select Stop as the default shutdown behavior.
- Click the Protect against accidental termination checkbox.
- Optional: Click the IAM role drop-down list, and select an IAM role.
If you want to configure two interfaces for VPC, scroll down to the
Network Interfaces section and click Add
Device to associate another interface with your instance.
The default number of network interfaces is one. The two interfaces must be on two different subnets.
- Click Next: Add Storage.
- Accept the defaults and click Next: Tag Instance.
- In the Value field, enter a name for the instance.
- Click Next: Configure Security Group.
On the Configure Security Group page, follow the procedure
below to create a new security group or add ports to an existing group. If you
already have a security group with the required ports for ExtraHop, you can skip
- Select either Create a new Security Group or Select an existing security group. If you choose to edit an existing group, select the group you want to edit. If you choose to create a new group, type a name for the Security group and type a Description.
- From the Type drop-down list, select a protocol. Type the port number in the Port Range field.
For each additional port, click the Add Rule
button. Then, from the Type drop-down list,
select a protocol, and type the port number in the Port
The following ports and IP addresses must be opened for the ExtraHop AWS instance:
- TCP ports 22, 80, and 443 inbound to the Command appliance
- These ports must be open to download the installer and administer the ExtraHop system. If you cannot open port 80, you can copy the installer to each instance manually.
- IP addresses of the ExtraHop Discover nodes that are connected to the Command cluster
- After the Command appliance is launched, you must modify the security groups of the connected Discover nodes to allow traffic in from the Command appliance.
- Click Review and Launch.
- Scroll down to review the AMI details, instance type, and security group information, and then click Launch.
- In the pop-up window, from the first drop-down list, select Proceed without a key pair.
- Click the I acknowledge… checkbox and then click Launch Instance.
Click View Instances to return to the AWS Management
When you return to the AWS Management Console, you can view your instance on the Initializing screen.
Complete the following steps to apply a product key supplied by ExtraHop Support in an AWS environment.
|Tip:||To verify that your environment can
resolve DNS entries for the ExtraHop licensing server, open a terminal application
on your Windows, Linux, or Mac OS client and run the following
nslookup -type=NS d.extrahop.com
If the name resolution is successful, output similar to the following appears:
Non-authoritative answer: d.extrahop.com nameserver = ns0.use.d.extrahop.com. d.extrahop.com nameserver = ns0.usw.d.extrahop.com.
- In your browser, type the IP address of the ExtraHop appliance (https://<extrahop_management_ip>/admin).
- Review the license agreement, select I Agree, and click Submit.
On the log in screen, type setup for the user name and
the instance ID for the password.
You can find the Instance ID on the Description tab of an instance selected on the Initializing screen. Type the string of characters that follow i- (but not i- itself), and then click Log In.
- Click Please apply license in Admin UI.
- Click Register.
- Enter the product key, and then click Register.
- Click Done.
The following table provides guidelines that can help you optimize the performance of the Command appliance. These guidelines are minimum requirements that you might need to adjust based on the size and needs of your environment.
|Scalability||Discover Appliances||1-4||5-16||17-64||65 or more|
|Provisioning Requirements||CPU Cores||2||4||8||16|
|RAM||4 GB||8 GB||16 GB||24 GB|
|Disk Total||44 GB|
|Networking Requirements||One 1 Gbps Ethernet network port accessible on port 443|