Set up ExtraHop Reveal(x) Cloud in AWS

This guide provides instructions for configuring a virtual tap that sends a mirrored copy of your network traffic from AWS to ExtraHop Reveal(x) Cloud. ExtraHop will work with your designated technical contact to provide specifications and next steps as needed.

Before you begin

  • You must have a privileged AWS account that enables you to make configuration changes.
  • You must have created a user account in Okta for Reveal(x) Cloud. Instructions are provided in an email from ExtraHop Networks.
  • Collect the following information from the email sent to you from cloud-provisioning@extrahop.com:
    • Your Reveal(x) Cloud AWS Account ID
    • The region and VPC ID for Reveal(x) Cloud
    • The destination subnet where you will mirror traffic
  • Collect the following information about your AWS account:
    • The AWS Account ID associated with the VPC of the network you want to mirror
    • The VPC ID of the network you want to mirror
    • The source subnet for the traffic you want to mirror

Establish a VPC peering connection

In the following procedures, you will connect your source VPC to the target ExtraHop Reveal(x) Cloud VPC and send a request for the connection to be approved.

Create a VPC peering connection

You must create a VPC peering connection before Reveal(x) Cloud can receive mirrored traffic from your VPC. For more information, see the following AWS documentation: What is VPC peering and Working with VPC peering.
  1. Sign into the AWS Management Console with your username and password.
  2. From the top menu, click Services.
  3. In the Networking & Content Delivery section, click VPC.
  4. In the left navigation panel, under Virtual Private Cloud, click Peering Connections.
  5. Click Create Peering Connection.
  6. Complete the following fields:

    Peering connection name tag: Type a descriptive name for the connection.

    VPC (Requester): From the drop-down list, select the VPC ID of the network you want to mirror.

    Account ID: Type or paste the Reveal(x) Cloud AWS Account ID that ExtraHop provided by email.

    Account: From the drop-down list, select Another account.

    Region: Select the Reveal(x) Cloud region that ExtraHop provided by email.

    VPC (Accepter): Type or paste the VPC ID of Reveal(x) Cloud that ExtraHop provided by email.

  7. Click Create Peering Connection.
    A success message similar to the following figure should appear:

  8. Click OK. The new peering connection should display a status of Pending Acceptance.
  9. Note the ID listed in the Peering Connection column. It is required for the next procedure.

Request connection approval from ExtraHop

After you have created the peering connection, you must send an email to ExtraHop Cloud Provisioning with the ID of the peering connection you noted in the previous section. The ID will be similar to pcx-0286514c53cd3cb4a.

After ExtraHop accepts the VPC peering connection, your designated technical contact will be informed, and the connection status in your AWS console will update to Active.

Configure VPC resources for traffic mirroring

In the following procedures, you will configure your AWS resources to mirror traffic to Reveal(x) Cloud. Routing and security resources determine when and where the mirrored traffic is forwarded; filters determine which traffic is forwarded.

Accept the shared mirroring target from ExtraHop

You must accept the traffic mirror target created by ExtraHop as a shared resource for your designated AWS account.
  1. From the top menu, click Services.
  2. In the Security, Identity, and Compliance section, click Resource Access Manager.
  3. In the Shared with me section, click Resource shares, and then click Traffic mirror target share.
  4. Click Accept resource share. You will receive access to a traffic mirror target ID similar to tmt-06d8e42a7638a3e89.
  5. Click the refresh icon to display the new resource share. The status should display Active.

Add mirroring route rules to the VPC

You must ensure that the mirrored traffic is routed through the VPC peering connection to the destination subnet that was provided by ExtraHop. If there is a specific route table associated with the subnet of the mirrored traffic, then that route table must also be updated.
  1. From the top menu, click Services.
  2. In the Networking & Content Delivery section, click VPC.
  3. In the left panel, under Virtual Private Cloud, click Route Tables.
  4. Locate the route tables associated with your VPC.
  5. Select the route table, click the Routes tab, and then click Edit routes.
  6. Click Add route, and then complete the following fields.

    Destination: Select the destination subnet provided to you by ExtraHop.

    Target: Select the ID of the peering connection you noted at the end of the Establish a VPC peering connection section.

  7. Click Save routes. A success message similar to the following figure should appear.
  8. Click Close.

Create and apply security group rules

You must create and apply a security group that allows all outbound traffic to be mirrored to the Reveal(x) Cloud destination subnet.

Create a security group

Note: If you have already created a security group that allows outbound traffic for all protocols and all CIDR ranges, you can skip this procedure, and continue to the Apply the security group section.
  1. From the top menu, click Services.
  2. In the Networking & Content Delivery section, click VPC.
  3. In the left panel, under Security, click Security Groups.
  4. Click Create security group, and then complete the following fields.

    Security group name: Type a descriptive name for this security group.

    Description: Type a description for this security group.

    VPC: Select the VPC ID of the network you want to mirror from the drop-down list, and then click Create.

  5. After the security group is created, click Close.
  6. Select the security group that you created, click the Outbound Rules tab, and then click Edit rules.
  7. Modify the existing rule or add a rule with the following specifications:

    Type: All traffic.

    Protocol: All.

    Port range: All

    Destination: Select Custom from the drop-down list, and then type the CIDR destination subnet that ExtraHop provided to you for the mirrored traffic.

  8. Click Save rules. A message similar to the following figure should appear:

Apply the security group

Apply the security group to the AWS instances that are configured as the source for the mirrored traffic.
  1. From the top menu, click Services.
  2. In the Compute section, click EC2.
  3. In the left panel, under Instances, click Instances.
  4. Select the instance that you want to mirror traffic from, and then click Actions > Networking > Change Security Groups.
  5. Verify that both the Instance ID and the Interface ID are correct for the source traffic that you want to mirror to Reveal(x) Cloud. If the instance has multiple interfaces attached, and the wrong interface is selected, you must navigate to the Network Interfaces UI to change the network interface for the security group. For more information, see the following AWS documentation: Changing the Security Group.
  6. Select the security group you created in the previous section, and then click Assign Security Groups.
  7. Repeat this procedure for each instance or ENI that you want to send mirrored traffic from.
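Before creating the mirror session, the route rule and security group configured in the preceding sections can be checked from the output of the AWS CLI describe-route-tables and describe-security-groups commands. The following is an added example, not ExtraHop's or AWS's code; the route, security group and ID values are constructed placeholders, and the check also distinguishes a group scoped to the ExtraHop destination subnet from an allow-all group of the kind the Note above mentions.

```python
import ipaddress

# Constructed sample data shaped like the AWS CLI output of describe-route-tables
# and describe-security-groups; every ID and CIDR is a placeholder, not a value from the guide.
EXTRAHOP_DEST_CIDR = "10.200.1.0/24"    # stands in for the emailed destination subnet
PEERING_ID = "pcx-0000000000000001"     # stands in for the noted pcx- ID

ROUTE_TABLE = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "10.200.1.0/24", "State": "active",
     "VpcPeeringConnectionId": "pcx-0000000000000001"},
]}
SCOPED_GROUP = {"IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.200.1.0/24"}]}]}
ALLOW_ALL_GROUP = {"IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}


def route_via_peering(route_table, dest_cidr, pcx_id):
    """True if an active route sends dest_cidr through the peering connection."""
    return any(r.get("DestinationCidrBlock") == dest_cidr
               and r.get("VpcPeeringConnectionId") == pcx_id
               and r.get("State") == "active"
               for r in route_table["Routes"])


def egress_scope(group, dest_cidr):
    """Classify the all-protocol egress rule for dest_cidr.
    'scoped'  : a rule matches exactly the ExtraHop destination subnet
    'broad'   : a wider rule (e.g. 0.0.0.0/0) covers it; mirroring works but
                the group permits more egress than mirroring needs
    'missing' : no all-protocol egress rule covers the subnet
    """
    dest = ipaddress.ip_network(dest_cidr)
    verdict = "missing"
    for perm in group["IpPermissionsEgress"]:
        if perm["IpProtocol"] != "-1":     # "-1" is "All traffic" in the console
            continue
        for rng in perm.get("IpRanges", []):
            allowed = ipaddress.ip_network(rng["CidrIp"])
            if allowed == dest:
                return "scoped"
            if dest.subnet_of(allowed):
                verdict = "broad"
    return verdict


if __name__ == "__main__":
    print("route ok:", route_via_peering(ROUTE_TABLE, EXTRAHOP_DEST_CIDR, PEERING_ID))
    print("scoped group:", egress_scope(SCOPED_GROUP, EXTRAHOP_DEST_CIDR))
    print("allow-all group:", egress_scope(ALLOW_ALL_GROUP, EXTRAHOP_DEST_CIDR))
```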

Create a filter to specify the source traffic you want to mirror

Create filter criteria to determine which traffic is mirrored to Reveal(x) Cloud. We recommend that you mirror all traffic across all protocols to leverage the full analytical capabilities of Reveal(x) Cloud. For more information, see the following AWS documentation: AWS Traffic Mirroring Filters.
  1. From the top menu, click Services.
  2. In the Networking & Content Delivery section, click VPC.
  3. In the left panel, under Traffic Mirroring, click Mirror Filters.
  4. Click Create traffic mirror filter.
  5. Create a filter that forwards all traffic for all protocols and all CIDR ranges. The filter should look similar to the following figure.

Send mirrored traffic to Reveal(x) Cloud

In the following procedures, you will begin sending your mirrored traffic to Reveal(x) Cloud and verify that the connection is successful.

Create a traffic mirror session

Establish a connection between your traffic mirror source and target. For more information, see the following AWS documentation: AWS Mirror Sessions.
  1. From the top menu, click Services.
  2. In the Networking & Content Delivery section, click VPC.
  3. In the left panel, under Traffic Mirroring, click Mirroring Sessions.
  4. Click Create traffic mirror session.
  5. Complete the following fields:

    Name tag: (Optional) Type a descriptive name for the session.

    Description: (Optional) Type a description for the session.

    Mirror source: Type the ENI of the mirrored traffic source. This ENI must be associated with the security group you created and applied in the previous sections.

    Mirror target: Type the traffic mirror target ID you received in the Accept the shared mirroring target from ExtraHop section.

    Session number: Type 1.

    VNI: Leave this field empty.

    Packet length: Leave this field empty.

    Filter: From the drop-down menu, select the ID for the traffic mirror filter you created in the Create a filter to specify the source traffic you want to mirror section.

  6. Verify your settings. The completed session should look similar to the following figure.
  7. Click Create. A success message similar to the following figure should appear.
  8. Repeat these steps for all sources of traffic you want to mirror to Reveal(x) Cloud.
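The filter and session created in the two preceding procedures can be checked against the guide's recommendation (accept all traffic, all protocols, both directions, sent to the shared tmt- target) from the output of the AWS CLI describe-traffic-mirror-filters and describe-traffic-mirror-sessions commands. This is an added example, not ExtraHop's or AWS's code; all IDs are constructed placeholders.

```python
# Constructed sample data shaped like the AWS CLI output of
# describe-traffic-mirror-filters and describe-traffic-mirror-sessions;
# every ID is a placeholder, not a value from the guide.
ANY = "0.0.0.0/0"
FILTER = {"TrafficMirrorFilterId": "tmf-0000000000000001",
          "IngressFilterRules": [{"RuleNumber": 100, "RuleAction": "accept",
                                  "TrafficDirection": "ingress",
                                  "SourceCidrBlock": ANY, "DestinationCidrBlock": ANY}],
          "EgressFilterRules": [{"RuleNumber": 100, "RuleAction": "accept",
                                 "TrafficDirection": "egress",
                                 "SourceCidrBlock": ANY, "DestinationCidrBlock": ANY}]}
SESSION = {"NetworkInterfaceId": "eni-0000000000000001",
           "TrafficMirrorTargetId": "tmt-0000000000000001",
           "TrafficMirrorFilterId": "tmf-0000000000000001",
           "SessionNumber": 1}


def accepts_all(rules):
    """True if some rule accepts every protocol from and to any address.
    A rule with no Protocol value applies to all protocols.
    """
    return any(r["RuleAction"] == "accept" and r.get("Protocol") is None
               and r["SourceCidrBlock"] == ANY
               and r["DestinationCidrBlock"] == ANY for r in rules)


def session_problems(session, mirror_filter, expected_target):
    """Return findings for one session; an empty list means it matches the guide."""
    problems = []
    if session["TrafficMirrorTargetId"] != expected_target:
        problems.append("session does not point at the shared tmt- target")
    if session["TrafficMirrorFilterId"] != mirror_filter["TrafficMirrorFilterId"]:
        problems.append("session uses a different filter than the one checked")
    if not accepts_all(mirror_filter["IngressFilterRules"]):
        problems.append("filter does not accept all inbound traffic")
    if not accepts_all(mirror_filter["EgressFilterRules"]):
        problems.append("filter does not accept all outbound traffic")
    return problems


if __name__ == "__main__":
    findings = session_problems(SESSION, FILTER, "tmt-0000000000000001")
    print("OK" if not findings else "\n".join(findings))
```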

Test and verify that traffic mirroring is successful

Verify that traffic is being mirrored to Reveal(x) Cloud from your AWS VPC.
  1. Navigate to the Reveal(x) Cloud URL provided in the email from ExtraHop Networks. The login screen will look similar to the following figure:
  2. Type the email address that you configured for Okta authentication, and then click Next.
  3. Type your Okta password.
  4. Click Log in with ExtraHop Okta. Do not enter a username and password.
    The Security Overview page appears.
  5. At the top of the page, click Dashboards.
  6. In the left pane, under System Dashboards, click Network. The charts should display data from the mirrored traffic.
    Note: It can take up to ten minutes after the traffic mirror session is created before data appears in the charts.

Learn more about Reveal(x) Cloud

After you have verified that the traffic is successfully mirrored, you can begin exploring Reveal(x) Cloud. Check out our documentation website, which includes general concepts, how-to guides, and walkthroughs. For example, you can learn how to create a dashboard or activity map, prioritize the devices on your network for advanced analysis, and investigate security detections.

Published 2019-10-11 14:53