Deploy Reveal(x) 360 sensors for AWS
This guide provides instructions for deploying ExtraHop-managed Reveal(x) 360 sensors and configuring your AWS resources (ENIs) to mirror traffic to Reveal(x) 360 sensors.
Before you begin
- Familiarize yourself with how traffic mirroring works in AWS.
- You must have an AWS user account that is capable of creating an IAM role and that is able to tag ENI resources.
- Identify the instances in your VPC and their attached network interfaces (source ENIs) from which you want to mirror traffic to Reveal(x) 360 sensors. Note that you can only select interfaces from one availability zone per sensor. For environments with interfaces in multiple availability zones, see Deploy Reveal(x) 360 sensors for AWS in advanced environments.
- You must have system and access administration privileges to configure Reveal(x) 360.
In the following procedures, you will deploy Reveal(x) 360 sensors and mirror traffic from a source ENI attached to your EC2 instances to a target ENI that is attached to the sensor.
Tip: | These procedures require you to configure settings in Reveal(x) 360 and in the AWS Management Console, so it is helpful to have each UI open side-by-side. |
Note: | For self-managed sensors, see Connect to Reveal(x) 360 from self-managed sensors. |
If your AWS workloads are in a single Availability Zone (AZ), you can mirror traffic from the subnets in that AZ to the ExtraHop sensor without incurring data transfer costs.
Elastic Network Interfaces (ENIs) are attached to EC2 instances. An ENI can be configured to mirror network traffic to a mirror target interface. The number of mirror target interfaces that you can connect to a single sensor is determined by the sensor package size.
Sensor Size | Number of Mirror Target Interfaces |
---|---|
Extra Small Premium or Ultra | 3 |
Small Premium or Ultra | 3 |
Medium Premium | 7 |
Retrieve your tenant ID
Your tenant ID is required to create an IAM role and to tag your ENI resources in AWS. Retrieve the ID from the Reveal(x) 360 Administration page by completing the following steps.
- Log in to the Reveal(x) 360 Console through the URL provided in your welcome email. You can also click the System Settings icon and then click All Administration.
- Click Mirror Targets.
- Copy the tenant ID.
Create a target network interface (ENI)
You must create an ENI for each subnet in your VPC that you want to monitor with Reveal(x) 360. A single Reveal(x) 360 sensor can only monitor ENIs from one availability zone.
Important: | You must create a security group with an inbound rule that allows the VXLAN-encapsulated traffic to be sent over UDP port 4789 from the traffic mirror source to the traffic mirror target. There must be no outbound rules. See AWS documentation about creating a security group. |
Create an IAM role in AWS
The IAM role enables you to grant ExtraHop access to the traffic mirror targets you created in AWS.
Add your AWS accounts
Add your AWS account information to the ExtraHop system to enable the discovery of mirror target interfaces.
- Return to the Reveal(x) 360 Administration page.
- Click AWS Accounts.
- Click Add Account.
- Type a name in the Name field to identify the account.
- Type your AWS account ID in the Account ID field.
- Click Save.
- Repeat the steps for each additional AWS account where you have mirror target interfaces.
Scan for mirror target interfaces
After tagging your target ENIs in AWS, you must scan for them in Reveal(x) 360 before they can be attached to your sensor.
Important: | The ExtraHop system searches for mirror target interfaces by scanning all of the supported AWS regions. It is not possible to configure the system to bypass the scanning of specific regions. If you restrict access to any of these regions in your environment, the scan process will fail. Contact ExtraHop support if you are unable to successfully scan for mirror target interfaces. |
Region Name | Region |
---|---|
US East (Ohio) | us-east-2 |
US East (N. Virginia) | us-east-1 |
US West (Oregon) | us-west-2 |
US West (N. California) | us-west-1 |
Asia Pacific (Mumbai) | ap-south-1 |
Asia Pacific (Seoul) | ap-northeast-2 |
Asia Pacific (Tokyo) | ap-northeast-1 |
Asia Pacific (Sydney) | ap-southeast-2 |
Asia Pacific (Singapore) | ap-southeast-1 |
Canada (Central) | ca-central-1 |
Europe (Frankfurt) | eu-central-1 |
Europe (Ireland) | eu-west-1 |
Europe (London) | eu-west-2 |
Europe (Paris) | eu-west-3 |
Europe (Stockholm) | eu-north-1 |
South America (São Paulo) | sa-east-1 |
Add sensors
You are now ready to add sensors from the Reveal(x) 360 Administration page.
Important: | Mirror target interfaces cannot be added or removed from the sensor after the sensor is deployed. If you want to change the ENI that the sensor is monitoring, terminate the sensor and deploy a new one with the ENIs you want. |
- On the Reveal(x) 360 Administration page, click Deploy Sensors.
- Type a unique name for the sensor in the Name field.
- Select a sensor package for your deployment.
- Select an availability zone ID from the drop-down list.
- From the Mirror Targets drop-down list, select the interfaces you want to attach to the new sensor. Only the ENIs that were tagged with your tenant ID and that are in the selected availability zone appear in the list.
- Click Save.
- (Optional): Select Enable session key forwarding on this sensor if you are configuring your Windows and Linux servers to forward session keys. For more information, see Forward session keys to ExtraHop-managed sensors
- Click Deploy Sensor.
Create a traffic mirror target
Complete these steps for each ENI you created.
- Return to the AWS Management Console.
- From the top menu, click Services.
- In the Networking & Content Delivery section, click VPC.
- In the left pane, under Traffic Mirroring, click Mirror Targets.
-
Click Create traffic mirror target and complete the
following fields:
Option Description Name tag (Optional) Type a descriptive name for the target. Description (Optional) Type a description for the target. Target type Select Network Interface. Target Select the ENI you previously created. - Click Create.
Create a traffic mirror filter
You must create a filter to allow or restrict traffic from your ENI traffic mirror sources to your ExtraHop system. We recommend the following filtering rules to help avoid mirroring duplicate frames from peer EC2 instances that are in a single VPC to the sensor.
- All outbound traffic is mirrored to the sensor, whether the traffic is sent from one peer device to another on the subnet or if the traffic is sent to a device outside of the subnet.
- Inbound traffic is only mirrored to the sensor when the traffic is from an external device. For example, this rule ensures that an app server request is not mirrored twice: once from the sending app server and once from the database that received the request.
- Rule numbers determine the order in which the filters are applied. Rules with lower numbers, such as 100, are applied first.
Important: | These filters should only be applied when mirroring all of the instances in a CIDR block. |
- In the AWS Management Console, in the left pane under Traffic Mirroring, click Mirror Filters.
-
Click Create traffic mirror filter and complete the following
fields:
Option Description Name tag Type a name for the filter. Description Type a description for the filter. Network services Select the amazon-dns checkbox. -
In the Inbound rules section, click Add
rule and then complete the following fields:
Option Description Number Type a number for the rule, such as 100. Rule action Select reject from the drop-down list. Protocol Select All protocols from the drop-down list. Source CIDR block Type the CIDR block for the subnet. Destination CIDR block Type the CIDR block for the subnet. Description (Optional) Type a description for the rule. -
In the Inbound rules section, click Add
rule again and then complete the following fields:
Option Description Number Type a number for the rule, such as 200. Rule action Select accept from the drop-down list. Protocol Select All protocols from the drop-down list. Source CIDR block Type 0.0.0.0/0. Destination CIDR block Type 0.0.0.0/0. Description (Optional) Type a description for the rule. -
In the Outbound rules section, click Add
rule and then complete the following fields:
Option Description Number Type a number for the rule, such as 100. Rule action Select accept from the drop-down list. Protocol Select All protocols from the drop-down list. Source CIDR block: Type 0.0.0.0/0. Destination CIDR block: Type 0.0.0.0/0. Description (Optional) Type a description for the rule. - Click Create.
Create a traffic mirror session
You must create a session for each AWS resource that you want to monitor. You can create a maximum of 500 traffic mirror sessions per sensor.
Important: | To prevent mirror packets from being truncated, set the traffic mirror source interface MTU value to 54 bytes less than the traffic mirror target MTU value for IPv4 and 74 bytes less than the traffic mirror target MTU value for IPv6. For more information about configuring the network MTU value, see the following AWS documentation: Network Maximum Transmission Unit (MTU) for Your EC2 Instance. |
- In the AWS Management Console, in the left pane, under Traffic Mirroring, click Mirror Session.
-
Click Create traffic mirror session and complete the following
fields:
Option Description Name tag (Optional) Type a descriptive name for the session. Description (Optional) Type a description for the session Mirror source Select the source ENI. The source ENI is typically attached to the EC2 instance that you want to monitor. Mirror target Select the traffic mirror target ID generated for the target ENI. Session number Type 1. VNI Leave this field empty. Packet length Leave this field empty. Filter From the drop-down menu, select the ID for the traffic mirror filter you created. - Click Create.
Thank you for your feedback. Can we contact you to ask follow up questions?