Deploy the ExtraHop packetstore in AWS
In this guide, you will learn how to launch the ExtraHop packetstore AMI in your Amazon Web Services (AWS) environment.
Your environment must meet the following requirements to deploy a virtual
packetstore in AWS:
- An AWS account
- Access to the Amazon Machine Image (AMI) of the ExtraHop Trace appliance
- An Extrahop packetstore product key
- An AWS instance type that most closely matches the packetstore VM size, as
follows:
Packetstore Supported Instance Types ETA 1150v m4.xlarge, m4.2xlarge Tip: You can resize your instance without redeploying the packetstore. See the AWS documentation for details.
Before you begin
The Amazon Machine Images (AMIs) of ExtraHop appliances are not publicly shared. Before you can start the deployment procedure, you must send your AWS account ID to support@extrahop.com. Your account ID will be linked to the ExtraHop AMI.Next steps
- Register your ExtraHop system
- Review the Trace Appliance Post-deployment Checklist.
- Connect the Command and Discover appliances to the Trace appliance.
- Configure remote packet capture (RPCAP) to forward traffic from remote devices to your virtual packetstore. For more information, see Configure RPCAP for an ExtraHop packetstore.
- (Recommended) Configure AWS traffic mirroring to copy network traffic from your EC2 instances to a RPCAP/ERSPAN/VXLAN/GENEVE interface on your packetstore.
Create a traffic mirror target
Complete these steps for each ENI you created.
- Return to the AWS Management Console.
- From the top menu, click Services.
- In the Networking & Content Delivery section, click VPC.
- In the left pane, under Traffic Mirroring, click Mirror Targets.
-
Click Create traffic mirror target and complete the
following fields:
Option Description Name tag (Optional) Type a descriptive name for the target. Description (Optional) Type a description for the target. Target type Select Network Interface. Target Select the ENI you previously created. - Click Create.
Note the Target ID for each ENI. You will need the ID when
you create a traffic mirror session.
Create a traffic mirror filter
You must create a filter to allow or restrict traffic from your ENI traffic mirror sources to your ExtraHop system. We recommend the following filtering rules to help avoid mirroring duplicate frames from peer EC2 instances that are in a single VPC to the sensor.
- All outbound traffic is mirrored to the sensor, whether the traffic is sent from one peer device to another on the subnet or if the traffic is sent to a device outside of the subnet.
- Inbound traffic is only mirrored to the sensor when the traffic is from an external device. For example, this rule ensures that an app server request is not mirrored twice: once from the sending app server and once from the database that received the request.
- Rule numbers determine the order in which the filters are applied. Rules with lower numbers, such as 100, are applied first.
Important: | These filters should only be applied when mirroring all of the instances in a CIDR block. |
- In the AWS Management Console, in the left pane under Traffic Mirroring, click Mirror Filters.
-
Click Create traffic mirror filter and complete the following
fields:
Option Description Name tag Type a name for the filter. Description Type a description for the filter. Network services Select the amazon-dns checkbox. -
In the Inbound rules section, click Add
rule and then complete the following fields:
Option Description Number Type a number for the rule, such as 100. Rule action Select reject from the drop-down list. Protocol Select All protocols from the drop-down list. Source CIDR block Type the CIDR block for the subnet. Destination CIDR block Type the CIDR block for the subnet. Description (Optional) Type a description for the rule. -
In the Inbound rules section, click Add
rule again and then complete the following fields:
Option Description Number Type a number for the rule, such as 200. Rule action Select accept from the drop-down list. Protocol Select All protocols from the drop-down list. Source CIDR block Type 0.0.0.0/0. Destination CIDR block Type 0.0.0.0/0. Description (Optional) Type a description for the rule. -
In the Outbound rules section, click Add
rule and then complete the following fields:
Option Description Number Type a number for the rule, such as 100. Rule action Select accept from the drop-down list. Protocol Select All protocols from the drop-down list. Source CIDR block: Type 0.0.0.0/0. Destination CIDR block: Type 0.0.0.0/0. Description (Optional) Type a description for the rule. - Click Create.
Create a traffic mirror session
You must create a session for each AWS resource that you want to monitor. You can create a maximum of 500 traffic mirror sessions per sensor.
Important: | To prevent mirror packets from being truncated, set the traffic mirror source interface MTU value to 54 bytes less than the traffic mirror target MTU value for IPv4 and 74 bytes less than the traffic mirror target MTU value for IPv6. For more information about configuring the network MTU value, see the following AWS documentation: Network Maximum Transmission Unit (MTU) for Your EC2 Instance. |
- In the AWS Management Console, in the left pane, under Traffic Mirroring, click Mirror Session.
-
Click Create traffic mirror session and complete the following
fields:
Option Description Name tag (Optional) Type a descriptive name for the session. Description (Optional) Type a description for the session Mirror source Select the source ENI. The source ENI is typically attached to the EC2 instance that you want to monitor. Mirror target Select the traffic mirror target ID generated for the target ENI. Session number Type 1. VNI Leave this field empty. Packet length Leave this field empty. Filter From the drop-down menu, select the ID for the traffic mirror filter you created. - Click Create.
Thank you for your feedback. Can we contact you to ask follow up questions?