Deploy an ExtraHop sensor in AWS
The following procedure guides you through the deployment process of the sensor AMI to monitor your Amazon Web Services (AWS) environment.
After you deploy the sensor in AWS, configure AWS traffic mirroring or remote packet capture (RPCAP) to forward traffic from remote devices to your sensor. AWS traffic mirroring is configurable for all instance sizes and is the preferred method of sending AWS traffic to the EDA 6100v and 8200v sensors.
Important: | To ensure the best performance for initial device synchronization, connect all sensors to the console and then configure network traffic forwarding to the sensors. |
System requirements
Your environment must meet the following requirements to deploy a virtual ExtraHop sensor in AWS:
- An AWS account
- Access to the Amazon Machine Image (AMI) of the ExtraHop sensor
- The sensor product key
- An AWS instance type that most closely matches the virtual ExtraHop sensor size, as
follows:
Sensors Recommended Instance Type EDA 1000v m5.large (2 vCPU and 8 GB RAM) Reveal(x) EDA 1100v c5.xlarge (4 vCPU and 8 GB RAM) EDA 2000v c5.2xlarge (8 vCPU and 16 GB RAM) EDA 6100v m5.4xlarge (16 vCPU and 64 GB RAM) c5.9xlarge (36 vCPU and 72 GB RAM)*
Reveal(x) EDA 8200v c5n.9xlarge (36 vCPU and 96 GB RAM) Note: Whenever possible, locate the sensor within the same cluster placement group as the devices that are forwarding traffic. This best practice optimizes the quality of feed that the sensor receives. *Recommended when the EDA 6100v cannot be deployed in the same cluster placement group as the monitored traffic. The c5.9xlarge instance has a higher cost, but is more resilient in environments where data feed fidelity is critical.
Important: AWS enforces a session limit of 10 sessions for VPC traffic mirroring; however, the session limit can be increased for sensors running on a c5 dedicated host. We recommend the c5 dedicated host for EDA 8200v and EDA 6100v instances that require a larger session limit. Contact AWS support to request the session limit increase. - (Optional) A storage disk for deployments that include precision packet capture. Refer to
the AWS documentation for instructions to add a disk.
- For the EDA 1000v, 1100v, and 2000v add a disk with up to 250 GB capacity.
- For the EDA 6100v and 8200v, add a disk with up to 500 GB capacity.
Create the ExtraHop instance in AWS
Before you begin
The Amazon Machine Images (AMIs) of ExtraHop sensor are not publicly shared. Before you can start the deployment procedure, you must send your AWS account ID to your ExtraHop representative. Your account ID will be linked to the ExtraHop AMIs.Next steps
- (Recommended) Configure AWS traffic mirroring to copy network
traffic from your EC2 instances to a high-performance ERSPAN/VXLAN/GENEVE
interface on your sensor.
Tip: If your deployment requires more than 15 Gbps of throughput, divide your traffic mirroring sources across two high-performance ERSPAN/VXLAN/GENEVE interfaces on the EDA 8200v. - (Optional) Forward GENEVE-encapsulated traffic from an AWS Gateway Load Balancer.
- Review the Sensor and console post-deployment checklist.
Create a traffic mirror target
Complete these steps for each ENI you created.
Create a traffic mirror filter
You must create a filter to allow or restrict traffic from your ENI traffic mirror sources to your ExtraHop system. We recommend the following filtering rules to help avoid mirroring duplicate frames from peer EC2 instances that are in a single VPC to the sensor.
- All outbound traffic is mirrored to the sensor, whether the traffic is sent from one peer device to another on the subnet or if the traffic is sent to a device outside of the subnet.
- Inbound traffic is only mirrored to the sensor when the traffic is from an external device. For example, this rule ensures that an app server request is not mirrored twice: once from the sending app server and once from the database that received the request.
- Rule numbers determine the order in which the filters are applied. Rules with lower numbers, such as 100, are applied first.
Important: | These filters should only be applied when mirroring all of the instances in a CIDR block. |
Create a traffic mirror session
You must create a session for each AWS resource that you want to monitor. You can create a maximum of 500 traffic mirror sessions per sensor.
Important: | To prevent mirror packets from being truncated, set the traffic mirror source interface MTU value to 54 bytes less than the traffic mirror target MTU value for IPv4 and 74 bytes less than the traffic mirror target MTU value for IPv6. For more information about configuring the network MTU value, see the following AWS documentation: Network Maximum Transmission Unit (MTU) for Your EC2 Instance. |
Thank you for your feedback. Can we contact you to ask follow up questions?