Deploy an ExtraHop sensor on AWS
The following procedures explain how to deploy a virtual ExtraHop sensor in an Amazon Web Services (AWS) environment. You must have experience deploying virtual machines in AWS within your virtual network infrastructure.
An ExtraHop virtual sensor can help you monitor the performance of your applications across internal networks, the public internet, or a virtual desktop infrastructure (VDI), including database and storage tiers. The ExtraHop system can monitor application performance across geographically distributed environments, such as branch offices, and across virtualized environments by observing inter-VM traffic.
This installation enables you to run network performance monitoring (NPM), network detection and response (NDR), and intrusion detection (IDS) on a single sensor.
Important: The IDS module requires the NDR module. Before you can enable the IDS module on this sensor, you must upgrade the sensor firmware to version 9.6 or later. When the upgrade completes, you can apply the new license to the sensor.
Note: If you have enabled the IDS module on this sensor, and your ExtraHop system does not have direct access to the Internet and to ExtraHop Cloud Services, you must upload IDS rules manually. For more information, see Upload IDS rules to the ExtraHop system through the REST API.
After you deploy the sensor in AWS, configure AWS traffic mirroring or remote packet capture (RPCAP) to forward traffic from remote devices to your sensor. AWS traffic mirroring is configurable for all instance sizes and is the preferred method of sending AWS traffic to the EDA 6100v and 8200v sensors.
Important: To ensure the best performance for initial device synchronization, connect all sensors to the console first, and only then configure network traffic forwarding to the sensors.
System requirements
Your environment must meet the following requirements to deploy a virtual ExtraHop sensor in AWS:
- You must have an AWS account.
- You must have access to the Amazon Machine Image (AMI) of the ExtraHop sensor.
- You must have an ExtraHop sensor product key.
- You can optionally configure a storage disk for deployments that include precision packet capture. Refer to the AWS documentation for instructions to add a disk.
  - For the EDA 1100v, add a disk with up to 250 GB capacity.
  - For the EDA 6100v and 8200v, add a disk with up to 500 GB capacity.
Virtual machine requirements
You must provision an AWS instance type that most closely matches your virtual ExtraHop sensor size and meets the following module requirements.
Sensor | Modules | Recommended Instance Type | Disk Size |
---|---|---|---|
EDA 1100v | NDR, NPM | c5.xlarge (4 vCPUs and 8 GB RAM) | 61 GB |
EDA 6100v | NDR, NPM | m5.4xlarge (16 vCPUs and 64 GB RAM) or c5.9xlarge (36 vCPUs and 72 GB RAM) | 1000 GB |
EDA 6320v | NDR, NPM, IDS | m5.8xlarge (32 vCPUs and 128 GB RAM) | 1400 GB |
EDA 8200v | NDR, NPM | c5n.9xlarge (36 vCPUs and 96 GB RAM) | 2000 GB |
Note: Throughput might be reduced when more than one module is enabled on the sensor.
Important: AWS enforces a limit of 10 traffic mirror sessions per target for Virtual Private Cloud (VPC) traffic mirroring on shared-tenancy instances; the session limit can be increased for sensors running on a c5 dedicated host. We recommend the c5 dedicated host for EDA 8200v and EDA 6100v instances that require a larger session limit. Contact AWS support to request the session limit increase.
Port requirements
The following ports must be open for ExtraHop AWS instances.
Port | Description |
---|---|
TCP ports 22, 80, and 443 inbound to the ExtraHop system | These ports are required to administer the ExtraHop system. Restrict the inbound source to your administrative networks rather than 0.0.0.0/0. |
TCP port 443 outbound to ExtraHop Cloud Services | Add the current ExtraHop Cloud Services IP address. For more information, see Configure your firewall rules. |
UDP port 53 outbound to your DNS server | UDP port 53 must be open so the sensor can resolve the hostname of the ExtraHop licensing server. |
(Optional) TCP/UDP ports 2003-2034 inbound to the ExtraHop system from the AWS VPC | If you are not configuring AWS traffic mirroring, you must open a port (or a range of ports) so that the packet forwarder can send RPCAP traffic from your AWS VPC resources to the sensor. For more information, see Packet Forwarding with RPCAP. |
Create the ExtraHop instance in AWS
Next steps
- Register your ExtraHop system.
- (Recommended) Configure AWS traffic mirroring to copy network traffic from your EC2 instances to a high-performance ERSPAN/VXLAN/GENEVE interface on your sensor.
  Tip: If your deployment requires more than 15 Gbps of throughput, divide your traffic mirroring sources across two high-performance ERSPAN/VXLAN/GENEVE interfaces on the EDA 8200v.
- (Optional) Forward GENEVE-encapsulated traffic from an AWS Gateway Load Balancer.
- Configure the sensor.
- Review the Sensor and console post-deployment checklist.
Create a traffic mirror target
Complete these steps for each Elastic network interface (ENI) you created.
- In the AWS Management Console, in the top menu, click Services.
- Click .
- In the left pane, under Traffic Mirroring, click Mirror Targets.
- Click Create traffic mirror target.
- (Optional): In the Name tag field, type a descriptive name for the target.
- (Optional): In the Description field, type a description for the target.
- From the Target type drop-down list, select Network Interface.
- From the Target drop-down list, select the ENI you previously created.
- Click Create.
Create a traffic mirror filter
You must create a filter to allow or restrict the traffic that your ENI traffic mirror sources send to your ExtraHop system. The rules below are designed so that each packet reaches the sensor once:
- All outbound traffic is mirrored to the sensor, whether the traffic is sent from one peer device to another on the subnet or to a device outside of the subnet.
- Inbound traffic is mirrored to the sensor only when the traffic comes from a device outside the subnet. This rule ensures that a request from an app server to a database on the same subnet is not mirrored twice: once on egress from the sending app server and once on ingress at the database that receives it.
- Rule numbers determine the order in which the rules are evaluated. Rules with lower numbers, such as 100, are evaluated first, and the first matching rule decides whether the traffic is mirrored.
Important: These filters should only be applied when mirroring all of the instances in a CIDR block. If only some instances in the subnet are mirrored, the inbound reject rule silently drops traffic sent to them by unmirrored peers on the same subnet.
- In the AWS Management Console, in the left pane under Traffic Mirroring, click Mirror Filters.
- Click Create traffic mirror filter.
- In the Name tag field, type a name for the filter.
- In the Description field, type a description for the filter.
- Under Network services, select the amazon-dns checkbox.
- In the Inbound rules section, click Add rule and configure an inbound rule:
  - In the Number field, type a number for the rule, such as 100.
  - From the Rule action drop-down list, select reject.
  - From the Protocol drop-down list, select All protocols.
  - In the Source CIDR block field, type the CIDR block for the subnet.
  - In the Destination CIDR block field, type the CIDR block for the subnet.
  - In the Description field, type a description for the rule.
- In the Inbound rules section, click Add rule and configure an additional inbound rule:
  - In the Number field, type a number for the rule, such as 200.
  - From the Rule action drop-down list, select accept.
  - From the Protocol drop-down list, select All protocols.
  - In the Source CIDR block field, type 0.0.0.0/0.
  - In the Destination CIDR block field, type 0.0.0.0/0.
  - In the Description field, type a description for the rule.
- In the Outbound rules section, click Add rule and configure an outbound rule:
  - In the Number field, type a number for the rule, such as 100.
  - From the Rule action drop-down list, select accept.
  - From the Protocol drop-down list, select All protocols.
  - In the Source CIDR block field, type 0.0.0.0/0.
  - In the Destination CIDR block field, type 0.0.0.0/0.
  - In the Description field, type a description for the rule.
- Click Create.
Create a traffic mirror session
You must create a session for each AWS resource (ENI) that you want to monitor. You can create a maximum of 500 traffic mirror sessions per sensor.
Important: Mirrored packets are encapsulated (VXLAN) before they are sent to the target, which adds header overhead. To prevent mirrored packets from being truncated, set the traffic mirror source interface MTU value to at least 54 bytes less than the traffic mirror target MTU value for IPv4 and 74 bytes less than the traffic mirror target MTU value for IPv6. For more information about configuring the network MTU value, see the following AWS documentation: Network Maximum Transmission Unit (MTU) for Your EC2 Instance.
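The following is an added example, not ExtraHop's or AWS's code, that models how AWS evaluates the mirror filter built in the procedure above (lowest rule number first, first match wins, unmatched traffic is not mirrored) and applies the MTU rule from the session step. It shows why the intra-subnet inbound reject yields exactly one copy of an app-server-to-database packet, what happens without that rule, and the caveat from the filter section when not every instance in the subnet is mirrored. The subnet, host addresses and the filter ID `tmf-0123456789abcdef0` are constructed placeholders; `cli_command` renders the equivalent `aws ec2 create-traffic-mirror-filter-rule` call for each rule.

```python
# Added example: simulate AWS traffic mirror filter evaluation for the
# dedup rule set in this guide, plus the source-MTU check. Not ExtraHop code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int           # lower numbers are evaluated first
    action: str           # "accept" or "reject"
    source_cidr: str
    destination_cidr: str
    description: str = ""


def build_filter_rules(subnet_cidr, dedup=True):
    """Return (inbound, outbound) rule lists matching the console steps.

    dedup=False omits the intra-subnet reject rule to show the duplicate copies
    the sensor would otherwise receive.
    """
    inbound = []
    if dedup:
        inbound.append(Rule(100, "reject", subnet_cidr, subnet_cidr,
                            "peer traffic inside the subnet is already mirrored on egress"))
    inbound.append(Rule(200, "accept", "0.0.0.0/0", "0.0.0.0/0",
                        "mirror inbound traffic that originates outside the subnet"))
    outbound = [Rule(100, "accept", "0.0.0.0/0", "0.0.0.0/0", "mirror all outbound traffic")]
    return inbound, outbound


def first_match(rules, src, dst):
    """First rule (by number) whose source and destination CIDRs both contain the packet.

    Returns None when no rule matches; AWS does not mirror such traffic.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if (ip_address(src) in ip_network(rule.source_cidr)
                and ip_address(dst) in ip_network(rule.destination_cidr)):
            return rule
    return None


def is_mirrored(rules, src, dst):
    rule = first_match(rules, src, dst)
    return rule is not None and rule.action == "accept"


def mirrored_copies(subnet_cidr, src, dst, mirrored_hosts, dedup=True):
    """Number of copies the sensor receives for one packet src -> dst.

    A mirrored ENI emits a copy on egress (outbound rules) when it sends and on
    ingress (inbound rules) when it receives; each session is evaluated independently.
    """
    inbound, outbound = build_filter_rules(subnet_cidr, dedup)
    copies = 0
    if src in mirrored_hosts and is_mirrored(outbound, src, dst):
        copies += 1
    if dst in mirrored_hosts and is_mirrored(inbound, src, dst):
        copies += 1
    return copies


def mirror_source_mtu(target_mtu, ipv6=False):
    """Largest source MTU whose encapsulated copy still fits the target MTU."""
    return target_mtu - (74 if ipv6 else 54)


def cli_command(filter_id, direction, rule):
    """Equivalent AWS CLI call for one rule; direction is 'ingress' or 'egress'."""
    return (f"aws ec2 create-traffic-mirror-filter-rule "
            f"--traffic-mirror-filter-id {filter_id} --traffic-direction {direction} "
            f"--rule-number {rule.number} --rule-action {rule.action} "
            f"--source-cidr-block {rule.source_cidr} "
            f"--destination-cidr-block {rule.destination_cidr} "
            f'--description "{rule.description}"')


if __name__ == "__main__":
    SUBNET = "10.0.1.0/24"                                   # constructed subnet
    APP, DB, PEER, EXTERNAL = "10.0.1.10", "10.0.1.20", "10.0.1.30", "203.0.113.5"
    mirrored = {APP, DB}                                     # PEER has no mirror session
    for src, dst in [(APP, DB), (EXTERNAL, APP), (APP, EXTERNAL), (PEER, APP)]:
        print(f"{src} -> {dst}: {mirrored_copies(SUBNET, src, dst, mirrored)} copy(ies), "
              f"{mirrored_copies(SUBNET, src, dst, mirrored, dedup=False)} without the reject rule")
    inbound, outbound = build_filter_rules(SUBNET)
    for rule in inbound:
        print(cli_command("tmf-0123456789abcdef0", "ingress", rule))
    for rule in outbound:
        print(cli_command("tmf-0123456789abcdef0", "egress", rule))
    print("max source MTU for a 9001-byte target:", mirror_source_mtu(9001))
```

The PEER -> APP case is the one to watch: with PEER unmirrored, the reject rule means that packet never reaches the sensor at all, which is the reason the guide restricts this filter to subnets where every instance is a mirror source.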
Configure the sensor
Next steps
After the system is licensed, and you have verified that traffic is detected, complete the recommended procedures in the post-deployment checklist.