Deploy Reveal(x) 360 sensors for AWS
This guide provides instructions for deploying ExtraHop-managed Reveal(x) 360 sensors and configuring your AWS resources (ENIs) to mirror traffic to Reveal(x) 360 sensors.
Before you begin
- Familiarize yourself with how traffic mirroring works in AWS.
- You must have an AWS user account that is capable of creating an IAM role and that is able to tag ENI resources.
- Identify the instances in your VPC and their attached network interfaces (source ENIs) from which you want to mirror traffic to Reveal(x) 360 sensors. Note that you can only select interfaces from one availability zone per sensor. For environments with interfaces in multiple availability zones, see Deploy Reveal(x) 360 sensors for AWS in advanced environments.
- You must have an ExtraHop Okta user account with OktaAdmin or ApplianceAdmin privileges to configure Reveal(x) 360.
In the following procedures, you will deploy Reveal(x) 360 sensors and mirror traffic from a source ENI attached to your EC2 instances to a target ENI that is attached to the sensor.
Tip: | These procedures require you to configure settings in Reveal(x) 360 and in the AWS Management Console, so it is helpful to have each UI open side-by-side. |
Note: | For self-managed sensors, see Connect to Reveal(x) 360 from self-managed sensors. |
If your AWS workloads are in a single Availability Zone (AZ), you can mirror traffic from the subnets in that AZ to the ExtraHop sensor without incurring data transfer costs.
Elastic Network Interfaces (ENIs) are attached to EC2 instances. An ENI can be configured to mirror network traffic to a mirror target interface. The number of mirror target interfaces that you can connect to a single sensor is determined by the sensor package size.
Sensor Size | Number of Mirror Target Interfaces |
---|---|
Extra Small Premium or Ultra | 3 |
Small Premium or Ultra | 3 |
Medium Premium | 7 |

Retrieve your tenant ID
Your tenant ID is required to create an IAM role and to tag your ENI resources in AWS. Retrieve the ID from the Reveal(x) 360 Administration page by completing the following steps.
-
Log in to the Reveal(x) 360 Console through the URL provided in your welcome
email. You can also click the System Settings icon
and then click All Administration.
- Click Mirror Targets.
- Copy the tenant ID.
Create a target network interface (ENI)
You must create an ENI for each subnet in your VPC that you want to monitor with Reveal(x) 360. A single Reveal(x) 360 sensor can only monitor ENIs from one availability zone.
Important: | You must create a security group with an inbound rule that allows the VXLAN-encapsulated traffic to be sent over UDP port 4789 from the traffic mirror source to the traffic mirror target. There must be no outbound rules. See AWS documentation about creating a security group. |
Create an IAM role in AWS
The IAM role enables you to grant ExtraHop access to the traffic mirror targets you created in AWS.
Add your AWS accounts
Add your AWS account information to the ExtraHop system to enable the discovery of mirror target interfaces.
- Return to the Reveal(x) 360 Administration page.
- Click AWS Accounts.
- Click Add Account.
- Type a name in the Name field to identify the account.
- Type your AWS account ID in the Account ID field.
- Click Save.
- Repeat the steps for each additional AWS account where you have mirror target interfaces.
Scan for mirror target interfaces
After tagging your target ENIs in AWS, you must scan for them in Reveal(x) 360 before they can be attached to your sensor.
Important: | The ExtraHop system searches for mirror target interfaces by scanning all of the supported AWS regions. It is not possible to configure the system to bypass the scanning of specific regions. If you restrict access to any of these regions in your environment, the scan process will fail. Contact ExtraHop support if you are unable to successfully scan for mirror target interfaces. |
Region Name | Region |
---|---|
US East (Ohio) | us-east-2 |
US East (N. Virginia) | us-east-1 |
US West (Oregon) | us-west-2 |
US West (N. California) | us-west-1 |
Asia Pacific (Mumbai) | ap-south-1 |
Asia Pacific (Seoul) | ap-northeast-2 |
Asia Pacific (Tokyo) | ap-northeast-1 |
Asia Pacific (Sydney) | ap-southeast-2 |
Asia Pacific (Singapore) | ap-southeast-1 |
Canada (Central) | ca-central-1 |
Europe (Frankfurt) | eu-central-1 |
Europe (Ireland) | eu-west-1 |
Europe (London) | eu-west-2 |
Europe (Paris) | eu-west-3 |
Europe (Stockholm) | eu-north-1 |
South America (São Paulo) | sa-east-1 |
Add sensors
You are now ready to add sensors from the Reveal(x) 360 Administration page.
Important: | Mirror target interfaces cannot be added or removed from the sensor after the sensor is deployed. If you want to change the ENI that the sensor is monitoring, terminate the sensor and deploy a new one with the ENIs you want. |
- On the Reveal(x) 360 Administration page, click Deploy Sensors.
- Type a unique name for the sensor in the Name field.
- Select a sensor package for your deployment.
- Select an availability zone ID from the drop-down list.
- From the Mirror Targets drop-down list, select the interfaces you want to attach to the new sensor. Only the ENIs that were tagged with your tenant ID and that are in the selected availability zone appear in the list.
- Click Save.
- (Optional): Select Enable session key forwarding on this sensor if you are configuring your Windows and Linux servers to forward session keys. For more information, see Forward session keys to ExtraHop-managed sensors
- Click Deploy Sensor.
Create a traffic mirror target
Complete these steps for each ENI you created.
Create a traffic mirror filter
You must create a filter to allow or restrict traffic from your ENI traffic mirror sources to your ExtraHop system. We recommend the following filtering rules to help avoid mirroring duplicate frames from peer EC2 instances that are in a single VPC to the sensor.
- All outbound traffic is mirrored to the sensor, whether the traffic is sent from one peer device to another on the subnet or if the traffic is sent to a device outside of the subnet.
- Inbound traffic is only mirrored to the sensor when the traffic is from an external device. For example, this rule ensures that an app server request is not mirrored twice: once from the sending app server and once from the database that received the request.
- Rule numbers determine the order in which the filters are applied. Rules with lower numbers, such as 100, are applied first.
Important: | These filters should only be applied when mirroring all of the instances in a CIDR block. |
Create a traffic mirror session
You must create a session for each AWS resource that you want to monitor. You can create a maximum of 500 traffic mirror sessions per sensor.
Important: | To prevent mirror packets from being truncated, set the traffic mirror source interface MTU value to 54 bytes less than the traffic mirror target MTU value for IPv4 and 74 bytes less than the traffic mirror target MTU value for IPv6. For more information about configuring the network MTU value, see the following AWS documentation: Network Maximum Transmission Unit (MTU) for Your EC2 Instance. |
Thank you for your feedback. Can we contact you to ask follow up questions?