Deploy Reveal(x) 360 sensors for AWS

This guide provides instructions for deploying ExtraHop-managed Reveal(x) 360 sensors and configuring your AWS resources (ENIs) to mirror traffic to Reveal(x) 360 sensors. Note that you can only select interfaces from one availability zone per sensor.

Before you begin

  • Familiarize yourself with how traffic mirroring works in AWS.
  • Identify the instances in your VPC and their attached network interfaces (source ENIs) from which you want to mirror traffic to Reveal(x) 360 sensors.
  • You must have an AWS identity that can create IAM roles and policies, create security groups and network interfaces, tag ENI resources, and configure VPC Traffic Mirroring (mirror targets, filters, and sessions).

In the following procedures, you will deploy Reveal(x) 360 sensors and mirror traffic from a source ENI to a target ENI that is attached to the sensor.

Tip: These procedures require you to configure settings in Reveal(x) 360 and in the AWS Management Console, so it is helpful to have each UI open side-by-side.
Note: For self-managed sensors, see Connect to Reveal(x) 360 from self-managed sensors.

Retrieve your tenant ID

Your tenant ID is required to create an IAM role and to tag your ENI resources in AWS. The tenant ID is included in your welcome email. Alternatively, you can retrieve the ID from the Reveal(x) 360 console by completing the following steps.

  1. Log in to the Reveal(x) 360 console through the URL provided in your welcome email.
  2. Click Available Mirror Targets.
  3. Copy the Tenant ID.

Create a target network interface (ENI)

You must create an ENI for each subnet in your VPC that you want to monitor with Reveal(x) 360. All ENIs must be in the same Availability Zone for a single Reveal(x) 360 sensor.

For more information, see the following AWS documentation: Creating a network interface.
Important: You must create a security group with an inbound rule that allows the VXLAN-encapsulated mirror traffic (UDP port 4789) from the traffic mirror sources to the traffic mirror target; scope the rule's source to the CIDR range of the mirror sources rather than 0.0.0.0/0. The group must have no outbound rules, so remove the allow-all outbound rule that AWS adds to every new security group. See AWS documentation about creating a security group.
  1. Log in to the Amazon EC2 management console through https://console.aws.amazon.com/ec2/.
  2. In the left pane, under Network & Security, click Network Interfaces.
  3. Click Create Network Interface and complete the following fields:

    Description: Type a description. The description text appears in the Description field on the Mirror Target Interfaces page.

    Subnet: Select a subnet from the drop-down list.

    IPv4 Private IP: Select Auto-assign. Alternatively, select Custom and then type the primary private IPv4 address in the IPv4 address field. If the subnet has an associated IPv6 CIDR block, you can optionally specify an IPv6 address.

    Elastic Fabric Adapter: Do not select the Elastic Fabric Adapter checkbox.

    Security groups: Select the security group you created earlier to allow VXLAN traffic into the ENI.

  4. Click Add Tag.
  5. Type extrahop-tenant in the Key field and type your tenant ID in the Value field.
  6. Click Create.
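The same security group and tagged target ENI, created with the AWS CLI instead of the console. This is an added example and is not part of the ExtraHop page: the VPC, subnet, CIDR and tenant values are assumed placeholders, and the aws commands are printed rather than executed unless APPLY=1 is set. It also carries the two checks worth making at this step: the default allow-all outbound rule is revoked so the group really has no outbound rules, and same_az confirms that all target ENIs for one sensor sit in a single Availability Zone.

```shell
#!/bin/sh
# Added example (not from the ExtraHop page): create the mirror-target security group
# and a tagged target ENI with the AWS CLI. VPC_ID, SUBNET_ID, VPC_CIDR and TENANT_ID
# are assumed placeholders. Dry run by default; APPLY=1 executes the aws calls.
set -eu

TENANT_ID="${TENANT_ID:-12345abcd}"                 # assumed; use your real tenant ID
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"           # assumed
SUBNET_ID="${SUBNET_ID:-subnet-0123456789abcdef0}"  # assumed; must be in the sensor's AZ
VPC_CIDR="${VPC_CIDR:-10.1.0.0/16}"                 # assumed; where the mirror sources live

# Print the aws command (dry run) or execute it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*" >&2; fi
}

# Tag that Reveal(x) 360 scans for; the key comes from the page.
tenant_tag() { printf 'ResourceType=network-interface,Tags=[{Key=extrahop-tenant,Value=%s}]' "$1"; }

# Inbound rule: VXLAN-encapsulated mirror traffic (UDP 4789) from the mirror sources only,
# never from 0.0.0.0/0.
vxlan_ingress_json() {
  printf '[{"IpProtocol":"udp","FromPort":4789,"ToPort":4789,"IpRanges":[{"CidrIp":"%s","Description":"VXLAN from traffic mirror sources"}]}]' "$1"
}

# Every new security group gets an allow-all egress rule; the page requires no outbound
# rules, so it has to be revoked explicitly (add an Ipv6Ranges ::/0 entry for dual-stack VPCs).
default_egress_json() { printf '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'; }

# Create the security group and print its ID ("sg-DRYRUN" in dry-run mode).
create_mirror_target_sg() {
  vpc_id="$1"; src_cidr="$2"
  if [ "${APPLY:-0}" = "1" ]; then
    sg_id=$(aws ec2 create-security-group --vpc-id "$vpc_id" \
      --group-name revealx360-mirror-target \
      --description "VXLAN in from mirror sources, no egress" \
      --query GroupId --output text)
  else
    sg_id="sg-DRYRUN"
    run aws ec2 create-security-group --vpc-id "$vpc_id" --group-name revealx360-mirror-target
  fi
  run aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
    --ip-permissions "$(vxlan_ingress_json "$src_cidr")"
  run aws ec2 revoke-security-group-egress --group-id "$sg_id" \
    --ip-permissions "$(default_egress_json)"
  printf '%s\n' "$sg_id"
}

# Create the target ENI with the tenant tag and print its ID ("eni-DRYRUN" in dry-run mode).
create_target_eni() {
  subnet_id="$1"; sg_id="$2"; tenant="$3"
  if [ "${APPLY:-0}" = "1" ]; then
    aws ec2 create-network-interface --subnet-id "$subnet_id" --groups "$sg_id" \
      --description "Reveal(x) 360 mirror target" \
      --tag-specifications "$(tenant_tag "$tenant")" \
      --query NetworkInterface.NetworkInterfaceId --output text
  else
    run aws ec2 create-network-interface --subnet-id "$subnet_id" --groups "$sg_id" \
      --tag-specifications "$(tenant_tag "$tenant")"
    printf 'eni-DRYRUN\n'
  fi
}

# All target ENIs for one sensor must share an Availability Zone. Feed it the output of:
#   aws ec2 describe-network-interfaces --network-interface-ids eni-a eni-b \
#     --query 'NetworkInterfaces[].AvailabilityZone' --output text
same_az() {
  first="$1"
  for az in "$@"; do [ "$az" = "$first" ] || return 1; done
  return 0
}

sg_id=$(create_mirror_target_sg "$VPC_ID" "$VPC_CIDR")
eni_id=$(create_target_eni "$SUBNET_ID" "$sg_id" "$TENANT_ID")
echo "target ENI $eni_id in security group $sg_id"
```

Run it once without APPLY to review the commands, then with APPLY=1 to apply them; repeat create_target_eni for each subnet you want to monitor and pass the resulting ENI IDs' zones to same_az before adding them to one sensor.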

Create an IAM role in AWS

The IAM role lets ExtraHop's AWS account act in your account with two narrowly scoped permissions: to list your network interfaces, and to grant itself permission to attach the target ENIs that carry your tenant tag. Requiring an external ID (your tenant ID) in the trust policy ensures the role can only be assumed on behalf of your tenant.

  1. Return to the AWS Management Console.
  2. In the Security, Identity, & Compliance section, click IAM.
  3. In the left pane, click Roles.
  4. Click Create role.
  5. Click Another AWS account.
  6. In the Specify accounts that can use this role section, type 895242732570 in the Account ID field.
  7. Select the Require external ID checkbox and type your tenant ID in the External ID field.
  8. Click Next: Permissions.
  9. Click Create policy. The Create policy page opens in a new browser window or tab.
  10. Click the JSON tab and paste the following JSON text into the field, replacing all existing text.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:CreateNetworkInterfacePermission"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ec2:ResourceTag/extrahop-tenant": "<tenant-id>"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeNetworkInterfaces"
                ],
                "Resource": "*"
            }
        ]
    }
    
    Note: The ec2:CreateNetworkInterfacePermission action lets ExtraHop grant its account permission to attach your ENI to the Reveal(x) 360 sensor; the tag condition restricts this to ENIs tagged extrahop-tenant with your tenant ID.
  11. Replace <tenant-id> with your ExtraHop tenant ID.
  12. Click Review policy.
  13. Type a name in the Policy field. This name can be any string.
  14. Click Create policy.
  15. After the policy is created, close the Policies tab and return to the Create role page.
  16. Click the Refresh icon in the policy list (do not refresh the browser page).
  17. In the Filter policies field, type the name of the policy you created.
  18. Select the checkbox next to the policy name.
  19. Click Next: Tags. No tags need to be entered.
  20. Click Next: Review.
  21. In the Role name field, type ExtraHop-Trust-<tenant-id>, where <tenant-id> is your ExtraHop tenant ID. For example, if your tenant ID is 12345abcd, type ExtraHop-Trust-12345abcd.
  22. Click Create role.
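The trust and permissions policies from the console steps above, written out as JSON and applied with the AWS CLI. This is an added example and not part of the ExtraHop page: the tenant ID and your own account ID are assumed placeholders, while the ExtraHop account ID, the tag key and the role name format come from the page. Selecting Another AWS account together with Require external ID in the console produces the trust policy shown here; the trust_policy_ok check can later be run against the output of aws iam get-role to confirm nobody has dropped the external ID condition or widened the trusted principal.

```shell
#!/bin/sh
# Added example (not from the ExtraHop page): build the cross-account trust policy and
# the tag-scoped permissions policy, then create the role with the AWS CLI. The ExtraHop
# account, tag key and role name format are from the page; TENANT_ID and ACCOUNT_ID are
# assumed placeholders. Dry run by default; APPLY=1 executes the aws calls.
set -eu

TENANT_ID="${TENANT_ID:-12345abcd}"        # assumed; use your real tenant ID
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"   # assumed; your own AWS account ID
EXTRAHOP_ACCOUNT=895242732570              # ExtraHop's AWS account, from the page

# Print the aws command (dry run) or execute it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*" >&2; fi
}

role_name() { printf 'ExtraHop-Trust-%s' "$1"; }

# Trust policy equivalent to "Another AWS account" + "Require external ID" in the console.
# The external ID is the confused-deputy guard: ExtraHop can assume the role only when it
# presents your tenant ID, so another tenant cannot point their sensors at your role.
trust_policy_json() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${EXTRAHOP_ACCOUNT}:root" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "$1" } }
    }
  ]
}
EOF
}

# Permissions policy from the page with <tenant-id> filled in. The tag condition means
# ExtraHop can only grant itself attach rights on ENIs you tagged with your tenant ID.
permissions_policy_json() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateNetworkInterfacePermission"],
      "Resource": "*",
      "Condition": { "StringEquals": { "ec2:ResourceTag/extrahop-tenant": "$1" } }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:DescribeNetworkInterfaces"],
      "Resource": "*"
    }
  ]
}
EOF
}

# Check a trust policy document on stdin: it must require your tenant ID as external ID
# and trust only the ExtraHop account. Feed it from:
#   aws iam get-role --role-name "$(role_name "$TENANT_ID")" --query Role.AssumeRolePolicyDocument
trust_policy_ok() {
  doc=$(cat)
  printf '%s' "$doc" | grep -q "\"sts:ExternalId\": *\"$1\"" || return 1
  printf '%s' "$doc" | grep -q "arn:aws:iam::$EXTRAHOP_ACCOUNT:root" || return 1
  return 0
}

# Create the policy, the role and the attachment. Documents go through file:// so the
# JSON survives shell quoting intact. Prints the role name.
create_extrahop_role() {
  tenant="$1"; name=$(role_name "$tenant"); tmp=$(mktemp -d)
  trust_policy_json "$tenant" > "$tmp/trust.json"
  permissions_policy_json "$tenant" > "$tmp/perms.json"
  run aws iam create-policy --policy-name "$name-policy" \
    --policy-document "file://$tmp/perms.json"
  run aws iam create-role --role-name "$name" \
    --assume-role-policy-document "file://$tmp/trust.json"
  run aws iam attach-role-policy --role-name "$name" \
    --policy-arn "arn:aws:iam::$ACCOUNT_ID:policy/$name-policy"
  rm -rf "$tmp"
  printf '%s\n' "$name"
}

create_extrahop_role "$TENANT_ID"
```

Because the role trusts the whole ExtraHop account root, the external ID condition is the only thing that ties it to your tenant; keep trust_policy_ok in whatever periodic IAM review you already run.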

Scan for mirror target interfaces

After tagging your target ENIs in AWS, you must scan for them in Reveal(x) 360 before they can be attached to your sensor.

  1. Return to the Reveal(x) 360 console page.
  2. Click Available Mirror Targets.
  3. On the Mirror Target Interfaces page, click Scan.
    All interfaces that you tagged in AWS appear in the table.

Add sensors

You are now ready to add sensors from the Reveal(x) 360 console.

Important: ENIs cannot be added to or removed from the sensor after the sensor is deployed. If you want to change the ENIs that the sensor is monitoring, terminate the sensor and deploy a new one with the ENIs you want.
  1. On the Reveal(x) 360 Console page, click Deploy Reveal(x) 360 Sensor for AWS.
  2. Type a unique name for the sensor in the Name field.
  3. Select a sensor package for your deployment.
  4. Select an availability zone ID from the drop-down list.
  5. From the Mirror Targets drop-down list, select the interfaces you want to attach to the new sensor. Only the ENIs that were tagged with your tenant ID and that are in the selected availability zone appear in the list.
  6. Click Save.
  7. Click Deploy Sensor.

Create a traffic mirror target

Complete these steps for each ENI you created.

For more information, see the following AWS documentation: Getting started with Traffic Mirroring.
  1. Return to the AWS Management Console.
  2. From the top menu, click Services.
  3. In the Networking & Content Delivery section, click VPC.
  4. In the left pane, under Traffic Mirroring, click Mirror Targets.
  5. Click Create traffic mirror target and complete the following fields:

    Name tag: (Optional) Type a descriptive name for the target.

    Description: (Optional) Type a description for the target.

    Target type: Select Network Interface.

    Target: Select the ENI you previously created.

  6. Click Create.
Note the Target ID for each ENI. You will need the ID when you create a traffic mirror session.

Create a traffic mirror filter

You must create a filter that defines which traffic from your ENI traffic mirror sources is mirrored to Reveal(x) 360. The following example filter mirrors all inbound and outbound traffic on the source.

For more information, see the following AWS documentation: Getting started with Traffic Mirroring.
Tip: Add a traffic mirror filter rule to exclude network traffic that is already mirrored. For example, if you are mirroring all ENIs within the subnet 10.1.0.0/16, traffic between two of those ENIs is captured twice (once outbound from the sender and once inbound at the receiver); add an inbound rule with a reject action and a source CIDR block of 10.1.0.0/16, and give it a lower rule number than the accept rules, because AWS evaluates filter rules in ascending number order and stops at the first match.
  1. In the AWS Management Console, in the left pane under Traffic Mirroring, click Mirror Filters.
  2. Click Create traffic mirror filter and complete the following fields:

    Name tag: Type a name for the filter.

    Description: Type a description for the filter.

    Network services: Select the amazon-dns checkbox so that DNS traffic to the Amazon-provided resolver is mirrored as well.

  3. In the Inbound rules section, click Add rule and then complete the following fields:

    Number: Type a number for the rule.

    Rule action: Select accept from the drop-down list.

    Protocol: Select All protocols from the drop-down list.

    Source CIDR block: Type 0.0.0.0/0.

    Destination CIDR block: Type 0.0.0.0/0.

    Description: (Optional) Type a description for the rule.

  4. In the Outbound rules section, click Add rule and then complete the following fields:

    Number: Type a number for the rule.

    Rule action: Select accept from the drop-down list.

    Protocol: Select All protocols from the drop-down list.

    Source CIDR block: Type 0.0.0.0/0.

    Destination CIDR block: Type 0.0.0.0/0.

    Description: (Optional) Type a description for the rule.

  5. Click Create.

Create a traffic mirror session

You must create a session for each AWS resource that you want to monitor with Reveal(x) 360.

For more information, see the following AWS documentation: Getting started with Traffic Mirroring.
  1. In the AWS Management Console, in the left pane, under Traffic Mirroring, click Mirror Sessions.
  2. Click Create traffic mirror session and complete the following fields:

    Name tag: (Optional) Type a descriptive name for the session.

    Description: (Optional) Type a description for the session.

    Mirror source: Select the source ENI. The source ENI is typically attached to the EC2 instance that you want to monitor.

    Mirror target: Select the traffic mirror target ID generated for the target ENI.

    Session number: Type 1.

    VNI: Leave this field empty; AWS assigns a VXLAN network identifier automatically.

    Packet length: Leave this field empty so that entire packets are mirrored rather than truncated.

    Filter: From the drop-down menu, select the ID for the traffic mirror filter you created.

  3. Click Create.
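The mirror target, filter and session from the three procedures above, created with the AWS CLI. This is an added example and not part of the ExtraHop page: the ENI IDs and the monitored CIDR are assumed placeholders, and the aws commands are printed rather than executed unless APPLY=1 is set. The filter carries the page's accept-all rules with amazon-dns enabled plus the reject rule from the tip above, and rejects_first checks that the reject rule is numbered below the accept-all rule, since AWS evaluates filter rules in ascending order and stops at the first match.

```shell
#!/bin/sh
# Added example (not from the ExtraHop page): create the traffic mirror target, filter
# and session with the AWS CLI. TARGET_ENI, SOURCE_ENI and MONITORED_CIDR are assumed
# placeholders. Dry run by default; APPLY=1 executes the aws calls.
set -eu

TARGET_ENI="${TARGET_ENI:-eni-0123456789abcdef0}"   # assumed; the tagged target ENI
SOURCE_ENI="${SOURCE_ENI:-eni-0fedcba9876543210}"   # assumed; ENI of the instance to monitor
MONITORED_CIDR="${MONITORED_CIDR:-10.1.0.0/16}"     # assumed; subnet whose ENIs are all mirrored

# Print the aws command (dry run) or execute it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*" >&2; fi
}

# Filter rule plan: "direction number action source destination".
# AWS evaluates rules in ascending number order and the first match wins, so the reject
# rule that drops the second copy of intra-subnet traffic needs a lower number than the
# accept-all rule; at a higher number it would never be reached.
filter_rules() {
  cat <<EOF
ingress 10 reject $MONITORED_CIDR 0.0.0.0/0
ingress 100 accept 0.0.0.0/0 0.0.0.0/0
egress 100 accept 0.0.0.0/0 0.0.0.0/0
EOF
}

# Check a rule plan on stdin: every reject rule must carry a lower number than every
# accept rule in the same direction. Exits 1 if a reject rule is shadowed.
rejects_first() {
  awk '
    $3 == "reject" && (!($1 in rej) || $2 > rej[$1]) { rej[$1] = $2 }
    $3 == "accept" && (!($1 in acc) || $2 < acc[$1]) { acc[$1] = $2 }
    END { for (d in rej) if ((d in acc) && rej[d] >= acc[d]) exit 1 }'
}

# Mirror target on the tagged ENI; prints its ID ("tmt-DRYRUN" in dry-run mode).
create_mirror_target() {
  if [ "${APPLY:-0}" = "1" ]; then
    aws ec2 create-traffic-mirror-target --network-interface-id "$1" \
      --description "Reveal(x) 360 sensor target" \
      --query TrafficMirrorTarget.TrafficMirrorTargetId --output text
  else
    run aws ec2 create-traffic-mirror-target --network-interface-id "$1"
    printf 'tmt-DRYRUN\n'
  fi
}

# Filter with amazon-dns enabled and the planned rules; prints its ID ("tmf-DRYRUN" in dry run).
create_mirror_filter() {
  if [ "${APPLY:-0}" = "1" ]; then
    tmf=$(aws ec2 create-traffic-mirror-filter --description "Reveal(x) 360 filter" \
      --query TrafficMirrorFilter.TrafficMirrorFilterId --output text)
  else
    run aws ec2 create-traffic-mirror-filter --description "Reveal(x) 360 filter"
    tmf="tmf-DRYRUN"
  fi
  # Traffic to the Amazon-provided DNS resolver is only mirrored when this is on.
  run aws ec2 modify-traffic-mirror-filter-network-services \
    --traffic-mirror-filter-id "$tmf" --add-network-service amazon-dns
  filter_rules | rejects_first || { echo "reject rule shadowed by an accept rule" >&2; return 1; }
  # Omitting --protocol selects all protocols.
  filter_rules | while read -r dir num action src dst; do
    run aws ec2 create-traffic-mirror-filter-rule --traffic-mirror-filter-id "$tmf" \
      --traffic-direction "$dir" --rule-number "$num" --rule-action "$action" \
      --source-cidr-block "$src" --destination-cidr-block "$dst"
  done
  printf '%s\n' "$tmf"
}

# One session per source ENI. No --virtual-network-id and no --packet-length, so AWS
# assigns the VNI and mirrors whole packets.
create_mirror_session() {
  src="$1"; tmt="$2"; tmf="$3"
  run aws ec2 create-traffic-mirror-session --network-interface-id "$src" \
    --traffic-mirror-target-id "$tmt" --traffic-mirror-filter-id "$tmf" --session-number 1
}

tmt=$(create_mirror_target "$TARGET_ENI")
tmf=$(create_mirror_filter)
create_mirror_session "$SOURCE_ENI" "$tmt" "$tmf"
echo "mirror session: $SOURCE_ENI -> $tmt via $tmf"
```

Create the target once per target ENI and the filter once, then call create_mirror_session for every source ENI you want monitored; the rule plan in filter_rules is the place to add further reject rules for traffic you do not want to pay to mirror twice.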

View sensor status

  1. Return to the Reveal(x) 360 Console.
  2. Click Reveal(x) 360 Sensors for AWS in the upper right corner.
  3. Find your sensor in the table and view the sensor status.
    When the sensor status changes from Pending to Attached, you can view metrics, detections, and records for your AWS traffic in Reveal(x) 360 by clicking Open Reveal(x) from the main console page.
It can take a few minutes for your traffic to appear in the system.

Published 2020-09-15 19:57