Deploy Reveal(x) 360 sensors for AWS
This guide provides instructions for deploying ExtraHop-managed Reveal(x) 360 sensors and configuring your AWS resources (ENIs) to mirror traffic to Reveal(x) 360 sensors. Note that you can only select interfaces from one availability zone per sensor.
Before you begin
- Familiarize yourself with how traffic mirroring works in AWS.
- Identify the instances in your VPC and their attached network interfaces (source ENIs) from which you want to mirror traffic to Reveal(x) 360 sensors.
- You must have an AWS user account with permissions to create an IAM role and to tag ENI resources.
In the following procedures, you will deploy Reveal(x) 360 sensors and mirror traffic from a source ENI to a target ENI that is attached to the sensor.
Tip: These procedures require you to configure settings in Reveal(x) 360 and in the AWS Management Console, so it is helpful to have each UI open side-by-side.
Note: For self-managed sensors, see Connect to Reveal(x) 360 from self-managed sensors.
Retrieve your tenant ID
Your tenant ID is required to create an IAM role and to tag your ENI resources in AWS. Retrieve the ID from the Reveal(x) 360 Console by completing the following steps.
- Log in to the Reveal(x) 360 Console through the URL provided in your welcome email.
- Click Available Mirror Targets.
- Copy the Tenant ID.
Create a target network interface (ENI)
You must create an ENI for each subnet in your VPC that you want to monitor with Reveal(x) 360. A single Reveal(x) 360 sensor can only monitor ENIs from one availability zone.
Important: You must create a security group for the target ENI with an inbound rule that allows UDP port 4789 (the VXLAN-encapsulated mirrored traffic) from the traffic mirror sources to the traffic mirror target. The security group must have no outbound rules. See AWS documentation about creating a security group.
Create an IAM role in AWS
The IAM role enables you to grant ExtraHop access to the traffic mirror targets you created in AWS.
Scan for mirror target interfaces
After tagging your target ENIs in AWS, you must scan for them in Reveal(x) 360 before they can be attached to your sensor.
Add sensors
You are now ready to add sensors from the Reveal(x) 360 Console.
Important: ENIs cannot be added or removed from the sensor after the sensor is deployed. If you want to change the ENIs that the sensor is monitoring, terminate the sensor and deploy a new one with the ENIs you want.
- On the Reveal(x) 360 Console page, click Deploy Reveal(x) 360 Sensor for AWS.
- Type a unique name for the sensor in the Name field.
- Select a sensor package for your deployment.
- Select an availability zone ID from the drop-down list.
- From the Mirror Targets drop-down list, select the interfaces you want to attach to the new sensor. Only the ENIs that were tagged with your tenant ID and that are in the selected availability zone appear in the list.
- Click Save.
- (Optional) Select Enable session key forwarding on this sensor if you are configuring your Windows and Linux servers to forward session keys. For more information, see Forward session keys to ExtraHop-managed sensors.
- Click Deploy Sensor.
Create a traffic mirror target
Complete these steps for each ENI you created.
Create a traffic mirror filter
You must create a filter to allow or restrict traffic from your ENI traffic mirror sources to Reveal(x) 360. The following example filter allows all traffic inbound and outbound with Reveal(x) 360.
Tip: Add a traffic mirror filter rule to exclude network traffic that is already mirrored. For example, if you are mirroring all ENIs within the subnet 10.1.0.0/16, traffic between two of those ENIs is captured twice (as egress at the sender and as ingress at the receiver); add an inbound rule with a reject rule action and a source CIDR block of 10.1.0.0/16 to drop the second copy.
Create a traffic mirror session
You must create a session for each AWS resource that you want to monitor with Reveal(x) 360.
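The AWS-side resources described in the sections above (the mirror-target security group and ENI, the traffic mirror target, the filter with the duplicate-suppression rule from the tip, and one session per source ENI) expressed as Terraform. This is an added example, not ExtraHop's or AWS's own code. The variable names, the `ExtraHopTenant` tag key, the `revealx360-*` resource names, the 10.1.0.0/16 CIDR and the rule numbers are assumptions; the guide does not state the tag key, so use whatever key your tenant's tagging instructions specify. The IAM role and the Reveal(x) 360 console steps are not covered here.

```hcl
# Added example (not ExtraHop's or AWS's code). All names, IDs, CIDRs and
# the tag key are assumptions; replace them with your own values.

variable "tenant_id" {
  type        = string
  description = "Tenant ID copied from Available Mirror Targets in the Reveal(x) 360 Console"
}
variable "vpc_id" {
  type = string
}
variable "subnet_id" {
  type        = string
  description = "Subnet for the target ENI; all targets attached to one sensor must share one availability zone"
}
variable "subnet_cidr" {
  type    = string
  default = "10.1.0.0/16" # assumed: the subnet whose ENIs are all being mirrored
}
variable "source_eni_ids" {
  type        = list(string)
  description = "Source ENIs (assumed) whose traffic is mirrored to the target"
}

# Mirror-target security group: VXLAN (UDP 4789) inbound from the mirror sources only.
# No egress block is declared, so Terraform also removes AWS's default allow-all
# egress rule, which satisfies the "no outbound rules" requirement.
resource "aws_security_group" "mirror_target" {
  name        = "revealx360-mirror-target"
  description = "VXLAN in from traffic mirror sources; no egress"
  vpc_id      = var.vpc_id

  ingress {
    description = "VXLAN-encapsulated mirrored traffic from sources in the mirrored subnet"
    protocol    = "udp"
    from_port   = 4789
    to_port     = 4789
    cidr_blocks = [var.subnet_cidr]
  }
}

# Target ENI, one per monitored subnet, tagged with the tenant ID so that the
# "Scan for mirror target interfaces" step can find it. Tag key is assumed.
resource "aws_network_interface" "mirror_target" {
  subnet_id       = var.subnet_id
  security_groups = [aws_security_group.mirror_target.id]
  tags = {
    Name           = "revealx360-mirror-target"
    ExtraHopTenant = var.tenant_id # assumed tag key
  }
}

resource "aws_ec2_traffic_mirror_target" "eni" {
  description          = "Reveal(x) 360 mirror target"
  network_interface_id = aws_network_interface.mirror_target.id
}

resource "aws_ec2_traffic_mirror_filter" "revealx" {
  description = "Mirror all traffic except ingress already captured at its in-subnet source"
}

# Rules are evaluated in ascending rule_number order and the first match wins,
# so the reject rule must carry a lower number than the catch-all accept rules.
resource "aws_ec2_traffic_mirror_filter_rule" "drop_duplicate_ingress" {
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.revealx.id
  description              = "Ingress from the mirrored subnet was already mirrored as egress at the sender"
  traffic_direction        = "ingress"
  rule_number              = 10
  rule_action              = "reject"
  source_cidr_block        = var.subnet_cidr
  destination_cidr_block   = "0.0.0.0/0"
}

resource "aws_ec2_traffic_mirror_filter_rule" "accept_ingress" {
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.revealx.id
  traffic_direction        = "ingress"
  rule_number              = 100
  rule_action              = "accept"
  source_cidr_block        = "0.0.0.0/0"
  destination_cidr_block   = "0.0.0.0/0"
}

resource "aws_ec2_traffic_mirror_filter_rule" "accept_egress" {
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.revealx.id
  traffic_direction        = "egress"
  rule_number              = 100
  rule_action              = "accept"
  source_cidr_block        = "0.0.0.0/0"
  destination_cidr_block   = "0.0.0.0/0"
}

# One mirror session per source ENI, all pointing at the same target and filter.
resource "aws_ec2_traffic_mirror_session" "source" {
  for_each = toset(var.source_eni_ids)

  description              = "Mirror ${each.value} to Reveal(x) 360"
  network_interface_id     = each.value
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.revealx.id
  traffic_mirror_target_id = aws_ec2_traffic_mirror_target.eni.id
  session_number           = 1
}
```

Apply this before the "Scan for mirror target interfaces" step so that the tagged ENI is discoverable, and keep the sensor's availability zone in mind when choosing `subnet_id`: a target ENI in a different zone will not appear in the sensor's Mirror Targets list. The reject rule is only correct when every ENI in `subnet_cidr` is a mirror source; if some are not, their traffic into mirrored hosts would be dropped by the filter rather than captured.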