
Page 1: Getting Started with NETSCOUT Application Performance ... · NETSCOUT smart data solutions provide end-to-end visibility on application workloads and their dependencies on compute,

NETSCOUT SYSTEMS, INC.
Westford, MA 01886
Telephone: 978.614.4000
Fax: 978.614.4004

Web: http://www.netscout.com

Getting Started with NETSCOUT Application Performance Management for Amazon Web Services
733-1355 Rev. A

Contents


Use of this product is subject to the End User License Agreement available at http://www.netscout.com/legal/terms-and-conditions/or which accompanies the product at the time of shipment or, if applicable, the legal agreement executed by and between NETSCOUT SYSTEMS, INC., and the purchaser of this product (“Agreement”).

Government Use and Notice of Restricted Rights: In U.S. government ("Government") contracts or subcontracts, Customer will provide that the Products and Documentation, including any technical data (collectively "Materials"), sold or delivered pursuant to this Agreement for Government use are commercial as defined in Federal Acquisition Regulation ("FAR") 2.101 and any supplement and further is provided with RESTRICTED RIGHTS. All Materials were fully developed at private expense. Use, duplication, release, modification, transfer, or disclosure ("Use") of the Materials is restricted by the terms of this Agreement and further restricted in accordance with FAR 52.227-14 for civilian Government agency purposes and 252.227-7015 of the Defense Federal Acquisition Regulations Supplement ("DFARS") for military Government agency purposes, or the similar acquisition regulations of other applicable Government organizations, as applicable and amended. The Use of Materials is restricted by the terms of this Agreement, and, in accordance with DFARS Section 227.7202 and FAR Section 12.212, is further restricted in accordance with the terms of NETSCOUT's commercial End User License Agreement. All other Use is prohibited, except as described herein.

This Product may contain third-party technology. NETSCOUT may license such third-party technology and documentation ("Third-Party Materials") for use with the Product only. In the event the Product contains Third-Party Materials, or in the event you have the option to use the Product in conjunction with Third-Party Materials (as identified by NETSCOUT in the applicable Documentation), then such third-party materials are provided or accessible subject to the applicable third-party terms and conditions contained in the “Read Me” or “About” file located on the Application CD for this Product. To the extent the Product includes Third-Party Materials licensed to NETSCOUT by third parties, those third parties are third-party beneficiaries of, and may enforce, the applicable provisions of such third-party terms and conditions.

Open-Source Software Acknowledgment: This product may incorporate open-source components that are governed by the GNU General Public License ("GPL") or licenses that are compatible with the GPL license ("GPL Compatible License"). In accordance with the terms of the GPL or the applicable GPL Compatible License, NETSCOUT will make available a complete, machine-readable copy of the source code components of this product covered by the GPL or applicable GPL Compatible License, if any, upon receipt of a written request. Please identify the product and send a request to:

NETSCOUT SYSTEMS, INC.
GPL Source Code Request
310 Littleton Road
Westford, MA 01886
Attn: Legal Department

ii


Trademark and copyright notices:

© 2020 NETSCOUT SYSTEMS, INC. All rights reserved. NETSCOUT, the NETSCOUT logo, Guardians of the Connected World, InfiniStream, nGenius, nGeniusONE, Psytechnics, Simena, and Sniffer are registered trademarks; ASI, Fox Replay, Hyperlock, the Psytechnics logo, and TestStream are trademarks; and MasterCare and ServiceONE are a service mark of NETSCOUT SYSTEMS, INC. and/or its affiliates in the United States and/or other countries (“NETSCOUT”).

All other brands and product names and registered and unregistered trademarks are the sole property of their respective owners. Dell, the DELL logo, and PowerEdge are trademarks of Dell Inc.

Microsoft, Windows, Windows Server, and MS-DOS are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries.

Red Hat and Enterprise Linux are registered trademarks of Red Hat, Inc. in the United States and other countries.

VMware and vSphere are registered trademarks or trademarks (the “Marks”) of VMware, Inc. in the United States and/or other jurisdictions.

Citrix and XenServer are trademarks of Citrix Systems, Inc. and/or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries.

Sun and Solaris are trademarks of Sun Microsystems, Inc. or its subsidiaries in the United States and other countries.

NETSCOUT SYSTEMS, INC. disclaims any proprietary interest in trademarks and trade names other than its own.

NETSCOUT reserves the right, at its sole discretion, to make changes at any time in its technical information, specifications, service, and support programs.

Getting Started with NETSCOUT Application Performance Management for Amazon Web Services
733-1355 Rev. A
Copyright 2020 NETSCOUT SYSTEMS, INC. All rights reserved.

iii


Contacting NETSCOUT SYSTEMS, INC.

Customer Support

The best way to contact Customer Support is to submit a Support Request: https://my.netscout.com/mcp/Pages/Landing.aspx

Telephone: In the US, call 888-357-7667; outside the US, call 001 978-614-4000. Phone support hours are 8 a.m. to 8 p.m. Eastern Standard Time (EST).

E-mail: [email protected]

When you contact Customer Support, the following information can be helpful in diagnosing and solving problems:

• Type of network platform

• Software, operating system, and kernel versions

• EC2 instance type, AWS Region, and AWS Availability Zone

• License type (BYOL or PAYG), license number, and your organization’s name

• The text of any error messages

• Supporting screen images, logs, and error files, as appropriate

• A detailed description of the problem

Sales

Call 800-357-7666 for the sales office nearest your location.

Education and Training

Education and training resources including course listings, product certification, webinars, and case studies are available at: http://www.netscout.com/education/overview/

iv


Contents

Introducing NETSCOUT Smart Data Solutions for Hybrid Cloud Monitoring ........ 8
    Solution Components ........ 9
    Detailed Deployment Architecture ........ 10
System Requirements – Amazon Web Services ........ 11
    Skills and Specialized Knowledge Recommendations ........ 12
    Licensing Models – BYOL and PAYG ........ 12
        About BYOL Licenses ........ 13
        Licensing for Legacy vSCOUT and vSTREAM-EMB Agents ........ 14
    About Pricing and Costs ........ 14
Deployment Summary ........ 15
Obtaining BYOL Licensing Information ........ 16
Launching NETSCOUT Templates ........ 16
    Assign a Public IP Address ........ 21
    Template Parameters ........ 21
        Security Group Details ........ 25
        Instance Type Recommendations ........ 27
    Connecting to Instances ........ 29
Deploying vSTREAM Agent from Virtual nGeniusONE ........ 30
AWS Traffic Acquisition – Ingress Routing and Traffic Mirroring ........ 30
    Configuring AWS VPC Traffic Mirroring ........ 31
Virtual nGeniusONE Deployment Notes ........ 38
Operational Guidance ........ 39
    Maintaining Visibility on System Health ........ 39
        Using the Server Health Summary in nGeniusONE ........ 39
        Using the Instrumentation Health Summary in nGeniusONE ........ 40
        Using the Notification Center ........ 40
    Snapshot and Backup Procedures ........ 40
        Backing Up nGeniusONE and vSTREAM Virtual Appliance ........ 41
        Backing Up vSTREAM Agent ........ 41
        Snapshot Examples by Target RPO ........ 41
    Routine Maintenance ........ 42
Security Notes ........ 43
Disaster Recovery ........ 44
    Disaster Recovery: Key Concepts ........ 44
    Sample Disaster Recovery Plans ........ 44
        Availability Zone Recovery ........ 45
        Region Recovery ........ 47
Activating MasterCare Support ........ 49

v


Getting Started with Application Performance Management for AWS

This document describes how to get started using nGeniusONE® Service Assurance platform with Amazon Web Services (AWS). See the following sections for details:

• "Introducing NETSCOUT Smart Data Solutions for Hybrid Cloud Monitoring" on page 8

• "System Requirements – Amazon Web Services" on page 11

• "Deployment Summary" on page 15

• "Obtaining BYOL Licensing Information" on page 16

• "Launching NETSCOUT Templates" on page 16

• "Deploying vSTREAM Agent from Virtual nGeniusONE" on page 30

• "AWS Traffic Acquisition – Ingress Routing and Traffic Mirroring" on page 30

• "Virtual nGeniusONE Deployment Notes" on page 38

• "Operational Guidance" on page 39

• "Security Notes" on page 43

• "Disaster Recovery" on page 44

Additional Resources

NETSCOUT® Systems strongly recommends that you read this document in its entirety, as well as the most recent versions of the following additional documentation available online at My.NETSCOUT:

• vSTREAM Installation Guide

• Virtual nGeniusONE Installation Guide

• Agent Administrator Guide for CDM/ASI

• nGeniusONE documentation and Online Help

Note: For the most current and comprehensive information, visit the NETSCOUT Technical Support knowledge base at the following URL: https://my.netscout.com/pages/mcplanding.aspx. This site contains related documents, tips, FAQs, and suggested workarounds. You can also download updated copies of product documentation from this site.

7


Introducing NETSCOUT Smart Data Solutions for Hybrid Cloud Monitoring

NETSCOUT smart data solutions provide end-to-end visibility on application workloads and their dependencies on compute, network, and storage infrastructure in hybrid cloud environments.

nGeniusONE provides application performance management for AWS and allows you to:

• Migrate application workloads to AWS cloud with confidence.

• Assure the performance of the application in AWS cloud and hybrid environments.

• Deliver a consistent and high quality user experience before, during and after cloud migration.

Figure 1 illustrates a sample hybrid deployment with a physical nGeniusONE server operating as a Distributed Global Manager in the data center. The nGeniusONE server manages a Virtual nGeniusONE server deployed in the public cloud together with its associated vSTREAM Agents and vSTREAM virtual appliances, minimizing public cloud throughput charges.

Figure 1 Application Performance Management for AWS

8 Introducing NETSCOUT Smart Data Solutions for

Solution Components

The NETSCOUT Application Performance Management solution for AWS consists of the Virtual nGeniusONE console, vSTREAM virtual appliances, and vSTREAM agents, working together to deliver an overarching view into the performance of all infrastructure and application components across geographically dispersed data centers and cloud (Figure 2).

Figure 2 Detailed View of NETSCOUT Components

The table below summarizes the role of each of these components:

vSTREAM Agent
• Installers for Linux and Windows bundled with Virtual nGeniusONE AMI.
• Install vSTREAM agent on same AMI as target monitored applications in the cloud.
• The data source for AWS cloud visibility in the NETSCOUT Application Performance Management solution for AWS:
    • Reports on key performance indicators
    • Provides access to packet-level data by forwarding packets to vSTREAM.
• Optimized for ASI visibility with minimal footprint.
• Manage with Virtual nGeniusONE.

vSTREAM Virtual Appliance
• Deploy as a virtual appliance in AWS EC2 using NETSCOUT’s configurable Cloud Formation Templates and ready-made AMI.
• Scalable provisioning depending on Instance Type selected during deployment.
• Receives traffic forwarded from multiple vSTREAMs for full ASI analysis and packet decodes.
• Manage and visualize received data with vSTREAM.

Virtual nGeniusONE
• Delivers overarching view into the performance of all infrastructure and application components associated with delivering IP-based services.
• Deploys as a virtual appliance using NETSCOUT’s configurable Cloud Formation Template and ready-made AMI.
• Provides seamless management of vSTREAM agent, vSTREAM virtual appliance, and InfiniStream appliances.
• Integrate with Distributed Global Manager in data center (for example, over Amazon's Direct Connect service) for end-to-end visibility.

9

Detailed Deployment Architecture

Figure 3 illustrates a sample of a multi-VPC, load-balanced deployment, including an auto-scaling application with multi-AZ databases. Note the following:

• nGeniusONE and vSTREAM virtual appliances reside in a separate VPC from the monitored Application deployment. Although this example shows both VPCs in the same AWS Region, they can also be in separate regions. Management traffic is shown in blue in the figure.

• NETSCOUT’s CloudFormation templates in the AWS Marketplace are used to perform the deployment of nGeniusONE and vSTREAM virtual appliance instances.

• vSTREAM Agents are installed on each Web, Application, and Database server targeted for monitoring. Monitored traffic is forwarded to vSTREAM virtual appliances in GRE/UDP tunnels shown in green in the figure below.

You can either install vSTREAM Agents manually using the instructions in "Deploying vSTREAM Agent from Virtual nGeniusONE" on page 30 or you can use the NETSCOUT-provided Ansible Playbook (vstream_agent_playbook.yml) to automate deployment of vSTREAM Agent software to multiple hosts with a single command. Refer to “Installing vSTREAM as an Agent Using Ansible Playbook,” in the vSTREAM Installation Guide for details on using the NETSCOUT Ansible Playbook.

• NETSCOUT recommends that you use a unique identifier of the monitored Web, Application, and Database servers as the serial number (nsprobeid) for the corresponding vSTREAM Agent used to monitor its traffic. This makes it easier to associate a vSTREAM Agent data source with its monitored server in nGeniusONE. Refer to the vSTREAM Installation Guide for details on configuring serial numbers for vSTREAM data sources.

Figure 3 Detailed Deployment Diagram

10

System Requirements – Amazon Web Services

Table 1 summarizes the necessary requirements to deploy the NETSCOUT Smart Data solution for AWS:

Table 1 Deployment Requirements

Amazon Web Services Account
You must have an active Amazon Web Services account with access to the EC2 Management Console to deploy in an AWS environment.

Amazon Web Services Permissions
The Amazon Web Services account used to deploy NETSCOUT Smart Data solutions must have appropriate permissions granted. The simplest way to do this is to grant the AdministratorAccess policy. However, if granting administrator access is not acceptable in your environment, assign the following policies to the account used to deploy NETSCOUT components:
• Assign the built-in AmazonEC2FullAccess policy.
• Create a custom policy with a permission for Full access to the CloudFormation service and assign it.
It’s easiest to grant these permissions in the AWS Organizations visual editor. Note that granting these permissions complies with the “principle of least privilege” – these are the minimum permissions required to deploy the solution.
Refer to "Security Notes" on page 43 for more information on best practices for the security of NETSCOUT Smart Data solutions.

Static Private IP Address & License Information
Bring Your Own License (BYOL) Deployments: If you are deploying NETSCOUT Smart Data solutions using the BYOL model, you will need a static private IP address for Virtual nGeniusONE. You use this IP address to complete the product registration procedure and obtain the Serial Number and Password to be entered in the CloudFormation templates and deploy the BYOL AMIs from the AWS Marketplace. Refer to "Obtaining BYOL Licensing Information" on page 16 for details.
Note: A static IP address is only needed for BYOL deployments. If you are deploying using the Pay As You Go model (PAYG), you do not need a static IP address.

Existing AWS VPC
An existing AWS VPC with subnets for both Management and Monitoring.

Route Tables/Security Groups
Appropriate Route Tables and Security Groups for communication between nGeniusONE and vSTREAMs.

NTP Server Access
Access to an NTP Server for accurate timestamps in NETSCOUT analysis. NETSCOUT recommends using Amazon Time Sync Services.

Access to Marketplace Images
You must have access to the NETSCOUT Application Performance Management AMI images in the AWS Marketplace in the AWS region you are using.

SSH Key Pair
You must have a key pair for SSH access to deployed AMIs. You can create or import the key pair in AWS using these instructions.
Note: SSH key pairs are created in AWS:
• Public keys are stored in AWS, are not confidential and are protected at the account level.
• Private keys are stored by the user and are their responsibility to protect.
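The permissions row above gives two options: AdministratorAccess, or AmazonEC2FullAccess plus a custom policy with full access to CloudFormation. The following added example (not NETSCOUT's or AWS's code) is an offline checker that evaluates a set of identity policy documents against a representative list of EC2 and CloudFormation actions a template-driven deployment exercises, reports what is missing, and flags a principal that can also do things outside that scope. The policy documents, the required-action list and the out-of-scope probe actions are constructed for the example; the real AWS managed policies are longer, and Resource ARNs and Condition blocks are not modelled.

```python
"""Offline check of the IAM permissions held by the principal that will run the
NETSCOUT CloudFormation deployment. Added example; policy documents are constructed."""
import fnmatch
from typing import Any, Dict, List

# Representative actions a CloudFormation-driven EC2 deployment exercises
# (chosen for the example, not a list taken from the guide).
REQUIRED_ACTIONS: List[str] = [
    "ec2:RunInstances",
    "ec2:DescribeInstances",
    "ec2:CreateSecurityGroup",
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:CreateTags",
    "cloudformation:CreateStack",
    "cloudformation:DescribeStacks",
    "cloudformation:DescribeStackEvents",
    "cloudformation:DeleteStack",
]

# Actions outside EC2 and CloudFormation; if any are allowed, the principal holds
# more than the deployment needs (constructed probe list).
OUT_OF_SCOPE_PROBES: List[str] = ["iam:CreateUser", "s3:DeleteBucket", "kms:ScheduleKeyDeletion"]

# Constructed, simplified policy documents (the real AWS managed policies are longer).
ADMINISTRATOR_ACCESS = {"Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
EC2_FULL_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
# The custom policy the guide asks you to create: full access to CloudFormation only.
CLOUDFORMATION_FULL_ACCESS = {"Version": "2012-10-17",
                              "Statement": [{"Effect": "Allow", "Action": "cloudformation:*",
                                             "Resource": "*"}]}


def _as_list(value: Any) -> List[Any]:
    """IAM lets Statement, Action and NotAction be a single string/object or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policies: List[Dict[str, Any]], action: str) -> bool:
    """Evaluate one action against identity policies: an explicit Deny always wins,
    otherwise at least one matching Allow is needed (implicit deny by default)."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if "Action" in stmt:
                applies = any(_matches(p, action) for p in _as_list(stmt["Action"]))
            elif "NotAction" in stmt:
                applies = not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
            else:
                applies = False
            if not applies:
                continue
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


def check_deployment_permissions(policies: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Report missing required actions and any out-of-scope actions the principal can perform."""
    missing = [a for a in REQUIRED_ACTIONS if not is_allowed(policies, a)]
    over_broad = [a for a in OUT_OF_SCOPE_PROBES if is_allowed(policies, a)]
    return {"ready": not missing, "missing": missing, "over_broad": over_broad}


if __name__ == "__main__":
    for label, attached in [("AdministratorAccess", [ADMINISTRATOR_ACCESS]),
                            ("EC2 + CloudFormation", [EC2_FULL_ACCESS, CLOUDFORMATION_FULL_ACCESS]),
                            ("EC2 only", [EC2_FULL_ACCESS])]:
        print(label, check_deployment_permissions(attached))
```

With the two-policy combination the report is ready with nothing out of scope; with AdministratorAccess alone it is ready but every probe action is also allowed, which is the trade-off the row describes. To run this against a real account, export the attached policy documents with the AWS CLI or SDK and pass them in place of the constructed ones.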

11


Skills and Specialized Knowledge Recommendations

Table 2 summarizes recommended skills and specialized knowledge for deployment of the NETSCOUT Smart Data solution for AWS:

Table 2 Skills and Specialized Knowledge Recommendations

AWS Core Services
• Understanding of EC2 Core services, including Marketplace.
• Understanding of EC2 backup, snapshot, and restore processes.
• High level understanding of AWS networking services, including VPCs, Subnets, Route Tables, Elastic/Public IP addresses, and Security Group.

AWS CloudFormation
• Able to launch a Stack from a predefined CloudFormation Template.
• Optional – Understanding of YAML.

AWS IAM
• Able to attach AWS Managed IAM Policies to an IAM User running the deployment, either directly or via a Group.

Tools for AWS
• Able to write scripts for regular maintenance of the EC2. There are multiple tools for scripting available, including AWS Command Line Tools and AWS SDKs. You can see a list of all supported Tools for Amazon Web Services here.

Licensing Models – BYOL and PAYG

NETSCOUT Smart Data solutions are available in the AWS Marketplace as both BYOL (Bring Your Own License) and PAYG (Pay As You Go) deployments for both Commercial and GovCloud environments:

• BYOL – In the BYOL model, you purchase an instance license for Virtual nGeniusONE from NETSCOUT systems in addition to sufficient vCPU license blocks to cover managed vSTREAMs. This is the same model as solutions purchased directly from NETSCOUT systems. Refer to "About BYOL Licenses" on page 13 for details on BYOL licenses.

• PAYG – In the PAYG model, you pay AWS for usage of Virtual nGeniusONE on either an annual or hourly basis. Virtual nGeniusONE deployments using the PAYG model can manage vSTREAMs up to a specific vCPU limit specified by the selected CFT (8 in this release).

Note: If you require additional vSTREAM vCPUs, you can extend the Virtual nGeniusONE PAYG deployment’s capacity by applying additional BYOL vCPU block licenses.

Table 3 summarizes the available CFT templates for both BYOL and PAYG deployments:

Table 3 Available CFT Templates by License Type

Bring Your Own License
Description:
• Purchase vNG1 license from NETSCOUT based on static IP address. Install using license utility.
• Purchase 8-vCPU block licenses to cover all managed vSTREAM instances. Extend as necessary with additional vSTREAM licenses. Refer to "About BYOL Licenses" on page 13 for details.
Available CFT Templates:
• Virtual nGeniusONE and vSTREAM
• vSTREAM Only
• Virtual nGeniusONE Only

Pay As You Go
Description:
• Select a PAYG CFT template authorized to manage a specific number of vSTREAM vCPUs on either an annual or hourly basis.
• Add vSTREAMs up to the specified vCPU limit.
• In the rare case you require additional vCPUs, purchase and apply additional BYOL vSTREAM vCPU licenses.
Available CFT Templates:
• Virtual nGeniusONE and vSTREAM (8 vCPU)
• Virtual nGeniusONE Only (8 vCPU)

12

About BYOL Licenses

This section describes licensing for deployments using the BYOL CFT templates:

• BYOL Virtual nGeniusONE provides support for fifty Type 1 monitoring interfaces.

• BYOL Virtual nGeniusONE must be licensed for the quantity of vSTREAM vCPUs you want to manage in blocks of 8. This is summarized in Table 4:

Table 4 vSTREAM vCPU Licenses in nGeniusONE (BYOL)

vCPU Licenses
NETSCOUT uses licenses to control the maximum number of vCPUs provisioned across all vSTREAM instances managed by nGeniusONE.
You purchase and apply vSTREAM vCPU licenses in blocks of eight. Keep in mind the following:
• vCPU blocks can be subdivided. For example, an 8-vCPU block license could be shared by two separate vSTREAM instances, each of which was assigned four vCPUs.
• Once a pool of vCPU licenses is exhausted, no more vSTREAM instances can be added to the server.
• The pool of vSTREAM licenses is shared among all vSTREAM 6.2.1+ instances managed by nGeniusONE, regardless of whether they are installed as an agent, container, or virtual appliance.
• The license pool for vSTREAM 6.2.1+ devices is completely separate from the vCPU license pool for legacy vSCOUT and vSTREAM-EMB devices released prior to 6.2.1.
nGeniusONE will display an error message if you try to add a vSTREAM whose assigned vCPUs would exceed the licensed capacity.

Type 1 Interface Licenses
Each 8-vCPU block license in use on the nGeniusONE server counts as one Type 1 interface against the nGeniusONE Server’s total capacity (50, by default, for a standalone server).
The Type 1 interface is debited from the local nGeniusONE server when the first vCPU in the block is consumed by a vSTREAM added to that nGeniusONE server. A second Type 1 interface is not debited until the initial 8-vCPU block is fully consumed and a vSTREAM is added to nGeniusONE that begins using a second 8-vCPU block.
Note: The PAYG Virtual nGeniusONE includes five Type-1 licenses, which is more than sufficient for the single 8-vCPU vSTREAM block license included in this release.
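The two rules in Table 4 (vCPU blocks of eight that may be subdivided, and one Type 1 interface debited per block as soon as its first vCPU is consumed) are easy to get wrong when sizing a purchase. The following added example (this guide's figures, not NETSCOUT code; the class and method names are the example's own) models the BYOL pool so you can see when an added vSTREAM is rejected and when the second Type 1 interface is actually debited. It also computes how many 8-vCPU blocks a planned set of vSTREAMs needs.

```python
"""Model of the BYOL vSTREAM vCPU license pool and Type 1 interface debit rule from
Table 4. Added example; block size (8) and default Type 1 capacity (50) come from the
guide, everything else here is this example's own construction."""
import math
from dataclasses import dataclass, field
from typing import Dict, Iterable

BLOCK_SIZE = 8               # vCPUs per vSTREAM license block (from the guide)
DEFAULT_TYPE1_CAPACITY = 50  # Type 1 interfaces on a standalone nGeniusONE server


class LicenseError(Exception):
    """Raised where the guide says nGeniusONE displays an error."""


@dataclass
class VcpuLicensePool:
    blocks: int                                  # 8-vCPU block licenses applied
    type1_capacity: int = DEFAULT_TYPE1_CAPACITY
    type1_used_elsewhere: int = 0                # Type 1 interfaces held by other data sources
    assigned: Dict[str, int] = field(default_factory=dict)  # vSTREAM name -> vCPUs

    @property
    def licensed_vcpus(self) -> int:
        return self.blocks * BLOCK_SIZE

    @property
    def used_vcpus(self) -> int:
        return sum(self.assigned.values())

    @property
    def type1_debited(self) -> int:
        # One Type 1 interface per block that has at least one vCPU consumed: the
        # second interface is debited only when the first block is full and a
        # vSTREAM starts consuming the next one.
        return math.ceil(self.used_vcpus / BLOCK_SIZE)

    def add_vstream(self, name: str, vcpus: int) -> int:
        """Add a managed vSTREAM; returns the Type 1 interfaces debited afterwards."""
        if vcpus < 1:
            raise ValueError("a vSTREAM needs at least one vCPU")
        if name in self.assigned:
            raise LicenseError(f"{name} is already managed by this server")
        new_used = self.used_vcpus + vcpus
        if new_used > self.licensed_vcpus:
            raise LicenseError(
                f"{name} needs {vcpus} vCPUs but only "
                f"{self.licensed_vcpus - self.used_vcpus} of {self.licensed_vcpus} remain")
        new_type1 = math.ceil(new_used / BLOCK_SIZE)
        if self.type1_used_elsewhere + new_type1 > self.type1_capacity:
            raise LicenseError("no free Type 1 interface on this nGeniusONE server")
        self.assigned[name] = vcpus
        return new_type1


def blocks_needed(vcpu_requests: Iterable[int]) -> int:
    """8-vCPU block licenses to purchase for a planned set of vSTREAMs. Blocks can be
    subdivided across instances, so only the total vCPU count matters."""
    return math.ceil(sum(vcpu_requests) / BLOCK_SIZE)


if __name__ == "__main__":
    pool = VcpuLicensePool(blocks=2)  # 16 licensed vCPUs
    for name, vcpus in [("vstream-a", 4), ("vstream-b", 4), ("vstream-c", 2)]:
        print(name, "added; Type 1 interfaces debited:", pool.add_vstream(name, vcpus))
    try:
        pool.add_vstream("vstream-d", 8)
    except LicenseError as err:
        print("rejected:", err)
    print("blocks to buy for 4+4+2+8 vCPUs:", blocks_needed([4, 4, 2, 8]))
```

With two blocks, two 4-vCPU vSTREAMs fill the first block and still debit a single Type 1 interface; the third vSTREAM starts the second block and debits the second interface; a further 8-vCPU vSTREAM is rejected because only 6 of 16 vCPUs remain.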


13


Licensing for Legacy vSCOUT and vSTREAM-EMB Agents

Once you upgrade the nGeniusONE server to the 6.2.1 release or later, all legacy managed vSCOUT agents are treated as vSTREAM-EMB agents provisioned with one vCPU. That is, they debit an 8-vCPU vSTREAM-EMB license for a single vCPU.

Keep in mind that there is no 6.2.1 or 6.2.2 release for vSTREAM-EMB. Instead, you can install the new vSTREAM Agent in 6.2.1 and later. However, you can still manage legacy vSTREAM-EMB agents from nGeniusONE 6.2.2. The separate vCPU license pool for vSTREAM-EMB agents remains intact.

About Pricing and Costs

The NETSCOUT site on the AWS Marketplace provides helpful tools that let you estimate the costs of using NETSCOUT Smart Data solutions with different configuration choices. After navigating to the NETSCOUT site on the AWS Marketplace, click on the Pricing tab and fill out the fields to estimate your costs. Keep in mind that your usage and costs may vary from the estimate depending on actual usage.

Figure 4 Estimating Costs for NETSCOUT Application Performance Management Solutions

In addition, Support is included as part of the pricing on the page referenced above.

14

Deployment Summary

Deploying NETSCOUT Smart Data solutions consists of the following major steps:

1 If you are using one of the BYOL templates, work with your NETSCOUT Sales Representative to obtain the necessary licensing information for both Virtual nGeniusONE and vSTREAM. You will need to have a static private IP address for Virtual nGeniusONE in order to obtain the Serial Number and Password from the NETSCOUT registration site to enter in the CloudFormation Templates as part of the deployment for both products.

2 Install NETSCOUT Smart Data solution components in the following order:

a Virtual nGeniusONE and vSTREAM Virtual Appliance (the components deploy together using the same CloudFormation Template).

b vSTREAM Virtual Appliance. Depending on the number of vSTREAM agents from which you expect to forward traffic (and the quantity of traffic each agent will send), you may want to install multiple vSTREAM virtual appliances.

Note: There is a separate BYOL CFT for a vSTREAM virtual appliance-only installation. You can deploy additional vSTREAM virtual appliances either by using the vSTREAM virtual appliance-only template or by cloning the vSTREAM virtual appliance deployed in Step a using the combined Virtual nGeniusONE/vSTREAM Virtual Appliance deployment.

Note: A PAYG Virtual nGeniusONE can manage vSTREAMs deployed using the BYOL template so long as the total number of managed vSTREAM vCPUs does not exceed the maximum authorized by the Virtual nGeniusONE PAYG CFT (8 in this release).

c vSTREAM Agent. The installers for vSTREAM Agent are bundled with the Virtual nGeniusONE AMI. You can copy them to a target AMI from Virtual nGeniusONE and install them using the standard installation procedure described in "Deploying vSTREAM Agent from Virtual nGeniusONE" on page 30.

3 Optional: If you want to connect to deployed instances over the public internet (instead of a VPN, for example), assign a public IP address to Virtual nGeniusONE.

4 Ensure that both vSTREAM virtual appliance and vSTREAM agent instances are communicating properly with nGeniusONE:

• When you deploy vSTREAM virtual appliance in AWS, you enter the private IP address of the managing Virtual nGeniusONE server in the CloudFormation template. This lets vSTREAM virtual appliance add itself to nGeniusONE automatically immediately upon boot up.

• When you install vSTREAM agent on a target AMI, you can either configure the private IP address of the managing Virtual nGeniusONE server prior to installation or add the vSTREAM agent manually after installation (both approaches are described in the vSTREAM Installation Guide).

If for some reason an instance is not communicating properly with Virtual nGeniusONE, log in to the command line of the vSTREAM, run the Agent Configuration utility, and make sure that the Virtual nGeniusONE private IP address is specified under [4] Change Config Server Address.


5 Configure Traffic Forwarding from vSTREAM agent sources to vSTREAM virtual appliance destinations using Device Configuration in Virtual nGeniusONE. Refer to the vSTREAM Installation Guide and the Virtual nGeniusONE online help for details.

Obtaining BYOL Licensing Information

Use the following procedure to obtain the Serial Numbers and Passwords from the NETSCOUT registration site to enter in the BYOL CloudFormation Templates as part of the deployment for both Virtual nGeniusONE and vSTREAM.

Note: This procedure only applies to BYOL deployments; PAYG deployments are authorized directly through the Marketplace.

1 When you purchase Virtual nGeniusONE or vSTREAM from NETSCOUT, you receive a registration form that includes a registration key. Locate this form.

2 Open a web browser and navigate to https://my.netscout.com/mcp/Pages/default.aspx.

3 Navigate to Licensing & Downloads and follow the instructions there to enter your registration key. You will also enter an IP address:

• If you are licensing Virtual nGeniusONE, you enter the static, private IP address to be used for Virtual nGeniusONE in the AWS public cloud.

• If you are licensing vSTREAM, you enter the IP address of its managing Virtual nGeniusONE server.

4 When you complete the registration procedure, you receive both a serial number and a password (license key). Print the screen that contains this information. You will enter these values in the CloudFormation templates when you deploy the Virtual nGeniusONE and vSTREAM AMIs.

Launching NETSCOUT Templates

This section describes how to deploy the NETSCOUT Smart Data solution using the CloudFormation templates and AMIs available in the NETSCOUT site on the AWS Marketplace:

1 Search the Amazon Marketplace for NETSCOUT.

The Amazon MarketPlace shows the entry for the NETSCOUT Application Management Solution for AWS.

2 Click the button for the NETSCOUT Application Management Solution for AWS.

3 Accept the Terms and Conditions for the NETSCOUT Application Management Solution for AWS.

4 Click the Continue to Configuration button.

5 Select the type of deployment you want to perform by choosing from the following Fulfillment Options/CloudFormation templates (Figure 5):

Note: vSTREAM agents provide the data gathering engine for the NETSCOUT Smart Data solution. However, in their default configuration, they do not provide all of the functionality that vSTREAM virtual appliances do. Unless you’ve enabled a packet store on your vSTREAM agents, you may want to forward traffic from vSTREAM agent sources to vSTREAM virtual appliances for in-depth packet-level analysis.


• NETSCOUT Application Performance Management Solution for AWS (BYOL) (installs both Virtual nGeniusONE and vSTREAM virtual appliance)

• NETSCOUT vSTREAM for AWS (BYOL)

• NETSCOUT Virtual nGeniusONE for AWS (BYOL)

• NETSCOUT Application Performance Management for AWS (PAYG) (installs both Virtual nGeniusONE and vSTREAM virtual appliance)

• NETSCOUT Virtual nGeniusONE for AWS (PAYG)

Figure 5 Selecting the CloudFormation Template for the Deployment

6 Use the Software Version dropdown to select the version of the selected CFT to deploy.

7 Use the Region dropdown to specify the Availability Zone where the software should be deployed.

8 Click Continue to Launch to continue.

9 Review the configuration details in the Launch page and click Launch when ready to continue.


The Create stack wizard appears with the Select Template screen prepopulated with the selected CloudFormation template. For example, Figure 6 shows the Create stack wizard prepopulated with the Virtual nGeniusONE and vSTREAM BYOL CloudFormation template.

Figure 6 Create Stack Wizard with CFT for Virtual nGeniusONE and vSTREAM Selected

10 Click Next to continue.

11 The Specify Details screen appears. Supply a Stack name and fill out the Parameters for the CloudFormation template using the information in "Template Parameters" on page 21. Figure 7 shows an example of the combined Virtual nGeniusONE/vSTREAM CFT.

Note: You configure different parameters depending on the selected template. "Template Parameters" on page 21 describes all of the available parameters.


Figure 7 Supplying Values for the CloudFormation Template

12 When you have finished configuring the CloudFormation parameters, click Next to continue.

13 The Options page appears, allowing you to configure the standard CloudFormation Stack settings listed below. These are all optional; none are required. Use the links below to learn more about these AWS options.

• Tags (key-value pairs)

• Permissions

• Rollback Triggers

• Advanced

When you have finished setting Options, click Next to continue.

14 The Create Stack Wizard displays a summary of the settings for the new stack. Review the settings and use the Previous button to correct if necessary. When you are satisfied with your settings, click Create stack to launch the new instance(s).


The Stack Wizard begins to create the requested resources (Figure 8) and eventually launches the instance.

Figure 8 Stack Creation in Progress

15 After a few minutes, you can see the instance(s) in the EC2 Management Console’s Instances list. (Figure 9).

Figure 9 Newly Created Instances


Assign a Public IP Address

By default, the NETSCOUT CFT templates do not assign a public IP address to deployed instances. If you want to be able to connect to Virtual nGeniusONE and/or vSTREAM virtual appliances from the public internet, make sure you allocate an elastic IP address to the instance after deployment.

Once you’ve assigned a public IP address to an instance, you can connect to it from the Internet. Open a web browser and connect to the public IP address for the Virtual nGeniusONE server and confirm that its associated vSTREAM virtual appliance was automatically added in Device Configuration and is available for analysis (Figure 10). For example:

https://<Public IP Address>:8443/console/

The default credentials for Virtual nGeniusONE are administrator/netscout1.

Figure 10 Virtual nGeniusONE Deployed in AWS with vSTREAM Virtual Appliance Automatically Added

Refer to "Connecting to Instances" on page 29 for information on opening an SSH connection to the operating system of the new instances.

Template Parameters

Table 5 lists and describes the parameters you must supply as part of the deployment of the NETSCOUT Smart Data solution CloudFormation templates. The table lists the parameters from the combined Virtual nGeniusONE and vSTREAM virtual appliance template. If you are using one of the templates for an individual Virtual nGeniusONE or vSTREAM virtual appliance, the parameters you supply will be a subset of those in Table 5. Similarly, certain parameters only apply to the BYOL or PAYG templates; these are called out in the table as such.

Note: A public IP is automatically assigned by AWS if the subnet to which you are adding Virtual nGeniusONE has the Enable auto-assign public IPv4 address option enabled.

Note: Security Group settings for Virtual nGeniusONE require that you use HTTPS instead of HTTP.

Table 5 Configuration Parameters for CloudFormation Templates

Parameter Description

Stack name Provide a unique name for this stack.

General Configuration


AvailabilityZone Select an AWS Availability Zone to be used for the deployment from the dropdown list. The list includes the Availability Zones accessible from your account.

KeyName Select an existing keypair from the dropdown to be used for access to the instance(s). You can review your existing keypairs in Network & Security > Key Pairs from the EC2 Dashboard.

Virtual nGeniusONE Configuration

vnG1InstanceType Choose an Instance Type for the Virtual nGeniusONE deployment from the dropdown list.

Each Instance Type provides a different combination of computing resources (CPU, memory, storage, and networking). You can select from the following Instance Types for Virtual nGeniusONE:

• m5.2xlarge

• m5.4xlarge

Refer to "Choosing an Instance Type for Virtual nGeniusONE" on page 28 for guidance on selecting an Instance Type appropriate for your needs.

NOTE: Instance Types are priced differently in the AWS Public Cloud based on the amount of resources provisioned. Refer to https://aws.amazon.com/ec2/instance-types for details.

vnG1ServerIP Supply a static, private IP address in an existing subnet belonging to the target VPC.

Note: For BYOL deployments, this should match the IP address you used to register Virtual nGeniusONE on the NETSCOUT MasterCare Portal.

Note: The CloudFormation template only supports IPv4 addresses in this release. Contact NETSCOUT for assistance if you require IPV6 support.

vnG1dbONEVolumeSize Specify the size of the Virtual nGeniusONE database in GB. The default value is 1000 MB (1GB).

vnG1dbONEVolumeEncrypt Use the dropdown to specify whether the Virtual nGeniusONE storage database (dbONE) should be encrypted. By default, it is not.

vSTREAM Configuration

vSTREAMInstanceType Choose an Instance Type for the vSTREAM virtual appliance deployment from the dropdown list.

Each Instance Type provides a different combination of computing resources (CPU, memory, storage, and networking). You can select from the following Instance Types for vSTREAM virtual appliance:

• m5.2xlarge (BYOL and PAYG)

• m5.4xlarge (BYOL only; this instance type uses 16 vCPUs and exceeds the PAYG Virtual nGeniusONE’s maximum capacity for vSTREAM vCPUs of 8 in this release).

Refer to "Choosing an Instance Type for vSTREAM Virtual Appliance" on page 28 for guidance on selecting an Instance Type appropriate for your needs.

NOTE: Instance Types are priced differently in the AWS Public Cloud based on the amount of resources provisioned. Refer to https://aws.amazon.com/ec2/instance-types for details.


vSTREAMVolumeSize Specify the size of the vSTREAM virtual appliance storage volume. Acceptable values range from 100-16,000 GB (16TB). The default is 100 GB.

The size of your storage volume corresponds directly to your ability to store packet and ASI data on the monitoring vSTREAM virtual appliance. Contact your Sales Representative for assistance in choosing a volume size that balances expenses with your need to preserve data based on expected traffic types and load.

vSTREAMVolumeEncrypt Use the dropdown to specify whether the vSTREAM virtual appliance storage volume should be encrypted. By default, it is not.

Network

VpcId Use the dropdown to select an existing VPC for the deployment. If you are deploying Virtual nGeniusONE and vSTREAM virtual appliance together, both AMIs will be deployed in the same VPC.

If you have many VPCs associated with your account, you can type an entry in the field to narrow the results to matching IDs or name tag values.

MgmtSubnet Use the dropdown list to select an existing subnet for Management traffic between Virtual nGeniusONE and managed vSTREAM devices. The dropdown lists the subnets already provisioned for your account.

If you are deploying Virtual nGeniusONE and vSTREAM virtual appliance together, the subnet selected here is used for the Management port on both instances.

Note that the Capture and Management subnets must both be in the same AWS Availability Zone (the Availability Zone selected for the Virtual nGeniusONE deployment, above).

If you have many subnets associated with your account, you can type an entry in the field to narrow the results to matching IDs or name tag values.

CaptureSubnet Use the dropdown list to select an existing subnet for the vSTREAM virtual appliance monitoring interface. The dropdown lists the subnets already provisioned for your account.

You can either select the same subnet you are using for Management traffic or choose a different one. Note that the Capture and Management subnets must both be in the same AWS Availability Zone (the Availability Zone selected for the Virtual nGeniusONE deployment, above).

In general, it’s a good practice to keep management traffic separate from the capture subnet. This way, you aren’t adding additional traffic to the monitored subnet and you also have a means of contacting a managed vSTREAM if its capture subnet goes down.

If you have many subnets associated with your account, you can type an entry in the field to narrow the results to matching IDs or name tag values.


AccessLocation Use this field to limit the range of IP addresses from which the deployed instance(s) will accept SSH connections. This field is mandatory. However, if you want to allow SSH connections from any location, you can enter a value of 0.0.0.0/0.

If you are deploying Virtual nGeniusONE and vSTREAM virtual appliance together, the range specified here is used for SSH connections to the Management port on both instances.

You can edit the Security Group settings later on to change the IP addresses for which access is allowed. Refer to Working with Security Groups in the AWS documentation for details.

Security GroupsUse these fields to assign Virtual nGeniusONE and vSTREAM interfaces to AWS Security Groups.

• If you leave these options set to CREATE (the default), the template automatically assigns the corresponding interface to a Security Group with the necessary permissions and open ports to allow communications with other NETSCOUT Smart Data solutions. Ports are opened in accordance with the principle of least privilege – only the ports required for successful communications are opened.

• You can also supply the name of an existing Security Group. If you use an existing Security Group, you must open the necessary ports manually using the information in "Security Group Details" on page 25.

Refer to "Security Group Details" on page 25 for details on which ports are opened for which Security Groups.

vnG1MgmtSecurityGroupID Use this field to assign the Virtual nGeniusONE’s Mgmt interface (eth0) to a Security Group.

Refer to "About the Virtual nGeniusONE Mgmt Security Group" on page 26 for details on the ports opened for this group.

vSTREAMMgmtSecurityGroupID Use this field to assign the vSTREAM virtual appliance’s Mgmt interface (eth0) to a Security Group.

Refer to "About the vSTREAM Mgmt Security Group" on page 26 for details on the ports opened for this group.

vSTREAMMonSecurityGroupID Use this field to assign the vSTREAM virtual appliance’s monitoring interface (eth1) to a Security Group.

Refer to "About the vSTREAM Mon Security Group" on page 26 for details on the ports opened for this group.

vSTREAMAgentSecurityGroupID Use this field to create a Security Group for use with vSTREAM Agent interfaces.

Because vSTREAM Agents are installed on a third-party virtual machine targeted for monitoring, this group is a container to which you can assign desired interfaces on virtual machines with vSTREAM Agent installed. Interfaces in this group will be able to perform necessary communications with other interfaces in the Virtual nGeniusONE and vSTREAM Security Groups.

Refer to "About the vSTREAM Agent Security Group" on page 27 for details on the ports opened for this group.

License – BYOL Deployments Only

vSTREAMSerialNumber, vSTREAMPassword For BYOL deployments, supply the Serial Number and Password you received from the MasterCare Portal when you registered your software in "Obtaining BYOL Licensing Information" on page 16.


Security Group Details

As described in Table 5, the NETSCOUT CFT templates provide the options of creating AWS Security Groups for Virtual nGeniusONE, vSTREAM virtual appliance, and vSTREAM Agent interfaces. This section describes the ports opened by each of these Security Groups.

The default settings for NETSCOUT Security Groups ensure that the necessary communications between NETSCOUT components in these different groups can take place successfully (for example, interfaces in the vSTREAM Monitoring Security Group can receive traffic forwarded from interfaces in the vSTREAM Agent Security Group).

If you did not create Security Groups as part of the CFT templates, you can also use the information in these sections to open the necessary ports for NETSCOUT communications in your own Security Groups:

• "About the Virtual nGeniusONE Mgmt Security Group" on page 26

• "About the vSTREAM Mgmt Security Group" on page 26

• "About the vSTREAM Mon Security Group" on page 26

• "About the vSTREAM Agent Security Group" on page 27

Table 6 lists the default Security Groups created by the NETSCOUT CFT templates. Following the table, Figure 11 illustrates sample creation of these groups.

Figure 11 NETSCOUT Security Groups

Table 5 Configuration Parameters for CloudFormation Templates (continued)

vnG1SerialNumber, vnG1Password For BYOL deployments, supply the Serial Number and Password you received from the MasterCare Portal when you registered your software in "Obtaining BYOL Licensing Information" on page 16.

Make sure the IP address you used to obtain the Serial Number and Password is the same as the one specified for the Virtual nGeniusONE IP address in the template, above.

Table 6 NETSCOUT Smart Data Solutions Security Groups

Name | Group Name | Instance | Interface
sg-vnG1-mgmt | vnG1MgmtSecurityGroup | Virtual nGeniusONE Mgmt Port | eth0
sg-vSTREAM-mgmt | vStreamMgmtSecurityGroup | vSTREAM Virtual Appliance Mgmt Port | eth0
sg-vSTREAM-mon | vStreamMonSecurityGroup | vSTREAM Virtual Appliance Monitoring Port | eth1
sg-vSTREAM Agent | vStreamAgentSecurityGroup | vSTREAM Agents | User assigned


About the Virtual nGeniusONE Mgmt Security Group

The Virtual nGeniusONE Security Group allows packets and selected ports from interfaces in the sg-vSTREAM-mgmt and sg-vSTREAM Agent groups as summarized in Table 7.

About the vSTREAM Mgmt Security Group

The vSTREAM Mgmt Security Group allows packets and selected ports from interfaces in the sg-vnG1-mgmt and sg-vSTREAM Agent groups as summarized in Table 8.

About the vSTREAM Mon Security Group

The vSTREAM Mon Security Group accepts GRE and UDP from interfaces in the vSTREAM Agent Security Group, allowing monitoring interfaces to accept traffic tunneled from vSTREAM Agents, as summarized in Table 9.

Table 7 Traffic Allowed by Virtual nGeniusONE Mgmt Security Group

Description | Protocol | Port Range
HTTP from interfaces in vSTREAM Mgmt and vSTREAM Agent Security Groups. | TCP | 8080
HTTPS from interfaces in vSTREAM Mgmt and vSTREAM Agent Security Groups. | TCP | 8443
SSH, as configured by the AccessLocation parameter in the CFT template. | TCP | 22
NETSCOUT SNMP Traps from interfaces in vSTREAM Mgmt and vSTREAM Agent Security Groups. | UDP | 395
TFTP, remote upgrades from interfaces in vSTREAM Mgmt Security Group. | UDP | 69
All ICMP-IPv4 (PING) from interfaces in vSTREAM Mgmt and vSTREAM Agent Security Groups. | All | N/A

Table 8 Traffic Allowed by vSTREAM Mgmt Security Group

Description | Protocol | Port Range
HTTP from interfaces in Virtual nGeniusONE Mgmt Security Group. | TCP | 8080
HTTPS from interfaces in Virtual nGeniusONE Mgmt Security Group. | TCP | 8443
SSH, as configured by the AccessLocation parameter in the CFT template. | TCP | 22
All ICMP-IPv4 (PING) from interfaces in vSTREAM Mgmt and vSTREAM Agent Security Groups. | All | N/A

Table 9 Traffic Allowed by vSTREAM Mon Security Group

Description | Protocol | Port Range
GRE from interfaces in vSTREAM Agent Security Group. | GRE (47) | All
UDP from interfaces in vSTREAM Agent Security Group. | UDP | 50100


About the vSTREAM Agent Security Group

The vSTREAM Agent Security Group allows packets and selected ports from interfaces in the sg-vnG1-mgmt and sg-vSTREAM-mgmt groups as summarized in Table 10.

Note: Because vSTREAM Agents are installed on third-party virtual machines targeted for monitoring (for example, a web server), you must assign vSTREAM Agent interfaces manually to the vSTREAM Agent Security Group (or open the ports listed in Table 10 for whatever group the vSTREAM Agent’s interface already belongs to).

Instance Type Recommendations

The CloudFormation templates for the NETSCOUT Application Performance Management solution let you select an Instance Type for both the Virtual nGeniusONE and vSTREAM virtual appliance virtual machines. Each Instance Type provides a different combination of computing resources (CPU, memory, storage, and networking; refer to Table 11) and is priced differently based on the amount of resources provisioned.

Refer to the sections below for guidance on selecting an Instance Type for both Virtual nGeniusONE and vSTREAM virtual appliance:

• "Choosing an Instance Type for Virtual nGeniusONE" on page 28

• "Choosing an Instance Type for vSTREAM Virtual Appliance" on page 28

Note: Refer to https://aws.amazon.com/ec2/instance-types for details on instance types.

Table 10 Traffic Allowed by vSTREAM Agent Security Group

Description | Protocol | Port Range
HTTP from interfaces in Virtual nGeniusONE Mgmt Security Group. | TCP | 8080
HTTPS from interfaces in Virtual nGeniusONE Mgmt Security Group. | TCP | 8443
SSH, as configured by the AccessLocation parameter in the CFT template. | TCP | 22
All ICMP-IPv4 (PING) from interfaces in Virtual nGeniusONE Mgmt and vSTREAM Mgmt Security Groups. | All | N/A
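Tables 7 through 10 are a port matrix in which every rule names a source Security Group rather than an address range, with SSH from the AccessLocation CIDR as the only exception. That is what "least privilege" means in the Security Groups description in Table 5, and it is also what you have to reproduce by hand when you supply an existing group instead of leaving the option set to CREATE. The following Python is an added example written for this guide, not NETSCOUT's CloudFormation template: it renders the four groups and their ingress rules as CloudFormation resources, and it compares an existing group's rules (in the shape returned by ec2 describe-security-groups) against the required set so missing rules can be listed. The logical resource names come from Table 6; the parameter names VpcId and AccessLocation come from Table 5; the placeholder sg- ids in the usage are constructed.

```python
"""Least-privilege Security Groups for the NETSCOUT components, as CloudFormation.

Added example, not the NETSCOUT template. The ingress matrix below is
transcribed from Tables 7-10. Groups that reference each other cannot carry
their rules inline (CloudFormation would report a circular dependency), so
the groups are created empty and each rule is a separate
AWS::EC2::SecurityGroupIngress resource.
"""
import json

# Logical ids from Table 6 and a description for each group
GROUPS = {
    "vnG1MgmtSecurityGroup": "NETSCOUT Virtual nGeniusONE Mgmt interface (eth0)",
    "vStreamMgmtSecurityGroup": "NETSCOUT vSTREAM virtual appliance Mgmt interface (eth0)",
    "vStreamMonSecurityGroup": "NETSCOUT vSTREAM virtual appliance monitoring interface (eth1)",
    "vStreamAgentSecurityGroup": "NETSCOUT vSTREAM Agent interfaces",
}

# (target group, protocol, from port, to port, source group); -1 means "all" for ICMP,
# and ports are omitted for GRE (IP protocol 47).
RULES = [
    # Table 7: Virtual nGeniusONE Mgmt
    ("vnG1MgmtSecurityGroup", "tcp", 8080, 8080, "vStreamMgmtSecurityGroup"),
    ("vnG1MgmtSecurityGroup", "tcp", 8080, 8080, "vStreamAgentSecurityGroup"),
    ("vnG1MgmtSecurityGroup", "tcp", 8443, 8443, "vStreamMgmtSecurityGroup"),
    ("vnG1MgmtSecurityGroup", "tcp", 8443, 8443, "vStreamAgentSecurityGroup"),
    ("vnG1MgmtSecurityGroup", "udp", 395, 395, "vStreamMgmtSecurityGroup"),
    ("vnG1MgmtSecurityGroup", "udp", 395, 395, "vStreamAgentSecurityGroup"),
    ("vnG1MgmtSecurityGroup", "udp", 69, 69, "vStreamMgmtSecurityGroup"),
    ("vnG1MgmtSecurityGroup", "icmp", -1, -1, "vStreamMgmtSecurityGroup"),
    ("vnG1MgmtSecurityGroup", "icmp", -1, -1, "vStreamAgentSecurityGroup"),
    # Table 8: vSTREAM Mgmt
    ("vStreamMgmtSecurityGroup", "tcp", 8080, 8080, "vnG1MgmtSecurityGroup"),
    ("vStreamMgmtSecurityGroup", "tcp", 8443, 8443, "vnG1MgmtSecurityGroup"),
    ("vStreamMgmtSecurityGroup", "icmp", -1, -1, "vStreamMgmtSecurityGroup"),
    ("vStreamMgmtSecurityGroup", "icmp", -1, -1, "vStreamAgentSecurityGroup"),
    # Table 9: vSTREAM Mon (tunneled traffic from agents only)
    ("vStreamMonSecurityGroup", "47", -1, -1, "vStreamAgentSecurityGroup"),
    ("vStreamMonSecurityGroup", "udp", 50100, 50100, "vStreamAgentSecurityGroup"),
    # Table 10: vSTREAM Agent
    ("vStreamAgentSecurityGroup", "tcp", 8080, 8080, "vnG1MgmtSecurityGroup"),
    ("vStreamAgentSecurityGroup", "tcp", 8443, 8443, "vnG1MgmtSecurityGroup"),
    ("vStreamAgentSecurityGroup", "icmp", -1, -1, "vnG1MgmtSecurityGroup"),
    ("vStreamAgentSecurityGroup", "icmp", -1, -1, "vStreamMgmtSecurityGroup"),
]
# SSH (TCP 22) is opened on these groups from the AccessLocation CIDR only
SSH_GROUPS = ("vnG1MgmtSecurityGroup", "vStreamMgmtSecurityGroup", "vStreamAgentSecurityGroup")


def build_template():
    """Return a CloudFormation template (dict) with the four groups and their rules."""
    resources = {}
    for logical_id, description in GROUPS.items():
        resources[logical_id] = {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": description, "VpcId": {"Ref": "VpcId"}},
        }
    for i, (target, proto, frm, to, source) in enumerate(RULES):
        props = {"GroupId": {"Ref": target}, "IpProtocol": proto,
                 "SourceSecurityGroupId": {"Ref": source}}
        if proto in ("tcp", "udp", "icmp"):
            props.update({"FromPort": frm, "ToPort": to})
        resources[f"Ingress{i:02d}"] = {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": props}
    for j, target in enumerate(SSH_GROUPS):
        resources[f"SshIngress{j}"] = {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {"GroupId": {"Ref": target}, "IpProtocol": "tcp",
                           "FromPort": 22, "ToPort": 22, "CidrIp": {"Ref": "AccessLocation"}},
        }
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {"VpcId": {"Type": "AWS::EC2::VPC::Id"},
                       "AccessLocation": {"Type": "String"}},
        "Resources": resources,
    }


def required_ingress(group):
    """Set of (protocol, from, to, source group) that `group` must allow."""
    return {(p, f, t, s) for (g, p, f, t, s) in RULES if g == group}


def missing_ingress(group, ip_permissions, group_ids):
    """Rules from Tables 7-10 that an existing group lacks.

    ip_permissions has the shape of IpPermissions from ec2 describe-security-groups;
    group_ids maps the logical names above to the real sg- ids in the account.
    """
    present = set()
    for perm in ip_permissions:
        frm, to = perm.get("FromPort", -1), perm.get("ToPort", -1)
        for pair in perm.get("UserIdGroupPairs", []):
            present.add((perm["IpProtocol"], frm, to, pair["GroupId"]))
    needed = {(p, f, t, group_ids[s]) for (p, f, t, s) in required_ingress(group)}
    return sorted(needed - present)


if __name__ == "__main__":
    print(json.dumps(build_template(), indent=2))
```

The `missing_ingress` check is the practical half: feed it the IpPermissions of the group you plan to reuse, with a map from the Table 6 names to your real group ids, and it returns exactly the rows of the relevant table you still have to add.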

Table 11 Summary of Instance Types for NETSCOUT Smart Data Solutions

Instance Type | vCPUs | Memory | Storage | Dedicated EBS Bandwidth (Mbps) | Network Performance
m5.2xlarge | 8 | 32 GB | EBS-only | Up to 3,500 | Up to 10 Gbps
m5.4xlarge | 16 | 64 GB | EBS-only | 3,500 | Up to 10 Gbps


Choosing an Instance Type for Virtual nGeniusONE

Table 12 provides guidance on selecting an instance type for Virtual nGeniusONE.

Choosing an Instance Type for vSTREAM Virtual Appliance

Table 13 provides guidance on selecting an instance type for vSTREAM.

Note that only the m5.2xlarge instance type is available for PAYG vSTREAM deployments. This is because the m5.4xlarge instance type uses 16 vCPUs which exceeds the PAYG Virtual nGeniusONE’s maximum capacity for vSTREAM vCPUs in this release (8).

Table 12 Instance Type Recommendations per Managed Interfaces and System Load

Instance Type | vCPUs | Memory | Managed Interfaces | ASI Flows/5-Minute Polling | Reports | Concurrent Users
m5.2xlarge (recommended for general-purpose deployments) | 8 | 32 GB | 20 Type 1 interfaces | 1 million | 50 | 10
m5.4xlarge (recommended for high usage environments) | 16 | 64 GB | 40 Type 1 interfaces (1) | 1.5 million | 50 | 10

(1) To support the full allotment of 50 Type 1 interfaces included with a full license, provision Virtual nGeniusONE with a minimum of 48 GB of RAM (64 GB recommended) and 24 vCPUs.

Table 13 System Requirements per vSTREAM

Scenario | vCPUs | Memory | System Drive | Storage Drive | Monitoring Interfaces
m5.2xlarge (recommended for general-purpose deployments) | 8 | 32 GB | 50 GB | 100 GB – 16 TB | Up to four vNICs
m5.4xlarge (BYOL only; recommended if the Subscriber Table is enabled for integration with nGenius Business Intelligence or when using the URL discovery option) | 16 | 64 GB | 50 GB | 100 GB – 16 TB | Up to four vNICs

Storage Drive: configure the volume size to balance your packet retention needs with costs. Larger drives cost more but keep packets longer.

Note: NETSCOUT recommends choosing one of the .4xlarge Instance Types for any vSTREAM virtual appliance provisioned with 4 vNICs.


Connecting to Instances

Connect to the operating system of NETSCOUT instances using the key pair you selected as part of the CloudFormation template as follows:

1 Click the Services dropdown in the AWS Management Console and select Compute > EC2.

2 Click the Instances entry in the left column.

3 Make sure the desired instance is selected.

4 Click the Connect button (Figure 12).

Figure 12 Connecting to the vSTREAM Instance

5 The Connect To Your Instance window provides guidance on using SSH to connect to the instance remotely, either using the Linux ssh command or a Windows client, such as PuTTY. Keep in mind the following:

• You will need access to your private key file. The Connect To Your Instance window reminds you of the name of the private key file you associated with the instance.

• Your private key file must not be publicly viewable for SSH to work. You can use chmod 400 <keyfile-name> to make your private key file not publicly viewable.

• The Connect To Your instance window shows you the IP address you should use to connect to your instance along with the correct SSH syntax. For example, in Figure 13, we can use the following SSH command to log in to the default centos account provided with NETSCOUT AMIs:

$ ssh -i "vstream-keys.pem" [email protected]

Figure 13 The Connect To Your Instance Window

6 Click Close on the Connect To Your Instance window.


7 Open a terminal window and use the ssh command to connect to the NETSCOUT instance:

$ ssh -i "<keyfile.pem>" centos@<NETSCOUT_IP>

8 Once logged in as the centos user, run the following to use the root account:

$ sudo su

Deploying vSTREAM Agent from Virtual nGeniusONE

The installation files for the vSTREAM agent are bundled with the Virtual nGeniusONE image and stored under /opt/vSTREAM_Agent once the instance has been deployed. There are separate installers depending on the target environment.

Refer to the vSTREAM Installation Guide on My.NETSCOUT for details on selecting the correct installer for your target environment and performing the installation. The general procedure is as follows:

1 Copy the installer for your operating system to the target instance.

2 If you are installing in Linux, you can preconfigure the address of the managing Virtual nGeniusONE server in a /tmp/nsagent_config.cfg configuration file. The values stored in this file are read in during installation and allow the newly installed vSTREAM agent to add itself to Virtual nGeniusONE automatically. Refer to the vSTREAM Installation Guide for details on how to do this.

3 Run the installer.

4 When installation is complete, open the Agent Configuration Utility (localconsole) and ensure that [4] Change Config Server Address is set to the address of the managing Virtual nGeniusONE server.

AWS Traffic Acquisition – Ingress Routing and Traffic Mirroring

In addition to forwarding packets from vSTREAM Agents to vSTREAM virtual appliances, AWS provides additional tools that help NETSCOUT Smart Data solutions provide visibility on cloud-based traffic:

• Amazon VPC ingress routing lets you define routing rules at the Internet Gateway (IGW) and Virtual Private Gateway (VGW) to redirect ingress traffic to third-party appliances before it reaches the final destination. Traffic coming in or out of a VPC can be redirected to security or packet-shaping virtual applications, which in turn can be monitored through VPC traffic mirroring with vSTREAM for advanced service performance and security assurance.

• Amazon VPC traffic mirroring allows you to acquire packet data from multiple application workloads in an Amazon VPC and mirror it to a vSTREAM instance’s monitor port.

Figure 14 shows an example of using AWS VPC Ingress Routing together with Amazon VPC Traffic Mirroring to acquire traffic that traverses VPC boundaries and route it to vSTREAM appliances for real-time analysis for service and security assurance.

Note: If you are installing in Windows, the installation wizard prompts you to supply the IP address of the managing Virtual nGeniusONE server.


Refer to the following AWS blog article for one example of using VPC Ingress Routing to simplify the integration of third-party security appliances.

Figure 14 Hybrid AWS Deployment with NETSCOUT Smart Data Solutions

Note the following in Figure 14:

• Amazon VPC Ingress Routing is used to route all traffic in/out of the IGW to VPC1 to a vSTREAM virtual appliance in the NETSCOUT performance and management tier.

• Separate vSTREAM agents instrument different application workloads in VPC1 and forward packets to a vSTREAM virtual appliance in the NETSCOUT performance and management tier.

• Similarly, vSTREAM agents instrument application workloads in VPC2 and forward packets to a separate vSTREAM virtual appliance in the NETSCOUT performance and management tier.

Configuring AWS VPC Traffic Mirroring

AWS VPC Traffic Mirroring lets you send packets from a mirror source to a destination – a vSTREAM monitoring interface for our purposes. Traffic Mirroring sessions consist of the following main components:

• Mirror source. This is where the traffic will be mirrored from.

• Mirror destination. This is where mirrored traffic will be sent – a vSTREAM monitoring port in our case.

• Optional filter. This lets you limit which traffic is mirrored to just the packets of interest.

The Amazon AWS documentation describes how to set up VPC Traffic Mirroring. The following procedures provide an example specific to a NETSCOUT Smart Data Solution deployment.

Traffic Mirroring Prerequisites and Rules

Review the AWS prerequisites and rules for traffic mirroring. In general:

• Traffic mirror sources and targets must be in the same VPC, or in different VPCs that are connected to each other by VPC peering or a transit gateway.



• The traffic mirror target must accept inbound UDP port 4789 (VXLAN) from the mirror sources: allow it in the security group attached to the target interface and in the network ACL of its subnet. Do not open the port more widely than the source addresses require.

• The traffic mirror source must have a route table entry for the target (for a target in another VPC, via the peering connection or transit gateway).

• If mirrored traffic is not reaching the target, check for security group or network ACL rules that block the VXLAN traffic, and confirm that the route from the source subnet to the target exists.

Creating a Traffic Mirror Target

1 Log in to the AWS Management Console and select the Services > Networking & Content Delivery > VPC option to launch the VPC Console.

2 Locate and select the Traffic Mirroring > Mirror Targets option in the navigation panel at the left of the console (Figure 15).

Figure 15 Creating a Mirror Target

The Traffic mirror targets page appears, listing the existing targets for traffic mirroring.

3 Click the Create traffic mirror target button to create a new target.

4 Use the options in the Create traffic mirror target page to define the new target (Table 14):

Table 14 New Traffic Mirror Target Fields

Name tag: An optional name used to identify the target in AWS displays.

Description: An optional description to summarize the usage of the target.

Target type: Set to Network Interface to use a vSTREAM monitoring interface as the target.

Target: Use the dropdown to select a vSTREAM capture interface. If you have multiple vSTREAM capture interfaces, you may need to refer to the EC2 > Network Interfaces list to find the exact capture interface you want to use.

Tags: Assign optional tags to help track this resource.


Figure 16 shows an example of the Create traffic mirror target page with sample settings pointing to a vSTREAM monitoring interface.

Figure 16 Traffic Mirror Target Settings

5 Click the Create button to create the new traffic mirror target and add it to the list of available traffic mirror targets (Figure 17).

Figure 17 Available Traffic Mirror Targets



Setting the Virtual Interface Mode in the vSTREAM Agent Configuration Utility

AWS Traffic Mirroring encapsulates mirrored traffic in VXLAN packets (UDP port 4789) before forwarding. Because of this, you must make sure that the monitoring interface used as the mirror target on the vSTREAM has its Virtual Interface Mode (vifn_mode) set to one of the VXLAN-NVGRE options; otherwise the encapsulated frames are not decoded and the agent sees only the outer tunnel packets. The available options are VXLAN-NVGRE, VXLAN-NVGRE-site, VXLAN-NVGRE-qos, and VXLAN-NVGRE-vlan; refer to the Agent Administrator Guide for CDM/ASI for details on each mode. Use the following procedure:

1 Access the Agent Configuration Utility:

• Log in to the data source remotely using SSH and open the utility using: <InfiniStream install>/rtm/bin/localconsole

- or -

• From the Device Configuration interface in nGeniusONE, select the device you want to access and click Remote Login. The Remote Console displays the Agent Configuration Utility running on that device.

2 Enter the Select Interface option number in the Agent Configuration Utility Main Menu and press Enter.

3 Enter the applicable physical interface number and press Enter.

4 Enter the Change vifn_mode option number and press Enter.

5 Select one of the VXLAN-NVGRE modes from the list displayed on your appliance menu.

6 Reset the agent to commit your settings.
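The encapsulation that makes the VXLAN-NVGRE mode necessary, shown as an added example in Python (this is not NETSCOUT code and is not part of the original guide): it builds a mirrored packet the way Traffic Mirroring delivers it to the target interface (outer IPv4/UDP 4789/VXLAN wrapped around the original frame) and then strips the outer layers to recover the VNI and the inner addresses. The mirror source 10.0.0.25, the inner flow to 10.0.0.40:443, the VNI 1234 and the MAC addresses are constructed sample values; the target address 10.10.11.10 is the vSTREAM monitoring interface address used in the recovery example later in this guide. IPv4 header checksums are left at zero because nothing here puts the packet on the wire.

```python
"""Decapsulate an AWS Traffic Mirroring packet (VXLAN over UDP/4789, RFC 7348).

A capture interface that is not in a VXLAN-aware mode sees only the outer
mirror-source -> 10.10.11.10 UDP flow; this is what the inner frame looks like.
"""
import ipaddress
import struct

VXLAN_PORT = 4789
VXLAN_FLAG_I = 0x08  # "I" flag: the 24-bit VNI field is valid


def _ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header; header checksum left at 0 for this offline sample."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def sample_inner_frame():
    """Constructed inner Ethernet/IPv4/TCP frame: 10.0.0.25:51234 -> 10.0.0.40:443, no payload."""
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = _ipv4_header("10.0.0.25", "10.0.0.40", 6, len(tcp)) + tcp
    eth = bytes.fromhex("0a1122334455") + bytes.fromhex("0a66778899aa") + struct.pack("!H", 0x0800)
    return eth + ip


def build_mirrored_packet(vni, inner_frame, mirror_src="10.0.0.25", target="10.10.11.10"):
    """Wrap inner_frame the way Traffic Mirroring delivers it to the target ENI (constructed)."""
    vxlan = struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)   # flags+reserved, VNI+reserved
    udp_payload = vxlan + inner_frame
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(udp_payload), 0) + udp_payload
    return _ipv4_header(mirror_src, target, 17, len(udp)) + udp


def decapsulate(packet):
    """Strip the outer IPv4/UDP/VXLAN layers and describe the inner IPv4 packet.

    Raises ValueError for anything that is not a well-formed VXLAN mirror packet.
    """
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:
        raise ValueError("outer packet is not UDP")
    _, dport, _, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != VXLAN_PORT:
        raise ValueError(f"UDP destination port {dport} is not VXLAN/{VXLAN_PORT}")
    flags_word, vni_word = struct.unpack("!II", packet[ihl + 8:ihl + 16])
    if not (flags_word >> 24) & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    inner = packet[ihl + 16:]
    ethertype = struct.unpack("!H", inner[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"inner EtherType 0x{ethertype:04x} is not IPv4")
    ip = inner[14:]
    inner_ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    l4 = ip[inner_ihl:]
    sport, dport_in = struct.unpack("!HH", l4[:4]) if proto in (6, 17) else (None, None)
    return {
        "vni": vni_word >> 8,
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "proto": proto,
        "sport": sport,
        "dport": dport_in,
    }


def demo():
    """Round-trip a constructed mirrored packet with the assumed VNI 1234."""
    return decapsulate(build_mirrored_packet(1234, sample_inner_frame()))
```

The outer destination is always the mirror target's address, so a capture that shows nothing but UDP/4789 flows to 10.10.11.10 is the symptom of a monitoring interface left in a non-VXLAN vifn_mode.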



Creating a Traffic Mirroring Filter

1 Log in to the AWS Management Console and select the Services > Networking & Content Delivery > VPC option to launch the VPC Console.

2 Locate and select the Traffic Mirroring > Mirror Filters option in the navigation panel at the left of the console (Figure 18).

Figure 18 Creating a Mirror Filter

The Traffic mirror filters page appears, listing the existing filters for traffic mirroring.

3 Click the Create traffic mirror filter button to create a new filter.

4 Use the options in the Create traffic mirror filter page to define the Inbound and Outbound rules for the new filter (Table 15):

Table 15 New Traffic Mirror Filter Fields

Name tag: An optional name used to identify the filter in AWS displays.

Description: An optional description to summarize the usage of the filter.

amazon-dns: Check this box if you would like to mirror traffic to and from the Amazon DNS resolver.

Inbound Rules: Inbound rules apply to traffic arriving at whatever mirror source interface you apply this filter to. Click the Add rule button and then use the available criteria to define the rule. You can accept or reject traffic based on L4 protocol, source/destination port ranges (optional), and source/destination CIDR blocks (mandatory). Rules are evaluated in ascending order of the Number field at the left of each rule’s entry; the first rule that matches a packet decides whether it is mirrored, and a packet that matches no rule is not mirrored.

Outbound Rules: Outbound rules apply to traffic sent out of whatever mirror source interface you apply this filter to. The same filtering criteria available for Inbound Rules are also available for Outbound Rules.

Tags: Assign optional tags to help track this resource.

5 Click the Create button to create the new traffic mirror filter and add it to the list of available traffic mirror filters (Figure 19).

Figure 19 Available Traffic Mirror Filters
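How the service applies the inbound and outbound rules described for Table 15, as an added example in Python (not AWS or NETSCOUT code): an evaluator that walks the rules of one direction in ascending rule-number order, stops at the first match, and treats "no match" as "not mirrored". The three inbound rules and the four packets are constructed: they reject inbound SSH to the 10.0.0.0/16 application stack, accept HTTPS from anywhere, and accept everything else only from inside that range. The order matters: the port-22 reject sits before the broad accepts, which keeps interactive management sessions out of the copy that lands on the vSTREAM.

```python
"""Evaluate AWS traffic mirror filter rules the way the service applies them.

Rules within one direction are checked in ascending rule-number order; the
first matching rule decides accept or reject, and a packet that matches no
rule is not mirrored.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

TCP, UDP = 6, 17


@dataclass(frozen=True)
class MirrorRule:
    number: int                                  # evaluation order, lowest first
    action: str                                  # "accept" or "reject"
    src_cidr: str                                # mandatory in the console
    dst_cidr: str
    protocol: Optional[int] = None               # IANA protocol number, None = all
    src_ports: Optional[Tuple[int, int]] = None  # inclusive range, None = any
    dst_ports: Optional[Tuple[int, int]] = None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    sport: int = 0
    dport: int = 0


def _in_range(port, rng):
    return rng is None or rng[0] <= port <= rng[1]


def rule_matches(rule, pkt):
    return (
        (rule.protocol is None or rule.protocol == pkt.protocol)
        and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src_cidr)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst_cidr)
        and _in_range(pkt.sport, rule.src_ports)
        and _in_range(pkt.dport, rule.dst_ports)
    )


def is_mirrored(rules, pkt):
    """Return (mirrored?, number of the rule that decided it, or None if nothing matched)."""
    numbers = [r.number for r in rules]
    if len(numbers) != len(set(numbers)):
        raise ValueError("rule numbers within a direction must be unique")
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.action == "accept", rule.number
    return False, None  # implicit: no rule matched, so nothing is mirrored


# Constructed inbound rule set for an application stack in 10.0.0.0/16.
INBOUND_RULES = [
    MirrorRule(10, "reject", "0.0.0.0/0", "10.0.0.0/16", TCP, dst_ports=(22, 22)),
    MirrorRule(20, "accept", "0.0.0.0/0", "10.0.0.0/16", TCP, dst_ports=(443, 443)),
    MirrorRule(100, "accept", "10.0.0.0/16", "10.0.0.0/16"),
]


def demo():
    """Apply INBOUND_RULES to four constructed packets; returns {label: (mirrored, rule)}."""
    samples = {
        "ssh_from_internet": Packet("198.51.100.7", "10.0.0.40", TCP, 40001, 22),
        "https_from_internet": Packet("198.51.100.7", "10.0.0.40", TCP, 40002, 443),
        "dns_inside_vpc": Packet("10.0.0.25", "10.0.0.2", UDP, 53001, 53),
        "udp_from_internet": Packet("198.51.100.7", "10.0.0.40", UDP, 40003, 123),
    }
    return {label: is_mirrored(INBOUND_RULES, p) for label, p in samples.items()}
```

Whatever a filter accepts becomes a second copy of that traffic held on the vSTREAM, so build filters with the same least-privilege mindset as security groups: reject what must not be retained before the broad accept rules, rather than relying on the implicit drop at the end.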



Creating a Traffic Mirroring Session

Once you’ve created both a target and a filter, you’re ready to establish a traffic mirroring session. Use the following procedure:

1 Log in to the AWS Management Console and select the Services > Networking & Content Delivery > VPC option to launch the VPC Console.

2 Locate and select the Traffic Mirroring > Mirror Sessions option in the navigation panel at the left of the console (Figure 20).

Figure 20 Creating a Mirror Session

The Traffic mirror sessions page appears, listing the existing traffic mirroring sessions.

3 Click the Create traffic mirror session button to create a new session.

4 Use the options in the Create traffic mirror session page to set up the mirroring session (Table 16):

Table 16 New Traffic Mirror Session Fields

Name tag: An optional name used to identify the session in AWS displays.

Description: An optional description to summarize the usage of the session.

Mirror source: Use the dropdown list to select the interface whose traffic you want to mirror and monitor. Note that only Nitro-based instances are supported as mirror sources. At this writing, the following instance types are Nitro-based: A1, C5, C5d, C5n, G4, I3en, Inf1, M5, M5a, M5ad, M5d, M5dn, M5n, p3dn.24xlarge, R5, R5a, R5ad, R5d, R5dn, R5n, T3, T3a, and z1d. Check the current AWS documentation before choosing instance types for workloads you intend to mirror.

Mirror target: Use the dropdown list to select the interface where you want to send mirrored traffic. This should be the vSTREAM monitoring interface you configured as a traffic mirror target in "Creating a Traffic Mirror Target" on page 32.

Session number: When a source interface belongs to more than one session, the session number determines the order in which the sessions are evaluated; a packet is mirrored once, to the target of the lowest-numbered session whose filter it matches.

VNI: You can optionally specify your own VXLAN Network Identifier to be included in the mirrored packet. A VNI is assigned automatically if you do not choose one.

Packet length: By default, entire packets are mirrored. You can use this field to specify an optional slice size; anything beyond the specified number of bytes is truncated before mirroring.

Filters: Use the dropdown list to select one of the filters you created in "Creating a Traffic Mirroring Filter" on page 36.

Tags: Assign optional tags to help track this resource.

5 Click the Create button to create the new traffic mirror session and add it to the list of active sessions.

Note: The mirroring session remains active, and continues to consume bandwidth on the source and target, until you delete it from the Traffic mirror sessions page.



Virtual nGeniusONE Deployment Notes

This section provides operational notes and answers frequently asked questions regarding Virtual nGeniusONE:

Table 17 Tips and Notes

Identification in Server Management: When operating as a local server, Virtual nGeniusONE is identified as Virtual nGeniusONE in the managing server’s Server Management interface.

Support for Direct Cloud Connections: Services such as AWS Direct Connect link the traditional, office-based data center with services in the public cloud over a dedicated private connection that bypasses the public Internet. This allows connection to instances in the public cloud using private/internal IP addresses instead of relying on public-facing IP addresses. Note that Direct Connect itself does not encrypt traffic on the link; management traffic to NETSCOUT components still relies on the TLS and SSH protections of the products themselves. Figure 14 shows an example of a hybrid deployment such as this using Direct Connect and instrumented with NETSCOUT Smart Data Solutions.

When using services such as Direct Connect, the following Virtual nGeniusONE deployment models become available:

Local Servers in the Cloud, Distributed Global Manager in the Data Center: With the potential for many vSTREAMs in the public cloud, it is often helpful to locate a separate Virtual nGeniusONE server near each group of vSTREAMs (for example, within the same Amazon EC2 Region as the instrumentation). Because cloud vendors often charge higher rates for traffic leaving a tenant’s public cloud space, it can be cost-efficient to locate a Virtual nGeniusONE in the same Availability Zone as its managed vSTREAM instances.

Depending on your design, you can manage the local servers from a Distributed Global Manager either in the public cloud or, more commonly, from an existing Distributed Global Manager in the data center, all connected using private/internal addresses over a direct cloud connection.

Public Cloud Addressing: You use different IP addresses when integrating Virtual nGeniusONE with other NETSCOUT products depending on where the products reside:

• When integrating products that reside in the same public cloud space, use private IP addresses. For example, when adding vSTREAMs to a Virtual nGeniusONE residing in the same tenant’s Availability Zone, you use their private IP addresses.

• When integrating a product inside the public cloud with one outside the public cloud, you can still use private/internal IP addresses when using a direct cloud connection service such as AWS Direct Connect, as described above. If you are not using a direct cloud connection service, you can use either fully-qualified domain names or Elastic IP addresses to integrate products inside the cloud with those outside. Elastic IP addresses are static, public-facing IPv4 addresses allocated to your AWS account; they stay associated with an instance across stop/start cycles until you explicitly disassociate or release them. For example, if you are associating a local Virtual nGeniusONE server in the public cloud with a Distributed Global Manager located in your data center and you are not using a direct cloud connection service, you could associate the two using their fully-qualified domain names or public-facing IP addresses.



Operational Guidance

This section provides information on assessing and monitoring the health of the NETSCOUT Application Performance Management for AWS solution. If you experience operational or performance issues not covered by this section, contact your NETSCOUT Support representative using the information in "Contacting NETSCOUT SYSTEMS, INC." on page iv.

• "Maintaining Visibility on System Health" on page 39

• "Snapshot and Backup Procedures" on page 40

• "Routine Maintenance" on page 42

Maintaining Visibility on System Health

The documentation for the vSTREAM and nGeniusONE products each includes information on commands and techniques used to assess the health of the products, including:

• Commands to retrieve the status of key services

• How to determine whether packets are being captured/monitored by instrumentation

• How to monitor the health of key tables in nGeniusONE

• How to use the Server Health, Device Health, and Notification Center views in nGeniusONE to monitor overall system health; see below for details.

Using the Server Health Summary in nGeniusONE

The Server Health Summary page provides an at-a-glance view of the current state of the nGeniusONE server(s). Users with a role that includes the Server Health Viewing privilege in the Server Management module in nGeniusONE can access the Server Health Summary page and review details on key statistics, such as the following:

• CPU % Utilization

• Cores Available

• Memory Available

• Swap % Used

• Disk Size

• Disk % Used

• Hardware errors

• Logging and Rollup statistics

Refer to the following topics in the nGeniusONE online help for details on working with the Server Health Summary:

• nGeniusONE Server and Instrumentation Health Summary

• Viewing Server Health Summary

• Viewing Server Information

• Viewing Server Health Details – the Details view provides additional server health statistics not shown in the Summary

• Understanding Server Health Alerts



Using the Instrumentation Health Summary in nGeniusONE

The Instrumentation Health Summary page provides an at-a-glance view of the current state of your instrumentation device(s), including vSTREAM devices. Users with a role that includes the Device Health Viewing privilege in the Server Management module in nGeniusONE can access the Instrumentation Health Summary page and review details on key statistics for individual devices, such as the following:

• Name, IP Address, Model, Serial Number, and Version Number

• Connection status to nGeniusONE

• Status of ASI, ASR, and packet recording storage.

• Alerts for disk usage and time synchronization

Refer to the following topics in the nGeniusONE online help for details on working with the Instrumentation Health Summary:

• nGeniusONE Server and Instrumentation Health Summary

• Viewing Instrumentation Health Summary

• Viewing Instrumentation Health Details – the Details view provides additional device health statistics not shown in the Summary

Using the Notification Center

You can also configure vSTREAM devices to report system health related alarms to nGeniusONE for display in the Notification Center. Refer to the Agent Administrator Guide for CDM/ASI for details on the following topics:

• Using the set npn_alarms command from the Agent Configuration Utility command line to enable the generation of alarms for the health of various ASI tables, as well as packet or recording drops. Once configured and triggered, alarms are reported in the managing nGeniusONE server’s Notification Center.

• Using the Health Monitoring option in the Agent Configuration Utility to enable statistics collection related to the system health of your device and certain ASI tables. These details are used to generate device alerts and to report statistics for the device and certain ASI tables to the nGeniusONE Instrumentation Health view. You can also view the same statistics on the device itself using the get health_mib info command from the Agent Configuration Utility command line.

Snapshot and Backup Procedures

This section describes how to perform routine snapshot and backup procedures of Virtual nGeniusONE and vSTREAM virtual appliances using EBS Snapshots and EC2 Images as part of a standard Disaster Recovery Plan.

NETSCOUT recommends that you use an Automation process based on one of the following tools for creating snapshots and images:

• CreateImage API

• CreateSnapshot API

• AWS Data Life Cycle Manager

In general, NETSCOUT recommends that you back up custom AMIs instead of creating snapshots for easier orchestration of a disaster recovery. However, snapshots are also acceptable.



Backing Up nGeniusONE and vSTREAM Virtual Appliance

Use the AWS CreateImage API to back up an AMI image and the AWS CreateSnapshot API to take a snapshot. Refer to the following AWS documentation for details on using these tools:

• CreateImage – Creating an Amazon EBS-Backed Linux AMI

• CreateSnapshot – Creating an Amazon EBS Snapshot

To preserve file system integrity, avoid running CreateImage with NoReboot set to true, or CreateSnapshot against a volume that is attached to a running instance: a copy taken from a live file system can contain partially written data and may not boot or may lose recent database writes. NETSCOUT recommends the following procedure:

1 Shut down the Virtual nGeniusONE and vSTREAM virtual appliance EC2 instances targeted for backup.

2 Execute the necessary CreateImage/CreateSnapshot API calls.

3 Power the EC2 instances back on after CreateImage/CreateSnapshot has started. The image or snapshot is point-in-time as of the request, so it does not need to finish before the instance restarts.

Although these steps cause a short service disruption, they ensure that file system integrity is maintained. Keep in mind that while CreateImage or CreateSnapshot processes are running, Virtual nGeniusONE and vSTREAM virtual appliance performance may be degraded.

If it is not possible to shut down the target EC2 instances, NETSCOUT recommends at least stopping the Virtual nGeniusONE and vSTREAM virtual appliance processes before running CreateImage/CreateSnapshot. In addition, NETSCOUT recommends running CreateImage/CreateSnapshot during a time of day with the least network traffic.
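The stop, image, restart sequence above as an added example in Python (not NETSCOUT code and not part of the original guide): cold_backup() drives an EC2 client through the three steps using the boto3 method and parameter names (stop_instances, get_waiter("instance_stopped"), create_image with NoReboot=False, start_instances). FakeEC2Client is a constructed stand-in so the example runs offline and checks that the calls happen in the documented order; in production pass boto3.client("ec2", region_name=...) instead. The instance ID and the name prefix used in the test are assumed values.

```python
"""Cold (consistent) AMI backup of a Virtual nGeniusONE or vSTREAM EC2 instance.

Stop the instance, wait until it is stopped, create the image with
NoReboot=False, then start the instance again without waiting for the image to
finish: the snapshot is point-in-time once the request has been accepted.
"""
from datetime import datetime, timezone


def cold_backup(ec2, instance_id, name_prefix):
    """Return the ImageId of an AMI taken from the stopped instance.

    `ec2` is a boto3 EC2 client or any object exposing the same method names.
    """
    ec2.stop_instances(InstanceIds=[instance_id])
    ec2.get_waiter("instance_stopped").wait(InstanceIds=[instance_id])
    name = f"{name_prefix}-{datetime.now(timezone.utc):%Y%m%dT%H%M%SZ}"
    image_id = ec2.create_image(InstanceId=instance_id, Name=name, NoReboot=False)["ImageId"]
    ec2.start_instances(InstanceIds=[instance_id])  # the service disruption ends here
    return image_id


class FakeEC2Client:
    """Offline stand-in for the boto3 client, constructed for this example only.

    It mirrors the call shapes used above and refuses to image a running
    instance or to honour NoReboot=True, so the ordering in cold_backup is
    checked rather than assumed.
    """

    def __init__(self):
        self.state = "running"
        self.calls = []
        self._images = 0

    def stop_instances(self, InstanceIds):
        self.calls.append("stop_instances")
        self.state = "stopping"

    def get_waiter(self, name):
        client = self

        class _Waiter:
            def wait(self, **kwargs):
                client.calls.append(f"wait:{name}")
                if name == "instance_stopped":
                    client.state = "stopped"

        return _Waiter()

    def create_image(self, InstanceId, Name, NoReboot):
        if NoReboot or self.state != "stopped":
            raise RuntimeError("refusing to image a live file system")
        self.calls.append("create_image")
        self._images += 1
        return {"ImageId": f"ami-{self._images:017x}"}

    def start_instances(self, InstanceIds):
        self.calls.append("start_instances")
        self.state = "running"
```

For the multi-Region copies recommended later in this section, the same pattern continues with copy_image(SourceImageId=..., SourceRegion=..., Name=...) called on a client for the destination Region once the source image reaches the available state.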

Backing Up vSTREAM Agent

vSTREAM Agents are installed on Web, Application, and Database Servers and do not have a dedicated EC2 instance of their own. Because of this, NETSCOUT recommends that you follow your standard backup process for instances in your network. vSTREAM Agent will be backed up along with the rest of the target instance.

Note: Make sure the Snapshot process includes the entire portfolio of installed vSTREAM agents. You must retain the IP Addresses and serial numbers of all managed vSTREAM agents for a successful Disaster Recovery, including the stitching of existing data in nGeniusONE to the post-recovery agent.

Snapshot Examples by Target RPO

Figure 21 illustrates backup/snapshot options for nGeniusONE and vSTREAM Virtual Appliance based on the target Recovery Point Objectives (RPO) in Table 18:

For successful Disaster Recovery after an AWS Region failure, NETSCOUT recommends the following regular backups/snapshots:

1 Multi-Region backup of the nGeniusONE database by Cross-Region Replication.

2 Multi-Region copies of AMIs by the CopyImage API.

3 Multi-Region copies of Snapshots by the CopySnapshot API.

Because each of these steps can be executed programmatically using AWS tools, you can extend them into your existing backup automation strategy using the tool of your choice.

Table 18 Backup/Snapshot Techniques by Target RPO

RPO Target: Backup/Snapshot Technique

12-24 Hours: Data Lifecycle Manager

12 Hours or Less: CreateImage or CreateSnapshot APIs

1 Hour or Less: Direct backup of the nGeniusONE database using AWS S3 Sync in addition to the CreateImage/CreateSnapshot APIs.

Figure 21 Backup Options by Target RPO

Routine Maintenance

NETSCOUT recommends that you follow industry standard best practices for security with the NETSCOUT Application Performance Management solution, including key rotation and certificate maintenance.

In addition, it is important that you apply patches and upgrades for NETSCOUT components as they become available. Note the following when upgrading or patching NETSCOUT components:

• Upgrade Virtual nGeniusONE first, followed by vSTREAM devices.

Note: The exception to this rule is for a minor patch to vSTREAM. Minor patches can be applied to vSTREAM devices without upgrading Virtual nGeniusONE. The release notes accompanying the patch software always inform you of the proper upgrade sequence and dependencies.

• The Virtual nGeniusONE and physical nGeniusONE upgrade procedures are identical. Refer to the "Upgrading nGeniusONE" section in Chapter 2, "nGeniusONE Deployment Process," of the nGeniusONE Server Administrator Guide for details on the procedure.

• vSTREAM devices can be upgraded either remotely from the managing nGeniusONE server or by copying an installation file to the target device, stopping services, and executing the installation file:

– Refer to the vSTREAM Installation Guide for information on upgrading vSTREAM devices.

– Refer to the “Upgrading Data Source Software Remotely” topic in the nGeniusONE online help for instructions on upgrading a vSTREAM device remotely.



Security Notes

Table 19 lists and describes some best practices for the security of NETSCOUT Smart Data solutions:

Table 19 Security Notes

Permissions and Roles: The minimum permissions for the account used to deploy NETSCOUT components are as follows:

• Assign the built-in AmazonEC2FullAccess policy.

• Create a custom policy with a permission for full access to the CloudFormation service and assign it.

These permissions are broad. Grant them to a dedicated deployment role or user that is used only for creating and updating the stacks, not to the accounts used for day-to-day operation of the solution.

Key Rotation: NETSCOUT recommends that you follow industry standard best practices for the rotation of SSH keys used to access NETSCOUT components.

Security Groups: NETSCOUT recommends that you use AWS Security Groups and VPC network access control lists to limit access to the networks where NETSCOUT components are deployed. Avoid "open" security groups (0.0.0.0/0 on management ports) and limit access to specific IP addresses or ranges. For the vSTREAM monitoring interface, allow only UDP port 4789 from the traffic mirror sources.

Data Encryption: You can optionally encrypt the vSTREAM virtual appliance storage volume by enabling the VolumeEncrypt option in the CloudFormation template during deployment. Doing so protects captured network data at rest.

CloudTrail: NETSCOUT recommends that you enable AWS CloudTrail to record API activity in the account, and that you complement it with VPC Flow Logs and the access logs of the services involved for network-level and service-level visibility. In addition, you can use nGeniusONE’s logging features to monitor usage of the solution. Refer to “Working with Activity Logs” in the nGeniusONE online help for details.

Resource Tagging: Resources deployed as part of NETSCOUT Smart Data solutions are typically tagged with the NETSCOUT name to allow easy monitoring of the usage of its components.



Disaster Recovery

This section discusses Disaster Recovery procedures for NETSCOUT Smart Data solutions. Separate sections discuss Disaster Recovery for AWS Availability Zone and Region failures:

• Disaster Recovery: Key Concepts on page 44

• Sample Disaster Recovery Plans on page 44

– Availability Zone Recovery on page 45

– Region Recovery on page 47

Disaster Recovery: Key Concepts

Successful recovery of the NETSCOUT Smart Data solution from a failed hosting environment depends on preservation of the following:

• Serial numbers for vSTREAMs.

Serial numbers – also referred to as nsprobeids – are unique for each vSTREAM and ensure that data in the nGeniusONE database can be associated with the correct agent post-recovery.

• Private IP addresses of nGeniusONE and vSTREAMs.

It’s crucial to prepare a Disaster Recovery Plan in such a way that both of these items are preserved. Note that the procedures described in Snapshot and Backup Procedures on page 40 all ensure that the serial numbers and private IP addresses are retained for Disaster Recovery.

Additional Recommendations

• NETSCOUT recommends operating nGeniusONE and vSTREAM virtual appliances in their own VPC. Private IP addresses are unique within a VPC and a subnet cannot span multiple Availability Zones, so a dedicated VPC lets you recreate the same subnets and private addresses in a replacement VPC in a healthy Availability Zone without conflicting with the Application Stack’s addressing. This results in an improved Recovery Time Objective (RTO).

• Disaster Recovery also benefits from a carefully designed VPC Peering and Transit Gateway implementation in a multi-VPC architecture. Keep in mind that successful VPC Peering requires that VPC CIDRs do not overlap and that the associated Route Tables are configured properly.

Sample Disaster Recovery Plans

The sample Disaster Recovery plans in this section can be used as a reference when creating your own plans for recovery from both AWS Availability Zone and Region failures. Because the steps in these sample plans can all be executed programmatically using AWS tools, you can extend them into your existing Disaster Recovery automation strategy using the tool of your choice.

Note that these plans focus on Disaster Recovery for nGeniusONE and vSTREAM virtual appliances and assume that the Application Stack (where vSTREAM agents are installed on Web, Application, and Database servers) is unaffected by the disaster. Presumably, a well-designed Disaster Recovery Plan also exists for the Application Stack and ensures that the entire portfolio of installed vSTREAM agents is also recovered.

Recovery Plan Assumptions

The examples in the sections below assume the following scenario:

• The CIDR for the VPC where nGeniusONE and vSTREAM virtual appliance are installed is 10.10.10.0/23 (VPC1 and VPC3)



• The CIDR for the Application Stack (where vSTREAM agents are installed) is 10.0.0.0/16 (VPC2)

• VPC1 is where the assumed disaster takes place (either an Availability Zone or Region failure).

• VPC2 hosts the Application Stack and resides in healthy Availability Zones.

• VPC3 will host recovered nGeniusONE and vSTREAM appliances in a healthy Availability Zone.

Availability Zone Recovery

Figure 22 illustrates a sample recovery from an unhealthy AWS Availability Zone. In this example, the Availability Zone for the Management and Monitoring subnets in VPC1 has experienced a failure. As part of our recovery plan, we will transition the NETSCOUT resources to VPC3 in a different Availability Zone. For this to work successfully, the networking configuration for the Management and Monitoring network interfaces on both Virtual nGeniusONE and all vSTREAM virtual appliance instances must be identical. This is summarized in Table 20.

Figure 22 Sample Disaster Recovery from Failed Availability Zone

Figure 22 illustrates the following steps during recovery from an Availability Zone failure:

1 Create a new VPC3 with Management and Monitoring Subnets in a healthy AZ within the same AWS Region while maintaining the IP Addresses from VPC1, as summarized in Table 20.

Table 20 Pre and Post-Disaster Network Configuration

Network Element Failed (VPC1) Recovered (VPC3)

VPC CIDR 10.10.10.0/23 10.10.10.0/23

Management Subnet CIDR 10.10.10.0/24 10.10.10.0/24

45

Page 46: Getting Started with NETSCOUT Application Performance ... · NETSCOUT smart data solutions provide end-to-end visibility on application workloads and their dependencies on compute,

2 Remove the VPC Peering between VPC1 and VPC2.

3 Remove the Peering Route Table entry for VPC1’s CIDR from VPC2’s Route Table 2.

4 Create VPC Peering between VPC2 and VPC3 (for example, pcx-123abc456def).

5 Create Route Table entries for the following CIDR blocks from Table 20:

a VPC2’s CIDR of 10.0.0.0/16 in VPC3’s Route Table 3 via the pcx-123abc456def VPC Peering.

b VPC3’s CIDR of 10.10.10.0/23 in VPC2’s Route Table 2 via the pcx-123abc456def VPC Peering.

6 Disassociate the Elastic IP addresses from the Virtual nGeniusONE and vSTREAM virtual appliance Management interfaces

7 Replicate the Security Groups from VPC1 to VPC3. We will use these for Management and Monitoring interfaces later.

8 Create an nGeniusONE Management Interface in the Management Subnet (10.10.10.0/24) in VPC3.

a Assign the Private IP address of 10.10.10.10 to the nGeniusONE Management interface, identical to what it was in VPC1.

b Associate the existing nGeniusONE Elastic IP address (x1.x2.x3.x4) to the new interface in VPC3.

9 Create a vSTREAM virtual appliance Management Interface in the new Management Subnet (10.10.10.0/24) in VPC3.

a Assign the Private IP address of 10.10.10.11 to the vSTREAM virtual appliance Management interface, identical to what it was in VPC1.

b Associate the existing vSTREAM virtual appliance Elastic IP address (y1.y2.y3.y4) to the new interface in VPC3.

10 Create a vSTREAM virtual appliance Monitoring Interface in the new Monitoring Subnet (10.10.11.0/24) in VPC3 and assign the Private IP address of 10.10.11.10, identical to what it was in VPC1.

11 Assign the matching Security Groups from VPC1 (created in Step 7) to the new network interfaces you just created in VPC3.

12 Launch a new nGeniusONE Instance in the new Management Subnet of VPC3 using the Custom nGeniusONE AMI created in "Snapshot and Backup Procedures" on page 40.

a Add the Management Network Interface created in Step 8 to the new nGeniusONE instance in VPC3.

13 Launch a new vSTREAM virtual appliance Instance in the new Management Subnet of VPC3 using the Custom vSTREAM virtual appliance AMI created in "Snapshot and Backup Procedures" on page 40.

Table 20 Pre and Post-Disaster Network Configuration (continued)

Network Element                                             Failed (VPC1)     Recovered (VPC3)
nGeniusONE Management Network Interface IP                  10.10.10.10       10.10.10.10
vSTREAM Virtual Appliance Management Network Interface IP   10.10.10.11       10.10.10.11
Monitoring Subnet CIDR                                      10.10.11.0/24     10.10.11.0/24
vSTREAM Virtual Appliance Monitoring Network Interface IP   10.10.11.10       10.10.11.10


a Add the Management Interface created in Step 9 to the vSTREAM virtual appliance instance as the first interface added. Adding the Management Interface first ensures that it has the requisite Device Index of 0.

b Add the Monitoring Interface created in Step 10 to the vSTREAM virtual appliance instance as the second interface added. Adding the Monitoring Interface second ensures that it has the requisite Device Index of 1.

14 If you created an S3 Sync Backup of the nGeniusONE Database as described in "Backing Up nGeniusONE and vSTREAM Virtual Appliance" on page 41, use the following steps to restore the database once nGeniusONE is up and running:

a Open an SSH connection to the nGeniusONE instance.

b Stop nGeniusONE processes by navigating to the <nGeniusONE install>/rtm/bin directory and executing the ./stop command.

c Restore the nGeniusONE database from the S3 bucket to EC2 using S3 Sync.

d Start nGeniusONE processes by navigating to the <nGeniusONE install>/rtm/bin directory and executing the ./start command.

Region Recovery

Figure 23 illustrates a sample recovery from an unhealthy AWS Region. In this example, the Region for the Management and Monitoring subnets in VPC1 has experienced a failure. As part of our recovery plan, we will transition the NETSCOUT resources to VPC3 in a different Region. For this to work successfully, the networking configuration for the Management and Monitoring network interfaces on both Virtual nGeniusONE and all vSTREAM virtual appliance instances must be identical. This is summarized in Table 21.

Figure 23 Sample Disaster Recovery from Failed Region


Figure 23 illustrates the following steps during recovery from a Region failure:

1 Create a new VPC3 with Management and Monitoring Subnets in an AZ within a separate, healthy AWS Region while maintaining the IP Addresses from the previous configuration, as summarized in Table 21.

2 Remove the VPC Peering between VPC1 and VPC2.

3 Remove the Peering Route Table entry for VPC1’s CIDR from VPC2’s Route Table 2.

4 Create VPC Peering between VPC2 and VPC3 (for example, pcx-123xyz456abc).

5 Create Route Table entries for the following CIDR blocks from Table 21:

a VPC2’s CIDR of 10.0.0.0/16 in VPC3’s Route Table 3 via the pcx-123xyz456abc VPC Peering.

b VPC3’s CIDR of 10.10.10.0/23 in VPC2’s Route Table 2 via the pcx-123xyz456abc VPC Peering.

6 Allocate Elastic IP addresses for the nGeniusONE (x5.x6.x7.x8) and vSTREAM virtual appliance (y5.y6.y7.y8) Management interfaces in the same healthy Region of VPC3.

7 Replicate the Security Groups from VPC1 to VPC3. We will use these for Management and Monitoring interfaces later.

8 Create an nGeniusONE Management Interface in the Management Subnet (10.10.10.0/24) in VPC3.

a Assign the Private IP address of 10.10.10.10 to the nGeniusONE Management interface, identical to what it was in VPC1.

b Associate the nGeniusONE Elastic IP address (x5.x6.x7.x8) to the new interface in VPC3.

9 Create a vSTREAM virtual appliance Management Interface in the new Management Subnet (10.10.10.0/24) in VPC3.

a Assign the Private IP address of 10.10.10.11 to the vSTREAM virtual appliance Management interface, identical to what it was in VPC1.

b Associate the existing vSTREAM virtual appliance Elastic IP address (y5.y6.y7.y8) to the new interface in VPC3.

10 Create a vSTREAM virtual appliance Monitoring Interface in the new Monitoring Subnet (10.10.11.0/24) in VPC3 and assign the Private IP address of 10.10.11.10, identical to what it was in VPC1.

11 Assign the matching Security Groups from VPC1 (created in Step 7) to the new network interfaces you just created in VPC3.

Table 21 Pre and Post-Disaster Network Configuration

Network Element                                             Failed (VPC1)     Recovered (VPC3)
VPC CIDR                                                    10.10.10.0/23     10.10.10.0/23
Management Subnet CIDR                                      10.10.10.0/24     10.10.10.0/24
nGeniusONE Management Network Interface IP                  10.10.10.10       10.10.10.10
vSTREAM Virtual Appliance Management Network Interface IP   10.10.10.11       10.10.10.11
Monitoring Subnet CIDR                                      10.10.11.0/24     10.10.11.0/24
vSTREAM Virtual Appliance Monitoring Network Interface IP   10.10.11.10       10.10.11.10


12 Launch a new nGeniusONE Instance in the new Management Subnet of VPC3 using the Custom nGeniusONE AMI created in "Snapshot and Backup Procedures" on page 40.

a Add the Management Network Interface created in Step 8 to the new nGeniusONE instance in VPC3.

13 Launch a new vSTREAM virtual appliance Instance in the new Management Subnet of VPC3 using the Custom vSTREAM virtual appliance AMI created in "Snapshot and Backup Procedures" on page 40.

a Add the Management Interface created in Step 9 to the vSTREAM virtual appliance instance as the first interface added. Adding the Management Interface first ensures that it has the requisite Device Index of 0.

b Add the Monitoring Interface created in Step 10 to the vSTREAM virtual appliance instance as the second interface added. Adding the Monitoring Interface second ensures that it has the requisite Device Index of 1.

14 Update the Route 53 DNS entries for the nGeniusONE and vSTREAM virtual appliance Management interfaces with new Elastic IP addresses from Step 8 and Step 9 respectively.

15 If you created an S3 Sync Backup of the nGeniusONE Database as described in "Backing Up nGeniusONE and vSTREAM Virtual Appliance" on page 41, use the following steps to restore the database once nGeniusONE is up and running:

a Open an SSH connection to the nGeniusONE instance.

b Stop nGeniusONE processes by navigating to the <nGeniusONE install>/rtm/bin directory and executing the ./stop command.

c Restore the nGeniusONE database from the S3 bucket to EC2 using S3 Sync.

d Start nGeniusONE processes by navigating to the <nGeniusONE install>/rtm/bin directory and executing the ./start command.
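Both recovery procedures (the VPC failure, Table 20, and the Region failure, Table 21) depend on the same invariants: the rebuilt interfaces in VPC3 carry the same private IP addresses and subnet CIDRs as VPC1, the Management interface sits at Device Index 0 and the Monitoring interface at Device Index 1, and the replicated Security Groups are attached. The following script is an added post-recovery check, not part of the NETSCOUT guide. It reads the JSON that `aws ec2 describe-network-interfaces --output json` returns and reports every deviation from Table 21. It assumes the operator wrote a role label (`ngeniusone-mgmt`, `vstream-mgmt`, `vstream-mon`) into each ENI's Description when creating it in Steps 8 to 10; the Security Group names and the interface, instance and group IDs in the sample are constructed.

```python
"""Check a rebuilt VPC3 against the pre-disaster network configuration.

Added example (not NETSCOUT's code). Input is the output of
`aws ec2 describe-network-interfaces --output json`, filtered to the VPC3
VPC ID. Each ENI is matched to its role by its Description string, which
is an assumption about how the interfaces were labelled when created.
"""
import ipaddress
import json
import sys

VPC_CIDR = ipaddress.ip_network("10.10.10.0/23")

# Table 21, keyed by the role label assumed to be in each ENI's Description.
# Security Group names are constructed placeholders for the groups
# replicated from VPC1 in Step 7.
EXPECTED = {
    "ngeniusone-mgmt": {"ip": "10.10.10.10", "subnet": "10.10.10.0/24",
                        "device_index": 0, "groups": {"netscout-mgmt-sg"}},
    "vstream-mgmt":    {"ip": "10.10.10.11", "subnet": "10.10.10.0/24",
                        "device_index": 0, "groups": {"netscout-mgmt-sg"}},
    "vstream-mon":     {"ip": "10.10.11.10", "subnet": "10.10.11.0/24",
                        "device_index": 1, "groups": {"netscout-mon-sg"}},
}


def check_interfaces(describe_output, expected=EXPECTED):
    """Return a list of findings; an empty list means VPC3 matches the table."""
    findings = []
    by_role = {eni.get("Description"): eni
               for eni in describe_output.get("NetworkInterfaces", [])}
    for role, want in expected.items():
        eni = by_role.get(role)
        if eni is None:
            findings.append(f"{role}: no interface with that Description")
            continue
        subnet = ipaddress.ip_network(want["subnet"])
        if not subnet.subnet_of(VPC_CIDR):
            findings.append(f"{role}: subnet {subnet} is outside VPC CIDR {VPC_CIDR}")
        ip = ipaddress.ip_address(eni.get("PrivateIpAddress", "0.0.0.0"))
        if str(ip) != want["ip"]:
            findings.append(f"{role}: private IP {ip}, expected {want['ip']}")
        if ip not in subnet:
            findings.append(f"{role}: {ip} is not in subnet {subnet}")
        attachment = eni.get("Attachment")
        if attachment is None:
            findings.append(f"{role}: interface is not attached to an instance")
        elif attachment.get("DeviceIndex") != want["device_index"]:
            findings.append(f"{role}: device index {attachment.get('DeviceIndex')}, "
                            f"expected {want['device_index']}")
        groups = {g.get("GroupName") for g in eni.get("Groups", [])}
        missing = want["groups"] - groups
        if missing:
            findings.append(f"{role}: missing Security Groups {sorted(missing)}")
    return findings


# Constructed sample of a correctly rebuilt VPC3 (all IDs are made up).
RECOVERED_OK = json.loads("""
{"NetworkInterfaces": [
  {"NetworkInterfaceId": "eni-0aaa", "Description": "ngeniusone-mgmt",
   "PrivateIpAddress": "10.10.10.10", "Status": "in-use",
   "Attachment": {"InstanceId": "i-0n1", "DeviceIndex": 0},
   "Groups": [{"GroupName": "netscout-mgmt-sg", "GroupId": "sg-0001"}]},
  {"NetworkInterfaceId": "eni-0bbb", "Description": "vstream-mgmt",
   "PrivateIpAddress": "10.10.10.11", "Status": "in-use",
   "Attachment": {"InstanceId": "i-0v1", "DeviceIndex": 0},
   "Groups": [{"GroupName": "netscout-mgmt-sg", "GroupId": "sg-0001"}]},
  {"NetworkInterfaceId": "eni-0ccc", "Description": "vstream-mon",
   "PrivateIpAddress": "10.10.11.10", "Status": "in-use",
   "Attachment": {"InstanceId": "i-0v1", "DeviceIndex": 1},
   "Groups": [{"GroupName": "netscout-mon-sg", "GroupId": "sg-0002"}]}
]}
""")


def swapped_vstream_interfaces():
    """Constructed failure case: Steps 13a and 13b were done in the wrong
    order, so the vSTREAM Monitoring ENI got Device Index 0 and Management 1."""
    bad = json.loads(json.dumps(RECOVERED_OK))
    bad["NetworkInterfaces"][1]["Attachment"]["DeviceIndex"] = 1
    bad["NetworkInterfaces"][2]["Attachment"]["DeviceIndex"] = 0
    return bad


if __name__ == "__main__":
    # Usage: aws ec2 describe-network-interfaces --output json \
    #          --filters Name=vpc-id,Values=<VPC3 ID> > vpc3.json
    #        python3 check_vpc3.py vpc3.json
    # With no argument the constructed sample is checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = RECOVERED_OK
    problems = check_interfaces(data)
    for line in problems:
        print("FAIL", line)
    print("OK: VPC3 matches Table 21" if not problems else f"{len(problems)} finding(s)")
    sys.exit(1 if problems else 0)
```

Run it against the real VPC3 before re-pointing DNS (Step 14) or restoring the database (Step 15): a device-index swap on the vSTREAM virtual appliance, or a Management interface that landed on a different private IP, is cheaper to fix before traffic is cut over than after.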

Activating MasterCare Support

All customers who have purchased MasterCare must activate their account online. If you have not previously done so, access the following URL to activate your MasterCare account:

https://my.netscout.com/Pages/default.aspx

Enter the required information in the registration activation form. Your MasterCare account and web login access are confirmed within several business days.



© 2020 NETSCOUT SYSTEMS, INC. All rights reserved.

733-1355 Rev. A

NETSCOUT SYSTEMS, INC.
310 Littleton Road
Westford, MA 01886-4105
Tel. 978-614-4000
888-999-5946
Fax 978-614-4004
E-mail [email protected]
www.netscout.com