Getting Started with NETSCOUT Application Performance Management for Amazon Web Services - 733-1612 Rev. A

Page created by Jacob Carr
 

                                     NETSCOUT SYSTEMS, INC.
                                     Westford, MA 01886
                                     Telephone: 978.614.4000
                                     Fax: 978.614.4004

                                     Web: http://www.netscout.com
Use of this product is subject to the End User License Agreement available at
http://www.netscout.com/legal/terms-and-conditions/ or which accompanies the product at the time of shipment or, if applicable, the legal
agreement executed by and between NETSCOUT SYSTEMS, INC., and the purchaser of this product
(“Agreement”).
Government Use and Notice of Restricted Rights: In U.S. government ("Government") contracts or
subcontracts, Customer will provide that the Products and Documentation, including any technical data
(collectively "Materials"), sold or delivered pursuant to this Agreement for Government use are commercial
as defined in Federal Acquisition Regulation ("FAR") 2.101 and any supplement and further is provided with
RESTRICTED RIGHTS. All Materials were fully developed at private expense. Use, duplication, release,
modification, transfer, or disclosure ("Use") of the Materials is restricted by the terms of this Agreement and
further restricted in accordance with FAR 52.227-14 for civilian Government agency purposes and 252.227-7015
of the Defense Federal Acquisition Regulations Supplement ("DFARS") for military Government agency
purposes, or the similar acquisition regulations of other applicable Government organizations, as applicable
and amended. The Use of Materials is restricted by the terms of this Agreement, and, in accordance with
DFARS Section 227.7202 and FAR Section 12.212, is further restricted in accordance with the terms of
NETSCOUT's commercial End User License Agreement. All other Use is prohibited, except as described
herein.
This Product may contain third-party technology. NETSCOUT may license such third-party technology and
documentation ("Third-Party Materials") for use with the Product only. In the event the Product contains
Third-Party Materials, or in the event you have the option to use the Product in conjunction with Third-Party
Materials (as identified by NETSCOUT in the applicable Documentation), then such third-party materials are
provided or accessible subject to the applicable third-party terms and conditions contained in the “Read Me”
or “About” file located on the Application CD for this Product. To the extent the Product includes Third-Party
Materials licensed to NETSCOUT by third parties, those third parties are third-party beneficiaries of, and may
enforce, the applicable provisions of such third-party terms and conditions.
Open-Source Software Acknowledgment: This product may incorporate open-source components that are
governed by the GNU General Public License ("GPL") or licenses that are compatible with the GPL license
("GPL Compatible License"). In accordance with the terms of the GPL or the applicable GPL Compatible
License, NETSCOUT will make available a complete, machine-readable copy of the source code components
of this product covered by the GPL or applicable GPL Compatible License, if any, upon receipt of a written
request. Please identify the product and send a request to:

NETSCOUT SYSTEMS, INC.
GPL Source Code Request
310 Littleton Road
Westford, MA 01886
Attn: Legal Department

Trademark and copyright notices:
© 2020 NETSCOUT SYSTEMS, INC. All rights reserved. NETSCOUT, the NETSCOUT logo, Guardians of the
Connected World, InfiniStream, nGenius, nGeniusONE, Psytechnics, Simena, and Sniffer are registered
trademarks; ASI, Fox Replay, Hyperlock, the Psytechnics logo, and TestStream are trademarks; and
MasterCare and ServiceONE are a service mark of NETSCOUT SYSTEMS, INC. and/or its affiliates in the United
States and/or other countries (“NETSCOUT”).
All other brands and product names and registered and unregistered trademarks are the sole property of
their respective owners. Dell, the DELL logo, and PowerEdge are trademarks of Dell Inc.
Microsoft, Windows, Windows Server, and MS-DOS are either trademarks or registered trademarks of
Microsoft Corporation in the United States and/or other countries.
Red Hat and Enterprise Linux are registered trademarks of Red Hat, Inc. in the United States and other
countries.
VMware and vSphere are registered trademarks or trademarks (the “Marks”) of VMware, Inc. in the United
States and/or other jurisdictions.
Citrix and XenServer are trademarks of Citrix Systems, Inc. and/or more of its subsidiaries, and may be
registered in the United States Patent and Trademark Office and in other countries.
Sun and Solaris are trademarks of Sun Microsystems, Inc. or its subsidiaries in the United States and other
countries.
NETSCOUT SYSTEMS, INC. disclaims any proprietary interest in trademarks and trade names other than its
own.
NETSCOUT reserves the right, at its sole discretion, to make changes at any time in its technical information,
specifications, service, and support programs.

Getting Started with NETSCOUT Application Performance Management for Amazon Web Services
733-1612 Rev. A
Copyright 2021 NETSCOUT SYSTEMS, INC. All rights reserved.

Contacting NETSCOUT SYSTEMS, INC.
     Customer Support
     The best way to contact Customer Support is to submit a Support Request:
     https://my.netscout.com/mcp/Pages/Landing.aspx

     Telephone: In the US, call 888-357-7667; outside the US, call
     001 978-614-4000. Phone support hours are 8 a.m. to 8 p.m. Eastern Standard Time (EST).

     E-mail: awssupport@netscout.com

     When you contact Customer Support, the following information can be helpful in
     diagnosing and solving problems:
        — Type of network platform
        — Software, operating system, and kernel versions
        — EC2 instance type, AWS Region, and AWS Availability Zone
        — License type (BYOL or PAYG), license number, and your organization’s name
        — The text of any error messages
        — Supporting screen images, logs, and error files, as appropriate
        — A detailed description of the problem

     Sales
     Call 800-357-7666 for the sales office nearest your location.

     Education and Training
     Education and training resources including course listings, product certification, webinars,
     and case studies are available at:
     http://www.netscout.com/education/overview/

Contents
Introducing NETSCOUT Smart Data Solutions for Hybrid Cloud Monitoring
    Solution Components
    Detailed Deployment Architecture
System Requirements – Amazon Web Services
    Skills and Specialized Knowledge Recommendations
    Licensing Models – BYOL and PAYG
       About BYOL Licenses
    About Pricing and Costs
Deployment Summary
Obtaining BYOL Licensing Information
Launching NETSCOUT Templates
    Assign a Public IP Address
    Template Parameters
       Security Group Details
       Instance Type Recommendations
    Connecting to Instances
Deploying vSTREAM Agent from Virtual nGeniusONE
AWS Traffic Acquisition – Ingress Routing and Traffic Mirroring
    Configuring AWS VPC Traffic Mirroring
Virtual nGeniusONE Deployment Notes
Operational Guidance
    Maintaining Visibility on System Health
       Using the Server Health Summary in nGeniusONE
       Using the Instrumentation Health Summary in nGeniusONE
       Using the Notification Center
    Snapshot and Backup Procedures
       Backing Up nGeniusONE and vSTREAM Virtual Appliance
       Backing Up vSTREAM Agent
       Snapshot Examples by Target RPO
    Routine Maintenance
Security Notes
Disaster Recovery
    Disaster Recovery: Key Concepts
    Sample Disaster Recovery Plans
       Availability Zone Recovery
       Region Recovery
Activating MasterCare Support

Getting Started with Application Performance
                       Management for AWS

 This document describes how to get started using the nGeniusONE® Service Assurance platform
 with Amazon Web Services (AWS). See the following sections for details:
 • "Introducing NETSCOUT Smart Data Solutions for Hybrid Cloud Monitoring"
 • "System Requirements – Amazon Web Services"
 • "Deployment Summary"
 • "Obtaining BYOL Licensing Information"
 • "Launching NETSCOUT Templates"
 • "Deploying vSTREAM Agent from Virtual nGeniusONE"
 • "AWS Traffic Acquisition – Ingress Routing and Traffic Mirroring"
 • "Virtual nGeniusONE Deployment Notes"
 • "Operational Guidance"
 • "Security Notes"
 • "Disaster Recovery"

 Additional Resources
 NETSCOUT® Systems strongly recommends that you read this document in its entirety, as well as
 the most recent versions of the following additional documentation available online at
 My.NETSCOUT:
 • vSTREAM Installation Guide
 • Virtual nGeniusONE Installation Guide
 • Agent Administrator Guide for CDM/ASI
 • nGeniusONE documentation and Online Help

  Note: For the most current and comprehensive information, visit the NETSCOUT Technical Support
  knowledge base at the following URL: https://my.netscout.com/pages/mcplanding.aspx. This site
  contains related documents, tips, FAQs, and suggested workarounds. You can also download
  updated copies of product documentation from this site.

Introducing NETSCOUT Smart Data Solutions for
Hybrid Cloud Monitoring
      NETSCOUT smart data solutions provide end-to-end visibility on application workloads and their
      dependencies on compute, network, and storage infrastructure in hybrid cloud environments.
      nGeniusONE provides application performance management for AWS and allows you to:
     • Migrate application workloads to AWS cloud with confidence.
     • Assure the performance of the application in AWS cloud and hybrid environments.
     • Deliver a consistent and high quality user experience before, during and after cloud
       migration.
      Figure 1 illustrates a sample hybrid deployment with a physical nGeniusONE server operating as
      a Distributed Global Manager in the data center. The nGeniusONE server manages a Virtual
      nGeniusONE server deployed in the public cloud together with its associated vSTREAM Agents and
      vSTREAM virtual appliances, minimizing public cloud throughput charges.

                     Figure 1 Application Performance Management for AWS

Solution Components
           The NETSCOUT Application Performance Management solution consists of the Virtual
           nGeniusONE console, vSTREAM virtual appliances, and vSTREAM agents, working together to
           deliver an overarching view into the performance of all infrastructure and application components
           across geographically dispersed data centers and cloud (Figure 2).

                                Figure 2 Detailed View of NETSCOUT Components
           The table below summarizes the role of each of these components:

vSTREAM Agent
  • Installers for Linux and Windows bundled with Virtual nGeniusONE AMI.
  • Install vSTREAM agent on same AMI as target monitored applications in the cloud.
  • The data source for AWS cloud visibility in the NETSCOUT Application Performance
    Management solution for AWS:
    • Reports on key performance indicators
    • Provides access to packet-level data by forwarding packets to vSTREAM.
  • Optimized for ASI visibility with minimal footprint.
  • Manage with Virtual nGeniusONE.

vSTREAM Virtual Appliance
  • Deploy as a virtual appliance in AWS EC2 using NETSCOUT’s configurable
    CloudFormation Templates and ready-made AMI.
  • Scalable provisioning depending on Instance Type selected during deployment.
  • Receives traffic forwarded from multiple vSTREAMs for full ASI analysis and packet
    decodes.
  • Manage and visualize received data with vSTREAM.

Virtual nGeniusONE
  • Delivers overarching view into the performance of all infrastructure and application
    components associated with delivering IP-based services.
  • Deploys as a virtual appliance using NETSCOUT’s configurable CloudFormation
    Template and ready-made AMI.
  • Provides seamless management of vSTREAM agent, vSTREAM virtual appliance, and
    InfiniStream appliances.
  • Integrate with Distributed Global Manager in data center (for example, over
    Amazon's Direct Connect service) for end-to-end visibility.

Detailed Deployment Architecture
      Figure 3 illustrates a sample of a multi-VPC, load-balanced deployment, including an auto-scaling
      application with multi-AZ databases. Note the following:
      • nGeniusONE and vSTREAM virtual appliances reside in a separate VPC from the monitored
        Application deployment. Although this example shows both VPCs in the same AWS Region,
        they can also be in separate regions. Management traffic is shown in blue in the figure.
      • NETSCOUT’s CloudFormation templates in the AWS Marketplace are used to perform the
        deployment of nGeniusONE and vSTREAM virtual appliance instances.
      • vSTREAM Agents are installed on each Web, Application, and Database server targeted for
        monitoring. Monitored traffic is forwarded to vSTREAM virtual appliances in GRE/UDP
        tunnels shown in green in the figure below.
        You can either install vSTREAM Agents manually using the instructions in "Deploying
        vSTREAM Agent from Virtual nGeniusONE" on page 31 or you can use the
        NETSCOUT-provided Ansible Playbook (vstream_agent_playbook.yml) to automate
        deployment of vSTREAM Agent software to multiple hosts with a single command. Refer to
        “Installing vSTREAM as an Agent Using Ansible Playbook,” in the vSTREAM Installation Guide
        for details on using the NETSCOUT Ansible Playbook.
      • NETSCOUT recommends that you use a unique identifier of the monitored Web,
        Application, and Database servers as the serial number (nsprobeid) for the corresponding
        vSTREAM Agent used to monitor its traffic. This makes it easier to associate a vSTREAM
        Agent data source with its monitored server in nGeniusONE. Refer to the vSTREAM
        Installation Guide for details on configuring serial numbers for vSTREAM data sources.

                              Figure 3 Detailed Deployment Diagram

System Requirements – Amazon Web Services
          Table 1 summarizes the necessary requirements to deploy the NETSCOUT Smart Data solution for
          AWS:

                                   Table 1 Deployment Requirements

 Component                                                        Description

 Amazon Web Services Account    You must have an active Amazon Web Services account with access to the EC2
                                Management Console to deploy in an AWS environment.

 Amazon Web Services            The Amazon Web Services account used to deploy NETSCOUT Smart Data
 Permissions                    solutions must have appropriate permissions granted. The simplest way to do
                                this is to grant the AdministratorAccess policy. However, if granting
                                administrator access is not acceptable in your environment, assign the
                                following policies to the account used to deploy NETSCOUT components:
                                    • Assign the built-in AmazonEC2FullAccess policy.
                                    • Create a custom policy with a permission for Full access to the
                                      CloudFormation service and assign it.
                                It’s easiest to grant these permissions in the AWS Organizations visual editor.
                                Note that granting these permissions complies with the “principle of least
                                privilege” – these are the minimum permissions required to deploy the
                                solution.
                                Refer to "Security Notes" on page 44 for more information on best practices for
                                the security of NETSCOUT Smart Data solutions.

 Static Private IP Address &    Bring Your Own License (BYOL) Deployments
 License Information            If you are deploying NETSCOUT Smart Data solutions using the BYOL model,
                                you will need a static private IP address for Virtual nGeniusONE. You use this IP
                                address to complete the product registration procedure and obtain the Serial
                                Number and Password to be entered in the CloudFormation templates and
                                deploy the BYOL AMIs from the AWS Marketplace. Refer to "Obtaining BYOL
                                Licensing Information" on page 16 for details.
                                Note: A static IP address is only needed for BYOL deployments. If you are
                                deploying using the Pay As You Go model (PAYG), you do not need a static IP
                                address.

 Existing AWS VPC               An existing AWS VPC with subnets for both Management and Monitoring.

 Route Tables/Security Groups   Appropriate Route Tables and Security Groups for communication between
                                nGeniusONE and vSTREAMs.

 NTP Server Access              Access to an NTP Server for accurate timestamps in NETSCOUT analysis.
                                NETSCOUT recommends using Amazon Time Sync Services. Note that NTP is
                                enabled by default.

 Access to Marketplace Images   You must have access to the NETSCOUT Application Performance Management
                                AMI images in the AWS Marketplace in the AWS region you are using.

 SSH Key Pair                   You must have a key pair for SSH access to deployed AMIs. You can create or
                                import the key pair in AWS using these instructions.
                                Note: SSH key pairs are created in AWS:
                                  • Public keys are in AWS, are not confidential and are protected at the
                                    account level.
                                  • Private keys are stored by the user and are their responsibility to protect.
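
The "Amazon Web Services Permissions" row above offers two options for the deployment account. As an added example (not NETSCOUT's or AWS's code), this script checks a set of policy documents attached to that account and reports any Allow statement that reaches beyond the EC2 and CloudFormation services. The sample policies, the policy names, and the function names are constructed for illustration, and comparing by service prefix is an assumption of the example.

```python
import json

# Scope of the restricted option described in Table 1 (EC2 plus CloudFormation).
# Assumption: scope is compared by IAM service prefix, the text before ":".
ALLOWED_SERVICES = frozenset({"ec2", "cloudformation"})


def _as_list(value):
    """IAM accepts a single string or object wherever a list is also valid."""
    return value if isinstance(value, list) else [value]


def audit_policy(document, allowed_services=ALLOWED_SERVICES):
    """Return one finding per allowed action that exceeds allowed_services."""
    findings = []
    for index, stmt in enumerate(_as_list(document.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append({"statement": index, "action": "NotAction",
                             "reason": "allows everything except the listed actions"})
            continue
        for action in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive, so normalise the prefix.
            service = action.split(":", 1)[0].lower()
            if "*" in service or "?" in service:
                reason = "wildcard service match"
            elif service not in allowed_services:
                reason = "service outside deployment scope"
            else:
                continue
            findings.append({"statement": index, "action": action, "reason": reason})
    return findings


def audit_principal(attached_policies, allowed_services=ALLOWED_SERVICES):
    """Map policy name -> findings, keeping only policies that have findings."""
    report = {}
    for name, document in attached_policies.items():
        if isinstance(document, str):  # accept raw JSON as exported from IAM
            document = json.loads(document)
        findings = audit_policy(document, allowed_services)
        if findings:
            report[name] = findings
    return report


# Constructed sample policies (not copied from AWS or NETSCOUT).
CFN_FULL_ACCESS = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"},
})

SAMPLE_ATTACHED = {
    # Custom policy granting full access to CloudFormation only.
    "custom-cloudformation": CFN_FULL_ACCESS,
    # Administrator-style policy: every action on every resource.
    "admin-like": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    # A deployer policy that has picked up grants outside the intended scope.
    "drifted-deployer": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"},
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
        ],
    },
}

if __name__ == "__main__":
    for policy, findings in audit_principal(SAMPLE_ATTACHED).items():
        for finding in findings:
            print(f"{policy}: statement {finding['statement']} "
                  f"{finding['action']} -> {finding['reason']}")
```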

Skills and Specialized Knowledge Recommendations
             Table 2 summarizes recommended skills and specialized knowledge for deployment of the
             NETSCOUT Smart Data solution for AWS:

                            Table 2 Skills and Specialized Knowledge Recommendations

      AWS Component                                                    Description

     AWS Core Services                  • Understanding of EC2 Core services, including Marketplace.
                                        • Understanding of EC2 backup, snapshot, and restore processes.
                                        • High level understanding of AWS networking services, including VPCs,
                                          Subnets, Route Tables, Elastic/Public IP addresses, and Security Group.

     AWS CloudFormation                 • Able to launch a Stack from a predefined CloudFormation Template.
                                        • Optional – Understanding of YAML.

     AWS IAM                            • Able to attach AWS Managed IAM Policies to an IAM User running the
                                          deployment, either directly or via a Group.

     Tools for AWS                      • Able to write scripts for regular maintenance of the EC2. There are multiple
                                          tools for scripting available, including AWS Command Line Tools and AWS
                                          SDKs. You can see a list of all supported Tools for Amazon Web Services
                                          here.

Licensing Models – BYOL and PAYG
             NETSCOUT Smart Data solutions are available in the AWS Marketplace as both BYOL (Bring Your
             Own License) and PAYG (Pay As You Go) deployments for both Commercial and GovCloud
             environments:
             • BYOL – In the BYOL model, you purchase an instance license for Virtual nGeniusONE from
               NETSCOUT systems in addition to sufficient vCPU license blocks to cover managed
               vSTREAMs. This is the same model as solutions purchased directly from NETSCOUT
               systems. Refer to "About BYOL Licenses" on page 13 for details on BYOL licenses.
             • PAYG – In the PAYG model, you pay AWS for usage of Virtual nGeniusONE on either an
               annual or hourly basis. Virtual nGeniusONE deployments using the PAYG model can
               manage vSTREAMs up to a specific vCPU limit specified by the selected CFT (8 in this
               release).
               Note: If you require additional vSTREAM vCPUs, you can extend the Virtual nGeniusONE
               PAYG deployment’s capacity by applying additional BYOL vCPU block licenses.
             Table 3 summarizes the available CFT templates for both BYOL and PAYG deployments:

                                  Table 3 Available CFT Templates by License Type

             Bring Your Own License
               Description:
               • Purchase vNG1 license from NETSCOUT based on static IP address. Install using
                 license utility.
               • Purchase 8-vCPU block licenses to cover all managed vSTREAM instances. Extend as
                 necessary with additional vSTREAM licenses. Refer to "About BYOL Licenses" on
                 page 13 for details.
               Available CFT Templates:
               • Virtual nGeniusONE and vSTREAM
               • vSTREAM Only
               • Virtual nGeniusONE Only

             Pay As You Go
               Description:
               • Select a PAYG CFT template authorized to manage a specific number of vSTREAM
                 vCPUs on either an annual or hourly basis.
               • Add vSTREAMs up to the specified vCPU limit.
               • In the rare case you require additional vCPUs, purchase and apply additional BYOL
                 vSTREAM vCPU licenses.
               Available CFT Templates:
               • Virtual nGeniusONE and vSTREAM (8 vCPU)
               • Virtual nGeniusONE Only (8 vCPU)

         About BYOL Licenses
         This section describes licensing for deployments using the BYOL CFT templates:
         • BYOL Virtual nGeniusONE provides support for fifty Type 1 monitoring interfaces.
         • BYOL Virtual nGeniusONE must be licensed for the quantity of vSTREAM vCPUs you want
           to manage in blocks of 8. This is summarized in Table 4:

                                   Table 4 vSTREAM vCPU Licenses in nGeniusONE (BYOL)

                    License Type                                       Description

             vCPU Licenses                NETSCOUT uses licenses to control the maximum number of vCPUs
                                          provisioned across all vSTREAM instances managed by nGeniusONE.
                                          You purchase and apply vSTREAM vCPU licenses in blocks of eight.
                                          Keep in mind the following:
                                            • vCPU blocks can be subdivided. For example, an 8-vCPU block
                                              license could be shared by two separate vSTREAM instances, each
                                              of which was assigned four vCPUs.
                                            • Once a pool of vCPU licenses is exhausted, no more vSTREAM
                                              instances can be added to the server.
                                            • The pool of vSTREAM licenses is shared among all vSTREAM 6.2.1+
                                              instances managed by nGeniusONE, regardless of whether they
                                              are installed as an agent, container, or virtual appliance.
                                            • The license pool for vSTREAM 6.2.1+ devices is completely
                                              separate from the vCPU license pool for legacy vSCOUT and
                                              vSTREAM-EMB devices released prior to 6.2.1.
                                          nGeniusONE will display an error message if you try to add a vSTREAM
                                          whose assigned vCPUs would exceed the licensed capacity.

             Type 1 Interface Licenses    Each 8-vCPU block license in use on the nGeniusONE server counts as
                                          one Type 1 interface against the nGeniusONE Server’s total capacity
                                          (50, by default, for a standalone server).
                                          The Type 1 interface is debited from the local nGeniusONE server
                                          when the first vCPU in the block is consumed by a vSTREAM added to
                                          that nGeniusONE server. A second Type 1 interface is not debited until
                                          the initial 8-vCPU block is fully consumed and a vSTREAM is added to
                                          nGeniusONE that begins using a second 8-vCPU block.
                                          Note: The PAYG Virtual nGeniusONE includes five Type-1 licenses,
                                          which is more than sufficient for the single 8-vCPU vSTREAM block
                                          license included in this release.

About Pricing and Costs
       The NETSCOUT site on the AWS Marketplace provides helpful tools that let you estimate the costs
       of using NETSCOUT Smart Data solutions with different configuration choices. After navigating to
       the NETSCOUT site on the AWS Marketplace, click on the Pricing tab and fill out the fields to
       estimate your costs. Keep in mind that your usage and costs may vary from the estimate
       depending on actual usage.

       Figure 4 Estimating Costs for NETSCOUT Application Performance Management Solutions
       In addition, Support is included as part of the pricing on the page referenced above.

Deployment Summary
     Deploying NETSCOUT Smart Data solutions consists of the following major steps:
    1 If you are using one of the BYOL templates, work with your NETSCOUT Sales Representative
      to obtain the necessary licensing information for both Virtual nGeniusONE and vSTREAM.
      You will need to have a static private IP address for Virtual nGeniusONE in order to obtain
      the Serial Number and Password from the NETSCOUT registration site to enter in the
      CloudFormation Templates as part of the deployment for both products.
    2 Install NETSCOUT Smart Data solution components in the following order:
       a Virtual nGeniusONE and vSTREAM Virtual Appliance (the components deploy
         together using the same CloudFormation Template).
       b vSTREAM Virtual Appliance. Depending on the number of vSTREAM agents from
         which you expect to forward traffic (and the quantity of traffic each agent will send),
         you may want to install multiple vSTREAM virtual appliances.
         Note: There is a separate BYOL CFT for a vSTREAM virtual appliance-only installation.
         You can deploy additional vSTREAM virtual appliances either by using the vSTREAM
         virtual appliance-only template or by cloning the vSTREAM virtual appliance
         deployed in Step a using the combined Virtual nGeniusONE/vSTREAM Virtual
         Appliance deployment.
         Note: A PAYG Virtual nGeniusONE can manage vSTREAMs deployed using the BYOL
         template so long as the total number of managed vSTREAM vCPUs does not exceed
         the maximum authorized by the Virtual nGeniusONE PAYG CFT (8 in this release).
       c vSTREAM Agent. The installers for vSTREAM Agent are bundled with the Virtual
         nGeniusONE AMI. You can copy them to a target AMI from Virtual nGeniusONE and
         install them using the standard installation procedure described in "Deploying
         vSTREAM Agent from Virtual nGeniusONE" on page 31.
    3 Optional: If you want to connect to deployed instances over the public internet (instead of
      a VPN, for example), assign a public IP address to Virtual nGeniusONE.
    4 Ensure that both vSTREAM virtual appliance and vSTREAM agent instances are
      communicating properly with nGeniusONE:
       • When you deploy vSTREAM virtual appliance in AWS, you enter the private IP address
         of the managing Virtual nGeniusONE server in the CloudFormation template. This
         lets vSTREAM virtual appliance add itself to nGeniusONE automatically immediately
         upon boot up.
       • When you install vSTREAM agent on a target AMI, you can either configure the private
         IP address of the managing Virtual nGeniusONE server prior to installation or add the
         vSTREAM agent manually after installation (both approaches are described in the
         vSTREAM Installation Guide).
       If for some reason an instance is not communicating properly with Virtual nGeniusONE, log
       in to the command line of the vSTREAM, run the Agent Configuration utility, and make sure
       that the Virtual nGeniusONE private IP address is specified under [4] Change Config Server
       Address.

    5 Configure Traffic Forwarding from vSTREAM agent sources to vSTREAM virtual appliance
       destinations using Device Configuration in Virtual nGeniusONE. Refer to the vSTREAM
       Installation Guide and the Virtual nGeniusONE online help for details.
           Note: vSTREAM agents provide the data gathering engine for the NETSCOUT
           Smart Data solution. However, in their default configuration, they do not provide
           all of the functionality that vSTREAM virtual appliances do. Unless you’ve enabled
           a packet store on your vSTREAM agents, you may want to forward traffic from
           vSTREAM agent sources to vSTREAM virtual appliances for in-depth packet-level
           analysis.

Obtaining BYOL Licensing Information
      Use the following procedure to obtain the Serial Numbers and Passwords from the NETSCOUT
      registration site to enter in the BYOL CloudFormation Templates as part of the deployment for
      both Virtual nGeniusONE and vSTREAM.
      Note: This procedure only applies to BYOL deployments; PAYG deployments are authorized
      directly through the Marketplace.
     1 When you purchase Virtual nGeniusONE or vSTREAM from NETSCOUT, you receive a
       registration form that includes a registration key. Locate this form.
     2 Open a web browser and navigate to https://my.netscout.com/mcp/Pages/default.aspx.
     3 Navigate to Licensing & Downloads and follow the instructions there to enter your
       registration key. You will also enter an IP address:
        • If you are licensing Virtual nGeniusONE, you enter the static, private IP address to be
          used for Virtual nGeniusONE in the AWS public cloud.
        • If you are licensing vSTREAM, you enter the IP address of its managing Virtual
          nGeniusONE server.
     4 When you complete the registration procedure, you receive both a serial number and a
       password (license key). Print the screen that contains this information. You will enter these
       values in the CloudFormation templates when you deploy the Virtual nGeniusONE and
       vSTREAM AMIs.

Launching NETSCOUT Templates
      This section describes how to deploy the NETSCOUT Smart Data solution using the
      CloudFormation templates and AMIs available in the NETSCOUT site on the AWS Marketplace:
      Note: Do not install or configure Virtual nGeniusONE or vSTREAM as the root user.
     1 Search the Amazon Marketplace for NETSCOUT.
        The Amazon Marketplace shows the entry for the NETSCOUT Application Management
        Solution for AWS.
     2 Click the                     button for the NETSCOUT Application Management Solution
       for AWS.
     3 Accept the Terms and Conditions for the NETSCOUT Application Management Solution
       for AWS.
     4 Click the Continue to Configuration button.
     5 Select the type of deployment you want to perform by choosing from the following
       Fulfillment Options/CloudFormation templates (Figure 5):

  • NETSCOUT Application Performance Management Solution for AWS (BYOL)
    (installs both Virtual nGeniusONE and vSTREAM virtual appliance)
  • NETSCOUT vSTREAM for AWS (BYOL)
  • NETSCOUT Virtual nGeniusONE for AWS (BYOL)
  • NETSCOUT Application Performance Management for AWS (PAYG)
    (installs both Virtual nGeniusONE and vSTREAM virtual appliance)
  • NETSCOUT Virtual nGeniusONE for AWS (PAYG)

          Figure 5 Selecting the CloudFormation Template for the Deployment
6 Use the Software Version dropdown to select the version of the selected CFT to deploy.
7 Use the Region dropdown to specify the Availability Zone where the software should be
  deployed.
8 Click Continue to Launch to continue.
9 Review the configuration details in the Launch page and click Launch when ready to
  continue.

        The Create stack wizard appears with the Select Template screen prepopulated with the
        selected CloudFormation template. For example, Figure 6 shows the Create stack wizard
        prepopulated with the Virtual nGeniusONE and vSTREAM BYOL CloudFormation
        template.

         Figure 6 Create Stack Wizard with CFT for Virtual nGeniusONE and vSTREAM Selected
     10 Click Next to continue.
     11 The Specify Details screen appears. Supply a Stack name and fill out the Parameters for
        the CloudFormation template using the information in "Template Parameters" on page 21.
        Figure 7 shows an example of the combined Virtual nGeniusONE/vSTREAM CFT.

              Note: You configure different parameters depending on the selected template.
              "Template Parameters" on page 21 describes all of the available parameters.

Figure 7 Supplying Values for the CloudFormation Template
12 When you have finished configuring the CloudFormation parameters, click Next to
   continue.
13 The Options page appears, allowing you to configure the standard CloudFormation Stack
   settings listed below. These are all optional; none are required. Use the links below to learn
   more about these AWS options.
    • Tags (key-value pairs)
    • Permissions
    • Rollback Triggers
    • Advanced
    When you have finished setting Options, click Next to continue.
14 The Create Stack Wizard displays a summary of the settings for the new stack. Review the
   settings and use the Previous button to correct if necessary. When you are satisfied with
   your settings, click Create stack to launch the new instance(s).

        The Stack Wizard begins to create the requested resources (Figure 8) and eventually
        launches the instance.

                               Figure 8 Stack Creation in Progress
     15 After a few minutes, you can see the instance(s) in the EC2 Management Console’s
        Instances list (Figure 9).

                                Figure 9 Newly Created Instances

Assign a Public IP Address
         By default, the NETSCOUT CFT templates do not assign a public IP address to deployed instances.
         If you want to be able to connect to Virtual nGeniusONE and/or vSTREAM virtual appliances from
         the public internet, make sure you allocate an elastic IP address to the instance after deployment.

                          Note: A public IP is automatically assigned by AWS if the subnet to
                          which you are adding Virtual nGeniusONE has the Enable
                          auto-assign public IPv4 address option enabled.

         Once you’ve assigned a public IP address to an instance, you can connect to it from the Internet.
         Open a web browser and connect to the public IP address for the Virtual nGeniusONE server and
         see that its associated vSTREAM virtual appliance was automatically added in
         Device Configuration and is available for analysis (Figure 9). For example:
            https://<public-IP-address>:8443/console/

                          Note: Security Group settings for Virtual nGeniusONE require that
                          you use HTTPS instead of HTTP.

         The default credentials for Virtual nGeniusONE are administrator/netscout1.

     Figure 10 Virtual nGeniusONE Deployed in AWS with vSTREAM Virtual Appliance Automatically Added
         Refer to "Connecting to Instances" on page 30 for information on opening an SSH connection to
         the operating system of the new instances.

Template Parameters
         Table 5 lists and describes the parameters you must supply as part of the deployment of the
         NETSCOUT Smart Data solution CloudFormation templates. The table lists the parameters from
         the combined Virtual nGeniusONE and vSTREAM virtual appliance template. If you are using one
         of the templates for an individual Virtual nGeniusONE or vSTREAM virtual appliance, the
         parameters you supply will be a subset of those in Table 5. Similarly, certain parameters only apply
         to the BYOL or PAYG templates; these are called out in the table as such.

                     Table 5 Configuration Parameters for CloudFormation Templates

  Parameter                                                            Description

  Stack name                              Provide a unique name for this stack.

  General Configuration


     AvailabilityZone                     Select an AWS Availability Zone to be used for the deployment from
                                          the dropdown list. The list includes the Availability Zones accessible
                                          from your account.

     KeyName                              Select an existing keypair from the dropdown to be used for access to
                                          the instance(s). You can review your existing keypairs in Network &
                                          Security > Key Pairs from the EC2 Dashboard.

     Virtual nGeniusONE Configuration

     vnG1InstanceType                     Choose an Instance Type for the Virtual nGeniusONE deployment
                                          from the dropdown list.
                                          Each Instance Type provides a different combination of computing
                                          resources (CPU, memory, storage, and networking). You can select
                                          from the following Instance Types for Virtual nGeniusONE:
                                            • m5.2xlarge
                                            • m5.4xlarge
                                            • m5.8xlarge
                                          Refer to "Choosing an Instance Type for Virtual nGeniusONE" on
                                          page 29 for guidance on selecting an Instance Type appropriate for
                                          your needs.
                                          NOTE: Instance Types are priced differently in the AWS Public Cloud
                                          based on the amount of resources provisioned. Refer to
                                          https://aws.amazon.com/ec2/instance-types for details.

     vnG1ServerIP                         Supply a static, private IP address in an existing subnet belonging to
                                          the target VPC.
                                          Note: For BYOL deployments, this should match the IP address you
                                          used to register Virtual nGeniusONE on the NETSCOUT MasterCare
                                          Portal.
                                          Note: The CloudFormation template only supports IPv4 addresses in
                                          this release. Contact NETSCOUT for assistance if you require IPv6
                                          support.

     vnG1dbONEVolumeSize                  Specify the size of the Virtual nGeniusONE database in GB. The default
                                          value is 1000 MB (1GB).

     vnG1dbONEVolumeEncrypt               Use the dropdown to specify whether the Virtual nGeniusONE storage
                                          database (dbONE) should be encrypted. By default, it is not.


vSTREAM Configuration

vSTREAMInstanceType                 Choose an Instance Type for the vSTREAM virtual appliance
                                    deployment from the dropdown list.
                                    Each Instance Type provides a different combination of computing
                                    resources (CPU, memory, storage, and networking). You can select
                                    from the following Instance Types for vSTREAM virtual appliance:
                                      • m5.2xlarge (BYOL and PAYG)
                                      • m5.4xlarge (BYOL only; this instance type uses 16 vCPUs and
                                        exceeds the PAYG Virtual nGeniusONE’s maximum capacity for
                                        vSTREAM vCPUs of 8 in this release).
                                      • m5.8xlarge (BYOL only; this instance type uses 32 vCPUs and
                                        exceeds the PAYG Virtual nGeniusONE’s maximum capacity for
                                        vSTREAM vCPUs of 8 in this release)
                                    Refer to "Choosing an Instance Type for vSTREAM Virtual Appliance"
                                    on page 29 for guidance on selecting an Instance Type appropriate for
                                    your needs.
                                    NOTE: Instance Types are priced differently in the AWS Public Cloud
                                    based on the amount of resources provisioned. Refer to
                                    https://aws.amazon.com/ec2/instance-types for details.

vSTREAMVolumeSize                   Specify the size of the vSTREAM virtual appliance storage volume.
                                    Acceptable values range from 100-16,000 GB (16TB). The default is 100
                                    GB.
                                    The size of your storage volume corresponds directly to your ability to
                                    store packet and ASI data on the monitoring vSTREAM virtual
                                    appliance agent. Contact your Sales Representative for assistance in
                                    choosing a volume size that balances expenses with your need to
                                    preserve data based on expected traffic types and load.

vSTREAMVolumeEncrypt                Use the dropdown to specify whether the vSTREAM virtual appliance
                                    storage volume should be encrypted. By default, it is not.

Network

VpcId                               Use the dropdown to select an existing VPC for the deployment. If you
                                    are deploying Virtual nGeniusONE and vSTREAM virtual appliance
                                    together, both AMIs will be deployed in the same VPC.
                                    If you have many VPCs associated with your account, you can type an
                                    entry in the field to narrow the results to matching IDs or name tag
                                    values.

MgmtSubnet                          Use the dropdown list to select an existing subnet for Management
                                    traffic between Virtual nGeniusONE and managed vSTREAM devices.
                                    The dropdown lists the subnets already provisioned for your account.
                                    If you are deploying Virtual nGeniusONE and vSTREAM virtual
                                    appliance together, the subnet selected here is used for the
                                    Management port on both instances.
                                    Note that the Capture and Management subnets must both be in
                                    the same AWS Availability Zone (the Availability Zone selected for
                                    the Virtual nGeniusONE deployment, above).
                                    If you have many subnets associated with your account, you can type
                                    an entry in the field to narrow the results to matching IDs or name tag
                                    values.


     CaptureSubnet                             Use the dropdown list to select an existing subnet for the vSTREAM
                                               virtual appliance monitoring interface. The dropdown lists the subnets
                                               already provisioned for your account.
                                               You can either select the same subnet you are using for Management
                                               traffic or choose a different one. Note that the Capture and
                                               Management subnets must both be in the same AWS Availability
                                               Zone (the Availability Zone selected for the Virtual nGeniusONE
                                               deployment, above).
                                               In general, it’s a good practice to keep management traffic separate
                                               from the capture subnet. This way, you aren’t adding additional traffic
                                               to the monitored subnet and you also have a means of contacting a
                                               managed vSTREAM if its capture subnet goes down.
                                               If you have many subnets associated with your account, you can type
                                               an entry in the field to narrow the results to matching IDs or name tag
                                               values.

     AccessLocation                            Use this field to limit the range of IP addresses from which the
                                               deployed instance(s) will accept SSH connections. This field is
                                               mandatory. However, if you want to allow SSH connections from any
                                               location, you can enter a value of 0.0.0.0/0.
                                               If you are deploying Virtual nGeniusONE and vSTREAM virtual
                                               appliance together, the range specified here is used for SSH
                                               connections to the Management port on both instances.
                                               You can edit the Security Group settings later on to change the IP
                                               addresses for which access is allowed. Refer to Working with Security
                                               Groups in the AWS documentation for details.

     Security Groups
     Use these fields to assign Virtual nGeniusONE and vSTREAM interfaces to AWS Security Groups.
       • If you leave these options set to CREATE (the default), the template automatically assigns the corresponding
         interface to a Security Group with the necessary permissions and open ports to allow communications with
         other NETSCOUT Smart Data solutions. Ports are opened in accordance with the principle of least privilege –
         only the ports required for successful communications are opened.
       • You can also supply the name of an existing Security Group. If you use an existing Security Group, you must
         open the necessary ports manually using the information in "Security Group Details" on page 25.
     Refer to "Security Group Details" on page 25 for details on which ports are opened for which Security Groups.

     vnG1MgmtSecurityGroupID                   Use this field to assign the Virtual nGeniusONE’s Mgmt interface (eth0)
                                               to a Security Group.
                                               Refer to "About the Virtual nGeniusONE Mgmt Security Group" on
                                               page 26 for details on the ports opened for this group.

     vSTREAMMgmtSecurityGroupID                Use this field to assign the vSTREAM virtual appliance’s Mgmt interface
                                               (eth0) to a Security Group.
                                               Refer to "About the vSTREAM Mgmt Security Group" on page 26 for
                                               details on the ports opened for this group.

     vSTREAMMonSecurityGroupID                 Use this field to assign the vSTREAM virtual appliance’s monitoring
                                               interface (eth1) to a Security Group.
                                               Refer to "About the vSTREAM Mon Security Group" on page 27 for
                                               details on the ports opened for this group.


vSTREAMAgentSecurityGroupID            Use this field to create a Security Group for use with vSTREAM Agent
                                       interfaces.
                                       Because vSTREAM Agents are installed on a third-party virtual
                                       machine targeted for monitoring, this group is a container to which
                                       you can assign desired interfaces on virtual machines with vSTREAM
                                       Agent installed. Interfaces in this group will be able to perform
                                       necessary communications with other interfaces in the Virtual
                                       nGeniusONE and vSTREAM Security Groups.
                                       Refer to "About the vSTREAM Agent Security Group" on page 28 for
                                       details on the ports opened for this group.

License – BYOL Deployments Only

vSTREAMSerialNumber                    For BYOL deployments, supply the Serial Number and Password you
vSTREAMPassword                        received from the MasterCare Portal when you registered your
                                       software in "Obtaining BYOL Licensing Information" on page 16.

vnG1SerialNumber                       For BYOL deployments, supply the Serial Number and Password you
vnG1Password                           received from the MasterCare Portal when you registered your
                                       software in "Obtaining BYOL Licensing Information" on page 16.
                                       Make sure the IP address you used to obtain the Serial Number and
                                       Password is the same as the one specified for the Virtual nGeniusONE
                                       IP address in the template, above.
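
A pre-launch check of the Table 5 parameters, as an added example (not NETSCOUT's code). It reads a parameter set in the AWS CLI parameters-file shape and flags the values the table calls out: the address rules for vnG1ServerIP, an open AccessLocation, unencrypted volumes, the volume size range, and the PAYG vCPU limit. Assumptions: the encryption dropdown value is taken to be "true", the management subnet's CIDR is supplied by the caller, and the sample values are constructed.

```python
import ipaddress
import json

# vCPUs per instance type: 16 and 32 are stated in Table 5; 8 for m5.2xlarge is
# AWS's published figure.
VCPUS = {"m5.2xlarge": 8, "m5.4xlarge": 16, "m5.8xlarge": 32}
PAYG_MAX_VSTREAM_VCPUS = 8      # PAYG limit "in this release", per the guide
VOLUME_GB = range(100, 16001)   # vSTREAMVolumeSize: 100-16,000 GB
ENCRYPT_ON = "true"             # ASSUMPTION: the guide does not show the dropdown values


def load_parameters(text):
    """Flatten the AWS CLI parameters-file shape into {key: value}."""
    return {p["ParameterKey"]: p["ParameterValue"] for p in json.loads(text)}


def check_parameters(params, mgmt_subnet_cidr, payg=False):
    """Return (severity, parameter, message) findings for one parameter set."""
    findings = []

    def add(severity, key, message):
        findings.append((severity, key, message))

    # vnG1ServerIP: static, private IPv4 address inside an existing subnet.
    try:
        ip = ipaddress.ip_address(params.get("vnG1ServerIP", ""))
    except ValueError:
        add("ERROR", "vnG1ServerIP", "not a valid IP address")
    else:
        if ip.version != 4:
            add("ERROR", "vnG1ServerIP", "template supports IPv4 only in this release")
        elif not ip.is_private:
            add("ERROR", "vnG1ServerIP", "must be a private address")
        elif ip not in ipaddress.ip_network(mgmt_subnet_cidr):
            add("ERROR", "vnG1ServerIP", f"outside subnet {mgmt_subnet_cidr}")

    # AccessLocation: mandatory; 0.0.0.0/0 is accepted but admits SSH from anywhere.
    try:
        access = ipaddress.ip_network(params.get("AccessLocation", ""), strict=False)
    except ValueError:
        add("ERROR", "AccessLocation", "mandatory; must be a CIDR range")
    else:
        if access.prefixlen == 0:
            add("WARN", "AccessLocation", "SSH accepted from any address")

    # Both storage volumes are unencrypted by default.
    for key in ("vnG1dbONEVolumeEncrypt", "vSTREAMVolumeEncrypt"):
        if str(params.get(key, "")).lower() != ENCRYPT_ON:
            add("WARN", key, "volume encryption is not enabled")

    # vSTREAMVolumeSize: the default of 100 GB applies when the key is absent.
    try:
        size_ok = int(params.get("vSTREAMVolumeSize", 100)) in VOLUME_GB
    except ValueError:
        size_ok = False
    if not size_ok:
        add("ERROR", "vSTREAMVolumeSize", "must be a whole number from 100 to 16000 (GB)")

    # vSTREAMInstanceType: a PAYG Virtual nGeniusONE manages at most 8 vSTREAM vCPUs.
    itype = params.get("vSTREAMInstanceType")
    if itype not in VCPUS:
        add("ERROR", "vSTREAMInstanceType", "not one of the listed instance types")
    elif payg and VCPUS[itype] > PAYG_MAX_VSTREAM_VCPUS:
        add("ERROR", "vSTREAMInstanceType",
            f"{VCPUS[itype]} vCPUs exceeds the PAYG limit of {PAYG_MAX_VSTREAM_VCPUS}")
    return findings


# Constructed sample parameter set (not taken from a real deployment).
SAMPLE = json.dumps([
    {"ParameterKey": "vnG1ServerIP", "ParameterValue": "10.0.1.10"},
    {"ParameterKey": "AccessLocation", "ParameterValue": "0.0.0.0/0"},
    {"ParameterKey": "vnG1dbONEVolumeEncrypt", "ParameterValue": "false"},
    {"ParameterKey": "vSTREAMVolumeEncrypt", "ParameterValue": "true"},
    {"ParameterKey": "vSTREAMVolumeSize", "ParameterValue": "50"},
    {"ParameterKey": "vSTREAMInstanceType", "ParameterValue": "m5.4xlarge"},
])

if __name__ == "__main__":
    for finding in check_parameters(load_parameters(SAMPLE), "10.0.1.0/24", payg=True):
        print(*finding, sep="  ")
```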

        Security Group Details
        As described in Table 5, the NETSCOUT CFT templates provide the options of creating AWS Security
        Groups for Virtual nGeniusONE, vSTREAM virtual appliance, and vSTREAM Agent interfaces. This
        section describes the ports opened by each of these Security Groups.
        The default settings for NETSCOUT Security Groups ensure that the necessary communications
        between NETSCOUT components in these different groups can take place successfully (for
        example, interfaces in the vSTREAM Monitoring Security Group can receive traffic forwarded from
        interfaces in the vSTREAM Agent Security Group).
        If you did not create Security Groups as part of the CFT templates, you can also use the information
        in these sections to open the necessary ports for NETSCOUT communications in your own Security
        Groups:
        • "About the Virtual nGeniusONE Mgmt Security Group" on page 26
        • "About the vSTREAM Mgmt Security Group" on page 26
        • "About the vSTREAM Mon Security Group" on page 27
        • "About the vSTREAM Agent Security Group" on page 28
        Table 6 lists the default Security Groups created by the NETSCOUT CFT templates. Following the
        table, Figure 9 illustrates sample creation of these groups.

                        Table 6 NETSCOUT Smart Data Solutions Security Groups

 Name                       Group Name                      Instance                     Interface

sg-vnG1-mgmt         vnG1MgmtSecurityGroup        Virtual nGeniusONE eth0       eth0

sg-vSTREAM-mgmt      vStreamMgmtSecurityGroup     vSTREAM Virtual Appliance     eth0
                                                  Mgmt Port


     sg-vSTREAM-mon     vStreamMonSecurityGroup       vSTREAM Virtual Appliance    eth1
                                                      Monitoring Port

     sg-vSTREAM Agent   vStreamAgentSecurityGroup     vSTREAM Agents               User assigned

                                      Figure 11 NETSCOUT Security Groups

            About the Virtual nGeniusONE Mgmt Security Group
            The Virtual nGeniusONE Security Group allows packets and selected ports from interfaces in the
            sg-vSTREAM-mgmt and sg-vSTREAM Agent groups as summarized in Table 7.

                             Table 7 Traffic Allowed by Virtual nGeniusONE Mgmt Security Group

               Description                                                              Protocol        Port Range

              HTTP from interfaces in vSTREAM Mgmt and vSTREAM Agent              TCP                 8080
              Security Groups.

              HTTPS from interfaces in vSTREAM Mgmt and vSTREAM Agent             TCP                 8443
              Security Groups.

              SSH, as configured by AccessLocation parameter in CFT template      SSH                 22

              NETSCOUT SNMP Traps from interfaces in vSTREAM Mgmt and             UDP                 395
              vSTREAM Agent Security Groups.

              TFTP, remote upgrades from interfaces in vSTREAM Mgmt Security      UDP                 69
              Group.

              All ICMP-IPv4 (PING) from interfaces in vSTREAM Mgmt and vSTREAM    All                 N/A
              Agent Security Groups.

            About the vSTREAM Mgmt Security Group
            The vSTREAM Mgmt Security Group allows packets and selected ports from interfaces in the
            sg-vnG1-mgmt and sg-vSTREAM Agent groups as summarized in Table 8.

                                  Table 8 Traffic Allowed by vSTREAM Mgmt Security Group

               Description                                                              Protocol        Port Range

              HTTP from interfaces in Virtual nGeniusONE Mgmt Security Group.     TCP                8080

              HTTPS from interfaces in Virtual nGeniusONE Mgmt Security Groups.   TCP                8443

              SSH, as configured by AccessLocation parameter in CTP Template      TCP                22

  All ICMP-IPv4 (PING) from interfaces in vSTREAM Mgmt and vSTREAM       All              N/A
  Agent Security Groups.

About the vSTREAM Mon Security Group
The vSTREAM Mon Security Group accepts GRE and UDP from interfaces in the vSTREAM Agent
Security Group, allowing monitoring interfaces to accept traffic tunneled from vSTREAM Agents, as
summarized in Table 9.

                       Table 9 Traffic Allowed by vSTREAM Mon Security Group

   Description                                                                 Protocol     Port Range

  GRE from interfaces in vSTREAM Agent Security Group.                   GRE (47)         All

  UDP from interfaces in vSTREAM Agent Security Group.                   UDP              50100

         Note: If you are using VPC Traffic Mirroring on VXLAN as part of your forwarding
         solution, the traffic mirror target must have UDP Port 4789 open in order to receive
         traffic.

About the vSTREAM Agent Security Group
     The vSTREAM Agent Security Group allows packets and selected ports from interfaces in the
     sg-vnG1-mgmt and sg-vSTREAM-mgmt groups as summarized in Table 10.
     Note: Because vSTREAM Agents are installed on third-party virtual machines targeted for
     monitoring (for example, a web server), you must assign vSTREAM Agent interfaces manually to
     the vSTREAM Agent Security Group (or open the ports listed in Table 10 for whatever group the
     vSTREAM Agent’s interface already belongs to).

                            Table 10 Traffic Allowed by vSTREAM Agent Security Group

        Description                                                              Protocol        Port Range

       HTTP from interfaces in Virtual nGeniusONE Mgmt Security Group.     TCP                8080

       HTTPS from interfaces in Virtual nGeniusONE Mgmt Security Groups.   TCP                8443

       SSH, as configured by AccessLocation parameter in CTP Template      TCP                22

       All ICMP-IPv4 (PING) from interfaces in Virtual nGeniusONE Mgmt     All                N/A
       and vSTREAM Mgmt Security Groups.
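
The rules in Tables 7 through 10 can serve as a baseline when auditing a deployed stack. The following Python code is an added example, not NETSCOUT code: it compares one security group entry, in the JSON shape returned by aws ec2 describe-security-groups, with the documented protocol and port list, and also flags any rule open to 0.0.0.0/0 or ::/0 (a check added here, not a requirement stated in this guide). The role labels and the sample group are constructed for the example.

```python
import json

# Expected ingress per group, transcribed from Tables 7-10 as (IpProtocol, port).
# The EC2 API reports GRE as protocol number "47"; GRE and ICMP rules carry no
# port. SSH is TCP/22. The dictionary keys are labels chosen for this example.
COMMON = {("tcp", 8080), ("tcp", 8443), ("tcp", 22), ("icmp", None)}
BASELINE = {
    "vnG1-mgmt": COMMON | {("udp", 395), ("udp", 69)},  # Table 7
    "vSTREAM-mgmt": COMMON,                              # Table 8
    "vSTREAM-mon": {("47", None), ("udp", 50100)},       # Table 9
    "vSTREAM-agent": COMMON,                             # Table 10
}

def audit(role, group, vxlan_mirroring=False):
    """Return sorted findings for one describe-security-groups entry."""
    expected = set(BASELINE[role])
    if role == "vSTREAM-mon" and vxlan_mirroring:
        expected.add(("udp", 4789))                      # note under Table 9
    seen, findings = set(), []
    for perm in group.get("IpPermissions", []):
        proto, lo, hi = perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")
        if proto in ("tcp", "udp"):
            rule = (proto, lo if lo == hi else f"{lo}-{hi}")  # ranges never match
        else:
            rule = (proto, None)
        seen.add(rule)
        if rule not in expected:
            findings.append(f"unexpected rule {rule[0]}/{rule[1]}")
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in ("0.0.0.0/0", "::/0"):            # added check, see lead-in
                findings.append(f"{rule[0]}/{rule[1]} open to {cidr}")
    findings += [f"missing rule {p}/{port}" for p, port in expected - seen]
    return sorted(findings)

# Constructed sample (not from a real account): a monitoring-port group that has
# SSH open to the world and lacks the UDP 50100 rule.
SAMPLE = json.loads("""
{"GroupId": "sg-EXAMPLE", "IpPermissions": [
  {"IpProtocol": "47", "UserIdGroupPairs": [{"GroupId": "sg-AGENT-EXAMPLE"}]},
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
]}
""")

if __name__ == "__main__":
    for finding in audit("vSTREAM-mon", SAMPLE):
        print(finding)
```

The check covers protocol and port only; confirming that each rule's source is the security group named in the tables requires the group IDs from your own deployment.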

     Instance Type Recommendations
     The CloudFormation templates for the NETSCOUT Application Performance Management solution
     let you select an Instance Type for both the Virtual nGeniusONE and vSTREAM virtual appliance
     virtual machines. Each Instance Type provides a different combination of computing resources
     (CPU, memory, storage, and networking; refer to Table 11) and is priced differently based on the
     amount of resources provisioned.
     Refer to the sections below for guidance on selecting an Instance Type for both Virtual
     nGeniusONE and vSTREAM virtual appliance:
     • "Choosing an Instance Type for Virtual nGeniusONE"
     • "Choosing an Instance Type for vSTREAM Virtual Appliance"
     Note: Refer to https://aws.amazon.com/ec2/instance-types for details on instance types.

                  Table 11 Summary of Instance Types for NETSCOUT Smart Data Solutions

                                                                 Dedicated EBS                Network
       Instance Type     vCPUs       Memory       Storage      Bandwidth (Mbps)             Performance

     m5.2xlarge         8          32 GB        EBS-only     Up to 4,750               Up to 10 Gbps

     m5.4xlarge         16         64 GB        EBS-only     4,750                     Up to 10 Gbps

     m5.8xlarge         32         128 GB       EBS-only     6,800                     10 Gbps

Choosing an Instance Type for Virtual nGeniusONE
             Table 12 provides guidance on selecting an instance type for Virtual nGeniusONE.

                Table 12 Instance Type Recommendations per Managed Interfaces and System Load

Instance Type   vCPUs   Memory   Managed Interfaces      ASI Flows/5-Minute Polling   Reports   Concurrent Users

m5.2xlarge      8       32 GB    20 Type 1 interfaces¹   1 million                    50        10
    Recommended for general-purpose deployments.

m5.4xlarge      16      64 GB    40 Type 1 interfaces¹   1.5 million                  50        10
    Recommended for high usage environments.

m5.8xlarge      32      128 GB   50 Type 1 interfaces¹   2 million                    50        10
    Recommended for highest usage environments.

    1. To support the full allotment of 50 Type 1 interfaces included with a full license, provision Virtual nGeniusONE with a minimum of
    48 GB of RAM (64 GB recommended) and 24 vCPUs.

             Choosing an Instance Type for vSTREAM Virtual Appliance
             Table 13 provides guidance on selecting an instance type for vSTREAM.

                                         Table 13 System Requirements per vSTREAM

Scenario                  vCPUs   Memory   System Drive

m5.2xlarge                8       32 GB    50 GB
    Recommended for general-purpose deployments.

m5.4xlarge (BYOL Only)    16      64 GB    50 GB
    Recommended if the Subscriber Table is enabled for integration with nGenius Business
    Intelligence or when using the URL discovery option.

m5.8xlarge                32      128 GB   50 GB
    Recommended for deployments with multiple packet forwarding destinations and/or Omnis
    adaptors; refer to the vSTREAM Installation Guide for details.

Storage Drive: 100 GB – 16 TB. Configure the volume size to balance your packet retention
needs with costs. Larger drives cost more but keep packets longer.

Monitoring Interfaces: Up to four vNICs. Note: NETSCOUT recommends choosing one of the
.4xlarge or .8xlarge Instance Types for any vSTREAM virtual appliance provisioned with 4 vNICs.

             Note that only the m5.2xlarge instance type is available for PAYG vSTREAM deployments. This is
             because the m5.4xlarge and m5.8xlarge instance types use more vCPUs than the PAYG Virtual
             nGeniusONE’s maximum capacity for vSTREAM vCPUs in this release (8).

Connecting to Instances
      Connect to the operating system of NETSCOUT instances using the key pair you selected as part
      of the CloudFormation template as follows:
      1 Click the Services dropdown in the AWS Management Console and select
        Compute > EC2.
      2 Click the Instances entry in the left column.
      3 Make sure the desired instance is selected.
      4 Click the Connect button (Figure 12).

                           Figure 12 Connecting to the vSTREAM Instance
      5 The Connect To Your Instance window provides guidance on using SSH to connect to the
        instance remotely, either using the Linux ssh command or a Windows client, such as
        PuTTY. Keep in mind the following:
        • You will need access to your private key file. The Connect To Your Instance window
          reminds you of the name of the private key file you associated with the instance.
        • Your private key file must not be publicly viewable for SSH to work. You can use
          chmod 400 to make your private key file not publicly viewable.
        • The Connect To Your Instance window shows you the IP address you should use to
          connect to your instance along with the correct SSH syntax. For example, in Figure
          13, we can use the following SSH command to log in to the default centos account
          provided with NETSCOUT AMIs:
           $ ssh -i "vstream-keys.pem" centos@34.203.23.249

                          Figure 13 The Connect To Your Instance Window
      6 Click Close on the Connect To Your Instance window.

      7 Open a terminal window and use the ssh command to connect to the NETSCOUT instance:
           $ ssh -i "<private-key-file>" centos@<instance-IP-address>

Deploying vSTREAM Agent from Virtual nGeniusONE
      The installation files for the vSTREAM agent are bundled with the Virtual nGeniusONE image and
      stored under /opt/vSTREAM_Agent once the instance has been deployed. There are separate
      installers depending on the target environment.
      Refer to the vSTREAM Installation Guide on My.NETSCOUT for details on selecting the correct
      installer for your target environment and performing the installation. The general procedure is as
      follows:
      1 Connect to the Virtual nGeniusONE instance using the instructions in the previous section.
        Note: NETSCOUT recommends that you do not use root access to copy the vSTREAM Agent
        installer from /opt/vSTREAM_Agent – you can do it as the centos user provided with the
        AWS instance.
      2 Copy the installer for your operating system to the target instance.
      3 If you are installing in Linux, you can preconfigure the address of the managing Virtual
        nGeniusONE server in a /tmp/nsagent_config.cfg configuration file. The values stored in
        this file are read in during installation and allow the newly installed vSTREAM agent to add
        itself to Virtual nGeniusONE automatically. Refer to the vSTREAM Installation Guide for
        details on how to do this.
            Note: If you are installing in Windows, the installation wizard prompts you to
            supply the IP address of the managing Virtual nGeniusONE server.

      4 Run the installer.
      5 When installation is complete, open the Agent Configuration Utility (localconsole) and
        ensure that [4] Change Config Server Address is set to the address of the managing
        Virtual nGeniusONE server.

AWS Traffic Acquisition – Ingress Routing and Traffic Mirroring
      In addition to forwarding packets from vSTREAM Agents to vSTREAM virtual appliances, AWS
      provides additional tools that help NETSCOUT Smart Data solutions provide visibility on
      cloud-based traffic:
      • Amazon VPC ingress routing lets you define routing rules at the Internet Gateway (IGW)
        and Virtual Private Gateway (VGW) to redirect ingress traffic to third-party appliances
        before it reaches the final destination. Traffic coming in or out of a VPC can be redirected
        to security or packet-shaping virtual applications, which in turn can be monitored through
        VPC traffic mirroring with vSTREAM for advanced service performance and security
        assurance.
      • Amazon VPC traffic mirroring allows you to acquire packet data from multiple application
        workloads in an Amazon VPC and mirror it to a vSTREAM instance’s monitor port.
      Figure 14 shows an example of using AWS VPC Ingress Routing together with Amazon VPC Traffic
      Mirroring to acquire traffic that traverses VPC boundaries and route it to vSTREAM appliances for
      real-time analysis for service and security assurance.
