Many organizations, including those not traditionally associated with technology, are migrating to the cloud, drawn by the flexibility and agility it offers. Last year, 89% of enterprises reported adopting public cloud, and 71% a hybrid cloud model.
With this mass migration, organizations have more network segments to manage and more potential blind spots. They also need to ensure that their existing compliance and security policies extend to public cloud workloads.
In an on-premises deployment there are several ways to get a copy of traffic from the infrastructure for real-time analysis, such as TAPs (physical or virtual) or SPAN sessions. When applications are deployed in the public cloud, none of these options are available. For example, in Amazon Web Services (AWS) a multi-tier application can run in an isolated Virtual Private Cloud (VPC) with no packet-level traffic monitoring capability at all (VPC Flow Logs record connection metadata, not packet contents). Agent-based monitoring is an option, but it leads to a very complex architecture, especially when several tools need access to the same traffic for inspection and analysis.
Nuage solves this problem with its Network Services Gateway (NSG) and its policy-based mirroring capability. The virtual NSG (NSG-V) can be deployed in AWS as an Amazon Machine Image (AMI); it then acts as the gateway for a VPC, just as an NSG does for an on-premises data center or a branch location. Using the Nuage Virtualized Services Directory (VSD), you can then configure a policy-based port mirror that filters and copies traffic based on L2-L4 header fields and tunnels the copies from your public cloud to any machine or tool in your network. Nuage uses standard Generic Routing Encapsulation (GRE), so the copied packets can traverse any IP network that forwards GRE (IP protocol 47), even when the destination is not directly connected to the NSG; in AWS this means the security group and network ACL applied to the NSG-V must permit outbound protocol 47 toward the mirror destination. For example, you can filter all HTTP traffic passing through your Amazon VPC and tunnel it back to the data center where your network tools are located.
The Nuage solution lets IT organizations monitor enterprise workloads wherever it is most advantageous for their needs. For some, that means monitoring inside the AWS VPC, or in a dedicated VPC that hosts the necessary tools. For others, it means centralizing the capability on-premises or in private infrastructure.
Nuage policy-based port mirroring provides several benefits to IT organizations:
- Saves time and resources by speeding up troubleshooting
- Reduces bandwidth to tools by filtering packets at the source instances and dropping unwanted traffic, so tools operate more efficiently
- Enables security inspection of traffic flowing among AWS workloads by forwarding that traffic to on-premises or cloud-hosted security devices
- Supports compliance validation through continuous monitoring and reporting of access to and use of public cloud-hosted resources
Mirror destinations (the receivers of the mirrored traffic) can be IDS tools (e.g., Snort), packet capture tools (e.g., Wireshark), or network performance tools (e.g., ExtraHop). A destination is identified by an IP address reachable in the underlay IP network. The mirrored traffic is carried to that address in a GRE tunnel using the Transparent Ethernet Bridging (also called bridged Ethernet) encapsulation, GRE protocol type 0x6558, so each copied packet arrives at the tool as a complete Ethernet frame, L2 headers included. Note that GRE itself provides neither confidentiality nor authentication: the copies carry full payloads (for HTTP, that includes cookies and credentials), so the path to the mirror destination should be a trusted or encrypted network, and the receiving host should accept protocol 47 only from the NSG's source address.
Nuage VSD allows several mirror destinations to be configured, up to 16 different tools. In the figure below, I have three different port mirror destinations configured.
Each mirror destination can then be referenced from a policy that filters traffic on L2-L4 information. Instead of mirroring all flows, policy-based mirroring copies only the selected traffic: the mirror is attached to ACL entries, and only traffic that an ACL entry allows can be mirrored, so dropped traffic is never copied. ACL mirroring can be applied in the ingress and/or egress direction. Here is an example of port mirroring HTTP traffic from a VPC network to a Wireshark tool.
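The following Python is added here as an illustration; it is not Nuage code and not the VSD/NSG implementation. It models both halves of the mechanism described above: on the NSG side, an ordered ACL evaluated on L2-L4 fields in which only an allow entry that names a mirror destination produces a copy, and that copy wrapped in GRE with protocol type 0x6558 inside an outer IPv4 header toward the tool; on the tool side, stripping those headers to recover the original frame. The frames, addresses, rule names, the field names of the ACL entries and the optional GRE key are all constructed assumptions, not Nuage configuration syntax.

```python
"""Added example (not Nuage code): NSG-side ACL match + GRE 0x6558 encapsulation, and
tool-side decapsulation. Every packet, address, rule name and key below is constructed."""
import ipaddress
import socket
import struct

GRE_PROTO_TEB, ETHERTYPE_IPV4 = 0x6558, 0x0800   # TEB: a whole Ethernet frame follows the GRE header
IPPROTO_GRE, IPPROTO_TCP, IPPROTO_UDP = 47, 6, 17
NON_FIELD_KEYS = {"name", "action", "mirror"}     # ACL entry keys that are not L2-L4 match fields

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid RFC 1071 checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                                socket.inet_aton(src), socket.inet_aton(dst)))
    total = sum(struct.unpack("!10H", hdr))
    total = (total & 0xFFFF) + (total >> 16)       # two folds are enough for ten 16-bit words
    total = (total & 0xFFFF) + (total >> 16)
    struct.pack_into("!H", hdr, 10, (~total) & 0xFFFF)
    return bytes(hdr)

def build_frame(src_ip, dst_ip, proto, sport, dport, payload: bytes) -> bytes:
    """Constructed workload frame: Ethernet + IPv4 + (20-byte TCP or 8-byte UDP) + payload."""
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    eth = bytes.fromhex("0a0000000002" "0a0000000001") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ipv4_header(src_ip, dst_ip, proto, len(l4)) + l4

def parse_frame(frame: bytes) -> dict:
    """Extract the L2-L4 fields a mirror policy can match on."""
    f = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
         "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if f["ethertype"] != ETHERTYPE_IPV4:
        return f
    ip = frame[14:]
    f.update(proto=ip[9], src_ip=socket.inet_ntoa(ip[12:16]), dst_ip=socket.inet_ntoa(ip[16:20]))
    l4 = ip[(ip[0] & 0x0F) * 4:]
    if f["proto"] in (IPPROTO_TCP, IPPROTO_UDP):
        f["sport"], f["dport"] = struct.unpack("!HH", l4[:4])
        f["payload"] = l4[(l4[12] >> 4) * 4 if f["proto"] == IPPROTO_TCP else 8:]
    return f

def rule_matches(entry: dict, f: dict) -> bool:
    """Every match field in the ACL entry must hold; src_ip/dst_ip constraints are CIDR prefixes."""
    for key, want in entry.items():
        if key in NON_FIELD_KEYS:
            continue
        if key not in f:
            return False
        if key in ("src_ip", "dst_ip") and ipaddress.ip_address(f[key]) not in ipaddress.ip_network(want):
            return False
        if key not in ("src_ip", "dst_ip") and f[key] != want:
            return False
    return True

def select_for_mirroring(frames, acl):
    """NSG side: first matching ACL entry wins; only an allow entry with a mirror destination copies the frame."""
    hits = []
    for i, frame in enumerate(frames):
        fields = parse_frame(frame)
        for entry in acl:
            if rule_matches(entry, fields):
                if entry["action"] == "allow" and entry.get("mirror"):
                    hits.append((i, entry["mirror"]))
                break                                  # dropped or unmirrored traffic is never copied
    return hits

def build_mirror_packet(frame: bytes, nsg_ip: str, tool_ip: str, key=None) -> bytes:
    """NSG side: outer IPv4 (protocol 47) + GRE header, type 0x6558 + the copied frame; key is an assumed K-flag option."""
    gre = struct.pack("!HH", 0x2000 if key is not None else 0, GRE_PROTO_TEB)
    gre += (struct.pack("!I", key) if key is not None else b"") + frame
    return ipv4_header(nsg_ip, tool_ip, IPPROTO_GRE, len(gre)) + gre

def decap_gre(packet: bytes):
    """Tool side: (outer_src, outer_dst, key, inner_frame), or None unless the packet is GRE carrying TEB."""
    if packet[0] >> 4 != 4 or packet[9] != IPPROTO_GRE:
        return None
    gre = packet[(packet[0] & 0x0F) * 4:]
    flags, proto = struct.unpack("!HH", gre[:4])
    if proto != GRE_PROTO_TEB:
        return None
    off = 4 + (4 if flags & 0x8000 else 0)                                      # C flag: checksum + reserved1
    key = struct.unpack("!I", gre[off:off + 4])[0] if flags & 0x2000 else None  # K flag: key
    off += (4 if flags & 0x2000 else 0) + (4 if flags & 0x1000 else 0)          # key, then S flag: sequence
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), key, gre[off:]

MIRROR_ACL = [   # constructed sample policy, evaluated top down
    {"name": "deny-telnet", "action": "drop", "proto": IPPROTO_TCP, "dport": 23},
    {"name": "vpc-http-to-wireshark", "action": "allow", "mirror": "wireshark",
     "ethertype": ETHERTYPE_IPV4, "proto": IPPROTO_TCP, "src_ip": "10.0.0.0/16", "dport": 80},
    {"name": "default-allow", "action": "allow"},
]
SAMPLE_FRAMES = [   # constructed sample traffic as seen at the NSG vPort
    build_frame("10.0.2.15", "10.0.3.20", IPPROTO_TCP, 43211, 80, b"GET / HTTP/1.1\r\nHost: app\r\n\r\n"),
    build_frame("10.0.2.15", "10.0.0.2", IPPROTO_UDP, 51000, 53, b"\x12\x34\x01\x00"),          # DNS: allowed, not mirrored
    build_frame("10.0.2.15", "10.0.3.20", IPPROTO_TCP, 40001, 23, b"\xff\xfb\x01"),               # telnet: dropped
    build_frame("172.16.5.9", "10.0.3.20", IPPROTO_TCP, 50001, 80, b"GET /x HTTP/1.1\r\n\r\n"),  # HTTP, not from 10.0/16
]
```

Running `select_for_mirroring(SAMPLE_FRAMES, MIRROR_ACL)` selects only the first frame (HTTP from the 10.0.0.0/16 VPC range); the DNS frame is allowed but not mirrored, the telnet frame is dropped and therefore never copied, and the HTTP frame from 172.16.5.9 falls through to the default allow. Passing that frame through `build_mirror_packet` and then `decap_gre` returns the original frame byte for byte. On a Linux collector the kernel can do the same decapsulation: `ip link add mirror0 type gretap local 192.168.50.5 remote 10.0.1.10` (with `key 100` added if the NSG sets one), followed by `ip link set mirror0 up`, gives an interface on which tcpdump or Snort sees the plain workload frames; Wireshark also decodes GRE 0x6558 directly when capturing on the outer interface.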
In addition to public cloud monitoring, Nuage policy-based port mirroring can be used in private data centers to monitor and troubleshoot different workloads such as containers, VMs, and bare-metal servers. Nuage policy-based port mirrors are supported on the Nuage VRS (on KVM and ESXi hypervisors), VRS-G, and NSG.