SteelCentral AppResponse Cloud Deployment and Configuration Guide For AWS
This document describes the deployment and configuration of a SteelCentral AppResponse Cloud instance in Amazon Web Services (AWS). AppResponse Cloud furnishes the functionality of SteelCentral AppResponse 11 as a cloud-based virtual appliance. AppResponse Cloud Version 11.12.0 provides support for the SPA and ASA feature modules. The DBA, UCA, and WTA feature modules are not supported in Version 11.12.0.
Introduction
Deploying AppResponse Cloud involves two processes:
1. Installing and configuring AppResponse Cloud in your AWS VPC.
2. Installing and configuring one of the supported mechanisms to deliver packets from your VPC to your AppResponse Cloud virtual appliance.
This document describes the steps in process 1. Some guidance about process 2 follows in the next section.
Connecting to Packet Sources
AppResponse Cloud supports several methods of packet delivery.
- Send packets to AppResponse Cloud via an L2GRE tunnel. AppResponse Cloud supports this with the following:
  - GigaMon GigaSECURE Cloud. If you are using GigaMon’s Visibility Platform for AWS, please follow the setup instructions in the https://s3.amazonaws.com/configuration-guide/5.2/AWS-ConfigurationGuide_v5200.pdf document.
  - Ixia (now Keysight) CloudLens. Please follow the instructions in the https://www.ixiacom.com/resources/cloudlens-riverbed-aws-deployment-guide document.
- Send packets to AppResponse Cloud via an ERSPAN Type II session. This is supported for Cisco CSR 1000v. If you are using ER-SPAN v2.0 from a Cisco Cloud Services Router, please follow the instructions in the https://supportforums.cisco.com/t5/network-infrastructure-documents/understanding-span-rspan-and-erspan/ta-p/3144951 document.
To enable traffic mirroring in AWS, you must add a Security Group entry that allows incoming UDP packets to use port 4789. Refer to the description of Security Groups in the Amazon Virtual Private Cloud User Guide for details.
All the supported remote packet sources will send copies of packets to AppResponse Cloud's management IP address; the management port is the one that terminates the ERSPAN/L2GRE tunnels that forward packets to the appliance. Packets from ERSPAN/L2GRE that are sent to AppResponse Cloud will always be treated as part of a single logical VIFG.
Verifying Packet Traffic
Once you have your AppResponse Cloud instance up and running with the right license keys, and you have configured one or more remote packet sources to send packets to it, you should verify that AppResponse Cloud is receiving packets successfully from those remote packet sources.
If you are using only the Shark Packet Analysis (SPA) feature module license, you can do this by configuring one or more capture jobs to store the packets that AppResponse Cloud is seeing (refer to the AppResponse 11 User’s Guide), and using Packet Analyzer Plus to verify the capture jobs are working as expected. A good way to do this is to apply the Bandwidth Over Time view in Packet Analyzer Plus to monitor the flow of packets in each capture job.
If your deployment includes the optional Application Stream Analysis (ASA) feature module, you can launch the Summary: All Traffic Insight in the AppResponse Cloud web UI to see the overall volume and type of traffic that the appliance is seeing.
After you have verified successful packet reception and processing:
- You can initiate live and retrospective packet analysis workflows using Packet Analyzer Plus, as described in the Packet Analyzer Plus User’s Guide.
- You can configure AppResponse Cloud to send SteelFlow Net (enhanced NetFlow) to NetProfiler as described in the AppResponse 11 User’s Guide, in the section, “Configuring Flow Export.” Note: This version of AppResponse Cloud is compatible only with NetProfiler version 10.14 or later releases.
- You can configure the optional ASA feature module to track and monitor the performance of key applications, servers, and IP addresses in your AWS environment by defining your own General Applications, URL Applications, and Host Groups as described in the AppResponse 11 User’s Guide.
Installing and Configuring AppResponse Cloud in an AWS VPC
Type t2.2xlarge is the only supported instance type. Make certain to verify that type t2.2xlarge is available in the region in which you intend to deploy.
Obtain the AMI
AppResponse Cloud instances are deployed from an Amazon Machine Image (AMI). Before you can access the product AMI, it must be shared with your AWS account. Send your AWS account ID and AWS region to the Email alias sc-arcloud-setup@riverbed.com. You will receive a confirmation once the AMI is shared with your account.
Note that, if you are using an AWS GovCloud account, “us-gov-west-1” is the only region supported. Refer to the description of Regions and Availability Zones in the Amazon Elastic Compute Cloud User Guide For Linux Instances for additional details.
Launch an Instance From the AMI
Once the AMI is available in your account, you can deploy an AppResponse Cloud instance from the AMI. From the AWS Console, select the EC2 service. Then, from the menu at the left, select AMIs under the Images menu group. The AMI that Riverbed made available for you should appear in the list. Select the checkbox in front of the AMI image; this will display some information about the AMI. Click the blue Launch button to deploy the AMI.
Specify the Instance Type
From the list, select Type: “t2.2xlarge” (8 vCPUs, 32GiB RAM) and click Next.
Type t2.2xlarge is the only supported instance type. Make certain to verify that type t2.2xlarge is available in the region in which you intend to deploy.
Specify the Instance Details
There are no changes that need to be made specific to AppResponse Cloud on this page. You should configure settings according to your infrastructure setup. For example, the subnet that you assign should be one on which the appliance will be able to communicate with the system(s) sending traffic. Click Next.
Add Storage
The main volume that is displayed (/dev/xvda) is for the OS and for metrics collection. You can choose to configure a second drive as packet storage, depending on your needs. To add packet storage from this page, click Add New Volume. This will add a row to the table of attached volumes. The second drive should be between 16GB and 8TB in size. Select “/dev/sdb” as the device. Click Next.
Avoid using Magnetic storage for /dev/sdb.
Specify Tags
There are no AppResponse Cloud-specific tags required. In general, adding tags is a good practice, and, at a minimum, you should add a name tag. Click Next.
Configure the Security Group
AppResponse Cloud in AWS receives traffic over generic routing encapsulation (GRE). To support this, a security profile that allows incoming GRE traffic needs to be applied to the instance. You can select an existing security group or create a new one. For UI connectivity via HTTPS, and management over SSH, the corresponding ports need to be allowed as well.
The example below shows the creation of a new security profile named "ar11-sg," which allows SSH, HTTPS, and GRE traffic.
Select Create a new security group and configure a name and description. Click the button Add Rule and add an entry for HTTPS. Repeat for GRE. Click Review and Launch.
To enable traffic mirroring in AWS, you must add an entry that allows incoming UDP packets to use port 4789.
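The following Python is an added example, not part of the Riverbed guide. It audits a security group's ingress entries (in the IpPermissions shape returned by the EC2 DescribeSecurityGroups API) for the SSH, HTTPS, GRE and UDP 4789 rules this section calls for, and flags any of them that accept traffic from every address, which matters here because the appliance does not support SSH key pairs and its default web UI password is the instance ID. The sample rule set and CIDR ranges are constructed.

```python
# Added example: audit security group ingress rules for an AppResponse Cloud
# instance. Rules use the IpPermissions shape of EC2 DescribeSecurityGroups.

REQUIRED = {                       # service -> (IpProtocol, port)
    "SSH": ("tcp", 22),
    "HTTPS": ("tcp", 443),
    "GRE": ("47", None),           # GRE is IP protocol 47; it has no ports
    "Traffic mirroring": ("udp", 4789),
}
ANYWHERE = {"0.0.0.0/0", "::/0"}

def covers(rule, proto, port):
    """True if one IpPermissions entry admits the given protocol and port."""
    if rule["IpProtocol"] == "-1":  # "-1" means every protocol and port
        return True
    if rule["IpProtocol"] != proto:
        return False
    return port is None or rule["FromPort"] <= port <= rule["ToPort"]

def sources(rule):
    """All IPv4 and IPv6 source CIDRs named by one entry."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return v4 + v6

def audit(ip_permissions):
    """Return (missing, world_open): required services with no matching rule,
    and required services reachable from any address."""
    missing, world_open = [], []
    for name, (proto, port) in REQUIRED.items():
        hits = [r for r in ip_permissions if covers(r, proto, port)]
        if not hits:
            missing.append(name)
        elif any(src in ANYWHERE for r in hits for src in sources(r)):
            world_open.append(name)
    return missing, world_open

# Constructed sample: SSH open to the world, no UDP 4789 entry.
SAMPLE = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "47", "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

With boto3, the input for audit() is the "IpPermissions" list of the group returned by describe_security_groups().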
Review the Instance
Review the instance settings and verify that they are what you expect. Warnings about access might be displayed, depending on your security profile configuration. Click Launch.
Configure Key Pairs
A window will appear for configuring SSH key pairs. AppResponse Cloud does not support key pairs for authentication of SSH sessions. Select Proceed without a key pair, click the acknowledgment checkbox, and click Launch Instances.
Log Into the AppResponse Cloud Appliance
The newly launched instance will appear in your list of instances. From this page, you will need the IP (public or private depending on your infrastructure/network configuration) as well as the instance ID.
In a browser, navigate to the IP using HTTPS. The default credentials are username "admin", and the password is the instance ID (in this example "i-07baaaec476a5aa4d"). You will see the home page of the AppResponse Cloud appliance.
Add a Storage Volume Post-Deployment (Optional)
If an additional volume needs to be added later (after deploying the instance), from the EC2 Management Console, select Volumes (it is under menu group Elastic Block Store). Then, click the blue button, Create Volume.
The second drive should be between 16GB and 8TB. Make sure the availability zone matches the zone in which the instance of AppResponse Cloud is already running.
The newly created volume should appear in your list of volumes. Select the volume from the list, click the Action button, and select Attach volume.
Fill in the AppResponse Cloud instance ID to attach the volume. Set the device name to be "/dev/xvdb".
Restart AppResponse Cloud for the settings to take effect.
AWS systems work just like VMs and SCAN-06170/08170s in this regard. They do not automatically format and initialize the added capture storage for use. After you attach the new disk, you must SSH into the admin CLI and issue these commands to set up the new disk for use with capture:

> storage data_section primary_capture_data reinitialize
> storage data_area packet_capture section primary_capture_data
Licensing the AppResponse Cloud Appliance
AppResponse Cloud requires a license to collect and analyze network traffic. When you purchase AppResponse Cloud or an upgrade, Riverbed sends an Email to your Support account username containing the Product Key. The Product Key is used to install the license and the Feature Keys that:
- Allow the AppResponse Cloud appliance to operate.
- Enable the licensed capabilities and capacities.
Important: An AppResponse Cloud license is installed using a Product Key. The license is for that Product Key and can only be used with that Product Key. A Product Key can be activated and deactivated through the AppResponse web interface. During deactivation, a deactivation code is created that can be used by the License provider to produce a new Product Key to license another AppResponse Cloud instance.
A product key can be used on the Licenses page of the Riverbed Support site (https://licensing.riverbed.com) to view and manage your licenses. For more information on licenses, see Licensing in the AppResponse 11 User’s Guide or the AppResponse 11 web UI Help.
Licensing AppResponse Cloud With An Internet Connection
The header line at the top of each AppResponse Cloud web UI page shows the AppResponse model and license. If no license is installed, “UNLICENSED” is displayed after the model.
1. In the AppResponse Cloud web UI, go to Administration > Other: Licensing.
2. Enter the Product Key.
3. Enter the Email address of the user activating the license.
4. Click Activate Product. No further action is required. AppResponse Cloud automatically opens a connection over the Internet to the Riverbed Licensing site. A valid license is activated and the Feature Keys are installed automatically.
Deactivating An Active AppResponse Cloud License
An AppResponse Cloud license can be deactivated and used again. When deactivating a license:
- Only a license with an Active License Status on the License Information page can be deactivated.
- Copy the Deactivation Code that is displayed during the process on the web UI page. This code is used to deactivate the license and allow reactivation.
- You must delete the existing license after successfully deactivating the license.
1. In the AppResponse Cloud web UI, go to Administration > Other: Licensing.
2. On the License Information page, confirm that the License Status is Active.
3. In the toolbar over the Feature keys table, click Deactivate.
4. The Deactivate License window opens and asks for deactivation confirmation. Click OK.
5. The Deactivate Product screen appears (the License Information page with a Delete License button may appear first; ignore it for the moment). The Deactivate Product screen displays a deactivation code, used on the Riverbed Licensing site to deactivate the license and allow reactivation.
6. Click Copy to Clipboard to save the deactivation key.
7. Click OK.
8. Inform the license provider that the Product Key was deactivated. When completed, the Product Key is again available for installing AppResponse Cloud. The license deactivation occurs automatically.
9. Click Delete License.
Licensing AppResponse Cloud With No Internet Connection
1. In the AppResponse Cloud web UI, go to Administration > Other: Licensing.
2. Enter the Product Key.
3. Enter the Email address of the user activating the license.
4. Click Activate Product. The Activate Product window opens.
5. Click Copy to Clipboard. The Activation Code is used to access the Feature Keys on the Riverbed Licensing site.
6. On a computer with an Internet connection, go to the Licenses page of the Riverbed Licensing web site (https://licensing.riverbed.com) and paste the Activation Code in the Enter Unique Product Identifier box.
7. Click Next. The Product Key is activated and the Product Key Details are displayed. The License Status is assigned and the Available Feature Set table shows each license Feature Key.
8. Return to the Activate Product screen in the web UI and copy the Feature Keys, one per line, into the Features Keys text box.
9. The first key must be the CLMF-FRAMEWORK feature key.
10. Click Install Feature Keys to finish the installation.