Brute Force vRealize Network Insight Cloud (vRNI)
- Part 1: Install an AWS Data Source
Why?
Well, two reasons actually. One, I have always thought vRNI was really cool and valuable and two, I signed up to teach once of the VMware Customer Connect webinars on vRNI Cloud. I know enough about vRNI to completely embarrass myself in front of complete strangers so it was time to dig in.
What?
According to the VMware vRNI Cloud User's Guide: "vRealize Network Insight Cloud delivers intelligent operations for software-defined networking and security."
Micro-segmentation is definitely vRNIs advertised use, but I think vRNI is also really helpful for the kind of Application Dependency Mapping required for data center/cloud migration and D/R planning. It is important to know what hosts/VMs are talking to what hosts/VMs before moving any of them.
How?
In my case, I thought a good demo for the Customer Connect webinar is to connect vRNI Cloud to AWS Cloud. Once I got that working, I would connect vRNI Cloud to my Home Lab
Sign Up for a vRNI Cloud Trial
VMware is nice enough to offer a 30 day trial of vRNI Cloud. Just go to cloud.vmware.com, hover your mouse over Networking and choose vRealize Network Insight.
Scroll to the bottom of the next page and choose REQUEST FREE TRIAL
Fill out all the pages of the form and then select Submit
Within a few minutes you should receive an approval email that vRNI Cloud is ready for you.
The next time you log in to the Cloud Services Console at cloud.vmware.com, you should vRNI Cloud has been provisioned for you and you can choose LAUNCH SERVICE to get started.
Connect vRNI to AWS
This was really hard for me. Not the connecting to AWS, but the getting network flow data into vRNI. First, select Accounts and Data Sources from the Settings menu.
From the next screen, select ADD SOURCE
Then choose Amazon Web Services
Enter an AWS Access Key and Secret Key pair with authorization to the AWS VPC(es) you want to instrument and choose VALIDATE.
Check the box next to "Enable Flow data collection". This is very important as vRNI cannot work without flow data. We will set upthe CloudWatch flow data next.
Give this AWS Data Source a name and optional notes and choose SUBMIT
After a few minutes (well, once your blessed CloudWatch logs are setup), your data source will collect some data to be analyzed
Tangent - Collecting AWS Flow Data is Confusing and Missing from the vRNI Manual
The vRNI Cloud manual basically says "Check the Enable flow data collection box". Getting flows from AWS is much more complicated than that. In a nutshell, you need to create an AWS policy, role, trust, log group and CloudWatch flow log, but in native format not S3 format. I finally found a great blog post that filled in the gaps in the VMware vRNI manual. After many failed attempts at flow logs, these steps ended up working for me:
Create IAM Policy that can publish flow data to CloudWatch logs
IAM > Policies > Create policy > JSON. Paste below data (from blog above):
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
Skip the Tags step
On the final screen, give your policy a name, and select Create policy
Create a Role for your new policy
Identity and Access Management (IAM) > Roles > Create role
Select AWS service and EC2, then select Next
On the Add permissions screen, check the box for the policy you just created and select Next
Give the role a name and select Create role.
Edit trust relationship for your new role
IAM > Roles > select the role just created
Select the Trust relationships tab and then Edit trust policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "vpc-flow-logs.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Create a CloudWatch Log Group
CloudWatch > Create Log Group
Name your log group and select Create
Enable AWS VPC Flow Logs
Services > VPC > Your VPCs > YourVPCName > Flow logs > Create flow log
Name your Flow Log, capture All traffic, choose your capture granularity. Only choose "Send to CloudWatch logs". Send to S3 will collect the flows but vRNI will not read them.
Choose the Log Group and IAM Role you just created as well as "AWS default format" and select Create flow log.
Woof! That was a lot. The good news is that VRNI should now be capturing AWS flows.
Take a look at some AWS EC2 flows in vRNI
I spun up a few free-tier EC2 Linux instances. One instance has a web server and the other instance downloads the entire web site once every minute.
vRNI > Environments > Amazon AWS
If I select my VM, aws-vrni-001, I can see that vRNI has already started to recommend some micro-segmentation firewall rules and has identified flows between aws-vrni-001 and other machines.
If I sort by Total Traffic Descending, I can see my "Top Talkers".
Oh, imagine that! The top talker is aws-vrni-002! Much better than foreign hackers which is always a possibility with Internet-facing EC2 instances. 🙂
Thank you
OK. That was a lot and there is a lot more, but this is a good place to stop for now. I will write additional posts on connecting vRNI to vCenter as well as analyzing application dependency with vRNI. As always, thank you for taking the time to read this post. I hope you found this helpful. I welcome your feedback.
Comments