Brute Force vRealize Network Insight Cloud (vRNI) - Part 1: Install an AWS Data Source




Why?


Well, two reasons actually. One, I have always thought vRNI was really cool and valuable, and two, I signed up to teach one of the VMware Customer Connect webinars on vRNI Cloud. I know enough about vRNI to completely embarrass myself in front of complete strangers, so it was time to dig in.

What?




According to the VMware vRNI Cloud User's Guide: "vRealize Network Insight Cloud delivers intelligent operations for software-defined networking and security." 

Micro-segmentation is definitely vRNI's advertised use, but I think vRNI is also really helpful for the kind of Application Dependency Mapping required for data center/cloud migration and D/R planning. It is important to know which hosts/VMs are talking to which hosts/VMs before moving any of them.

How?

In my case, I thought a good demo for the Customer Connect webinar would be to connect vRNI Cloud to AWS Cloud. Once I got that working, I would connect vRNI Cloud to my Home Lab.

Sign Up for a vRNI Cloud Trial

VMware is nice enough to offer a 30-day trial of vRNI Cloud. Just go to cloud.vmware.com, hover your mouse over Networking and choose vRealize Network Insight.


Scroll to the bottom of the next page and choose REQUEST FREE TRIAL.


Fill out all the pages of the form and then select Submit.


Within a few minutes you should receive an approval email that vRNI Cloud is ready for you. 


The next time you log in to the Cloud Services Console at cloud.vmware.com, you should see that vRNI Cloud has been provisioned for you, and you can choose LAUNCH SERVICE to get started.







Connect vRNI to AWS

This was really hard for me. Not the connecting to AWS, but getting network flow data into vRNI. First, select Accounts and Data Sources from the Settings menu.



From the next screen, select ADD SOURCE.



Then choose Amazon Web Services.




Enter an AWS Access Key and Secret Key pair with authorization to the AWS VPC(s) you want to instrument and choose VALIDATE.



Check the box next to "Enable Flow data collection". This is very important, as vRNI cannot work without flow data. We will set up the CloudWatch flow data next.


Give this AWS Data Source a name and optional notes and choose SUBMIT.


After a few minutes (well, once your blessed CloudWatch logs are set up), your data source will collect some data to be analyzed.



Tangent - Collecting AWS Flow Data is Confusing and Missing from the vRNI Manual

The vRNI Cloud manual basically says "Check the Enable flow data collection box". Getting flows from AWS is much more complicated than that. In a nutshell, you need to create an AWS IAM policy, role and trust relationship, a CloudWatch log group, and a VPC flow log that publishes to CloudWatch Logs in the AWS default format, not to S3. I finally found a great blog post that filled in the gaps in the VMware vRNI manual. After many failed attempts at flow logs, these steps ended up working for me:

Create IAM Policy that can publish flow data to CloudWatch logs

IAM > Policies > Create policy > JSON. Paste the JSON below (from the blog post above):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}


Skip the Tags step.
On the final screen, give your policy a name and select Create policy.




Create a Role for your new policy

Identity and Access Management (IAM) > Roles > Create role
Select AWS service and EC2, then select Next.


On the Add permissions screen, check the box for the policy you just created and select Next.



Give the role a name and select Create role. 


After creation, copy the Role ARN and save it somewhere.



Edit trust relationship for your new role

IAM > Roles > select the role just created
Select the Trust relationships tab and then Edit trust policy.



Paste this JSON from the blog post above and then select Update policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
         "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}




Create a CloudWatch Log Group


CloudWatch > Create Log Group



Name your log group and select Create.



Enable AWS VPC Flow Logs

Services > VPC > Your VPCs > YourVPCName > Flow logs > Create flow log

Name your Flow Log, capture All traffic, and choose your capture granularity. Choose only "Send to CloudWatch Logs". Send to S3 will collect the flows, but vRNI will not read them.


Choose the Log Group and IAM Role you just created as well as "AWS default format" and select Create flow log.



If everything went well, you will receive an Active status for your new Flow Log.



Woof! That was a lot. The good news is that vRNI should now be capturing AWS flows.
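The two JSON documents above grant the logs actions on every resource and let the flow-logs service assume the role from any account. As an added example (not from this post or the blog it cites), the helpers below build the same documents scoped to one log group and one account, plus a quick check for actions still granted on "*"; the region, account id and log group name used in the test are made-up values, and logs:DescribeLogGroups keeps "*" because that action does not support resource-level permissions.

```python
def publish_policy(region, account_id, log_group):
    """The post's five logs:* actions, limited to one log group and its streams.
    logs:DescribeLogGroups has no resource-level permissions, so it alone keeps "*"."""
    arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                        "logs:PutLogEvents", "logs:DescribeLogStreams"],
             "Resource": [arn, f"{arn}:*"]},  # the group and every stream in it
            {"Effect": "Allow", "Action": "logs:DescribeLogGroups", "Resource": "*"},
        ],
    }

def trust_policy(region, account_id):
    """The post's trust policy plus aws:SourceAccount / aws:SourceArn conditions, so
    only flow logs created in this account and region can assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "vpc-flow-logs.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": f"arn:aws:ec2:{region}:{account_id}:vpc-flow-log/*"},
            },
        }],
    }

def wildcard_actions(policy):
    """Actions a policy grants on Resource "*": a review check before pasting it in."""
    found = []
    for st in policy["Statement"]:
        res = st.get("Resource")
        if res == "*" or (isinstance(res, list) and "*" in res):
            act = st["Action"]
            found.extend(act if isinstance(act, list) else [act])
    return found
```

Run wildcard_actions over the post's policy and it reports all five actions; over publish_policy's output it reports only logs:DescribeLogGroups.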

Take a look at some AWS EC2 flows in vRNI

I spun up a few free-tier EC2 Linux instances. One instance has a web server and the other instance downloads the entire web site once every minute.




vRNI > Environments > Amazon AWS



If I select my VM, aws-vrni-001, I can see that vRNI has already started to recommend some micro-segmentation firewall rules and has identified flows between aws-vrni-001 and other machines.



Let's drill into the flows to see the traffic between aws-vrni-001 and aws-vrni-002. If I select the ">" next to "486 Flows", I can see all the flows to and from aws-vrni-001. 

If I sort by Total Traffic Descending, I can see my "Top Talkers".



Oh, imagine that! The top talker is aws-vrni-002! Much better than foreign hackers, which are always a possibility with Internet-facing EC2 instances. 🙂
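vRNI does this aggregation for you, but the "Top Talkers" view is easy to reproduce from the raw CloudWatch records, which is a handy way to confirm the flow log is really carrying data before blaming vRNI. Added example, not code from this post: a parser for the AWS default format (version 2, 14 space-separated fields) run over constructed sample records; it drops NODATA/SKIPDATA rows, which have no addresses or byte counts, and sums bytes per endpoint pair in both directions.

```python
from collections import Counter

# Constructed sample records in the AWS default format (version 2, 14 fields).
# Account id, interface ids and addresses are made up for this example.
SAMPLE_FLOWS = """\
2 123456789012 eni-0aaa111 10.0.1.10 10.0.1.20 52814 80 6 120 98000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbb222 10.0.1.20 10.0.1.10 80 52814 6 160 1450000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa111 203.0.113.7 10.0.1.10 44321 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0aaa111 10.0.1.10 10.0.1.20 52815 80 6 110 90000 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0bbb222 - - - - - - - 1700000060 1700000120 - NODATA
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

def parse_default_format(text):
    """Yield one dict per usable record. NODATA/SKIPDATA rows have "-" in the flow
    fields and carry no traffic, so they are dropped rather than parsed as zeros."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # not a version-2 default-format record (custom format, header)
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        yield rec

def top_talkers(text, n=3):
    """Total bytes per endpoint pair, both directions summed (vRNI's Total Traffic)."""
    totals = Counter()
    for rec in parse_default_format(text):
        if rec["action"] != "ACCEPT":
            continue  # rejected flows moved no payload
        pair = tuple(sorted((rec["srcaddr"], rec["dstaddr"])))
        totals[pair] += rec["bytes"]
    return totals.most_common(n)

def rejected_sources(text):
    """REJECT records per source address: the peers a security group or network ACL
    turned away, worth a look before accepting the recommended firewall rules."""
    return Counter(rec["srcaddr"] for rec in parse_default_format(text)
                   if rec["action"] == "REJECT")
```

On the sample above, top_talkers(SAMPLE_FLOWS) ranks the 10.0.1.10/10.0.1.20 pair first with the three ACCEPT records summed, and rejected_sources(SAMPLE_FLOWS) lists the single outside address that hit port 22.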



Thank you

OK. That was a lot and there is a lot more, but this is a good place to stop for now. I will write additional posts on connecting vRNI to vCenter as well as analyzing application dependency with vRNI. As always, thank you for taking the time to read this post. I hope you found this helpful. I welcome your feedback.
