vRNI and Cross Cloud Architecture
As part of the Cross Cloud Architecture VMware announced last year, VMware introduced native Amazon AWS public cloud support in vRealize Network Insight 3.4 Enterprise Edition: “vRealize Network Insight now provides visibility into native AWS constructs such as VPC, VM, Security Group, and Firewall rules. Traffic flows are also analyzed to provide security and micro-segmentation view of cloud workloads (Enterprise edition only).”
Since I just started building an AWS lab using the AWS Free Tier service (please see my previous post on how to get started with the AWS Free Tier), this is a great opportunity to test this new feature and combine two solutions: VMware vRealize Network Insight and Amazon AWS. This blog post explains how to deploy vRNI, how to add Data Sources (including AWS) and which steps are required on the AWS side.
Deploying vRealize Network Insight (vRNI)
vRNI is provided by VMware as a Virtual Appliance (OVA). The vRNI architecture is made up of a Platform appliance and a Proxy appliance. In my lab environment a single Platform appliance and a single Proxy appliance suffice. I have to warn you: vRNI is very hefty on resources. The Platform appliance requires 8 vCPUs and 32GB RAM and the Proxy appliance 4 vCPUs and 10GB RAM. I have not yet examined or tested how vRNI behaves with fewer resources provisioned.
The deployment process is straightforward:
Once the initial Platform OVA deployment is finished, you need to point your browser to the appliance IP address or FQDN to enter and activate the license key and add a Proxy appliance:
You need to generate and copy the Shared Secret key to your clipboard and use it during the deployment of the Proxy appliance:
Once the Proxy appliance has booted, it is discovered by the Platform appliance. You can now log in to the primary console of vRNI. The default username is admin@local and the password is the one set during the deployment.
Adding vCenter Server and NSX Manager as Data Sources
The next step is adding vCenter Server and, because I am running NSX-v in my lab environment, NSX Manager as data sources:
Adding Amazon AWS as Data Source
In order to successfully add AWS as a Data Source, some prerequisite steps need to be taken in AWS. The first step is to create a Flow Log for the VPC:
I have to admit, I have not yet explored the concept of AWS Flow Logs in-depth, but basically it is just a feature that captures IP traffic and flows. For more background information please refer to the AWS documentation. These Flow Logs are published to a log group in CloudWatch Logs, which is where vRNI reads them from. The final step is to attach the ‘CloudWatchLogsReadOnlyAccess’ managed policy to the AWS IAM user you are going to use with vRNI. Use a dedicated IAM user with only this read-only policy for vRNI rather than the keys of a user with broader rights or the account root user:
You can now add AWS as a Data Source using that user’s Access Key ID and Secret Access Key (treat the secret like a password; it is shown only once at creation). If you successfully created the Flow Log and attached the required policy, you will be able to check the ‘Enable Flow data collection (Highly Recommended)’ checkbox:
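The console steps above, done with the AWS CLI instead. This is an added example and not part of the original post; the VPC ID, the log group name vrni-flow-logs, the role name vrni-flow-logs-role and the IAM user name vrni-reader are assumptions for illustration. Creating a Flow Log that delivers to CloudWatch Logs requires an IAM role the Flow Logs service can assume, which the console creates for you and which this script creates explicitly. The post lists only CloudWatchLogsReadOnlyAccess; check the vRNI documentation for any additional EC2 read permissions the inventory collection needs in your version.

```shell
#!/bin/sh
# Added example (not from the original post): provisions the AWS prerequisites
# for a vRNI AWS data source. Names below are assumptions for illustration.
set -eu

LOG_GROUP="vrni-flow-logs"
ROLE_NAME="vrni-flow-logs-role"
READER_USER="vrni-reader"
READONLY_POLICY_ARN="arn:aws:iam::aws:policy/CloudWatchLogsReadOnlyAccess"

# Trust policy: only the VPC Flow Logs service may assume the delivery role.
flow_log_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "vpc-flow-logs.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Permissions the delivery role needs; writes are scoped to the one log group
# (its ARN is passed as $1), only the Describe* calls get "*".
flow_log_role_policy() {
  lg_arn="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "${lg_arn}"},
    {"Effect": "Allow",
     "Action": ["logs:DescribeLogGroups", "logs:DescribeLogStreams"],
     "Resource": "*"}
  ]
}
EOF
}

setup_vrni_aws() {
  vpc_id="$1"

  aws logs create-log-group --log-group-name "$LOG_GROUP"
  log_group_arn=$(aws logs describe-log-groups --log-group-name-prefix "$LOG_GROUP" \
      --query 'logGroups[0].arn' --output text)

  role_arn=$(aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(flow_log_trust_policy)" \
      --query 'Role.Arn' --output text)
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name "$ROLE_NAME" \
      --policy-document "$(flow_log_role_policy "$log_group_arn")"
  # IAM is eventually consistent; a brand-new role is often not assumable yet.
  sleep 10

  # Flow Log for the whole VPC, accepted and rejected traffic, into CloudWatch Logs.
  aws ec2 create-flow-logs --resource-type VPC --resource-ids "$vpc_id" \
      --traffic-type ALL --log-group-name "$LOG_GROUP" \
      --deliver-logs-permission-arn "$role_arn"

  # Dedicated read-only user for vRNI instead of reusing a privileged user's keys.
  aws iam create-user --user-name "$READER_USER"
  aws iam attach-user-policy --user-name "$READER_USER" --policy-arn "$READONLY_POLICY_ARN"
  # Prints the AccessKeyId and SecretAccessKey once; paste them into the vRNI data source form.
  aws iam create-access-key --user-name "$READER_USER"
}

# Usage: VPC_ID=vpc-0123456789abcdef0 sh setup-vrni-aws.sh
if [ -n "${VPC_ID:-}" ]; then
  setup_vrni_aws "$VPC_ID"
fi
```

Run it with the AWS CLI configured for an administrative user; the keys it prints at the end belong to the read-only vrni-reader user and are the only credentials vRNI should ever hold.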
Analyzing cross-cloud traffic flows with vRNI
That’s it! You are now able to see and analyze traffic flows within and across your AWS VPC using AWS native constructs such as Security Groups. I have created two basic Apache web servers behind a Classic Load Balancer, within a Security Group called Web:
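To show what vRNI is working with when it groups flows by Security Group, here is an added example (not from the original post) that summarises raw VPC Flow Log records straight from the log group. The five records are constructed for this example; they use the default v2 field order (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) and the addresses and ENI ID are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): summarise VPC Flow Log records
# the way a micro-segmentation view does. Sample records are constructed.
set -eu

# Constructed records: a web server 10.0.1.20 that accepts HTTP and rejects SSH,
# plus one NODATA record of the kind CloudWatch carries for idle intervals.
sample_flow_records() {
  cat <<'EOF'
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.20 51234 80 6 10 4200 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.20 51235 22 6 3 180 1500000000 1500000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.20 203.0.113.10 80 51234 6 8 12000 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 40001 80 6 5 1000 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1500000000 1500000060 - NODATA
EOF
}

# One line per (dstaddr:dstport/protocol, action): flow count and total bytes.
# Records whose log-status is not OK carry no flow fields and are skipped.
summarize_flows() {
  awk 'NF == 14 && $14 == "OK" {
         key = $5 ":" $7 "/" $8 " " $13
         flows[key]++
         bytes[key] += $10
       }
       END { for (k in flows) printf "%s %d %d\n", k, flows[k], bytes[k] }' | sort
}

# Only the flows a Security Group or network ACL dropped, as "src -> dst:port/proto".
# This is the list to look at when deciding whether a rule is too tight or an
# external host is probing the instance.
rejected_flows() {
  awk 'NF == 14 && $14 == "OK" && $13 == "REJECT" {
         print $4 " -> " $5 ":" $7 "/" $8
       }' | sort -u
}

sample_flow_records | summarize_flows
echo "rejected:"
sample_flow_records | rejected_flows
```

Against a real log group, replace sample_flow_records with something like `aws logs filter-log-events --log-group-name vrni-flow-logs --query 'events[].message' --output text`, one record per line; the two awk filters work unchanged because they key on the field positions of the default record format.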