
GigaVUE Cloud Suite Azure


Product Information

Specifications

  • Product Name: GigaVUE Cloud Suite
  • Product Version: 6.3
  • Document Version: 1.0
  • Last Updated: Friday, February 9, 2024

Overview

GigaVUE Cloud Suite is a comprehensive solution designed for Azure environments to monitor and manage network traffic efficiently.

Components

The GigaVUE Cloud Suite for Azure comprises various components such as G-vTAP Agents, GigaVUE-FM, and Fabric Components.

Architecture

The architecture of GigaVUE Cloud Suite for Azure includes hybrid cloud capabilities, virtual dashboard widgets, and monitoring domains for efficient traffic monitoring.

License Information

The product offers Volume Based Licenses (VBL), Base Bundles, and Add-on Packages. License management includes tracking usage, applying licenses, and managing trial licenses.

Deployment

Deploying GigaVUE Cloud Suite involves obtaining the GigaVUE-FM image, installing or upgrading GigaVUE-FM, creating Azure credentials, preparing G-vTAP Agents, and configuring the fabric components.

Users and Roles

The product allows configuring custom roles, user groups, and role-based access for third-party orchestration. Users can be added, roles created, and user accounts managed efficiently.

Prerequisites

Ensure VPN connectivity, obtain necessary images, permissions, and privileges before starting the deployment process.

Monitoring Domain

Create and manage monitoring domains to organize and monitor network traffic effectively using GigaVUE Cloud Suite.

Configuration

Configure GigaVUE Fabric Components in both GigaVUE-FM and Azure environments for seamless integration and operation.

User Management

Add users, create roles, and manage user accounts to ensure proper access control and user permissions within the GigaVUE Cloud Suite environment.

Product Usage Instructions

Before You Begin

Prerequisites:

  • Ensure VPN connectivity is established.
  • Obtain the GigaVUE-FM image required for deployment.
  • Install and upgrade GigaVUE-FM on the designated platform.
  • Set up necessary permissions and privileges for deployment.

Deploy GigaVUE Cloud Suite for Azure:

  1. Choose deployment options for GigaVUE Cloud Suite based on requirements.
  2. Create Azure credentials for authentication purposes.
  3. Prepare G-vTAP Agents for monitoring traffic by installing them on Linux or Windows systems.
  4. Create images with the agent installed for monitoring purposes.
  5. Configure monitoring domains to organize and manage network traffic efficiently.
  6. Manage connections, monitoring domains, and fabric components for optimal performance.
  7. Configure GigaVUE Fabric Components in both GigaVUE-FM and Azure environments.

GigaVUE Cloud Suite for Azure - GigaVUE V Series 2 Guide
GigaVUE Cloud Suite
Product Version: 6.3
Document Version: 1.0
Last Updated: Friday, February 9, 2024
(See Change Notes for document updates.)

Copyright 2024 Gigamon Inc. All rights reserved.
Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. No part of this publication may be reproduced, transcribed, translated into any language, stored in a retrieval system, or transmitted in any form or any means without the written permission of Gigamon Inc.
Trademark Attributions
Gigamon and the Gigamon logo are trademarks of Gigamon in the United States and/or other countries. Gigamon trademarks can be found at www.gigamon.com/legaltrademarks. All other trademarks are the trademarks of their respective owners.
Gigamon Inc., 3300 Olcott Street, Santa Clara, CA 95054, 408.831.4000

Change Notes

When a document is updated, the document version number on the cover page will indicate a new version and will provide a link to this Change Notes table, which will describe the updates.

 

Contents

  • Create a New Map
  • Example - Create a New Map using Inclusion and Exclusion Maps
  • Add Applications to Monitoring Session
  • Deploy Monitoring Session
  • View Monitoring Session Statistics
  • Visualize the Network Topology
  • Configure Application Intelligence Solutions on GigaVUE V Series Nodes for Azure
  • Configure Environment
  • Create Environment
  • Create Credentials
  • Create Azure Credentials
  • Connect to Azure
  • Create Connection
  • Create Source Selectors
  • Create Tunnel Specifications
  • User Defined Application
  • Create Rules under User Defined Application
  • Supported Protocols and Attributes
  • Mindata
  • Supported RegExp Syntax
  • Limitations
  • Configure Application Intelligence Session
  • Prerequisites
  • Create an Application Intelligence Session in Virtual Environment
  • Slicing and Masking in Application Filtering Intelligence
  • Configuring Application Filtering Intelligence with Slicing
  • Configuring Application Filtering Intelligence with Masking
  • Configuring Application Filtering Intelligence with Slicing and Masking
  • Application Metadata Intelligence
  • Create Application Metadata Intelligence Session for Virtual Environment
  • NetFlow Session on Virtual Environment
  • Configure NetFlow Session on Virtual Environment
  • NetFlow Dashboard
  • Monitor Cloud Health
  • Configuration Health Monitoring
  • Traffic Health Monitoring
  • Create Threshold Template
  • Apply Threshold Template
  • Edit Threshold Template
  • Clear Thresholds
  • Supported Resources and Metrics
  • View Health Status
  • View Health Status of the Entire Monitoring Session
  • View Health Status of an Application
  • View Health Status for Individual V Series Nodes
  • View Application Health Status for Individual V Series Nodes
  • View Health Status on the Monitoring Session Page
  • Health
  • V Series Node Health
  • Target Source Health
  • Fabric Health Analytics for Virtual Resources
  • Virtual Inventory Statistics and Cloud Applications Dashboard
  • Administer GigaVUE Cloud Suite for Azure
  • Set Up Email Notifications
  • Configure Email Notifications
  • Configure Proxy Server
  • Configure Azure Settings
  • Role Based Access Control
  • About Events
  • About Audit Logs
  • GigaVUE-FM Version Compatibility Matrix
  • Additional Sources of Information
  • Documentation
  • How to Download Software and Release Notes from My Gigamon
  • Documentation Feedback
  • Contact Technical Support
  • Contact Sales
  • Premium Support
  • The VÜE Community
  • Glossary

GigaVUE Cloud Suite for Azure - GigaVUE V Series 2
This guide describes how to install, configure and deploy the GigaVUE Cloud solution on the Microsoft® Azure cloud. Use this document for instructions on configuring the GigaVUE Cloud components and setting up the traffic monitoring sessions for the Azure Cloud.
Refer to the following sections for details:
  • Overview of GigaVUE Cloud Suite for Azure
  • Get Started with GigaVUE Cloud Suite for Azure
  • Deploy GigaVUE Cloud Suite for Azure
  • Configure Monitoring Session
  • Configure Application Intelligence Solutions on GigaVUE V Series Nodes for Azure
  • Monitor Cloud Health
  • Fabric Health Analytics for Virtual Resources
  • Administer GigaVUE Cloud Suite for Azure
  • GigaVUE-FM Version Compatibility Matrix

Overview of GigaVUE Cloud Suite for Azure
GigaVUE® Fabric Manager (GigaVUE-FM) is a web-based fabric management interface that provides a single-pane-of-glass visibility and management of both the physical and virtual traffic. GigaVUE-FM is a key component of the GigaVUE Cloud Suite for Azure.
GigaVUE-FM integrates with the Azure APIs and deploys the components of the GigaVUE Cloud Suite for Azure in an Azure Virtual Network (VNet).
Refer to the following sections for details:
  • Components of GigaVUE Cloud Suite for Azure
  • Architecture of GigaVUE Cloud Suite for Azure
  • Cloud Overview Page


Components of GigaVUE Cloud Suite for Azure
The GigaVUE Cloud Suite for Azure consists of the following components:

GigaVUE® Fabric Manager (GigaVUE-FM)
  A web-based fabric management interface that provides single-pane-of-glass visibility and management of both the physical and virtual traffic that forms the GigaVUE Cloud for Azure. GigaVUE-FM manages the configuration of the rest of the components in your cloud platform:
  • G-vTAP Controllers (only if you are using G-vTAP Agent as the traffic acquisition method)
  • For V Series 2 configuration:
    • GigaVUE® V Series Proxy
    • GigaVUE® V Series 2 nodes

G-vTAP Agents
  An agent that is installed in your virtual machines. This agent mirrors the selected traffic from the virtual machines to the GigaVUE V Series Node.

G-vTAP Controllers
  Manages multiple G-vTAP Agents and orchestrates the flow of mirrored traffic to GigaVUE V Series nodes. GigaVUE-FM uses one or more G-vTAP Controllers to communicate with the G-vTAP Agents.

Next generation G-vTAP Agent
  The next generation G-vTAP Agent is a lightweight solution that acquires traffic from Virtual Machines and in turn improves the performance of the G-vTAP Agent mirroring capability. The solution has a prefiltering capability at the tap level that reduces the traffic flow from the agent to the GigaVUE V Series Node and in turn reduces the V Series load. The next generation G-vTAP Agent is activated only on Linux systems with a kernel version above 5.4. Prefiltering allows you to filter the traffic in G-vTAP Agents before sending it to the GigaVUE V Series Nodes. For prefiltering the traffic, GigaVUE-FM allows you to create a prefiltering policy template, and the template can be applied to a monitoring session.

GigaVUE V Series Proxy
  The GigaVUE V Series Proxy is an optional component. If GigaVUE-FM cannot reach the GigaVUE V Series Nodes (management interface) directly over the network, a Proxy should be used. It manages multiple GigaVUE V Series Nodes and orchestrates the flow of traffic from GigaVUE V Series Nodes to the monitoring tools. GigaVUE-FM uses one or more GigaVUE V Series Proxies to communicate with the GigaVUE V Series Nodes. A single GigaVUE V Series Proxy can be launched to provide GigaVUE-FM network communication to hundreds of GigaVUE V Series Nodes present in private networks behind the Proxy.

GigaVUE V Series Nodes
  A visibility node that aggregates mirrored traffic. It applies filters, manipulates the packets using GigaSMART applications, and distributes the optimized traffic to cloud-based tools or backhauls it to on-premises devices or tools. GigaVUE Cloud Suite for Azure uses the standard VXLAN tunnel to deliver traffic to tool endpoints.

This solution is launched by subscribing to the GigaVUE Cloud Suite for Azure in the Azure Marketplace. Once GigaVUE-FM is launched in Azure, the rest of the solution components are launched from GigaVUE-FM. Refer to Install GigaVUE-FM on Azure for more detailed information on how to launch GigaVUE-FM in Azure.
For V Series 2 configuration, you can configure the GigaVUE fabric components only in a Centralized VNet. In the case of a shared VNet, you must select a VNet as your Centralized VNet for GigaVUE fabric configuration.

Architecture of GigaVUE Cloud Suite for Azure
Hybrid Cloud
In the hybrid cloud deployment model, you can send the customized traffic to the tools in Azure as well as the tools in the enterprise data center.

Cloud Overview Page
The overview page is a central location to view and monitor all the monitoring sessions in a single place. You can use this overview page to spot issues which will help in troubleshooting, or perform basic actions like view, edit, clone, and delete. This page provides a quick overview of basic statistics, V Series Alarms, Connection Status and Volume Usage vs Allowance and a table to summarize the active monitoring sessions details. You can also edit the monitoring session from this page instead of navigating to the monitoring session page in each platform.
Go to Traffic > Virtual > Orchestrated Flows > Overview. The Cloud Homepage appears.
Virtual Dashboard Widgets
This section describes the widgets that can be viewed on the overview page.

  • Overview
  • V Series Alarms
  • Connection Status
  • Usage (VBL)
  • Summary (Monitoring Session details)
  • Traffic Rate
  • Aggregate Summary
Overview
The overview dashboard displays the number of GigaVUE V Series Nodes active in GigaVUE-FM, the number of monitoring sessions and connections configured across all the platforms, and the number of alarms triggered in V Series Nodes.
V Series Alarms
The V Series Alarms widget presents a pie chart that helps you quickly view the V Series alarms generated. Each type of alarm triggered is assigned a color in the graph, which is specified by the legend. Hovering the mouse over an area in the chart displays the total number of V Series alarms triggered.
Connection Status
The Connection Status widget presents a pie chart that helps you quickly view the status of the connections configured in the monitoring domain. Each type of connection status is assigned a color in the graph, which is specified by the legend. Hovering the mouse over an area in the chart displays the total number of connections with that status.
Usage
The Usage widget displays the amount of traffic that flows through the GigaVUE V Series Nodes. Each bar in the graph indicates the volume usage on a particular day. Hovering the mouse over a bar in the graph displays the volume allowance and volume usage on that particular day.
Summary
This widget allows you to view the list of all the available monitoring session along with the respective monitoring domain, platform, connection, their health status, V Series Node health status and the deployment status of the connection. You can click on the monitoring session name to view the Edit Monitoring session page of the respective monitoring session.

Traffic Rate
The traffic rate widget displays the rate of traffic flowing through the GigaVUE V Series Nodes. Each line in the graph indicates the rate of traffic flow for transmitting, receiving, and their ratio which is specified by the legend.
Aggregate Summary
The aggregate summary displays the highest daily volume usage, average daily volume usage, highest daily volume over usage, average daily volume over usage, 95th percentile daily volume usage and the average daily volume allowance.

Get Started with GigaVUE Cloud Suite for Azure
This chapter describes how to plan and start the GigaVUE Cloud Suite for Azure deployment on the Microsoft® Azure cloud.
Refer to the following sections for details:
  • License Information
  • Before You Begin
  • Install and Upgrade GigaVUE-FM
  • Install GigaVUE-FM on Azure
  • Permissions and Privileges
License Information
The GigaVUE Cloud Suite is available in both the public Azure cloud and in Azure Government, and supports the Volume Based License (VBL) model that you can avail from the Azure Marketplace.
Refer to the following topics for detailed information:
  • Volume Based License (VBL)
  • Apply License
Volume Based License (VBL)
All the V Series 2 nodes connected to GigaVUE-FM periodically report statistics on the amount of traffic that flows through the V Series Nodes. The statistics give information on the actual data volume that flows through the V Series Nodes. All licensed applications, when running on the node, generate usage statistics. In the Volume-Based Licensing (VBL) scheme, a license entitles specific applications on your devices to use a specified amount of total data volume over the term of the license. The distribution of the license to individual nodes or devices becomes irrelevant for Gigamon's accounting purposes. GigaVUE-FM tracks the total amount of data processed by the various licensed applications, provides visibility into the actual amount of data each licensed application is using on each node, and tracks any overuse.

Volume-based licensing has a service period of 1 month. Service period is the period of time for which the total usage or overage is tracked. There is a grace period for each license that is encoded in the license file. The license effectively provides data allowance for this additional time after the official end time of the license.
For purchasing licenses with the Volume-Based License (VBL) option, contact our Sales. Refer to Contact Sales.
Base Bundles
GigaVUE-FM has the following three base bundles:
  • SecureVUEPlus (highest)
  • NetVUE (intermediate)
  • CoreVUE (lowest)
The number in the SKU indicates the total volume allowance of the SKU. For example, VBL250T-BN-CORE has a volume allowance of 250 terabytes.
Bundle Replacement Policy
You can always upgrade to a higher bundle but you cannot move to a lower version. You cannot have two different base bundles at the same time however, you can have multiple base bundles of the same type. Once upgraded to a higher bundle, the existing lower bundles will be automatically deactivated.
While upgrading to a higher bundle, the total licensed allowance of the higher bundle must be at least equal to the total licensed allowance of the replaced bundle.
Add-on Packages
GigaVUE-FM allows you to add additional packages called add-on packages to the base bundles. These add-on packages allow you to add additional applications to your base bundles. Add-on packages have their own start/end date and volume specifications.
Rules for add-on packages:
  • Add-on packages can only be added when there is an active base bundle available in GigaVUE-FM.
  • The base bundle limits the total volume usage of the add-on package.
  • If your add-on package has a volume allowance less than the base bundle, then your add-on package can only handle the volume allocated for the add-on package.
  • When the life term of an add-on package extends beyond the base bundle, then when the base bundle expires, the volume allowance of the add-on package will be reduced to zero until a new base bundle is added.
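The four add-on rules above, worked through as an added Python model (not Gigamon code): it computes an add-on package's effective allowance on a given day, and returns zero before the add-on starts, zero once the base bundle has expired, and the smaller of the two allowances otherwise. Bundle SKUs, terms and allowances are constructed; the assumption that several same-type base bundles pool their allowance is mine, not the page's.

```python
"""Model of the add-on package rules for Volume-Based Licenses.

Added example, not Gigamon code. Bundles are plain dicts with ISO
"YYYY-MM-DD" start/end strings (which compare correctly as strings) and
an allowance in TB; every value below is constructed.
"""


def is_active(bundle, on):
    """A bundle is active on any day inside its [start, end] term."""
    return bundle["start"] <= on <= bundle["end"]


def addon_allowance_tb(addon, base_bundles, on):
    """Effective allowance of one add-on package on day `on`.

    Rule 1: an add-on needs an active base bundle.
    Rule 2: the base bundle caps the add-on's total volume.
    Rule 3: a smaller add-on only gets its own allowance.
    Rule 4: when the base bundle expires, the add-on allowance drops to
            zero until a new base bundle is added.
    Assumption (not stated on the page): allowances of several active
    base bundles of the same type are summed.
    """
    if not is_active(addon, on):
        return 0
    active_bases = [b for b in base_bundles if is_active(b, on)]
    if not active_bases:
        return 0                                    # rules 1 and 4
    base_tb = sum(b["allowance_tb"] for b in active_bases)
    return min(addon["allowance_tb"], base_tb)      # rules 2 and 3


# Constructed bundles: a 250 TB CoreVUE base bundle for 2024 and an add-on
# whose term runs five months past the base bundle's end date.
BASE_CORE = {"sku": "VBL250T-BN-CORE", "allowance_tb": 250,
             "start": "2024-01-01", "end": "2024-12-31"}
ADDON = {"sku": "EXAMPLE-ADDON (placeholder)", "allowance_tb": 100,
         "start": "2024-06-01", "end": "2025-05-31"}

if __name__ == "__main__":
    for day in ("2024-03-01", "2024-07-01", "2025-01-15"):
        print(day, addon_allowance_tb(ADDON, [BASE_CORE], day), "TB")
```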

For more information about SKUs, refer to the respective GigaVUE Data Sheets:
  • GigaVUE Cloud Suite for VMware Data Sheet
  • GigaVUE Cloud Suite for AWS Data Sheet
  • GigaVUE Cloud Suite for Azure Data Sheet
  • GigaVUE Cloud Suite for OpenStack
  • GigaVUE Cloud Suite for Nutanix
  • GigaVUE Cloud Suite for Kubernetes
How GigaVUE-FM Tracks Volume-Based License Usage
GigaVUE-FM tracks the license usage for each V Series node as follows:
  • When you create and deploy a monitoring session, GigaVUE-FM allows you to use only those applications that are licensed at that point.
  • When a license goes into grace period, you will be notified, along with a list of monitoring sessions that would be affected after the expiry of the grace period.
  • When a license expires (and has not been renewed yet), the monitoring sessions using the corresponding license will be undeployed, but not deleted from the database.
  • When a license is renewed or newly imported, the undeployed monitoring sessions will be redeployed.
Manage Volume-Based License
To manage active Volume-Based Licenses:
  1. On the left navigation pane, click .
  2. Go to System > Licenses. From the top navigation bar, select VBL Active from the FM/Cloud drop-down.
This page lists information like SKUs, Bundles, Start date, End date, Type, and Activation ID of the Volume-Based Licenses that are active. The expired licenses are automatically moved to the VBL Inactive page, which can be found under the FM/Cloud drop-down in the top navigation bar.
Click on the individual SKU to view the list of applications available for that particular SKU.
Use the following buttons to manage your active VBL.


Button / Description:
  • Activate Licenses: Use this button to activate a Volume-Based License. Refer to Activate Licenses for more information.
  • Email Volume Usage: Use this button to send the volume usage details to the email recipients.
  • Filter: Use this option to narrow down the list of active Volume-Based Licenses that are displayed on the VBL Active page.
  • Export: Use this button to export the details in the VBL Active page to a CSV or XLSX file.

For more detailed information on dashboards and report generation for Volume-Based Licensing, refer to the following (For details about / Reference section / Guide):
  • How to generate Volume-Based License reports: Generate VBL Usage Reports, GigaVUE Administration Guide
  • Volume-Based License report details: Volume Based License Usage Report, GigaVUE Administration Guide
  • Fabric health analytics dashboards for Volume-Based License usage: Dashboards for Volume Based Licenses Usage, GigaVUE-FM User Guide

Default Trial Licenses

After you install GigaVUE-FM, a default free 1TB of CoreVUE trial volume-based license (VBL) is provided one-time for 30 days (from the date of installation).

This license includes the following applications:
  • ERSPAN
  • Geneve
  • Slicing
  • Masking
  • Trailer
  • Tunneling
  • Load Balancing
  • Enhanced Load Balancing
  • Flowmap
  • Header-stripping
  • Add header
NOTE: There is no grace period for the trial license. If you do not have any other Volume-based licenses installed, then after 30 days, on expiry of the trial license, any deployed monitoring sessions will be undeployed from the existing V series 2.0 nodes.
To deactivate the trial VBL refer to Delete Default Trial Licenses section for details.
Apply License
For instructions on how to generate and apply a license, refer to the GigaVUE Licensing Guide.
Before You Begin
You must create an account and configure a VNet as per your requirements. This section describes the requirements for launching the GigaVUE-FM VM.
  • Prerequisites
  • VPN Connectivity
  • Obtain GigaVUE-FM Image
Prerequisites
To enable the flow of traffic between the components and the monitoring tools, you must meet the following requirements, each described in the sections below:
  • Resource Group
  • Virtual Network
  • Subnets for VNet
  • Network Interfaces (NICs) for VMs
  • Network Security Groups
  • Virtual Network Peering
  • Access control (IAM)
  • Default Login Credentials
  • Recommended Instance Types
Resource Group
The resource group is a container that holds all the resources for a solution.
To create a resource group in Azure, refer to Create a resource group topic in the Azure Documentation.
Virtual Network
Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the internet, and on-premises networks.
For V Series 2 configuration, you can configure the GigaVUE fabric components only in a Centralized VNet. In the case of a shared VNet, you must select a VNet as your Centralized VNet for GigaVUE fabric configuration.
To create a virtual network in Azure, refer to Create a virtual network topic in the Azure Documentation.
Subnets for VNet
The following table lists the two recommended subnets that your VNet must have to configure the GigaVUE Cloud Suite components in Azure.
You can add subnets when creating a VNet or add subnets on an existing VNet. Refer to Add a subnet topic in the Azure Documentation for detailed information.

Management Subnet
  Subnet that GigaVUE-FM uses to communicate with the GigaVUE V Series Nodes and Proxy.
  NOTE: If you are using a single subnet, then the Management subnet will also be used as a Data Subnet.

Data Subnet
  A data subnet can accept incoming mirrored traffic from agents to the GigaVUE V Series Nodes or be used to egress traffic to a tool from the GigaVUE V Series Nodes. There can be multiple data subnets.
  Ingress is VXLAN from agents. Egress is either a VXLAN tunnel to tools or to a GigaVUE HC Series tunnel port, or raw packets through a NAT when using NetFlow.

Tool Subnet
  A tool subnet can accept egress traffic to a tool from the GigaVUE V Series Nodes. There can be only one tool subnet.
  Egress is either a VXLAN tunnel to tools or to a GigaVUE HC Series tunnel port, or raw packets through a NAT when using NetFlow.

Network Interfaces (NICs) for VMs
When using G-vTAP Agent as the traffic acquisition method, for the G-vTAP Agents to mirror the traffic from the VMs, you must configure one or more Network Interfaces (NICs) on the VMs.
Single NIC–If there is only one interface configured on the VM with the G-vTAP Agent, the G-vTAP Agent sends the mirrored traffic out using the same interface.
Multiple NICs–If there are two or more interfaces configured on the VM with the G-vTAP Agent, the G-vTAP Agent monitors any number of interfaces but has an option to send the mirrored traffic out using any one of the interfaces or using a separate, non-monitored interface.
Network Security Groups
A network security group defines the virtual firewall rules for your VM to control inbound and outbound traffic. When you launch GigaVUE-FM, GigaVUE V Series Proxy, GigaVUE V Series Nodes, and G-vTAP Controllers in your VNet, you add rules that control the inbound traffic to VMs, and a separate set of rules that control the outbound traffic.
To create a network security group and add rules in Azure, refer to the Create a network security group topic in the Azure Documentation.
It is recommended to create a separate security group for each component, using the rules and port numbers listed below.
In your Azure portal, select a network security group from the list. In the Settings section, set the Inbound and Outbound security rules to the following rules.
Network Security Groups for V Series 2 Node
Following are the Network Firewall Requirements for V Series 2 configuration. Each rule is listed as Direction, Type, Protocol, Port, Source/Destination: Purpose.

GigaVUE-FM
  • Inbound, HTTPS, TCP, port 443, Administrator Subnet: Management connection to GigaVUE-FM
  • Inbound, SSH, TCP, port 22, Administrator Subnet: Management connection to GigaVUE-FM
  • Inbound, Custom TCP Rule, TCP, port 5671, V Series 2 Node IP: Allows GigaVUE V Series 2 Nodes to send traffic health updates to GigaVUE-FM
  • Inbound, Custom TCP Rule, TCP, port 5671: Allows Next Generation G-vTAP Agents to send statistics to GigaVUE-FM
  • Outbound, Custom TCP Rule, TCP(6), port 9900, GigaVUE-FM IP: Allows G-vTAP Controller to communicate with GigaVUE-FM
  • Outbound (optional), ICMP (optional)
  • Outbound, Custom TCP Rule, TCP, port 8890, V Series Proxy IP: Allows GigaVUE-FM to communicate with GigaVUE V Series Proxy
  • Outbound (configuration without V Series Proxy), Custom TCP Rule, TCP, port 8889, V Series 2 Node IP: Allows GigaVUE-FM to communicate with GigaVUE V Series Node

G-vTAP Controller
  • Inbound, Custom TCP Rule, TCP, port 9900, GigaVUE-FM IP: Allows G-vTAP Controller to communicate with GigaVUE-FM
  • Outbound, Custom TCP Rule, TCP(6), port 9901, G-vTAP Controller IP: Allows G-vTAP Controller to communicate with G-vTAP Agents
  • Outbound, Custom TCP Rule, TCP, port 5671, GigaVUE-FM IP: Allows G-vTAP Controller to send traffic health updates to GigaVUE-FM

G-vTAP Agent
  • Inbound, Custom TCP Rule, TCP(6), port 9901, G-vTAP Controller IP: Allows G-vTAP Agents to communicate with G-vTAP Controller
  • Outbound, UDP, UDP (VXLAN), VXLAN (default 4789), G-vTAP Agent or Subnet IP: Allows G-vTAP Agents to VXLAN tunnel traffic to GigaVUE V Series Nodes

GigaVUE V Series Proxy (optional)
  • Inbound, Custom TCP Rule, TCP, port 8890, GigaVUE-FM IP: Allows GigaVUE-FM to communicate with GigaVUE V Series Proxy
  • Outbound, Custom TCP Rule, TCP, port 8889, V Series 2 node IP: Allows GigaVUE V Series Proxy to communicate with GigaVUE V Series Node

GigaVUE V Series 2 Node
  • Inbound, Custom TCP Rule, TCP, port 8889, GigaVUE-FM IP / V Series Proxy IP: Allows V Series Proxy or GigaVUE-FM to communicate with GigaVUE V Series Node
  • Inbound, UDP, UDP (VXLAN), VXLAN (default 4789), G-vTAP Agent or Subnet IP: Allows G-vTAP Agents to (VXLAN) tunnel traffic to GigaVUE V Series Nodes
  • Outbound, Custom UDP Rule, UDP (VXLAN), VXLAN (default 4789), Tool IP: Allows GigaVUE V Series Node to communicate and tunnel traffic to the Tool
  • Outbound, Custom TCP Rule, TCP, port 5671, GigaVUE-FM IP: Allows GigaVUE V Series Node to send traffic health updates to GigaVUE-FM
  • Outbound (optional), ICMP, ICMP, echo request / echo reply, Tool IP: Allows GigaVUE V Series to health check tunnel destination traffic
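As an added example (not Gigamon tooling), the following Python audits an exported NSG rule set against the GigaVUE-FM and GigaVUE V Series 2 Node inbound requirements in the table above: it reports required rules that are missing, management ports (22, 443) opened to any source rather than the administrator subnet, and ports the table does not call for. The rule field names follow the JSON that `az network nsg rule list` emits; the sample NSG, its rule names and its address ranges are constructed.

```python
"""Audit an Azure network security group against the GigaVUE-FM and
GigaVUE V Series 2 Node inbound rules from the table above.

Added example, not Gigamon tooling. Rule dicts use the field names that
`az network nsg rule list` emits (name, direction, access, protocol,
destinationPortRange(s), sourceAddressPrefix(es)); the sample NSG at the
bottom is constructed for illustration.
"""

# Required inbound rules per component, from the table above:
# (protocol, port, source the table expects).
REQUIRED_INBOUND = {
    "GigaVUE-FM": [
        ("Tcp", 443, "Administrator Subnet"),
        ("Tcp", 22, "Administrator Subnet"),
        ("Tcp", 5671, "V Series 2 Node IP"),
    ],
    "GigaVUE V Series 2 Node": [
        ("Tcp", 8889, "GigaVUE-FM IP / V Series Proxy IP"),
        ("Udp", 4789, "G-vTAP Agent or Subnet IP"),
    ],
}
# Management ports the table restricts to the administrator subnet.
MGMT_PORTS = {22, 443}
# Source prefixes that mean "anyone"; never acceptable on a management port.
ANY_SOURCES = {"*", "Internet", "0.0.0.0/0"}


def expand_ports(rule):
    """Return the set of destination ports a rule covers, or None for '*'."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    ports = set()
    for r in ranges:
        if r == "*":
            return None
        lo, _, hi = r.partition("-")          # "8889" or "8889-8890"
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def sources(rule):
    """Collect sourceAddressPrefix and sourceAddressPrefixes into one list."""
    srcs = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        srcs.append(rule["sourceAddressPrefix"])
    return srcs


def covers(rule, proto, port):
    """True if the rule's protocol and port set include proto/port."""
    ports = expand_ports(rule)
    return rule["protocol"] in (proto, "*") and (ports is None or port in ports)


def audit_inbound(component, rules):
    """Return findings for one component's NSG; an empty list is compliant."""
    findings = []
    allows = [r for r in rules
              if r["direction"] == "Inbound" and r["access"] == "Allow"]
    for proto, port, expected_src in REQUIRED_INBOUND[component]:
        matches = [r for r in allows if covers(r, proto, port)]
        if not matches:
            findings.append(f"missing: {proto}/{port} inbound ({expected_src})")
            continue
        for r in matches:
            if port in MGMT_PORTS and ANY_SOURCES & set(sources(r)):
                findings.append(f"too broad: rule '{r['name']}' opens {proto}/{port} "
                                f"to {sources(r)}; table requires {expected_src}")
    # Anything else the NSG lets in is outside the documented requirement.
    required = {p for _, p, _ in REQUIRED_INBOUND[component]}
    for r in allows:
        ports = expand_ports(r)
        extra = None if ports is None else sorted(ports - required)
        if ports is None or extra:
            findings.append(f"unexpected: rule '{r['name']}' allows "
                            f"{'all ports' if ports is None else extra[:5]}")
    return findings


# Constructed NSG for a GigaVUE-FM VM: SSH is open to the Internet and the
# port 5671 health-update rule is missing.
SAMPLE_FM_NSG = [
    {"name": "allow-https", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "443",
     "sourceAddressPrefix": "10.10.0.0/24"},
    {"name": "allow-ssh", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "22",
     "sourceAddressPrefix": "Internet"},
    {"name": "deny-all", "direction": "Inbound", "access": "Deny",
     "protocol": "*", "destinationPortRange": "*",
     "sourceAddressPrefix": "*"},
]

if __name__ == "__main__":
    for finding in audit_inbound("GigaVUE-FM", SAMPLE_FM_NSG):
        print(finding)
```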


Virtual Network Peering

Virtual network peering enables you to seamlessly connect two or more Virtual Networks in Azure. Virtual Network Peering is only applicable when multiple Virtual Networks are used in a design. Refer to Virtual Network Peering topic in Azure documentation for more details.

Access control (IAM)

You must have full resource access to control the GigaVUE Cloud Suite cloud components. Refer to the Check access for a user topic in the Azure documentation for more details.

To add a role assignment, refer to Steps to assign an Azure role.

Default Login Credentials

You can login to the GigaVUE V Series Node, GigaVUE V Series Proxy, and G-vTAP Controller by using the default credentials.

Product / Login credentials:
  • GigaVUE V Series Node: You can login to the GigaVUE V Series Node by using ssh. The default username and password are not configured.
  • GigaVUE V Series Proxy: You can login to the GigaVUE V Series Proxy by using ssh. The default username and password are not configured.
  • G-vTAP Controller: You can login to the G-vTAP Controller by using ssh. The default username and password are not configured.

Recommended Instance Types
NOTE: Additional instance types are also supported. Refer to Support, Sales, or Professional Services for deployment optimization.

Product / Instance Type / vCPU / RAM:
  • GigaVUE V Series Node: Standard_D4s_v4, 4 vCPU, 16 GB
  • GigaVUE V Series Node: Standard_D8S_V4, 8 vCPU, 32 GB
  • GigaVUE V Series Proxy: Standard_B1s, 1 vCPU, 1 GB
  • G-vTAP Controller: Standard_B1s, 1 vCPU, 1 GB

VPN Connectivity
GigaVUE-FM requires Internet access to integrate with the public API endpoints used by the GigaVUE Cloud Suite platform. If there is no Internet access, refer to Configure Proxy Server.
Obtain GigaVUE-FM Image
The image for the GigaVUE Cloud Suite is available in both the Azure Public Cloud and in the Azure Government portal.
GigaVUE Cloud Suite in Azure Public Cloud
GigaVUE Cloud Suite is available in the Azure Marketplace with the Volume Based License options.
GigaVUE Cloud Suite in Azure Government
Azure Government is an isolated Azure region that contains specific regulatory and compliance requirements of the US government agencies.
To monitor the VMs that contain all categories of Controlled Unclassified Information (CUI) data and sensitive government data in the Azure Government (US) Region, the Azure Government solution provides the same robust features in Azure Government as in the Azure public cloud.


Install and Upgrade GigaVUE-FM

You can install and upgrade the GigaVUE Cloud Suite® Fabric Manager (GigaVUE-FM) on cloud or on-premises.
Cloud–To install GigaVUE-FM inside your Azure environment, you can launch the GigaVUE-FM instance in your VNet. For installing the GigaVUE-FM instance, refer to Install GigaVUE-FM on Azure.
On-premises–To install and upgrade GigaVUE-FM in your enterprise data center, refer to GigaVUE-FM Installation and Upgrade Guide available in the Gigamon Documentation Library.
Install GigaVUE-FM on Azure
GigaVUE-FM can be launched from the Azure VM dashboard or the Azure Marketplace. The following instructions describe how to launch GigaVUE-FM in your VNet from the Azure VM Dashboard. Refer to the Create a Linux virtual machine in Azure topic in the Azure Documentation for more information.
In the Virtual Machines page, click Create to create an Azure Virtual Machine. The following table describes the important fields.

Parameter | Description

Basics
Subscription | Select your subscription.
Resource Group | Select an existing resource group or create a new resource group. For more information, refer to the Create a resource group topic in the Azure Documentation.
Virtual machine name | Enter a name for the VM.
Region | Select a region for the Azure VM.
Image | Select the latest GigaVUE-FM image. NOTE: You cannot select multiple images for a VM. Refer to Configure GigaVUE Fabric Components in Azure for more details on configuring GigaVUE V Series Node, GigaVUE V Series Proxy, and G-vTAP Controller in Azure.
Size | For the V Series 2 configuration, the recommended instance types are as follows: GigaVUE-FM – Standard_D4s_v3; G-vTAP Controller – Standard_B1ms; V Series Node – Standard_D4s_v4; V Series Proxy – Standard_B1ms. For the V Series 1 configuration, the recommended instance types are as follows: GigaVUE-FM – Standard_DS2_v2; G-vTAP Controller – Standard_B1s; V Series Node – Standard_DS2_v2; V Series Controller – Standard_B1s.
Authentication Type | Select an authentication type. SSH public key: enter the administrator username for the VM and the SSH public key pair name. Password: enter the administrator username for the VM and the administrator password.

Disks
Disk Size | The required disk size for GigaVUE-FM is 2 x 40 GB.

Networking
Virtual Network | Select an existing VNet or create a new VNet. For more information, refer to the Create a virtual network topic in the Azure Documentation. On selecting an existing VNet, the Subnet and the Public IP values are autopopulated.
Configure network security group | Select an existing network security group or create a new network security group. For more information, refer to Network Security Groups. Configure the Network Security Group to allow GigaVUE-FM to communicate with the rest of the components.

NOTE: Verify the summary before proceeding to create. It will take several minutes for the VM to initialize. After the initialization is completed, you can verify the VM through the Web interface.
After the VM deployment, navigate to the VM overview page, copy the Public IP address, and paste it in a new web browser tab.
If GigaVUE-FM is deployed in Azure, use admin123A!! as the password for the admin user to log in to GigaVUE-FM. You must change the default password after logging in to GigaVUE-FM.

Permissions and Privileges
When you first connect GigaVUE-FM to Azure, you need the appropriate authentication for Azure to verify your identity and check if you have permission to access the resources that you are requesting. This is used for GigaVUE-FM to integrate with Azure APIs and to automate the fabric deployment and management.

Prerequisites
1. Accept EULA: For GigaVUE-FM to be able to launch the fabric images, you must accept the terms of the end user license agreements (EULAs) and enable programmatic access. This can be done in the Azure portal or through Azure Portal Cloud Shell.
NOTE: To accept the EULA, you need the Owner role on the Subscription.

a. Accept the Gigamon EULAs using CLI

i. BYOL FM: The following example shows how to accept the EULA for BYOL FM using Azure Portal Cloud Shell:

    az vm image terms accept --urn gigamon-inc:gigamon-gigavue-cloud-suite:gfm-azure:6.2.00
    {
      "accepted": true,
      "id": "/subscriptions/6447eb55-9d09-481b-89bc-52e96bb52823/providers/Microsoft.MarketplaceOrdering/offerTypes/Microsoft.MarketplaceOrdering/offertypes/publishers/gigamon-inc/offers/gigamon-gigavue-cloud-suite/plans/gfm-azure/agreements/current",
      "licenseTextLink": "https://mpcprodsa.blob.core.windows.net/legalterms/3E5ED_legalterms_GIGAMON%253a2DINC%253a24GIGAMON%253a2DGIGAVUE%253a2DCLOUD%253a2DSUITE%253a24GFM%253a2DAZURE%253a24BGSZOQHPVC4M4GL4ZK5K752EDRWRVJPTVJ7LMSHSRRRN5TYHJR47WNYMJH2ULRWBWUG5CNO4E6LF34G43TGV3SOGRXJ4OCBMLHLBTXQ.txt",
      "marketplaceTermsLink": "https://mpcprodsa.blob.core.windows.net/marketplaceterms/3EDEF_marketplaceterms_VIRTUALMACHINE%253a24AAK2OAIZEAWW5H4MSP5KSTVB6NDKKRTUBAU23BRFTWN4YC2MQLJUB5ZEYUOUJBVF3YK34CIVPZL2HWYASPGDUY5O2FWEGRBYOXWZE5Y.txt",
      "name": "gfm-azure",
      "plan": "gfm-azure",
      "privacyPolicyLink": "https://www.gigamon.com/privacy-policy.html",
      "product": "gigamon-gigavue-cloud-suite",
      "publisher": "gigamon-inc",
      "retrieveDatetime": "2023-05-02T20:09:36.1347592Z",
      "signature": "SZL3CYR5MMU5QC5FEBIDHLMOYE7DD4CBSMLOVRMCKAAUD5CKLG4RIWPALULYWCFWCENMFF77RCXM4CM2B24WV3PGEFWW7UL4VMI3BVI",
      "systemData": {
        "createdAt": "2023-05-02T20:09:38.101210+00:00",
        "createdBy": "6447eb55-9d09-481b-89bc-52e96bb52823",
        "createdByType": "ManagedIdentity",
        "lastModifiedAt": "2023-05-02T20:09:38.101210+00:00",
        "lastModifiedBy": "6447eb55-9d09-481b-89bc-52e96bb52823",
        "lastModifiedByType": "ManagedIdentity"
      },
      "type": "Microsoft.MarketplaceOrdering/offertypes"
    }

ii. Fabric Images (need to accept on all 3): The following examples show how to accept the EULA for the different fabric components using Azure Portal Cloud Shell.

For G-vTAP Controller:

    az vm image terms accept --urn gigamon-inc:gigamon-gigavue-cloud-suite:gvtapcntlr:6.2.00
    {
      "accepted": true,
      ...
      "type": "Microsoft.MarketplaceOrdering/offertypes"
    }

For GigaVUE V Series Node:

    az vm image terms accept --urn gigamon-inc:gigamon-gigavue-cloud-suite:vseriesnode:6.2.00
    {
      "accepted": true,
      ...
      "type": "Microsoft.MarketplaceOrdering/offertypes"
    }

For GigaVUE V Series Proxy:

    az vm image terms accept --urn gigamon-inc:gigamon-gigavue-cloud-suite:vseriesproxy:6.2.00
    {
      "accepted": true,
      ...
      "type": "Microsoft.MarketplaceOrdering/offertypes"
    }

b. Accept the Gigamon EULAs using Azure Portal: Configure programmatic deployment through the Azure portal so that GigaVUE-FM can launch these images:
  i. Go to Marketplace and search for Gigamon.
  ii. Select Gigamon GigaVUE Cloud Suite for Azure from the search results. Select the required image from the Plan drop-down menu.
  iii. Click the "Want to deploy programmatically? Get started" link.
  iv. Review the terms of service and the subscription name and then click Enable.
2. Have pre-defined custom roles, or create new custom roles, that can be attached at the resource group or subscription level. Refer to the Custom Roles topic for more detailed information on how to create custom roles.

Custom Roles
The built-in roles provided by Microsoft are open to all resources. You can create a custom role if required. For more information, refer to the Azure custom roles topic in the Azure Documentation.
You can use the following command to create custom roles in the CLI:

    az role definition create --role-definition <Custom Role>.json

The following examples provide the minimum permissions that are required for GigaVUE-FM to deploy the fabric components and/or inventory the G-vTAP Agents. The permissions can be applied at the resource group level or subscription level:
Example 1: Create Custom Role for GigaVUE-FM to deploy visibility fabric components and inventory G-vTAP agents

    {
      "name": "GigaVue-FM-Service-Role",
      "roleName": "CustomRoleFabricDeploymentAndInventory",
      "description": "The minimum requirements for FM to deploy Fabric Components and inventory G-vTAP agents",
      "assignableScopes": [
        "/subscriptions/<SubscriptionID>/resourceGroups/<resourceGroup name>"
      ],
      "permissions": [
        {
          "actions": [
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Compute/virtualMachines/write",
            "Microsoft.Compute/virtualMachines/delete",
            "Microsoft.Compute/virtualMachines/start/action",
            "Microsoft.Compute/virtualMachines/powerOff/action",
            "Microsoft.Compute/virtualMachines/restart/action",
            "Microsoft.Compute/virtualMachines/instanceView/read",
            "Microsoft.Compute/locations/vmSizes/read",
            "Microsoft.Compute/images/read",
            "Microsoft.Compute/disks/read",
            "Microsoft.Compute/disks/write",
            "Microsoft.Compute/disks/delete",
            "Microsoft.Network/networkInterfaces/read",
            "Microsoft.Network/networkInterfaces/write",
            "Microsoft.Network/virtualNetworks/subnets/join/action",
            "Microsoft.Network/virtualNetworks/subnets/read",
            "Microsoft.Network/networkInterfaces/join/action",
            "Microsoft.Network/networkInterfaces/delete",
            "Microsoft.Network/publicIPAddresses/read",
            "Microsoft.Network/publicIPAddresses/write",
            "Microsoft.Network/publicIPAddresses/delete",
            "Microsoft.Network/publicIPAddresses/join/action",
            "Microsoft.Network/virtualNetworks/read",
            "Microsoft.Network/virtualNetworks/virtualMachines/read",
            "Microsoft.Network/networkSecurityGroups/read",
            "Microsoft.Network/networkSecurityGroups/join/action",
            "Microsoft.Network/publicIPAddresses/read",
            "Microsoft.Network/publicIPAddresses/write",
            "Microsoft.Network/publicIPAddresses/delete",
            "Microsoft.Network/publicIPAddresses/join/action",
            "Microsoft.Resources/subscriptions/locations/read",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.Resources/subscriptions/resourcegroups/resources/read"
          ],
          "notActions": [],
          "dataActions": [],
          "notDataActions": []
        }
      ]
    }
Example 2: Create Custom Role for GigaVUE-FM to only inventory G-vTAP Agents

    {
      "name": "GigaVue-FM-Service-Role",
      "roleName": "CustomRoleInventoryG-vTAP",
      "description": "Minimum requirements for FM to inventory G-vTAP agents",
      "assignableScopes": [
        "/subscriptions/<Subscription ID>/resourceGroups/<resourceGroup name>"
      ],
      "permissions": [
        {
          "actions": [
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Compute/virtualMachines/instanceView/read",
            "Microsoft.Compute/images/read",
            "Microsoft.Compute/disks/read",
            "Microsoft.Network/networkInterfaces/read",
            "Microsoft.Network/virtualNetworks/subnets/read",
            "Microsoft.Network/publicIPAddresses/read",
            "Microsoft.Network/virtualNetworks/read",
            "Microsoft.Network/virtualNetworks/virtualMachines/read",
            "Microsoft.Network/networkSecurityGroups/read",
            "Microsoft.Network/publicIPAddresses/read",
            "Microsoft.Resources/subscriptions/locations/read",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.Resources/subscriptions/resourcegroups/resources/read"
          ],
          "notActions": [],
          "dataActions": [],
          "notDataActions": []
        }
      ]
    }
You can use the following snippet in the above JSON file to assign your custom role at either the resource group level or the subscription level.

For Resource group level:

    "assignableScopes": [
      "/subscriptions/<Subscription ID>/resourceGroups/<resourceGroup name>"
    ],

For Subscription level:

    "assignableScopes": [
      "/subscriptions/<Subscription ID>/"
    ],
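As an added check that is not part of this guide (not Gigamon's code): a Python script that loads a role definition such as Example 2 and verifies it stays within the least-privilege profile the two examples and the scope snippets describe: scopes limited to a subscription or one resource group, no wildcard actions, nothing beyond the Example 1 deploy set, and read-only actions for an inventory-only role. The subscription id and resource group name in the embedded sample are placeholders.

```python
"""Least-privilege check for a GigaVUE-FM custom role definition (added example)."""
import json
import re

# Constructed sample input: the guide's inventory-only role (Example 2) with the
# scope placeholders filled with an obviously fake subscription id and group name.
INVENTORY_ROLE_JSON = """
{
  "name": "GigaVue-FM-Service-Role",
  "roleName": "CustomRoleInventoryG-vTAP",
  "description": "Minimum requirements for FM to inventory G-vTAP agents",
  "assignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/instanceView/read",
        "Microsoft.Compute/images/read",
        "Microsoft.Compute/disks/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/virtualMachines/read",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Resources/subscriptions/locations/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourcegroups/resources/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ]
}
"""

# Actions the guide lists as the minimum for GigaVUE-FM to deploy fabric components
# and inventory agents (Example 1). Azure action names are case-insensitive.
DEPLOY_ACTIONS = {a.lower() for a in (
    *("Microsoft.Compute/" + p for p in (
        "virtualMachines/read", "virtualMachines/write", "virtualMachines/delete",
        "virtualMachines/start/action", "virtualMachines/powerOff/action",
        "virtualMachines/restart/action", "virtualMachines/instanceView/read",
        "locations/vmSizes/read", "images/read", "disks/read", "disks/write", "disks/delete")),
    *("Microsoft.Network/" + p for p in (
        "networkInterfaces/read", "networkInterfaces/write", "networkInterfaces/delete",
        "networkInterfaces/join/action", "virtualNetworks/subnets/join/action",
        "virtualNetworks/subnets/read", "virtualNetworks/read",
        "virtualNetworks/virtualMachines/read", "publicIPAddresses/read",
        "publicIPAddresses/write", "publicIPAddresses/delete", "publicIPAddresses/join/action",
        "networkSecurityGroups/read", "networkSecurityGroups/join/action")),
    *("Microsoft.Resources/subscriptions/" + p for p in (
        "locations/read", "resourceGroups/read", "resourcegroups/resources/read")),
)}

# The only scopes the guide uses: a subscription, or one resource group inside it.
SCOPE_RE = re.compile(r"^/subscriptions/[0-9a-f-]{36}(/resourceGroups/[^/]+)?/?$", re.I)

def load_role(text: str) -> dict:
    """Parse a role definition JSON document."""
    return json.loads(text)

def check_role(role: dict, inventory_only: bool) -> list:
    """Return findings; empty means the role stays within the guide's minimum."""
    findings = []
    scopes = role.get("assignableScopes") or []
    if not scopes:
        findings.append("assignableScopes is missing or empty")
    for scope in scopes:
        if not SCOPE_RE.match(scope):
            findings.append(f"scope is not a subscription or resource group: {scope}")
    for perm in role.get("permissions", []):
        for action in perm.get("actions", []):
            if "*" in action:
                findings.append(f"wildcard action: {action}")
            elif action.lower() not in DEPLOY_ACTIONS:
                findings.append(f"action beyond the guide's deploy minimum: {action}")
            elif inventory_only and not action.lower().endswith("/read"):
                findings.append(f"non-read action in inventory-only role: {action}")
        for key in ("notActions", "dataActions", "notDataActions"):
            if perm.get(key):
                findings.append(f"{key} should be empty for this role")
    return findings

def overprivileged_variant(role: dict) -> dict:
    """Constructed negative case: root scope plus a wildcard and a write action."""
    bad = json.loads(json.dumps(role))
    bad["assignableScopes"] = ["/"]
    bad["permissions"][0]["actions"] += ["Microsoft.Compute/virtualMachines/*",
                                         "Microsoft.Compute/virtualMachines/write"]
    return bad

if __name__ == "__main__":
    role = load_role(INVENTORY_ROLE_JSON)
    print("inventory role:", check_role(role, inventory_only=True) or "OK")
    print("over-privileged:", check_role(overprivileged_variant(role), inventory_only=True))
```

Run it against the JSON file you pass to az role definition create before assigning the role, and treat any finding as a reason to trim the definition.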
GigaVUE-FM supports two types of authentication with Azure. Refer to the following sections for more detailed information on how to enable each type of authentication for GigaVUE-FM and how to assign the custom roles created above to GigaVUE-FM:
  • Managed Identity (recommended)
  • Application ID with client secret
Managed Identity (recommended)
Managed Identity (MSI) is a feature of Azure Active Directory. When you enable MSI on an Azure service, Azure automatically creates an identity for the service VM in the Azure AD tenant used by your Azure subscription.
Managed Identity (MSI) is only available when GigaVUE-FM is launched inside Azure. If GigaVUE-FM is launched in one VNet and the GigaVUE V Series Nodes are deployed in a different VNet, then Virtual Network Peering must be configured. Refer to Virtual Network Peering for more details on how to configure it.
There are two steps to make MSI work:
1. Enable MSI on the VM running GigaVUE-FM. This can be done using the Azure portal or the CLI.
  a. Azure Portal: Refer to the Configure managed identities using the Azure portal topic in the Azure documentation for detailed instructions.
  b. Azure CLI:
    • For resource group level:

        az vm identity assign -g <Resource group where FM is deployed> -n <GigaVUE-FM name> --scope <resource group id>

    • For subscription level:

        az vm identity assign -g <Resource group where FM is deployed> -n <GigaVUE-FM name> --scope <subscription id>

For more information, refer to the Configure managed identities for Azure resources using Azure CLI topic in the Azure Documentation.

2. Assign permissions to this VM on all the resources that you need GigaVUE-FM to manage.
After enabling MSI, you can assign custom roles to GigaVUE-FM at the resource group level or the subscription level:
Assign a Custom Role using CLI
1. Assign a custom role at the resource group level where you will deploy the fabric:

    az vm identity assign -g <Resource group where FM is deployed> --role <Custom Role> -n <GigaVUE-FM name> --scope <resource group id>

2. Assign a custom role at the subscription level to view the complete account details:

    az vm identity assign -g <Resource group where FM is deployed> --role <Custom Role> -n <GigaVUE-FM name> --scope <subscription id>

If you want to update the Role, you can edit the JSON file, and then update the Role in Azure using the following CLI command:

    az role definition update --role-definition <Custom Role>.json

You can run these commands in the Azure Portal Cloud Shell (the Cloud Shell icon is in the upper right of the portal).
Assign a Custom Role using Azure Portal
You can assign roles to GigaVUE-FM using Azure Portal for Resource Group Level or Subscription Level. Refer to Assign Azure roles topic in Azure Documentation for detailed information.
Application ID with client secret
GigaVUE-FM supports Application ID with client secret authentication. When GigaVUE-FM connects to Azure, it uses a service principal. A service principal is an account for a non-human entity, such as an application, that connects to Azure. When GigaVUE-FM is launched outside Azure, Application ID with client secret is preferred.
To create a service principal in Azure, refer to the following topics in the Azure Documentation:
  • Create an Azure service principal with the Azure CLI
  • Create an Azure service principal with Azure PowerShell
  • Create an Azure service principal with Azure Portal
GigaVUE-FM must be able to access the URLs listed in the Allow the Azure portal URLs on your firewall or proxy server topic in order to connect to Azure. The following are the required endpoints for Azure GovCloud:
  • authentication_endpoint = https://login.microsoftonline.us/
  • azure_endpoint = https://management.usgovcloudapi.net/
After creating the service principal in Azure, you can add custom roles. Refer to Assign a Custom Role using CLI or Assign a Custom Role using Azure Portal for detailed information on how to assign roles.
The key fields required for GigaVUE-FM to connect to Azure are Subscription ID, Tenant ID, Application ID, and Application Secret.
  • When creating the service principal using the Azure CLI, the output of that command displays the "appId" and "password" fields. These two are the Application ID and Application Secret fields that are required for GigaVUE-FM to connect to Azure. Copy them.
  • Now, using the Azure CLI again, run the account show command and copy the Subscription ID and the Tenant ID of your subscription.
The Subscription ID, Tenant ID, Application ID, and Application Secret will be used when creating credentials in GigaVUE-FM. Refer to Create Azure Credentials for step-by-step instructions.
DISCLAIMER: These are general guidelines for enabling a deployment in Azure. Since the Azure interface is subject to change and is outside Gigamon’s purview, please see Azure documentation for instructions on using Azure.


Deploy GigaVUE Cloud Suite for Azure
The GigaVUE Cloud Suite image is available in both the Azure Public Cloud and in the Azure Government portal.
  • GigaVUE Cloud Suite in Azure Public Cloud: GigaVUE Cloud Suite is available in the Azure Marketplace for the Bring Your Own License (BYOL) and Volume Based License (VBL) options.
  • GigaVUE Cloud Suite in Azure Government: Azure Government is an isolated Azure region that contains specific regulatory and compliance requirements of US government agencies.
To monitor the VMs that contain all categories of Controlled Unclassified Information (CUI) data and sensitive government data in the Azure Government (US) Region, the Azure Government solution provides the same robust features in Azure Government as in the Azure public cloud.
Refer to the following topics for details:
  • Deployment Options for GigaVUE Cloud Suite for Azure
  • Prepare G-vTAP Agent to Monitor Traffic
  • Create Azure Credentials
  • Install Custom Certificate
  • Create Monitoring Domain
  • Configure GigaVUE Fabric Components in GigaVUE-FM
  • Configure Role-Based Access for Third Party Orchestration
  • Configure GigaVUE Fabric Components in Azure
  • Upgrade GigaVUE Fabric Components in GigaVUE-FM for Azure
Refer to Deploying GigaVUE Cloud Suite for Azure using V Series with Hybrid architecture for more detailed information.
Deployment Options for GigaVUE Cloud Suite for Azure
This section provides detailed information on the multiple ways in which GigaVUE Cloud Suite for Azure-GigaVUE V Series 2 can be configured to provide visibility for physical and virtual traffic. There are three different ways in which GigaVUE Cloud Suite for Azure-GigaVUE V Series 2 can be configured, based on the traffic acquisition method and the method in which you want to deploy fabric components. Refer to the Before You Begin section for the prerequisites that must be configured. For more detailed information and the workflow, refer to the following topics:
  • Deploy GigaVUE Fabric Components using Azure
  • Deploy GigaVUE Fabric Components using GigaVUE-FM
  • Traffic Acquisition Method as G-vTAP
  • Traffic Acquisition Method as Customer Orchestrated Source
Deploy GigaVUE Fabric Components using Azure

GigaVUE-FM allows you to use Azure as an orchestrator to deploy GigaVUE fabric nodes and then use GigaVUE-FM to configure the advanced features supported by these nodes. Refer to the following table for the step-by-step instructions.

Step No | Task | Refer the following topics
1 | Obtain GigaVUE-FM Image | Obtain GigaVUE-FM Image
2 | Install GigaVUE-FM on Azure | Install GigaVUE-FM on Azure
3 | Establish connection between GigaVUE-FM and Azure | Establish Connection to Azure
4 | Install G-vTAP Agents. NOTE: When using Azure as your orchestration system you can only use G-vTAP Agents. | For Linux: Linux G-vTAP Agent Installation. For Windows: Windows G-vTAP Agent Installation
5 | Create Azure Credentials to monitor workloads across multiple Azure subscriptions | Create Azure Credentials
6 | Create a Monitoring Domain. NOTE: Ensure that the Use FM to Launch Fabric toggle button is disabled. | Create Monitoring Domain
7 | Configure GigaVUE Fabric Components. NOTE: Select G-vTAP as the Traffic Acquisition Method. | Configure GigaVUE Fabric Components in Azure
8 | Create Monitoring session | Configure Monitoring Session
9 | Add Applications to the Monitoring Session | Add Applications to Monitoring Session
10 | Deploy Monitoring Session | Deploy Monitoring Session
11 | View Monitoring Session Statistics | View Monitoring Session Statistics


Deploy GigaVUE Fabric Components using GigaVUE-FM

You can deploy GigaVUE fabric components using GigaVUE-FM, using one of the following two traffic acquisition methods:

Traffic Acquisition Method as G-vTAP

Follow the instructions in the table below if you wish to use G-vTAP as your traffic acquisition method. In this case the traffic from the Virtual Machines is acquired using the G-vTAP Agents and sent to the GigaVUE V Series Nodes.

Step No | Task | Refer the following topics
1 | Obtain GigaVUE-FM Image | Obtain GigaVUE-FM Image
2 | Install GigaVUE-FM on Azure | Install GigaVUE-FM on Azure
3 | Establish connection between GigaVUE-FM and Azure | Establish Connection to Azure
4 | Install G-vTAP Agents | For Linux: Linux G-vTAP Agent Installation. For Windows: Windows G-vTAP Agent Installation
5 | Create Azure Credentials to monitor workloads across multiple Azure subscriptions | Create Azure Credentials
6 | Create a Monitoring Domain. NOTE: Ensure that the Use FM to Launch Fabric toggle button is enabled. | Create Monitoring Domain
7 | Configure GigaVUE Fabric Components. NOTE: Select G-vTAP as the Traffic Acquisition Method. | Configure GigaVUE Fabric Components in Azure
8 | Create Monitoring session | Configure Monitoring Session
9 | Add Applications to the Monitoring Session | Add Applications to Monitoring Session
10 | Deploy Monitoring Session | Deploy Monitoring Session
11 | View Monitoring Session Statistics | View Monitoring Session Statistics

Traffic Acquisition Method as Customer Orchestrated Source
Follow the instructions in the table below when using Customer Orchestrated Source as your traffic acquisition method. In this case you can use tunnels as a source, where the traffic is directly tunneled to V Series nodes without deploying G-vTAP Agents or G-vTAP Controllers.


Step No | Task | Refer the following topics
1 | Obtain GigaVUE-FM Image | Obtain GigaVUE-FM Image
2 | Install GigaVUE-FM on Azure | Install GigaVUE-FM on Azure
3 | Establish connection between GigaVUE-FM and Azure | Establish Connection to Azure
4 | Create a Monitoring Domain. NOTE: Ensure that the Use FM to Launch Fabric toggle button is enabled. | Create Monitoring Domain
5 | Configure GigaVUE Fabric Components. NOTE: Select Tunnel as the Traffic Acquisition Method. | Configure GigaVUE Fabric Components in Azure
6 | Create Monitoring session | Configure Monitoring Session
7 | Create Ingress and Egress Tunnel Endpoints | Create Ingress and Egress Tunnels
8 | Add Applications to the Monitoring Session | Add Applications to Monitoring Session
9 | Deploy Monitoring Session | Deploy Monitoring Session
10 | View Monitoring Session Statistics | View Monitoring Session Statistics

Create Azure Credentials
You can monitor workloads across multiple Azure subscriptions within one monitoring domain. All the deployed GigaVUE fabric nodes are shared among many Azure subscriptions, which reduces cost; previously, each Azure subscription needed its own set of GigaVUE fabric nodes.
  • After launching GigaVUE-FM in Azure, the Managed Identity authentication credential is automatically added to the Azure Credential page as the default credential.
  • You can only add Application ID with Client Secret authentication credentials to the Azure Credential page.

To create Azure credentials:

1. Go to Inventory > VIRTUAL > Azure, and then click Settings > Credential. The Azure Credential page appears.
2. In the Azure Credential page, click Add. The Configure Credential wizard appears.

3. Enter or select the appropriate information for the Azure credential as described in the following table.

Field | Description
Name | An alias used to identify the Azure credential.
Authentication Type | Application ID with Client Secret: connection to Azure with a service principal. Enter the values for the following fields:
    - Tenant ID: a unique identifier of the Azure Active Directory instance.
    - Application ID: a unique identifier of an application in the Azure platform.
    - Application Secret: a password or key to request tokens.
  Refer to Application ID with client secret for detailed information.
Azure Environment | Select an Azure environment where your workloads are located. For example, Azure_US_Government.

4. Click Save. You can view the list of available credentials in the Azure Credential page.


Prepare G-vTAP Agent to Monitor Traffic
A G-vTAP Agent is the primary Gigamon monitoring module that is installed in your Virtual Machines (VMs). This agent mirrors the selected traffic from the VMs, encapsulates it using VXLAN tunneling, and forwards it to the GigaVUE Cloud Suite® V Series node.
NOTE: The G-vTAP Agent installation is applicable only when the G-vTAP is your traffic acquisition method.
A G-vTAP Agent consists of a source interface and a destination interface. The network packets collected from the source interface are sent to the destination interface. From the destination interface, the packets traverse through VXLAN tunnel interface to the GigaVUE V Series node.
A source interface can be configured with one or more Network Interface Cards (NICs). While configuring a source interface, you can specify the direction of the traffic to be monitored in the VM. The direction of the traffic can be egress, ingress, or both.
Refer to the following sections for more information:
Linux G-vTAP Agent Installation
Refer to the following sections for the Linux agent installation:
  • Single NIC Configuration
  • Dual NIC Configuration
  • Install G-vTAP Agents
Single NIC Configuration
A single NIC/vNIC acts both as the source and the destination interface. A G-vTAP Agent with a single NIC/vNIC configuration lets you monitor the ingress or egress traffic from the NIC/vNIC. The monitored traffic is sent out using the same NIC/vNIC.
For example, assume that there is only one interface eth0 in the monitoring VM. In the G-vTAP configuration, you can configure eth0 as both the source and the destination interface, and select both egress and ingress traffic for monitoring. The egress and ingress traffic from eth0 is mirrored and sent out using the same interface.
NOTE: Using a single NIC/vNIC as the source and the destination interface may cause increased latency in sending the traffic out from the VM.
Example of the G-vTAP config file for a single NIC/vNIC configuration:

    # Grant permission to monitor ingress and egress traffic at iface
    # eth0 mirror-src-ingress mirror-src-egress mirror-dst
Dual NIC Configuration
A G-vTAP Agent lets you configure two NICs/vNICs. One NIC/vNIC can be configured as the source interface and another NIC/vNIC can be configured as the destination interface.
For example, assume that there are eth0 and eth1 in the monitoring VM. In the G-vTAP Agent configuration, eth0 can be configured as the source interface with egress traffic selected for monitoring. The eth1 interface can be configured as the destination interface. So, the mirrored traffic from eth0 is sent to eth1. From eth1, the traffic is sent to the GigaVUE V Series Node.
Example of the G-vTAP config file for a dual NIC/vNIC configuration:
    # Grant permission to monitor ingress and egress traffic at iface
    # 'eth0' to monitor and 'eth1' to transmit the mirrored packets.
    # eth0 mirror-src-ingress mirror-src-egress
    # eth1 mirror-dst
Install G-vTAP Agents
You must have sudo/root access to edit the G-vTAP Agent configuration file.
For dual or multiple NIC/ENI configuration, you may need to modify the network configuration files to make sure that the extra NIC/ENI will initialize at boot time.
NOTE: Before installing G-vTAP Agent .deb or .rpm packages on your Linux VMs, you must install packages like Python3 and Python modules (netifaces, urllib3, and requests).
You can install the G-vTAP Agents either from Debian or RPM packages.
Refer to the following topics for details:
  • Install G-vTAP from Ubuntu/Debian Package
  • Install G-vTAP from RPM package
  • Install G-vTAP from Red Hat Enterprise Linux and CentOS with SELinux Enabled
Install G-vTAP from Ubuntu/Debian Package
To install from a Debian package:

1. Download the G-vTAP Agent 6.3.00 Debian (.deb) package from the Gigamon Customer Portal. For assistance, contact Technical Support.
2. Copy this package to your instance. Install the package with root privileges, for example:

    $ ls gvtap-agent_6.3.00_amd64.deb
    $ sudo dpkg -i gvtap-agent_6.3.00_amd64.deb

3. Once the G-vTAP package is installed, modify the file /etc/gvtap-agent/gvtap-agent.conf to configure and register the source and destination interfaces. The following examples register eth0 as the mirror source for both ingress and egress traffic and eth1 as the destination for this traffic:
NOTE: Any changes to the G-vTAP agent config file made after the initial setup require an agent restart and an inventory refresh or sync from GigaVUE-FM to pick up the new changes and re-initiate the traffic mirroring. When you have an active, successful monitoring session deployed, modifying the G-vTAP config file results in traffic loss until GigaVUE-FM does a periodic sync on its own every 15 minutes.
Example 1–Configuration example to monitor ingress and egress traffic at interface eth0 and use the same interface to send out the mirrored packets

    # eth0 mirror-src-ingress mirror-src-egress mirror-dst

Example 2–Configuration example to monitor ingress and egress traffic at interface eth0 and use the interface eth1 to send out the mirrored packets

    # eth0 mirror-src-ingress mirror-src-egress
    # eth1 mirror-dst

Example 3–Configuration example to monitor ingress and egress traffic at interfaces eth0 and eth1; use the interface eth1 to send out the mirrored packets

    # eth0 mirror-src-ingress mirror-src-egress
    # eth1 mirror-src-ingress mirror-src-egress mirror-dst

4. Save the file.

5. To enable third-party orchestration, create the file /etc/gigamon-cloud.conf with the following contents:
      Registration:
        groupName: <Monitoring Domain Name>
        subGroupName: <Connection Name>
        user: <Username>
        password: <Password>
        remoteIP: <IP address of the G-vTAP Controller 1>, <IP address of the G-vTAP Controller 2>
        remotePort: 8891
   The user and password are the credentials of the GigaVUE-FM user created for third-party orchestration (see Configure Role-Based Access for Third Party Orchestration). Because the file stores this password in plaintext, keep it readable by root only (for example, mode 0600).
6. Reboot the instance.
   After the reboot, the G-vTAP Agent status is displayed as running. Check the status with the following command:
   $ sudo /etc/init.d/gvtap-agent status
   G-vTAP Agent is running
Install G-vTAP from RPM package
To install from an RPM (.rpm) package on a Red Hat, CentOS, or other RPM-based system:
1. Download the G-vTAP Agent 6.3.00 RPM (.rpm) package from the Gigamon Customer Portal. For assistance, contact Technical Support.
2. Copy the package to your instance and install it with root privileges, for example:
   $ ls gvtap-agent_6.3.00_x86_64.rpm
   $ sudo rpm -i gvtap-agent_6.3.00_x86_64.rpm

3. Modify the file /etc/gvtap-agent/gvtap-agent.conf to configure and register the source and destination interfaces. The following examples register eth0 as the mirror source for both ingress and egress traffic and show which interface sends out the mirrored packets:
   NOTE: Any changes to the G-vTAP Agent config file made after the initial setup require an agent restart and an inventory refresh or sync from GigaVUE-FM to pick up the new changes and re-initiate traffic mirroring. If a monitoring session is already deployed and running, modifying the G-vTAP config file results in traffic loss until GigaVUE-FM performs its own periodic sync, which runs every 15 minutes.
   Example 1–Monitor ingress and egress traffic at interface eth0 and use the same interface to send out the mirrored packets:
      # eth0 mirror-src-ingress mirror-src-egress mirror-dst
   Example 2–Monitor ingress and egress traffic at interface eth0 and use interface eth1 to send out the mirrored packets:
      # eth0 mirror-src-ingress mirror-src-egress
      # eth1 mirror-dst
   Example 3–Monitor ingress and egress traffic at interfaces eth0 and eth1 and use interface eth1 to send out the mirrored packets:
      # eth0 mirror-src-ingress mirror-src-egress
      # eth1 mirror-src-ingress mirror-src-egress mirror-dst
4. Save the file.
5. To enable third-party orchestration, create the file /etc/gigamon-cloud.conf with the following contents:
      Registration:
        groupName: <Monitoring Domain Name>
        subGroupName: <Connection Name>
        user: <Username>
        password: <Password>
        remoteIP: <IP address of the G-vTAP Controller 1>, <IP address of the G-vTAP Controller 2>
        remotePort: 8891
   The user and password are the credentials of the GigaVUE-FM user created for third-party orchestration (see Configure Role-Based Access for Third Party Orchestration). Because the file stores this password in plaintext, keep it readable by root only (for example, mode 0600).
6. Reboot the instance.
   Check the status with the following command:
   $ sudo service gvtap-agent status
   G-vTAP Agent is running

Install G-vTAP from Red Hat Enterprise Linux and CentOS with SELinux Enabled
Prerequisite:
You must ensure that port 9901 is allowed in the firewall. This port is required for communication between the G-vTAP Agent and the G-vTAP Controller.
To install, follow these steps:
1. Launch the RHEL/CentOS agent VM image.
2. Download the following packages from the Gigamon Customer Portal. For assistance, contact Technical Support.
   • gvtap-agent_6.3.00_x86_64.rpm
   • gvtap.te files (SELinux type enforcement files)
3. Copy the downloaded G-vTAP package files and the strongSwan TAR file to the G-vTAP Agent VM.
4. Compile the type enforcement file into a policy module and load it:
   $ checkmodule -M -m -o gvtap.mod gvtap.te
   $ semodule_package -o gvtap.pp -m gvtap.mod
   $ sudo semodule -i gvtap.pp
5. Install the G-vTAP Agent package:
   $ sudo rpm -ivh gvtap-agent_6.3.00_x86_64.rpm
6. Edit /etc/gvtap-agent/gvtap-agent.conf to configure the required interfaces as mirror source and destination, then restart the agent:
   NOTE: Any changes to the G-vTAP Agent config file made after the initial setup require an agent restart and an inventory refresh or sync from GigaVUE-FM to pick up the new changes and re-initiate traffic mirroring. If a monitoring session is already deployed and running, modifying the G-vTAP config file results in traffic loss until GigaVUE-FM performs its own periodic sync, which runs every 15 minutes.
      # eth0 mirror-src-ingress mirror-src-egress mirror-dst
   $ sudo /etc/init.d/gvtap-agent restart
7. Reboot the instance.
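The three Linux procedures above all come down to the same two files plus an agent restart. The script below is an added example and not code from the Gigamon guide: it builds both files from constructed values, checks the interface file before the agent is restarted (only the three documented keywords, at least one mirror source, exactly one mirror-dst), writes the registration file with root-only permissions because it holds the GigaVUE-FM password in plaintext, and only runs the restart when APPLY=1 is set. The file paths, keywords, init script and port 8891 are taken from the text; the exactly-one-mirror-dst rule, the 0600 mode, the APPLY switch and the treatment of lines beginning with '#' as comments (so entries are written without the leading '#' shown in the examples above) are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example (not Gigamon code): build and sanity-check the two G-vTAP Agent
# files described above, then restart the agent.
#   /etc/gvtap-agent/gvtap-agent.conf  - which interfaces mirror, which one sends
#   /etc/gigamon-cloud.conf            - registration data for third-party orchestration
# Assumptions: lines starting with '#' are comments; exactly one interface may carry
# mirror-dst; the registration file must be root-only (0600); APPLY=1 enables the restart.
set -eu

# Validate a gvtap-agent.conf: every entry is "<interface> <keyword>..." with only the
# three documented keywords, at least one interface is a source, exactly one is mirror-dst.
check_gvtap_conf() {
  local file=$1 line iface perm lineno=0 src=0 dst=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    set -- $line                       # word-split: $1 = interface, rest = keywords
    [ $# -gt 0 ] || continue           # blank line
    case $1 in '#'*) continue ;; esac  # comment (assumption, see above)
    iface=$1; shift
    [ $# -gt 0 ] || { echo "$file:$lineno: $iface has no mirror permissions" >&2; return 1; }
    for perm; do
      case $perm in
        mirror-src-ingress|mirror-src-egress) src=$((src + 1)) ;;
        mirror-dst) dst=$((dst + 1)) ;;
        *) echo "$file:$lineno: unknown keyword '$perm' on $iface" >&2; return 1 ;;
      esac
    done
  done < "$file"
  [ "$src" -gt 0 ] || { echo "$file: no interface is a mirror source" >&2; return 1; }
  [ "$dst" -eq 1 ] || { echo "$file: expected exactly one mirror-dst, found $dst" >&2; return 1; }
}

# Write the registration file the agent reads at start-up. It carries a plaintext
# GigaVUE-FM password, so it is created 0600 and its contents are never echoed.
# Usage: write_cloud_conf FILE GROUP SUBGROUP USER PASSWORD "IP1, IP2"
write_cloud_conf() {
  local file=$1 group=$2 subgroup=$3 user=$4 password=$5 controllers=$6
  (
    umask 077
    cat > "$file" <<EOF
Registration:
  groupName: $group
  subGroupName: $subgroup
  user: $user
  password: $password
  remoteIP: $controllers
  remotePort: 8891
EOF
  )
  chmod 600 "$file"   # in case the file already existed with wider permissions
}

# Restart the agent with the init script named in the text and show its status.
# Runs only when APPLY=1; otherwise prints what it would do.
restart_agent() {
  if [ "${APPLY:-0}" = 1 ]; then
    sudo /etc/init.d/gvtap-agent restart
    sudo /etc/init.d/gvtap-agent status
  else
    echo "dry run: sudo /etc/init.d/gvtap-agent restart && sudo /etc/init.d/gvtap-agent status"
  fi
}

# Demo with constructed values (Example 2 above: eth0 mirrors, eth1 sends), written
# to a scratch directory rather than /etc so it is safe to run anywhere.
demo() {
  local dir; dir=$(mktemp -d)
  printf '%s\n' 'eth0 mirror-src-ingress mirror-src-egress' 'eth1 mirror-dst' > "$dir/gvtap-agent.conf"
  check_gvtap_conf "$dir/gvtap-agent.conf"
  write_cloud_conf "$dir/gigamon-cloud.conf" AzureMD AzureConn orchuser 'S3cret-example!' '10.0.1.4, 10.0.1.5'
  ls -l "$dir"
  restart_agent
  rm -rf "$dir"
}
demo
```

To apply it for real, point the two functions at /etc/gvtap-agent/gvtap-agent.conf and /etc/gigamon-cloud.conf, run them as root, and set APPLY=1 so the restart is executed; the dry-run path exists so the check can be run on a build host that does not have the agent installed.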
Windows G-vTAP Agent Installation
Windows G-vTAP Agent allows you to select the network interfaces by subnet/CIDR and modify the corresponding monitoring permissions in the configuration file. This gives you more granular control over what traffic is monitored and mirrored.
VXLAN is the only supported tunnel type for Windows G-vTAP Agent.
Windows G-vTAP Agent Installation Using MSI Package
To install the Windows G-vTAP Agent using the MSI file:

1. Download the Windows G-vTAP Agent 6.3.00 MSI package from the Gigamon Customer Portal. For assistance, contact Technical Support.
2. Install the downloaded MSI package as Administrator; the G-vTAP Agent service starts automatically.
3. Once the G-vTAP package is installed, modify the file C:\ProgramData\Gvtapagent\gvtap-agent.conf to configure and register the source and destination interfaces.
   NOTE: Any changes to the G-vTAP Agent config file made after the initial setup require an agent restart and an inventory refresh or sync from GigaVUE-FM to pick up the new changes and re-initiate traffic mirroring. If a monitoring session is already deployed and running, modifying the G-vTAP config file results in traffic loss until GigaVUE-FM performs its own periodic sync, which runs every 15 minutes.
   The following rules apply when modifying the G-vTAP configuration file:
   • An interface is selected by matching its address against the CIDR entries in the config file.
   • For VMs with a single interface (modifying the .conf file is optional):
     - If neither mirror-src permission is granted to the interface, both mirror-src-ingress and mirror-src-egress are granted to it.
     - mirror-dst is always granted implicitly to the interface.
   • For VMs with multiple interfaces:
     - mirror-dst must be granted explicitly in the config file. Only the first matched interface is selected for mirror-dst; all other matched interfaces are ignored.
     - If no interface is granted any mirror-src permission, all interfaces are granted mirror-src-ingress and mirror-src-egress.
   Example 1–Monitor ingress and egress traffic at the interface in 192.168.1.0/24 and use the same interface to send out the mirrored packets:
      192.168.1.0/24 mirror-src-ingress mirror-src-egress mirror-dst
   Example 2–Monitor ingress and egress traffic at the interface in 192.168.1.0/24 and use the interface in 192.168.2.0/24 to send out the mirrored packets:
      192.168.1.0/24 mirror-src-ingress mirror-src-egress
      192.168.2.0/24 mirror-dst
4. Save the file.

5. To enable third-party orchestration, create the file C:\ProgramData\Gvtapagent\gigamon-cloud.conf with the following contents:
      Registration:
        groupName: <Monitoring Domain Name>
        subGroupName: <Connection Name>
        user: orchestration
        password: orchestration123A!
        remoteIP: <controller IP addresses, separated by commas>
        remotePort: 8891
   The user and password shown are example values; use the credentials of the GigaVUE-FM user created for third-party orchestration (see Configure Role-Based Access for Third Party Orchestration). Because the file stores the password in plaintext, restrict its permissions to administrators and the service account.
6. To restart the Windows G-vTAP Agent, perform one of the following actions:
   • Restart the VM.
   • Run sc stop gvtap and then sc start gvtap from an elevated command prompt.
   • Restart the G-vTAP Agent service from the Windows Task Manager.
You can check the status of the G-vTAP Agent in the Services tab of the Windows Task Manager.
Windows G-vTAP Agent Installation Using ZIP Package
To install the Windows G-vTAP Agent using the ZIP package:
1. Download the Windows G-vTAP Agent 6.3.00 ZIP package from the Gigamon Customer Portal. For assistance, contact Technical Support.
2. Extract the contents of the .zip file to a convenient location.
3. Run install.bat as Administrator; the G-vTAP Agent service starts automatically.

4. Once the G-vTAP package is installed, modify the file C:\ProgramData\Gvtapagent\gvtap-agent.conf to configure and register the source and destination interfaces.
   NOTE: Any changes to the G-vTAP Agent config file made after the initial setup require an agent restart and an inventory refresh or sync from GigaVUE-FM to pick up the new changes and re-initiate traffic mirroring. If a monitoring session is already deployed and running, modifying the G-vTAP config file results in traffic loss until GigaVUE-FM performs its own periodic sync, which runs every 15 minutes.
   The following rules apply when modifying the G-vTAP configuration file:
   • An interface is selected by matching its address against the CIDR entries in the config file.
   • For VMs with a single interface (modifying the .conf file is optional):
     - If neither mirror-src permission is granted to the interface, both mirror-src-ingress and mirror-src-egress are granted to it.
     - mirror-dst is always granted implicitly to the interface.
   • For VMs with multiple interfaces:
     - mirror-dst must be granted explicitly in the config file. Only the first matched interface is selected for mirror-dst; all other matched interfaces are ignored.
     - If no interface is granted any mirror-src permission, all interfaces are granted mirror-src-ingress and mirror-src-egress.
   Example 1–Monitor ingress and egress traffic at the interface in 192.168.1.0/24 and use the same interface to send out the mirrored packets:
      192.168.1.0/24 mirror-src-ingress mirror-src-egress mirror-dst
   Example 2–Monitor ingress and egress traffic at the interface in 192.168.1.0/24 and use the interface in 192.168.2.0/24 to send out the mirrored packets:
      192.168.1.0/24 mirror-src-ingress mirror-src-egress
      192.168.2.0/24 mirror-dst
5. Save the file.
6. To enable third-party orchestration, create the file C:\ProgramData\Gvtapagent\gigamon-cloud.conf with the same contents as in the MSI procedure above:
      Registration:
        groupName: <Monitoring Domain Name>
        subGroupName: <Connection Name>
        user: <Username>
        password: <Password>
        remoteIP: <controller IP addresses, separated by commas>
        remotePort: 8891

7. To restart the Windows G-vTAP Agent, perform one of the following actions:
   • Restart the VM.
   • Run sc stop gvtap and then sc start gvtap from an elevated command prompt.
   • Restart the G-vTAP Agent service from the Windows Task Manager.
You can check the status of the G-vTAP Agent in the Services tab of the Windows Task Manager.
NOTE: You must edit the Windows Firewall settings to grant access to the gvtap process. To do this, access the Windows Firewall settings and find “gvtapd” in the list of apps and features. Select it to grant access. Be sure to select both Private and Public check boxes. If “gvtapd” does not appear in the list, click Add another app… Browse your program files for the gvtap-agent application (gvtapd.exe) and then click Add. (Disclaimer: These are general guidelines for changing Windows Firewall settings. See Microsoft Windows help for official instructions on Windows functionality.)
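The selection rules listed in both Windows procedures above are easy to misjudge on a VM with several NICs: mirror-dst goes only to the first matched interface, and the implicit grants depend on whether any interface received an explicit mirror-src. The script below, an added example that is not part of the Gigamon guide, implements those rules as stated and prints the permissions each interface would end up with, so a gvtap-agent.conf can be checked before the service is restarted. Its assumptions, none of which the page states, are: IPv4 only; the first config entry whose CIDR contains an address is the one that applies to it; "first matched interface" means the first address in the order given; keywords other than the three documented ones are ignored.

```bash
#!/usr/bin/env bash
# Added example, not part of the Gigamon guide: apply the Windows G-vTAP Agent
# interface-selection rules quoted above to a gvtap-agent.conf and a list of
# interface addresses, and print the effective permissions of each interface.
# Assumptions (not stated on the page): IPv4 only; the first config entry whose
# CIDR contains an address applies to it; "first matched interface" means the
# first address in the order given; unknown keywords are ignored.
set -eu

# Dotted-quad IPv4 address -> unsigned 32-bit integer.
ip4_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR: succeed if IP lies inside CIDR (a bare address means /32).
in_cidr() {
  local ip net bits mask
  ip=$(ip4_to_int "$1")
  case $2 in */*) net=${2%/*}; bits=${2#*/} ;; *) net=$2; bits=32 ;; esac
  net=$(ip4_to_int "$net")
  if [ "$bits" -eq 0 ]; then mask=0; else mask=$(( (4294967295 << (32 - bits)) & 4294967295 )); fi
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# entry_perms IP CONF: print the keywords of the first config entry matching IP
# (nothing if none). Blank lines, comments and non-address first fields are skipped.
entry_perms() {
  local cidr rest
  while read -r cidr rest; do
    case $cidr in ''|'#'*|*[!0-9./]*) continue ;; esac
    if in_cidr "$1" "$cidr"; then printf '%s\n' "$rest"; return 0; fi
  done < "$2"
  return 0
}

# resolve_permissions CONF IP [IP...]: one line per interface,
# "<ip> <effective permissions>", after the implicit-grant rules are applied.
resolve_permissions() {
  local conf=$1 n any_src=0 dst_taken=0 ip perm perms
  shift
  n=$#
  # Pass 1: was any interface explicitly granted a mirror-src permission?
  for ip; do
    case " $(entry_perms "$ip" "$conf") " in *" mirror-src-"*) any_src=1 ;; esac
  done
  # Pass 2: build each interface's effective permission set.
  for ip; do
    perms=""
    for perm in $(entry_perms "$ip" "$conf"); do
      case $perm in
        mirror-src-ingress|mirror-src-egress) perms="$perms$perm " ;;
        mirror-dst)
          # Multi-NIC rule: only the first matched interface gets mirror-dst.
          if [ "$dst_taken" -eq 0 ]; then perms="${perms}mirror-dst "; dst_taken=1; fi ;;
      esac
    done
    # No explicit mirror-src anywhere: every interface mirrors ingress and egress.
    if [ "$any_src" -eq 0 ]; then perms="mirror-src-ingress mirror-src-egress $perms"; fi
    # Single-NIC rule: mirror-dst is always implicit.
    if [ "$n" -eq 1 ]; then case $perms in *mirror-dst*) ;; *) perms="${perms}mirror-dst " ;; esac; fi
    printf '%s %s\n' "$ip" "${perms% }"
  done
}

# Demo with a constructed config (Example 2 above) on a two-NIC VM and a one-NIC VM.
demo() {
  local dir; dir=$(mktemp -d)
  printf '%s\n' '192.168.1.0/24 mirror-src-ingress mirror-src-egress' '192.168.2.0/24 mirror-dst' > "$dir/gvtap-agent.conf"
  echo "two NICs:"; resolve_permissions "$dir/gvtap-agent.conf" 192.168.1.10 192.168.2.10
  echo "one NIC, no matching entry:"; resolve_permissions "$dir/gvtap-agent.conf" 10.0.0.5
  rm -rf "$dir"
}
demo
```

Feed it the addresses of the VM's NICs in the order Windows enumerates them (ipconfig) and the config file you intend to deploy; an output with no mirror-dst on a multi-NIC VM, or with mirror-dst on the wrong NIC, means the file needs an explicit mirror-dst entry before the service is restarted.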

Create Images with the Agent Installed
If you want to avoid downloading and installing the G-vTAP Agents every time there is a new VM to be monitored, you can save the G-vTAP Agent running on a VM as a private image. When a new VM is launched that contains the G-vTAP Agent, GigaVUE-FM automatically detects the new VM and updates the number of monitoring VMs in the monitoring session.
To save the G-vTAP Agent as an image, refer to Capture VM to managed image topic in the Microsoft Azure Documentation.
Install Custom Certificate
GigaVUE V Series Nodes, GigaVUE V Series Proxies, and G-vTAP Controllers ship with default self-signed certificates. Communication between GigaVUE-FM and the fabric components is secured using these default self-signed certificates; however, you can also install your own SSL/TLS certificates to avoid the trust findings that security scanners report when they probe GigaVUE V Series Nodes, GigaVUE V Series Proxies, or G-vTAP Controllers that present a self-signed certificate.
You can upload a custom certificate in two ways:
• Upload Custom Certificates using GigaVUE-FM
• Upload Custom Certificate using Third Party Orchestration


Upload Custom Certificates using GigaVUE-FM

To upload the custom certificate using GigaVUE-FM, follow these steps:

1. Go to Inventory > Security > Custom SSL Certificate. The Custom Certificate Configuration page appears.
2. On the Custom Certificate Configuration page, click Add. The New Custom Certificate page appears.
3. Enter or select the appropriate information as shown in the following table.

   Field             Action
   Certificate Name  Enter the custom certificate name.
   Certificate       Click the Upload button to upload the certificate.
   Private Key       Click the Upload button to upload the private key associated with the certificate.

4. Click Save.

You must also add the root CA certificate, or the issuing (intermediate) CA certificate, to the Trust Store; otherwise GigaVUE-FM cannot validate the uploaded certificate. For more detailed information on how to add a CA certificate, refer to the Trust Store topic in the GigaVUE Administration Guide.

The certificates uploaded here can be linked to the respective GigaVUE V Series Node, GigaVUE V Series Proxy, and G-vTAP Controller in the Fabric Launch Configuration Page. Refer to Configure GigaVUE Fabric Components in GigaVUE-FM topic in the respective cloud guides for more detailed information.

Upload Custom Certificate using Third Party Orchestration
You can also upload custom certificates to GigaVUE V Series Nodes, GigaVUE V Series Proxies, and G-vTAP Controllers from your own cloud platform at the time the fabric components are deployed. Refer to the following topics for more detailed information on uploading custom certificates using third-party orchestration on the respective platforms:
For integrated mode:
• Configure GigaVUE Fabric Components in AWS
• Configure GigaVUE Fabric Components in Azure
• Configure GigaVUE Fabric Components in OpenStack
For generic mode:
• Configure GigaVUE Fabric Components in AWS
• Configure GigaVUE Fabric Components in Azure
• Configure GigaVUE Fabric Components in GCP
• Configure GigaVUE Fabric Components in Nutanix
• Configure GigaVUE Fabric Components in OpenStack
• Configure GigaVUE V Series Nodes using VMware ESXi
Create Monitoring Domain
You must establish a connection between GigaVUE-FM and your Azure environment before you can perform the configuration steps. Creating a monitoring domain in GigaVUE-FM establishes that connection. Once it is established, you can use GigaVUE-FM to specify a launch configuration for the G-vTAP Controllers, GigaVUE V Series Proxy, and GigaVUE V Series Nodes in the specified VNet and Resource Groups. GigaVUE-FM authenticates to Azure using either an Application ID with a client secret or a managed identity (MSI). After the connection is established, GigaVUE-FM launches the G-vTAP Controller, GigaVUE V Series Proxy, and GigaVUE V Series 2 Node.
To create an Azure monitoring domain in GigaVUE-FM:

1. Go to Inventory > VIRTUAL > Azure, and then click Monitoring Domain. The Monitoring Domain page appears.
2. In the Monitoring Domain page, click New. The Azure Monitoring Domain Configuration wizard appears.


3. Enter or select the appropriate information for the monitoring domain as described in the following table.

   Monitoring Domain: An alias used to identify the monitoring domain.

   Use V Series 2: Select Yes for V Series 2 configuration.

   Traffic Acquisition Method: Select a tapping method. The available options are:
   • G-vTAP: If you select G-vTAP as the tapping method, the traffic is acquired from the G-vTAP Agents installed on your standard VMs in the Resource Group or in the Scale Sets, and the acquired traffic is forwarded to the GigaVUE V Series nodes. You must configure the G-vTAP Controller to monitor the G-vTAP Agents.
   • Customer Orchestrated Source: If you select Customer Orchestrated Source as the tapping method, you can select a tunnel as the source; the traffic is tunneled directly to the GigaVUE V Series nodes without deploying G-vTAP Agents or G-vTAP Controllers.
   NOTE: Select Customer Orchestrated Source as the Traffic Acquisition Method if you wish to use the Observability Gateway (AMX) application.

   Traffic Acquisition Tunnel MTU: The Maximum Transmission Unit (MTU) is the maximum size of each packet that the tunnel endpoint can carry from the G-vTAP Agent to the GigaVUE V Series node. For VXLAN, the default value is 1450. The G-vTAP Agent tunnel MTU should be 50 bytes less than the MTU of the agent's destination interface, which leaves room for the VXLAN encapsulation headers (outer Ethernet, IP, UDP and VXLAN).

   Use FM to Launch Fabric Connections: Select Yes to Configure GigaVUE Fabric Components in GigaVUE-FM, or No to Configure GigaVUE Fabric Components in Azure.

   NOTE: You can add multiple connections in a monitoring domain. Refer to Create Azure Credentials for more information on adding multiple Application ID with Client Secret credentials.

   Name: An alias used to identify the connection.

   Credential: Select an Azure credential. For detailed information, refer to Create Azure Credentials.

   Subscription ID: A unique alphanumeric string that identifies your Azure subscription.

   Region: Azure region for the monitoring domain. For example, West India.

   Resource Groups: Select the Resource Groups of the corresponding VMs to monitor.
   NOTE: This field is only available if you select G-vTAP as the Traffic Acquisition Method.

4. Click Save and the Azure Fabric Launch Configuration wizard appears.

Managing Monitoring Domain

You can view the details of the monitoring domains that have been created in the list view. The list view can be displayed by:
• Monitoring Domain
• Connections
• Fabric
• G-vTAP Agents

You can also filter the monitoring domains based on a specified criterion. The monitoring domain page has two filter options:
• Right filter: Click the Filter button on the right to filter the monitoring domains based on a specific criterion.
• Left filter: Click the filter icon on the left to filter the monitoring domains based on the domain and connections. You can click + to create a new monitoring domain. Once applied, this filter remains in effect when you switch tabs.

To edit or delete a specific monitoring domain, select the monitoring domain and click the ellipsis (...).

When you click a monitoring domain, you can view its details in a split view of the window. In the split view, you can see details such as Configuration, Launch Configuration and V Series configuration.

Monitoring Domain

The list view shows the following columns on the monitoring domain page:
• Monitoring Domain
• Connections
• Tunnel MTU
• Acquisition Method
• Centralized Connection
• Management Network

NOTE: Click the column-selector icon to choose the columns that appear in the list view.

Use the following buttons to manage your Monitoring Domain:

New: Creates a new connection.

Actions: Select a monitoring domain and then perform one of the following options:
• Edit Monitoring Domain: Select a monitoring domain and click Edit Monitoring Domain to update its configuration.
• Delete Domain: Select one or more monitoring domains to delete them.
• Edit Fabric: Select one or more fabrics belonging to the same monitoring domain to edit them. You cannot select fabrics from different monitoring domains at the same time.
• Deploy Fabric: Select a monitoring domain to deploy a fabric; you cannot select multiple monitoring domains at the same time. This option is only enabled when that monitoring domain has no fabric (launch configuration) and GigaVUE-FM orchestration is enabled. If the option is disabled, you must create a fabric in the monitoring domain.
• Upgrade Fabric: Select one or more monitoring domains to upgrade their fabric. You can upgrade the V Series nodes using this option.
• Delete Fabric: Deletes all the fabrics associated with the monitoring domain of the selected fabric.

Filter: Filters the monitoring domains based on the configured list view options: Tunnel MTU, Acquisition Method, Centralized Connection, Management Subnet. The applied filters appear as buttons at the top of the monitoring domain page; remove a filter by closing its button.

Connections

To view the connection-related details for a monitoring domain, click the Connections tab.

The list view shows the following details: Connections, Monitoring Domain, Status, Fabric Nodes, User Name, Region.

Fabric

To view the fabric-related details for a monitoring domain, click the Fabric tab.

The list view shows the following details: Connections, Monitoring Domain, Fabric Nodes, Type, Management IP, Version, Status (click to view the upgrade status for a monitoring domain), Security Groups.

G-vTAP Agents

To view all the G-vTAP Agents associated with the available monitoring domains, click the G-vTAP Agents tab.

The list view shows the following details: Monitoring Domain, IP address, Registration time, Last heartbeat time, Agent mode, Status.

Refer to Configure the OpenStack Settings for information regarding Settings.

Configure GigaVUE Fabric Components in GigaVUE-FM
After configuring the Monitoring Domain, you will be navigated to the Azure Fabric Launch Configuration page.
In the same Azure Fabric Launch Configuration page, you can configure all the GigaVUE fabric components.

Enter or select the required information as described in the following table.

Connections: A connection that you created in the monitoring domain page. Refer to Create Monitoring Domain for more information.

Centralized Virtual Network: Alias of the centralized VNet in which the G-vTAP Controllers, V Series Proxies, and GigaVUE V Series nodes are launched.

Authentication Type: Select Password or SSH Public Key as the Authentication Type used to connect to the fabric nodes in the Centralized VNet.
NOTE: SSH Public Key is the only supported authentication type for the V Series 2 solution.

SSH Public Key: The SSH public key for the GigaVUE fabric nodes.

Resource Group: The Resource Group created in Azure for communication between the controllers, nodes, and GigaVUE-FM.

Security Groups: The security group created for the GigaVUE fabric nodes.

Enable Custom Certificates: Enable this option to validate the custom certificate during SSL communication. GigaVUE-FM validates the custom certificate against its Trust Store; if the certificate cannot be validated against the Trust Store, communication does not happen and a handshake error occurs.
NOTE: If the certificate expires after the fabric components have been successfully deployed, the fabric components move to the failed state.

Certificate: Select the custom certificate from the drop-down menu. You can also upload the custom certificate for GigaVUE V Series Nodes, GigaVUE V Series Proxy, and G-vTAP Controllers. For more detailed information, refer to Install Custom Certificate.

Configure a V Series Proxy: Click Yes to configure a V Series Proxy for the monitoring domain. Refer to Configure GigaVUE V Series Proxy.

To deploy GigaVUE fabric images (V Series nodes, G-vTAP Controllers, and V Series Proxies) from GigaVUE-FM, you must first accept the terms of the GigaVUE fabric images from the Azure Marketplace using the Azure CLI or PowerShell. Example (Azure CLI; replace <version> with the fabric image version you are deploying):
   az vm image list --all --publisher gigamon-inc --offer gigamon-fm-<version>
   az vm image terms accept --urn gigamon-inc:gigamon-fm-<version>:vseriesnode:<version>
   az vm image terms accept --urn gigamon-inc:gigamon-fm-<version>:vseriesproxy:<version>
   az vm image terms accept --urn gigamon-inc:gigamon-fm-<version>:gvtapcntlr:<version>
Refer to the following topics for details:
l Configure G-vTAP Controllers
l Configure GigaVUE V Series Proxy
l Configure GigaVUE V Series Node

Configure G-vTAP Controller
A G-vTAP Controller manages multiple G-vTAP Agents and orchestrates the flow of mirrored traffic to GigaVUE V Series nodes.
NOTE: A single G-vTAP Controller can manage up to 1000 G-vTAP Agents. The recommended minimum instance type for the G-vTAP Controller is Standard_B1s.
A G-vTAP Controller can only manage G-vTAP Agents that have the same version.
NOTE: You cannot configure a G-vTAP Controller when Customer Orchestrated Source is the traffic acquisition method.
To configure the G-vTAP Controllers, in the Azure Fabric Launch Configuration page, enter or select the appropriate values for the G-vTAP Controller as described in the following table.


Controller Version(s): The G-vTAP Controller version you configure must always be the same as the version of the G-vTAP Agents deployed in the VMs. If multiple versions of G-vTAP Agents are deployed, you must configure a G-vTAP Controller for each of those versions.
NOTE: If there is a version mismatch between G-vTAP Controllers and G-vTAP Agents, GigaVUE-FM cannot detect the agents in the instances.
To add G-vTAP Controllers:
a. Under Controller Versions, click Add.
b. From the Image drop-down list, select a G-vTAP Controller image that matches the version number of the G-vTAP Agents installed in the instances.
c. From the Size drop-down list, select a size for the G-vTAP Controller. The default size is Standard_B1s.
   NOTE: Only some instance types are supported on the Azure platform. Refer to the Microsoft Azure documentation to learn about supported instance types.
d. In Number of Instances, specify the number of G-vTAP Controllers to launch. The minimum number you can specify is 1.

Management Subnet:
IP Address Type: Select one of the following IP address types:
• Private: Assigns an IP address that is not reachable over the Internet. Use a private IP address for communication between the G-vTAP Controller instances and GigaVUE-FM instances in the same network.
• Public: Assigns an IP address from Azure's pool of public IP addresses. The public IP address changes every time the instance is stopped and restarted. When you select the Public IP address type, you must select all the required public IPs.
Subnet: Select a subnet for the G-vTAP Controller. This subnet is used for communication between the G-vTAP Controllers and the G-vTAP Agents, and for communication with GigaVUE-FM. Every fabric node (both controllers and nodes) needs a way to talk to the others and to GigaVUE-FM, so they should share at least one management plane/subnet.

Additional Subnet(s): (Optional) If there are G-vTAP Agents on subnets that are not IP routable from the management subnet, specify additional subnets so that the G-vTAP Controller can communicate with all the G-vTAP Agents. Click Add to specify additional data subnets, if needed. Also make sure that you specify a list of security groups for each additional subnet.

Tag(s): (Optional) A key name and value that help to identify the G-vTAP Controller instances in your Azure environment. For example, you might have G-vTAP Controllers deployed in many regions. To distinguish these G-vTAP Controllers by region, you can provide a name that is easy to identify, such as us-west-2-gvtap-controllers. To add a tag:
a. Click Add.
b. In the Key field, enter the key. For example, enter Name.
c. In the Value field, enter the key value. For example, us-west-2-gvtap-controllers.

Configure GigaVUE V Series Proxy
A GigaVUE V Series Proxy can manage multiple GigaVUE V Series Nodes and orchestrates the flow of traffic from the GigaVUE V Series nodes to the monitoring tools. GigaVUE-FM uses one or more GigaVUE V Series Proxies to communicate with the GigaVUE V Series nodes.
NOTE: A single GigaVUE V Series Proxy can manage up to 100 GigaVUE V Series nodes. The recommended minimum instance type for the V Series Proxy is Standard_B1s.
To configure the GigaVUE V Series Proxy:
1. In the Azure Fabric Launch Configuration page, select Yes to Configure a V Series Proxy; the GigaVUE V Series Proxy fields appear.
2. Enter or select the appropriate values for the V Series Proxy. Refer to the G-vTAP Controller field descriptions for detailed information.

Configure GigaVUE V Series Node
A GigaVUE V Series node is a visibility node that aggregates mirrored traffic from multiple G-vTAP Agents. It applies filters, manipulates the packets using GigaSMART applications, and distributes the optimized traffic to cloud-based tools or backhauls it to GigaVUE Cloud Suite for Azure using standard VXLAN tunnels.
To launch a GigaVUE V Series node:
In the Azure Fabric Launch Configuration page, enter or select the appropriate values for the GigaVUE V Series Node as described in the following table.

Image: From the Image drop-down list, select a GigaVUE V Series Node image.

Size: From the Size drop-down list, select a size for the GigaVUE V Series Node. The default size for V Series 2 configuration is Standard_D4s_v4.

Disk Size (GB): The size of the storage disk. The default disk size is 30 GB.
NOTE: When using Application Metadata Exporter, the minimum recommended disk size is 80 GB.

IP Address Type: Select one of the following IP address types:
• Private: Assigns an IP address that is not reachable over the Internet. Use a private IP address for communication between the GigaVUE V Series Node instances and GigaVUE-FM instances in the same network.
• Public: Assigns an IP address from Azure's pool of public IP addresses. When you select the Public IP address type, you must select as many public IPs as the number defined in Max Instances.

Management Subnet: Select a management subnet for the GigaVUE V Series Nodes. This subnet is used for communication between the G-vTAP Agents and the GigaVUE V Series Nodes, and for communication with GigaVUE-FM. Every fabric node (both controllers and nodes) needs a way to talk to the others and to GigaVUE-FM, so they should share at least one management plane/subnet.

Data Subnet(s): The subnet that receives the mirrored VXLAN tunnel traffic from the G-vTAP Agents. Select a subnet and the respective Security Groups. Click Add to add additional data subnets.
NOTE: Using the Tool Subnet checkbox, you can indicate the subnets the GigaVUE V Series Nodes use to egress the aggregated/manipulated traffic to the tools.

Tag(s): (Optional) A key name and value that help to identify the GigaVUE V Series Node instances in your Azure environment. For example, you might have GigaVUE V Series Nodes deployed in many regions. To distinguish these GigaVUE V Series Nodes by region, you can provide a name that is easy to identify. To add a tag:
a. Click Add.
b. In the Key field, enter the key. For example, enter Name.
c. In the Value field, enter the key value.

Min Instances: The minimum number of GigaVUE V Series Nodes to be launched in the Azure connection. The minimum number of instances that can be entered is 1.
NOTE: Nodes are launched when a monitoring session is deployed and GigaVUE-FM discovers targets to monitor; the minimum number is launched at that time. GigaVUE-FM deletes nodes that remain idle for over 15 minutes.

Max Instances: The maximum number of GigaVUE V Series Nodes that can be launched in the Azure connection. When the number of monitored instances per V Series node exceeds what the configured maximum can serve, increase the value in Max Instances. When additional V Series nodes are launched, GigaVUE-FM re-balances the instances assigned to the nodes, which can cause a brief interruption of traffic.

Click Save to complete the Azure Fabric Launch Configuration.
A monitoring domain is created, and you can view the monitoring domain and fabric component details by clicking on a monitoring domain name in the Monitoring Domain page.

Configure Role-Based Access for Third Party Orchestration
Before deploying the fabric components using a third-party orchestrator, you must create users, roles and the respective user groups in GigaVUE-FM. The username and password provided in the User Management page are used in the registration data with which the fabric components are deployed from your orchestrator.

Users
The Users page lets you manage the GigaVUE-FM and GigaVUE-OS FM users. You can also configure a user's role and user groups to control the access privileges of the user in GigaVUE-FM.
Add Users
This section provides the steps for adding users. You can add users only if you are a user with the fm_super_admin role or a user with read/write access to the FM Security Management category.
IMPORTANT: It is recommended to create users through GigaVUE-FM:
- You cannot view or manage users created in the GigaVUE-FM CLI using GigaVUE-FM.
- You cannot view changes made to users in the GigaVUE-FM CLI in GigaVUE-FM.
NOTE: Monitor and operator users are not available in GigaVUE-FM. However, if you upgrade from a previous version in which monitor/operator users have been mapped in map default user, then after the upgrade:
- In AAA: users authenticated through the external servers are assigned the fm_user role.
- In LDAP: the remote group based DN entry is not migrated.
To add users perform the following steps:
1. On the left navigation pane, open Authentication > GigaVUE-FM User Management > Users. The Users page is displayed.

Figure 1 FM Users Page
2. Click New User. In the Add User wizard that appears perform the following steps.


Figure 2 Create User
a. In the Add User pop-up box, enter the following details:
- Name: Actual name of the user
- Username: User name configured in GigaVUE-FM
- Email: Email ID of the user
- Password/Confirm Password: Password for the user. Refer to the Change Your Password section.
- User Group: User group
NOTE: GigaVUE-FM will prompt for your password.
b. Click Ok to save the configuration.
The new user is added to the summary list view.
You can also assign users to roles and user groups that set the access permissions. Refer to the following sections for details:
- Create Roles
- Create Groups

NOTE: If you have logged in as a user with the fm_super_admin role or a user with read/write access on the FM Security Management category, click on the ellipsis to:
- Assign User Group: Assign a user group to users.
- Edit: Edit the user details.
- Delete: Delete a user.
- Unlock: Unlock a locked user.


How to Unlock User Account

To unlock a locked user, you must be a user with the fm_super_admin role or a user with read/write access on the FM Security Management category.
To unlock:
1. Select the required user whose account you want to unlock.
2. Click on the ellipses and select Unlock. You can also click the Actions drop-down button and select Unlock.
3. A notification message appears. Click Unlock to unlock the user.
The user account is unlocked. An event is triggered in the Events page, and an email is sent if Email Notification settings are configured.
The username and password provided in this section are used as the user and password in the registration data.
After adding the user, you must configure roles for third-party orchestration.


Create Roles
You can associate a role with a user. Under the Select Permissions tab, select Third Party Orchestration and provide read/write permissions. A user whose role grants only this category can register fabric components but cannot change anything else in GigaVUE-FM, which is the least privilege the registration credential needs.

This section describes the steps for creating roles and assigning user(s) to those roles.
GigaVUE-FM has the following default roles:
- fm_super_admin: Allows a user to do everything in Fabric Manager, including adding or modifying users and configuring all AAA settings in the RADIUS, TACACS+, and LDAP tabs. Can change the password for all users.
- fm_admin: Allows a user to do everything in Fabric Manager except add or modify users and change AAA settings. Can only change own password.
- fm_user: Allows a user to view everything in Fabric Manager, including AAA settings, but cannot make any changes.
NOTE: If you are a user with read-only access you will be restricted from performing any configurations on the screen. The menus and action buttons in the UI pages will be disabled appropriately.

Starting in software version 5.7, you can create custom user roles in addition to the default user roles in GigaVUE-FM. Access control for the default roles and the custom roles is based on the categories defined in GigaVUE-FM. These categories provide the ability to limit user access to a set of managed inventories such as ports, maps, cluster, forward list and so on.

Refer to the following table for the various categories and the associated resources. Hover your mouse over the resource categories in the Roles page to view the description of the resources in detail.

Category: All
Associated resources: Manages all resources.
- A user with the fm_super_admin role has both read and write access to all the resource categories.
- A user with the fm_user role has only read access to all the resource categories.

Category: Infrastructure Management
Associated resources: Manages resources such as devices, cards, ports and cloud resources. You can add or delete a device in GigaVUE-FM, enable or disable cards, modify port parameters, and set leaf-spine topology. The following resources belong to this category:
- Physical resources: Chassis, slots, cards, ports, port groups, port pairs, cluster config, nodes and so on
- GigaVUE-FM inventory resources: Nodes, node credentials
- Device backup/restore: Device and cluster configuration
- Device license configuration: Device/cluster licensing
- Statistics: Device, port
- Tags: Events, historical trending
- Device security: System Time, System Event Notification, System Local User, System Security Policy Settings, AAA Authentication Settings, Device User Roles, LDAP Servers, RADIUS Servers, TACACS+ Servers
- Device maintenance: Sys Dump, Syslog
- Cloud infrastructure resources: Cloud Connections, Cloud Proxy Server, Cloud Fabric Deployment, Cloud Configurations, Sys Dump, Syslog, Cloud licenses, Cloud Inventory
NOTE: Cloud APIs are also RBAC enabled.

Category: Traffic Control Management
Associated resources: Manages inline resources, flow maps, GigaSMART applications, second level maps, map chains and map groups. The following resources belong to this category:
- Infrastructure resources: IP interfaces, circuit tunnels, tunnel endpoints, tunnel load balancing endpoints, ARP entries
- Intent Based Orchestration resources: Policies, rules
- GigaSMART resources: GigaSMART, GSgroups, vPorts, Netflow exporters
- Map resources: Fabric, fabric resources, flow maps, maps, map chains, map groups, map templates
- Application intelligence resources: Application visibility, metadata, application filter resources
- Tag: Flow manipulation (Netflow operations), Statistics (device port)
- Active visibility
- Inline resources: Inline networks, inline network groups, inline tools, inline tool groups, inline serial tools, inline heartbeat profile
- Cloud operation resources: Monitoring session, stats, map library, tunnel library, tools library, inclusion/exclusion maps
NOTE: Cloud APIs are also RBAC enabled.

Category: FM Security Management
Associated resources: Ensures a secure GigaVUE-FM environment. Users in this category can manage users and roles, AAA services and other security operations.

Category: System Management
Associated resources: Controls system administration activities of GigaVUE-FM. Users in this category are allowed to perform operations such as backup/restore of GigaVUE-FM and devices, and upgrade of GigaVUE-FM. The following GigaVUE-FM resources belong to this category:
- Backup/restore
- Archive server
- License
- Storage management
- Image repo config
- Notification target/email

Category: Forward list/CUPS Management
Associated resources: Manages the forward list configuration. The following resources belong to this category:
- GTP forward list
- SIP forward list
- Diameter forward list

Category: Third Party Orchestration
Associated resources: Used to deploy fabric components using an external orchestrator.

Category: Device Certificate Management
Associated resources: Manages device certificates.

Category: Other Resource Management
Associated resources: Manages virtual and cloud resources.

You can associate a custom user role either with a single category or with a combination of categories, which determines the resources the users will have access to. For example, you can create a 'Physical Devices Technician' role such that a user associated with this role can only access the resources that are part of Infrastructure Management.
NOTE: A user with fm_admin role has both read and write access to all of the categories, but has read only access to the FM Security Management category.


To create a role:
1. On the left navigation pane, open Authentication > GigaVUE-FM User Management > Roles.
2. Click New Role.
3. In the New Role page, select or enter the following details:
- Role Name: Name of the role.
- Description: Description of the role.
- Select Permission: In the Select Permission table, select the required permission for the various resource categories.
4. Click Apply to save the configuration.


Create User Groups
Starting in software version 5.8.00, you can use the user group option to associate users with roles and tags. A user group consists of a set of roles and a set of tags associated with that group. When a user is created, they can be associated with one or more user groups.
The following user groups are available by default in GigaVUE-FM. You cannot edit or change these groups in the system.

User Group: Super Admin Group
Tag Key = All, Tag Value = All
Permission: Group with the privileges of the fm_super_admin role.

User Group: Admin Group
Tag Key = All, Tag Value = All
Permission: Group with the privileges of the fm_admin role.

User Group: View only user
Tag Key = All, Tag Value = All
Permission: Group with the privileges of the fm_user role.

By creating groups and associating them with tags and roles, you can control the following for users:
- The category of resources which the user can access, such as clusters, ports, maps and so on. This is defined using the Roles option. Refer to the Roles section for more details.
- The physical and logical resources that the user can access, such as the ports in a cluster that belong to a specific department in a location. This is defined using the Tags option.
Refer to the following flow chart to see how access control operation occurs when the user accesses a resource:


To create a user group:
1. On the left navigation pane, open Authentication > GigaVUE-FM User Management > User Groups.
2. Click New Group. In the wizard that appears, perform the following steps. Click Next to progress forward and click Back to navigate backward and change the details.


3. In the Group Info tab, enter the following details:
- Group Name
- Description
4. In the Assign Roles tab, select the required role.
5. In the Assign Tags tab, select the required tag key and tag value.
6. In the Assign Users tab, select the required users. Click Apply to save the configuration. Click Skip and Apply to skip this step and proceed without adding users.
The new user group is added to the summary list view.
Click on the ellipses to perform the following operations:
- Modify Users: Edit the details of the users.
- Edit: Edit an existing group.
Configure GigaVUE Fabric Components in Azure
This section provides step-by-step information on how to register GigaVUE fabric components using Azure Portal or a configuration file.
Overview of Third-Party Orchestration
You can use your own Azure Orchestrator to deploy the GigaVUE fabric nodes instead of using GigaVUE-FM to deploy your fabric components.

The third-party orchestration feature allows you to deploy GigaVUE fabric components using your own Azure orchestration system. These fabric components register themselves with GigaVUE-FM using the information you provide. Once the nodes are registered with GigaVUE-FM, you can configure monitoring sessions and related services in GigaVUE-FM.
You can either manually deploy the fabric nodes using a configuration file, or you can use the Azure portal to launch the instances and deploy the fabric nodes using Custom data. Using the Custom data you provide, the fabric nodes register themselves with GigaVUE-FM. Based on the group name and sub group name in the Custom data, GigaVUE-FM groups these fabric nodes under their respective monitoring domain and connection name. The health status of the registered nodes is determined by the heartbeat messages sent from the respective nodes.
You can also upload custom certificates to GigaVUE V Series Nodes, GigaVUE V Series Proxy, and G-vTAP Controller using your own cloud platform when deploying the fabric components. Refer to Install Custom Certificate for more detailed information.
Prerequisites
A GigaVUE V Series Node must have a minimum of two network interfaces (NICs) attached to it: a management NIC and a data NIC with Accelerated Networking enabled.
When creating a virtual machine for a GigaVUE V Series Node using the CLI, the management NIC and data NIC can be attached at the time of virtual machine creation. However, if you are using the Azure GUI to create the virtual machine, the data NIC can only be attached after creating the virtual machine. Refer to the following topics for more detailed information on how to create a GigaVUE V Series Node with management and data NICs attached using the CLI or the Azure GUI:
- Create GigaVUE V Series Node with Management and Data NIC Attached using CLI
- Create GigaVUE V Series Node with Management and Data NIC Attached using Azure GUI
Create GigaVUE V Series Node with Management and Data NIC Attached using CLI
Create the management NIC:
    az network nic create -g <resource group> --vnet-name <VNet Name> --subnet <Subnet name> -n <Management NIC Name>
Create the data NIC with Accelerated Networking enabled:
    az network nic create -g <resource group> --vnet-name <VNet> --subnet <Subnet> -n <Data NIC> --accelerated-networking true

Create the GigaVUE V Series Node virtual machine using the above NICs (the marketplace image requires the plan arguments; --nics takes the management NIC first):
    az vm create --resource-group <Resource group> --size <Standard_D4s_v4 or Standard_D8s_v4> --name <GigaVUE V Series Node> --admin-username gigamon --generate-ssh-keys --image gigamon-inc:gigamon-gigavue-cloud-suite:vseries-node:6.3 --plan-name vseries-node --plan-product gigamon-gigavue-cloud-suite --plan-publisher gigamon-inc --nics <Management NIC> <Data NIC>
Create GigaVUE V Series Node with Management and Data NIC Attached using Azure GUI
Enable the management NIC when creating the GigaVUE V Series Node virtual machine. Refer to the Create virtual machine topic in the Azure documentation for more detailed information on how to create a virtual machine. Follow the steps given below to attach the data NIC:
1. Select the GigaVUE V Series Node virtual machine from the Resources page.
2. Stop the virtual machine using the Stop button.
3. Navigate to Settings > Networking from the left navigation pane. The Networking page appears.
4. In the Networking page, click Attach network interface. Select an existing network interface for the data NIC and click OK.
5. To enable accelerated networking, refer to Manage Accelerated Networking through the portal.
6. Start the virtual machine.
Keep in mind the following when deploying the fabric components using third-party orchestration in integrated mode:
- When configuring G-vTAP Controller, select G-vTAP as the Traffic Acquisition Method.
- When you select Customer Orchestrated Source as your Traffic Acquisition Method, G-vTAP Agent and G-vTAP Controller registration are not applicable.
- When you deploy the fabric components using third-party orchestration, you cannot delete the monitoring domain without unregistering the GigaVUE V Series Nodes or G-vTAP Controllers.
- Deployment of G-vTAP Controller, GigaVUE V Series Node, and GigaVUE V Series Proxy through a third-party orchestrator is supported only on the Linux platform.
- Deployment of G-vTAP Agent through a third-party orchestrator is supported on Linux and Windows platforms. Refer to Linux Agent Installation and Windows G-vTAP Agent Installation for detailed information.
To register fabric nodes under Azure monitoring domain:

1. Create a monitoring domain in GigaVUE-FM. Refer to Create a Monitoring Domain for detailed instructions.
2. In the Monitoring Domain Configuration page, select No for the Use FM to Launch Fabric field as you are going to configure the fabric components in Azure Orchestrator.

3. After creating your monitoring domain, you can deploy your fabric components through Azure Portal.
In your Azure Portal, you can configure the following GigaVUE fabric components:
- Configure G-vTAP Controller in Azure
- Configure G-vTAP Agent in Azure
- Configure GigaVUE V Series Node and GigaVUE V Series Proxy in Azure
Configure G-vTAP Controller in Azure
You can configure more than one G-vTAP Controller in a monitoring domain.
To register G-vTAP Controller in the Azure Portal, use any one of the following methods:
- Register G-vTAP Controller during Virtual Machine Launch
- Register G-vTAP Controller after Virtual Machine Launch
Register G-vTAP Controller during Virtual Machine Launch
In your Azure portal, to launch the G-vTAP Controller virtual machine and register the G-vTAP Controller using custom data, follow the steps given below:
1. In the Virtual machines page of the Azure Portal, select Create then Virtual machine. Then Create a Virtual Machine Page appears. For detailed information, refer to Create virtual machine topic in Azure Documentation.


2. On the Advanced tab, enter the Custom Data as text in the following format and deploy the virtual machine. Enter the monitoring domain name and the connection name of the monitoring domain created earlier as the groupName and the subGroupName in the Custom Data. The G-vTAP Controller uses this custom data to generate the configuration file (/etc/gigamon-cloud.conf) used to register with GigaVUE-FM. You can also install a custom certificate on the G-vTAP Controller; refer to the table below for details:

User data without custom certificate:

    #cloud-config
    write_files:
      - path: /etc/gigamon-cloud.conf
        owner: root:root
        permissions: '0644'
        content: |
          Registration:
            groupName: <Monitoring Domain Name>
            subGroupName: <Connection Name>
            user: <Username>
            password: <Password>
            remoteIP: <IP address of the GigaVUE-FM>
            remotePort: 443

User data with custom certificate:

    #cloud-config
    write_files:
      - path: /etc/cntlr-cert.conf
        owner: root:root
        permissions: "0644"
        content: |
          -----BEGIN CERTIFICATE-----
          <certificate content>
          -----END CERTIFICATE-----
      - path: /etc/cntlr-key.conf
        owner: root:root
        permissions: "400"
        content: |
          -----BEGIN PRIVATE KEY-----
          <private key content>
          -----END PRIVATE KEY-----
      - path: /etc/gigamon-cloud.conf
        owner: root:root
        permissions: '0644'
        content: |
          Registration:
            groupName: <Monitoring Domain Name>
            subGroupName: <Connection Name>
            user: <Username>
            password: <Password>
            remoteIP: <IP address of the GigaVUE-FM>
            remotePort: 443

NOTE: The user and password must be configured in the User Management page. Refer to Configure Role-Based Access for Third Party Orchestration for more detailed information. Enter the username and password created in the Add Users section.
The G-vTAP Controller deployed in your Azure portal appears on the Monitoring Domain page of GigaVUE-FM.

Register G-vTAP Controller after Virtual Machine Launch
To register G-vTAP Controller after launching a Virtual Machine using a configuration file, follow the steps given below:
1. Log in to the G-vTAP Controller. Refer to Default Login Credentials for the G-vTAP Controller default login credentials.
2. Create a local configuration file (/etc/gigamon-cloud.conf) and enter the following custom data.
    Registration:
      groupName: <Monitoring Domain Name>
      subGroupName: <Connection Name>
      user: <Username>
      password: <Password>
      remoteIP: <IP address of the GigaVUE-FM>
      remotePort: 443
NOTE: User and Password must be configured in the User Management page. Refer to Configure Role-Based Access for Third Party Orchestration for more detailed information. Enter the UserName and Password created in the Add Users Section.
3. Restart the G-vTAP Controller service.
$ sudo service gvtap-cntlr restart

The deployed G-vTAP Controller registers with the GigaVUE-FM. After successful registration, the G-vTAP Controller sends heartbeat messages to GigaVUE-FM every 30 seconds. If one heartbeat is missing, the fabric node status appears as ‘Unhealthy’. If more than five heartbeats fail to reach GigaVUE-FM, GigaVUE-FM tries to reach the G-vTAP Controller and if that fails as well then GigaVUE-FM unregisters the G-vTAP Controller and it will be removed from GigaVUE-FM.
Configure G-vTAP Agent in Azure
The G-vTAP Agent is registered via a registered G-vTAP Controller and communicates with it through port 8891.
NOTE: Deployment of G-vTAP Agents through third-party orchestrator is supported on both Linux and Windows platforms. Refer to Linux Agent Installation and Windows Agent Installation for detailed information.
To register G-vTAP Agent in Azure Portal, use any one of the following methods.
- Register G-vTAP Agent during Virtual Machine Launch
- Register G-vTAP Agent after Virtual Machine Launch
Register G-vTAP Agent during Virtual Machine Launch
NOTE: Registering G-vTAP Agent during Virtual Machine Launch is not applicable for Windows Agents. You can register your Windows Agents after launching the Virtual machine, using a configuration file.
In your Azure portal, to launch the G-vTAP Agent virtual machine and register the G-vTAP Agent using custom data, follow the steps given below:
1. In the Virtual machines page of the Azure Portal, select Create then Virtual machine. Then Create a Virtual Machine Page appears. For detailed information, refer to Create virtual machine topic in Azure Documentation.

2. On the Advanced tab, enter the Custom Data as text in the following format and deploy the virtual machine. The G-vTAP Agent uses this custom data to generate config file (/etc/gigamon-cloud.conf) used to register with GigaVUE-FM.
    #cloud-config
    write_files:
      - path: /etc/gigamon-cloud.conf
        owner: root:root
        permissions: '0644'
        content: |
          Registration:
            groupName: <Monitoring Domain Name>
            subGroupName: <Connection Name>
            user: <Username>
            password: <Password>
            remoteIP: <IP address of the G-vTAP Controller 1>, <IP address of the G-vTAP Controller 2>
            remotePort: 8891
NOTE: User and Password must be configured in the User Management page. Refer to Configure Role-Based Access for Third Party Orchestration for more detailed information. Enter the UserName and Password created in the Add Users Section.
Register G-vTAP Agent after Virtual Machine Launch
NOTE: You can configure more than one G-vTAP Controller for a G-vTAP Agent, so that if one G-vTAP Controller goes down, the G-vTAP Agent registration will happen through another Controller that is active.
To register G-vTAP Agent after launching a Virtual Machine using a configuration file, follow the steps given below:
1. Install the G-vTAP Agent in the Linux or Windows platform. For detailed instructions, refer to Linux G-vTAP Agent Installation and Windows G-vTAP Agent Installation.
2. Log in to the G-vTAP Agent. Refer to Default Login Credentials for the G-vTAP Controller default login credentials.

3. Edit the local configuration file and enter the following custom data.
- /etc/gigamon-cloud.conf is the local configuration file on the Linux platform.
- C:\ProgramData\gvtap-agent\gigamon-cloud.conf is the local configuration file on the Windows platform.
    Registration:
      groupName: <Monitoring Domain Name>
      subGroupName: <Connection Name>
      user: <Username>
      password: <Password>
      remoteIP: <IP address of the G-vTAP Controller 1>, <IP address of the G-vTAP Controller 2>
      remotePort: 8891
NOTE: User and Password must be configured in the User Management page. Refer to Configure Role-Based Access for Third Party Orchestration for more detailed information. Enter the UserName and Password created in the Add Users Section.
4. Restart the G-vTAP Agent service.
- Linux platform:
    $ sudo service gvtap-agent restart
- Windows platform: restart the service from the Task Manager.
The deployed G-vTAP Agent registers with the GigaVUE-FM through the G-vTAP Controller. After successful registration, the G-vTAP Agent sends heartbeat messages to GigaVUE-FM every 30 seconds. If one heartbeat is missing, G-vTAP Agent status appears as ‘Unhealthy’. If more than five heartbeats fail to reach GigaVUE-FM, GigaVUE-FM tries to reach the G-vTAP Agent and if that fails as well then GigaVUE-FM unregisters the G-vTAP Agent and it will be removed from GigaVUE-FM.
Configure GigaVUE V Series Node and GigaVUE V Series Proxy in Azure
NOTE: It is not mandatory to register GigaVUE V Series Nodes via V Series proxy however, if there is a large number of nodes connected to GigaVUE-FM or if the user does not wish to reveal the IP addresses of the nodes, then you can register your nodes using GigaVUE V Series Proxy. In this case, GigaVUE-FM communicates with GigaVUE V Series Proxy to manage the GigaVUE V Series Nodes.
To register GigaVUE V Series Node and GigaVUE V Series Proxy in Azure Portal, use any one of the following methods.

- Register GigaVUE V Series Node and GigaVUE V Series Proxy during Virtual Machine Launch
- Register GigaVUE V Series Proxy after Virtual Machine Launch
Register GigaVUE V Series Node and GigaVUE V Series Proxy during Virtual Machine Launch
To register GigaVUE V Series Node and GigaVUE V Series Proxy using the custom data in Azure Portal, follow the steps given below:
1. In the Virtual machines page of the Azure Portal, select Create then Virtual machine. Then Create a Virtual Machine Page appears. For detailed information, refer to Create virtual machine topic in Azure Documentation.


2. On the Advanced tab, enter the Custom Data as text in the following format and deploy the virtual machine. Enter the monitoring domain name and the connection name of the monitoring domain created earlier as the groupName and the subGroupName in the Custom Data. The GigaVUE V Series Node and GigaVUE V Series Proxy use this custom data to generate the configuration file (/etc/gigamon-cloud.conf) used to register with GigaVUE-FM. You can also install custom certificates on the GigaVUE V Series Node or Proxy; refer to the table below for details:

User data without custom certificate:

    #cloud-config
    write_files:
      - path: /etc/gigamon-cloud.conf
        owner: root:root
        permissions: '0644'
        content: |
          Registration:
            groupName: <Monitoring Domain Name>
            subGroupName: <Connection Name>
            user: <Username>
            password: <Password>
            remoteIP: <IP address of the GigaVUE-FM> or <IP address of the Proxy>
            remotePort: 443

User data with custom certificate:

    #cloud-config
    write_files:
      - path: /etc/cntlr-cert.conf
        owner: root:root
        permissions: "0644"
        content: |
          -----BEGIN CERTIFICATE-----
          <certificate content>
          -----END CERTIFICATE-----
      - path: /etc/cntlr-key.conf
        owner: root:root
        permissions: "400"
        content: |
          -----BEGIN PRIVATE KEY-----
          <private key content>
          -----END PRIVATE KEY-----
      - path: /etc/gigamon-cloud.conf
        owner: root:root
        permissions: '0644'
        content: |
          Registration:
            groupName: <Monitoring Domain Name>
            subGroupName: <Connection Name>
            user: <Username>
            password: <Password>
            remoteIP: <IP address of the GigaVUE-FM> or <IP address of the Proxy>
            remotePort: 443

- You can register your GigaVUE V Series Node directly with GigaVUE-FM, or you can use GigaVUE V Series Proxy to register your GigaVUE V Series Node with GigaVUE-FM. If you wish to register the GigaVUE V Series Node directly, enter the remotePort value as 443 and the remoteIP as <IP address of the GigaVUE-FM>; if you wish to deploy the GigaVUE V Series Node using GigaVUE V Series Proxy, enter the remotePort value as 8891 and the remoteIP as <IP address of the Proxy>.
- The user and password must be configured in the User Management page. Refer to Configure Role-Based Access for Third Party Orchestration for more detailed information. Enter the username and password created in the Add Users section.
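The following Python script is an added example written for this guide; it is not Gigamon code. It renders the Registration block and the #cloud-config custom data shown in the tables of this section, of Configure G-vTAP Controller in Azure and of Configure G-vTAP Agent in Azure for any of the four components, reads the block back, and checks the mistakes the notes in those sections warn about: the wrong remotePort for the chosen target (443 for GigaVUE-FM, 8891 for a GigaVUE V Series Proxy or a G-vTAP Controller) and a multi-address remoteIP on anything but a G-vTAP Agent. The helper names, the sample values and the base64 step (the form in which an ARM template carries customData; the portal field and az vm create --custom-data take the plain text) are assumptions. Because /etc/gigamon-cloud.conf holds the GigaVUE-FM credential in clear text and is written mode 0644, the user you put here should be one whose role grants only the Third Party Orchestration permission described in Create Roles.

```python
"""Render, read back and sanity-check the Registration block and #cloud-config
custom data used to register G-vTAP Controllers, G-vTAP Agents, GigaVUE V Series
Nodes and V Series Proxies with GigaVUE-FM.

Added example for this guide, not Gigamon code. File paths, key names and ports
are the ones the guide lists; helper names and sample values are assumptions.
"""
import base64

PORT_FM = 443      # direct registration with GigaVUE-FM
PORT_PROXY = 8891  # node via V Series Proxy; agent via G-vTAP Controller(s)

CONF_PATH = "/etc/gigamon-cloud.conf"
CERT_PATH = "/etc/cntlr-cert.conf"
KEY_PATH = "/etc/cntlr-key.conf"


def registration_target(component, addresses, via_proxy=False):
    """Return (remoteIP, remotePort) for a component, per the guide's notes.

    component: 'controller', 'agent', 'node' or 'proxy'
    addresses: IP(s) of GigaVUE-FM, of the V Series Proxy, or of the
               G-vTAP Controllers (only agents may list more than one)
    """
    if component == "agent":
        return ", ".join(addresses), PORT_PROXY
    if component == "node" and via_proxy:
        return addresses[0], PORT_PROXY
    if component in ("controller", "node", "proxy"):
        return addresses[0], PORT_FM
    raise ValueError(f"unknown component {component!r}")


def registration_block(group, subgroup, user, password, remote_ip, remote_port):
    """Render the Registration: block that goes into /etc/gigamon-cloud.conf."""
    return (
        "Registration:\n"
        f"  groupName: {group}\n"
        f"  subGroupName: {subgroup}\n"
        f"  user: {user}\n"
        f"  password: {password}\n"
        f"  remoteIP: {remote_ip}\n"
        f"  remotePort: {remote_port}\n"
    )


def _write_files_entry(path, permissions, content):
    """One cloud-init write_files entry with the content as a literal block."""
    body = "".join(f"      {line}\n" for line in content.splitlines())
    return (
        f"  - path: {path}\n"
        "    owner: root:root\n"
        f"    permissions: '{permissions}'\n"
        "    content: |\n" + body
    )


def cloud_config(reg_block, cert_pem=None, key_pem=None):
    """Render the #cloud-config custom data. With a custom certificate the key
    file is written mode 0400 and the certificate 0644, as in the guide's table;
    the conf file is written 0644 even though it holds the FM credential."""
    if bool(cert_pem) != bool(key_pem):
        raise ValueError("certificate and private key must be supplied together")
    entries = ""
    if cert_pem:
        entries += _write_files_entry(CERT_PATH, "0644", cert_pem)
        entries += _write_files_entry(KEY_PATH, "0400", key_pem)
    entries += _write_files_entry(CONF_PATH, "0644", reg_block)
    return "#cloud-config\nwrite_files:\n" + entries


def custom_data_b64(text):
    """Base64 form of the custom data, as an ARM template's customData
    property expects it (assumption; the portal field takes plain text)."""
    return base64.b64encode(text.encode()).decode()


def parse_registration(text):
    """Pull the Registration: keys out of a conf file or rendered cloud-config."""
    keys, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Registration:":
            in_block = True
        elif in_block and ":" in line and not line.startswith("-"):
            key, value = line.split(":", 1)
            keys[key.strip()] = value.strip()
        elif in_block and not line:
            in_block = False
    return keys


def check_registration(keys, component, via_proxy=False):
    """Return a list of problems: wrong port for the chosen target, several
    remote IPs on anything but an agent, or an empty mandatory field."""
    problems = []
    ips = [ip.strip() for ip in keys.get("remoteIP", "").split(",") if ip.strip()]
    if not ips:
        return ["remoteIP is empty"]
    _, expected_port = registration_target(component, ips, via_proxy)
    port = int(keys.get("remotePort", 0))
    if port != expected_port:
        problems.append(f"remotePort {port} but {component} expects {expected_port}")
    if component != "agent" and len(ips) != 1:
        problems.append("only agents may list more than one remote IP")
    for key in ("groupName", "subGroupName", "user", "password"):
        if not keys.get(key):
            problems.append(f"{key} is empty")
    return problems
```

Paste the output of cloud_config() into the Custom Data field on the Advanced tab, or save it to a file and pass it with az vm create --custom-data <file>; for a node registered after launch, write registration_block() to /etc/gigamon-cloud.conf and restart the service as described below. Run check_registration() on the parsed block before deploying so that a node pointed at the proxy with port 443, or an agent pointed at GigaVUE-FM, is caught before it fails to appear on the Monitoring Domain page.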
Register GigaVUE V Series Proxy after Virtual Machine Launch
To register GigaVUE V Series Proxy after launching the virtual machine using a configuration file, follow the steps given below:
1. Log in to the GigaVUE V Series Proxy. Refer to Default Login Credentials for the G-vTAP Controller default login credentials.
2. Create a local configuration file (/etc/gigamon-cloud.conf) and enter the following custom data.
Registration:
  groupName: <Monitoring Domain Name>
  subGroupName: <Connection Name>
  user: <Username>
  password: <Password>
  remoteIP: <IP address of the GigaVUE-FM> or <IP address of the Proxy>
  remotePort: 443
• You can register your GigaVUE V Series Node directly with GigaVUE-FM or you can use GigaVUE V Series Proxy to register your GigaVUE V Series Node with GigaVUE-FM. If you wish to register GigaVUE V Series Node directly, enter the remotePort value as 443 and the remoteIP as <IP address of the GigaVUE-FM>; if you wish to deploy GigaVUE V Series Node using GigaVUE V Series Proxy, enter the remotePort value as 8891 and the remoteIP as <IP address of the Proxy>.
• User and Password must be configured in the User Management page. Refer to Configure Role-Based Access for Third Party Orchestration for more detailed information. Enter the UserName and Password created in the Add Users section.

3. Restart the GigaVUE V Series Proxy service.
   • GigaVUE V Series Node:
     $ sudo service vseries-node restart
   • GigaVUE V Series Proxy:
     $ sudo service vps restart
The deployed GigaVUE V Series Proxy registers with GigaVUE-FM. After successful registration, the GigaVUE V Series Proxy sends heartbeat messages to GigaVUE-FM every 30 seconds. If one heartbeat is missing, the fabric node status appears as 'Unhealthy'. If more than five heartbeats fail to reach GigaVUE-FM, GigaVUE-FM tries to reach the GigaVUE V Series Proxy; if that fails as well, GigaVUE-FM unregisters the GigaVUE V Series Proxy and removes it from GigaVUE-FM.
Refer to Deploying GigaVUE Cloud Suite for Azure using Customer Orchestration for more detailed information.
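The custom data in the table above and the hand-written /etc/gigamon-cloud.conf in step 2 of this procedure share one structure: a Registration section, optionally preceded by a certificate and a private key written by cloud-init. The following Python is an added example, not Gigamon's code and not part of this guide. It renders both variants of the custom data with either registration target (443 direct to GigaVUE-FM, 8891 via a GigaVUE V Series Proxy) and then runs the checks a deployer would want before launching the VM: the key file is root-only (mode 0400), both PEM blocks have proper markers, no <placeholder> is left in the Registration section, and the port is one of the two the guide allows. The key names, file paths and ports are the guide's; the group, connection, user, password, IP and PEM values are constructed placeholders, and the write_files reader is a minimal one for this layout only, not a general YAML parser.

```python
# Added example (not Gigamon's code): render the custom data / gigamon-cloud.conf
# from the guide and sanity-check it. Key names, paths and ports are the guide's;
# every sample value is a constructed placeholder.
import re
from typing import Dict, List, Optional

DIRECT_PORT = 443   # register the node directly with GigaVUE-FM
PROXY_PORT = 8891   # register through a GigaVUE V Series Proxy
# Constructed PEM stand-ins with the right markers (not real key material).
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBconstructedCERT==\n-----END CERTIFICATE-----"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEconstructedKEY==\n-----END PRIVATE KEY-----"
REQUIRED = ("groupName", "subGroupName", "user", "password", "remoteIP", "remotePort")
PEM_CERT = r"-----BEGIN CERTIFICATE-----.*-----END CERTIFICATE-----"
PEM_KEY = r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----.*-----END (?:RSA |EC )?PRIVATE KEY-----"


def registration_block(group: str, sub_group: str, user: str, password: str,
                       remote_ip: str, via_proxy: bool = False) -> str:
    """The Registration section of /etc/gigamon-cloud.conf (what the custom data
    writes, and what you type by hand when registering after launch)."""
    port = PROXY_PORT if via_proxy else DIRECT_PORT
    return "\n".join([
        "Registration:",
        f"  groupName: {group}",
        f"  subGroupName: {sub_group}",
        f"  user: {user}",
        f"  password: {password}",  # clear text: restrict who can read the VM's custom data
        f"  remoteIP: {remote_ip}",
        f"  remotePort: {port}",
    ]) + "\n"


def _write_files_entry(path: str, permissions: str, content: str) -> List[str]:
    # One cloud-init write_files item; the body goes under a `content: |` block scalar.
    head = [f"  - path: {path}", "    owner: root:root",
            f"    permissions: '{permissions}'", "    content: |"]
    return head + ["      " + body for body in content.rstrip("\n").split("\n")]


def custom_data(group: str, sub_group: str, user: str, password: str, remote_ip: str,
                via_proxy: bool = False, cert_pem: Optional[str] = None,
                key_pem: Optional[str] = None) -> str:
    """#cloud-config custom data, with or without a custom certificate."""
    if (cert_pem is None) != (key_pem is None):
        raise ValueError("a custom certificate needs both cert_pem and key_pem")
    entries: List[str] = []
    if cert_pem is not None:
        entries += _write_files_entry("/etc/cntlr-cert.conf", "0644", cert_pem)
        entries += _write_files_entry("/etc/cntlr-key.conf", "0400", key_pem)  # root-only
    entries += _write_files_entry("/etc/gigamon-cloud.conf", "0644", registration_block(
        group, sub_group, user, password, remote_ip, via_proxy))
    return "#cloud-config\nwrite_files:\n" + "\n".join(entries) + "\n"


def parse_write_files(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal reader for the layout above (not a general YAML parser)."""
    files: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    body_indent: Optional[int] = None
    for line in text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip(" "))
        if body_indent is not None:                  # inside a block scalar
            if not stripped or indent >= body_indent:
                current["content"] += line[body_indent:] + "\n"
                continue
            body_indent = None                       # dedent ends the scalar
        if stripped.startswith("- path:"):
            current = {"permissions": "", "content": ""}
            files[stripped.split(":", 1)[1].strip()] = current
        elif current is not None and stripped.startswith("permissions:"):
            current["permissions"] = stripped.split(":", 1)[1].strip().strip("'\"")
        elif current is not None and stripped == "content: |":
            body_indent = indent + 2
    return files


def check_custom_data(text: str) -> List[str]:
    """Problems to fix before launching the VM; an empty list means it passes."""
    problems: List[str] = []
    if not text.startswith("#cloud-config"):
        problems.append("missing '#cloud-config' first line; cloud-init ignores the data")
    files = parse_write_files(text)
    conf = files.get("/etc/gigamon-cloud.conf")
    if conf is None:
        return problems + ["no /etc/gigamon-cloud.conf entry"]
    reg = dict(re.findall(r"^[ \t]*(\w+):[ \t]*(\S.*)$", conf["content"], re.M))
    for key in REQUIRED:
        if key not in reg or reg[key].startswith("<"):
            problems.append(f"Registration.{key} missing or still a <placeholder>")
    if reg.get("remotePort") not in (str(DIRECT_PORT), str(PROXY_PORT)):
        problems.append("remotePort must be 443 (direct to GigaVUE-FM) or 8891 (via V Series Proxy)")
    cert, key = files.get("/etc/cntlr-cert.conf"), files.get("/etc/cntlr-key.conf")
    if (cert is None) != (key is None):
        problems.append("a custom certificate needs both /etc/cntlr-cert.conf and /etc/cntlr-key.conf")
    if cert is not None and not re.search(PEM_CERT, cert["content"], re.S):
        problems.append("/etc/cntlr-cert.conf is not a PEM certificate block")
    if key is not None:
        if key["permissions"].lstrip("0") != "400":
            problems.append("/etc/cntlr-key.conf must be mode 0400: the private key is root-readable only")
        if not re.search(PEM_KEY, key["content"], re.S):
            problems.append("/etc/cntlr-key.conf is not a PEM private key block")
    return problems
```

Call custom_data(...) with your own values (and cert_pem/key_pem when installing a custom certificate), paste the result into the Custom Data field on the Advanced tab, and run check_custom_data on the same string first; registration_block alone is the text to put in /etc/gigamon-cloud.conf when registering after launch. The "400" in the guide's table and the '0400' written here are the same mode. The password travels in clear text inside the custom data and lands in a world-readable file, which is why the example's permission check and the comment on the password line are there: the VM's custom data and the config file should be treated as secrets in Azure access control.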
Keep in mind the following when upgrading the GigaVUE-FM to 6.1.00 (when usin

Documents / Resources

Gigamon GigaVUE Cloud Suite Azure [pdf] User Guide
GigaVUE Cloud Suite Azure, Cloud Suite Azure, Suite Azure