Installing a Virtual Appliance in AWS

Introduction

This document provides instructions for setting up a virtual appliance on AWS and Microsoft Azure.

A virtual appliance is required in every region where you want to mirror traffic. If you have a presence in multiple regions, traffic mirroring can be accomplished using VPC Peering. 


If your secondary regions produce a large volume of traffic, inter-region bandwidth costs may become a concern. If this is the case, a virtual appliance can be configured in each region.


This section is separated into two parts:

  1. Initial installation and configuration for the virtual appliance.
  2. Sample configuration for VPC Traffic Mirroring.


Setting up a Virtual Cloud Appliance (AWS)

This section walks through creating an EC2 instance using the AWS web console. This does not include instructions around the purchasing and configuration of Reserved Instances (for discounted AWS pricing).


1. From your AWS EC2 console, click Launch Instance.

2. Select the latest 64-bit x86 Ubuntu Server 20.04 LTS release. 

3. Select “t3.2xlarge” as the instance type and click Configure Instance Details.




4. For networking, select the appropriate Virtual Private Cloud (VPC) and subnet.

  • NOTE: The virtual appliance does not need to be accessible directly from the internet, but the Security Group (SG) does need to allow it to establish a VPN connection out to Field Effect servers, along with the normal package update locations.
  • NOTE: If VPC traffic mirroring is planned:
    • The virtual appliance either needs to be in the same VPC as the traffic mirror sources, or VPC Peering needs to be configured between the VPCs.
    • The SG needs to allow UDP port 4789 *incoming* from the mirror source(s).
  • NOTE: Any endpoint agent connectivity from outside of the local VPC is enabled using a dedicated Field Effect managed relay.




5. Most remaining options should be left as default (Examples: “domain join directory: No directory,” “IAM role: None”).


6. Under the Advanced Details > User data field, select “As text” and paste the provided “cloud init” configuration text in this box.




7. Click Next: Add Storage


8. Set the “Size” to 1500 GiB and change the “Volume Type” to General Purpose SSD (gp3).




9. We recommend that you enable EBS encryption using AWS KMS.


10. Click Next: Configure Tags and add any tags used by your organization.


11. Select Next: Configure Security Group. You may use an existing SG or create a new one. If creating a new SG, the key requirements for Field Effect are:

  • Inbound: UDP 4789 from Mirror Source IP(s) (if applicable)
  • Outbound: All




12. Select Review & Launch and click Launch. At this point, you can select a keypair, or select Proceed without a keypair. The provided cloud-init user data will supersede any SSH key added at this point.




At this point, the virtual appliance will boot and establish a secure VPN connection to Field Effect operators, who will perform the final configuration.


NOTE: If you will be using VPC traffic mirroring, take note of the Elastic Network Interface (ENI) associated with your virtual appliance.

 

Setting up VPC Traffic Mirroring in AWS

Since AWS supports VPC Traffic Mirroring, you can leverage this full network packet capture data to provide greater insight into potential threats. 


A single virtual appliance can act as the mirror target for many mirror sessions, and this section provides a walkthrough of the setup process. We do, however, recommend using automated tooling (here’s an example) to configure VPC traffic mirroring across your environment.


Some important caveats and limitations:

  • Despite the name, AWS’s VPC Traffic Mirroring mirrors a single Elastic Network Interface (ENI) at a time, not all VPC traffic.
  • Mirror sources must be built on the AWS Nitro system.


The following steps are required to configure traffic mirroring to your virtual appliance.


Create a Traffic Mirror Target

1. From the AWS VPC Dashboard, select Mirror Targets on the left and click Create traffic mirror target. 


2. The “Create traffic mirror target” form will appear on your screen. Set the following parameters:


   Target settings (optional): 

  • Name tag – optional: Field Effect Appliance
  • Description – optional: Ingress Traffic to Field Effect


   Choose Target: 

  • Target type: Network Interface
  • Target: set to the Elastic Network Interface of the virtual appliance created earlier. This can be retrieved from the Instance details section’s Networking tab.




Create a Traffic Mirror Filter

1. From the AWS VPC Dashboard, select “Mirror Filters” from the left and click Create traffic mirror filter. 


2. The “Create traffic mirror filter” form will appear on your screen. On this form, provide Inbound and Outbound rules for the traffic to be mirrored to the appliance.


3. To mirror all IP traffic, add “0.0.0.0/0” in the CIDR blocks. The highest priority traffic for Field Effect is “north/south” traffic to and from your EC2 instances/VPC and the internet, so ensure this is added. 


4. Note: Under Network services – optional, the ‘amazon-dns’ checkbox should be checked. This ensures that DNS traffic to the Amazon-provided resolver is also mirrored.


5. These rules are custom to your environment, but here is an example of the form:




Create a Traffic Mirror Session

1. From the AWS VPC Dashboard, select “Mirror Sessions” on the left and click Create traffic mirror session. The “Create traffic mirror session” form will appear on your screen.


2. Using the Mirror Target and Mirror Filters created earlier, we can now establish a tagged session to send to the virtual appliance. Here is an example of the form:




3. Once complete, the virtual appliance will start receiving the mirrored network traffic, and Field Effect will finish configuring it for your organization.


Notes for traffic mirror sessions:

  • Only Elastic Network Interfaces (ENIs) associated with Nitro-based instances can be used as a mirror source.
  • If the virtual appliance has been set up in a different VPC, then a VPC peering relationship must be configured between the two VPCs. See Amazon’s articles What is VPC Peering and Create a VPC Peering Connection for more.
  • Please use VNI 1 as the value for the VXLAN network identifier for the session. The appliance will be configured to capture from VXLAN ID 1 by default.
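The article recommends automated tooling for the target, filter and session steps above; as an added example (not Field Effect’s own tooling), the following Python builds the UDP 4789 security-group rule from step 11 and drives the three mirroring steps through an injected boto3 EC2 client. The `ec2` argument is assumed to be `boto3.client("ec2")` (any object with the same method names works), and the ENI and CIDR values are placeholders.

```python
"""Configure AWS VPC Traffic Mirroring towards a virtual appliance (added example).

`ec2` is assumed to be a boto3 EC2 client; any object with the same method names works.
"""
import ipaddress

VXLAN_PORT = 4789       # UDP port on which the appliance receives VXLAN-encapsulated mirror traffic
ALL_IPV4 = "0.0.0.0/0"  # mirror all IPv4 traffic, as in the article's filter example


def vxlan_ingress_permission(source_cidrs):
    """Security-group ingress entry: UDP 4789 only from the mirror sources, never from everywhere."""
    ranges = []
    for cidr in source_cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects malformed or host-bit CIDRs
        if net.prefixlen == 0:
            raise ValueError("refusing to open UDP 4789 to 0.0.0.0/0")
        ranges.append({"CidrIp": str(net), "Description": "VXLAN from mirror source"})
    return {"IpProtocol": "udp", "FromPort": VXLAN_PORT, "ToPort": VXLAN_PORT, "IpRanges": ranges}


def configure_mirroring(ec2, target_eni, source_enis, vni=1):
    """Create the mirror target, an all-IPv4 filter (both directions + amazon-dns) and one session per source ENI."""
    if not 1 <= vni <= 16777215:
        raise ValueError("VXLAN network identifier must be in 1..16777215")
    target_id = ec2.create_traffic_mirror_target(
        NetworkInterfaceId=target_eni, Description="Field Effect Appliance"
    )["TrafficMirrorTarget"]["TrafficMirrorTargetId"]
    filter_id = ec2.create_traffic_mirror_filter(
        Description="Ingress Traffic to Field Effect"
    )["TrafficMirrorFilter"]["TrafficMirrorFilterId"]
    for direction in ("ingress", "egress"):  # inbound and outbound rules, all IP traffic
        ec2.create_traffic_mirror_filter_rule(
            TrafficMirrorFilterId=filter_id, TrafficDirection=direction, RuleNumber=100,
            RuleAction="accept", SourceCidrBlock=ALL_IPV4, DestinationCidrBlock=ALL_IPV4,
        )
    # Also mirror queries to the Amazon-provided resolver (the 'amazon-dns' checkbox)
    ec2.modify_traffic_mirror_filter_network_services(
        TrafficMirrorFilterId=filter_id, AddNetworkServices=["amazon-dns"]
    )
    sessions = []
    for number, eni in enumerate(source_enis, start=1):
        resp = ec2.create_traffic_mirror_session(
            NetworkInterfaceId=eni, TrafficMirrorTargetId=target_id,
            TrafficMirrorFilterId=filter_id, SessionNumber=number, VirtualNetworkId=vni,
        )
        sessions.append(resp["TrafficMirrorSession"]["TrafficMirrorSessionId"])
    return {"target": target_id, "filter": filter_id, "sessions": sessions}
```

Attach `vxlan_ingress_permission([...])` to the appliance’s SG with `ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=[...])`, then call `configure_mirroring(boto3.client("ec2"), "<target-eni>", ["<source-eni>"])` with the real ENI IDs.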
