EC2 and VPC Deployment Guide
Introduction

This document describes how to set up Amazon EC2 instances and Amazon VPCs for monitoring with the Observable Networks service. Before starting, you'll need:

- An Amazon AWS account
- A trial account with Observable Networks
Deployment options

When using an Amazon VPC, you may do one or both of the following:

- Monitor the VPC with flow logs, which requires no additional software to be installed on the EC2 instances.
- Monitor each EC2 instance by installing the ONA software package.

For EC2 instances that aren't inside a VPC, you may:

- Monitor each instance by installing the ONA software package.
VPC flow logs

Amazon VPCs can capture and log metadata about IP traffic to, from, and within your VPC: source and destination addresses and ports, protocol, packet and byte counts, and whether the traffic was accepted or rejected. Packet contents are never captured. Observable Networks can use these flow logs for endpoint modeling. Follow the steps below to set up VPC flow log monitoring:

1. Enable VPC flow logs by following the instructions in the AWS documentation. Deliver the flow logs to CloudWatch Logs, since the security policy below grants access to CloudWatch Logs only, and make a note of the log group you select.
2. Follow the Create a security policy instructions below.
3. Follow the Create a new role instructions below.
4. Follow the Observable Networks web portal instructions below.
EC2 instance monitoring

If you're not using a VPC, or you want per-instance visibility in addition to flow logs, you can monitor your EC2 instances by installing the Observable Networks Appliance (ONA) software. Follow the steps below to set up an EC2 instance with the ONA package:

1. Follow the Create a security policy instructions below.
2. Follow the Create a new role instructions below.
3. Follow the Observable Networks web portal instructions below.
4. Follow the Installing the ONA software instructions below.
Create a security policy

The security policy document below allows Observable Networks read-only access to descriptions of cloud resources and to logging data. It grants no permission to create, modify or delete anything. From the IAM console create your own policy with:

Policy name: obsrvbl_policy
Description: This permits Observable Networks access to necessary AWS resources.
Document: see the sample below.
Security policy document

A text version of the policy document below is available at this link. You may remove permissions for services you don't use. IAM action names are matched case-insensitively, so the lowercase spellings below are equivalent to the conventional ec2:DescribeRegions form. The EC2, ElastiCache, RDS and Redshift Describe actions do not support resource-level permissions, which is why that statement uses "Resource": "*"; the CloudWatch Logs statement may be narrowed to the ARN of your flow log group if you prefer.

obsrvbl_policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:describeregions",
                "ec2:describeinstances",
                "elasticache:describecacheclusters",
                "rds:describedbinstances",
                "redshift:describeclusters"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "logs:describelogstreams",
                "logs:getlogevents"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
Create a new role

From the IAM console create a new role with:

Role name: obsrvbl_role
Role type: Cross-Account Access (Allow IAM users from 3rd party AWS accounts)
Establish trust:
    Account ID: 757972810156
    External ID: the name of your Observable Networks web portal (the x in x.obsrvbl.com)
    Require MFA: leave unchecked
Attach policy: select the obsrvbl_policy from above.

After creating the role, make a note of the Role ARN.

The External ID is the guard against the confused-deputy problem: many customers trust the same Observable Networks account, and STS will only let that account assume your role when the caller also presents the external ID your trust policy requires. Enter it exactly as your portal name, and treat the Role ARN together with the external ID as the pair that identifies your account to the service.
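The two IAM documents from the Create a security policy and Create a new role steps, generated and sanity-checked in code. This is an added example, not Observable Networks' own tooling: it assumes the account ID, policy name and role name given in this guide, and the portal name "example" and the log-group ARN used in the tests are constructed placeholders. The audit functions flag anything that is not a read-only Describe/Get/List action and any trust statement that lacks the sts:ExternalId condition or trusts a principal outside the Observable Networks account.

```python
"""Build and audit the obsrvbl_policy and obsrvbl_role documents (added example)."""
import json
import re

OBSRVBL_ACCOUNT_ID = "757972810156"  # Observable Networks' AWS account, from the guide

# STS accepts external IDs of 2 to 1224 characters drawn from this set.
EXTERNAL_ID_RE = re.compile(r"[\w+=,.@:/-]{2,1224}")

# Inventory and log reading are the only operations the service needs.
READ_ONLY_PREFIXES = ("describe", "get", "list")


def permissions_policy(log_group_arn="*"):
    """obsrvbl_policy. The Describe* actions do not support resource-level
    permissions, so that statement must use "*"; the CloudWatch Logs
    statement can be pinned to the flow-log group ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "ec2:DescribeRegions",
                    "ec2:DescribeInstances",
                    "elasticache:DescribeCacheClusters",
                    "rds:DescribeDBInstances",
                    "redshift:DescribeClusters",
                ],
                "Effect": "Allow",
                "Resource": "*",
            },
            {
                "Action": ["logs:DescribeLogStreams", "logs:GetLogEvents"],
                "Effect": "Allow",
                "Resource": log_group_arn,
            },
        ],
    }


def trust_policy(external_id, trusted_account=OBSRVBL_ACCOUNT_ID):
    """obsrvbl_role trust policy, as the console generates it for
    Cross-Account Access with an external ID and no MFA."""
    if not EXTERNAL_ID_RE.fullmatch(external_id):
        raise ValueError("external ID must be 2-1224 chars of [A-Za-z0-9_+=,.@:/-]")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_permissions(policy):
    """Actions that are not plain read-only grants: wildcards, non-Allow
    effects, or verbs other than Describe/Get/List (matched case-insensitively,
    as IAM does)."""
    findings = []
    for stmt in policy["Statement"]:
        for action in _as_list(stmt["Action"]):
            _, _, operation = action.partition(":")
            if (stmt["Effect"] != "Allow" or "*" in action
                    or not operation.lower().startswith(READ_ONLY_PREFIXES)):
                findings.append(action)
    return findings


def audit_trust(policy, external_id, trusted_account=OBSRVBL_ACCOUNT_ID):
    """Problems with a trust policy: an AssumeRole statement that trusts a
    principal outside trusted_account, or lacks the exact ExternalId condition."""
    problems = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        principals = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
        for p in principals:
            if p != trusted_account and not p.startswith(f"arn:aws:iam::{trusted_account}:"):
                problems.append(f"untrusted principal {p}")
        cond = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if cond != external_id:
            problems.append("missing or wrong sts:ExternalId condition")
    return problems


if __name__ == "__main__":
    portal = "example"  # the x in x.obsrvbl.com (placeholder)
    policy, trust = permissions_policy(), trust_policy(portal)
    assert not audit_permissions(policy) and not audit_trust(trust, portal)
    with open("obsrvbl_policy.json", "w") as f:
        json.dump(policy, f, indent=2)
    with open("obsrvbl_trust.json", "w") as f:
        json.dump(trust, f, indent=2)
```

Running the script writes obsrvbl_policy.json and obsrvbl_trust.json, which can be fed to `aws iam create-policy --policy-name obsrvbl_policy --policy-document file://obsrvbl_policy.json`, `aws iam create-role --role-name obsrvbl_role --assume-role-policy-document file://obsrvbl_trust.json`, and `aws iam attach-role-policy --role-name obsrvbl_role --policy-arn <ARN returned by create-policy>` instead of clicking through the console. Re-running audit_trust against the trust policy IAM shows after creation is a cheap way to confirm nobody has since widened the principal or dropped the external ID condition.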
Observable Networks web portal

Log in to your Observable Networks web portal to configure it to query your AWS resources:

1. Click on the Settings icon.
2. Select the AWS tab.
3. Select the Credentials tab and enter the Role ARN from above.
4. If you're enabling VPC Flow Logs, select the VPC Flow Logs tab and enter the CloudWatch log group you set up.

If there is a problem with the credentials or log groups you will get an error message after entering them.
Installing the ONA software

The packages listed below are the latest version of the ONA service for the given platform. Make a note of which one matches your target instance. Contact support@obsrvbl.com if you need to use a different platform. After selecting a package, follow the Launching instances and Enable outbound communication steps below.

Ubuntu 12.04 or 14.04: ona-service_ubuntuprecise_amd64.deb
RHEL 6.x, including Amazon Linux AMI 2015.03: ona_service_rhel_6_amd64.rpm
RHEL 7.x: ona_service_rhel_7_amd64.rpm
Launching instances

Once you've chosen an ONA software package, you may launch an EC2 instance that uses it. You will need an Observable service key, which is available from your Observable Networks web portal (on the Settings page under the Sensors tab). You may use your normal deployment process to add the package and configure it. You may also use a user-data script; the template below downloads the package, installs it with the command matching its format, writes the service key to the ONA configuration file, and signals the ONA supervisor to reload. Un-comment the dpkg or rpm line that matches your package and replace the placeholders.

Note that anything placed in user data is readable by every process on the instance through the instance metadata service, and by anyone with the ec2:DescribeInstanceAttribute permission in your account. Treat the service key accordingly, and prefer injecting it with your configuration management tool on hosts where that matters.

#!/bin/bash
# Download the ONA package selected above (replace the placeholder file name)
wget https://s3.amazonaws.com/onstatic/ona-service/master/package_name_goes_here

# .deb installation - for Ubuntu images
# dpkg -i PACKAGE_NAME_GOES_HERE

# .rpm installation - for Amazon Linux and RHEL images
# rpm -i PACKAGE_NAME_GOES_HERE

# Configuration - enter your service key and optionally configure an HTTPS proxy
/bin/echo "OBSRVBL_SERVICE_KEY='YOUR_SERVICE_KEY'" >> /opt/obsrvbl-ona/config.local
# /bin/echo "HTTPS_PROXY='https://PROXY_IP:PROXY_PORT'" >> /opt/obsrvbl-ona/config.local

# Reload with new configuration
/bin/kill -TERM $(cat /tmp/ona-supervisord.pid)
Enable outbound communication

If your EC2 instances already have Internet access, you may skip this step. If you're running in a VPC, you will need to allow the EC2 hosts running the ONA service to reach Observable Networks over HTTPS.

If you use a NAT instance in your VPC for Internet access, the NAT instance's security group must allow HTTPS (TCP port 443) inbound from the private subnet's security group (or its CIDR range). See Amazon's documentation for instructions.

If you use bastion hosts for Internet access, you'll need to run a proxy server (like squid) on the bastion and allow the private instances to reach its listening port. Make sure to un-comment the HTTPS_PROXY line in the user-data script for each EC2 instance and point it at the proxy's address and port.
Finishing up

If everything is set up properly, you'll be able to see sensor data on the Observable web portal (on the Settings page under the Sensors tab). If you have questions or problems with setting things up, please e-mail support@obsrvbl.com for help.