Introduction and requirements
Prerequisites and deployment workflow for an AWS Brain.
Introduction
This document outlines the steps to deploy a Vectra Brain in the customer’s AWS account. The Brain is distributed as an Amazon Machine Image (AMI) with an AWS CloudFormation Template (CFT). The AMI and CFT may be procured via private share to your AWS account or can be purchased from the AWS Marketplace. Please contact your Vectra sales team for details regarding a private offer for the AWS Marketplace option.
AWS Brains can be used in both Respond UX and Quadrant UX deployments. For more detail on Respond UX vs Quadrant UX, please see Analyst User Experiences (Respond vs Quadrant). One of the guides below should be the starting point for your overall Vectra deployment:
Deployment Process Overview
The steps involved in deploying the Brain include:
Preparing for deployment
Please ensure you meet all of the following:
Deployment is done through a CloudFormation template that launches the Brain image. It is possible to deploy from the AWS Marketplace, but most customers deploy using the template link Vectra provides after their account has been whitelisted, which allows the account to see the private image.
Vectra has integrations for HostID, Security Hub, and CloudWatch.
Sensor appliances must be paired with your Brain for NDR functionality. Sensors capture network traffic and distill it into a metadata stream that is analyzed by your Brain appliance.
Vectra Requirements
Whitelisting
Purchases made through the AWS Marketplace do not require whitelisting. For deployments that are not made through the Marketplace, determine the account and region where the Brain will be deployed and provide that information to Vectra. Vectra will whitelist that account so that the Brain image appears under Amazon EC2 > AMI > Private images. AWS CloudFormation will be used to deploy the Brain and must be able to reach this image from your account; if the image is visible there, the CFT deployment should succeed.
Provisioning Token
Vectra will provide you with a provisioning token to use for deployments that are not done via the AWS Marketplace.
Brain Sizing
The size of Brain to deploy should be based on the aggregate traffic captured by the Brain’s paired Sensors, which is then sent to the Brain as metadata for analysis. Vectra currently offers four sizes of Brain in AWS:
2 Gbps aggregate traffic / 50K IP addresses max, 15 Sensors max - r5d.2xlarge
5 Gbps aggregate traffic / 50K IP addresses max, 25 Sensors max - r5d.4xlarge
15 Gbps aggregate traffic / 150K IP addresses max, 100 Sensors max - r5d.8xlarge
50 Gbps aggregate traffic / 500K IP addresses max, 500 Sensors max - r5.16xlarge (v8.0 and higher only)
Please note that when deploying the 50 Gbps instance type, extra steps are required to modify the throughput of the /dev/sda1 disk through the AWS management console.
Please see 50 Gbps Brain Storage Throughput Modification for details.
In some environments, you may wish to start with a smaller Brain instance and then later move to a larger Brain instance to handle additional load (metadata coming from paired sensors or additional paired sensors).
Please see: Resizing Virtual Sensors and Brains for details.
AWS Requirements
The AWS services required to deploy a Vectra Brain are compute (Amazon EC2) with storage (Amazon EBS) and networking (AWS ENI), plus identity and access management (AWS IAM) to enable integrations.
VPC and Subnet
You will need either to create a new VPC and subnet for the Brain you are deploying or to re-use existing ones. You will select these when filling out the CloudFormation template. Some AWS documentation is available at the following links:
Security Group
The CloudFormation template will create an empty security group, or you may select an existing security group. The security group must allow port 443 and port 22 access from the administrator’s network and from the Vectra vSensor subnets, and must allow outbound access to the Vectra-hosted services listed in the firewall requirements.
SSH Key Pair
An SSH key pair will need to be created for the Brain so that an administrator can log in to the CLI as the vectra user. The public key will need to be selected in the CloudFormation template. Guidance for key pair generation is here:
After the Brain is deployed and registered with Vectra, you can log in to the Brain CLI via SSH using the private key:
You may need to restrict the private key’s permissions to your own user (SSH refuses keys that are readable by others) using a command such as:
chmod 400 VectraBrainPrivateKey.pem
Example login command:
ssh -i <private key path> vectra@BrainHostnameOrIP
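As an added illustration of the requirements in the sections above (this is not the Vectra-supplied CFT, whose security group is created empty), a minimal CloudFormation template that ties together the Brain sizes, the SSH key pair and the security-group rules described on this page. Parameter names, the 203.0.113.0/24 administrator range and the 10.20.0.0/16 vSensor range are constructed placeholders; the AMI ID is the one shared privately to your account or obtained from the Marketplace.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example, not the Vectra-supplied CFT - Brain instance with a least-privilege security group
Parameters:
  BrainAmiId:
    Type: AWS::EC2::Image::Id   # the private-share or Marketplace Brain AMI
  BrainInstanceType:
    Type: String
    Default: r5d.2xlarge
    # Sizes from the guide; r5.16xlarge (50 Gbps) needs v8.0+ and the
    # /dev/sda1 throughput change done separately in the console.
    AllowedValues: [r5d.2xlarge, r5d.4xlarge, r5d.8xlarge, r5.16xlarge]
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName   # public half of the pair used for ssh vectra@...
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetId:
    Type: AWS::EC2::Subnet::Id
  AdminCidr:
    Type: String
    Default: 203.0.113.0/24   # constructed placeholder: administrator network
  VSensorCidr:
    Type: String
    Default: 10.20.0.0/16     # constructed placeholder: subnets hosting the vSensors
Resources:
  BrainSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Vectra Brain - 443 and 22 from admin and vSensor ranges only
      VpcId: !Ref VpcId
      # No 0.0.0.0/0 ingress. Egress is left at the CloudFormation default
      # (allow all) so the Brain can reach the Vectra-hosted services.
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: !Ref AdminCidr}
        - {IpProtocol: tcp, FromPort: 22,  ToPort: 22,  CidrIp: !Ref AdminCidr}
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: !Ref VSensorCidr}
        - {IpProtocol: tcp, FromPort: 22,  ToPort: 22,  CidrIp: !Ref VSensorCidr}
  Brain:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref BrainAmiId
      InstanceType: !Ref BrainInstanceType
      KeyName: !Ref KeyName
      SubnetId: !Ref SubnetId
      SecurityGroupIds: [!Ref BrainSecurityGroup]
Outputs:
  BrainPrivateIp:
    Value: !GetAtt Brain.PrivateIp   # use in: ssh -i <private key path> vectra@<ip>
```

Narrowing the egress rules to the Vectra-hosted endpoints from the firewall requirements is a further tightening this example leaves at the default.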
AWS Connectivity Requirements
In addition to all the standard firewall requirements, please note the following points that are specific to AWS deployments:
DNS resolution is provided by AWS by default. You do not need to list DNS servers for AWS unless you want to use something other than the AWS-provided defaults, for example when you want to pair by hostname and the hostnames exist only in your own DNS and are not resolvable via AWS’s DNS. More detail about pairing by hostname or IP is included in Pairing Sensors or Stream.
NTP defaults to Ubuntu’s servers for all Vectra Brains, but the default can be changed as desired in Configuration → COVERAGE → Network → Data Sources > Network > Brain Setup > NTP Entries.