Deployment from AWS Marketplace
Step-by-step AWS Marketplace and CloudFormation deployment for AWS vSensors, including key template parameters and post-deploy checks.
Subscribing and Launching CFN
The Sensor software is available as an Amazon Machine Image along with an AWS CloudFormation template that enables easy deployment as follows:
Browse to the AWS Marketplace Subscriptions service on the AWS Management Console.
Click Discover Products and search for Vectra.

Select Vectra Sensor.

Click Continue to Subscribe.
There is no additional cost for this step.
All Vectra licensing is handled by Vectra.

Click Accept Terms.
AWS will process the subscription before enabling next steps.
Once completed, AWS will allow you to Continue to Configuration.
Select the region to deploy the Sensor in.

Click Continue to Launch.
Under Choose Action, select Launch CloudFormation.

You will be presented with the AWS CloudFormation screen, pre-populated with the Template and Amazon S3 URL for the Vectra Sensor AMI.

Click Next.
Specifying Stack Details
Fill out the Specify stack details screen that is presented using the instructions below the screenshot.

In the Specify stack details screen you will be asked to fill in the following fields:
Stack name - The Stack name must be unique and can contain letters, numbers, and dashes only.
baseName - This name will be prepended to the individual resources that are deployed for the template.
brainIP - The IP address or the Fully Qualified Domain Name (FQDN hostname) of the Vectra Brain.
This address must be reachable from the Sensor’s management subnet over ports 22 and 443.
instanceType - Select from the options offered (for options not displayed, contact Vectra).
Please see the Vectra AWS IaaS Best Practices Guide for more information.
r5.large / r5n.large – 1 Gbps
r5.xlarge / r5n.xlarge – 2 Gbps
r5.2xlarge / r5n.2xlarge – 4 Gbps
r5.4xlarge / r5n.4xlarge – 8 Gbps
c5n.18xlarge – up to ~10 Gbps
mgtPrivateIP - Private management IP address to assume on launch (NoValue to use DHCP).
mgtSecurityGroup - This setting determines what access is permitted for the Sensor.
If left blank, the template will auto-create a security group, and rules must be added afterward.
If there is an existing security group, add it here.
This security group must allow inbound TCP/22 from the Brain and allow outbound TCP/443 and TCP/22 to the Brain for management.
mgtSubnet - This specifies the subnet which the Sensor will use to communicate with the Brain.
mgtVPC - This specifies the Amazon VPC where the management interface of the Sensor is located.
networkLB - If using a load-balancer deployed in front of the traffic ingestion interface, specify its ARN here.
If left blank, the Sensor will assume no load-balancer.
Without a load-balancer, AWS limits the mirror destination (Sensor) to a maximum of 10 traffic mirror sessions for all Sensors except the c5n.18xlarge, which has a 100 session limit.
Vectra supplies a CloudFormation template to create this load-balancer as an attachment to the AWS vSensor Deployment Guide support article (loadBlanacerTemplate.json). The subnet specified in the load balancer CloudFormation template should be the subnet that will contain your traffic interface.
Please Note: This configuration must be added pre-deployment or the Sensor must be re-deployed.
registrationToken - This token must be copied from the Configuration → COVERAGE → Data Sources > Network > Sensors > Sensor Registration and Pairing page of the Vectra UI. Tokens are valid for 24 hours.
A valid token is required for the Sensor to register with the Brain and become Available for pairing.
Instructions to generate a Sensor registration token are in Sensor Registration Token.
sshKey - AWS recommends use of the Amazon EC2 key pair feature to manage access to the Sensor VM.
This field allows the user to add a public key to the Sensor for SSH to the CLI with the vectra user. This key pair should have been created previously.
tenancy - Tenancy attribute for the AWS instance. Controls if this machine should be on a dedicated VM.
Default selection utilizes shared hardware.
trafficPrivateIP - Specify an IP for the traffic capture interface or allow a DHCP address as default.
trafficSecurityGroup - Vectra’s CloudFormation template will create this automatically for you if you leave this at the default of AWS::NoValue.
If creating your own, please keep the following in mind. Typically, this should allow all incoming traffic from your sources (traffic mirrors or packet brokers).
In case of ingesting from a packet broker, ensure that VxLAN traffic is permitted in on UDP/4789.
If deploying a Network Load Balancer in front of the Sensor, inbound TCP/80 must also be permitted from the NLB for the health-check from the load balancer to succeed.
Please note - Direct traffic mirroring bypasses this security group setting. If using a load balancer, make sure to allow traffic from the IP ranges associated with the subnets where the load balancer is placed. Note that load balancer IPs are not fixed.
trafficSubnet - This is the Amazon Subnet in which the traffic ingestion interface is placed.
trafficVPC - This is the Amazon VPC in which the traffic ingestion interface is placed.
Click Next.
All fields in the next screen are optional; for example, you may wish to configure tags.
Click Next.

To create multiple stacks with mostly identical configuration, click the Quick-create link and use it for subsequent stacks.
Click Create Stack.
At this point, the stack creation should proceed through to completion.
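The security group requirements listed above for mgtSecurityGroup and trafficSecurityGroup can be checked offline against exported rules. The Python below is an added example, not part of Vectra's template or tooling. It assumes rule dictionaries in the shape returned by aws ec2 describe-security-groups and a Brain addressed by IP rather than FQDN, and it evaluates CIDR rules only; the sample groups and addresses are constructed.

```python
import ipaddress

def allows(perms, proto, port, source):
    """True if a CIDR rule in perms permits proto/port for all of `source`."""
    src = ipaddress.ip_network(source, strict=False)
    for p in perms:
        if p["IpProtocol"] == "-1":          # "-1" means all protocols and ports
            in_range = True
        else:
            in_range = (p["IpProtocol"] == proto
                        and p.get("FromPort", 0) <= port <= p.get("ToPort", 65535))
        if in_range and any(
                src.subnet_of(ipaddress.ip_network(r["CidrIp"], strict=False))
                for r in p.get("IpRanges", [])):
            return True
    return False

def check_mgt(sg, brain_ip):
    """Missing management rules: in TCP/22 from, out TCP/443 and TCP/22 to the Brain."""
    want = [("inbound tcp/22 from Brain", sg["IpPermissions"], 22),
            ("outbound tcp/443 to Brain", sg["IpPermissionsEgress"], 443),
            ("outbound tcp/22 to Brain", sg["IpPermissionsEgress"], 22)]
    return [name for name, perms, port in want
            if not allows(perms, "tcp", port, brain_ip)]

def check_traffic(sg, broker_ip=None, nlb_subnets=()):
    """Missing traffic-interface rules for a packet broker and/or an NLB."""
    missing = []
    if broker_ip and not allows(sg["IpPermissions"], "udp", 4789, broker_ip):
        missing.append("inbound udp/4789 (VXLAN) from packet broker")
    for cidr in nlb_subnets:  # NLB IPs are not fixed: the whole subnet must be covered
        if not allows(sg["IpPermissions"], "tcp", 80, cidr):
            missing.append(f"inbound tcp/80 health check from {cidr}")
    return missing

def rule(proto, port, cidr):
    """Build one constructed rule in describe-security-groups shape."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}

# Constructed sample data (not real groups): Brain at 10.0.1.5, NLB in 10.0.20.0/24.
MGT_SG = {"IpPermissions": [rule("tcp", 22, "10.0.1.5/32")],
          "IpPermissionsEgress": [rule("tcp", 443, "10.0.1.5/32")]}  # TCP/22 egress missing
TRAFFIC_SG = {"IpPermissions": [rule("udp", 4789, "10.0.30.0/24"),
                                rule("tcp", 80, "10.0.20.7/32")]}    # one NLB IP only

if __name__ == "__main__":
    print(check_mgt(MGT_SG, "10.0.1.5"))
    print(check_traffic(TRAFFIC_SG, broker_ip="10.0.30.9", nlb_subnets=["10.0.20.0/24"]))
```

Rules that reference another security group instead of a CIDR are not evaluated, so a group relying on those will be reported as missing rules and needs a manual check.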

Next Steps
Once the deployment is complete, the vSensor will automatically boot up and reach out to the Vectra Brain.
If the Brain is configured for automatic pairing for virtual Sensors, the Sensor will register with the Brain, then attempt to pair with the Brain, and finally update its software from the Brain.
The Sensor will show up in the Configuration → COVERAGE → Data Sources > Network > Sensors tab of the Vectra UI just like a physical Sensor would.
Once you see the Sensor here and it is current with the Brain’s software version, it is ready for operation.
You can now move on to AWS integrations or, if you need more pairing help, see pairing AWS vSensors.