Provisioning Simplified Network-Centric Observability in AWS

Today, cPacket announced that the cCloud Visibility Suite now supports the Amazon Web Services (AWS) Gateway Load Balancer Endpoint (GWLBE) as a target for VPC Traffic Mirroring. This blog explains how combining cPacket observability nodes and dashboards with VPC Traffic Mirroring and GWLBE gives IT network and security teams network-centric observability that reduces service outages, strengthens security, and accelerates incident response.

Observability for AWS

The IT team can only do its job if it has adequate observability: knowing what is happening in its infrastructure and what experience users are actually getting. It is equally essential to know why things happen, especially unplanned and undesired things.

This is cPacket’s raison d’être – knowing what is happening, why, when, and where are the fundamental stepping stones to fast and frustration-free resolution. cPacket’s forte is network-centric observability in hybrid-cloud environments.

Network Data is Vital for IT Operations

Since observability is vital, so is what makes it possible – reliable and timely data for IT operations to consume. IT teams, and the tools they use to secure and manage their AWS cloud infrastructure and workloads, rely on network data. Common data sources include device logs, telemetry, and network packet data. The latter is the focus of this blog and of the solution with AWS. More specifically, network packet data can be accessed within AWS in two ways:

  • real-time streaming from VPC Traffic Mirroring, which may be further replicated through a cPacket cVu®-V packet broker observability node, or
  • historic PCAP files from AWS storage through a cPacket cStor®-V packet capture-to-storage observability node

Digging and Forwarding Network Data in AWS

AWS’s recently launched feature allows a Gateway Load Balancer Endpoint (GWLBE) to be configured as a VPC Traffic Mirroring target. When operating at a large scale, acquiring network packets from thousands of vantage points may be necessary. In those cases, instantiating and turning VPC Traffic Mirroring on and off per source is not optimal, so extending VPC Traffic Mirroring this way adds value by reducing management burden and cost. Just as business applications need to be resilient to operational and security risks, IT data and applications require the same resilience, so load balancing is necessary for the IT team’s data processing as well.

In this case, the GWLBE in each VPC exports the traffic flows through the GWLB to one or more centralized VPCs or accounts, where the traffic can be observed and analyzed. A centralized overlay observability architecture on top of a large, distributed environment, with load balancing and multi-tenancy, lets you manage and run your services in the cloud efficiently.

There is More to Observability than Network Data

While network packet acquisition is critical, it is only one aspect of the blind-spot-free observability needed to detect and respond to outages, performance problems, and cyberattacks. The IT team can use the simplified architecture above to implement centralized observability that gives the team the consistent streamed and stored network packet data, analytics, and intelligence needed to do their jobs efficiently. cPacket observability nodes can be added as needed for scale and fault tolerance; a load balancer distributes workloads across healthy nodes.

Network data collected from distributed VPCs in a single customer account or across multiple customer accounts can be relayed to a central GWLB, either in a customer account or in an outsourced managed service provider (MSP) account. The central GWLB feeds the aggregated network data to a set of load-balanced cPacket cVu-V observability nodes. The cVu-V, in turn, can filter and forward the right traffic to the right destination, tenant, target, or tool – such as a cPacket cClear®-V observability and analytics node or a cStor-V capture and forensics observability node.

The former provides network-centric service health monitoring by observing key service-level indicators (SLIs) such as latency, TCP behavior, connection issues, asymmetrical routing, firewall issues, and more.

The latter provides PCAP file analysis (with or without Wireshark) for network-centric security forensics in the event of a breach or during incident response.
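The architecture described in the two sections above (a GWLBE in each monitored VPC acting as the Traffic Mirroring target, and a central GWLB distributing the mirrored traffic across load-balanced cVu-V nodes) maps onto a small set of AWS resources. The following Terraform configuration is an added illustration written for this page; it is not cPacket’s or AWS’s own code. It assumes the VPCs, subnets, a cVu-V instance (`aws_instance.cvu_v`) and a mirrored workload instance (`aws_instance.workload`) already exist, and the resource names, the HTTP/80 health check and the open mirror filter are constructed placeholders.

```hcl
# Added illustration, not cPacket's or AWS's own code. Assumed to exist already:
#   aws_vpc.workload / aws_subnet.workload   - a VPC whose instances are mirrored
#   aws_vpc.central  / aws_subnet.central    - the central observability VPC
#   aws_instance.cvu_v                       - a cPacket cVu-V node in the central VPC
#   aws_instance.workload                    - an instance whose ENI is mirrored

# 1. Central VPC: a Gateway Load Balancer in front of the cVu-V node(s).
resource "aws_lb" "observability" {
  name               = "central-observability-gwlb" # constructed name
  load_balancer_type = "gateway"
  subnets            = [aws_subnet.central.id]
}

# GWLB targets receive GENEVE on UDP 6081. The health check has to use a
# different protocol/port; HTTP on port 80 is an assumed placeholder, use
# whatever the node actually exposes.
resource "aws_lb_target_group" "cvu_v" {
  name     = "cvu-v-nodes"
  port     = 6081
  protocol = "GENEVE"
  vpc_id   = aws_vpc.central.id

  health_check {
    port     = 80
    protocol = "HTTP"
    path     = "/"
  }
}

# Register each cVu-V node; add more attachments for scale and fault tolerance.
resource "aws_lb_target_group_attachment" "cvu_v" {
  target_group_arn = aws_lb_target_group.cvu_v.arn
  target_id        = aws_instance.cvu_v.id
}

resource "aws_lb_listener" "observability" {
  load_balancer_arn = aws_lb.observability.arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.cvu_v.arn
  }
}

# Publish the GWLB as an endpoint service so other VPCs (or other accounts,
# e.g. an MSP setup) can attach to it. Restrict allowed_principals in practice.
resource "aws_vpc_endpoint_service" "observability" {
  acceptance_required        = false
  gateway_load_balancer_arns = [aws_lb.observability.arn]
  # allowed_principals = ["arn:aws:iam::<account-id>:root"]  # placeholder
}

# 2. Monitored VPC: a GWLBE that points at the central service ...
resource "aws_vpc_endpoint" "observability" {
  vpc_id            = aws_vpc.workload.id
  service_name      = aws_vpc_endpoint_service.observability.service_name
  vpc_endpoint_type = aws_vpc_endpoint_service.observability.service_type
  subnet_ids        = [aws_subnet.workload.id]
}

# ... used as the Traffic Mirroring target. The per-VPC alternative described
# later on the page would set network_interface_id to a local cVu-V ENI instead.
resource "aws_ec2_traffic_mirror_target" "observability" {
  description                       = "Mirror to central observability VPC"
  gateway_load_balancer_endpoint_id = aws_vpc_endpoint.observability.id
}

# 3. Filter: accept everything in both directions. Mirrored packets carry full
# payloads, so narrow the CIDRs and ports to what the analytics actually needs.
resource "aws_ec2_traffic_mirror_filter" "all" {
  description = "Mirror all traffic"
}

resource "aws_ec2_traffic_mirror_filter_rule" "ingress" {
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.all.id
  traffic_direction        = "ingress"
  rule_number              = 100
  rule_action              = "accept"
  source_cidr_block        = "0.0.0.0/0"
  destination_cidr_block   = "0.0.0.0/0"
}

resource "aws_ec2_traffic_mirror_filter_rule" "egress" {
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.all.id
  traffic_direction        = "egress"
  rule_number              = 100
  rule_action              = "accept"
  source_cidr_block        = "0.0.0.0/0"
  destination_cidr_block   = "0.0.0.0/0"
}

# 4. One session per mirrored ENI. The filter and target are reused, which is
# what keeps the per-vantage-point management cost low at scale.
resource "aws_ec2_traffic_mirror_session" "workload" {
  network_interface_id     = aws_instance.workload.primary_network_interface_id
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.all.id
  traffic_mirror_target_id = aws_ec2_traffic_mirror_target.observability.id
  session_number           = 1
  # packet_length = 128  # optional: truncate to headers if payloads are not needed
}
```

Two points worth checking when applying something like this: the security group on the cVu-V nodes should admit GENEVE (UDP 6081) and the health-check port only from the GWLB’s subnet, since the mirrored stream contains the monitored workloads’ packet payloads; and the mirror filter is the main cost and data-minimization control, so an accept-all filter is a starting point for a lab rather than a production default.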

We recommend using cPacket observability nodes to augment AWS with these benefits:

  • Subnet monitoring that acquires network packets from necessary vantage points
  • Packet filtering and replication provide cost-effective tailoring of the packet streams and scaling to multiple destinations
  • Packet capture-to-storage that enriches the data with metadata and indexes by time and event tags for efficient querying and analysis
  • Analytics and visualizations provide detailed and actionable network traffic intelligence that complements what’s available with Amazon CloudWatch
  • Direct routing (streaming), querying via API, and direct access to network packet data and analytics results
  • Unified fabric management provides simplified elastic administration of all the above services and functions at scale

The Alternate Way to Gain Per-VPC Observability

AWS VPC Traffic Mirroring provides packets from instance interfaces in the VPC’s infrastructure. To gain complete observability, including inter-subnet traffic flows, the VPC must be instrumented with instances of the cPacket cVu-V observability nodes. Prior to the launch of GWLB/GWLBE support, AWS VPC Traffic Mirroring replicated Elastic Network Interface (ENI) traffic and sent the mirrored sessions directly to the cPacket cCloud Visibility Suite. With this approach, for granular or segregated observability, you can deploy cPacket observability nodes on a per-VPC basis and forward traffic to them instead of to a GWLBE – or to both in parallel. We only recommend this approach for small to mid-size deployments.

Summary – Observability is Good

Network-centric observability without intermittent blind spots is critical for reliable and efficient IT operations and for a strong security posture, so the underlying monitoring must itself be highly available. To implement simplified observability, the IT team can combine AWS VPC Traffic Mirroring and GWLB/GWLBE-based load balancing with the cPacket cCloud Visibility Suite.

Refer to the following resources to learn more about using the cPacket and AWS solution:

  • AWS Blog Post
  • Press Release
  • Solution Brief – Cloud Observability for AWS
  • Tech Brief – Strengthen Your Cloud-Native Traffic Mirroring
  • cCloud Visibility Suite web page