Avi Vantage
  • 13 Apr 2023

Avi Vantage is a multi-cloud application delivery platform that provides load balancing, application security, and network performance services for modern applications. It uses a software-defined approach to application delivery and can run on a variety of cloud infrastructure, including private data centers, public clouds, and edge locations. Avi Vantage provides a traffic cloning feature for creating duplicates or clones of network traffic flows for testing and analysis purposes. This feature allows you to create an exact copy of the incoming traffic and redirect it to a separate testing or monitoring environment, without affecting the original production traffic. In this deployment, the cloned traffic is sent to the Suricata mirroring instance. 

Avi Vantage supports traffic cloning for:

  • Public clouds
  • Private data centers
  • Multicloud environments
  • Edge locations

For more information on Avi Vantage's traffic cloning, see Traffic Cloning.

If you have your deployment in Google Cloud Platform (GCP), then Avi Vantage's cloning feature is not supported. In such a case, use Traceable's GCP traffic mirroring solution.

The process to configure mirroring for Avi Vantage consists of the following two steps:

  1. Deploy Traceable Platform agent
  2. Configure mirroring in Avi Vantage

Before you begin

Make a note of the following points before configuring mirroring for Avi Vantage:

  • Save the Traceable agent token. In the Traceable platform, navigate to Administration → Account → Agent Token, then copy and save the token. It is required during the Traceable agent installation.
  • If you have your deployment on AWS, then:
    • Make sure that Traceable Platform agent allows ingress traffic on port 80.
    • SourceDestCheck must be disabled.

      SourceDestCheck is a setting in AWS that determines whether the source and destination IP addresses in the network packets are validated. By default, AWS EC2 instances have this setting enabled, which means that the instance cannot be used as a router and can only send and receive traffic within its subnet.

      If you want to use an EC2 instance as a router, you need to disable the SourceDestCheck setting. When the setting is disabled, the instance can send and receive traffic from other subnets, allowing it to act as a router. This can be useful in certain network configurations, such as for network address translation (NAT), VPN, or firewall scenarios.

  • You need a reasonable working knowledge of Avi Vantage. For more information, see the Avi Vantage documentation.

Step 1 – Deploy Traceable Platform agent

Complete the following steps to deploy Traceable Platform agent with mirroring:

  1. Launch a CentOS 7 virtual machine (VM) in the same VPC and subnet as the Avi Service Engine that you wish to mirror. In the following steps, the Traceable agent is installed on a CentOS 7 VM. You can also install it on Amazon Linux 2 or Ubuntu. For more information, see the Virtual Machine topic.
    Avi Service Engine is a component of the Avi Vantage platform that provides load balancing, application acceleration, and application security services for modern applications. The Avi Service Engine runs on virtual machines (VMs) or bare-metal servers and integrates with the underlying infrastructure to provide a complete application delivery solution. For more information, see Service Engine Groups.
  2. Log into the VM that you launched in the previous step.
  3. Download the install.sh installation script from Traceable's download site. Navigate to install > traffic-mirroring > linux > latest.
  4. Execute the downloaded script. The script installs Traceable Platform agent and Suricata.
    Make sure you mirror the correct interface.
    sudo ./install.sh mirror -i eth0 -e avi -s avi -f "tcp" -r api.traceable.ai

    You can identify the correct interface by running the ifconfig command. In the following output, eth0 is the interface.

    [ec2-user@ip-10-0-0-7 ~]$ ifconfig
    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet  netmask  broadcast
            inet6 fe80::1b:57ff:fe88:8e09  prefixlen 64  scopeid 0x20<link>
            ether 02:1b:57:88:8e:09  txqueuelen 1000  (Ethernet)
            RX packets 212327  bytes 281794338 (268.7 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 126905  bytes 30304416 (28.9 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
  5. Make sure that Traceable and Suricata are running. Enter the following command:
    sudo systemctl status suricata
    sudo systemctl status traceable
  6. Add the Traceable agent token that you saved in the Before you begin section. Enter the following command:
    sudo vi /etc/traceable/agent/token
  7. Restart the Traceable agent service. Enter the following command:
    sudo systemctl restart traceable
  8. Make sure that no error logs are present and that a Started metric exporter message appears in the traceable.log file. Enter the following command:
    cat /var/traceable/log/traceable.log
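
Steps 5 to 8 can be checked in one pass. The script below is an added example, not part of Traceable's installer: it uses the service names and file paths from the steps above, the script name verify_agent.sh is hypothetical, and it assumes that error lines in traceable.log contain the word "error". It also flags a world-readable token file, an added hardening check, because the token is a credential.

```shell
#!/usr/bin/env bash
# Added example: post-install checks for steps 5-8 (not Traceable's script).
TOKEN_FILE=/etc/traceable/agent/token        # path from step 6
LOG_FILE=/var/traceable/log/traceable.log    # path from step 8

# Step 5: both services must be active.
check_services() {
    local svc rc=0
    for svc in suricata traceable; do
        systemctl is-active --quiet "$svc" || { echo "service not active: $svc"; rc=1; }
    done
    return "$rc"
}

# Step 6: token present; added hardening check that "other" cannot read it.
check_token() {
    local f="$1" mode
    [ -s "$f" ] || { echo "token file missing or empty: $f"; return 1; }
    mode=$(stat -c '%a' "$f") || return 1
    case "$mode" in
        *[0123]) ;;   # last octal digit 0-3: no read bit for "other"
        *) echo "token file is world-readable (mode $mode): $f"; return 1 ;;
    esac
}

# Step 8: startup message present and no error lines.
# Assumption: error lines contain the word "error" (any case).
check_log() {
    local f="$1"
    [ -r "$f" ] || { echo "cannot read log: $f"; return 1; }
    if grep -qi 'error' "$f"; then
        echo "error lines in $f:"; grep -i 'error' "$f" | tail -n 5
        return 1
    fi
    grep -q 'Started metric exporter' "$f" ||
        { echo "no 'Started metric exporter' message in $f"; return 1; }
}

verify_install() {
    local rc=0
    check_services || rc=1
    check_token "$TOKEN_FILE" || rc=1
    check_log "$LOG_FILE" || rc=1
    [ "$rc" -eq 0 ] && echo "agent install looks healthy"
    return "$rc"
}

# Run the full check only when asked: sudo bash verify_agent.sh --run
if [ "${1:-}" = "--run" ]; then verify_install; fi
```

The log check reads the whole file, so errors written before the token was added in step 6 are reported as well.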

Step 2 – Configure traffic mirroring in Avi Vantage

Complete the following steps to configure traffic mirroring in Avi Vantage:

  1. Log into Avi Vantage and navigate to Templates → Profile → Traffic Clone.
  2. Click on the Create button.
  3. In the Traffic Clone window, configure the Network, Subnet, and IP address of the Traceable Platform agent.

Apply traffic clone to a virtual service

Apply the traffic clone profile that you created to a virtual service. Select Edit on a virtual service and navigate to the Advanced tab, where the traffic clone policy setting is located. Select the Traceable policy that you created and click Save. Send some traffic through the virtual service, then check the data in Traceable Platform to verify a successful installation.
