
How does Garland Prisms work with AWS?

January 30, 2020

The advantages of public cloud computing are hard to beat. Companies around the world take advantage of the cost savings of public cloud to scale their infrastructure and to provide disaster recovery, elastic storage, and hosted services. As public cloud has grown over the last few years, clear leaders have emerged. According to a recent Gartner report, Amazon Web Services (AWS) is by far the leading public cloud infrastructure platform, with 47.8% of the market. After AWS there is a big drop to the next tier: Microsoft Azure holds 15.5% of the market, Alibaba 7.7%, and Google Cloud just 4%.

In this new three-part blog series, I'll explore AWS, Azure, and Google Cloud, describe some of the benefits and limitations of each platform, and show how Garland Prisms can work within each of them to provide additional value to customers through packet-level visibility in the public cloud.

One of the reasons AWS is the leading public cloud service provider is that it is the most mature option on the market. Being first to market let it take a large share upfront. AWS provides global, enterprise-friendly products with the configuration, monitoring, and security features organizations need to meet complex network architecture requirements. It is an open and flexible platform that can be adjusted to meet the changing IT needs of any organization.

There's no denying that AWS is a powerful tool for companies looking to add public cloud resources. There is, however, one major challenge with public cloud: how do you deliver packet-level data to a monitoring tool, whether that tool runs in the cloud or in an on-prem data center?

Making the Case for Packet Visibility in the Cloud

So why would you want packet-level visibility into your cloud workloads? Access to the packets in your network lets IT teams detect network and security anomalies within a VPC and route those packets to a security tool for analysis. That gives security teams faster threat detection and response than tools that work only from log or flow data: a flow record (VPC Flow Logs, for example) carries the 5-tuple, byte and packet counts, and an accept/reject verdict, but no payload, so it cannot show the HTTP request, the DNS query, or the TLS handshake that a packet would. With better visibility comes the ability to make better decisions about your network. You can perform internal testing and troubleshooting to make sure the network is architected correctly to meet changing operational needs.

AWS recognized the need for network monitoring in the cloud to keep an eye on unusual traffic patterns that could indicate a compromise or data breach, and in 2019 it launched VPC Traffic Mirroring to address some of those needs. VPC Traffic Mirroring lets users capture and inspect network traffic within an existing Virtual Private Cloud. It is easily compared to what a fiber TAP does in a physical environment: it gives the user direct access to copies of the packets flowing through the VPC.


AWS VPC Traffic Mirroring

Similar to physical network TAPs, VPC Traffic Mirroring can copy all packets seen by a source elastic network interface (ENI), or apply a filter so that only traffic of interest reaches the tool. A mirror filter holds separate inbound and outbound rules, each matching on protocol, source and destination CIDR blocks, and optional port ranges; rules are evaluated in rule-number order, the first match wins, and a packet that matches no rule is not mirrored. The mirror target is an ENI or a Network Load Balancer, and it can sit in a different VPC from the source as long as the two are connected by VPC peering or a transit gateway, so traffic captured across several VPCs can be mirrored back to one VPC for inspection by an analysis tool. One practical caveat: mirrored packets arrive at the target encapsulated in VXLAN (UDP port 4789), with the session's virtual network identifier in the VNI field, so the receiving tool must decapsulate them before analysis.
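What the receiving tool actually sees on the target ENI, as an added example that is not AWS code or part of any Garland product: the mirrored frame is VXLAN over UDP/4789, the VNI carries the session's virtual network identifier, and the original Ethernet frame is the VXLAN payload. The MAC and IP addresses, the HTTP request, and the VNI value below are constructed sample data, and the IP/TCP checksums are left at zero because nothing here verifies them.

```python
"""Added example (not AWS or Garland code): decapsulate a VXLAN-encapsulated
frame as VPC Traffic Mirroring delivers it to a target, then recover the
mirrored packet's 5-tuple. Addresses and payload are constructed sample data."""
import struct
from dataclasses import dataclass
from typing import Optional

VXLAN_PORT = 4789
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass
class Mirrored:
    vni: int            # equals the mirror session's virtual network id
    outer_src: str      # mirror source ENI address
    outer_dst: str      # mirror target address
    inner_frame: bytes  # the original Ethernet frame seen on the source ENI


def _ipv4_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # version/IHL, DSCP, total length, id, flags/frag, TTL, protocol, checksum (0), addresses
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))


def build_mirrored_frame(vni: int, inner_frame: bytes,
                         outer_src="10.0.1.20", outer_dst="10.0.9.5") -> bytes:
    """Wrap inner_frame the way the mirror source does: VXLAN / UDP 4789 / IPv4 / Ethernet."""
    vxlan = struct.pack("!B3xI", 0x08, vni << 8)   # flags with I bit set, 24-bit VNI, reserved byte
    udp_payload = vxlan + inner_frame
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(udp_payload), 0) + udp_payload
    eth = bytes.fromhex("0a1b2c3d4e5f") + bytes.fromhex("0a1b2c3d4e60") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + _ipv4_header(outer_src, outer_dst, PROTO_UDP, len(udp)) + udp


def decapsulate(frame: bytes) -> Optional[Mirrored]:
    """Return the VNI and inner frame, or None if this is not VXLAN-to-4789 over IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != PROTO_UDP or len(ip) < ihl + 16:   # need the UDP header plus the VXLAN header
        return None
    udp = ip[ihl:]
    _, dport, ulen = struct.unpack("!HHH", udp[:6])
    if dport != VXLAN_PORT or ulen < 16:
        return None
    vxlan = udp[8:16]
    if not vxlan[0] & 0x08:                        # VNI-valid flag must be set
        return None
    vni = int.from_bytes(vxlan[4:7], "big")
    inner = udp[16:min(ulen, len(udp))]            # honour the UDP length, ignore any trailer
    return Mirrored(vni, _ipv4_str(ip[12:16]), _ipv4_str(ip[16:20]), inner)


def inner_flow(inner: bytes):
    """(src, sport, dst, dport, proto) of the mirrored IPv4 packet; ports are None unless TCP/UDP."""
    if len(inner) < 34 or struct.unpack("!H", inner[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = inner[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src, dst = _ipv4_str(ip[12:16]), _ipv4_str(ip[16:20])
    if proto in (PROTO_TCP, PROTO_UDP) and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        return (src, sport, dst, dport, proto)
    return (src, None, dst, None, proto)


# Constructed sample: a request from outside the VPC to 10.0.1.20:443 as the source
# ENI saw it, then wrapped for a mirror session whose virtual network id is 12345.
_HTTP = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
_TCP = struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 0x50, 0x18, 65535, 0, 0)
INNER_FRAME = (bytes.fromhex("deadbeef0001") + bytes.fromhex("deadbeef0002")
               + struct.pack("!H", ETHERTYPE_IPV4)
               + _ipv4_header("203.0.113.7", "10.0.1.20", PROTO_TCP, len(_TCP) + len(_HTTP))
               + _TCP + _HTTP)
SAMPLE_FRAME = build_mirrored_frame(12345, INNER_FRAME)

if __name__ == "__main__":
    m = decapsulate(SAMPLE_FRAME)
    print(f"VNI {m.vni} from {m.outer_src} -> {m.outer_dst}; inner flow {inner_flow(m.inner_frame)}")
```

A tool fed by several sessions can key on the VNI to tell them apart, and anything that is not VXLAN to port 4789 (management traffic on the target ENI, for instance) is rejected rather than mis-parsed as a mirrored packet.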

Garland Prisms and AWS

AWS is a solid product. It offers a lot of great features and benefits, and for some customers VPC Traffic Mirroring will be robust enough to provide packet-level visibility into their workloads in the public cloud. However, there are still limits to what VPC Traffic Mirroring can do, and that is where Garland Prisms comes in. Garland Prisms is a host-based cloud TAP that can mirror any traffic, north-south or east-west, from containers and virtual machines in any cloud environment. Prisms is a complement to VPC Traffic Mirroring and is primarily used to augment it. VPC Traffic Mirroring is limited in that there is no agent, it works only on Nitro-based instance types, there is no container support, and, most importantly, it supports only 1:1 replication: a source ENI can belong to more than one mirror session, but sessions are evaluated in session-number order and each packet is copied at most once, to the first matching target, so one copy cannot be fanned out to several tools. As a cloud-native tool, Prisms addresses all of these limitations.
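The filter semantics described under VPC Traffic Mirroring above, and the single-target behaviour just mentioned, modelled in code as an added example; this is not AWS code and not any Garland product. It follows the documented evaluation order (rules by rule number, first match wins, unmatched traffic not mirrored; sessions by session number, a packet mirrored at most once). Treating "mirrored once" as "to the first session whose filter accepts" is this example's reading of that behaviour, and the session names, targets, and addresses are constructed sample data.

```python
"""Added example (not AWS or Garland code): a model of how VPC Traffic Mirroring
decides whether, and to which target, a packet is mirrored. Sample data is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

PROTO_TCP, PROTO_UDP = 6, 17


@dataclass(frozen=True)
class Packet:
    direction: str              # "ingress" or "egress", relative to the source ENI
    protocol: int
    src: str
    dst: str
    src_port: int = 0
    dst_port: int = 0


@dataclass(frozen=True)
class FilterRule:
    rule_number: int
    direction: str
    action: str                 # "accept" or "reject"
    protocol: Optional[int] = None                 # None: any protocol
    src_cidr: str = "0.0.0.0/0"
    dst_cidr: str = "0.0.0.0/0"
    src_ports: Optional[Tuple[int, int]] = None    # inclusive range, None: any port
    dst_ports: Optional[Tuple[int, int]] = None

    def matches(self, pkt: Packet) -> bool:
        if pkt.direction != self.direction:
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if ip_address(pkt.src) not in ip_network(self.src_cidr):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst_cidr):
            return False
        if self.src_ports and not self.src_ports[0] <= pkt.src_port <= self.src_ports[1]:
            return False
        if self.dst_ports and not self.dst_ports[0] <= pkt.dst_port <= self.dst_ports[1]:
            return False
        return True


@dataclass
class MirrorFilter:
    rules: list

    def accepts(self, pkt: Packet) -> bool:
        """The first rule (by rule number) that matches decides; no match means not mirrored."""
        for rule in sorted(self.rules, key=lambda r: r.rule_number):
            if rule.matches(pkt):
                return rule.action == "accept"
        return False


@dataclass
class MirrorSession:
    session_number: int
    target: str                 # traffic mirror target (ENI or NLB), sample id
    filter: MirrorFilter


def mirror_target(sessions, pkt: Packet) -> Optional[str]:
    """Target that receives the copy of pkt, or None; a packet is mirrored at most once."""
    for session in sorted(sessions, key=lambda s: s.session_number):
        if session.filter.accepts(pkt):
            return session.target
    return None


# Constructed sample: session 1 feeds an IDS only with inbound TCP/443 that does not
# originate inside the VPC; session 2 sends whatever is left to a forensics capture.
SESSIONS = [
    MirrorSession(1, "tmt-ids", MirrorFilter([
        FilterRule(100, "ingress", "reject", src_cidr="10.0.0.0/16", dst_cidr="10.0.0.0/16"),
        FilterRule(200, "ingress", "accept", protocol=PROTO_TCP,
                   dst_cidr="10.0.0.0/16", dst_ports=(443, 443)),
    ])),
    MirrorSession(2, "tmt-forensics", MirrorFilter([
        FilterRule(100, "ingress", "accept"),
        FilterRule(100, "egress", "accept"),
    ])),
]

SAMPLE_PACKETS = {
    "external_https": Packet("ingress", PROTO_TCP, "203.0.113.7", "10.0.1.20", 51000, 443),
    "east_west_https": Packet("ingress", PROTO_TCP, "10.0.2.5", "10.0.1.20", 40000, 443),
    "outbound_dns": Packet("egress", PROTO_UDP, "10.0.1.20", "198.51.100.9", 5353, 53),
}


def classify(sessions, packets):
    """Map each sample packet name to the target it is mirrored to (or None)."""
    return {name: mirror_target(sessions, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, target in classify(SESSIONS, SAMPLE_PACKETS).items():
        print(f"{name:16s} -> {target}")
```

The external HTTPS packet would satisfy both sessions' filters, yet only the IDS receives it; the forensics target gets it only if the IDS session is removed. That is the 1:1 constraint in practice: fan-out to a second tool has to happen somewhere other than in the mirror session itself.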

One of the greatest benefits of Prisms is that it supports 1:many tool replication. In today's complex IT infrastructures it is very common for traffic to be inspected by multiple tools for security and monitoring analysis. Each tool may be used by a different team and for a different purpose, but all of them need access to the packets. Having a way to get the packets to multiple tools, whether in a traditional physical environment or in the cloud, is critical to network performance and security strategies alike.

Looking to add visibility to your cloud deployment, but not sure where to start? Join us for a brief network Design-IT consultation or demo. No obligation - it’s what we love to do!


Heartbeat Packets Inside the Bypass TAP

If the inline security tool goes offline, the TAP bypasses the tool and automatically keeps the link flowing. The Bypass TAP does this by sending heartbeat packets to the inline security tool. As long as the tool is online, it returns the heartbeat packets to the TAP, and link traffic continues to flow through the tool.

If the heartbeat packets are not returned to the TAP (indicating that the inline security tool has gone offline), the TAP automatically bypasses the tool and keeps the link traffic flowing. The TAP also strips the heartbeat packets before sending network traffic back onto the critical link, so they never appear on the production network.

While in bypass mode, the TAP continues to send heartbeat packets to the inline security tool. Once the tool is back online, it begins returning them, which tells the TAP that the tool is ready to go back to work. The TAP then directs network traffic back through the tool, along with the heartbeat packets, placing it back inline.
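The three paragraphs above describe a small state machine: inject heartbeats, strip the ones that come back, fail over after missed heartbeats, and fail back when they return. The simulation below is an added example, not Garland firmware; the heartbeat frame format, the miss threshold, and the traffic pattern are assumptions made for the simulation, not product parameters.

```python
"""Added example (not Garland firmware): a simulation of bypass TAP heartbeat
logic. The TAP sits inline between the link and the tool. Inline: link frames
and a heartbeat go through the tool, the returned heartbeat proves the tool is
alive and is stripped. After MISS_LIMIT consecutive misses the TAP bypasses
the tool but keeps probing it; a returned heartbeat puts the tool back inline."""

HEARTBEAT = b"\x00TAP-HB:"   # prefix of synthetic heartbeat frames (assumed format)
MISS_LIMIT = 3               # consecutive misses before failover (assumed value)


class InlineTool:
    """Stand-in for the inline security appliance: forwards frames while up, nothing while down."""

    def __init__(self):
        self.up = True

    def process(self, frames):
        return list(frames) if self.up else []


class BypassTap:
    def __init__(self, tool, miss_limit=MISS_LIMIT):
        self.tool = tool
        self.miss_limit = miss_limit
        self.mode = "inline"     # "inline" or "bypass"
        self.misses = 0
        self.seq = 0
        self.dropped = 0         # link frames lost while a dead tool was still inline
        self.events = []         # (new mode, heartbeat seq at which it changed)

    def _heartbeat(self):
        self.seq += 1
        return HEARTBEAT + self.seq.to_bytes(4, "big")

    def tick(self, link_frames):
        """One heartbeat interval; returns the frames that continue down the critical link."""
        hb = self._heartbeat()
        if self.mode == "inline":
            returned = self.tool.process(list(link_frames) + [hb])
            if hb in returned:
                self.misses = 0
                # strip the heartbeat so it never leaks onto the link
                return [f for f in returned if not f.startswith(HEARTBEAT)]
            # the tool swallowed this interval's traffic; fail over once the limit is reached
            self.misses += 1
            self.dropped += len(link_frames)
            if self.misses >= self.miss_limit:
                self.mode = "bypass"
                self.events.append(("bypass", self.seq))
            return []
        # bypass: link traffic goes straight through, only the heartbeat probes the tool
        if hb in self.tool.process([hb]):
            self.mode = "inline"
            self.misses = 0
            self.events.append(("inline", self.seq))
        return list(link_frames)


def run_scenario(outage=(3, 8), ticks=10):
    """Constructed traffic: one frame per tick; the tool dies at outage[0] and recovers at outage[1]."""
    tool = InlineTool()
    tap = BypassTap(tool)
    delivered = []
    for tick in range(1, ticks + 1):
        if tick == outage[0]:
            tool.up = False
        if tick == outage[1]:
            tool.up = True
        delivered.extend(tap.tick([b"frame-%d" % tick]))
    return tap, delivered


if __name__ == "__main__":
    tap, delivered = run_scenario()
    print("delivered:", [f.decode() for f in delivered])
    print("dropped before failover:", tap.dropped, "events:", tap.events, "final mode:", tap.mode)
```

The simulation also shows the cost of the detection window: the frames sent during the ticks between the tool dying and the miss limit being reached are lost, which is why the heartbeat interval and miss threshold on a real bypass TAP are tuned in milliseconds rather than seconds.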

Some of you may have noticed a flaw in the logic behind this solution! You say, "What if the TAP itself fails? It is also inline, so the link will fail too!" The TAP would then be a single point of failure. That is a good catch, but in our blog on Bypass vs. Failsafe, I explained that if a TAP fails or loses power it must provide failsafe protection to the link it is attached to. So our network TAP goes into failsafe mode, keeping the link flowing.

Glossary

  1. Single point of failure: a component whose failure brings down a larger part of the entire system.

  2. Heartbeat packet: a soft detection mechanism that monitors the health of inline appliances.

  3. Critical link: the connection between two or more network devices or appliances whose failure disrupts the network.
