Overview
Network flows provide valuable insights into dependencies among application workloads and the underlying Hybrid IT infrastructure. Understanding these dependencies is essential for:
Identifying risks and threats across the network.
Application migration planning, cost, and performance optimization.
Enhancing security by ensuring network flows are only allowed among predefined application, service, and infrastructure components.
OneIQ Pulse supports the following network flow protocols in cloud and datacenter environments:
IPFIX
JFlow 5-7, 9
NetFlow 5-7, 9
Datacenter
To capture network flows in the datacenter, send them to the host running the OneIQ Pulse for Datacenter connector, on the port specified in the Network Flow Collector Settings.
Once OneIQ Pulse starts receiving network flows:
Status will be Collecting
Total Sources will be positive
By default, OneIQ Pulse is configured to receive network flows on port 9995.
Best Practices
Verify that Total Sources in Network Flow Collector Settings increments after each new network flow source is added.
Before increasing the sampling rate on network flow sources, check that the CPU and memory utilization of the OneIQ Pulse host is below 60%.
Double the sampling rate one step at a time by halving the sampling interval (1 in 4096, 1 in 2048, ... 1 in 256, 1 in 128).
Ensure that sampling rates from all network flow sources are consistent.
Enabling NetFlow on a VMware vSphere Distributed Switch
To capture flows passing through a VMware vSphere Distributed Switch:
Click Networking and navigate to the distributed switch.
From the Actions menu, select Settings > Edit NetFlow.
For Collector IP address, type the IP of the host running OneIQ Pulse; for Collector port, specify the port from the OneIQ Pulse Network Flow Collector Settings.
The Sampling rate should be left at its default of 4096.
Save settings.
Note: The Windows Firewall may block incoming UDP packets on the specified port. Create a firewall rule to allow the traffic:
New-NetFirewallRule -DisplayName 'NetFlow' -Direction Inbound -Protocol UDP -LocalPort 9995 -Action Allow
Note: Besides configuring the NetFlow collector on the distributed switch, make sure to also enable NetFlow on each distributed port group.
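As an added example (not part of this article and not OneIQ's own tooling), the following PowerShell script runs the datacenter pre-flight checks above on the Windows host running the connector: it confirms the inbound firewall rule from the note, that the collector is bound to UDP 9995, and that CPU and memory utilization are below the 60% ceiling from Best Practices. Port 9995 and the rule name 'NetFlow' come from the note; the 5-second CPU sampling window is an assumption.

```powershell
# Added example, not OneIQ's own tooling: pre-flight checks for the Windows host
# running the OneIQ Pulse for Datacenter connector. Port 9995 and rule name
# 'NetFlow' come from the note above; the 60% ceiling is the Best Practices value.
param(
    [int]$CollectorPort = 9995,       # default OneIQ Pulse collector port
    [string]$RuleName   = 'NetFlow',  # display name used in the firewall note
    [int]$MaxUtilPct    = 60          # best-practice ceiling for CPU and memory
)
$ok = $true

# 1. Inbound UDP rule: find an enabled allow rule for the port, create one if missing.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'UDP' -and ($pf.LocalPort -contains "$CollectorPort")
    }
if (-not $rule) {
    Write-Warning "No enabled inbound allow rule for UDP $CollectorPort; creating '$RuleName'."
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol UDP `
        -LocalPort $CollectorPort -Action Allow | Out-Null
}

# 2. Collector listener: if nothing is bound to the port, exporters' datagrams are dropped
#    silently and Total Sources never increments.
$ep = Get-NetUDPEndpoint -LocalPort $CollectorPort -ErrorAction SilentlyContinue | Select-Object -First 1
if ($ep) {
    $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
    Write-Host ("UDP {0} is bound by PID {1} ({2})" -f $CollectorPort, $ep.OwningProcess, $proc.ProcessName)
} else {
    Write-Warning "Nothing is listening on UDP $CollectorPort; start the OneIQ Pulse connector."
    $ok = $false
}

# 3. Host headroom: average CPU over a 5-second window (assumed sampling period) and memory in use.
$cpu = ((Get-Counter '\Processor(_Total)\% Processor Time' -SampleInterval 1 -MaxSamples 5).CounterSamples |
    Measure-Object -Property CookedValue -Average).Average
$os  = Get-CimInstance Win32_OperatingSystem
$mem = 100 * (1 - $os.FreePhysicalMemory / $os.TotalVisibleMemorySize)
Write-Host ("CPU {0:N1}%  Memory {1:N1}%  (ceiling {2}%)" -f $cpu, $mem, $MaxUtilPct)
if ($cpu -ge $MaxUtilPct -or $mem -ge $MaxUtilPct) {
    Write-Warning "Utilization is at or above $MaxUtilPct%; do not increase the sampling rate yet."
    $ok = $false
}

if ($ok) { exit 0 } else { exit 1 }
```

Run it from an elevated PowerShell session on the collector host; a non-zero exit code means at least one check failed and the sampling rate should not be raised until it passes.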
Related Articles
For additional information on configuring NetFlow settings on a VMware vSphere Distributed Switch, see the following VMware articles:
Cloud
Enabling network flows in AWS
OneIQ Pulse for AWS captures flow logs for an Amazon Virtual Private Cloud (VPC), its subnets, or individual Elastic Network Interfaces (ENIs). To enable them, follow the VPC Flow Logs – Log and View Network Traffic Flows article from AWS.
Enabling network flows in Azure
OneIQ Pulse for Azure uses the Traffic Analytics feature of Azure Network Watcher to capture flow logs for Virtual Networks (VNets), subnets, and network interfaces (NICs). To enable them:
Navigate to the Azure Management Console.
Azure Network Watcher should be enabled by default. If it is disabled, enable it.
Create flow logs for network security groups (NSGs) of interest.
Enable Traffic Analytics for VNets, subnets, and NICs.