
Endace Debuts Packet Capture Software For Public Clouds

Drew Conry-Murray

Endace has announced a new offering that can capture packets inside your public cloud deployments. Called EndaceProbe Cloud, the offering is available for AWS and Azure public clouds. It can also be deployed in VMware-based private clouds.

Why capture packets in the cloud? Endace says the top two customer drivers are security and performance monitoring. IT teams have limited control over public cloud infrastructure, which can make it harder to get visibility into security or performance issues. Endace’s new offering gives customers packet-level data they can use to investigate incidents or look for root causes of problems.

EndaceProbe Cloud is software that customers can spin up inside an AWS VPC or Azure VNet. Captured packets are stored locally within that VPC/VNet. Endace leverages direct-attached storage from the cloud providers, and says customers can store up to 250TB per instance of the probe. If customers want to store more packets, they can spin up multiple instances and use a third-party load balancer to spread packets across those instances. Endace can also compress the packet files to extend storage capacity. Note that customers are responsible for paying for the storage; the cost isn’t covered by an Endace license.

When it comes to packet analysis, Endace makes its Investigation Manager software available in the cloud. Network and security engineers can analyze packets within the VPC/VNet, which means customers don’t have to pay egress charges to pull those captured packets down from the cloud; the captured packets remain in the VPC/VNet. Investigation Manager has built-in tools, including Wireshark, making it easier to start your analysis directly from the Investigation Manager interface.

The company also partners with third-party security and monitoring software including Splunk, Darktrace, Vectra and others. Endace can share captured packets and packet metadata with these tools for further analysis.

Endace says Investigation Manager can run across multiple probes, be they in separate regions within a single provider or across multiple clouds or on premises. Investigation Manager supports role-based access control, letting customers define access for teams and individual engineers.

Multi-tenancy support is also available for large customers with separate departments or agencies, or for managed service providers serving many customers.

Cloud On Tap

Before you can capture packets, you need a source. Endace says it partners with Gigamon, Ixia, and others for packet broker agents that run in public clouds. Customers can also use services offered by the cloud provider; for instance, AWS has a traffic mirroring service for VPCs on EC2 instances powered by Nitro. Endace supports this service. Packet brokering or mirroring is an additional charge on top of the capture capability.

Another option is a virtual span port. Endace partners with F5’s Web load balancer, which can provide an output port to the Endace capture service. Endace says F5 also has the ability to decrypt traffic for customers that want this option.

While it’s smart of Endace to add cloud-based packet capture capabilities, it’s no secret that the cloud providers tend to add such features as native offerings. For example, Azure Network Watcher includes a packet capture capability. I’m sure Endace will argue that this capability is not as full-featured as EndaceProbe Cloud, and that it isn’t a multi-cloud solution. I think those arguments are valid, but customers considering a cloud-based packet capture solution should understand all their options.

About Drew Conry-Murray: Drew Conry-Murray has been writing about information technology for more than 15 years, with an emphasis on networking, security, and cloud. He's co-host of The Network Break podcast and a Tech Field Day delegate. He loves real tea and virtual donuts, and is delighted that his job lets him talk with so many smart, passionate people. He writes novels in his spare time.