
Partner Technical Training

Arbor APS Virtual Deployment (vAPS)

Partner • Sales • Engineering


APS
©2017 ARBOR® CONFIDENTIAL & PROPRIETARY Release 5.12
Objectives

At the conclusion of this unit you should understand how to:
• Deploy Virtual Arbor APS (vAPS) on KVM & VMware Hypervisors
• Deploy Virtual Arbor APS (vAPS) on Amazon Web Services (AWS)



vAPS DEPLOYMENT
OVERVIEW VMware & KVM



VMware Hypervisor Installation
• Arbor vAPS on VMware requires the following software:
  • VMware vSphere Hypervisor, version 5.5 or later
  • VMware vSphere Client, version 5.5 or later
  • Arbor vAPS OVA file (Arbor-vAPS-5.11.0-HEDK-x86_64.ova)
• Creating the Arbor vAPS virtual machine on VMware
  • Deploy the virtual template (OVA) as follows:
    1. Open the VMware vSphere Client and log in, using the credentials for the VMware server.
    2. Select File > Deploy OVF Template.
    3. In the Source window of the Deploy OVF Wizard, select the OVA file that you downloaded, and then click Next.
Note: Arbor recommends that you deploy the OVA file from the computer on which the VMware client is installed. If you deploy an OVA file from a remote location, the VMware client may time out.
VMware Interfaces

VMware Source Network    Interface    Description
virtual_mgt0             mgt0         Management Interface
virtual_mgt1             mgt1         Management Interface
virtual_ext0             ext0         External Interface
virtual_int0             int0         Internal Interface



KVM Installation (1 of 2)
• Download the Arbor-vAPS-5.11.0-HEDK-x86_64.qcow2 image file to a suitable location under the managed storage pool on the host server
  • The default location is /var/lib/libvirt/images/Arbor-vAPS-5.11.0-HEDK-x86_64.qcow2
Note: The .qcow2 file must be saved under the managed storage pool or an error will occur and the vAPS will not start.

• Start the installer
~/# sudo virt-install --connect qemu:///system \
• On the command line, enter the following command options, press ENTER after each command



KVM Installation (2 of 2)
• Start the installer
~/# sudo virt-install --connect qemu:///system \
• Enter the following command options, press ENTER after each

Command                                     Description
-n VM_hostname \                            Hostname of the virtual machine
-r 12288 \                                  Allocates 12 GB RAM to the virtual machine
--vcpus=4,sockets=1,cores=4,maxvcpus=4 \    Specifies the number of virtual CPUs allocated to the virtual machine
--arch=x86_64 \                             Indicates the virtual machine uses a 64-bit architecture
--os-type linux \                           Specifies the operating system type
--import \                                  Indicates the use of a disk image
--disk path=filepath/Arbor-vAPS-5.8.0-xxxx.qcow2,device=disk,bus=virtio,size=100,format=qcow2 \
                                            Indicates the path and file name of the disk image and the size and bus type of the image
--network bridge=vmbr0,model=e1000 \        Assigns the virtual bridges to the virtual machine and assigns the virtual network
--network bridge=vmbr1,model=e1000 \
--network bridge=vmbr2,model=virtio \
--network bridge=vmbr3,model=virtio \
--vnc --noautoconsole                       Allows virtual network computing (VNC) access to the virtual machine console
KVM Interfaces
KVM Source Network    Physical Interface    vAPS Interface    Description
vmbr0                 eth0                  mgt0              Management Interface
vmbr1                 eth1                  mgt1              Management Interface
vmbr2                 eth2                  ext0              External Port
vmbr3                 eth3                  int0              Internal Port
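
The KVM installation steps and interface mapping above, put together as an added example (not part of the Arbor training material or an Arbor-supplied script): it checks that the image sits under the managed storage pool before assembling the full virt-install command from the option table. The function names, the POOL_DIR variable and the hostname vaps-lab01 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check plus assembly of the virt-install command
# from the option table above. It prints the command and does not run it.

# Managed storage pool directory; the default is the location named on the slide.
POOL_DIR="${POOL_DIR:-/var/lib/libvirt/images}"

# Succeeds only if the path is a .qcow2 file inside the pool directory.
# Paths with "." or ".." components are rejected so they cannot escape the pool.
image_in_pool() {
    case "$1" in
        */../*|*/..|*/./*) return 1 ;;
    esac
    case "$1" in
        "$POOL_DIR"/*.qcow2) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the complete command for a VM hostname ($1) and image path ($2).
build_virt_install() {
    vm_name=$1
    image=$2
    if ! image_in_pool "$image"; then
        echo "refusing: $image is not a .qcow2 under $POOL_DIR" >&2
        return 1
    fi
    # Per the KVM Interfaces table: vmbr0/vmbr1 carry mgt0/mgt1 (e1000),
    # vmbr2 carries ext0 and vmbr3 carries int0 (virtio).
    printf '%s ' sudo virt-install --connect qemu:///system \
        -n "$vm_name" -r 12288 \
        --vcpus=4,sockets=1,cores=4,maxvcpus=4 \
        --arch=x86_64 --os-type linux --import \
        --disk "path=$image,device=disk,bus=virtio,size=100,format=qcow2" \
        --network bridge=vmbr0,model=e1000 \
        --network bridge=vmbr1,model=e1000 \
        --network bridge=vmbr2,model=virtio \
        --network bridge=vmbr3,model=virtio \
        --vnc --noautoconsole
    echo
}

# Constructed sample invocation (hostname "vaps-lab01" is made up).
build_virt_install vaps-lab01 "$POOL_DIR/Arbor-vAPS-5.11.0-HEDK-x86_64.qcow2"
```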



vAPS Support on KVM and VMware
• Does not support the following features and functions:
  • Shell access
  • Appliance based licensing
  • Hardware bypass
• NTP
  • NTP is not supported for VMware vAPS
  • VMware VMs synchronize time with the hypervisor

Note: When using NTP with KVM vAPS, NTP should also be configured on the KVM hypervisor



vAPS DEPLOYMENT
OVERVIEW - Amazon Web Services



Amazon Web Services (AWS)
  Overview
• Secure cloud services platform
• Offers compute power, database management, content delivery and
other functionality
• Ability to build applications with increased flexibility, scalability and
reliability



vAPS on AWS (Overview)
• vAPS can be deployed in the AWS Elastic Compute Cloud (EC2)
environment
• EC2-Classic is not supported
• Intended to protect virtual servers in AWS EC2 or other clouds
• Deployed in Inline Routed mode
• AWS Virtual Private Cloud (VPC) supports only IP networks and interfaces
• Minimum Requirements
• AWS EC2
• AWS VPC
• Three subnets



vAPS on AWS (Operational Differences)
• AWS only supports Amazon Machine Images (AMI)
‒ vAPS AMI is shared with the customer directly
‒ vAPS image is not available in the Amazon Marketplace
• Uses AWS Red Hat Kernel instead of ArbOS
• NO upgrade support
• NO package support
• Reboot/Shutdown no longer available via CLI
• Now managed by AWS



vAPS on AWS (Operational Differences)
• Single management interface
• IP configuration and access rules are managed by AWS
• No longer managed via the APS CLI
• Inline Routed deployment mode only
• All interface names are eth* on AWS
• Not mgt*, ext*, int* as on APS appliances



NAT Instance
  Routing Difficulty
• External IP on Protected Service
  • AWS routes traffic directly to the service
• External IP on APS External Interface
  • APS cannot rewrite & forward traffic

NAT is needed to force traffic through APS
• DNAT for forwarding packets to the webserver
• Static Route to force packets into APS
• SNAT to rewrite packets going back on the internet



vAPS on AWS (Additional Resources)
• Please refer to the vAPS Installation Guide for more information on
installing vAPS on Amazon Web Services
• For an example of the vAPS installation on Amazon Web Services
please refer to the following e-learning video series on the Arbor
Learning Center:
• DDS-ETU-4004 - Arbor APS 5.12 Partner Technical Update Training
• Arbor vAPS on Amazon Web Services (Optional)
• Due to the complexity of AWS environments, please consult your Arbor
Channel CE for more information on vAPS installations on AWS



vAPS INSTALLATION
OVERVIEW – CLOUD BASED LICENSING



Virtual APS Cloud-based Licensing
• Enables horizontal deployment of Arbor APS across multiple customers, remote offices, etc.
• Cloud Based Licensing: Leverage bulk purchase of Total Mitigation License Pool and deploy, up to 1Gbps, as needed.

[Figure labels: Cloud DDoS Service; Arbor Cloud or Backbone Scrubbing Center; Arbor SP / TMS; License Server; CLOUD; SIGNALING; 500M License, 100M License, 1G License; three vAPS; Total License: 10 Gbps; Customer Site, Customer Site, Data Center]



Virtual APS License Configuration in the UI



Configure Access to Cloud-Based License Server

• Click the Edit button.
• Enter License Server ID received in email from Arbor when license was purchased.
• Configure License Server Proxy settings if required.
Note: These proxy settings apply to License Server communications only.



Request Throughput Limit

• Enter Requested Throughput Limit number and specify Mbps or Gbps.
• Select Requested AIF Level.
• Current Throughput Limit, AIF Level and Expirations will be displayed once a valid licensing request has been completed.
• Press Save button.



Cloud-Based Licensing

• Request a license for a specified amount of throughput to be inspected
• vAPS downloads local copies of cloud-based licenses
  • Requires regular contact with the cloud-based license server
    • HTTPS port 443
  • If communication is lost for a period of 10 days, local licenses will expire
  • If local licenses expire, Arbor APS will no longer inspect traffic
• AIF Licensing
  • Configure access to the cloud-based license that corresponds to the subscription level (Standard or Advanced) that was purchased
Note: Cloud-based licensing is available for Arbor vAPS only. Arbor APS hardware appliances are licensed via the CLI system license commands.



Arbor Networks vAPS Installation Guide

• Detailed instructions on how to install vAPS
• Overview of each vAPS installation type



Lab Exercise

• Preview Lab 1
• Installation of Arbor APS
• Upgrade of Arbor APS
• Perform Lab 1
• Estimated Time 90 Minutes
• Review Lab Questions

https://portal.training.arbor.net



Unit Summary

In this unit we have learned how to:
• Deploy Virtual Arbor APS (vAPS) on KVM & VMware Hypervisors
• Deploy Virtual Arbor APS (vAPS) on Amazon Web Services (AWS)



Q&A / THANK YOU

