Cloud: Major Aug/Sept 2021 Update
August and September 2021 brought a large batch of features to the Cloud section. There is too much for a short summary, so read on for the full details and get your monthly fix of Cloud features.
Security Group & Network ACL Visibility in Kentik Map
Further burnishing our credentials as the cloud network engineers’ tool of choice for troubleshooting connectivity issues in AWS, we’ve just added a new sidebar feature to the Kentik Map, Security Groups & Network ACLs.
This sidebar enhancement enables network engineers to find traffic that is currently being dropped by AWS security groups or network ACLs applied to the selected VPC or subnet. The component analyzes the selected VPC or subnet for denied traffic into or out of the network environment and then crawls through the company’s AWS metadata to allow users to determine exactly what traffic has been dropped. The component also helps users understand which security group or network ACL policies caused the traffic to be dropped.
The system works by querying the flow logs to or from the selected VPC or subnet for records whose action AWS marked as REJECT. A REJECT record only tells you that a security group or network ACL did not permit the traffic; it does not say which rule matched, which is why the metadata crawl described above is needed to pin the drop on a policy. The system then analyzes the direction of the traffic to provide an at-a-glance view of these flows, as well as a convenient way to search through the traffic for a particular source or destination.
If a user wants to find more information about why particular traffic was dropped, they only need to click on the row to open an analysis window:
The system highlights rows that contributed to the specific traffic being dropped, making it easy to determine what policy needs to be updated and even which rule could be modified in order to rectify a misconfiguration.
Users can also view these access control policies directly from within the map — a very cumbersome task using only the AWS console and/or CLI. Kentik Cloud users now need only click on View Security Groups or View Network ACLs buttons in the sidebar and the system will open up a dialog showing exactly which policies are applied to the selected object and allow the user to browse the rules associated with each policy.
Support for New AWS Dimensions
Several months ago, AWS introduced support for the following dimensions in AWS flow logs:
- Source/Destination Packet Address (pkt-srcaddr, pkt-dstaddr): The srcaddr and dstaddr fields record the addresses as seen at the interface that produced the record, which for traffic passing through an intermediate layer such as a NAT gateway (or a container whose address differs from its node's interface) is not the original endpoint. These fields carry the original packet addresses, so users can determine the true source or destination and understand how traffic actually flows through a cloud environment.
- Source/Destination AWS Service (pkt-src-aws-service, pkt-dst-aws-service): Identifies the AWS service at the original packet address, so traffic to or from AWS services can be traced even when it passes through an intermediate layer.
- Traffic Path (traffic-path): The path egress traffic takes towards its destination, for example through another resource in the same VPC such as a NAT gateway, an internet gateway, a virtual private gateway, or a VPC peering connection. It is populated only for egress flows.
- Flow Direction (flow-direction): Marks the flow as ingress or egress relative to the interface that recorded it.
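To make the two passages above concrete (querying flow logs for REJECT records and splitting them by direction, and using the packet-address and direction fields), here is an added example that is not Kentik's code. It parses VPC Flow Log records, summarizes rejected traffic per direction with NAT'd flows attributed to the originating host via pkt-srcaddr/pkt-dstaddr, and applies a general troubleshooting heuristic (rejected return traffic points at a stateless network ACL rather than a stateful security group) that the page itself does not describe. The field names are AWS's; the field order is a custom log format assumed here, and the sample records are constructed, not captured from a real account.

```python
"""Triage REJECT records in AWS VPC Flow Logs: find rejected flows, split them
by direction, and attribute NAT'd traffic to the original host.

Added example, not Kentik's code. Field names are the AWS VPC Flow Log field
names; the field ORDER below is a custom format assumed for this example, and
the sample records are constructed, not captured from a real account.
"""
from collections import Counter, defaultdict

# Assumed custom flow-log format (field names are AWS's; the order is ours).
FIELDS = (
    "version account-id interface-id srcaddr dstaddr srcport dstport protocol "
    "packets bytes start end action log-status pkt-srcaddr pkt-dstaddr "
    "pkt-src-aws-service pkt-dst-aws-service flow-direction traffic-path"
).split()

# Constructed sample: one instance ENI (eni-0aaa...) and one NAT gateway ENI
# (eni-0ccc...). Addresses come from documentation ranges, not real hosts.
SAMPLE_LOG = """\
5 123456789012 eni-0aaa1111bbbb2222c 10.0.1.25 198.51.100.7 43212 443 6 8 1200 1630000000 1630000060 ACCEPT OK 10.0.1.25 198.51.100.7 - - egress 8
5 123456789012 eni-0aaa1111bbbb2222c 198.51.100.7 10.0.1.25 443 43212 6 4 240 1630000000 1630000060 REJECT OK 198.51.100.7 10.0.1.25 - - ingress -
5 123456789012 eni-0aaa1111bbbb2222c 203.0.113.9 10.0.1.25 51515 22 6 3 180 1630000000 1630000060 REJECT OK 203.0.113.9 10.0.1.25 - - ingress -
5 123456789012 eni-0aaa1111bbbb2222c 203.0.113.9 10.0.1.25 51516 22 6 3 180 1630000001 1630000061 REJECT OK 203.0.113.9 10.0.1.25 - - ingress -
5 123456789012 eni-0aaa1111bbbb2222c 10.0.1.25 10.0.2.40 55000 5432 6 2 120 1630000000 1630000060 REJECT OK 10.0.1.25 10.0.2.40 - - egress 1
5 123456789012 eni-0ccc3333dddd4444e 10.0.9.200 52.94.10.10 40000 443 6 5 600 1630000000 1630000060 REJECT OK 10.0.1.25 52.94.10.10 - AMAZON egress 8
5 123456789012 eni-0aaa1111bbbb2222c - - - - - - - 1630000000 1630000060 - NODATA - - - - - -
"""


def parse_flow_log(text, fields=FIELDS):
    """Parse space-separated flow-log records into dicts.

    Records whose log-status is not OK (NODATA, SKIPDATA) describe no flow
    and are dropped so they cannot be mistaken for rejected traffic.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        rec = dict(zip(fields, values))
        if rec["log-status"] == "OK":
            records.append(rec)
    return records


def original_endpoints(rec):
    """Return (src, dst) using the packet-address fields when AWS filled them in.

    On a NAT gateway's interface srcaddr is the gateway's own private IP;
    pkt-srcaddr still names the instance that originated the traffic.
    """
    src = rec["pkt-srcaddr"] if rec["pkt-srcaddr"] != "-" else rec["srcaddr"]
    dst = rec["pkt-dstaddr"] if rec["pkt-dstaddr"] != "-" else rec["dstaddr"]
    return src, dst


def reject_summary(records, interface_id=None):
    """Rejected packets per flow direction, keyed by (src, dst, dstport, protocol).

    REJECT only says a security group or network ACL dropped the packet; the
    log does not record which one. Mapping a drop to a rule needs the account's
    metadata (security groups and ACLs attached to the ENI, subnet and VPC).
    """
    summary = defaultdict(Counter)
    for rec in records:
        if rec["action"] != "REJECT":
            continue
        if interface_id and rec["interface-id"] != interface_id:
            continue
        src, dst = original_endpoints(rec)
        key = (src, dst, rec["dstport"], rec["protocol"])
        summary[rec["flow-direction"]][key] += int(rec["packets"])
    return {direction: dict(counts) for direction, counts in summary.items()}


EPHEMERAL_MIN = 1024  # ports at or above this are treated as client-side ports


def looks_like_blocked_response(rec):
    """Heuristic: a REJECT whose source port is a service port and whose
    destination port is ephemeral is usually return traffic of a connection the
    instance itself opened. Security groups are stateful and admit return
    traffic of accepted connections, so such a record points at a stateless
    network ACL that lacks an ephemeral-port rule, not at a security group.
    """
    if rec["action"] != "REJECT" or rec["protocol"] not in ("6", "17"):
        return False
    return int(rec["srcport"]) < EPHEMERAL_MIN <= int(rec["dstport"])


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for direction, flows in sorted(reject_summary(recs).items()):
        print(direction)
        for (src, dst, port, proto), pkts in sorted(flows.items()):
            print(f"  {src} -> {dst}:{port}/{proto}  {pkts} pkts rejected")
    suspects = [r for r in recs if looks_like_blocked_response(r)]
    print(f"{len(suspects)} rejected record(s) look like blocked return traffic; check network ACLs")
```

Run it as a script to see the per-direction summary. Note that the flow on the NAT gateway interface is reported under the originating instance 10.0.1.25, not the gateway's 10.0.9.200, and that the single rejected 443 to 43212 record (the return half of an accepted outbound connection) is the one flagged for a network ACL review.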
ENI Tagging and Dimensions
Flows are generated from the network interfaces that attach infrastructure to the network. In AWS parlance, these interfaces are called ENIs (elastic network interfaces). Mapping flows based on ENIs lets us add new dimensions to group and filter by ENI type, as well as to group or filter traffic by source and destination ENI. These dimensions allow our users to construct precise flow queries that don't double count traffic to or from instances, through gateways and load balancers, or through special infrastructure such as Lambdas. This is an important advantage for Kentik Cloud users.
Cloud-Native Views for Kentik Map
We also created a more welcoming experience in the Kentik Map for cloud-native/cloud-only customers. Our previous version of the map assumed that users always had an on-prem network (or would soon be adding one). The result was that the cloud infrastructure was tucked away in the Cloud Block, while the large on-prem block remained a bare focal point on the map.
No longer! Now, when a single-cloud user without an on-prem network registers their cloud in Kentik, the map opens directly in that cloud's most appropriate view, and multi-cloud users without an on-prem network are presented with a new multi-cloud view in the center of the map. If and when users add on-prem network devices to Kentik, their experience returns to the on-prem-centric view of the Kentik Map that exists today.
Improvements in Sidebar Traffic Queries
Did you know that sites don’t need to be directly connected to each other in order to show traffic lines in the Kentik Map? Several quarters ago, we introduced a feature called “Draw Links Using…” which enabled users to select an option to draw links based on BGP Ultimate Exit as well as Site IP addresses configured in the site architecture dialog. This enables “island” networks (networks without a backbone) or SD-WAN networks to configure their sites and easily run traffic queries between sites.
These lines are drawn by queries using new dimensions called Source/Dest Site by IP and Site Type by IP. Because we've heard from customers who depend on this workflow, we've added these dimensions to the sidebar for convenient analysis in the map.
Another quick but important usability improvement was to create a new sidebar section titled “Details.” This prevents map objects (subnets, VPCs, gateways) with lots of metadata from making the sidebar unusable.
Azure Updates
A major improvement we’ve added for Azure is the ability for companies that centralize the collection of NSG flow logs into a single storage account to create “metadata-only” exports for resource groups within the same region. To make this work, simply disable the slider called “Enable Flow Logs for this Export” on any resource groups that don’t have their own storage account associated.
We’ve also implemented some improvements to our Azure services based on customer feedback as well as added infrastructure resiliency and backend code improvements. Stay tuned for more improvements this and next quarter as we continue to round out our cloud offerings.
New Cloud Tour in Demo Mode
We’ve added a sixth tour to Kentik’s Demo Mode, which walks users through a troubleshooting scenario involving connectivity problems between AWS resources and an on-premises database. The new tour highlights the difficulty of conducting this kind of troubleshooting in complex cloud environments with existing tools, and makes clear Kentik’s strength in helping solve these issues.
New Weather Map
This month we are excited to announce beta availability for our new Weather Map — a new core feature of Kentik Maps.
Our new Weather Map shows network engineers how their network is laid out, so that the architecture and current traffic patterns can be understood at a glance. This feature was one of the most requested enhancements to Kentik Maps since we went live, and we’ve only begun to scratch the surface of what we plan to do here.
Today, the Weather Map is simple. It renders a company’s sites over a geopolitical map, using the customer’s configured site addresses to derive latitude and longitude coordinates. Sites within the same region are clustered to declutter the map; as users zoom in on a cluster, it breaks open to reveal the positions of the sites beneath. Between sites (and clusters of sites) we draw links using the connected interfaces, so customers can view backbone utilization and click on links for quick traffic analysis.
We’ve got an amazing roadmap of features coming out for Kentik maps this quarter, so stay tuned for future updates to Weather Map, AWS map and site maps in Q4.
Historical Queries
Another great new feature enhancement is our ability to rewind the clock and show users how their AWS network (and associated traffic) looked in the past, using historical metadata.
When we launched the Kentik Map for AWS, we began with a metadata service that only stored metadata describing the current state of the user’s network. However, if a user adjusted the time window to find specific flows, we assumed that the AWS architecture was the same during the specified query window as it was when the query was actually run. We knew this would eventually require historical support, which took time to design and implement.
However, that day is here! Users can change the to/from dates in the Kentik Map and we will update the map to show what the environment looked like during that time. If we took multiple “snapshots” of metadata during the selected window, we show the most recent snapshot that falls within it.
This means that if traffic used to flow through a gateway that was subsequently deleted, we’ll show that gateway on the map. If traffic entered a subnet that only existed for a day or an hour — we’ll draw that subnet on the map.
Clickable Lines in the Kentik Map for AWS
We’ve added the ability to click on a line within AWS and get instantaneous traffic details for the line! In prior versions of the Map for AWS, users could only click on Map elements such as Subnets, Gateways, etc. Understanding and analyzing traffic between elements was left as an exercise for the user to construct queries using the Data Explorer. Now users can click on lines between subnets (“Show Connections”), lines between gateways, and lines to and from internet ASNs.
NAT Gateways and Transit Gateways
We also improved the way the Kentik Map renders traffic to and from gateway objects. Previous versions of the Kentik Map couldn’t determine the amount of traffic entering a subnet from a gateway. Now that we’ve switched our flow enrichment to use network interfaces rather than only IP addresses, we can show traffic from this infrastructure entering our customers’ environments.