By Jay Hong, Sr. Solution Consultant – NETSCOUT
By Byungho Lee, Solutions Architect – AWS

Connect with NETSCOUT-1

The NETSCOUT APM (Application Performance Management) solution provides end-to-end visibility on application workloads and their dependencies on compute, network, and storage infrastructure in hybrid cloud environments.

Additionally, NETSCOUT’s nGeniusONE service assurance platform provides insights into the performance characteristics of data, voice, and video service delivery to help manage the availability and quality of the user experience.

The service shortens the time required to solve network and application performance issues by providing a common set of metadata for service visibility across network elements, applications, and devices to address the needs of network and IT operations teams.

In this post, we will discuss visibility for service performance management. We’ll also explain how to implement visibility for service performance management and security management in a holistic approach based on NETSCOUT APM using VPC traffic mirroring and AWS Gateway Load Balancer (GWLB).

NETSCOUT is an AWS Specialization Partner and AWS Marketplace Seller with Competencies in Networking, Security and Migration and Modernization. NETSCOUT is a leading provider of service assurance, security, and business analytics solutions that delivers consistent, high-resolution, real-time visibility into on-premises and cloud environments.

What is Visibility?

Visibility provides detailed insights into the service flows and usages that occur on a network and the applications that run on it. This allows users to identify and manage performance degradations that would otherwise be difficult to detect.

The cloud is constantly evolving, and a big focus for enterprises is optimizing the performance and scalability of distributed services in a cloud environment. In addition, the complexity of managing multiple AWS accounts and data center environments cannot be avoided.

Visibility into these environments is essential to reduce the time to operate and troubleshoot network and application services, and to gain insights that simplify complexity.

The NetOps team requires constant availability and performance for all users, accessing applications from anywhere in hybrid cloud environments.

NETSCOUT APM provides solutions for these situations:

  • Troubleshooting capabilities for faster Mean Time to Repair (MTTR) in hybrid environments.
  • Evaluation of application dependencies pre- and post- cloud migration.
  • Monitored co-working app for availability and performance.
  • Monitor employee digital experience to ensure productivity, regardless of location.

You Can’t Manage What You Can’t See

We have discussed the importance of cloud visibility. Now, let’s look at what’s needed for cloud visibility and explore some of the challenges.

Network-based visibility requires a way to collect traffic, but installing an agent on every Amazon Elastic Compute Cloud (Amazon EC2) instance is not the best way to collect traffic data. There are several challenges with this approach:

  • Cost of installing and maintaining agents on a large number of instances.
  • Performance impact of agents on instances.
  • Need to collect traffic from different data sources (multiple virtual private clouds, for example).

NETSCOUT and AWS integrated solutions offer a cost-effective way to collect traffic from different data sources, such as virtual private clouds (VPCs) and subnets, without installing an agent on every Amazon EC2 instances.

There are two AWS networking services that can be used to improve visibility: VPC traffic mirroring and traffic through AWS Gateway Load Balancer. These technologies can be combined to provide a comprehensive view of network traffic, which can be used to improve performance and security in agentless monitoring environment.

NETSCOUT collects network traffic data (packets) to create key performance indicators (KPIs) for performance management and threat indicators for threat hunting. This helps detect and analyze security threats and provide insights into service performance.

NETSCOUT provides a single pane of glass for application and network services on the cloud, enabling a variety of service management and threat hunting capabilities through a single data source.

Omnis Cyber Intelligence: Integration with nGeniusONE APM

Omnis Cyber Intelligence (OCI) is a network detection and response (NDR) solution that integrates with nGeniusONE to provide a single view of security threats and service performance. This provides visibility of your security threats and performance issues in one place, making it easier to identify and resolve them.

OCI integrates threat intelligence from a variety of sources, including NETSCOUT’s own Threat Intelligence Platform, to provide a more complete view of the threat landscape. This means you’ll be more confident you are detecting and responding to all of the latest threats.

  • Identify malicious traffic: OCI can be used to identify malicious traffic, such as distributed denial of service (DDoS) attacks or malware downloads.
  • Detect vulnerable hosts: OCI can be used to identify vulnerable hosts that may be susceptible to attack.
  • Provide threat intelligence: OCI provides threat intelligence that can be used to improve your security posture.

NETSCOUT’s solutions also provide comprehensive visibility and insights into network traffic, helping organizations identify and mitigate security threats. NETSCOUT can be integrated with AWS Security Hub, which allows organizations to consolidate security data from multiple sources into a single view. The integration also provides automated threat detection and response capabilities.

Indeed, enterprise IT organizations harness the actionable intelligence made possible by NETSCOUT solutions to secure and optimize service performance, enabling them to take full advantage of the AWS environment simultaneously.


Figure 1 – Integrated AWS with NETSCOUT security and performance visibility.

Solution Deployment Architecture

In order to have centralized observability in multi-account or multi-VPC inspection architecture, you use GWLB endpoint (GWLBE) as a target for VPC traffic mirroring.

With this feature, customers can mirror the traffic from the spoke VPC’s elastic networking interface (ENI) to the centralized VPC’s monitoring appliance without needing to connect using VPC peering or AWS Transit Gateway. Furthermore, you can build end-to-end visibility with consolidating traffics from inspection VPC, spoke VPC and on-premises.


Figure 2 – Centralized traffic monitoring architecture.

In Figure 2 above, the centralized monitoring architecture with NETSCOUT appliances in multi-account environment. We demonstrated NETSCOUT’s observability by decoding multiple encapsulated packet with GENEVE (RFC 8926) header and VXLAN (RFC 7348) header.

In the production account, we route to the GWLB endpoint in the edge VPC to control ingress/egress traffic. This GWLB endpoint will be the inspection point between internet gateway and public resources, and it’s attached to the endpoint service for GWLB in the inspection VPC of the security account.

In the security account, stateful appliances are deployed behind GWLB to inspect north-south and east-west traffic. When we enable traffic mirroring at each appliance’s ENI level, we can mirror the traffic to the another GWLB endpoint which is attached to the endpoint service for the GWLB in the monitoring VPC (note that traffic mirroring quotas and limitations must be considered beforehand).

A South Korean digital services company uses nGeniusONE APM in its data center and AWS environments to monitor both north-south in the network and east-west traffic within the application server environments including third-party applications. nGeniusONE leverages logical workflows from dashboards to session analysis and service dependencies to quickly ascertain the real cause of issues.

Leveraging their full implementation of NETSCOUT technology is helping the NetOps and application teams maintain the quality application performance and end-user experience necessary for their business needs including network performance.

For hybrid architecture, NETSCOUT APM has configured a single pane of glass that provides integrated analysis of application service composition, performance, errors, and usage based on the service flow of transactions. This allows customers to analyze the correlation between end-user transactions and cloud, data center, and external application services, quickly detecting and resolving errors.


Figure 3 – Hybrid cloud performance management with NETSCOUT APM.

With this solution, you can centralize mirrored traffic to monitoring appliance from any account or VPC with private connectivity using a GWLB endpoint. As GWLB manages deployment, scalability, availability of appliances, it enables you to focus on network observability over appliance management to network administrator, system operator, and NetSecOps engineer.

In Figure 3 below, you can see that collecting traffic data from different network segments and analyzing Transmission Control Protocol (TCP) sessions to trace end-user application use. It easily identifies problems in specific network segments and provides detailed analysis features through a web graphical user interface (GUI).


Figure 4 – Hybrid cloud monitoring with multiple network segments.

This analysis capability ultimately provides a foundation for multi-VPC or hybrid cloud analysis and visibility. In Figure 4 above, you can see how NETSCOUT provided visibility and problem analysis solutions for multiple network segments of a digital services company in Korea.


Figure 5 – AWS traffic monitoring and analysis.

In Figure 5 above, an nGeniusONE analysis screen from NETSCOUT is used to collect traffic data from VPC traffic mirroring and GWLB. The screen also provides decoding functionality for GWLB and VxLAN, which supports accurate traffic visibility and analysis solutions.

NETSCOUT’s monitoring visibility allows users to analyze traffic from multiple VPCs simultaneously, even traffic that has passed through multiple GWLBs and VPC traffic mirroring.


Figure 6 – Network monitoring with VxLAN decoding.

Analyzing AWS encapsulation data provides insights into network segments, applications, transactions, and end users.

Figure 6 shows the monitoring of performance and usage for each network segment, requiring accurate decapsulation of encapsulated traffic such as VxLAN and GENEVE. This technology should be used to provide comprehensive visibility into network and application performance, usage, and problems through dashboards.


IT organizations migrating services and applications to the cloud need visibility before, during, and after migration.

With NETSCOUT nGenius Enterprise Performance Management, organizations are able to understand all application and service dependencies and performance issues throughout the process, thus ensuring successful migration and performance levels are maintained.

NETSCOUT helps customers solve problems and issues before they impact the bottom line by turning traffic data into NETSCOUT Smart Data. This is done at the source using cloud-native services such as AWS Gateway Load Balancer endpoints as a target for VPC traffic mirroring.

You can learn more about NETSCOUT in AWS Marketplace.


NETSCOUT – AWS Partner Spotlight

NETSCOUT is an AWS Specialization Partner and leading provider of service assurance, security, and business analytics solutions that delivers consistent, high-resolution, real-time visibility into on-premises and cloud environments.

Contact NETSCOUT | Partner Overview | AWS Marketplace