Many enterprises migrate to AWS for agility, but as a cloud platform that consists mostly of managed services, it doesn't offer all the features a business might need. That can be the case with VPCs.
Amazon Virtual Private Cloud (VPC) offers fairly restricted network visibility, and VPC Flow Logs -- the feature that records metadata about IP traffic to and from network interfaces -- also has limitations. As a result, some AWS customers turn to third-party tools, such as VMware Network Insight, for a detailed look at network traffic across their IT architectures and to simplify network operations.
VMware Network Insight
VMware Network Insight, a network and security analysis service, is one of the bevy of third-party options for enterprises to monitor their traffic. It provides network traffic details for workloads that run on the AWS public cloud and on a software-defined data center through VMware Cloud on AWS. Unlike vRealize Network Insight, which is deployed within an on-premises data center, Network Insight is a SaaS product.
When used with AWS, Network Insight collects VPC Flow Logs information, which contains metrics on security groups, EC2 instances, tags and more. For VMware on AWS environments, it collects IP flow information exports, as well as flow traffic from the vSphere Distributed Switch. Network Insight also gathers other details, such as routing tables, configurations and performance metrics. The service collects and analyzes data every 10 minutes to produce a granular view of network traffic distribution and patterns.
This information provides insight into application dependencies, and administrators can use it to monitor, audit and troubleshoot network security. The service also recommends potential security rules.
However, the service does have some drawbacks for AWS environments. VMware Network Insight is limited to what the VPC Flow Logs provide, so admins can't see traffic involving Amazon DNS servers or DHCP, which is a big disadvantage when troubleshooting certain security issues. Also, if multiple IP addresses are attached to a network interface, only the primary IP will be included in the logs as the destination address -- something that could limit visibility into networking patterns.
Search-driven network insights
VMware Network Insight is completely search-driven, so users can enter a query in the search bar and get insights about the desired resources. For example, a search for AWS instances or VMware virtual machines would return a list along with the corresponding information about each group. Admins can filter queries with specific criteria to zero in on factors such as the flow of data between two instances. This search functionality can be particularly helpful for troubleshooting connectivity issues, either locally or between remote locations.
For AWS customers, this tool can help pinpoint network issues, strengthen security or isolate application dependencies. Moreover, for VMware Cloud on AWS, Network Insight provides information about packets dropped on the NSX Edge Gateway and the NSX Edge high-availability status.
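The raw material behind the dependency maps, security-rule recommendations and instance-to-instance searches described above is the VPC Flow Log record itself. The following Python is an added example, not code from VMware or AWS: it parses records in the default version 2 flow-log layout (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), then derives an accepted-traffic dependency map, a count of rejected flows per destination port, and a filter for flows between two addresses. The log lines, account ID, ENI IDs and addresses are constructed for the example; NODATA records, which carry no traffic, are skipped, and, as the article notes, DNS and DHCP traffic to the Amazon-provided resolver never appears in these records at all.

```python
"""Parse AWS VPC Flow Log records (default v2 format) and answer the questions
the article describes: which workloads talk to which, and which flows are
rejected.  Added example, not VMware's or AWS's code; the sample records below
are constructed, not captured from a real account."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

# Default VPC Flow Log record layout (version 2), space-separated fields.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: a web tier talking to a database tier, one rejected SSH
# attempt from outside, an HTTPS dependency, and a NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0aaa11111111111aa 10.0.1.10 10.0.2.20 51234 5432 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa11111111111aa 10.0.1.10 10.0.2.20 51235 5432 6 15 3000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbb22222222222bb 198.51.100.7 10.0.1.10 40001 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0bbb22222222222bb 10.0.1.10 10.0.3.30 51236 443 6 10 2000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0ccc33333333333cc - - - - - - - 1700000000 1700000060 - NODATA
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    byte_count: int
    action: str


def parse_flow_logs(text: str) -> list[FlowRecord]:
    """Parse default-format records; NODATA/SKIPDATA rows carry no flow and are
    dropped.  Note that flows to the Amazon DNS resolver or DHCP are never
    logged, so their absence here is a data-source limit, not a parse error."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line; a real pipeline would log and count it
        row = dict(zip(FIELDS, parts))
        if row["log_status"] != "OK":
            continue
        records.append(FlowRecord(
            interface_id=row["interface_id"],
            srcaddr=row["srcaddr"], dstaddr=row["dstaddr"],
            srcport=int(row["srcport"]), dstport=int(row["dstport"]),
            protocol=int(row["protocol"]),
            packets=int(row["packets"]), byte_count=int(row["bytes"]),
            action=row["action"],
        ))
    return records


def dependencies(records: list[FlowRecord]) -> Counter:
    """Accepted bytes aggregated by (src, dst, dstport): the application
    dependency map that a tool like Network Insight derives from this data."""
    deps: Counter = Counter()
    for r in records:
        if r.action == "ACCEPT":
            deps[(r.srcaddr, r.dstaddr, r.dstport)] += r.byte_count
    return deps


def rejected_by_port(records: list[FlowRecord]) -> Counter:
    """REJECT counts per destination port: security-group or NACL denials that
    are worth reviewing when tightening or auditing rules."""
    rejects: Counter = Counter()
    for r in records:
        if r.action == "REJECT":
            rejects[r.dstport] += 1
    return rejects


def flows_between(records: list[FlowRecord], a: str, b: str) -> list[FlowRecord]:
    """Flows in either direction between two addresses, the equivalent of the
    filtered instance-to-instance search described in the text."""
    return [r for r in records if {r.srcaddr, r.dstaddr} == {a, b}]


if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE_LOG)
    for (src, dst, port), total in dependencies(recs).items():
        print(f"{src} -> {dst}:{port}  {total} bytes accepted")
    print("rejected flows by port:", dict(rejected_by_port(recs)))
    print("web<->db flows:", len(flows_between(recs, "10.0.1.10", "10.0.2.20")))
```

On the constructed sample this yields two accepted dependencies (web to database on 5432, web to a third host on 443), one rejected inbound flow on port 22, and two flows between the web and database addresses. Pointing `parse_flow_logs` at records exported from CloudWatch Logs or S3 reproduces the same per-flow view the article attributes to the service, subject to the same limitation that only the interface's primary IP appears as the destination.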
VMware Network Insight charges for hourly consumption, with some options for long-term commitments; it is currently available only in the U.S.