Hyperglance Guide for AWS

This guide brings together various articles and information for you to deploy Hyperglance into your AWS cloud.

Why Choose Hyperglance?

✔️ Automatic diagrams & inventory
✔️ Cost optimization & alerting
✔️ Security & compliance monitoring
✔️ Automatic policy enforcement

 

Hyperglance can be deployed in only 10 minutes from the AWS Marketplace using a CloudFormation template.

What you need to get started:

  • AWS Account to launch the Hyperglance instance into
    • With a VPC and Subnet to launch the instance into.
  • Any additional AWS Accounts you want Hyperglance to monitor.
  • Some knowledge of IAM to set up account access, and of CloudFormation. But don't worry: we'll walk you through it in our step-by-step guides (see below).

Get Started Guides

> Get Started Step by Step Guide

> Setup Additional Accounts Access

> More about deployment options & deployment architecture diagrams

> Product Architecture Diagram

Security

Tip: Use a non-root IAM User.

It is best security practice not to use your AWS account's root user to manage resources and deployments. You should use a non-root IAM User at all times.

IAM Policies & Roles

Hyperglance needs an IAM role/policy to access the AWS APIs in order to gather inventory, create diagrams, and evaluate cost-saving, compliance, and security rules.

Find our latest up-to-date recommended policy permissions here:

Following the principle of least privilege, we provide multiple policy options: read-only or read-write, as well as fine-grained permissions. Start with the read-only policy and grant write access only if you want Hyperglance to make changes in your accounts.

A cross-account Role (with the above policy attached) is required in each account that you wish to connect to Hyperglance. Hyperglance will connect to your accounts using STS AssumeRole.

Read More: How To Add AWS Accounts To Hyperglance
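Before connecting an account, it is worth verifying that the cross-account role's trust policy only lets the account hosting the Hyperglance instance assume it. The following is an added example in Python, not Hyperglance's own code or its documented role template: build_trust_policy() produces the trust policy for the role in a monitored account, and audit_trust_policy() flags wildcard or unexpected principals. The account ID and the ExternalId value are made-up placeholders. The sts:ExternalId condition is a standard AWS mitigation for the confused-deputy problem; it is only usable if you can supply the same value when adding the account in Hyperglance, so it is optional here.

```python
"""Build and audit the trust policy of a Hyperglance cross-account role.

Added example, not Hyperglance's own code. The account ID and ExternalId are
made-up placeholders; substitute your own values.
"""
import json
from typing import Optional

HYPERGLANCE_ACCOUNT_ID = "111111111111"            # placeholder: account hosting the instance
EXTERNAL_ID: Optional[str] = "hg-monitoring-7f3a"  # placeholder; use None if you cannot supply one


def build_trust_policy(hyperglance_account_id: str, external_id: Optional[str] = None) -> dict:
    """Trust policy for the role in each account that Hyperglance should monitor."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{hyperglance_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value) -> list:
    """IAM allows a single value or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _account_of(principal: str) -> str:
    """Account ID from an ARN, or the value itself if it is a bare account ID or '*'."""
    parts = principal.split(":")
    return parts[4] if len(parts) >= 5 else principal


def audit_trust_policy(policy: dict, hyperglance_account_id: str,
                       external_id: Optional[str] = None) -> list:
    """Return findings for every Allow statement granting sts:AssumeRole (empty list == OK)."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = (_as_list(principal.get("AWS", []))
                          if isinstance(principal, dict) else [principal])
        for p in aws_principals:
            if p == "*":
                findings.append("any AWS principal may assume this role")
            elif _account_of(p) != hyperglance_account_id:
                findings.append(f"unexpected principal {p}")
        if external_id:
            condition = stmt.get("Condition", {}).get("StringEquals", {})
            if condition.get("sts:ExternalId") != external_id:
                findings.append("missing or mismatched sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(HYPERGLANCE_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy, HYPERGLANCE_ACCOUNT_ID, EXTERNAL_ID))
```

On the Hyperglance side, the instance role only needs sts:AssumeRole on the specific role ARNs you created, so scope that permission to those ARNs rather than to a wildcard.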

Public Resources?

Hyperglance does NOT deploy any public resources (such as public S3 buckets) by default.

The CloudFormation template does provide the option to allocate a Public IP Address (see deployment options).

Stored Secrets

As shown in our Product Architecture Diagram, Hyperglance comprises a PostgreSQL database stored on a 'data' EBS volume (that YOU control).

On this volume Hyperglance will store:

  • All IAM Roles you add to connect into accounts using STS AssumeRole.
  • Any Access/Secret keys you add to connect into accounts (encrypted)
    • Note: This does NOT apply to AWS Marketplace deployments where Hyperglance only permits assume

EBS Volume Encryption

You control the EBS volumes that Hyperglance uses and can enable encryption at rest. Because the data volume holds the role ARNs and any access keys used to connect to your accounts, enable encryption when the volume is created: an existing unencrypted volume cannot be encrypted in place and has to be replaced via an encrypted snapshot copy. Turning on EBS encryption by default for the region before launching the stack is the simplest way to ensure this.

Network Configuration

The Hyperglance CloudFormation stack will create the following network components:

• EC2 Instance
  • With a single default ENI
  • Optionally with a Public IP (according to the AssignPublicIP parameter of the CloudFormation stack).
• EC2 Security Group
  • Allowing ingress on ports 443 (HTTPS) and 22 (SSH) from the CIDR ranges provided as parameters to the CloudFormation stack. Restrict these ranges to the addresses that actually need access (for example your office or VPN egress ranges, or a bastion host for SSH); do not use 0.0.0.0/0.

The stack asks for a VPC ID and a Subnet ID (which must belong to that VPC), so you must create the following components yourself before deploying the stack:

• A VPC
• A Subnet (with an optional Network ACL)
• A RouteTable
• Optional: Network ACL to control ingress/egress from the Subnet (see deployment option 2)
• Optional: Additional Subnet and NAT Gateway (see deployment option 3)
• Access to the AWS APIs via either:

> See our deployment options.

Costs & Pricing Model

There are a few different Hyperglance tiers in the AWS Marketplace. You choose the tier that corresponds best to the number of cloud resources that Hyperglance will monitor.

The hourly cost depends on the number of resources you need. For example, if you run a 500-resource Hyperglance instance in AWS for 20 hours in a month at $1.23 per hour, the cost would be 1.23 * 20 = $24.60 (plus any cloud vendor charges).

Hyperglance is comprised only of EC2 services (EC2 instance & EBS), so you will only incur platform charges for those resources, plus any data-transfer costs in/out of regions.

> See Current Pricing

> What Does Hyperglance Count as a Resource?

Instance, Volume & RAM Sizing

Our CloudFormation templates have defaults set to a typically suitable EC2 instance size and EBS volume size (10GB).

If you ingest large amounts of cost data, or if you find performance is poor, you may need to increase the amount of RAM allocated to the internal Java process.

> Recommended Instance/VM Sizes

> How to increase Java memory allocation

Backup

The Hyperglance EBS volumes can be snapshotted and backed up to preserve all configuration and custom created rules (or other user content).

> How to create backups using the AWS Console

> Automate backups using AWS Backup

> Automate backups using the AWS CLI or SDK
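A daily snapshot of the data volume with a bounded retention window is enough to meet the 24-hour RPO suggested under Recovery. The following is an added example using the AWS SDK for Python (boto3), not Hyperglance's own tooling: backup_data_volume() creates a tagged snapshot of the data volume and prunes tagged snapshots older than the retention window, and select_expired() holds the pruning rule (never delete an incomplete snapshot, always keep the newest completed one). The volume ID, tag and retention period are placeholders; the boto3 calls used (create_snapshot, describe_snapshots, delete_snapshot) are the real EC2 client methods.

```python
"""Snapshot the Hyperglance data volume and prune old snapshots.

Added example, not Hyperglance's own tooling. Run it once a day (cron, EventBridge
scheduler, etc.) from an identity allowed to create and delete EBS snapshots.
Volume ID, tag and retention are placeholders.
"""
from datetime import datetime, timedelta, timezone

DATA_VOLUME_ID = "vol-0123456789abcdef0"                 # placeholder: the Hyperglance 'data' volume
BACKUP_TAG = {"Key": "hyperglance-backup", "Value": "data"}  # placeholder tag marking our snapshots
RETENTION_DAYS = 14


def select_expired(snapshots, now, retention_days):
    """Return IDs of completed snapshots older than retention_days.

    `snapshots` is a list of dicts shaped like boto3 describe_snapshots() output
    (SnapshotId, StartTime, State). Pending/error snapshots are never pruned, and
    the newest completed snapshot is always kept, so a failed run can never leave
    you with no usable backup.
    """
    cutoff = now - timedelta(days=retention_days)
    completed = sorted((s for s in snapshots if s["State"] == "completed"),
                       key=lambda s: s["StartTime"])
    keep_newest = completed[-1]["SnapshotId"] if completed else None
    return [s["SnapshotId"] for s in completed
            if s["StartTime"] < cutoff and s["SnapshotId"] != keep_newest]


def backup_data_volume(volume_id=DATA_VOLUME_ID, retention_days=RETENTION_DAYS):
    """Create today's snapshot, then delete tagged snapshots outside the retention window."""
    import boto3  # imported here so select_expired() can be exercised without AWS credentials
    ec2 = boto3.client("ec2")
    snap = ec2.create_snapshot(
        VolumeId=volume_id,
        Description=f"hyperglance data volume {volume_id}",
        TagSpecifications=[{"ResourceType": "snapshot", "Tags": [BACKUP_TAG]}],
    )
    existing = ec2.describe_snapshots(
        OwnerIds=["self"],
        Filters=[
            {"Name": f"tag:{BACKUP_TAG['Key']}", "Values": [BACKUP_TAG["Value"]]},
            {"Name": "volume-id", "Values": [volume_id]},
        ],
    )["Snapshots"]
    for snapshot_id in select_expired(existing, datetime.now(timezone.utc), retention_days):
        ec2.delete_snapshot(SnapshotId=snapshot_id)
    return snap["SnapshotId"]


if __name__ == "__main__":
    print("created", backup_data_volume())
```

Snapshots of an encrypted volume stay encrypted with the volume's key, so enabling encryption at rest (see Stored Secrets) also covers the backups.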

Recovery

In the case of instance or AZ failure you will need to:

1) Relaunch the Hyperglance CloudFormation stack

2) Create EBS volumes from your snapshot backups

3) Replace the stock EBS volume(s) with your restored volume(s)

Recovery-Time-Objective: The fastest possible recovery takes about 10 minutes, so we recommend planning for an RTO of 1 hour.

Recovery-Point-Objective: A low-frequency backup is sufficient if configuration changes and custom rules are made infrequently, so we suggest an RPO of 24 hours.

Routine Maintenance

You should regularly rotate your user login password, and change the default password (the instance ID) when you first log in.

You should regularly check our release notes for updates and apply them.

Tip: Set up automatic updates with cron.

Emergency Maintenance

If you need to restart Hyperglance for any reason, simply stopping and starting the instance will suffice. This restarts all the Docker containers running in the instance.

Restarting the containers can also be achieved by running:

sudo docker-compose -f /etc/docker-compose.yml down && sudo docker-compose -f /etc/docker-compose.yml up -d

If you need to completely reset the entire setup, you can also delete the CloudFormation stack and redeploy it from the AWS Console. Snapshot the data volume first if you want to keep your configuration and custom rules (see Backup above).

Service Health Check

To implement a health check of the Hyperglance instance:

• Hyperglance is typically active & well if it responds with a login page on HTTPS port 443 at the root URL '/' with HTTP code 200.
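The check above can be wired into a scheduler or monitoring agent as a small probe that exits non-zero when the instance is unhealthy. The following is an added example in Python, not part of Hyperglance: check() performs one HTTPS GET of '/', does not follow redirects (so a 3xx is observed rather than silently followed), and treats timeouts, TLS failures and any status other than 200 as unhealthy; classify() holds the decision so it can be tested without a live instance. The URL is a placeholder. If the instance presents a certificate from your own CA, pass its bundle as cafile rather than disabling verification.

```python
"""HTTPS health check for a Hyperglance instance.

Added example, not part of Hyperglance. Healthy means: GET of the root URL '/'
returns HTTP 200 (the login page). The URL below is a placeholder.
"""
import ssl
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple

HYPERGLANCE_URL = "https://hyperglance.example.internal/"  # placeholder


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Turn 3xx responses into HTTPError so the status is observed, not followed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status: Optional[int], error: Optional[str] = None) -> Tuple[bool, str]:
    """Map an observed HTTP status (or a transport error) to (healthy, reason)."""
    if error is not None:
        return False, f"unreachable: {error}"
    if status == 200:
        return True, "login page served (HTTP 200)"
    if status is not None and 300 <= status < 400:
        return False, f"unexpected redirect (HTTP {status})"
    return False, f"unexpected status (HTTP {status})"


def check(url: str = HYPERGLANCE_URL, timeout: float = 5.0,
          cafile: Optional[str] = None) -> Tuple[bool, str]:
    """Probe the instance once; cafile lets you trust a private CA without disabling verification."""
    context = ssl.create_default_context(cafile=cafile)
    opener = urllib.request.build_opener(
        _NoRedirect(), urllib.request.HTTPSHandler(context=context))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as e:          # non-2xx, including the blocked redirects
        return classify(e.code)
    except (urllib.error.URLError, ssl.SSLError, OSError) as e:  # DNS, TLS, refused, timeout
        return classify(None, str(getattr(e, "reason", e)))


if __name__ == "__main__":
    healthy, reason = check(sys.argv[1] if len(sys.argv) > 1 else HYPERGLANCE_URL)
    print(reason)
    sys.exit(0 if healthy else 1)
```

Run it from a host that is inside the CIDR ranges allowed by the security group, otherwise the probe will report the instance as unreachable even when it is fine.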

To check for other issues:

• Check for any errors in the top-right corner of the Hyperglance UI (a little warning triangle icon/button).
• Check for any errors in the browser or server (see "Features or functionality are not behaving correctly" under the Troubleshooting section below).

Troubleshooting

To troubleshoot Hyperglance you must first work out what sort of issue you are facing:

• Unable to access the Hyperglance instance
  • Check your AWS Security Group configuration: does it allow your IP to reach HTTPS/SSH?
• Log-in issue (can't get past the login screen)
  • Check your password is correct (the password defaults to the instance ID until you change it)
    DO: Use the copy-to-clipboard button in the AWS Console next to the instance ID
    DO NOT: Highlight the instance ID text and copy it. (This will often add bad characters to the clipboard.)
• Errors are displayed in the Hyperglance UI
  • For permissions issues: check you are using the right IAM permissions.
  • For connectivity issues: check that Hyperglance has access to the AWS APIs.
  • For critical/unknown errors: click the "Send to Hyperglance" button, enter your email and one of our team will review the errors and reach out to you.
• Hyperglance is slow or intermittently unresponsive
  • Check the instance size and the RAM allocated to the Java process (see Instance, Volume & RAM Sizing above).
• Features or functionality are not behaving correctly
  • In the browser press F12 and look at the Console tab to check for any red error messages from the UI.
  • Download the server logs via the UI or find them on disk at /var/lib/data/logs and look for any Java stacktrace exceptions. Or send these logs to Hyperglance support and we will review them for you.

API Throttling

The various AWS APIs have different rate limits which, when reached, cause throttling. See here for an explanation and a table showing these limits. If you see these errors, Hyperglance lets you set the time between collections to reduce the number of API calls. To set this, go to menu/settings and find the 'Refresh Data' box in the top right of the UI. Click on the clock icon and you can set the time between collection cycles.

Support

Support is staffed 9-5 GMT. If you require support please email support@hyperglance.com or raise a ticket, and a support engineer will be in touch to help you resolve any issues. We aim to respond within 24 hours and usually within 1-2 hours.