This guide brings together various articles and information for you to deploy Hyperglance into your AWS cloud.
Why Choose Hyperglance?
✔️ Automatic diagrams & inventory
✔️ Cost optimization & alerting
✔️ Security & compliance monitoring
✔️ Automatic policy enforcement
Hyperglance can be deployed in only 10 minutes from the AWS Marketplace using a CloudFormation template.
What you need to get started:
- AWS Account, with a VPC & subnet, to launch the Hyperglance instance into
- Any additional AWS Accounts you want Hyperglance to monitor
- Some knowledge of IAM (to set up account access) and CloudFormation. Don't worry, we'll walk you through it in our step-by-step guides (see below).
Get Started Guides
Tip: Use a non-root IAM User.
It is best security practice not to use your AWS account's root user to manage resources and deployments. Use a non-root IAM User (ideally with MFA enabled) at all times.
IAM Policies & Roles
Hyperglance needs an IAM role/policy to access the AWS APIs in order to gather inventory, create diagrams, and evaluate cost-saving, compliance, and security rules.
Find our current recommended policy permissions here:
In keeping with the principle of least privilege, we provide multiple policy options: read-only or read-write, as well as fine-grained detailed permissions. Choose the read-only option unless you need Hyperglance to modify resources.
A cross-account IAM Role (with one of the above policies attached) is required in each account that you wish to connect to Hyperglance. Hyperglance connects to your accounts using STS AssumeRole.
Read More: How To Add AWS Accounts To Hyperglance
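The cross-account connection described above, as an added example (not Hyperglance's own template or tooling): it builds the trust policy for the role in a monitored account so that only the Hyperglance instance's role can call sts:AssumeRole, lints a policy document for write actions before attaching it (so the read-only option really is read-only), and verifies the trust from the Hyperglance side. The principal ARN, the role name, the ExternalId condition and the sample policy are assumptions or constructed values, labelled in the code; in particular, whether Hyperglance lets you supply an ExternalId is not stated on this page, so verify that before relying on the condition.

```python
"""Cross-account role for Hyperglance: trust policy, read-only lint, verification.

Added example, not Hyperglance's own template or tooling.  Assumptions:
  - HYPERGLANCE_PRINCIPAL is a placeholder for the ARN of the IAM role on the
    Hyperglance instance; take the real ARN from your deployment.
  - ExternalId is a standard confused-deputy mitigation for cross-account
    AssumeRole; whether the Hyperglance UI accepts one is not stated on the
    page, so verify that before adding the condition.
  - SAMPLE_POLICY is constructed; lint the vendor's real document the same way.
"""
import json

HYPERGLANCE_PRINCIPAL = "arn:aws:iam::111111111111:role/HyperglanceInstanceRole"  # placeholder

# Verb prefixes that mutate resources: a read-only policy must not grant them.
WRITE_PREFIXES = ("Create", "Delete", "Put", "Update", "Modify", "Attach", "Detach",
                  "Run", "Terminate", "Start", "Stop", "Reboot", "Authorize", "Revoke",
                  "Associate", "Disassociate", "Set", "Enable", "Disable", "Add",
                  "Remove", "Tag", "Untag", "Import", "Copy", "Restore")
# Verb prefixes that are safe even with a trailing wildcard (ec2:Describe*).
READ_PREFIXES = ("Describe", "List", "Get", "Lookup", "Search", "Select", "Query", "Scan")

# Constructed sample standing in for the vendor's policy document.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "s3:ListAllMyBuckets", "ce:GetCostAndUsage"]},
        # Over-broad statement that a read-only lint must catch.
        {"Effect": "Allow", "Resource": "*", "Action": ["iam:*", "s3:PutBucketPolicy"]},
    ],
}


def build_trust_policy(principal_arn, external_id=None):
    """Trust policy letting only the Hyperglance role call sts:AssumeRole.
    With external_id set, knowing the role ARN alone is not enough to assume it."""
    statement = {"Effect": "Allow", "Principal": {"AWS": principal_arn},
                 "Action": "sts:AssumeRole"}
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def find_write_actions(policy_document):
    """Allow actions that can mutate resources.  Wildcards ('*', 'iam:*',
    's3:*Object') are reported too, since they cannot be proven read-only."""
    offending = []
    for stmt in policy_document.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for action in actions:
            _service, _, verb = action.partition(":")
            if action == "*" or verb == "*" or verb.startswith(WRITE_PREFIXES):
                offending.append(action)
            elif "*" in verb and not verb.startswith(READ_PREFIXES):
                offending.append(action)
    return offending


def lint_sample():
    """Lint the constructed SAMPLE_POLICY; returns the offending actions."""
    return find_write_actions(SAMPLE_POLICY)


def create_monitored_account_role(session, role_name, trust_policy, policy_document):
    """In a monitored account: refuse over-broad policies, then create the
    role and attach the policy inline.  `session` is a boto3.Session."""
    bad = find_write_actions(policy_document)
    if bad:
        raise ValueError(f"policy grants write actions: {bad}")
    iam = session.client("iam")
    role = iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(trust_policy),
                           Description="Read-only inventory access for Hyperglance")
    iam.put_role_policy(RoleName=role_name, PolicyName=f"{role_name}-readonly",
                        PolicyDocument=json.dumps(policy_document))
    return role["Role"]["Arn"]


def verify_assume_role(session, role_arn, external_id=None):
    """Run from the Hyperglance instance (its own credentials): proves the trust
    policy admits this caller and returns the assumed identity's ARN."""
    sts = session.client("sts")
    kwargs = {"RoleArn": role_arn, "RoleSessionName": "hyperglance-trust-check"}
    if external_id:
        kwargs["ExternalId"] = external_id
    c = sts.assume_role(**kwargs)["Credentials"]
    assumed = session.client("sts", aws_access_key_id=c["AccessKeyId"],
                             aws_secret_access_key=c["SecretAccessKey"],
                             aws_session_token=c["SessionToken"])
    return assumed.get_caller_identity()["Arn"]


if __name__ == "__main__":
    import sys
    import boto3  # imported here so the pure helpers above work without it
    print("write actions in sample:", lint_sample())  # ['iam:*', 's3:PutBucketPolicy']
    if len(sys.argv) == 3:  # usage: python hg_role.py <ExternalId> <vendor-policy.json>
        with open(sys.argv[2]) as fh:
            vendor_policy = json.load(fh)
        trust = build_trust_policy(HYPERGLANCE_PRINCIPAL, sys.argv[1])
        print("created", create_monitored_account_role(boto3.Session(), "HyperglanceCrossAccountRole",
                                                       trust, vendor_policy))
```

The lint runs offline; the role creation needs boto3 credentials for the account being monitored, and verify_assume_role is meant to be run on the Hyperglance instance itself, where a successful call proves the trust policy admits exactly that caller and nothing else.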
Hyperglance does NOT deploy any public resources (such as public S3 buckets) by default.
The CloudFormation template does provide the option to allocate a Public IP Address (see deployment options).
As shown in our Product Architecture Diagram, Hyperglance includes a PostgreSQL database stored on a 'data' EBS Volume that you control.
On this volume Hyperglance will store:
- All IAM Roles you add to connect into accounts using STS AssumeRole.
- Any Access/Secret keys you add to connect into accounts (encrypted)
- Note: This does NOT apply to AWS Marketplace deployments where Hyperglance only permits assume
- SAML configuration
- SMTP configuration
- Any rules / advanced-searches that you save (including their search queries and alert configuration).
EBS Volume Encryption
You control the EBS Volumes that Hyperglance uses and can activate Encryption-At-Rest.
The Hyperglance instance has root login disabled by default. The default SSH user is ec2-user.
The Hyperglance CloudFormation stack will create the following components:
- EC2 Instance
- With a single default ENI
- Optionally with a Public IP (according to the AssignPublicIP parameter of the CloudFormation stack).
- EC2 Security Group
- Allowing Ingress on ports 443 and 22 from the CIDR ranges provided as parameters to the CloudFormation stack. Restrict these to your own address ranges (for port 22, a bastion host or office range); do not use 0.0.0.0/0.
The stack asks for a VPC ID and a Subnet ID (which must belong to that VPC), so you must create the following components yourself before deploying the stack:
- A VPC
- A Subnet (with an optional Network ACL)
- A RouteTable
- Optional: Network ACL to control ingress/egress from Subnet (see deployment option 2)
- Optional: Additional Subnet and NAT Gateway (see deployment option 3)
- Access to the AWS APIs via either:
- An Internet Gateway, or
- VPC Endpoints (VPCEs) (see deployment option 4)
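A pre-flight check for the stack parameters above, as an added example (not Hyperglance's own tooling): it rejects the mistakes that turn the Security Group into an open door (0.0.0.0/0 or ::/0 on port 22 or 443, a wide SSH range on an instance that gets a public IP), confirms the subnet belongs to the VPC before CloudFormation starts creating resources, and only then calls create_stack. Apart from AssignPublicIP, which the page names, the parameter names, the template URL and the thresholds are this example's assumptions.

```python
"""Pre-flight checks for the Hyperglance CloudFormation parameters.

Added example, not Hyperglance's own tooling.  Assumptions:
  - Only AssignPublicIP is a parameter name taken from the page; VpcId,
    SubnetId, HttpsIngressCidr and SshIngressCidr are placeholders for the
    stack's real parameter names.
  - The thresholds (never 0.0.0.0/0 or ::/0; SSH from no wider than a /24,
    and from a single host when the instance gets a public IP) are this
    example's policy, not the vendor's.
  - TEMPLATE_URL is a placeholder for the Marketplace template location.
"""
import ipaddress

TEMPLATE_URL = "https://example.invalid/hyperglance.template"  # placeholder
MIN_SSH_PREFIX = {4: 24, 6: 64}  # widest acceptable SSH source range per IP version


def check_ingress_cidr(cidr, port, assign_public_ip):
    """Problems with one ingress CIDR for the given port (empty list = OK)."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return [f"{cidr!r} is not a valid CIDR"]
    if net.prefixlen == 0:
        return [f"port {port}: {cidr} is the whole internet"]
    problems = []
    if port == 22:
        if net.prefixlen < MIN_SSH_PREFIX[net.version]:
            problems.append(f"port 22: {cidr} is wider than a /{MIN_SSH_PREFIX[net.version]}; "
                            "use a bastion or office range")
        if assign_public_ip and net.num_addresses > 1:
            problems.append("port 22: instance gets a public IP, so allow SSH from a "
                            "single host only (or keep it private)")
    return problems


def check_parameters(params):
    """Validate the whole parameter set locally; returns a list of problems."""
    public = str(params.get("AssignPublicIP", "false")).lower() == "true"
    problems = check_ingress_cidr(params["HttpsIngressCidr"], 443, public)
    problems += check_ingress_cidr(params["SshIngressCidr"], 22, public)
    if not str(params.get("VpcId", "")).startswith("vpc-"):
        problems.append("VpcId must be a VPC ID (vpc-...)")
    if not str(params.get("SubnetId", "")).startswith("subnet-"):
        problems.append("SubnetId must be a subnet ID (subnet-...)")
    return problems


def subnet_belongs_to_vpc(ec2, subnet_id, vpc_id):
    """Live check with a boto3 EC2 client: the subnet must be in the given VPC,
    otherwise CloudFormation fails only after it has started creating resources."""
    subnets = ec2.describe_subnets(SubnetIds=[subnet_id])["Subnets"]
    return bool(subnets) and subnets[0]["VpcId"] == vpc_id


def to_cfn_parameters(params):
    """Plain dict -> the ParameterKey/ParameterValue list create_stack expects."""
    return [{"ParameterKey": k, "ParameterValue": str(v)} for k, v in params.items()]


def deploy(params, stack_name="hyperglance"):
    """Run every check, then create the stack.  Nothing is created if the
    parameters fail the local policy or the subnet/VPC check."""
    import boto3  # imported here so the local checks run without it
    problems = check_parameters(params)
    if problems:
        raise ValueError("; ".join(problems))
    if not subnet_belongs_to_vpc(boto3.client("ec2"), params["SubnetId"], params["VpcId"]):
        raise ValueError(f"{params['SubnetId']} is not in {params['VpcId']}")
    cfn = boto3.client("cloudformation")
    return cfn.create_stack(StackName=stack_name, TemplateURL=TEMPLATE_URL,
                            Parameters=to_cfn_parameters(params))["StackId"]


# Constructed parameter sets: a private deployment, and the mistake the checks catch.
GOOD_PARAMS = {"VpcId": "vpc-0123456789abcdef0", "SubnetId": "subnet-0123456789abcdef0",
               "AssignPublicIP": "false", "HttpsIngressCidr": "10.0.0.0/8",
               "SshIngressCidr": "10.1.2.0/24"}
BAD_PARAMS = dict(GOOD_PARAMS, AssignPublicIP="true",
                  HttpsIngressCidr="0.0.0.0/0", SshIngressCidr="0.0.0.0/0")

if __name__ == "__main__":
    print("good:", check_parameters(GOOD_PARAMS))  # []
    for problem in check_parameters(BAD_PARAMS):
        print("refuse:", problem)
```

The local checks are deliberately split from the live ones so you can run them in CI without AWS credentials; deploy() only touches the API after everything local has passed.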
Costs & Pricing Model
There are a few different Hyperglance tiers in the AWS Marketplace. You choose the tier that corresponds best with the number of cloud resources that Hyperglance will monitor.
The cost per hour depends on the number of resources you need. For example, if you run a 500-resource Hyperglance instance (at $1.23 per hour) in AWS for 20 hours in a month, the cost would be 1.23 * 20 = $24.60 (plus any cloud vendor charges).
Hyperglance consists only of EC2 resources (an EC2 Instance and EBS volumes), so you will only incur platform charges for those resources plus any data-transfer costs in/out of regions.
Instance, Volume & RAM Sizing
Our CloudFormation templates have defaults set to a typically suitable EC2 instance size and EBS Volume size (10GB).
If you ingest large amounts of Cost data or if you find performance is poor then you may need to increase the amount of RAM allocated to the internal Java process.
The Hyperglance EBS volumes can be snapshotted and backed up to preserve all configuration and custom created rules (or other user content).
In the case of instance or AZ failure you will need to:
1) Relaunch the Hyperglance CloudFormation stack
Recovery-Time-Objective: Fastest possible recovery time is 10 minutes. So we recommend an RTO of 1 hour.
Recovery-Point-Objective: A low-frequency backup is sufficient if configuration changes and custom rules are made infrequently. So we suggest an RPO of 24 hours.
You should regularly rotate your user login password.
If you need to restart Hyperglance for any reason simply stopping and starting the instance will suffice. This will restart all the Docker containers running in the instance.
Restarting the containers can also be achieved by running:
sudo docker-compose -f /etc/docker-compose.yml down && sudo docker-compose -f /etc/docker-compose.yml up -d
If you need to completely reset the entire setup, you can also delete the CloudFormation stack and redeploy it from the AWS Console.
Service Health Check
To implement a health-check of the Hyperglance instance:
- Hyperglance is typically active & well if it responds with a login page on HTTPS port 443 at the root URL '/' with HTTP code 200.
To check for other issues:
- Check for any errors in the top-right corner of the Hyperglance UI (a little warning triangle icon/button).
- Check for any errors in the browser or server (see "Features or functionality are not behaving correctly" under Troubleshooting section below).
To troubleshoot Hyperglance you must first work out what sort of an issue you are facing:
- Unable to access Hyperglance instance
- Check your AWS Security Group configuration - does it allow your IP to reach HTTPS/SSH?
- Log-in issue (can't get past login-screen)
- Check your password is correct (password defaults to the instance-id)
DO: Use the copy-to-clipboard button in the AWS Console next to the instance-id
DO NOT: Highlight the instance-id text and copy. (This will often add bad characters to the clipboard).
- Errors are displayed in Hyperglance UI
- Hyperglance is slow or intermittently unresponsive
- You may need to increase the amount of RAM allocated to the Java process.
- Features or functionality are not behaving correctly
- In the browser press F12 and look at the Console tab to check for any red error messages from the UI.
- Download the server logs via the UI or find them on-disk at /var/lib/data/logs and look for any Java stacktrace exceptions. Or send these logs to Hyperglance support and we will review them for you.
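The health check and the "unable to access" triage above, combined into one probe as an added example (not Hyperglance's own tooling): it fetches / over HTTPS with a timeout and certificate verification left on, and maps each failure mode to the troubleshooting branch to follow (a timeout points at the Security Group, a refused connection at the containers, a non-200 at the server logs). The "login" text heuristic and the ca_file handling are this example's assumptions, and the outcomes used for the offline demonstration are constructed.

```python
"""Health probe for a Hyperglance instance that turns failures into the
troubleshooting branch to follow.

Added example, not Hyperglance's own tooling.  Assumptions:
  - A healthy instance serves the login page at https://<host>/ with HTTP 200
    (stated on the page); looking for the word "login" in the body is this
    example's heuristic, not a documented contract.
  - Certificate verification stays on.  If the instance presents a
    self-signed certificate, pass its PEM as ca_file instead of disabling
    verification.
  - DEMO_OUTCOMES are constructed responses/exceptions, not captured traffic.
"""
import http.client
import socket
import ssl


def fetch_root(host, port=443, timeout=5.0, ca_file=None):
    """GET / over TLS; returns (status, body_text).  Exceptions propagate so
    diagnose() can classify them."""
    ctx = ssl.create_default_context(cafile=ca_file)
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", "/", headers={"User-Agent": "hyperglance-probe"})
        resp = conn.getresponse()
        return resp.status, resp.read(65536).decode("utf-8", "replace")
    finally:
        conn.close()


def diagnose(host, fetch=fetch_root):
    """Probe the instance and map the outcome to the first troubleshooting step.
    Returns (healthy, message).  `fetch` is injectable so the classification
    can be exercised without a live instance."""
    try:
        status, body = fetch(host)
    except ssl.SSLCertVerificationError as exc:  # subclass of SSLError: test first
        return False, f"TLS certificate not trusted ({exc}): pass ca_file; do not disable verification"
    except ssl.SSLError as exc:
        return False, f"TLS handshake failed ({exc}): check what is listening on 443"
    except (socket.timeout, TimeoutError):
        return False, "timed out: check the Security Group and Network ACL allow your IP to reach TCP/443"
    except ConnectionRefusedError:
        return False, "connection refused: instance reachable but nothing listens on 443; restart the containers"
    except OSError as exc:
        return False, f"network error ({exc}): check DNS and routing to the instance"
    if status != 200:
        return False, f"HTTP {status} from /: service reachable but unhealthy; check the server logs"
    if "login" not in body.lower():
        return False, "HTTP 200 but no login page: check the UI warning icon and the server logs"
    return True, "healthy: login page served with HTTP 200"


def fake_fetch(outcome):
    """Constructed stand-in for fetch_root: raises the exception or returns the tuple given."""
    def _fetch(host):
        if isinstance(outcome, BaseException):
            raise outcome
        return outcome
    return _fetch


# Constructed outcomes covering each triage branch.
DEMO_OUTCOMES = {
    "timeout": socket.timeout("timed out"),
    "refused": ConnectionRefusedError(111, "Connection refused"),
    "bad_cert": ssl.SSLCertVerificationError("certificate verify failed"),
    "unhealthy": (503, "<html>Service Unavailable</html>"),
    "no_login": (200, "<html><body>Setting up...</body></html>"),
    "healthy": (200, "<html><title>Hyperglance Login</title></html>"),
}


def demo():
    """Run diagnose() against the constructed outcomes; returns {label: message}."""
    return {label: diagnose("hyperglance.internal", fake_fetch(outcome))[1]
            for label, outcome in DEMO_OUTCOMES.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: python hg_probe.py <hyperglance-host>
        healthy, message = diagnose(sys.argv[1])
        print(message)
        sys.exit(0 if healthy else 1)
    for label, message in demo().items():
        print(f"{label:10s} {message}")
```

Wire diagnose() into whatever monitor you already run; the exit code alone answers "is it up", while the message tells the on-call person which of the troubleshooting branches above to start with.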
The various AWS APIs have different rate limits which, when reached, cause throttling (see here for an explanation and a table showing these limits).
If you see throttling errors, Hyperglance enables you to set the time between collections to reduce the number of API calls.
To set the time between collection cycles, go to Settings, find the Refresh Data button and select the clock icon.
Support is staffed 9-5 GMT. If you require support, please email firstname.lastname@example.org or raise a ticket and a support engineer will be in touch to help you resolve any issues.
We aim to respond within 24 hours and usually within 1-2 hours.