This guide explains how to deploy a Venari Sensor on AWS using CloudFormation. The sensor monitors mirrored traffic from a selected EC2 instance and sends encrypted metadata to the V-Comply platform.
Overview: What Does the Sensor Do?
The Venari Sensor is designed to observe mirrored (copied) network traffic from EC2 instances in your AWS environment. It does not interfere with live traffic. The captured traffic undergoes an initial local analysis on the sensor, and only metadata is sent securely to the Venari platform for further and deeper analysis.
How Does Traffic Mirroring Work?
Using AWS Traffic Mirroring, you can configure an EC2 instance's network interface (ENI) to send a copy of its network traffic to another EC2 instance — in this case, the Venari Sensor — over a VXLAN tunnel.
- The source ENI (the monitored EC2) mirrors traffic to the sensor’s capture interface (eth1)
- Mirrored traffic is encapsulated in VXLAN over UDP, using a configurable port and VNI
- This method is non-intrusive and doesn’t affect the source instance’s performance or behavior
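To make the VXLAN wrapping concrete, here is an added example (not Venari's code) that parses the 8-byte VXLAN header AWS Traffic Mirroring prepends to each mirrored frame, checks the UDP port and VNI against the values from the sensor profile, and hands back the inner Ethernet frame. The frame bytes are constructed; the port 4789 and VNI 7777777 are the guide's defaults.

```python
"""Parse a VXLAN-encapsulated frame as AWS Traffic Mirroring delivers it to
the sensor's capture interface.  Added example, not Venari's code; the frame
bytes below are constructed, and the VNI/port match the guide's defaults."""
import struct

VXLAN_PORT = 4789          # UDP port configured in the sensor profile
EXPECTED_VNI = 7777777     # VNI configured in the sensor profile (0x76ADF1)
VXLAN_I_FLAG = 0x08        # "VNI is valid" flag bit in the first header byte


def parse_vxlan(udp_payload: bytes) -> tuple[int, bytes]:
    """Return (vni, inner_ethernet_frame) from a UDP payload, or raise ValueError.

    VXLAN header (RFC 7348): 1 byte flags, 3 reserved, 3 byte VNI, 1 reserved.
    """
    if len(udp_payload) < 8:
        raise ValueError("payload shorter than the VXLAN header")
    flags, vni_field = struct.unpack("!B3xI", udp_payload[:8])  # VNI is the top 24 bits
    if not flags & VXLAN_I_FLAG:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    return vni_field >> 8, udp_payload[8:]


def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """Encapsulate an Ethernet frame (used here only to construct sample input)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_I_FLAG, vni << 8) + inner_frame


def mirrored_for_sensor(udp_dst_port: int, udp_payload: bytes) -> bool:
    """True if a UDP datagram is a mirrored packet on the expected port and VNI."""
    if udp_dst_port != VXLAN_PORT:
        return False
    try:
        vni, _ = parse_vxlan(udp_payload)
    except ValueError:
        return False
    return vni == EXPECTED_VNI


# Constructed sample: minimal Ethernet frame (dst MAC, src MAC, IPv4 ethertype, IP header)
SAMPLE_FRAME = bytes.fromhex("0a1b2c3d4e5f" "0a1b2c3d4e60" "0800") + b"\x45" + b"\x00" * 19
SAMPLE_PAYLOAD = build_vxlan(EXPECTED_VNI, SAMPLE_FRAME)

if __name__ == "__main__":
    vni, frame = parse_vxlan(SAMPLE_PAYLOAD)
    print(f"VNI={vni} (0x{vni:06x}), inner frame {len(frame)} bytes")
```

On the sensor itself the same check can be made live with tcpdump on the capture interface (udp port 4789), which decodes the VXLAN header and shows the VNI of each mirrored packet.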
All necessary AWS resources — including the EC2 instance, security groups, network interfaces, IAM roles, and traffic mirroring configuration — will be automatically created and configured by the CloudFormation template. You do not need to manually set up any of these components. Simply provide the required parameters outlined in the prerequisites section, and the stack will handle the rest of the deployment process for you.
The only manual step arises if you want to monitor an additional EC2 instance. In that case, you must configure a traffic mirror session yourself, using the ENI of the additional EC2 instance as the source and the traffic mirror target created by the CloudFormation stack as the target of that session.
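The manual step above, as an added example (not Venari's code): it looks up the mirror target the stack created and opens a mirror session for a second ENI. It assumes the stack exposes the target and a filter as AWS::EC2::TrafficMirrorTarget and AWS::EC2::TrafficMirrorFilter resources (the filter is not mentioned in this guide but a session cannot be created without one), that the stack is named venari-sensor, and that boto3-style clients are passed in.

```python
"""Add a traffic mirror session for an extra EC2 instance, reusing the mirror
target (and filter) the Venari CloudFormation stack created.  Added example,
not Venari's code.  Assumes the stack exposes those two resources as
AWS::EC2::TrafficMirrorTarget / AWS::EC2::TrafficMirrorFilter and takes
boto3-style clients (boto3.client("ec2") and boto3.client("cloudformation"))."""

TARGET_TYPE = "AWS::EC2::TrafficMirrorTarget"
FILTER_TYPE = "AWS::EC2::TrafficMirrorFilter"


def stack_resource_id(cfn, stack_name: str, resource_type: str) -> str:
    """Physical ID of the first resource of resource_type in the stack."""
    page = cfn.describe_stack_resources(StackName=stack_name)
    for res in page["StackResources"]:
        if res["ResourceType"] == resource_type:
            return res["PhysicalResourceId"]
    raise LookupError(f"stack {stack_name} has no {resource_type}")


def add_mirror_session(ec2, cfn, stack_name: str, source_eni: str,
                       vni: int, session_number: int = 1) -> str:
    """Mirror source_eni to the stack's sensor target; returns the session ID.

    vni must equal the VXLAN VNI set in the V-Comply sensor profile.
    session_number orders multiple sessions on one source ENI (1-32766).
    """
    if not source_eni.startswith("eni-"):
        raise ValueError(f"not an ENI ID: {source_eni}")
    if not 1 <= session_number <= 32766:
        raise ValueError("session_number must be in 1..32766")
    resp = ec2.create_traffic_mirror_session(
        NetworkInterfaceId=source_eni,
        TrafficMirrorTargetId=stack_resource_id(cfn, stack_name, TARGET_TYPE),
        TrafficMirrorFilterId=stack_resource_id(cfn, stack_name, FILTER_TYPE),
        SessionNumber=session_number,
        VirtualNetworkId=vni,
        Description=f"Venari sensor mirror of {source_eni}",
    )
    return resp["TrafficMirrorSession"]["TrafficMirrorSessionId"]


if __name__ == "__main__":
    import boto3  # only needed for a real run against AWS (stack name assumed)
    sid = add_mirror_session(boto3.client("ec2"), boto3.client("cloudformation"),
                             "venari-sensor", "eni-0abc123456789def", 7777777)
    print("created", sid)
```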
Prerequisites
Before deploying the CloudFormation stack, gather the following inputs. Here's how to obtain each one.
1. Generate the Sensor Token in V-Comply
- Log in to V-Comply
- Go to V-Configure > Sensor Profile
- Click Configure Sensor Profile
- Fill in:
  - Sensor Type: AWS
  - Hostname: Choose a unique name (e.g. dubai-sensor-01)
  - Domain Name: e.g. yourcompany.com, giving the full FQDN dubai-sensor-01.yourcompany.com
  - Capture Interface: eth1
  - VXLAN Port: 4789 (default)
  - VXLAN VNI: 7777777
  - Venari Admin Password: Define a secure password for SSH access
- Click ADD PROFILE
- Copy the token and keep it for later use during the CloudFormation stack creation
What is VXLAN Port (UDP 4789)?
This is the port used to encapsulate mirrored traffic inside UDP packets. It allows AWS to deliver mirrored traffic to the sensor instance.
What is VXLAN VNI (Virtual Network Identifier)?
A unique ID that identifies a mirrored traffic stream inside the VXLAN overlay. It's like a VLAN tag but for virtual networks.
2. Your Public IP Address (in /32 CIDR format) to Access the Sensor via SSH
Your home or office IP will be allowed to SSH into the sensor.
- Note your IP and append /32
- Example: 203.0.113.42/32
Important: A CIDR suffix (such as /32 for a single IP or a broader range like /24) is required — omitting it will cause CloudFormation to fail.
3. Source Network Interface ID (ENI) to Mirror
- Go to the EC2 Console
- Select the EC2 instance to monitor
- In the Networking tab, find Network interfaces
- Copy the ENI ID (e.g. eni-0abc123456789def)
4. Venari Sensor AMI
The AMI (Amazon Machine Image) is a private sensor image provided by Venari. The correct AMI ID will be shared with you upon request by the Venari Support team.
- Example (for illustration only): ami-0abcd1234e5f67890
- Once shared with your AWS account, it will appear in the EC2 Console > AMIs > Private Images
If you haven’t received the AMI yet, please contact support@venarisecurity.com to request access.
Make sure to include:
- Your AWS Account ID
- The AWS Region where you plan to deploy the sensor
5. VPC and Subnet Info
Get these from the AWS VPC console:
- VPC ID: e.g. vpc-0123abcd
- VPC CIDR Block: e.g. 10.31.0.0/16
- Subnet ID: Where the sensor will be launched (should have Internet access)
6. Choose EC2 Instance Type
Must be a Nitro-based instance (T3, M5, C5, etc.) and sized based on expected traffic.
| CPU | Memory | Max Throughput |
|---|---|---|
| 4 Cores | 16 GB | 250 Mbps |
| 8 Cores | 32 GB | 500 Mbps |
| 16 Cores | 64 GB | 1 Gbps |
Deploy the CloudFormation Stack
- Go to the AWS CloudFormation Console
- Click Create Stack > With new resources (standard)
- Upload the CloudFormation template file you received from Venari Support
- Click Next
If you haven’t received the CloudFormation template yet, please contact support@venarisecurity.com to get the file.
Fill in the Parameters
Use the information gathered earlier:
| Parameter | Example Value |
|---|---|
| ClientOfficeOrHomeIP | 203.0.113.42/32 |
| VenariToken | aHR0cHM6Ly9hcGkt... |
| SourceNetworkInterfaceId | eni-0abc123456789def |
| VenariSensorAMI | ami-0abcd1234e5f67890 |
| SubnetID | subnet-0a1b2c3d4e5f67890 |
| InstanceType | t3a.large (or another Nitro-based instance type, depending on throughput) |
| VpcID | vpc-0123abcd |
| VpcCIDR | 10.31.0.0/16 |
| VXLANPort | 4789 |
| VirtualNetworkId | 7777777 |
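Because a stack that fails on a malformed parameter (most often a missing CIDR suffix) has to be deleted and recreated, it is worth checking the values before clicking Create Stack. The following added example (not part of the Venari template) validates the parameter set from the table above; the Nitro family list in it is illustrative rather than exhaustive, and the sample values are this guide's placeholders.

```python
"""Pre-flight check of the CloudFormation parameters from the table above.
Added example, not part of the Venari template.  It catches the mistakes the
guide warns about (missing CIDR suffix, wrong resource-ID prefix, out-of-range
VXLAN port or VNI) before the stack is created.  NITRO_FAMILIES is illustrative."""
import ipaddress
import re

ID_PREFIX = {"SourceNetworkInterfaceId": "eni-", "VenariSensorAMI": "ami-",
             "SubnetID": "subnet-", "VpcID": "vpc-"}
AWS_ID = re.compile(r"^[a-z]+-[0-9a-f]{8,17}$")   # prefix plus 8 or 17 hex digits
NITRO_FAMILIES = ("t3", "t3a", "m5", "m5a", "m5n", "c5", "c5a", "c5n", "r5")


def validate_parameters(params: dict) -> list[str]:
    """Return a list of problems; an empty list means the parameters look sane."""
    errors = []
    for key, prefix in ID_PREFIX.items():
        value = params.get(key, "")
        if not value.startswith(prefix) or not AWS_ID.match(value):
            errors.append(f"{key}: '{value}' is not a valid {prefix}* ID")
    for key in ("ClientOfficeOrHomeIP", "VpcCIDR"):
        value = params.get(key, "")
        if "/" not in value:   # the suffix is mandatory; CloudFormation fails without it
            errors.append(f"{key}: '{value}' needs a CIDR suffix such as /32")
            continue
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            errors.append(f"{key}: '{value}' is not a valid CIDR block")
            continue
        if key == "ClientOfficeOrHomeIP" and net.prefixlen < 16:
            errors.append(f"{key}: {value} would open SSH to far more than your office")
    if not params.get("VenariToken"):
        errors.append("VenariToken: empty; generate it in V-Comply first")
    for key, hi, what in (("VXLANPort", 65535, "UDP port"), ("VirtualNetworkId", 0xFFFFFF, "24-bit VNI")):
        if not str(params.get(key, "")).isdigit() or not 1 <= int(params[key]) <= hi:
            errors.append(f"{key}: must be a {what} in 1-{hi}")
    family = params.get("InstanceType", "").split(".")[0]
    if family not in NITRO_FAMILIES:   # the guide requires a Nitro-based type
        errors.append(f"InstanceType: family '{family}' is not in the Nitro list used here")
    return errors


SAMPLE = {"ClientOfficeOrHomeIP": "203.0.113.42/32", "VenariToken": "aHR0cHM6Ly9hcGkt...",
          "SourceNetworkInterfaceId": "eni-0abc123456789def", "VenariSensorAMI": "ami-0abcd1234e5f67890",
          "SubnetID": "subnet-0a1b2c3d4e5f67890", "InstanceType": "t3a.large", "VpcID": "vpc-0123abcd",
          "VpcCIDR": "10.31.0.0/16", "VXLANPort": "4789", "VirtualNetworkId": "7777777"}

if __name__ == "__main__":
    print(validate_parameters(SAMPLE) or "parameters OK")
```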
Click Next, leave the rest as default, and acknowledge IAM changes when prompted. Then click Create Stack.
Wait for Stack Creation
Monitor progress in the CloudFormation Console. After a few minutes, the status should be:
CREATE_COMPLETE
After Deployment
The sensor instance is now running. It has:
- A management interface for SSH, updates, and communication with the V-Comply backend and servers
- A capture interface to receive VXLAN mirrored traffic
The auto-install script runs automatically using your token, setting up the sensor and registering it with V-Comply.
Access the Sensor (Optional)
To connect via SSH:
ssh venariadmin@<sensor-public-ip>
- Use the Venari Admin Password you configured in V-Comply during the first step.
Final Step – Send Sensor Public IP to Venari
To enable communication with the V-Comply backend, you must send the sensor's public IP to the Venari Support team: support@venarisecurity.com
- Go to the EC2 Console
- Select the sensor instance
- Copy the IPv4 Public IP
- Email it to Venari's support team
Why?
For security, only whitelisted sensor IPs are allowed to send data to the V-Comply backend. Without this step, the sensor won’t work, and V-Comply won't show any data.
Deletion
This is not a step in the installation process.
Only perform this action if you intentionally want to remove the sensor and all associated AWS resources.
If you wish to delete the sensor setup:
- Go to the CloudFormation Console
- Select your stack
- Click Delete
This will remove all associated resources, including the EC2 instance and network components.
Need Help?
We're here to help. Please visit this page for more information on how to get in touch with Venari's Support team
Thank you for securing your network with Venari.
Your sensor is now actively monitoring encrypted traffic metadata for actionable insights.