ATA Center in Azure and typical Gateway upload traffic levels

  • Question

  • Hi, I am in the early stages of planning an ATA deployment. We will largely be using lightweight gateways (approx 20 DCs), but for several of our busiest DCs we will be using port mirroring to a full gateway. I am also considering running my ATA Center VM in Azure.

    1) Is there any guidance document regarding running ATA Center in Azure? Several old postings on this forum mention that one was being considered.

    2) Is there a table/formula anywhere that gives an approximate ratio of the traffic forwarded from each gateway to ATA Center compared to the volume of traffic captured/mirrored? I want to be sure that my existing ExpressRoute has sufficient bandwidth available, or if not, have an idea of what type of increase I need to plan for.

    Thank you

    Tuesday, July 18, 2017 2:06 PM

All replies

  • Running the ATA Center on Azure IaaS is supported since 1.7.2.

    When sizing an ATA Center on Azure, please follow the regular sizing guidance to determine the amount of resources required (CPU, Memory, Disk), and then choose the relevant Azure VM.

    https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-capacity-planning

    For 1.7.2

    All the performance tests were performed on Azure Dv2 and DSv2 series VMs, VMs that comply with ATA’s strict performance requirements, so these are the recommended VM series for running ATA Center.

    In 1.8, Center performance greatly improved, so it might perform even better.


    Tuesday, July 18, 2017 7:01 PM
  • Hello,

    ATA Center can be deployed on any IaaS vendor including Azure. The important thing is that the VM needs to meet the performance requirements. To plan the deployment of ATA, you should use the sizing tool for determining capacity requirements. You can refer to the following article for ATA capacity planning.

    https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-capacity-planning

    For measuring the bandwidth requirements, I would recommend using the network monitoring tool to calculate the throughput between ATA Center and gateways.

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, July 20, 2017 8:08 AM
  • Hi, 

    Thanks for both of those replies. My problem is that I cannot run Netmon analysis to determine traffic levels between ATA gateways and ATA Center until they are already deployed! I need to have a pretty good idea of potential traffic levels before I start deploying, especially when I am considering running ATA Center in Azure. I cannot afford to swamp my ExpressRoute connection. If overall traffic volumes are likely to be too high then I will be forced to deploy the Center on-prem instead.

    1) Do the gateways forward ALL captured traffic direct to ATA Center, or is any form of analysis done on the gateways to determine what is or isn't relevant? If there is some filtering/triage done, is there an approximate % figure for typical proportion of overall traffic that is sent to ATA Center?

    2) The sizing tool only talks about numbers of packets, rather than their total size. For calculation purposes can I just multiply the peak number of packets by the maximum possible IP packet size to generate a 'worst case' MB/s figure for each gateway, then simply add this value for all gateways to determine total MB/s that will need to be sent to ATA Center?

    3) If all captured traffic from every gateway gets sent to ATA Center, then presumably a Netmon analysis of peak MB/s for each DC will, when added together, provide my answer for maximum MB/s to be sent to the Center?

    Thanks

    Richard Adams


    Tuesday, July 25, 2017 12:48 PM
  • 1) Traffic is considerably reduced at the gateway level and filtered before it is forwarded to the Center.
    I can't say exactly by how much, because it depends on the type and mix of traffic. We only forward what we consider "interesting", while you can in extreme cases have only interesting traffic or even mostly not interesting.

    I have seen cases where, for 10 megabytes of traffic to and from the domain controllers, the ATA Gateway will send around 100s of kilobytes to the ATA Center, but it doesn't mean you will have the same result.

    2) Yes, if you calculate this way, you will get a top limit, which is very conservative. Usually when we try to estimate, we multiply packets by average size and not max size.

    3) Yes, in theory, plus some during the first hours while we do the initial AD sync. Given that the network capacity is not changing over time...

    Tuesday, July 25, 2017 1:02 PM
  • Hello,

    To measure the bandwidth usage correctly, you can deploy ATA Center on-premises first, and run it for one week. During that time, you can monitor the traffic between ATA Center and Gateways.

    After you figure out the exact bandwidth usage, you can migrate ATA Center to Azure.

    To ease the migration, you can deploy the ATA Center on the Hyper-V host.

    Best regards,

    Andy Liu



    Thursday, July 27, 2017 8:08 AM