Move your VMware and KVM applications to the cloud without making any changes

  • June 23, 2015

Splunk demo, PoC, training environments with L2 networking on Google & AWS

Splunk is a SIEM market leader with an active ecosystem of resellers, application developers, partners, customers – all of which need a Splunk lab for sales demos, customer PoCs, training and development testing. Ravello's Network & Security SmartLab presents an option to set up Splunk labs on public cloud - Google & AWS at costs starting $0.14/hour.

Splunk – a SIEM market leader

Gartner has identified Splunk as a market leader in Security Information & Event Management (SIEM) segment which has seen a phenomenal growth (16% Y/Y) in recent years. The key reasons for this growth –  an increase in disparate machine data present in enterprises, and recent cyber attacks & data breaches. Enterprises are struggling piece together machine data, logs, events from multiple sources to gain meaningful insights into the state of their systems, network and security. Integrating with multiple third-party technologies, this is where Splunk shines. By analyzing everything from customer clickstreams and transactions to security events and network activity from a wide variety of nodes and network & security appliances, Splunk paints a holistic picture for IT Ops.

Everyone needs Splunk environments

Splunk has a large ecosystem of loyal customers, resellers, partners and application developers. Many network, security, and information system ISVs integrate with Splunk’s solution. Splunkbase – Splunk’s App Repository – reveals 762 specialized applications that cover a wide range of functions ranging from Application Management, IT Ops, Security & Compliance, Business Analytics to Internet of Things. Each of these application developers/ISVs require a fully functional Splunk environment comprising of multiple appliances, LAN hosts, network nodes (log/event sources), complete with Splunk Enterprise & Data Collection Machines for their sales demo and development test environments. Splunk resellers and partners also need environments to deploy multi-tier, multi-node hosts to showcase the power of Splunk in a ‘real-world-like’ setting. Customers looking to purchase SIEM tools also need PoC environments where they can evaluate the capabilities of the Splunk in a production-like environment before making a buying decision.

Where can I setup my Splunk lab for demos, PoCs, training?

ISVs, resellers, enterprises have explored provisioning their data-centers to run these transient workloads for sales demo, PoC, training, upgrade & development test environments, and have experienced a sticker shock – it is expensive! In addition, it takes weeks to months to procure, provision the hardware, and get the environment running, and then there are opportunity costs associated when the environment is not being used.

Public clouds, such as AWS and Google are ideal for such transient workloads – providing the flexibility to move to a usage-based pricing to avoid these opportunity costs. Splunk has an AMI (Amazon Machine Image) that allows it to run on AWS. And while it is excellent choice for ‘cloud native’ deployments, it doesn’t lend itself very well to mocking-up a production datacenter environment –  a requirement for Splunk demos, customer PoCs, application development & testing use-cases. AWS networking limitations (e.g. lack of support for Layer 2 networking, multicast and broadcast etc.) make it impossible to mirror data-center environments on public cloud natively.

A nested virtualization platform with software defined networking overlay – such as Ravello – brings together the financial benefits of moving to cloud while avoiding technological limitations. Running workloads on Ravello Network & Security SmartLab brings all the benefits of running in datacenter  – one can use the same VMware and KVM VMs with networking interconnect. And, since Ravello is an overlay cloud running on top of AWS & Google, one also reaps the economic and elastic benefits of Tier 1 public cloud. In essence, using Ravello, Splunk and its ecosystem of application developers/ISVs and customers can run sales demos, PoCs, training environments in datacenter-like environments without investing in hardware resources.

Steps to create Splunk environment on Ravello

I used 3 VMs to create a representative Splunk environment on Ravello – first Windows 2012 to install Splunk Enterprise (indexer), second Windows 2012 to install Splunk forwarder for data collection, and a third VMware Data Collection Node (DCN) node.

Uploading the 3 VMs to my Ravello Library using Ravello Import Tool was simple.

Ravello VM uploader gave me multiple options - ranging from directly uploading my multi-VM environment from vSphere/vCenter to uploading OVFs or VMDKs or QCOW or ISOs individually. I chose to upload my Windows VMs and DCN as an OVF.  
Verifying settings
1. Verification started by asking for a VM name for the Windows VMs
2. Clicking ‘Next’, I validated the amount of resources (VCPUs and Memory) that I wanted my vSRX to run on.
3. Clicking ‘Next’, I was taken to the Disk tab. It was already pre-populated with the right disk-size and controller.  
4. Next I verified network interface for the Windows 2012 Server. I chose it to have a DHCP address. Ravello’s networking overlay provides an inbuilt DHCP server.  
5. Clicking ‘Next’, I was taken to the Services tab. Ravello’s network overlay comes with a built-in firewall that fences the application running inside. Creating “Services” opens ports for external access. Here, I created “Services” on ports 3389 and 8000 to open ports for RDP and Web access to Splunk web interface
6. I went through the steps 1-6 for the other VMs


Publishing the environment to AWS
1. With my application canvas complete, I clicked ‘Publish’ to run it on AWS. I was presented with a choice of AWS Regions to publish it in, and I chose AWS Virginia. My environment took roughly 5 minutes to come alive.  
2. Once my VMs were published, I installed Splunk Enterprise on first Windows 2012 and Splunk Forwarder on second Windows 2012. Upon installation, I could login to the Splunk interface to be able to configure my data sources and get Splunk forwarder to send data to Splunk indexer  
3. Once Splunk had finished indexing, I was able to see dashboards and execute searches.  


Ravello’s Network & Security SmartLab offers an unique and simple way to create data center representative Splunk environments (without hardware investments) on AWS & Google. Just sign up for a free Ravello trial, and drop us a line. Since we have gone through the setup recently, we will be glad to help you create your own Splunk lab on Ravello.

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.