Production Deployments of Netagent - Scaling & Upgrading
Best practices and tips to manage Banyan Netagent in large-scale environments
- Updated on Apr 19, 2023
Deploying Netagent
Netagent is deployed on every host you run workloads on, collects L3-L7 network data in real-time and enforces security policies on your workloads. Netagent is very flexible and is configured on a host-by-host basis, so you can achieve the optimal performance-features trade-off based on your use case.
1. Ensure Netagent has enough resources on every host to manage TLS encryption and enforce security policies
Netagent will use very little resources (<10% of 1 CPU core) in typical Datacenter and Cloud environments. However, on hosts that are under high load or high traffic you should ensure Netagent has adequate resources.
On a Microsoft Azure’s (relatively) low-performance vCPUs, we record the following Netagent performance data. Since network and application characteristics can vary dramatically, please use the specific sizing numbers below as guidance only.
| 1 vCPU core | |
|---|---|
| TLS Throughput | >1 Gb/s |
| TLS Transactions Per Second | ~1500 |
| Concurrent Sessons (1) | >10,000 |
Note 1: Concurrent Sessions require high enough ulimit settings
2. Adjust Netagent settings based on the visibility data you need and host type
The default Netagent settings are designed to work optimally for the majority of cases. However, you can adjust the settings in the table below to optimize data collection and Netagent performance on your hosts.
| Setting | Default Setting & Behavior | Alternative Setting & Behavior | Use Case |
|---|---|---|---|
all_processes |
true - monitors all processes | false - monitor only Docker containers | Hosts where all workloads are in Docker containers |
disable_L7 |
true - no L7 statistics | false - capture L7 stats | HTTP & MySQL Services that need L7 visibility |
ignore_traffic |
curl,haproxy - ignore some procs | “consul” - ignore consul traffic | Ignore gossip-protocol and chatty workloads |
cpu_limit (2) |
{blank} - dont limit CPU | 1-100 - limits CPU used by Netagent | Load-balancer nodes (HAProxy, Nginx, etc) that see spikes in network throughput and connections. |
Note 2: If you set the cpu_limit on nodes where you are enforcing security policies, you will start seeing performance degradation (typically latency increases) as you reach the limit.
3. Ensure Netagent port doesn’t conflict with any running processes’ port on a host
Netagent listens on a local address (default value is 127.0.0.1:9999) and transparently redirects traffic to this location to enforce security policies. If you have another process listening on this address, it will cause port conflicts. You can change the listen_port parameter on Netagent to remedy the conflict.
Upgrading Netagent on Linux Hosts
To upgrade a running Netagent with a new version, follow these steps.
-
Make a note of the files used by Netagent
Files used by Netagent Purpose config.yamlNetagent configs and Shield address -
Download new Netagent, untar it and copy over files and settings
We often add new settings to Netagent, so please take note of those.
Copy over the files and settings used by current running Netagent to the new Netagent version.
-
Setup the new version of Netagent
cd $new_netagent_path ./setup.shThe
setup.shscript will automatically stop the currently running Netagent and start up the new version.