// Add steps as necessary for accessing the software, post-configuration, and testing. Donâ€™t include full usage instructions for your software, but add links to your product documentation for that information.
//Should any sections not be applicable, remove them

== Postdeployment steps

=== Configure networking

If your Darktrace appliance is behind a firewall, you must grant access to the appliance to the IP addresses of your NAT gateways. For a new VPC deployment, use the *NatGatewayEIPs* on the *Outputs* tab of the stack in the https://console.aws.amazon.com/cloudfront/home?[AWS CloudFormation console^]. For an existing VPC deployment, use the IP addresses of the existing NAT gateways.

//TODO: I don't see *NAT Gateway Elastic IPs* in cfn_outputs.png. I don't need a new screen shot, just confirm that if I say "For a new VPC deployment, use the Elastic IPs of the NAT gateway on the *Outputs* tab of the stack in the AWS CloudFormation console," this is correct. // DT: Main Template corrected to add them.

=== Configure traffic mirroring

To add your existing EC2 instances to be mirrored and monitored, configure a traffic mirror session. For more information, see https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-session.html[Traffic mirror sessions^]. When doing this, use the traffic mirror target and filter IDs on the *Outputs* tab of the stack in the https://console.aws.amazon.com/cloudfront/home?[AWS CloudFormation console^]. You can automate the process of adding your existing EC2 instances to this deployment. For more information, contact your Darktrace representative for scripts and guidance to do this.

VPC Traffic Mirroring is only supported on AWS Nitro-based EC2 instance types and some non-Nitro instance types. For more information, see https://aws.amazon.com/about-aws/whats-new/2021/02/amazon-vpc-traffic-mirroring-supported-select-non-nitro-instance-types[Amazon VPC Traffic Mirroring is now supported on select non-Nitro instance types^]. 

To monitor EC2 instance types that do not support VPC Traffic Mirroring, configure them with Darktrace osSensors. When doing this, use the DNS name of the Network Load Balancer on the *Outputs* tab of the stack in the https://console.aws.amazon.com/cloudfront/home?[CloudFormation console^]. For more information about configuring osSensors, visit the https://customerportal.darktrace.com/login[Darktrace Customer Portal^].

NOTE: osSensor 6.0 and above is required to correctly mirror traffic for this Quick Start. Installation instructions are available on the https://customerportal.darktrace.com/login[Darktrace Customer Portal^].

=== Test the deployment

After deployment, verify that all vSensors are listed in the *Probes* section of the *System Config* screen in the https://www.darktrace.com/en/threat-visualization/[Darktrace Threat Visualizer^]. After adding the Traffic Mirror Sessions of EC2 instances that you wish to monitor, or configured osSensors to communicate with the vSensors, verify that they display in the Threat Visualizer.

//TODO: Please review wording here^. DT: Done.


== Security
// Provide post-deployment best practices for using the technology on AWS, including considerations such as migrating data, backups, ensuring high performance, high availability, etc. Link to software documentation for detailed information.

=== Network security
This deployment follows AWS security best practices for network security. The vSensor instances are deployed in private subnets. They are only accessible from the internet using SSH to connect to bastion hosts in the private subnets. For existing VPC deployments, it is important that security groups only allow SSH access from trusted sources. It is not recommended to allow direct SSH access to vSensors from the internet. For more information, see https://aws.amazon.com/architecture/security-identity-compliance/?cards-all.sort-by=item.additionalFields.sortDate&cards-all.sort-order=desc&awsf.content-type=*all&awsf.methodology=*all[Best Practices for Security, Identity, & Compliance^].

=== OS security

To gain root access to vSensor instances, use the `ubuntu` user name and the EC2 key pair link:#_parameter_reference[parameter] you entered during deployment as the private key path. Then sudo to root. The EC2 key pair is also required to access `ec2-user` of the bastion hosts. For more information, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html[Connect to your Linux instance using SSH^].

The bastion hosts deployed by this Quick Start are set to update automatically. The deployed vSensors are configured to receive the latest security and product updates daily from Darktrace and Ubuntu package repositories.

== Additional resources

*AWS services*

- AWS CloudFormation

* https://aws.amazon.com/documentation/cloudformation/[AWS CloudFormation Documentation^]

* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-helper-scripts-reference.html[CloudFormation helper scripts reference^]

- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/[What is Amazon EC2?^]

- https://aws.amazon.com/documentation/s3/[Amazon Simple Storage Service Documentation^]

- https://aws.amazon.com/documentation/vpc/[Amazon Virtual Private Cloud Documentation^]

- https://aws.amazon.com/blogs/networking-and-content-delivery/using-vpc-traffic-mirroring-to-monitor-and-secure-your-aws-infrastructure/[Using VPC Mirroring to monitor and secure your AWS infrastructure]



*Darktrace*

- https://darktrace.com[Darktrace^]

- https://customerportal.darktrace.com[Darktrace Customer Portal^]