reference deployment

Nubeva TLS Decrypt on the AWS Cloud

Deploy the Nubeva TLS Decrypt solution for visibility into modern encryption

This Quick Start provides step-by-step instructions for deploying the Nubeva Transport Layer Security (TLS) Decrypt platform on the Amazon Web Services (AWS) Cloud. It includes the open-source tools Moloch, Ntop, Suricata, Wireshark, and Zeek.

  • Wireshark is a free, open-source packet analyzer.
  • Ntop is a free, open-source packet analyzer.
  • Moloch is a large-scale, open-source, indexed packet-capture-and-search system.
  • Zeek is a powerful network analysis framework that is different from a typical IDS.
  • Suricata is a high-performance engine that comprises a network intrusion detection system (IDS), an intrusion prevention system (IPS), and network security monitoring (NSM).

This Quick Start is for users who want to identify malicious activity, insider threats, and data leakage within their virtual private cloud (VPC) and Amazon Elastic Compute Cloud (Amazon EC2) instances.


This Quick Start was created by Nubeva in collaboration with AWS. Nubeva is an APN Partner.

  •  What you'll build
  •  How to deploy
  •  Cost and licenses
  •  What you'll build
  • The Quick Start sets up the following:

    • A highly available architecture that spans two Availability Zones.*
    • A VPC configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*
    • Elastic Load Balancing (ELB) for each open-source tool, to provide scaling for the tool operation itself and for inbound packet mirroring using Amazon VPC traffic mirrors or internal replication.
    • Amazon Elasticsearch Service (Amazon ES) for the open-source tools that require Elasticsearch, Moloch, or for managing the logs of Zeek and Suricata.
    • An Amazon Simple Storage Service (Amazon S3) bucket for Moloch packet capture (PCAP) storage.
    • Amazon VPC Traffic Mirroring targets connected to each open-source load balancer.
    • In the public subnets:
      • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the subnets.*
      • A bastion host for all inbound connectivity.*
    • In the private subnets:
      • A source instance in an Auto Scaling group (of size 2). This is a sample instance you can use to monitor TLS traffic. After deployment, use the Nubeva SaaS console to add more instances to monitor.
      • Wireshark packet analysis in an Auto Scaling group (of size 2).
      • Ntop network analysis in an Auto Scaling group (of size 2).
      • Moloch packet capture in an Auto Scaling group (of size 2).
      • Zeek anomaly detection in an Auto Scaling group (of size 2).
      • Suricata signature detection in an Auto Scaling group (of size 2).

    * The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

  •  How to deploy
  • To deploy the Nubeva TLS Decrypt environment, follow the instructions in the deployment guide. The deployment process includes these steps:

    1. If you don't already have an AWS account, sign up at, and sign in to your account.
    2. Prepare your Nubeva account.
    3. Launch the Quick Start. You can choose from the following two options:
    4. Test the deployment.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.  

  •  Cost and licenses
  • The deployment requires an account on the Nubeva SaaS console, as described in the deployment guide.

    You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

    The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you will use. Prices are subject to change.

    Tip   After you deploy the Quick Start, we recommend that you enable the AWS Cost and Usage Report to track costs associated with the Quick Start. This report delivers billing metrics to an S3 bucket in your account. It provides cost estimates based on usage throughout each month, and finalizes the data at the end of the month. For more information about the report, see the AWS documentation.