IBM Cloud Docs

Detailed design

The following diagram and descriptions provide information about the RiskForesight™ application components.

Application components

  • Graphical user interface - The web interface that you can use to access the RiskForesight application.
  • Central Collector - Collects the different types of data payload that come from the plug-ins and makes them available in the messaging store. RiskForesight supports the following types of payloads:
    • Scan
    • Logs
    • Netflow
    • Software
    • Workload metadata
  • Central Router - Manages all integration touch points with the VMware® Orchestration layer. All the RiskForesight plug-ins must communicate with the Central Router to get authorized to communicate with the RiskForesight ecosystem.
  • Application Routing Server - The REST endpoint middleware that connects the GUI and the backend data stores. It also validates user access requests and manages the RBAC.
  • vCenter Data Collector - The plug-in extracts the virtual machine (VM) details from vCenter. The generic plug-in uses the VMware APIs to connect to vCenter and extracts workload-relevant information. After the information is available, the plug-in packages the payload and sends it to the Central Collector.
  • vCD Data Collector - The plug-in extracts the VM details from the VMware Cloud Director. The generic plug-in uses the VMware APIs to connect to the VMware Cloud Director and extracts the workload-related information. After the information is available, the plug-in packages the payload and sends it to the Central Collector.
  • vCD Network Data Collector - The plug-in extracts Netflow details from the VMware vCD. The generic plug-in uses the VMware APIs to connect to VMware NSX and extracts network, firewall, security rules, and security groups information. After the information is available, the plug-in packages the payload and sends it to the Central Collector.
  • Network Data Collector - A plug-in that extracts Netflow details from the VMware vCenter. The generic plug-in uses VMware APIs to connect to VMware NSX and extracts network, firewall, security rules, and security groups information. After the information is available, the plug-in packages the payload and sends it to the Central Collector.
  • Remote Collector - Located in the tenant environment or another location where it has network access to the tenant VMs. It handles all compliance and cyberrisk scanning.
  • Relational Datastore - Maintains the following types of metadata:
    • Cloud Service Provider
    • Tenant
    • Assets
    • Scan Results
    • Software
    • Daily or weekly aggregated data set
  • Messaging Datastore - RiskForesight uses a persistent messaging queue to provide zero data loss and to offload back pressure from the components.
  • Index Datastore - Indexes and stores the incoming raw data for each tenant for further analysis, which supports the multitenant capability.
  • Plug-ins - Located in the Application Routing Server. Plug-ins include the setup and integration with VMware components to synchronize all VMs along with their tenant information.

The following table shows the ports and protocols that are required for each component.

Ports and protocols

Component                                   Port numbers
------------------------------------------  ----------------------
UI                                          443
API                                         443, 1337
RiskForesight                               8082, 8083, 8084
Central collector (cluster)                 8080
Remote collector                            8081
Relational datastore primary or secondary   5432
Messaging datastore cluster                 9092
Index datastore primary nodes               9200, 9300, 5601, 443
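The port table above is the basis for firewall rules and for verifying that a RiskForesight host exposes only what its role requires. The following script is an added example, not part of the Caveonix or IBM Cloud documentation: it encodes the documented component-to-port mapping, parses `ss -ltn`-style listening-socket output, and reports ports that are listening but not documented for the host's roles, ports bound only to loopback, and documented ports that are not listening. The socket lines are constructed sample input, and treating TCP 22 as a baseline management port is an assumption.

```python
"""Audit a host's listening TCP ports against the documented RiskForesight port list.

Added example for this page (not Caveonix/IBM code). DOCUMENTED_PORTS copies the
page's table; SAMPLE_SS_OUTPUT is constructed input; the SSH baseline is assumed.
"""
import re

# Component -> documented TCP ports, copied from the "Ports and protocols" table.
DOCUMENTED_PORTS = {
    "UI": {443},
    "API": {443, 1337},
    "RiskForesight": {8082, 8083, 8084},
    "Central collector": {8080},
    "Remote collector": {8081},
    "Relational datastore": {5432},
    "Messaging datastore": {9092},
    "Index datastore": {9200, 9300, 5601, 443},
}

# Constructed sample of `ss -ltn` output for a host that should only run the
# Central Collector. It deliberately contains extra listeners.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:9092       0.0.0.0:*
LISTEN  0       128     [::]:5432            [::]:*
LISTEN  0       128     0.0.0.0:8888         0.0.0.0:*
"""

# Matches "LISTEN recv send addr:port"; the greedy \S+ keeps IPv6 brackets intact.
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(ss_output):
    """Return [(bind_address, port), ...] for every LISTEN line, in input order."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2))))
    return listeners


def is_loopback(addr):
    """True for IPv4/IPv6 loopback bind addresses as printed by ss."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def expected_ports(roles, baseline=frozenset({22})):
    """Union of documented ports for the roles a host runs, plus the assumed baseline."""
    ports = set(baseline)
    for role in roles:
        if role not in DOCUMENTED_PORTS:
            raise ValueError(f"unknown component role: {role!r}")
        ports |= DOCUMENTED_PORTS[role]
    return ports


def audit(ss_output, roles, baseline=frozenset({22})):
    """Classify listeners relative to the documented ports for the given roles.

    unexpected    - bound to a non-loopback address on an undocumented port
    loopback_only - undocumented port, but reachable only from the host itself
    missing       - documented ports with no listener (service down or misconfigured)
    """
    allowed = expected_ports(roles, baseline)
    findings = {"unexpected": [], "loopback_only": [], "missing": []}
    seen = set()
    for addr, port in parse_listeners(ss_output):
        seen.add(port)
        if port in allowed:
            continue
        if is_loopback(addr):
            findings["loopback_only"].append((addr, port))
        else:
            findings["unexpected"].append((addr, port))
    findings["missing"] = sorted(allowed - seen)
    return findings


if __name__ == "__main__":
    for roles in (["Central collector"], ["Remote collector"]):
        print(f"roles={roles}: {audit(SAMPLE_SS_OUTPUT, roles)}")
```

Run it against real output with `ss -ltn | python3 audit_ports.py` after replacing the sample string with `sys.stdin.read()`; a host that co-locates several components (for example the all-in-one deployment model) is expressed by passing all of its roles, and the same check can be reversed into the subnet's firewall allow-list by taking `expected_ports(roles)` per host.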

You are responsible for managing the IP address space for the Caveonix portable private subnet. If needed, you can scale out from the all-in-one deployment model, through the partially distributed model, and to the fully distributed model.

The IP subnet and VLAN assignments are described in the following table.

VLAN and subnets

VLAN       Subnet type   Description
---------  ------------  --------------------------------------------------------------------------------------------------
Public     Primary       Assigned to physical hosts for public network access. Not used upon initial deployment.
Public     Portable      Assigned for uplink and NAT usage on customer-nsx-esg.
Public     Portable      Assigned for uplink NAT usage on mgmt-nsx-esg.
Public     Portable      Assigned for uplink NAT usage on hcx-mgmt-esg.
Private A  Primary       Assigned to physical hosts assigned by IBM Cloud®. Used by the management interface for vSphere management traffic.
Private A  Portable      Assigned to VMs that function as management components.
Private A  Portable      Assigned to NSX VTEP.
Private A  Portable      Assigned to HCX for internal usage.
Private A  Portable      Assigned for uplink usage on the customer-nsx-esg.
Private A  Portable      Assigned to HCX.
Private A  Portable      Assigned to Zerto VRAs, if the Zerto option is selected.
Private A  Portable      Assigned for Caveonix RiskForesight, if the Caveonix option is selected.
Private B  Primary       Not used upon initial deployment.
Private B  Portable      Assigned for vSAN, if in use.
Private B  Portable      Assigned for NAS, if in use.
Private B  Portable      Assigned for vMotion.