Automated end to end
Discovery, bootstrap, install, register. One command, one playbook run, zero per-instance steps.
Deploy CloudLens sensors to your EC2 instances in 5 to 10 minutes (small deployments) or 30 to 60 minutes (thousands of instances). A full 3-component stack (vController + KVO + vPB) was launched live in AWS us-east-1 and reached CREATE_COMPLETE. Linux, Windows, fully automated.
Deploy them from AWS Marketplace in one click before running sensor deployments.
One CloudFormation stack. Provisions vController + KVO + vPB into a shared VPC with purpose-built mgmt, data, and tool subnets. About 15 minutes from click to ready.
Or deploy each product separately:
Central management for sensors. Required for any sensor deployment.
t3.xlarge, ready in about 15 minuteshttps://<vcontroller-ip>admin / Cl0udLens@dm!n (change on first login)Optional. Centralizes the vPB fleet and automates AWS VPC Traffic Mirroring.
c5.2xlarge (Marketplace-fixed)ssh -p 9022 admin@<kvo-ip> (port 9022, not 22)https://<kvo-ip>admin / admin (change on first login)Optional. For inline traffic processing and VXLAN aggregation.
t3.xlarge, multi-ENI layoutssh -p 9022 admin@<vpb-ip> (NOT port 22)sudo vpb ready on first SSHsudo vpb (works the moment you SSH in)After vController finishes initializing (about 15 minutes), open the UI, create a project, copy the project key, then return here to run the sensor deployment.
vController, KVO, and vPB are all available as Terraform modules in deploy/terraform. The stack module composes all three; the per-component modules deploy them individually: clms (vController), kvo, vpb. Same Marketplace AMIs, IaC-friendly for pipelines and repeatable deployments. The CloudFormation equivalents live in deploy/cloudformation.
cd deploy/terraform/stack
terraform init
terraform apply -var key_name=my-keypair -var deploy_kvo=true -var deploy_vpb=true
vController, KVO, and vPB plus sensors. End to end. From a single paste.
curl -sSL https://raw.githubusercontent.com/Keysight-Tech/cloudlens-ansible-aws/main/deploy/deploy-stack.sh | bash
Prompts for region and key pair, accepts Marketplace terms, deploys vController, waits for initialization, optionally adds KVO and vPB, then chains to sensor deployment. Run from AWS CloudShell or any machine with the AWS CLI.
One paste, end to end. Best for: trying it the first time, or onboarding a new customer.
Single command, vController plus KVO and vPB. Best for: IaC pipelines and repeatable infra.
cd deploy/terraform && terraform init && terraform apply \
-var key_name=my-keypair -var deploy_kvo=true -var deploy_vpb=true
Executive-friendly PDF guide. Best for: customer CTO, procurement, training.
Download RunbookFor SE demos or first-call verification: stand up 3 throwaway workload EC2 instances (Ubuntu 22.04 + RHEL 9 + Windows Server 2022) tagged with a discovery tag, then run the stack with the matching tag flags. Proves sensors install on every supported OS in one pass.
# 1. Stand up the 3 test workload instances (default tag: cloudlens=yes)
curl -sSL https://raw.githubusercontent.com/Keysight-Tech/cloudlens-ansible-aws/main/scripts/deploy-test-workload-vms.sh | bash
# 2. Deploy the CloudLens stack, then run sensor deployment against the tagged instances
curl -sSL https://raw.githubusercontent.com/Keysight-Tech/cloudlens-ansible-aws/main/deploy/deploy-stack.sh | bash
# 3. Cleanup when done
aws cloudformation delete-stack --stack-name cloudlens-test-vms --region us-east-1
The fixture launches three instances tagged cloudlens=yes with an os tag per platform. The sensor deployment installs on all three and they register with vController. Total round trip: about 25 to 30 minutes. Override the tag pair with TESTVMS_TAG_KEY / TESTVMS_TAG_VALUE environment variables if you want to mirror a customer's existing convention.
Pinned image with Ansible, the AWS SDKs, and pywinrm. Works from your laptop, a CI runner, or any container host.
docker run --rm -it \
-v $(pwd)/customer_input.yaml:/work/customer_input.yaml \
-v $HOME/.ssh:/root/.ssh:ro \
-e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY \
-e AWS_DEFAULT_REGION \
ghcr.io/keysight-tech/cloudlens-ansible-aws:latest
AWS credentials are passed via environment variables (use scripts/setup_aws_creds.sh to configure a profile). Same behavior as the CloudShell quickstart, just packaged for CI/CD or repeat customer deployments.
Image is published to GitHub Container Registry on every push to main: ghcr.io/keysight-tech/cloudlens-ansible-aws.
Prefer to build your own image instead of pulling? The Dockerfile is in the repo root.
git clone https://github.com/Keysight-Tech/cloudlens-ansible-aws.git
cd cloudlens-ansible-aws
docker build -t cloudlens-ansible-aws .
Drop the same docker run into GitHub Actions, GitLab CI, Jenkins, or CodeBuild. Mount your customer_input.yaml as a build artifact.
Most deployments under 50 instances complete in 5 to 10 minutes.
You need these in place before deploying:
If you do not have vController deployed yet, use the Launch vController button above.
The deployment discovers instances by tag. Apply these to every target instance:
| Tag | Value |
|---|---|
cloudlens | yes |
os | ubuntu or rhel or windows |
env | prod (or dev, qa) |
Tag a single instance:
aws ec2 create-tags --resources i-0123456789abcdef0 \
--tags Key=cloudlens,Value=yes Key=os,Value=ubuntu Key=env,Value=prod
Use the wizard below to fill the fields and download customer_input.yaml.
Tip: the wizard shows the YAML rendering live as you type. Each field has inline help so you know exactly what to enter.
Place your downloaded customer_input.yaml in your working directory, then pick one of the three deploy paths.
One click. No local tools. Best for: trying it for the first time.
Launch StackAlready authenticated. One curl command. Best for: most customers.
curl -sSL https://raw.githubusercontent.com/Keysight-Tech/cloudlens-ansible-aws/main/quickstart.sh | bash
Reproducible. Pinned versions. Best for: CI or repeat deployments.
docker run --rm -it -v $(pwd)/customer_input.yaml:/work/customer_input.yaml ghcr.io/keysight-tech/cloudlens-ansible-aws:latest
Open your vController web UI and confirm:
Stuck? See the troubleshooting section below or the full troubleshooting docs.
Customers told us deploying CloudLens at scale on AWS felt manual. We made it boring.
Discovery, bootstrap, install, register. One command, one playbook run, zero per-instance steps.
Ubuntu, RHEL, Rocky, Alma, Windows Server. Public IP, jumpbox, SSM Session Manager, or CloudShell.
Auto tunes Ansible forks based on inventory size. Sharded execution past 2,000 instances, AWX beyond 10,000.
Fill in four fields. Download the file. Run quickstart. That is the whole flow.
A single Ansible control point authenticates to AWS, discovers EC2 instances by tag, and routes each host to the right OS lane. The CloudLens sensor on each EC2 instance mirrors traffic (mirror / VXLAN) to the vPB, which forwards to your monitoring tool. Every sensor self registers with vController on first start.
Flow: CloudLens sensor on EC2 to mirror / VXLAN to vPB to monitoring tool. The dotted line shows sensor registration traffic back to vController.
Drag the slider to see the estimated deployment time for your fleet size.
A full 3-component stack was launched via CloudFormation in us-east-1 and reached CREATE_COMPLETE, July 2026.
| Component | Result | Instance type |
|---|---|---|
| CloudLens vController (control plane) | CREATE_COMPLETE | t3.xlarge |
| Vision Orchestrator (KVO) | CREATE_COMPLETE | c5.2xlarge |
| Virtual Packet Broker (vPB) | CREATE_COMPLETE | t3.xlarge |
| Full stack (stack.yaml) | 3/3 live in us-east-1 | Shared VPC |
Once CloudFormation or Terraform finishes, configure the Keysight products via their web UIs. One-time setup, about 15 minutes end to end. vController was formerly named CLMS.
KVO blocks all access, including the API, until the EULA is accepted in the browser. Open https://<kvo-ip>, read the Keysight Software EULA, click Agree, then log in with admin / admin.
Navigate to Settings, Product Licensing, Activate. Three licenses must be enabled: vPB Advanced, CloudLens Enterprise, and KVO perpetual. If the license server is unreachable, copy the offline activation key from your Keysight portal.
From KVO: Inventory, CloudLens Manager, Discover. Enter the vController private IP (the 10.0.1.x address from the stack Outputs) and the admin credentials (admin / Cl0udLens@dm!n). Status must turn CONNECTED before proceeding.
SSH to the vPB on port 9022 (not 22), then run sudo vpb and:
configure terminal
kvo
ip <kvo-private-ip>
port 443
enable
monitored
end
write memory
Back in KVO, the vPB shows up under Inventory, Devices. Adopt it with Control the adopted device enabled (default).
On KVO: Cloud Fabric, Cloud Configs, New, AWS. Paste the IAM access key and secret (from the stack Outputs), click Connect, pick the target region and VPC, set the deployment instance type to c5.2xlarge, choose the subnets, and commit. KVO auto-deploys collector Service VMs.
Skip this if you used the disposable test fixture, those instances are already configured. Deploying sensors to existing customer EC2 instances? Prep them with the included script in scan-then-fix mode.
Auto-fix: Yes
Each instance needs AmazonSSMManagedInstanceCore attached to its instance profile. The prep script creates a CloudLens-SSM-Role and attaches it for you. If the instance already has an IAM role, the script adds the SSM policy to it instead of replacing.
Auto-fix: Mostly
Pre-installed on Amazon Linux, Ubuntu 16.04+, Windows Server 2016+. Must be installed manually on RHEL/CentOS, commands below.
Auto-fix: Yes
The script auto-detects each instance OS and applies cloudlens=yes plus the correct os tag (ubuntu, rhel, or windows).
Run scan-only mode to see what is missing before changing anything:
./scripts/deploy.sh --region us-east-1 --profile customer --scan-only
Once you have reviewed the scan, run with --auto-fix to remediate every gap in one shot:
./scripts/deploy.sh --region us-east-1 --profile customer --auto-fix
Omit --auto-fix for interactive mode, the script prompts before each change.
sudo snap install amazon-ssm-agent --classic
sudo systemctl enable snap.amazon-ssm-agent.amazon-ssm-agent.service
sudo systemctl start snap.amazon-ssm-agent.amazon-ssm-agent.service
sudo dnf install -y \
https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent
# SSM Agent is pre-installed on Windows Server 2016+
# If it is not responding, restart it:
Restart-Service AmazonSSMAgent
aws ssm describe-instance-information --region us-east-1Push CloudLens sensors to every tagged EC2 instance at fleet scale over SSH, SSM, or WinRM, with outbound HTTPS from each instance back to vController.
Apply the marker tag cloudlens = yes and an os tag to every target instance. Without these the deployment skips the host.
| OS | Tag os |
|---|---|
| Ubuntu / Debian | ubuntu |
| RHEL / CentOS / Amazon Linux | rhel |
| Windows Server 2016+ | windows |
Each instance needs the managed policy AmazonSSMManagedInstanceCore attached to its instance profile for the SSM connection path. The included prep step can attach this for you and verify the SSM Agent is running.
Each instance must reach ssm.<region>.amazonaws.com, ec2messages.<region>.amazonaws.com, and ssmmessages.<region>.amazonaws.com on 443 outbound, or have a VPC endpoint to those services.
# Deploy to ALL tagged targets in the region
bash quickstart.sh
# Or run the playbook directly with your customer_input.yaml
ansible-playbook deploy.yaml -e @customer_input.yaml
The playbook invokes the CloudLens sensor installer on every matching instance in parallel, Docker or Podman on Linux, MSI on Windows. Sensors register with vController on first start.
KVO natively manages AWS VPC Traffic Mirroring. It auto-deploys collector Service VMs, creates mirror filters, targets, and sessions, and auto-scales by tapped-interface count.
CloudFormation and Terraform provision an IAM user with the CloudLens mirroring policy, scoped with the cloudlens:monitored:vpcid condition tag. Includes EC2, Traffic Mirror, Auto Scaling, and Launch Template permissions.
Optional Lambda plus EventBridge rules fire on RunInstances, CreateTags, and instance state changes. New EC2 instances in watched VPCs are tagged for mirroring, and KVO starts mirroring instantly, no polling.
In vController, open Sensors. Each tagged instance should appear as connected and reporting, with your custom tags visible. This is the fastest end-to-end confirmation the pipeline is healthy.
In KVO: Cloud Fabric, Monitoring Policies, New. Pick the source (tag-based), the tool (vPB plus downstream analytics), and KVO deploys collector Service VMs, configures the mirror sessions, and routes packets.
Clean removal of sensors and infrastructure. Always run in this order, sensors first, infrastructure second.
# Remove sensors from all tagged targets
bash cleanup.yaml
# Or via the playbook
ansible-playbook cleanup.yaml -e @customer_input.yaml
Terraform path:
cd deploy/terraform
terraform destroy
CloudFormation path:
aws cloudformation delete-stack \
--stack-name cloudlens-stack \
--region us-east-1
aws cloudformation wait stack-delete-complete \
--stack-name cloudlens-stack \
--region us-east-1
Default credentials, network topology, and Marketplace AMIs. Keep this open in a tab during deployment.
| Product | Username | Password |
|---|---|---|
| KVO | admin | admin |
| vController | admin | Cl0udLens@dm!n |
| vPB SSH (port 9022) | ec2-user | key pair |
Change these on first login. Default passwords are not for production.
| Subnet | CIDR | Purpose |
|---|---|---|
| Management | 10.0.1.0/24 | SSH, HTTPS, REST API |
| Data | 10.0.2.0/24 | Sensor traffic (mirror / VXLAN) |
| Tool | 10.0.3.0/24 | Processed traffic to tools |
CIDRs are configurable in the CloudFormation parameters.
| Product | Instance |
|---|---|
| vController (CLMS_6.12.x) | t3.xlarge |
| KVO (2.13.x) | c5.2xlarge only |
| vPB-KVO (3.13.x) | t3.xlarge |
KVO has an AWS Marketplace instance-type restriction and cannot be changed.
If something does not work, check these first.
Use the Launch vController button at the top of this page, or launch the full stack with the Launch CloudLens Stack button above. vController comes from AWS Marketplace, deploys in about 15 minutes, and is ready before you start tagging your instances. While you are there, also deploy KVO if you want centralized fleet orchestration across multiple vPB instances.
The vPB image uses port 9022 for SSH, NOT the default port 22. Keysight CloudLens OS (KCOS) binds sshd only to 9022 on the public interface. Connections to :22 time out forever even after the instance is fully booted.
What to do: wait 10 to 15 minutes after deploy succeeds for KCOS to initialize, then:
ssh -p 9022 admin@<vpb-public-ip> # OS shell
sudo vpb # vPB CLI
Security group rule: make sure the security group on the vPB management ENI allows inbound TCP on port 9022. The stack template opens this automatically; if you deployed via a custom path, add the rule manually.
Same vController note: the web UI on port 443 is usually ready within 60 seconds, but full system initialization (registry and project creation) takes around 15 minutes.
Cause: tags missing or misspelled.
Fix: verify with aws ec2 describe-tags --filters "Name=resource-id,Values=i-0123...". The cloudlens, os, and env tags must all be present.
Cause: your key pair is not on the target instance, or the wrong SSH user.
Fix: use ubuntu for Ubuntu and ec2-user for RHEL/Amazon Linux, and confirm ssh_key_path in customer_input.yaml points at the right .pem. For no-key targets, use the SSM connection path instead.
Cause: for the SSM path, the SSM Agent is not registered or the instance lacks the SSM IAM role; for the WinRM path, ports 5985/5986 are closed.
Fix: prefer windows_connection: "ssm", attach AmazonSSMManagedInstanceCore, and confirm the instance appears in aws ssm describe-instance-information.
Cause: wrong project key, or sensor cannot reach vController on the network.
Fix: double-check the project key from the vController UI. Verify the instance can reach vController on port 443.
1 to 50 instances: 5 to 10 minutes.
50 to 500 instances: 15 to 30 minutes.
500 to 2000 instances: 30 to 60 minutes.
Thousands: sharded automatically, 30 to 60 minutes for up to 10K.
Open an issue on GitHub, or contact your Keysight account team for direct engineering support.
Everything you need to deploy with confidence.
Every port, password, SSH gotcha, KVO adoption step, and security group rule. Read this before filing a support ticket.
Scenarios, architecture, scaling, and troubleshooting on GitHub.
Printable customer-ready guide with screenshots and checklists.
Copy-paste handoff message for your account team.
Bug reports and feature requests, handled by Keysight engineering.