Architecture
The overall architecture of this integration involves the following components:
- Customer Grafana
- Customer Prometheus
- CryptoTunnel Guardian
- Prometheus Proxy
- Futurex Prometheus
VirtuCrypt CryptoTunnels
In the VirtuCrypt world, trust is a two-way street. The CryptoTunnel uses three components to establish trust, starting with a private key local to your device. When you generate the PKI, which creates the private key, the system signs the key under a VirtuCrypt CA tree, the second component. The VirtuCrypt CA tree that signed the key is the authority that establishes trust between the server and the client. After the CA tree signs the key, the result is a signed certificate, the final component. When you send the signed certificate through the CryptoTunnel, the server knows the certificate is signed under the VirtuCrypt CA tree and is therefore authentic. That is how the server establishes trust in the application. To establish trust in the opposite direction, from the application to the server, the server sends its own signed certificate to the application. The application client then validates the server identity, completing the mutually authenticated trust relationship. After this handshake, all data can be encrypted, satisfying PCI DSS compliance requirements.

Prometheus
Prometheus is an open-source systems monitoring and alerting toolkit. Originally developed by SoundCloud in 2012, it is now a graduated project of the Cloud Native Computing Foundation, which is part of the Linux Foundation and also hosts projects like Kubernetes and Fluentd. The following list describes the main features of Prometheus:
- Multi-dimensional data model: Prometheus stores all data as time series, and each time series is uniquely identified by its metric name and a set of key-value pairs, also known as labels.
- PromQL (Prometheus Query Language): Prometheus provides a flexible query language to leverage its dimensional data model. PromQL allows you to select and aggregate time series data in real time.
- No reliance on distributed storage: The main unit of reliability in Prometheus is the individual node, which is fully standalone and does not depend on network storage or other remote services.
- Collection happens through a pull model: Prometheus collects metrics from monitored targets by scraping HTTP endpoints on these targets. However, it also supports an intermediary gateway for scenarios where a pull model is unsuitable.
- Targets are discovered through service discovery or static configuration: Prometheus employs various service discovery mechanisms to identify scrape targets dynamically.
- Multiple modes of graphing and dashboarding support: While Prometheus provides a built-in expression browser for exploring metrics, it also integrates seamlessly with graphical dashboard builders such as Grafana for advanced visualization.
- Alerting functionality: Prometheus has a highly flexible alerting system. It enables you to define alerting rules for your metrics, and if those conditions are met, it sends alert notifications through its Alertmanager component.
Grafana
Grafana is a popular open-source tool for visualizing large-scale measurement data. It provides a powerful and elegant way to create, explore, and share dashboards and data with your team and the world. Grafana is most commonly used to visualize time series data for infrastructure and application analytics, but it is also used in other domains, including industrial sensors, home automation, weather, and process control. It supports various data sources, including but not limited to Prometheus, InfluxDB, Elasticsearch, AWS CloudWatch, MySQL, and PostgreSQL. The following list describes some key features of Grafana:
- Dashboard and Visualizations: Grafana provides a feature-rich data-modeling interface for creating dashboards. These dashboards can contain a variety of visualization widgets or panels (such as graphs, tables, single stats, gauges, maps, and so on). You can easily switch the visualization type to compare different visual formats of the same data.
- Data Source Support: Grafana supports many databases and data sources, from time-series databases to relational databases and cloud services. You can create dashboards that pull data from multiple sources for a unified view.
- Alerting: Grafana provides robust alerting functionality. You can define alert rules for your data and get notified via several channels when an alert is triggered.
- Annotations: Grafana enables you to annotate graphs with rich events when something noteworthy happens. This function helps correlate the insights between different events and metrics.
- Dashboard Sharing: You can share a dashboard as a link, a snapshot, a PDF, or by embedding it in other web pages. This makes it easy to collaborate with your team.
- Teams and Authentication: Grafana supports user authentication, allowing you to control access to your dashboards. It also has a multi-tenant architecture, so you can set up and manage multiple independent organizations, each with its own users, dashboards, and data sources.
- Plugins: Grafana features a plug-in architecture and offers various plugins that enable you to extend and customize the Grafana capabilities.
VirtuCrypt monitoring metric reference
This section provides a reference for VirtuCrypt metrics and mappings.

V2 monitoring
The following table shows the V2 monitoring metrics:

| Metric Name | Type | Description | Labels |
|---|---|---|---|
| vcctmax_connections | Gauge int | CT Instance max allowed connections | tunnel_id (str), company_name (str), host (str), port (int), api_type (str), port_header (str), guardian_host (str) |
| vcctconnected_clients | Gauge int | CT Instance current connected client count | tunnel_id (str), company_name (str), host (str), port (int), api_type (str), port_header (str), guardian_host (str) |
| vcctrun_status | Gauge int | CT Instance run status ("status active" → 1 or "status inactive" → 0) | tunnel_id (str), company_name (str), host (str), port (int), api_type (str), port_header (str), guardian_host (str), status |
| vcctenabled_status | Gauge int | CT Instance enabled ("enabled" → 1 or "disabled" → 0) | tunnel_id (str), company_name (str), host (str), port (int), api_type (str), port_header (str), guardian_host (str) |
| vcctanonymous_status | Gauge int | CT Instance allows anonymous TLS ("allows anonymous" → 1 or "does not allow anonymous" → 0) | tunnel_id (str), company_name (str), host (str), port (int), api_type (str), port_header (str), guardian_host (str) |
| vctlscert_expiry | Gauge int (days) | CT Instance number of days until certificate expiry | tunnel_id (str), company_name (str), host (str), port (int), api_type (str), port_header (str), guardian_host (str) |
| vctlsversion_info | Gauge float | CT Instance TLS version (e.g., 1.2, 1.1) | tunnel_id (str), company_name (str), host (str), port (int), api_type (str), port_header (str), guardian_host (str) |
| vcprobesuccess | Gauge int | CT Instance port probe ("connection success" → 1 or "connection failed" → 0) | tunnel_id (str), company_name (str), host (str), port (int), api_type (str), port_header (str), guardian_host (str) |
| vcprobeduration_seconds | Gauge float (s) | CT Instance number of seconds required for connection creation | tunnel_id (str), company_name (str), host (str), port (int), api_type (str), port_header (str), guardian_host (str) |
| vcechoduration_seconds | Gauge float (s) | CT Instance echo latency in seconds | tunnel_id (str), company_name (str), host (str), port (int), api_type (str), port_header (str), guardian_host (str), phase (str) |
| vcconnectionerror_counter | Gauge int | CT Instance connection errors | tunnel_id (str), company_name (str), host (str), port (int), api_type (str), port_header (str), guardian_host (str), error_type (str) |
| vctlshandshake_duration | Gauge float (s) | CT Instance TLS handshake latency | tunnel_id (str), company_name (str), host (str), port (int), api_type (str), port_header (str), guardian_host (str), error_type (str), discovery_error_code (str), discovery_error_description (str), outgoing_host (str), outgoing_port (str) |
Metric usage
The following table shows the metric usage metrics. Each metric is exposed in the standard Prometheus format, with label values quoted, for example: example_metric{label_1="0", label_2="us-east"}

| Metric Name | Type | Description | Labels |
|---|---|---|---|
| ctinstanceport_status | Gauge int | CT Instance Port Status (open -> 1 or closed -> 0) | company_name (str), host (str), region (str), tunnel_name (str) |
| ctinstanceapi_type | Gauge int | CT Instance API Type (refer to the API-type mappings table below) | company_name (str), host (str), region (str), tunnel_name (str) |
| ctinstanceservice_enabled | Gauge int | CT Instance Service Enabled (True -> 1, False -> 0) | company_name (str), host (str), region (str), tunnel_name (str) |
| ctinstanceservicelatencyms | Gauge int | CT Instance Service Latency in ms | company_name (str), host (str), region (str), tunnel_name (str) |
| ctinstanceaccepting_connections | Gauge int | CT Instance Accepting Connections (True -> 1, False -> 0) | company_name (str), host (str), region (str), tunnel_name (str) |
| ctinstancecertificate_validity | Gauge int | CT Instance Certificate Validity (refer to the certificate validity mappings table below) | company_name (str), host (str), region (str), tunnel_name (str) |
| ctinstanceclientsconnectedtotal | Gauge int | Total clients connected to the CT instance | company_name (str), host (str), region (str), tunnel_name (str) |
API-type mappings
The following table shows the API-type mappings:

| Value | Mapping |
|---|---|
| 0 | None |
| 1 | International |
| 2 | Excrypt |
| 3 | JSON |
Certificate validity mappings
The following table shows the certificate validity mappings:

| Value | Mapping |
|---|---|
| 1 | Max Validity |
| 2 | Under 90 Days |
| 3 | Under 60 Days |
| 4 | Under 30 Days |
| 5 | Under 7 Days |
| 6 | Expired |
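As an added example that is not part of the Futurex documentation, the following Prometheus alerting rules turn the V2 monitoring metrics and the metric usage values (decoded with the mapping tables) into defender-oriented alerts. Metric and label names are taken from the tables above; the rule group name, severities, and thresholds (30 days, TLS 1.2, 5-minute hold) are assumptions to tune for your environment.

```yaml
# Added example, not from the Futurex/VirtuCrypt documentation. Metric and label
# names come from the reference tables; thresholds and severities are assumptions.
groups:
  - name: virtucrypt-cryptotunnel
    rules:
      # V2 monitoring metrics
      - alert: CryptoTunnelCertExpiringSoon
        expr: vctlscert_expiry < 30
        labels: {severity: warning}
        annotations:
          summary: "Tunnel {{ $labels.tunnel_id }} ({{ $labels.host }}:{{ $labels.port }}) certificate expires in {{ $value }} days"
      - alert: CryptoTunnelAnonymousTlsAllowed
        # 1 means clients may connect without a certificate, which removes the
        # client side of the mutual authentication described in the architecture.
        expr: vcctanonymous_status == 1
        for: 5m
        labels: {severity: critical}
        annotations:
          summary: "Tunnel {{ $labels.tunnel_id }} allows anonymous TLS"
      - alert: CryptoTunnelLegacyTlsVersion
        expr: vctlsversion_info < 1.2
        for: 5m
        labels: {severity: warning}
        annotations:
          summary: "Tunnel {{ $labels.tunnel_id }} negotiates TLS {{ $value }}"
      - alert: CryptoTunnelProbeFailing
        # vcctrun_status carries an extra "status" label that vcprobesuccess lacks,
        # so the match must ignore it; the alert fires only for active tunnels.
        expr: vcprobesuccess == 0 and ignoring(status) vcctrun_status == 1
        for: 5m
        labels: {severity: critical}
        annotations:
          summary: "Tunnel {{ $labels.tunnel_id }} is active but its port probe fails"

      # Metric usage metrics, decoded with the mapping tables
      - alert: CryptoTunnelCertValidityLow
        # certificate validity mapping: 4 = Under 30 Days, 5 = Under 7 Days, 6 = Expired
        expr: ctinstancecertificate_validity >= 4
        labels: {severity: warning}
        annotations:
          summary: "{{ $labels.tunnel_name }} in {{ $labels.region }} has certificate validity code {{ $value }}"
      - alert: CryptoTunnelEnabledButPortClosed
        # both metrics share the same label set, so a plain "and" matches per tunnel
        expr: ctinstanceport_status == 0 and ctinstanceservice_enabled == 1
        for: 5m
        labels: {severity: critical}
        annotations:
          summary: "{{ $labels.tunnel_name }} is enabled but its port is closed"
```

Load the file through the rule_files entry of the Prometheus configuration and check it with promtool before deploying; the same expressions can be reused as Grafana alert rules against the Prometheus data source.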

