

# Install Network Flow Monitor agents on EC2 and self-managed Kubernetes instances
<a name="CloudWatch-NetworkFlowMonitor-agents"></a>

To provide performance metrics for network flows in your AWS workloads, Network Flow Monitor relies on *agents* that you install, which send the metrics to Network Flow Monitor. You install Network Flow Monitor agents on your instances, and then set the correct permissions for the agents so that they can send metrics to the Network Flow Monitor backend.

An agent is a lightweight software application that you install on your resources, such as your VPC EC2 instances. Agents send performance metrics to the Network Flow Monitor backend on an ongoing basis. Then, you can view the metrics on the **Workload insights** page in the Network Flow Monitor console. You can also track detailed metrics for a specific network flow, or set of flows, by creating a monitor.

The steps that you follow to deploy agents in your instances depend on the type of instance: Amazon EKS Kubernetes instances, VPC EC2 instances, or self-managed (non-EKS) Kubernetes instances.
+ For information about working with Amazon EKS, including installing agents on EKS, see [Work with EKS](CloudWatch-NetworkFlowMonitor-work-with-eks.md).
+ For information about installing agents on VPC EC2 instances and self-managed Kubernetes instances, see the sections in this chapter.

You can establish a private connection between your VPC and Network Flow Monitor agents by using AWS PrivateLink. For more information, see [Using CloudWatch, CloudWatch Synthetics, and CloudWatch Network Monitoring with interface VPC endpoints](cloudwatch-and-interface-VPC.md).

**Topics**
+ [Linux versions supported for Network Flow Monitor agents](CloudWatch-NetworkFlowMonitor-agents-versions.md)
+ [Install and manage agents for EC2 instances](CloudWatch-NetworkFlowMonitor-agents-ec2.md)
+ [Install agents for self-managed Kubernetes instances](CloudWatch-NetworkFlowMonitor-agents-kubernetes-non-eks.md)

# Linux versions supported for Network Flow Monitor agents
<a name="CloudWatch-NetworkFlowMonitor-agents-versions"></a>

The instances that you install agents on must be running supported versions and distributions of Linux. Network Flow Monitor supports agents to run only on Linux, and the Linux kernel version must be 5.8 or later. The following Linux distributions are supported. Note that agents are tested to run on the latest versions of these distributions.
+ Amazon Linux
+ Ubuntu
+ Red Hat
+ SUSE Linux
+ Debian distributions for both x86 and aarch64

# Install and manage agents for EC2 instances
<a name="CloudWatch-NetworkFlowMonitor-agents-ec2"></a>

Follow the steps in this section to install Network Flow Monitor agents for workloads on Amazon EC2 instances. You can install agents by using SSM or by downloading and installing prebuilt packages for the Network Flow Monitor agent by using the command line.

Regardless of the method that you use to install agents on EC2 instances, you must configure permissions for the agents to enable them to send performance metrics to the Network Flow Monitor backend.

**Topics**
+ [Configure permissions for agents](CloudWatch-NetworkFlowMonitor-agents-ec2-permissions.md)
+ [EC2 instance agents with SSM](CloudWatch-NetworkFlowMonitor-agents-ec2-install-ssm.md)
+ [Download and install the agent](CloudWatch-NetworkFlowMonitor-agents-download-agent-commandline.md)

# Configure permissions for agents
<a name="CloudWatch-NetworkFlowMonitor-agents-ec2-permissions"></a>

To enable agents to send metrics to the Network Flow Monitor ingestion backend, the EC2 instances that the agents run in must use a role that has a policy attached with the correct permissions. To provide the required permissions, use a role that has the following AWS managed policy attached: [CloudWatchNetworkFlowMonitorAgentPublishPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchNetworkFlowMonitorAgentPublishPolicy.html). Attach this policy to the IAM roles of the EC2 instances where you plan to install Network Flow Monitor agents.

We recommend that you add the permissions before you install agents on the EC2 instances. You can choose to wait until after you install agents, but the agents won't be able to send metrics to the service until the permissions are in place.

**To add permissions for Network Flow Monitor agents**

1. In the AWS Management Console, in the Amazon EC2 console, locate the EC2 instances that you plan to install Network Flow Monitor agents on.

1. Attach the [CloudWatchNetworkFlowMonitorAgentPublishPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchNetworkFlowMonitorAgentPublishPolicy.html) to the IAM role for each instance.

   If an instance doesn't have an IAM role attached, choose a role by doing the following:

   1. Under **Actions**, choose **Security**.

   1. Choose **Modify IAM role**, or create a new role by choosing **Create new IAM role**.

   1. Choose a role for the instance, and attach the [CloudWatchNetworkFlowMonitorAgentPublishPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchNetworkFlowMonitorAgentPublishPolicy.html) policy.
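The console steps above are easy to skip for one instance in a large fleet, and an agent on an instance whose role lacks the policy installs cleanly but never publishes. The following audit script is an added example (not AWS code) that reports, per instance, whether an instance profile is attached and whether one of its roles carries the CloudWatchNetworkFlowMonitorAgentPublishPolicy managed policy. It consumes the JSON that `aws ec2 describe-instances`, `aws iam get-instance-profile` and `aws iam list-attached-role-policies` return; the sample documents embedded below are constructed, and the policy ARN is assumed to follow the standard `arn:aws:iam::aws:policy/<name>` form for AWS managed policies.

```python
"""Pre-install audit for Network Flow Monitor agent permissions on EC2.

Example code, not part of the AWS documentation. It works on the JSON output of
the AWS CLI (run the commands yourself and pass the parsed documents in); the
sample documents at the bottom are constructed for illustration only.
"""
import json
from typing import Dict, List

# Managed policy named in the documentation. AWS managed policies use the
# arn:aws:iam::aws:policy/<PolicyName> form (assumption stated in the lead-in).
REQUIRED_POLICY_ARN = (
    "arn:aws:iam::aws:policy/CloudWatchNetworkFlowMonitorAgentPublishPolicy"
)

NO_PROFILE = "NO_INSTANCE_PROFILE"   # instance has no IAM role at all
MISSING = "MISSING_POLICY"           # role(s) present, policy not attached
OK = "OK"


def roles_from_instance_profile(get_instance_profile_doc: dict) -> List[str]:
    """Role names from the output of `aws iam get-instance-profile`."""
    return [r["RoleName"] for r in get_instance_profile_doc["InstanceProfile"]["Roles"]]


def policy_arns_from_role(list_attached_doc: dict) -> List[str]:
    """Attached managed-policy ARNs from `aws iam list-attached-role-policies`.
    Inline policies (list-role-policies) are deliberately not considered: the
    documentation asks for the managed policy specifically."""
    return [p["PolicyArn"] for p in list_attached_doc["AttachedPolicies"]]


def audit_instances(describe_instances_doc: dict,
                    profile_roles: Dict[str, List[str]],
                    role_policies: Dict[str, List[str]]) -> Dict[str, str]:
    """Return {instance_id: NO_PROFILE | MISSING | OK}.

    profile_roles maps instance-profile ARN -> role names,
    role_policies maps role name -> attached managed-policy ARNs.
    """
    result: Dict[str, str] = {}
    for reservation in describe_instances_doc.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            iid = inst["InstanceId"]
            profile = inst.get("IamInstanceProfile")   # absent when no role is attached
            if not profile:
                result[iid] = NO_PROFILE
                continue
            roles = profile_roles.get(profile["Arn"], [])
            attached = {arn for role in roles for arn in role_policies.get(role, [])}
            result[iid] = OK if REQUIRED_POLICY_ARN in attached else MISSING
    return result


# --- constructed sample data (shapes match the CLI, values are made up) ---
SAMPLE_DESCRIBE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/nfm-ready",
                            "Id": "AIPAEXAMPLE1"}},
    {"InstanceId": "i-0bbb222",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web-profile",
                            "Id": "AIPAEXAMPLE2"}},
    {"InstanceId": "i-0ccc333"},   # no instance profile at all
]}]}

SAMPLE_PROFILE_ROLES = {
    "arn:aws:iam::123456789012:instance-profile/nfm-ready": roles_from_instance_profile(
        {"InstanceProfile": {"Roles": [{"RoleName": "nfm-agent-role"}]}}),
    "arn:aws:iam::123456789012:instance-profile/web-profile": roles_from_instance_profile(
        {"InstanceProfile": {"Roles": [{"RoleName": "web-role"}]}}),
}

SAMPLE_ROLE_POLICIES = {
    "nfm-agent-role": policy_arns_from_role({"AttachedPolicies": [
        {"PolicyName": "CloudWatchNetworkFlowMonitorAgentPublishPolicy",
         "PolicyArn": REQUIRED_POLICY_ARN}]}),
    "web-role": policy_arns_from_role({"AttachedPolicies": [
        {"PolicyName": "AmazonSSMManagedInstanceCore",
         "PolicyArn": "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"}]}),
}


if __name__ == "__main__":
    report = audit_instances(SAMPLE_DESCRIBE_INSTANCES, SAMPLE_PROFILE_ROLES,
                             SAMPLE_ROLE_POLICIES)
    print(json.dumps(report, indent=2))
```

Run the audit before the SSM or command-line install so that the agents can publish as soon as they start; an instance reported as `MISSING_POLICY` needs the managed policy attached to its existing role, and one reported as `NO_INSTANCE_PROFILE` needs a role assigned first.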

# Install agents on EC2 instances with SSM
<a name="CloudWatch-NetworkFlowMonitor-agents-ec2-install-ssm"></a>

Network Flow Monitor agents provide performance metrics about network flows. Follow the steps in this section to install and work with Network Flow Monitor agents on EC2 instances, by using AWS Systems Manager. If you use Kubernetes, skip to the next sections for information about installing agents with Amazon EKS clusters or self-managed Kubernetes clusters.

Network Flow Monitor provides a Distributor package for you in Systems Manager to use to install or uninstall agents. In addition, Network Flow Monitor provides a document to activate or deactivate agents, by using the Document Type command. Use standard Systems Manager procedures to use the package and the document, or follow the steps provided here for detailed guidance.

For more information in general about using Systems Manager, see the following documentation:
+ [AWS Systems Manager Run Command](https://docs.aws.amazon.com/systems-manager/latest/userguide/run-command.html)
+ [AWS Systems Manager Distributor](https://docs.aws.amazon.com/systems-manager/latest/userguide/distributor.html)

Complete the steps in the following sections to configure permissions, install, and work with Network Flow Monitor agents.

**Contents**
+ [Install or uninstall agents](#CloudWatch-NetworkFlowMonitor-agents-ec2-install)
+ [Activate or deactivate agents](#CloudWatch-NetworkFlowMonitor-agents-ec2-manage)

## Install or uninstall agents by using Systems Manager
<a name="CloudWatch-NetworkFlowMonitor-agents-ec2-install"></a>

Network Flow Monitor provides a distributor package in AWS Systems Manager for you to install Network Flow Monitor agents: **AmazonCloudWatchNetworkFlowMonitorAgent**. To access and run the package to install agents, follow the steps provided here. 

**To install agents in EC2 instances**

1. In the AWS Management Console, in AWS Systems Manager, under **Node Tools**, choose **Distributor**.

1. Under **Owned by Amazon**, locate the Network Flow Monitor package, **AmazonCloudWatchNetworkFlowMonitorAgent**, and select it.

1. In the **Run command** flow, choose **Install one time** or **Install on schedule**.

1. In the **Target selection** section, choose how you want to select your EC2 instances to install agents on. You can select instances based on tags, choose instances manually, or base the choice on resource groups. 

1. In the **Command parameters** section, under **Action**, choose **Install**.

1. Scroll down, if necessary, and then choose **Run** to start the installation.

If the installation is successful and the instances have permissions to access Network Flow Monitor endpoints, the agent will start collecting metrics and send reports to the Network Flow Monitor backend. 

Agents that are active (sending metrics data) incur billing costs. For more information about Network Flow Monitor and Amazon CloudWatch pricing, see Network Monitoring on the [Amazon CloudWatch pricing](https://aws.amazon.com//cloudwatch/pricing/) page. If you don't need metrics data temporarily, you can deactivate an agent. For more information, see [Activate or deactivate agents](#CloudWatch-NetworkFlowMonitor-agents-ec2-manage). If you no longer need Network Flow Monitor agents, you can uninstall them from the EC2 instances.

**To uninstall agents from EC2 instances**

1. In the AWS Management Console, in AWS Systems Manager, under **Node Tools**, choose **Distributor**.

1. Under **Owned by Amazon**, locate the Network Flow Monitor package, **AmazonCloudWatchNetworkFlowMonitorAgent**, and select it.

1. In the **Command parameters** section, under **Action**, choose **Uninstall**.

1. Select the EC2 instances to uninstall agents from. 

1. Scroll down, if necessary, and then choose **Run** to start the uninstallation.

## Activate or deactivate agents by using Systems Manager
<a name="CloudWatch-NetworkFlowMonitor-agents-ec2-manage"></a>

After you install a Network Flow Monitor agent with SSM, you must activate it to receive network flow metrics from the instance where it's installed. Agents that are active (sending metrics data) incur billing costs. For more information about Network Flow Monitor and Amazon CloudWatch pricing, see Network Monitoring on the [Amazon CloudWatch pricing](https://aws.amazon.com//cloudwatch/pricing/) page. If you don't need metrics data temporarily, you can deactivate an agent to prevent ongoing billing for the agent.

Network Flow Monitor provides a document in AWS Systems Manager that you can use to activate or deactivate agents that you've installed on your EC2 instances. By running this document to manage the agents, you can activate them to begin receiving performance metrics. Or, you can deactivate them to temporarily stop metrics from being sent, without uninstalling the agents.

The document in SSM that you can use to activate or deactivate agents is called **AmazonCloudWatch-NetworkFlowMonitorManageAgent**. To access and run the document, follow the steps in the procedure. 

**To activate or deactivate Network Flow Monitor agents**

1. In the AWS Management Console, in AWS Systems Manager, under **Change Management Tools**, choose **Documents**.

1. Under **Owned by Amazon**, locate the Network Flow Monitor document, **AmazonCloudWatch-NetworkFlowMonitorManageAgent**, and select the document.

1. In the **Target selection** section, choose how you want to select the EC2 instances whose agents you want to activate or deactivate. You can select instances based on tags, choose instances manually, or base the choice on resource groups. 

1. In the **Command parameters** section, under **Action**, choose **Activate** or **Deactivate**, depending on the action that you want to take for the agents.

1. Scroll down, if necessary, and then choose **Run** to run the document against the selected instances.

# Download prebuilt packages of the Network Flow Monitor agent by using the command line
<a name="CloudWatch-NetworkFlowMonitor-agents-download-agent-commandline"></a>

You can use the command line to install the Network Flow Monitor agent as a package in Amazon Linux 2023, or download and install prebuilt packages of the Network Flow Monitor agent.

Before or after you download a prebuilt package, you can optionally verify the package signature. For more information, see [Verify the signature of the Network Flow Monitor agent package](#CloudWatch-NetworkFlowMonitor-agents-download-agent-commandline-verify-sig).

Choose from the following instructions, depending on the Linux operating system that you're using and the type of installation that you want.

**Amazon Linux AMIs**  
The Network Flow Monitor agent is available as a package in Amazon Linux 2023. If you're using this operating system, you can install the package by entering the following command:   
`sudo yum install network-flow-monitor-agent`  
You must also make sure that the IAM role attached to the instance has the [CloudWatchNetworkFlowMonitorAgentPublishPolicy](security-iam-awsmanpol-network-flow-monitor.md#security-iam-awsmanpol-CloudWatchNetworkFlowMonitorAgentPublishPolicy) policy attached. For more information, see [Configure permissions for agents](CloudWatch-NetworkFlowMonitor-agents-ec2-permissions.md).

**Amazon Linux 2023**  
Install the package for your architecture by using one of the following commands:  
+ **x86_64**: `sudo yum install https://networkflowmonitoragent.awsstatic.com/latest/x86_64/network-flow-monitor-agent.rpm` 
+ **ARM64 (Graviton)**: `sudo yum install https://networkflowmonitoragent.awsstatic.com/latest/arm64/network-flow-monitor-agent.rpm` 
Verify that the Network Flow Monitor agent is successfully installed by running the following command and checking that the response shows that the agent is enabled and active:  

```
service network-flow-monitor status
network-flow-monitor.service - Network Flow Monitor Agent
     Loaded: loaded (/usr/lib/systemd/system/network-flow-monitor.service; enabled; preset: enabled)
     Active: active (running) since Wed 2025-04-23 19:17:16 UTC; 1min 9s ago
```

**DEB-based distributions (Debian, Ubuntu)**  
Install the package for your architecture by using one of the following commands:  
+ **x86_64**: `wget https://networkflowmonitoragent.awsstatic.com/latest/x86_64/network-flow-monitor-agent.deb` 
+ **ARM64 (Graviton)**: `wget https://networkflowmonitoragent.awsstatic.com/latest/arm64/network-flow-monitor-agent.deb` 
Install the package by using the following command: `$ sudo apt-get install ./network-flow-monitor-agent.deb`  
Verify that the Network Flow Monitor agent is successfully installed by running the following command and checking that the response shows that the agent is enabled and active:  

```
service network-flow-monitor status
network-flow-monitor.service - Network Flow Monitor Agent
     Loaded: loaded (/usr/lib/systemd/system/network-flow-monitor.service; enabled; preset: enabled)
     Active: active (running) since Wed 2025-04-23 19:17:16 UTC; 1min 9s ago
```

## Verify the signature of the Network Flow Monitor agent package
<a name="CloudWatch-NetworkFlowMonitor-agents-download-agent-commandline-verify-sig"></a>

The Network Flow Monitor agent rpm and deb installer packages for Linux instances are cryptographically signed. You can use a public key to verify that the agent package is original and unmodified. If the files are damaged or have been altered, the verification fails. You can verify the signature of the installer package using either RPM or GPG. The following information is for Network Flow Monitor agent versions 0.1.3 or later. 

To find the correct signature file for each architecture and operating system, use the following table.


| Architecture | Platform | Download link | Signature file link | 
| --- | --- | --- | --- | 
|  x86-64 |  Amazon Linux 2023  |  https://networkflowmonitoragent.awsstatic.com/latest/x86_64/network-flow-monitor-agent.rpm  |  https://networkflowmonitoragent.awsstatic.com/latest/x86_64/network-flow-monitor-agent.rpm.sig  | 
|  ARM64 |  Amazon Linux 2023  |  https://networkflowmonitoragent.awsstatic.com/latest/arm64/network-flow-monitor-agent.rpm  |  https://networkflowmonitoragent.awsstatic.com/latest/arm64/network-flow-monitor-agent.rpm.sig  | 
|  x86-64 |  Debian/Ubuntu  |  https://networkflowmonitoragent.awsstatic.com/latest/x86_64/network-flow-monitor-agent.deb  |  https://networkflowmonitoragent.awsstatic.com/latest/x86_64/network-flow-monitor-agent.deb.sig  | 
|  ARM64 |  Debian/Ubuntu  |  https://networkflowmonitoragent.awsstatic.com/latest/arm64/network-flow-monitor-agent.deb  |  https://networkflowmonitoragent.awsstatic.com/latest/arm64/network-flow-monitor-agent.deb.sig  | 

Follow the steps here to verify the signature of the Network Flow Monitor agent.

**To verify the signature of the Network Flow Monitor agent package by using GPG**

1. Install GnuPG so that you can run the gpg command. GnuPG is required to verify the authenticity and integrity of a downloaded Network Flow Monitor agent package. GnuPG is installed by default on Amazon Linux Amazon Machine Images (AMIs).

1. Copy the following public key and save it to a file named `nfm-agent.gpg`.

   ```
   -----BEGIN PGP PUBLIC KEY BLOCK-----
   
   mQINBGf0b5IBEAC6YQc0aYrTbcHNWWMbLuqsqfspzWrtCvoU0yQ62ld7nvCGBha9
   lu4lbhtiwoDawC3h6Xsxc3Pmm6kbMQfZdbo4Gda4ahf6zDOVI5zVHs3Yu2VXC2AU
   5BpKQJmYddTb7dMI3GBgEodJY05NHQhq1Qd2ptdh03rsX+96Fvi4A6t+jsGzMLJU
   I+hGEKGif69pJVyptJSibK5bWCDXh3eS/+vB/CbXumAKi0sq4rXv/VPiIhn6bsCI
   A2lmzFd3vMJQUM/T7m7skrqetZ4mWHr1LPDFPK/H/81s8TJawx7MACsK6kIRUxu+
   oicW8Icmg9S+BpIgONT2+Io5P1tYO5a9AyVF7X7gU0VgHUA1RoLnjHQHXbCmnFtW
   cYEuwhUuENMl+tLQCZ+fk0kKjOlIKqeS9AVwhks92oETh8wpTwTE+DTBvUBP9aHo
   S39RTiJCnUmA6ZCehepgpwW9AYCc1lHv/xcahD418E0UHV22qIw943EwAkzMDA4Q
   damdRm0Nud0OmilCjo9oogEB+NUoy//5XgQMH1hhfsHquVLU/tneYexXYMfo/Iu5
   TKyWL2KdkjKKP/dMR4lMAXYi0RjTJJ5tg5w/VrHhrHePFfKdYsgN6pihWwj2Px/M
   ids3W1Ce50LOEBc2MOKXYXGd9OZWyR8l15ZGkySvLqVlRGwDwKGMC/nS2wARAQAB
   tEJOZXR3b3JrIEZsb3cgTW9uaXRvciBBZ2VudCA8bmV0d29yay1mbG93LW1vbml0
   b3ItYWdlbnRAYW1hem9uLmNvbT6JAlcEEwEIAEEWIQR2c2ypl63T6dJ3JqjvvaTM
   vJX60QUCZ/RvkgIbAwUJBaOagAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAK
   CRDvvaTMvJX60euSD/9cIu2BDL4+MFFHhyHmG3/se8+3ibW0g8SyP3hsnq7qN+bm
   ZzLAhll7DVoveNmEHI1VC7Qjwb30exgLcyK2Ld6uN6lwjjK0qiGGz943t230pJ3z
   u7V2fVtAN+vgDVmD7agE6iqrRCWu3WfcgzFlEkE/7nkhtbWzlaK+NkdEBzNZ+W7/
   FmLClzIbMjIBW2M8LdeZdQX0SWljy18x7NGNukWeNTJxmkDsjAeKl+zkXYk9h7ay
   n3AVl1KrLZ5P9vQ5XsV5e4T6qfQ3XNY1lm54cpa+eD7NyYcTGRDK+vIxO4xD8i2M
   yl1iNf2+84Tt6/SAgR/P9SJ5tbKD0iU9n4g1eBJVGmHDuXTtDR4H/Ur7xRSxtuMl
   yZP/sLWm8p7+Ic7aQJ5OVw36MC7Oa7/K/zQEnLFFPmgBwGGiNiw5cUSyCBHNvmtv
   FK0Q2XMXtBEBU9f44FMyzNJqVdPywg8Y6xE4wc/68uy7G6PyqoxDSP2ye/p+i7oi
   OoA+OgifchZfDVhe5Ie0zKR0/nMEKTBV0ecjglb/WhVezEJgUFsQcjfOXNUBesJW
   a9kDGcs3jIAchzxhzp/ViUBmTg6SoGKh3t+3uG/RK2ougRObJMW3G+DI7xWyY+3f
   7YsLm0eDd3dAZG3PdltMGp0hKTdslvpws9qoY8kyR0Fau4l222JvYP27BK44qg==
   =INr5
   -----END PGP PUBLIC KEY BLOCK-----
   ```

1. Import the public key into your keyring and note the returned value.

   ```
   $ gpg --import nfm-agent.gpg
   gpg: key 3B789C72: public key "Network Flow Monitor Agent" imported
   gpg: Total number processed: 1
   gpg: imported: 1 (RSA: 1)
   ```

   Make a note of the key value because you need it in the next step. In this example, the key value is `3B789C72`.

1. Verify the fingerprint by running the following command. Be sure to replace *key-value* with the value from the preceding step. We recommend that you use GPG to verify the fingerprint even if you use RPM to verify the installer package.

   ```
   $ gpg --fingerprint key-value
   pub   rsa4096 2025-04-08 [SC] [expires: 2028-04-07]
         7673 6CA9 97AD D3E9 D277  26A8 EFBD A4CC BC95 FAD1
   uid   Network Flow Monitor Agent <network-flow-monitor-agent@amazon.com>
   ```

   The fingerprint string should be equal to the following:

   `7673 6CA9 97AD D3E9 D277 26A8 EFBD A4CC BC95 FAD1`

   If the fingerprint string doesn't match, don't install the agent. Contact Amazon Web Services.

   After you have verified the fingerprint, you can use it to verify the signature of the Network Flow Monitor agent package.

1. Download the package signature file, if you haven't already done so, based on your instance's architecture and operating system.

1. Verify the installer package signature. Be sure to replace the `signature-filename` and `agent-download-filename` with the values that you specified when you downloaded the signature file and agent, as shown in the table earlier in this topic.

   ```
   $ gpg --verify signature-filename agent-download-filename
   gpg: Signature made Tue Apr  8 00:40:02 2025 UTC
   gpg:                using RSA key 77777777EXAMPLEKEY
   gpg:                issuer "network-flow-monitor-agent@amazon.com"
   gpg: Good signature from "Network Flow Monitor Agent <network-flow-monitor-agent@amazon.com>" [unknown]
   gpg: WARNING: Using untrusted key!
   ```

   If the output includes the phrase `BAD signature`, check to make sure that you performed the procedure correctly. If you continue to get this response, contact [AWS Support](https://aws.amazon.com/premiumsupport/) and avoid using the downloaded file.

   Note the warning about trust. A key is trusted only if you or someone who you trust has signed it. This doesn't mean that the signature is invalid, only that you have not verified the public key.

Next, follow the steps here to verify the RPM package.

**To verify the signature of the RPM package**

1. Copy the following public key and save it to a file named `nfm-agent.gpg`.

   ```
   -----BEGIN PGP PUBLIC KEY BLOCK-----
   
   mQINBGf0b5IBEAC6YQc0aYrTbcHNWWMbLuqsqfspzWrtCvoU0yQ62ld7nvCGBha9
   lu4lbhtiwoDawC3h6Xsxc3Pmm6kbMQfZdbo4Gda4ahf6zDOVI5zVHs3Yu2VXC2AU
   5BpKQJmYddTb7dMI3GBgEodJY05NHQhq1Qd2ptdh03rsX+96Fvi4A6t+jsGzMLJU
   I+hGEKGif69pJVyptJSibK5bWCDXh3eS/+vB/CbXumAKi0sq4rXv/VPiIhn6bsCI
   A2lmzFd3vMJQUM/T7m7skrqetZ4mWHr1LPDFPK/H/81s8TJawx7MACsK6kIRUxu+
   oicW8Icmg9S+BpIgONT2+Io5P1tYO5a9AyVF7X7gU0VgHUA1RoLnjHQHXbCmnFtW
   cYEuwhUuENMl+tLQCZ+fk0kKjOlIKqeS9AVwhks92oETh8wpTwTE+DTBvUBP9aHo
   S39RTiJCnUmA6ZCehepgpwW9AYCc1lHv/xcahD418E0UHV22qIw943EwAkzMDA4Q
   damdRm0Nud0OmilCjo9oogEB+NUoy//5XgQMH1hhfsHquVLU/tneYexXYMfo/Iu5
   TKyWL2KdkjKKP/dMR4lMAXYi0RjTJJ5tg5w/VrHhrHePFfKdYsgN6pihWwj2Px/M
   ids3W1Ce50LOEBc2MOKXYXGd9OZWyR8l15ZGkySvLqVlRGwDwKGMC/nS2wARAQAB
   tEJOZXR3b3JrIEZsb3cgTW9uaXRvciBBZ2VudCA8bmV0d29yay1mbG93LW1vbml0
   b3ItYWdlbnRAYW1hem9uLmNvbT6JAlcEEwEIAEEWIQR2c2ypl63T6dJ3JqjvvaTM
   vJX60QUCZ/RvkgIbAwUJBaOagAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAK
   CRDvvaTMvJX60euSD/9cIu2BDL4+MFFHhyHmG3/se8+3ibW0g8SyP3hsnq7qN+bm
   ZzLAhll7DVoveNmEHI1VC7Qjwb30exgLcyK2Ld6uN6lwjjK0qiGGz943t230pJ3z
   u7V2fVtAN+vgDVmD7agE6iqrRCWu3WfcgzFlEkE/7nkhtbWzlaK+NkdEBzNZ+W7/
   FmLClzIbMjIBW2M8LdeZdQX0SWljy18x7NGNukWeNTJxmkDsjAeKl+zkXYk9h7ay
   n3AVl1KrLZ5P9vQ5XsV5e4T6qfQ3XNY1lm54cpa+eD7NyYcTGRDK+vIxO4xD8i2M
   yl1iNf2+84Tt6/SAgR/P9SJ5tbKD0iU9n4g1eBJVGmHDuXTtDR4H/Ur7xRSxtuMl
   yZP/sLWm8p7+Ic7aQJ5OVw36MC7Oa7/K/zQEnLFFPmgBwGGiNiw5cUSyCBHNvmtv
   FK0Q2XMXtBEBU9f44FMyzNJqVdPywg8Y6xE4wc/68uy7G6PyqoxDSP2ye/p+i7oi
   OoA+OgifchZfDVhe5Ie0zKR0/nMEKTBV0ecjglb/WhVezEJgUFsQcjfOXNUBesJW
   a9kDGcs3jIAchzxhzp/ViUBmTg6SoGKh3t+3uG/RK2ougRObJMW3G+DI7xWyY+3f
   7YsLm0eDd3dAZG3PdltMGp0hKTdslvpws9qoY8kyR0Fau4l222JvYP27BK44qg==
   =INr5
   -----END PGP PUBLIC KEY BLOCK-----
   ```

1. Import the public key into your keyring.

   ```
   $ rpm --import nfm-agent.gpg
   ```

1. Verify the installer package signature. Be sure to replace the `agent-download-filename` with the value that you specified when you downloaded the agent, as shown in the table earlier in this topic.

   ```
   $ rpm --checksig agent-download-filename
   ```

   For example, for the x86_64 architecture on Amazon Linux 2023, use the following command:

   ```
   $ rpm --checksig network-flow-monitor-agent.rpm
   ```

   This command returns output similar to the following.

   ```
   network-flow-monitor-agent.rpm: digests signatures OK
   ```

   If the output contains the phrase `NOT OK (MISSING KEYS: (MD5) key-id)`, check to make sure that you performed the procedure correctly. If you continue to get this response, contact [AWS Support](https://aws.amazon.com/premiumsupport/) and don't install the agent.

# Install agents for self-managed Kubernetes instances
<a name="CloudWatch-NetworkFlowMonitor-agents-kubernetes-non-eks"></a>

Follow the steps in this section to install Network Flow Monitor agents for workloads on self-managed Kubernetes clusters. After you complete the steps, Network Flow Monitor agent pods will be running on all of your self-managed Kubernetes cluster nodes.

If you use Amazon Elastic Kubernetes Service (Amazon EKS), the installation steps to follow are in the following section: [Install the EKS AWS Network Flow Monitor Agent add-on](CloudWatch-NetworkFlowMonitor-agents-kubernetes-eks.md). 

**Topics**
+ [Before you begin](CloudWatch-NetworkFlowMonitor-agents-kubernetes-before-you-begin.md)
+ [Download Helm charts and install agents](CloudWatch-NetworkFlowMonitor-agents-kubernetes-install-agents.md)
+ [Configure permissions for agents to deliver metrics](CloudWatch-NetworkFlowMonitor-agents-kubernetes-permissions.md)

# Before you begin
<a name="CloudWatch-NetworkFlowMonitor-agents-kubernetes-before-you-begin"></a>

Before you start the installation process, follow the steps in this section to make sure that your environment is set up to successfully install agents on the right Kubernetes clusters.

**Ensure that your version of Kubernetes is supported**  
Network Flow Monitor agent installation requires Kubernetes Version 1.25, or a more recent version.

**Ensure that you have installed required tools**  
The scripts that you use for this installation process require that you install the following tools. If you don’t have the tools installed already, see the provided links for more information.  
+ The AWS Command Line Interface (CLI). For more information, see [Installing or updating to the latest version of the AWS Command Line Interface](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the AWS Command Line Interface Reference Guide. 
+ The Helm package manager. For more information, see [Installing Helm](https://helm.sh/docs/intro/install/) on the Helm website. 
+ The `kubectl` command line tool. For more information, see [Install kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) on the Kubernetes website. 
+ The `make` command. For more information, see the following blog post: [Intro to make Linux Command: Installation and Usage](https://ioflood.com/blog/install-make-command-linux/). For example, do one of the following:
  + For Debian based distributions, such as Ubuntu, use the following command: `sudo apt-get install make`
  + For RPM-based distributions, such as CentOS, use the following command: `sudo yum install make`

**Ensure that you have valid, correctly configured KubeConfig environment variables**  
Network Flow Monitor agent installation uses the Helm package manager tool, which uses the kubeconfig variable, `$HELM_KUBECONTEXT`, to determine the target Kubernetes clusters to work with. Also, be aware that when Helm runs installation scripts, by default, it references the standard `~/.kube/config` file. You can change the configuration environment variables, to use a different config file (by updating `$KUBECONFIG`) or to define the target cluster you want to work with (by updating `$HELM_KUBECONTEXT`). 

**Create a Network Flow Monitor Kubernetes namespace**  
The Network Flow Monitor agent's Kubernetes application installs its resources into a specific namespace. The namespace must exist for the installation to succeed. To ensure that the required namespace is in place, you can do one of the following:   
+ Create the default namespace, `amazon-network-flow-monitor`, before you begin.
+ Create a different namespace, and then define it in the `$NAMESPACE` environment variable when you run the installation make targets.

# Download Helm charts and install agents
<a name="CloudWatch-NetworkFlowMonitor-agents-kubernetes-install-agents"></a>

You can download the Network Flow Monitor agent Helm charts from the AWS public repository by using the following command. Make sure that you first authenticate with your GitHub account.

`git clone https://github.com/aws/network-flow-monitor-agent.git`

In the `./charts/amazon-network-flow-monitor-agent` directory, you can find the Network Flow Monitor agent Helm charts and Makefile that contain the installation make targets that you use for installing agents. You install agents for Network Flow Monitor by using the following Makefile target: `helm/install/customer`

You can customize the installation if you like, for example, by doing the following:

```
# Overwrite the kubeconfig files to use
KUBECONFIG=<MY_KUBECONFIG_ABS_PATH> make helm/install/customer
 
# Overwrite the Kubernetes namespace to use
NAMESPACE=<MY_K8S_NAMESPACE> make helm/install/customer
```

To verify that the Kubernetes application pods for the Network Flow Monitor agents have been created and deployed successfully, check to be sure that their state is `Running`. You can check state of the agents by running the following command: `kubectl get pods -o wide -A | grep amazon-network-flow-monitor`

# Configure permissions for agents to deliver metrics
<a name="CloudWatch-NetworkFlowMonitor-agents-kubernetes-permissions"></a>

After you install agents for Network Flow Monitor, you must enable the agents to send network metrics to the Network Flow Monitor ingestion APIs. Agents in Network Flow Monitor must have permission to access the Network Flow Monitor ingestion APIs so that they can deliver network flow metrics that they've collected for each instance. You grant this access by implementing IAM roles for service accounts (IRSA). 

To enable agents to deliver network metrics to Network Flow Monitor, follow the steps in this section.

1. **Implement IAM roles for service accounts**

   IAM roles for service accounts provides the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances. Implementing IRSA is the recommended way to provide all permissions required by Network Flow Monitor agents to successfully access Network Flow Monitor ingestion APIs. For more information, see [IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) in the Amazon EKS User Guide.

   When you set up IRSA for Network Flow Monitor agents, use the following information:
   + **ServiceAccount:** When you define your IAM role trust policy, for `ServiceAccount`, specify `aws-network-flow-monitor-agent-service-account`.
   + **Namespace:** For the `namespace`, specify `amazon-network-flow-monitor`.
   + **Temporary credentials deployment:** When you configure permissions after you have deployed Network Flow Monitor agent pods, by updating the `ServiceAccount` with your IAM role, Kubernetes does not deploy the IAM role credentials to the already-running pods. To ensure that the Network Flow Monitor agents acquire the IAM role credentials that you've specified, you must roll out a restart of the `DaemonSet`. For example, use a command like the following:

     `kubectl rollout restart daemonset -n amazon-network-flow-monitor aws-network-flow-monitor-agent`

1. **Confirm that the Network Flow Monitor agent is successfully accessing the Network Flow Monitor ingestion APIs**

   You can check to make sure that your configuration for agents is working correctly by using the HTTP 200 logs for Network Flow Monitor agent pods. First, search for a Network Flow Monitor agent pod, and then search through the log files to find successful HTTP 200 requests. For example, you can do the following:

   1. Locate a Network Flow Monitor agent pod name. For example, you can use the following command:

      ```
      RANDOM_AGENT_POD_NAME=$(kubectl get pods -o wide -A | grep amazon-network-flow-monitor | grep Running | head -n 1 | tr -s ' ' | cut -d " " -f 2)
      ```

   1. Grep all the HTTP logs for the pod name that you've located. If you've changed the NAMESPACE, make sure that you use the new one.

      ```
      NAMESPACE=amazon-network-flow-monitor
      kubectl logs $RANDOM_AGENT_POD_NAME --namespace ${NAMESPACE} | grep HTTP
      ```

   If access has been granted successfully, you should see log entries similar to the following:

   ```
   ...
   {"level":"INFO","message":"HTTP request complete","status":200,"target":"amzn_nefmon::reports::publisher_endpoint","timestamp":1737027525679}
   {"level":"INFO","message":"HTTP request complete","status":200,"target":"amzn_nefmon::reports::publisher_endpoint","timestamp":1737027552827}
   ```

   Note that the Network Flow Monitor agent publishes network flow reports every 30 seconds, by calling the Network Flow Monitor ingestion APIs.
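Grepping for `HTTP` tells you whether any request completed, but the two properties worth checking are that the requests succeed (status 200, so the IRSA credentials are actually being picked up) and that successes keep arriving at roughly the 30-second cadence noted above. The following health check is an added example (not AWS code or part of the agent project): it parses the JSON log lines that `kubectl logs <pod> --namespace amazon-network-flow-monitor` prints, counts successful and failed publish requests, and measures the largest gap between successes. The two healthy lines are the ones shown in this topic; the line with a non-200 status is constructed, and it assumes that a rejected publish is logged with the same `HTTP request complete` message and a different `status` value. The stall threshold of two missed intervals is also an assumption.

```python
"""Health check over Network Flow Monitor agent pod logs.

Example code, not from AWS or the agent project. Feed it the text returned by
`kubectl logs <pod> --namespace amazon-network-flow-monitor`.
"""
import json
from dataclasses import dataclass, field
from typing import List, Optional

PUBLISH_INTERVAL_MS = 30_000                 # documented: a report every 30 seconds
TOLERATED_GAP_MS = 2 * PUBLISH_INTERVAL_MS   # assumed threshold: >2 intervals = stall


@dataclass
class PublishHealth:
    ok_count: int = 0
    failed_count: int = 0
    failure_statuses: List[int] = field(default_factory=list)
    last_ok_timestamp_ms: Optional[int] = None
    max_gap_ms: Optional[int] = None          # largest gap between two successes

    def healthy(self) -> bool:
        """At least one success, no failures, and no stall between successes."""
        return (self.ok_count > 0 and self.failed_count == 0
                and (self.max_gap_ms is None or self.max_gap_ms <= TOLERATED_GAP_MS))


def analyze_agent_logs(log_text: str) -> PublishHealth:
    """Parse one JSON record per line; non-JSON lines (such as '...') are skipped."""
    health = PublishHealth()
    ok_times: List[int] = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw.startswith("{"):
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if rec.get("message") != "HTTP request complete":
            continue                          # only publish requests are of interest
        status = rec.get("status")
        if status == 200:
            health.ok_count += 1
            ok_times.append(int(rec["timestamp"]))
        else:
            health.failed_count += 1
            health.failure_statuses.append(status)
    if ok_times:
        ok_times.sort()
        health.last_ok_timestamp_ms = ok_times[-1]
        if len(ok_times) > 1:
            health.max_gap_ms = max(b - a for a, b in zip(ok_times, ok_times[1:]))
    return health


# Lines from the documentation, as printed by the agent once access is granted.
SAMPLE_HEALTHY_LOG = """...
{"level":"INFO","message":"HTTP request complete","status":200,"target":"amzn_nefmon::reports::publisher_endpoint","timestamp":1737027525679}
{"level":"INFO","message":"HTTP request complete","status":200,"target":"amzn_nefmon::reports::publisher_endpoint","timestamp":1737027552827}
"""

# Constructed: a rejected publish (for example, before the DaemonSet restart
# that lets pods pick up the IRSA credentials) followed by two successes.
SAMPLE_DENIED_LOG = """...
{"level":"INFO","message":"HTTP request complete","status":403,"target":"amzn_nefmon::reports::publisher_endpoint","timestamp":1737027498531}
{"level":"INFO","message":"HTTP request complete","status":200,"target":"amzn_nefmon::reports::publisher_endpoint","timestamp":1737027525679}
{"level":"INFO","message":"HTTP request complete","status":200,"target":"amzn_nefmon::reports::publisher_endpoint","timestamp":1737027552827}
"""


if __name__ == "__main__":
    import sys
    health = analyze_agent_logs(sys.stdin.read())
    print(health)
    sys.exit(0 if health.healthy() else 1)
```

Pipe the pod log into it (`kubectl logs "$RANDOM_AGENT_POD_NAME" --namespace "$NAMESPACE" | python3 nfm_log_health.py`); a non-zero exit with entries in `failure_statuses` points at the permissions side (trust policy, service account name, namespace, or a missing DaemonSet restart), while a large `max_gap_ms` with no failures points at the agent or the network path to the ingestion endpoint instead.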