Deployment Recommendations for Scanner

Qualys recommends deploying scanners based on the network topology and the size of the EC2 instance hosting the scanner appliance.

Instance Size for Hosting Scanner

The maximum supported size for a Qualys scanner instance deployed with qVSA image version 2.7.45 or older is 16 CPUs and 16 GB RAM. This restriction has been removed for scanners deployed with qVSA image version 3.10 and onwards.

Qualys Virtual Scanner does not support scanner deployment on ARM-based architectures.

To select an instance type based on its scanning capacity (applicable only to versions up to 2.7.45), refer to this article.

To learn more about the scanner appliance capacity required for various scan jobs, refer to this article.

Support for ENA Instances

Qualys Virtual Scanner Appliance can also be deployed on instance types that support enhanced networking (ENA) and NVMe SSD volumes. Refer to the following table for the networking and storage features that AWS supports in its current-generation instance types, as listed in the AWS documentation.

The Qualys Virtual Scanner Appliance deployed with qVSA image version 2.7.45 or older supports instance types with a maximum of 16 CPUs and 16 GB RAM.

Limitations on Scanning Targets

Scans cannot be launched on targets using the t1.micro, m1.small, or t2.nano instance types.
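The sizing, architecture and target limits above can be checked before deployment. The following is an added example, not Qualys code: it applies the page's rules to a constructed sample shaped like the output of `aws ec2 describe-instance-types`. The function names are hypothetical, and it assumes "16 CPUs" maps to `DefaultVCpus` and "16 GB" to 16384 MiB.

```python
import json

# Constructed sample shaped like `aws ec2 describe-instance-types` output.
SAMPLE = json.loads("""{"InstanceTypes": [
 {"InstanceType": "m5.xlarge", "VCpuInfo": {"DefaultVCpus": 4},
  "MemoryInfo": {"SizeInMiB": 16384},
  "ProcessorInfo": {"SupportedArchitectures": ["x86_64"]}},
 {"InstanceType": "c5.9xlarge", "VCpuInfo": {"DefaultVCpus": 36},
  "MemoryInfo": {"SizeInMiB": 73728},
  "ProcessorInfo": {"SupportedArchitectures": ["x86_64"]}},
 {"InstanceType": "m6g.large", "VCpuInfo": {"DefaultVCpus": 2},
  "MemoryInfo": {"SizeInMiB": 8192},
  "ProcessorInfo": {"SupportedArchitectures": ["arm64"]}}
]}""")

CAPPED_UP_TO = (2, 7, 45)      # page: cap applies to qVSA 2.7.45 or older
MAX_VCPUS = 16                 # assumption: "16 CPUs" read as default vCPUs
MAX_MEM_MIB = 16 * 1024        # assumption: "16 GB" read as 16 GiB
UNSCANNABLE_TARGETS = {"t1.micro", "m1.small", "t2.nano"}

def parse_version(text):
    # '2.7.45' -> (2, 7, 45), so 3.10 compares as newer than 2.7.45
    return tuple(int(part) for part in text.split("."))

def host_problems(itype, qvsa_version):
    """Return the reasons an instance type cannot host the scanner."""
    problems = []
    archs = itype["ProcessorInfo"]["SupportedArchitectures"]
    if all(a.startswith("arm") for a in archs):
        problems.append("ARM-based architecture is not supported")
    if parse_version(qvsa_version) <= CAPPED_UP_TO:
        vcpus = itype["VCpuInfo"]["DefaultVCpus"]
        mem = itype["MemoryInfo"]["SizeInMiB"]
        if vcpus > MAX_VCPUS:
            problems.append(f"{vcpus} vCPUs exceeds {MAX_VCPUS}")
        if mem > MAX_MEM_MIB:
            problems.append(f"{mem} MiB RAM exceeds {MAX_MEM_MIB}")
    return problems

def review(doc, qvsa_version):
    """Map each instance type in the document to its list of problems."""
    return {t["InstanceType"]: host_problems(t, qvsa_version)
            for t in doc["InstanceTypes"]}

def target_scannable(instance_type):
    """False for the target instance types the page says cannot be scanned."""
    return instance_type not in UNSCANNABLE_TARGETS

if __name__ == "__main__":
    print(review(SAMPLE, "2.7.45"))
```

The page does not state a limit for image versions between 2.7.45 and 3.10, so this check leaves them uncapped.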

Scanner Placement Based on the Network Topology

Amazon Virtual Private Cloud (Amazon VPC) offers a comprehensive set of virtual networking capabilities that provide AWS customers with many options for designing and implementing networks on the AWS cloud. With Amazon VPC, customers can provision logically isolated virtual networks to host their AWS resources. Based on how you have set up your AWS network, here are some recommendations on how you can place your scanner.

  • Non-peered VPCs in a region - Qualys recommends having one or more scanners per VPC per region if the VPCs are not peered.
  • Peered VPCs in a region - you can have one or more scanners in the central VPC, which is peered to the other VPCs in the region (hub-and-spoke model). Here is an example of this model.

    [Figure: deploy_recc]

  • VPCs across regions - you can have one or more scanners in a VPC with VPN or VPC-transit to other regions.

Instance Snapshots or Cloning Not Allowed

Using a snapshot or clone of a virtual scanner instance to create a new instance is strictly prohibited. The new instance does not function as a scanner. All configuration settings and platform registration information are lost. This could also lead to failed scans and errors for the original scanner.

Move or Export Instance Not Allowed

Moving or exporting a registered scanner instance from a virtualization platform (Hyper-V, VMware, XenServer) in any file format to the AWS cloud platform is strictly prohibited. This breaks scanner functionality, and the scanner permanently loses all its settings.