Qpoint Cloud
This guide covers how to set up and manage Qtap agents using Qpoint's cloud control plane. The cloud-connected approach provides centralized management across all your deployments, real-time updates, and comprehensive monitoring capabilities.
For your first installation, we recommend starting with our Getting Started guide, which walks through the installation wizard.
Understanding Cloud-Connected Mode
In cloud-connected mode, your Qtap agents connect to the Qpoint control plane to receive configuration. A key characteristic of this approach is that configuration settings apply globally to all installations within your organization, ensuring consistency across your environment.
Setup Process
Create a Registration Token
Before deploying Qtap agents, you'll need to create a registration token in the Qpoint dashboard:
Log in to app.qpoint.io
Navigate to Settings → Installations
Click the + Installation button
Enter a name for your installation (e.g., "Production Cluster", "Development Environment")
Save the generated token securely - you'll need it to deploy your agents
Deploy Qtap with the Registration Token
Once you have a token, you can deploy Qtap using your preferred method. The following are examples; see the Installation guides for more thorough details.
Docker
Kubernetes with Helm
Linux Binary
Configuration through the Control Plane
The Qpoint control plane provides a unified interface for configuring all aspects of your Qtap deployments. Remember that all configuration settings are applied globally to all installations in your organization.
Qtap Configuration
Under Settings → Qtap → Config, you can configure basic Qtap behavior:
Key settings include:
Audit Log Destination: Determines where audit logs are sent (typically Pulse in cloud-connected mode)
Traffic Direction: Controls what traffic is captured
Egress (All): All outbound traffic
Egress (External): Only traffic to external networks
Egress (Internal): Only traffic within internal networks
Ingress: Only inbound traffic
All: Both inbound and outbound traffic
Under the Advanced section, you can configure:
Local Loopback Traffic: Whether to capture local-only traffic on loopback devices
Capture DNS: Whether to log and capture DNS queries
Qtap Filters
Under Settings → Qtap → Filters, you can control which process groups Qtap monitors:
The interface shows Ignore Process Groups options:
Kubernetes: Ignores standard Kubernetes processes
Container Runtimes: Ignores container runtime processes
Google Kubernetes Engine (GKE): Ignores built-in GKE processes
Amazon Elastic Kubernetes Service (EKS): Ignores built-in EKS processes
Qpoint: Ignores Qpoint self auditing
When a toggle is enabled (purple), traffic from that process group will be ignored. This helps reduce noise from infrastructure components.
You can also add Custom Filters to ignore specific processes or patterns.
Data Services
Under Settings → Deploy → Services, you can configure where Qtap stores the data it captures:
Object Stores
Object stores contain actual request/response content (headers and bodies) and may include sensitive information. Options include:
Qpoint Cloud: Qpoint's managed cloud object store (for preview and testing only)
MinIO: An S3-compatible object store you host yourself
S3 Endpoint: Any S3-compatible storage service
Console Stdout: Logs objects to the console (useful for debugging)
Important: Payloads may contain sensitive data. Configure an object store to ensure your data never leaves your network and is accessible only to those with proper access.
Event Stores
Event stores handle anonymized metadata about connections. Options include:
Qpoint Cloud: Qpoint's managed cloud event store for analytics and dashboards
Console Stdout: Logs events to the console
Note: Middleware may send anonymous analytics and metrics for better visibility and real-time alerting. You can run Pulse internally or add custom event store services.
Configuration Updates
When you make changes to your configuration in the control plane:
Changes are automatically saved
All connected agents will receive the updated configuration
Agents apply the new configuration without requiring a restart
Changes typically propagate within a minute
Managing Multiple Installations
While configuration settings apply globally to all installations, you can still create multiple installations for different purposes:
Create separate installations for different environments (dev, staging, production)
Label each installation clearly for identification
This approach allows you to:
Track which agents are connected in each environment
Rotate registration tokens separately if needed
Security Considerations
Token Security
Registration tokens provide access to your Qpoint organization and should be treated as sensitive:
Secure Storage: Store tokens in a secure location (vault, secrets manager)
Limited Access: Restrict who can view or use tokens
Periodic Rotation: Create new tokens and retire old ones regularly
Revocation: If a token is compromised, revoke it immediately in the dashboard
Network Requirements
Cloud-connected mode requires outbound connectivity to:
Control Plane: api.qpoint.io (TCP 443/HTTPS)
Event Store: api-pulse.qpoint.io (TCP 443/HTTPS)
Ensure your firewall allows these connections for Qtap agents.
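A preflight check for the two endpoints above, as an added example that is not part of Qpoint's documentation or tooling: it separates DNS, TCP and TLS failures, because a firewall rule can permit port 443 while a TLS-inspecting proxy still breaks certificate verification. The function names and the `probe_fn` parameter are this example's own.

```python
import socket
import ssl

# Hostnames and port are the ones listed in this guide.
REQUIRED = {
    "Control Plane": ("api.qpoint.io", 443),
    "Event Store": ("api-pulse.qpoint.io", 443),
}


def probe(host, port, timeout=5.0):
    """Connect over TCP, complete a verified TLS handshake, return the TLS version."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def classify(exc):
    """Map an exception from probe() to the layer that most likely blocked it."""
    if isinstance(exc, socket.gaierror):
        return "dns"        # name does not resolve from this host
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "tls-cert"   # often a TLS-inspecting proxy re-signing traffic
    if isinstance(exc, ssl.SSLError):
        return "tls"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"    # typical of a firewall silently dropping packets
    if isinstance(exc, ConnectionRefusedError):
        return "refused"    # typical of a firewall actively rejecting
    return "other"


def preflight(endpoints=REQUIRED, probe_fn=probe):
    """Check every endpoint; return {name: (status, detail)} with status "ok" on success."""
    results = {}
    for name, (host, port) in endpoints.items():
        try:
            results[name] = ("ok", probe_fn(host, port))
        except OSError as exc:  # gaierror, SSLError and timeouts are all OSErrors
            results[name] = (classify(exc), str(exc))
    return results


if __name__ == "__main__":
    for name, (status, detail) in preflight().items():
        print(f"{name:14} {status:9} {detail}")
```

Run it from the host or pod network namespace where the Qtap agent will run, so the result reflects the egress path the agent actually uses.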