# Install AxoRouter on Kubernetes

To install AxoRouter on a Kubernetes cluster, complete the following steps. For other platforms, see [AxoRouter](../../../docs/axoflow/provisioning/axorouter/index.md).

Note Note that AxoRouter and Axoflow agent collects detailed, real-time metrics about the data-flows – giving you observability over the health of the security data pipeline and its components. Your security data remains in your self-managed cloud or in your on-prem instance where your sources, destinations, Axoflow agents, and AxoRouters are running, only metrics are forwarded to AxoConsole. 

## Prerequisites

Kubernetes version 1.29 and newer 

### Resource requirements

For a deployment that handles up to 1TB/day log traffic (~14500 EPS) even with complex routing and processing configurations, we recommend:

  * 4 vCPU
  * 8 GB memory
  * 45 GB disk / hour. AxoRouter buffers incoming log data on disk if the destination or the network connection to the destination becomes unavailable. With a 1TB/day throughput, you need at least 45 GB of disk buffer per hour to avoid putting backpressure on your sources. This doesn’t include any disk for using AxoStore.



For more details on hardware sizing, [contact our support team](<https://axoflow.com/contact?contact_form_subject=support_request>).

### Network access

The host must be able to access the following domains related to the AxoConsole:

  * When using AxoConsole SaaS:

    * `<your-tenant-id>.cloud.axoflow.io`: HTTPS traffic on TCP port 443, needed to download the binaries for Axoflow software (like Axolet and AxoRouter).
    * `kcp.<your-tenant-id>.cloud.axoflow.io`: HTTPS (mutual TLS) traffic on TCP port 443 for management traffic.
    * `telemetry.<your-tenant-id>.cloud.axoflow.io`: HTTPS (mutual TLS) traffic on TCP port 443, where Axolet sends the metrics of the host.
    * `us-docker.pkg.dev`: HTTPS traffic on TCP port 443, but only if you’re forcing the installation script to pull the container images from the public repository. The Axolet and AxoRouter for Linux installation scripts download the images directly from AxoConsole.
  * When using an on-premise AxoConsole:

    * The following domains should point to AxoConsole IP address to access Axoflow from your desktop and AxoRouter hosts:

      * `your-host.your-domain`: The main domain of your AxoConsole deployment.
      * `authenticate.your-host.your-domain`: A subdomain used for authentication.
      * `idp.your-host.your-domain`: A subdomain for the identity provider.
    * The AxoConsole host must have the following **Open Ports** :

      * Port 80 (HTTP)
      * Port 443 (HTTPS)
  * When installing Axoflow agent for Windows or Linux:

    * `github.com`: HTTPS traffic on TCP port 443, for downloading installer packages.



## Install AxoRouter

  1. Open the AxoConsole.

  2. Select **Provisioning**.

  3. Select the **Host type > AxoRouter > Kubernetes**. The one-liner installation command is displayed.

  4. Open a terminal and set your Kubernetes context to the cluster where you want to install AxoRouter.

  5. Run the one-liner, and follow the on-screen instructions.
```
 Current kubernetes context: minikube
         Server Version: v1.28.3
         Installing to new namespace: axorouter
         Do you want to install AxoRouter now? [Y]
         
```

  6. Register the host.

     1. Reload the **Provisioning** page. There should be a registration request for the new AxoRouter deployment. Select **✓**.

![Provisioning AxoRouter - registration request](/docs/axoflow/img/onboard-hosts/axorouter/linux/provisioning-axorouter-request.png)

     2. Select **Register** to register the host. You can add a description and labels (in `label:value` format) to the host.

![Provisioning AxoRouter - registration details](/docs/axoflow/img/onboard-hosts/axorouter/linux/provisioning-axorouter-request.png)

     3. If the primary IP address (the first IP address shown in the **Network addresses** section on the **Routers** page for each AxoRouter) is not accessible from your edge hosts, set a **Network address override** (IP address or an FQDN) that’s accessible. Otherwise, data forwarding from edge hosts will fail.

     4. Select the **Topology** page. The new AxoRouter instance is displayed.




## Create a flow

  1. If you haven’t already done so, create a new [destination](../../../docs/axoflow/destinations/index.md).
  2. Create a flow to connect the new AxoRouter to the destination.
     1. Select **Flows**.

     2. Select **Add Flow > Flow**.

To create a [fallback flow](../../../docs/axoflow/data-management/flows/index.md#fallback-flow), select **Add Flow > Fallback flow**.

![Add flow](/docs/axoflow/img/data-management/flow-management/flows/add-flow.png)

     3. Enter a name for the flow, for example, `my-test-flow`.

![Create a flow](/docs/axoflow/img/data-management/flow-management/flows/create-flow.png)

     4. In the **Router Selector** field, enter an expression that matches the router(s) you want to apply the flow. To select a specific router, use a name selector, for example, `name = my-axorouter-hostname`.

You can use any labels and metadata of the AxoRouter hosts in the Router selectors, for example, the hostname of the AxoRouter, or any [custom labels](../../../docs/axoflow/onboard-hosts/hosts/add-host-metadata/index.md).

        * If you leave the **Router Selector** field empty, the selector will match every AxoRouter instance.
        * To select only a specific AxoRouter instance, set the `name` field to the name of the instance as selector. For example, `name = my-axorouter`.
        * If you set multiple fields in the selector, the selector will match only AxoRouter instances that match all elements of the selector. (There in an AND relationship between the fields.)

Note You can configure multiple fallback flows, but only one fallback flow can apply to an AxoRouter (so the **Router Selector** of the fallback flows can’t overlap). 

     5. Select the **Destination** where you want to send your data. If you don’t have any destination configured, you can select **\+ Add** in the destination section to create a new destination now. For details on the different destinations, see [Destinations](../../../docs/axoflow/destinations/index.md).

        * If you don’t have any destination configured, see [Destinations](../../../docs/axoflow/destinations/index.md).
        * If you’ve already created a [store](../../../docs/axoflow/destinations/axostore/index.md), it automatically available as a destination. Note that the **Router Selector** of the flow must match only AxoRouters that have the selected store available, otherwise you’ll get an error message.
        * If you want to send data to another AxoRouter, enable the **Show all destinations** option, and select the connector of the AxoRouter where you want to send the data.

![AxoRouter as destination](/docs/axoflow/img/data-management/flow-management/flows/axorouter-destination.png)

     6. (Optional) To process the data transferred in the flow, select **Add New Processing Step**. For details, see [Processing steps](../../../docs/axoflow/data-management/processing/index.md). For example:

        1. Add a **Classify** , a **Parse** , and a **Reduce** step, in that order, to automatically remove redundant and empty fields from your data.
        2. To select which messages are processed by the flow, add a **Select Messages** step, and enter a filter into the **AQL Expression** field. For example, to select only the messages received from Fortinet FortiGate firewalls, use the `meta.vendor = fortinet AND meta.product = fortigate` query.
        3. **Save** the processing steps.

![Example processing steps](/docs/axoflow/img/data-management/flow-management/flows/processing/example-processing-steps.png)

     7. Select **Add**.

     8. The new flow appears in the **Flows** list.

![The new flow](/docs/axoflow/img/data-management/flow-management/flows/new-flow.png)




## Send logs to AxoRouter

By default, AxoRouter accepts data on the following ports (unless you’ve modified the default connector rules):

  * 514 UDP and TCP for RFC3164 (BSD-syslog) and RFC5424 (IETF-syslog) formatted traffic. AxoRouter automatically recognizes and handles both formats.
  * 601 TCP for RFC5424 (IETF-syslog) and RFC3164 (BSD-syslog) formatted traffic. AxoRouter automatically recognizes and handles both formats.
  * 6514 TCP for TLS-encrypted syslog traffic.


  * 4317 TCP for OpenTelemetry log data.



To receive data on other ports or other protocols, configure other [connector rules](../../../docs/axoflow/data-sources/connector-rules/index.md) for the AxoRouter host.

For TLS-encrypted syslog connections, create a new [connector rule](../../../docs/axoflow/data-sources/connector-rules/index.md) or edit an existing one, and configure the keys and certificates needed to encrypt the connections. For details, see [Syslog](../../../docs/axoflow/data-sources/syslog/index.md).

Note Make sure to enable the ports you’re using on the firewall of your host. 

## Upgrade AxoRouter

AxoConsole raises an alert for the host when a new AxoRouter version is available. To upgrade to the new version, re-run the one-liner installation command you used to install AxoRouter, or select [**Provisioning > Select type and platform**](../../../docs/axoflow/provisioning/axorouter/kubernetes/index.md#install) to create a new one.

Note that it can take a few minutes until the version numbers of the different services get updated on AxoConsole.

* * *

[Advanced installation options](../../../docs/axoflow/provisioning/axorouter/kubernetes/advanced-options/index.md)