EN
Currency:
EUR – €
Choose a currency
  • Euro EUR – €
  • United States dollar USD – $
VAT:
OT 0%
Choose your country (VAT)
  • OT All others 0%
Choose a language
  • Choose a currency
    Choose you country (VAT)
    Dedicated Servers
  • Instant
  • Custom
  • Single CPU servers
  • Dual CPU servers
  • Servers with 4th Gen EPYC
  • Servers with AMD Ryzen and Intel Core i9
  • Storage Servers
  • Servers with 10Gbps ports
  • Premium Servers
  • High-RAM Dedicated Servers
  • Servers for Solana Nodes
  • Web3 Server Infrastructure
  • Hosting virtualization nodes
  • GPU
  • Sale
  • Virtual Servers
  • Instant VPS & VDS
  • Hosting with ispmanager
  • Hosting with cPanel
  • GPU
  • Dedicated GPU server
  • VM with GPU
  • Tesla A100 80GB & H100 Servers
  • Nvidia RTX 5090
  • Nvidia RTX PRO 6000
  • GPU servers equipped with AMD Radeon
  • Sale
    Apps
    Colocation
  • Colocation in the Netherlands
  • Remote smart hands
  • Services
  • L3-L4 DDoS Protection
  • Network equipment
  • IPv4 and IPv6 address
  • Managed servers
  • SLA packages for technical support
  • Monitoring
  • Software
  • VLAN
  • Announcing your IP or AS (BYOIP)
  • USB flash/key/flash drive
  • Traffic
  • Hardware delivery for EU data centers
  • AI Chatbot Lite
  • AI Platform
  • About
  • Hostkey for Business
  • Careers at HOSTKEY
  • Server Control Panel & API
  • Data Centers
  • Network
  • Speed test
  • Hot deals
  • Contact
  • Reseller program
  • Affiliate Program
  • Grants for winners
  • Grants for scientific projects and startups
  • News
  • Our blog
  • Payment terms and methods
  • Legal
  • Abuse
  • Looking Glass
  • The KYC Verification
  • Hot Deals

    04.09.2025

    Review of the Akvorado NetFlow Collector with Visualization: From Deployment to Practical Use

    server one
    HOSTKEY

    Author: Nikita Vypryazhkin, Junior DevOps

    Network traffic is like water flowing in a river—someone can just stand on the shore and watch it flow, or they can dive deeper to understand where each drop comes from, where it’s going, and what happens along the way. Most administrators settle for the former option, but those who truly want to control their infrastructure choose the latter.

    Application Marketplace
    Dedicated and virtual servers with pre-installed software — from infrastructure monitoring solutions to development tools.

    Akvorado is designed precisely for this purpose. It processes data from protocols like NetFlow, sFlow, and IPFIX, turning abstract numbers into a clear and understandable representation of network activity—minus the need for complex setup or configuration.

    Who This Guide Is For?

    This guide is perfect for professionals in various fields:

    • Network Engineers: To identify and resolve performance issues. When users complain about slow internet speeds, Akvorado provides detailed data on traffic generation, dominant protocols, and any anomalies.
    • Security Professionals: As an early warning system; it helps detect large-scale scans, suspicious connections, and DDoS attacks by analyzing network traffic. It’s especially useful for tracking the origin and destination of traffic.
    • DevOps Engineers: To optimize microservice architectures. When multiple services interact over the network, understanding their interaction patterns is crucial. Akvorado shows who is communicating with whom and how intensively.
    • IT Managers: To make informed decisions about budget allocation. Data on actual bandwidth usage speaks louder than any assumptions. For example, whether to expand a connection to a branch office or block specific services (like YouTube).

    Part 1: The Architecture — Each Component of the “Orchestration” System

    Akvorado isn’t a monolithic application; it’s a set of interconnected services, each with its own role:

    1. Akvorado Inlet

    The inlet acts as the gateway, receiving data from network devices via UDP (e.g., port 2055/udp for NetFlow). Its main task is to efficiently forward packets to Kafka without any delays.

    Interesting Fact: Inlet functions like a high-speed conveyor belt—ensuring that all packets are processed promptly, even under heavy loads.

    2. Apache Kafka

    Kafka serves as the central storage and buffer. It’s designed for reliability and scalability, holding data until other services can process it. This ensures asynchronous processing and system resilience during DDoS attacks.

    Example: If Akvorado Orchestrator gets overwhelmed, Kafka will buffer all incoming traffic until the attack subsides, allowing normal processing to continue without data loss.

    3. Akvorado Orchestrator: The Brain of the System

    Akvorado Orchestrator is the core component that processes raw data received from Kafka, transforming it into meaningful information. This process involves adding additional details such as geographic location, ASN (Address Space Numbering), and host names.

    Important Note: Proper configuration with GeoIP databases is essential for accurate data analysis. Failing to set them up correctly will result in incomplete or inaccurate reports. We encountered this issue when attempting to manually configure the necessary files.

    4. ClickHouse

    As a fast, open-source columnar database, ClickHouse is ideal for analyzing large datasets. It handles complex queries in seconds, making data exploration effortless.

    Example: A query to show all traffic from Germany (DE) to port 80 over the past month returns results immediately, even with billions of records.

    5. Akvorado Console

    The web interface offers data in graphical, tabular, and map formats, making it easy to filter information, identify anomalies, and conduct in-depth analysis.

    A key feature of Akvorado is its console, which allows users to “dive” into the data. By clicking on any country on the map or an IP address in the table, you can instantly filter all the related information to that specific element.

    6. Dependencies (Redis, Traefik/Nginx)

    Redis is used to cache temporary data, significantly speeding up system performance. Traefik and Nginx act as reverse proxies, directing web traffic to different parts of Akvorado. They ensure secure and efficient access to the system's resources.

    Part 2: Getting Started – Quickstart Method

    The easiest way to get started with Akvorado is by using the official quickstart script. It automatically downloads and sets up all the necessary files. To do this, follow these steps:

    • Download and Installation: Open a terminal and run the following command. This will create a new akvorado directory containing all the required files:

    • curl -sL https://github.com/akvorado/akvorado/releases/latest/download/docker-compose-quickstart.tar.gz | tar zxvf -
    • Launch Akvorado: Switch to the newly created directory and run Docker Compose. Make sure you have Docker installed first; if not, install it along with the compose plugin:

      cd akvorado
      docker-compose up -d

      And that’s it! Akvorado is now up and running. But to fully understand how it works, let’s take a look at what’s inside the files.

    Part 3: Understanding All Configuration Files

    Akvorado’s Configuration is Stored in Two Main Files: docker-compose.yml and akvorado.yml.

    docker-compose.yml: Managing the Infrastructure

    This file serves as the “conductor” for the entire system, specifying which services need to be launched, how they are interconnected, which ports should be opened, and where data should be stored.

    • Ports: The akvorado-inlet section defines the ports on which Akvorado listens for incoming traffic. By default, these are 2055/udp (for NetFlow), 6343/udp (for sFlow), and 4739/udp (for IPFIX).

    • Volumes: This file manages how data is stored on disk. For example, the line akvorado-geoip:/usr/share/GeoIP:ro mounts the akvorado-geoip volume into the akvorado-orchestrator container.

    akvorado.yml: Internal Settings

    This file is located in the /config directory and controls the behavior of the Akvorado application itself.

    • Compression in Kafka: The kafka section contains the setting compression-codec: zstd. This is crucial! Using zstd allows for significant space savings and reduced network load, especially with large volumes of traffic.

    • Inlet settings: These settings are stored in a separate file called inlet.yaml, which is included in akvorado.yml. You can find the following settings there:

      • listen: :2055 – The port that Inlet listens on for incoming traffic.
      • use-src-addr-for-exporter-addr: true – This is an important option if your devices are behind a NAT firewall. It instructs Akvorado to use the IP address of the packet sender (i.e., your router) as the exporter’s address.
    • Classifiers: The core section in inlet.yaml contains powerful tools for automatically enriching data.

      • exporter-classifiers: Allows for the automatic classification of devices (exporters) based on their characteristics.
      • interface-classifiers: Uses regular expressions to automatically determine whether a network interface is external or internal. This simplifies traffic analysis.

    Part 4: How to Solve GeoIP Issues – Detailed Guide

    We often encounter problems with setting up GeoIP correctly. Docker containers may not be able to access files downloaded to the local machine due to differences in file systems. To resolve this issue, you can use one of the following methods:

    Method 1: Automatic (Recommended)

    This method involves using a separate Docker service to automatically download MaxMind databases (available for free). Create a file called .env with your account ID and license key from MaxMind.

    Example content for .env:

    GEOIPUPDATE_ACCOUNT_ID=YOUR ACCOUNT ID
    GEOIPUPDATELICENSE_KEY=YOUR LICENSE KEY

    Next, use the docker-compose-maxmind.yml file. This file defines a geoip service that automatically downloads the databases to a designated Docker volume and then mounts it in the Akvorado container.

    Method 2: Manual (for Debugging)

    If you want to use files that were downloaded manually, you need to explicitly mount the local directory into the container. To do this, modify the docker-compose.yml file: replace the named volume with a bind mount (mounting a directory from the host).

    # Replace the named volume with:
    # - akvorado-geoip:/usr/share/GeoIP:ro
    # Use a bind mount instead:
    # - /path/to/your/directory:/usr/share/GeoIP:ro

    Don’t forget to remove the volume definition afterward: make sure to delete the line akvorado-geoip: from the volumes section.

    Part 5: Final Steps

    After installing Akvorado, perform the following steps:

    1. Check the containers: Ensure that all containers are running by using the docker-compose ps command.
    2. Verify access: The web interface can be accessed at the address http://<your_server_ip>:8081.
    3. Configure devices: This is the final and most important step: configure your routers or switches to direct network traffic to your Akvorado server’s IP address.

    And what about security?

    In the basic “quickstart” configuration, the Akvorado web interface is accessible without a password. To protect it, you can use htpasswd, which is commonly used for authentication in Nginx and Apache.

    Step 1: Install httpd-tools

    First, you’ll need the htpasswd utility. Depending on your Linux distribution, you can install it as follows:

    For RHEL / Fedora / CentOS:

    sudo dnf install httpd-tools -y

    For Debian / Ubuntu:

    sudo apt-get install apache2-utils -y

    Step 2: Create the .htpasswd file

    Create a .htpasswd file in a directory that will be accessible to Docker Compose. A good place to put this file is your Akvorado working directory. To do this, run the following command in the console:

    touch /akvorado/docker/.htpasswd

    Step 3: Generate login credentials

    Use the htpasswd command to create a username and password pair:

    sudo htpasswd -c /akvorado/docker/.htpasswd admin

    Here’s what each part of the command does:

    • sudo htpasswd -c: This starts the utility in mode that creates a new file.
    • /akvorado/docker/.htpasswd: The path to the file where the credentials will be stored.
    • admin: The name of the user you’re creating.

    The command will ask you for a password, which will then be encrypted and saved in the file.

    Why should I switch to Akvorado?

    Akvorado stands out from other solutions such as ntopng, Grafana Flow, and ElastiFlow due to its approach to architecture and data processing. Let’s compare them:

     

    Akvorado

    ntopng

    Grafana Flow

    ElastiFlow

    Architecture

    Distributed (Inlet, Kafka, Orchestrator, ClickHouse).

    Monolithic.

    Combination of Grafana + Telegraf + InfluxDB/Prometheus.

    Distributed (Logstash, Elasticsearch, Kibana).

    Scalability

    High. Easily scalable horizontally using Kafka and ClickHouse.

    Low. Limited by the resources of a single server.

    Medium. Depends on database configuration.

    High. Based on the ELK stack.

    Performance

    Excellent. ClickHouse enables immediate access to large amounts of data.

    Good. Sufficient for small networks.

    Depends on the database and data volume.

    Good; may be slower with large volumes due to Elasticsearch.

    Data “Enrichment”

    Built-in and flexible. Supports GeoIP, ASN, SNMP, and custom classifications.

    Basic (only GeoIP).

    Basic; requires additional configuration.

    Built-in (GeoIP, ASN).

    Configuration Complexity

    Medium. Requires knowledge of Docker Compose and YAML files.

    Low. Simple installation.

    Medium. Multiple components need to be configured.

    High; the ELK stack is complex to set up.

    Best Use Cases

    For any network that requires detailed analysis, high performance, and scalability.

    For small networks, home use, and quick setup.

    For those already using the Grafana ecosystem.

    For those already using the ELK stack.

    The key advantage of Akvorado is its use of ClickHouse. Unlike Elasticsearch, which is optimized for full-text searches, ClickHouse is designed specifically for ultra-fast analytical queries on large amounts of structured data. This allows Akvorado to deliver performance that many other solutions cannot match, especially in large-scale projects.

    Here are several additional reasons why Akvorado could become your preferred monitoring tool:

    • Ease of use: Its simplicity hides its powerful capabilities. You can set it up in minutes using a quickstart script, allowing you to quickly evaluate all its features without spending hours on complex setup.
    • Intuitive visual analysis: Akvorado automatically enriches data with geographic information and system IDs, providing immediate insights into traffic sources on a map—no additional steps required. This transforms raw data into an easily understandable visual representation.
    • Ideal for learning: If you’re new to network traffic analysis, Akvorado is an excellent tool for understanding how network analytics works. It clearly demonstrates how valuable information can be extracted from data packets.
    • High performance: Even on regular laptops, Akvorado runs fast thanks to its use of ClickHouse, a database optimized for analytical queries, enabling you to analyze large amounts of data without delays.

    In summary:

    Akvorado offers a modern approach to network traffic analysis that overcomes the main challenges of traditional solutions—complex setup and deployment. What used to take days is now handled with just a few commands. Its microservice-based architecture makes it flexible and scalable, with each component performing a specific task efficiently.

    While there are some limitations (the system is still new, the community is small, and documentation needs improvement), Akvorado’s capabilities are more than sufficient for most corporate networks. Its advanced technology and low entry barrier make it a strong candidate for deployment in production environments.

    So, what monitoring and traffic visualization tool do you use—and why?

    Application Marketplace
    Dedicated and virtual servers with pre-installed software — from infrastructure monitoring solutions to development tools.

    Other articles

    05.09.2025

    Is a Cheap VPS Enough? A Performance Comparison of VPS Plans

    Is it worth saving on a VPS or should you opt for a plan with a buffer? We tested three budget HOSTKEY configurations and clearly show which tasks the minimal plan can handle and where it's wiser to invest in a more powerful server.

    31.08.2025

    Foreman in Isolation: Fault-Tolerant and Secure OS Deployment on Bare Metal and in the Cloud

    Share our experience in transforming our infrastructure: from decentralized Foreman instances with public IPs to a secure, isolated architecture featuring centralized GitLab management, enhanced security, and seamless scalability.

    28.08.2025

    NVIDIA RTX 6000 Blackwell Server Edition: Tests, Benchmarks & Comparison with Workstation and RTX 5090, Cooling Features

    NVIDIA has released three versions of the RTX 6000 Blackwell — and it’s precisely the Server Edition that turned out to be the most mysterious. We tested it in LLM tasks and video generation, and compared it with RTX 5090, A5000, and H100. The results will surprise you.

    25.08.2025

    WordPress – From a Simple Blogging Platform to the Leading CMS Ecosystem

    How did a blogging platform become the world’s dominant content management system? The story of WordPress isn’t just a list of its advantages—it’s a narrative of bold, strategic decisions that established it as the leading CMS.

    15.08.2025

    What is n8n? First Steps in Automation

    Want to automate your daily tasks — without touching a single line of code? In just 15 minutes, you’ll have a fully functional Telegram bot powered by n8n. And that’s just the beginning.

    Upload