04.09.2025

Review of the Akvorado NetFlow Collector with Visualization: From Deployment to Practical Use

Author: Nikita Vypryazhkin, Junior DevOps

Network traffic is like water flowing in a river—someone can just stand on the shore and watch it flow, or they can dive deeper to understand where each drop comes from, where it’s going, and what happens along the way. Most administrators settle for the former option, but those who truly want to control their infrastructure choose the latter.

Akvorado is designed precisely for this purpose. It processes data from protocols like NetFlow, sFlow, and IPFIX, turning abstract numbers into a clear and understandable representation of network activity—minus the need for complex setup or configuration.

Who Is This Guide For?

This guide is perfect for professionals in various fields:

  • Network Engineers: To identify and resolve performance issues. When users complain about slow internet speeds, Akvorado provides detailed data on traffic generation, dominant protocols, and any anomalies.
  • Security Professionals: As an early warning system; it helps detect large-scale scans, suspicious connections, and DDoS attacks by analyzing network traffic. It’s especially useful for tracking the origin and destination of traffic.
  • DevOps Engineers: To optimize microservice architectures. When multiple services interact over the network, understanding their interaction patterns is crucial. Akvorado shows who is communicating with whom and how intensively.
  • IT Managers: To make informed decisions about budget allocation. Data on actual bandwidth usage speaks louder than any assumptions. For example, whether to expand a connection to a branch office or block specific services (like YouTube).

Part 1: The Architecture — Each Component of the “Orchestration” System

Akvorado isn’t a monolithic application; it’s a set of interconnected services, each with its own role:

1. Akvorado Inlet

The inlet acts as the gateway, receiving data from network devices via UDP (e.g., port 2055/udp for NetFlow). Its main task is to efficiently forward packets to Kafka without any delays.

Interesting Fact: Inlet functions like a high-speed conveyor belt—ensuring that all packets are processed promptly, even under heavy loads.

2. Apache Kafka

Kafka serves as the central storage and buffer. It’s designed for reliability and scalability, holding data until other services can process it. This ensures asynchronous processing and system resilience during DDoS attacks.

Example: If Akvorado Orchestrator gets overwhelmed, Kafka will buffer all incoming traffic until the attack subsides, allowing normal processing to continue without data loss.

3. Akvorado Orchestrator: The Brain of the System

Akvorado Orchestrator is the core component that processes raw data received from Kafka, transforming it into meaningful information. This process involves adding details such as geographic location, ASN (Autonomous System Number), and host names.

Important Note: Proper configuration with GeoIP databases is essential for accurate data analysis. Failing to set them up correctly will result in incomplete or inaccurate reports. We encountered this issue when attempting to manually configure the necessary files.

4. ClickHouse

As a fast, open-source columnar database, ClickHouse is ideal for analyzing large datasets. It handles complex queries in seconds, making data exploration effortless.

Example: A query to show all traffic from Germany (DE) to port 80 over the past month returns results immediately, even with billions of records.

5. Akvorado Console

The web interface offers data in graphical, tabular, and map formats, making it easy to filter information, identify anomalies, and conduct in-depth analysis.

A key feature of Akvorado is its console, which allows users to “dive” into the data. By clicking on any country on the map or an IP address in the table, you can instantly filter all the related information to that specific element.

6. Dependencies (Redis, Traefik/Nginx)

Redis is used to cache temporary data, significantly speeding up system performance. Traefik and Nginx act as reverse proxies, directing web traffic to different parts of Akvorado. They ensure secure and efficient access to the system's resources.

Part 2: Getting Started – Quickstart Method

The easiest way to get started with Akvorado is by using the official quickstart script. It automatically downloads and sets up all the necessary files. To do this, follow these steps:

  • Download and Installation: Open a terminal and run the following command. This will create a new akvorado directory containing all the required files:

    curl -sL https://github.com/akvorado/akvorado/releases/latest/download/docker-compose-quickstart.tar.gz | tar zxvf -

  • Launch Akvorado: Switch to the newly created directory and run Docker Compose. Make sure you have Docker installed first; if not, install it along with the compose plugin:

    cd akvorado
    docker-compose up -d

And that’s it! Akvorado is now up and running. But to fully understand how it works, let’s take a look at what’s inside the files.

Part 3: Understanding All Configuration Files

Akvorado’s configuration is stored in two main files: docker-compose.yml and akvorado.yml.

docker-compose.yml: Managing the Infrastructure

This file serves as the “conductor” for the entire system, specifying which services need to be launched, how they are interconnected, which ports should be opened, and where data should be stored.

  • Ports: The akvorado-inlet section defines the ports on which Akvorado listens for incoming traffic. By default, these are 2055/udp (for NetFlow), 6343/udp (for sFlow), and 4739/udp (for IPFIX).

  • Volumes: This file manages how data is stored on disk. For example, the line akvorado-geoip:/usr/share/GeoIP:ro mounts the akvorado-geoip volume into the akvorado-orchestrator container.

akvorado.yml: Internal Settings

This file is located in the /config directory and controls the behavior of the Akvorado application itself.

  • Compression in Kafka: The kafka section contains the setting compression-codec: zstd. This is crucial! Using zstd allows for significant space savings and reduced network load, especially with large volumes of traffic.

  • Inlet settings: These settings are stored in a separate file called inlet.yaml, which is included in akvorado.yml. You can find the following settings there:

    • listen: :2055 – The port that Inlet listens on for incoming traffic.
    • use-src-addr-for-exporter-addr: true – This is an important option if your devices are behind a NAT firewall. It instructs Akvorado to use the IP address of the packet sender (i.e., your router) as the exporter’s address.
  • Classifiers: The core section in inlet.yaml contains powerful tools for automatically enriching data.

    • exporter-classifiers: Allows for the automatic classification of devices (exporters) based on their characteristics.
    • interface-classifiers: Uses regular expressions to automatically determine whether a network interface is external or internal. This simplifies traffic analysis.

Part 4: How to Solve GeoIP Issues – Detailed Guide

We often encounter problems with setting up GeoIP correctly. Docker containers may not be able to access files downloaded to the local machine due to differences in file systems. To resolve this issue, you can use one of the following methods:

Method 1: Automatic (Recommended)

This method involves using a separate Docker service to automatically download MaxMind databases (available for free). Create a file called .env with your account ID and license key from MaxMind.

Example content for .env:

    GEOIPUPDATE_ACCOUNT_ID=YOUR_ACCOUNT_ID
    GEOIPUPDATE_LICENSE_KEY=YOUR_LICENSE_KEY

Next, use the docker-compose-maxmind.yml file. This file defines a geoip service that automatically downloads the databases to a designated Docker volume and then mounts it in the Akvorado container.

Method 2: Manual (for Debugging)

If you want to use files that were downloaded manually, you need to explicitly mount the local directory into the container. To do this, modify the docker-compose.yml file: replace the named volume with a bind mount (mounting a directory from the host).

    volumes:
      # Before (named volume), remove or comment out this line:
      # - akvorado-geoip:/usr/share/GeoIP:ro
      # After (bind mount of a host directory, still read-only):
      - /path/to/your/directory:/usr/share/GeoIP:ro

Afterward, remove the now-unused volume definition: delete the line akvorado-geoip: from the volumes section.
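
A pre-flight check for Method 2, added here as an example and not part of the original article or of Akvorado: before bind-mounting a host directory, confirm that it holds real MaxMind databases that a container user can read. It assumes the databases are *.mmdb files and that the container process may run as a different user than the host owner (an assumption, not something the article states); the function name and the demo files are constructed.

```sh
#!/bin/sh
# Added example: check a host directory before bind-mounting it read-only at
# /usr/share/GeoIP. Assumption: the databases are MaxMind *.mmdb files.

geoip_dir_check() {
  gd="$1"; gd_rc=0; gd_n=0
  [ -d "$gd" ] || { echo "MISSING $gd"; return 2; }
  # The container user may not be the host owner, so "other" needs r-x on
  # the directory (characters 8-10 of the ls mode string).
  case "$(ls -ldnL "$gd" | cut -c8-10)" in
    r?x|r?t) ;;
    *) echo "DIR-NOT-TRAVERSABLE $gd"; gd_rc=1 ;;
  esac
  for gf in "$gd"/*.mmdb; do
    [ -e "$gf" ] || continue            # glob matched nothing
    gd_n=$((gd_n + 1))
    if [ "$(ls -lnL "$gf" | cut -c8)" != "r" ]; then
      echo "NOT-WORLD-READABLE $gf"; gd_rc=1
    elif ! LC_ALL=C grep -aqF 'MaxMind.com' "$gf"; then
      # MMDB files carry this marker ahead of their metadata section; its
      # absence usually means an error page or an unextracted archive.
      echo "NOT-MMDB $gf"; gd_rc=1
    else
      echo "OK $gf"
    fi
  done
  [ "$gd_n" -gt 0 ] || { echo "NO-MMDB-FILES $gd"; return 1; }
  return "$gd_rc"
}

# Demo on constructed files: one with the MMDB marker, one saved error page.
gdemo=$(mktemp -d); chmod 755 "$gdemo"
printf 'x\253\315\357MaxMind.com' > "$gdemo/good.mmdb"
printf '<html>login required</html>' > "$gdemo/bad.mmdb"
chmod 644 "$gdemo"/*.mmdb
geoip_dir_check "$gdemo" || echo "fix the findings above before starting the stack"
rm -rf "$gdemo"
```

Run it against the host path you put in the bind mount; a non-zero return means at least one file would be unusable inside the container.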

Part 5: Final Steps

After installing Akvorado, perform the following steps:

  1. Check the containers: Ensure that all containers are running by using the docker-compose ps command.
  2. Verify access: The web interface can be accessed at the address http://<your_server_ip>:8081.
  3. Configure devices: This is the final and most important step: configure your routers or switches to direct network traffic to your Akvorado server’s IP address.

And what about security?

In the basic “quickstart” configuration, the Akvorado web interface is accessible without a password. To protect it, you can use htpasswd, which is commonly used for authentication in Nginx and Apache.

Step 1: Install httpd-tools

First, you’ll need the htpasswd utility. Depending on your Linux distribution, you can install it as follows:

For RHEL / Fedora / CentOS:

    sudo dnf install httpd-tools -y

For Debian / Ubuntu:

    sudo apt-get install apache2-utils -y

Step 2: Create the .htpasswd file

Create a .htpasswd file in a directory that will be accessible to Docker Compose. A good place to put this file is your Akvorado working directory. To do this, run the following command in the console:

    touch /akvorado/docker/.htpasswd

Step 3: Generate login credentials

Use the htpasswd command to create a username and password pair:

    sudo htpasswd -c /akvorado/docker/.htpasswd admin

Here’s what each part of the command does:

  • sudo htpasswd -c: This starts the utility in the mode that creates a new file. If the file already exists, -c overwrites it, so omit the flag when adding further users.
  • /akvorado/docker/.htpasswd: The path to the file where the credentials will be stored.
  • admin: The name of the user you’re creating.

The command will ask you for a password, which will then be hashed and saved in the file.
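
As an added example (not from the original article or the Akvorado project), the following shell functions audit the file that Step 3 produces: they report which hash scheme is stored for each user and whether the file is readable by every local account. The function names are hypothetical and the entries in the demo are constructed placeholders, not real hashes.

```sh
#!/bin/sh
# Added example: audit an htpasswd file (demo entries below are constructed).

# Map one stored hash to "<scheme> <verdict>" using Apache's documented prefixes.
htpasswd_scheme() {
  case "$1" in
    '$2y$'*|'$2a$'*|'$2b$'*) echo "bcrypt ok" ;;
    '$apr1$'*) echo "apr1-md5 legacy" ;;     # htpasswd's long-time default
    '{SHA}'*)  echo "sha1-unsalted weak" ;;
    '')        echo "empty weak" ;;
    *)         echo "crypt-or-plaintext weak" ;;
  esac
}

# Print one line per entry or finding; return 1 if anything needs attention.
audit_htpasswd() {
  ah_file="$1"; ah_rc=0
  [ -r "$ah_file" ] || { echo "UNREADABLE $ah_file"; return 2; }
  # Character 8 of the ls mode string is the read bit for "other".
  if [ "$(ls -lnL "$ah_file" | cut -c8)" = "r" ]; then
    echo "MODE world-readable"; ah_rc=1
  fi
  # The "|| [ -n ... ]" keeps a last line that lacks a trailing newline.
  while IFS=: read -r ah_user ah_hash ah_rest || [ -n "$ah_user" ]; do
    case "$ah_user" in ''|\#*) continue ;; esac
    ah_verdict=$(htpasswd_scheme "$ah_hash")
    echo "$ah_user $ah_verdict"
    case "$ah_verdict" in *weak) ah_rc=1 ;; esac
  done < "$ah_file"
  return "$ah_rc"
}

# Demo on a constructed file; the hash bodies are placeholders.
demo=$(mktemp)
chmod 600 "$demo"
printf '%s\n' \
  'admin:$apr1$constrct$PLACEHOLDERPLACEHOLDER' \
  'ops:$2y$10$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD' \
  'old:{SHA}PLACEHOLDERPLACEHOLDERPLACE=' > "$demo"
audit_htpasswd "$demo" || echo "findings above need attention"
rm -f "$demo"
```

A world-readable finding is a prompt to check who else has accounts on the host; the reverse proxy still needs read access to the file.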

Why should I switch to Akvorado?

Akvorado stands out from other solutions such as ntopng, Grafana Flow, and ElastiFlow due to its approach to architecture and data processing. Let’s compare them:

 

| | Akvorado | ntopng | Grafana Flow | ElastiFlow |
|---|---|---|---|---|
| Architecture | Distributed (Inlet, Kafka, Orchestrator, ClickHouse). | Monolithic. | Combination of Grafana + Telegraf + InfluxDB/Prometheus. | Distributed (Logstash, Elasticsearch, Kibana). |
| Scalability | High. Easily scalable horizontally using Kafka and ClickHouse. | Low. Limited by the resources of a single server. | Medium. Depends on database configuration. | High. Based on the ELK stack. |
| Performance | Excellent. ClickHouse enables immediate access to large amounts of data. | Good. Sufficient for small networks. | Depends on the database and data volume. | Good; may be slower with large volumes due to Elasticsearch. |
| Data “Enrichment” | Built-in and flexible. Supports GeoIP, ASN, SNMP, and custom classifications. | Basic (only GeoIP). | Basic; requires additional configuration. | Built-in (GeoIP, ASN). |
| Configuration Complexity | Medium. Requires knowledge of Docker Compose and YAML files. | Low. Simple installation. | Medium. Multiple components need to be configured. | High; the ELK stack is complex to set up. |
| Best Use Cases | For any network that requires detailed analysis, high performance, and scalability. | For small networks, home use, and quick setup. | For those already using the Grafana ecosystem. | For those already using the ELK stack. |

The key advantage of Akvorado is its use of ClickHouse. Unlike Elasticsearch, which is optimized for full-text searches, ClickHouse is designed specifically for ultra-fast analytical queries on large amounts of structured data. This allows Akvorado to deliver performance that many other solutions cannot match, especially in large-scale projects.

Here are several additional reasons why Akvorado could become your preferred monitoring tool:

  • Ease of use: Its simplicity hides its powerful capabilities. You can set it up in minutes using a quickstart script, allowing you to quickly evaluate all its features without spending hours on complex setup.
  • Intuitive visual analysis: Akvorado automatically enriches data with geographic information and system IDs, providing immediate insights into traffic sources on a map—no additional steps required. This transforms raw data into an easily understandable visual representation.
  • Ideal for learning: If you’re new to network traffic analysis, Akvorado is an excellent tool for understanding how network analytics works. It clearly demonstrates how valuable information can be extracted from data packets.
  • High performance: Even on regular laptops, Akvorado runs fast thanks to its use of ClickHouse, a database optimized for analytical queries, enabling you to analyze large amounts of data without delays.

In summary:

Akvorado offers a modern approach to network traffic analysis that overcomes the main challenges of traditional solutions—complex setup and deployment. What used to take days is now handled with just a few commands. Its microservice-based architecture makes it flexible and scalable, with each component performing a specific task efficiently.

While there are some limitations (the system is still new, the community is small, and documentation needs improvement), Akvorado’s capabilities are more than sufficient for most corporate networks. Its advanced technology and low entry barrier make it a strong candidate for deployment in production environments.

So, what monitoring and traffic visualization tool do you use—and why?
