VPC Setup

Multicloud Defense Gateway instances require two security groups and two subnets per availability zone. This is required only if you plan to deploy the Multicloud Defense Gateway in the same VPC as your applications.

Details of the VPC resources

Subnets

The two (2) subnets required for Multicloud Defense deployment are management and datapath. During the gateway deployment the controller asks you to provide the names of these subnets. Each availability zone requires these 2 subnets.

The management subnet is a public subnet and must be associated with a route table that has a default route to the internet gateway. Multicloud Defense Gateway instances have a network interface attached to this subnet for communication with the controller. It is used for policy pulls and other management and telemetry activities between the controller and the gateways. Customer application traffic does not flow through this interface/subnet. The interface is associated with the management security group (described in the section below).

The datapath subnet is a public subnet and must be associated with a route table that has a default route to the internet gateway. The Multicloud Defense Controller creates a network load balancer in this subnet, and the gateway instances have a network interface attached to this subnet. Customer application traffic flows through this interface, and the Multicloud Defense Gateway security policy is applied to that traffic. The interface is associated with the datapath security group (described in the section below).

Security Groups

The management and datapath security groups are associated to the interfaces on the gateway instance as described above.

The management security group needs to allow outbound traffic permitting the gateway instances to communicate with the controller.

The datapath security group is attached to the datapath interface and allows traffic into the gateway instance. Currently this security group is not managed by the controller. An outbound rule must exist to allow traffic to egress this interface. An inbound rule must be opened for each port that you configure in the Multicloud Defense security policy. For example, if you configure a Multicloud Defense service to listen on port 443, then port 443 must be opened on the datapath security group.
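Because the controller does not manage the datapath security group, the inbound rules can drift from the ports configured in the policy. The check below is an added example (not code from the Multicloud Defense product or docs): it takes a security group in the shape returned by the boto3 describe_security_groups call, with constructed sample data inline, and reports policy listen ports that have no covering inbound rule, plus whether any outbound rule exists.

```python
# Added example: verify the datapath security group against the policy's listen ports.
# DATAPATH_SG is a constructed sample in boto3 describe_security_groups shape;
# POLICY_LISTEN_PORTS is a constructed list of ports configured in the policy.

POLICY_LISTEN_PORTS = [443, 8443]

DATAPATH_SG = {
    "GroupId": "sg-0123456789abcdef0",  # constructed placeholder id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # A rule with no source at all matches nothing; it must not count as coverage.
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443, "IpRanges": []},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


def _has_source(rule):
    """True if the rule names at least one source (CIDR, IPv6 CIDR, or security group)."""
    return any(rule.get(k) for k in ("IpRanges", "Ipv6Ranges", "UserIdGroupPairs"))


def _rule_covers(rule, port):
    """True if this inbound rule admits TCP traffic to the given port."""
    if not _has_source(rule):
        return False
    proto = rule.get("IpProtocol")
    if proto == "-1":          # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def missing_inbound_ports(sg, policy_ports):
    """Policy listen ports that no inbound rule of the security group covers, sorted."""
    rules = sg.get("IpPermissions", [])
    return sorted(p for p in policy_ports if not any(_rule_covers(r, p) for r in rules))


def has_egress_rule(sg):
    """True if at least one outbound rule with a destination exists."""
    return any(_has_source(r) for r in sg.get("IpPermissionsEgress", []))


if __name__ == "__main__":
    print("missing inbound ports:", missing_inbound_ports(DATAPATH_SG, POLICY_LISTEN_PORTS))
    print("egress rule present:", has_egress_rule(DATAPATH_SG))
```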

CloudFormation Template

For a brand new or "green field" deployment, run this CloudFormation template. The template also provides additional options to create an EC2 instance for a test application. The template creates the resources listed below; the parameters used in the CFT are described in the following section:

  1. VPC.

  2. Internet gateway attached to the VPC.

  3. Management Subnet availability zone 1.

  4. Management Route Table availability zone 1 attached to the management subnet availability zone 1 with default route to the internet gateway.

  5. Management subnet availability zone 2.

  6. Management route table availability zone 2 attached to the management subnet availability zone 2 with default route to the internet gateway.

  7. Datapath subnet availability zone 1.

  8. Datapath route table availability zone 1 attached to the datapath subnet availability zone 1 with default route to the internet gateway.

  9. Datapath subnet availability zone 2.

  10. Datapath route table availability zone 2 attached to the datapath subnet availability zone 2 with default route to the internet gateway.

  11. Apps subnet availability zone 1.

  12. Apps route table availability zone 1 attached to the apps subnet availability zone 1 with default route to the internet gateway.

  13. Apps subnet availability zone 2.

  14. Apps route table availability zone 2 attached to the apps subnet availability zone 2 with default route to the internet gateway.

  15. Management security group with outbound rules to allow traffic out.

  16. Datapath security group with outbound rules to allow traffic out and inbound rules for port 80 and 443.

  17. Apps security group with outbound rules to allow traffic out and inbound rules for ports: 22, 80, 443, 8000.

  18. EC2 instance in the apps subnet using a default Multicloud Defense image based on CentOS. You can choose your own AMI if needed.

The subnets are created in two availability zones so you can operate the Multicloud Defense Gateways and apps in multiple availability zones.

You can run this template multiple times to create multiple VPCs that can be attached to the AWS transit gateway for centralized security (Hub) deployment architecture.

CloudFormation Parameters

  1. Stack Name - Provide a name for the stack (e.g. multicloud defense-dp-resources).

  2. Prefix - A prefix to apply to all the resources' Name tags (e.g. multicloud defense).

  3. Create Multicloud Defense Resources - Yes/No. Choosing Yes creates the mgmt/dp subnets and mgmt/dp security groups. Choosing No does not create these resources.

  4. Create Bastion Host - Bastion host that can be used to SSH to the app VMs. (App VMs already get a public IP and have a route to the internet gateway. You can later delete the route so the VMs become private; the bastion host can then be used to SSH to these VMs.)

  5. VPC CIDR - CIDR for the VPC.

  6. Subnet Mask bits - Number of bits to use for each subnet. This is NOT the subnet mask. If the VPC CIDR is /16 and you want each subnet to have mask /24, choose 8 for the bits. The VPC CIDR mask plus the value here makes up the subnet mask.

  7. Availability Zone 1 and Zone 2 - Choose the availability zones.

  8. AMI for App Instance - The multicloud defense-default AMI is available in us-east-1, us-east-2, us-west-1 and us-west-2. This is a CentOS 7 image with Docker and a sample Hello World application. You can provide your own AMI or any other AMI in the region.

  9. Instance Type - Choose an option. If the choices are limited, you can download the CloudFormation template and edit it to add new choices.

  10. EC2 Key Pair - Choose the SSH key pair to associate to the EC2 instances.
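The "Subnet Mask bits" parameter is easy to confuse with a subnet mask, so the following added example (not part of the CloudFormation template or the Multicloud Defense docs) works the arithmetic through: it derives the subnet prefix from the VPC CIDR plus the bits value and carves six consecutive blocks for the management, datapath and apps subnets in two availability zones. The allocation order (mgmt, datapath, apps, each AZ 1 then AZ 2) and the role names are assumptions for illustration; the template may number its subnets differently.

```python
import ipaddress

# Assumed allocation order for illustration; the CFT may use a different one.
ROLES = ("mgmt", "datapath", "apps")
AZS = ("az1", "az2")


def subnet_prefix(vpc_cidr, mask_bits):
    """Prefix length of each subnet: VPC prefix length plus the 'Subnet Mask bits' value.

    AWS subnets must be between /16 and /28, so values outside that range are rejected.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if mask_bits < 1:
        raise ValueError("Subnet Mask bits must be at least 1")
    prefix = vpc.prefixlen + mask_bits
    if not 16 <= prefix <= 28:
        raise ValueError(f"/{prefix} is outside the AWS subnet range /16-/28")
    return prefix


def plan_subnets(vpc_cidr, mask_bits, roles=ROLES, azs=AZS):
    """Map '<role>-<az>' to a CIDR block carved from the VPC using the bits value.

    Raises ValueError if the VPC is too small to hold one block per role and AZ.
    """
    subnet_prefix(vpc_cidr, mask_bits)  # validate the resulting prefix first
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    blocks = vpc.subnets(prefixlen_diff=mask_bits)
    plan = {}
    for role in roles:
        for az in azs:
            try:
                plan[f"{role}-{az}"] = str(next(blocks))
            except StopIteration:
                raise ValueError(f"{vpc_cidr} cannot hold {len(roles) * len(azs)} subnets "
                                 f"of {mask_bits} extra bits") from None
    return plan


if __name__ == "__main__":
    # Example from the text: a /16 VPC with 8 bits gives /24 subnets.
    print("subnet prefix:", subnet_prefix("10.0.0.0/16", 8))
    for name, cidr in plan_subnets("10.0.0.0/16", 8).items():
        print(f"{name:14} {cidr}")
```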