Add cloud devices

Relevant for: AFA Administrators

This topic describes how to add an AWS account or an Azure subscription to AFA, to be managed and analyzed similarly to on-premises devices.

Note: Some of the Azure support functions are available in early availability mode. To learn more, refer to Early availability features.

AWS (Amazon Web Service) accounts in AFA

Add an AWS account to AFA to analyze data using the AWS access key ID you provide.

Tip: You can also add an AWS account, using the Assume-Role method. For more details, see AWS account fields and options using the assume-role method.

Analyzed data includes all of the security groups protecting EC2 instances and application load balancers (ALBs), from all AWS regions related to the configured access key. AFA separates these instances into groups called security sets. Each AWS security set is a group of instances or ALBs with the same security group and network ACLs, as well as network policies.

For details, see:

Network connection

The following diagram shows an ASMS Central Manager connecting to an AWS account via HTTPS-REST (TCP/443).

Tip: ASMS also supports connecting to AWS via a proxy server, which can be configured when adding the device to AFA. For more details, see Define a device proxy .

Device access requirements for AWS

ASMS requires the following permissions for your AWS accounts:

Add an AWS account to AFA

You can add an AWS account in two ways:

  • Using the standard method: Add an account by providing regular credentials - Access Key ID, Secret Access Key

  • Using the assume-role method: By using the assumed role method, you can leverage the same authentication credentials for multiple accounts. To implement this, add target AWS accounts to ASMS and configure them to assume the role of an existing AWS base account. During each target account setup, provide the base account's Access Key ID and Secret Access Key and enter the target account's Role ARN.

    Note: The setup of target accounts is a sequential process and does not involve simultaneous onboarding of multiple accounts.

    Note: The base account does not have to be onboarded to ASMS.

Do the following:

  1. Access the DEVICES SETUP page. For details, see Access the DEVICES SETUP page.

  2. Click New > Devices.

  3. In the vendor and device selection page, select Amazon > Web Services (AWS) EC2.

  4. Configure the fields and options as needed:

  5. Click Finish. The new device is added to the device tree.

  6. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    To select multiple users, press the CTRL button while selecting.

    Click OK to close the dialog.

A success message appears to confirm that the subscription is added.

In the device tree, AWS subscriptions are shown in three levels: the user account, region/VPC, and security set.

For example:

Back to top

Enable AlgoSec Cloud to perform AWS data collection and feed the ASMS network map

By default AlgoSec Cloud performs AWS data collection and feeds the ASMS network map using a designated AlgoSec Cloud-ASMS integration. To enable the advantages of this functionality, do the following:

  1. Integrate AlgoSec Cloudand ASMS. See ASMS Integration.

  2. Setup the subject AWS account in both Firewall Analyzer (AFA) AND AlgoSec Cloud.
    Notes: 
    (1) There MAY be a need to set the 'AWS_Network_Elements_Parse_From_AFA' parameter. Refer to the Algopedia article Configuring the AWS Network Elements Collection Source (ASMS A32.10 and above).
    (2) The AlgoPedia article Configuring the AWS Network Elements Collection Source (ASMS A32.10 and above) explains the advantages of this workflow, how to continue working in the previous manner if required and how to bring the advantages of this workflow to earlier ASMS versions.
    (3) When the ASMS-AlgoSec Cloud integration is configured to fetch Routing Data from AlgoSec Cloud, ASMS still connects to AWS to collect the Security Data [Rules, Security Groups, etc.] from AWS.

Microsoft Azure subscriptions in AFA

When you add an Azure subscription to AFA, all VMs related to your subscription are represented in the device tree.

AFA separates the instances into groups called security sets. Each Azure security set is a group of VMs with the same security group and subnet security groups, as well as network policies. VMs with no security groups are assigned to a security set called Unprotected VMs. To enable accurate traffic simulation, AFA automatically creates a rule to allow all traffic for these VMs.

For more details, see:

Network connection

The following diagram shows an ASMS Central Manager connecting to an Azure subscription via HTTPS-REST (TCP/443).

Tip: ASMS also supports connecting to Azure via a proxy server, which can be configured when adding the device to AFA. For more details, see Define a device proxy .

Device requirements for Azure

ASMS requires the following permissions for your Azure subscriptions:

Add a Microsoft Azure subscription to AFA

Do the following:

  1. In your Azure subscription, configure an Active Directory Application to use to connect to AFA.

    For details, see How to configure a Microsoft Azure Active Directory application in AlgoPedia .

  2. In AFA, access the Devices Setup page. For details, see Access the DEVICES SETUP page.
  3. In the vendor and device selection page, select Microsoft > Azure.

  4. Configure the fields and options as needed.

  5. Click Finish.

    The new device is added to the device tree.

  6. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    To select multiple users, press the CTRL button while selecting.

    Click OK to close the dialog.

A success message appears to confirm that the account is added.

In the device tree, Azure has a three-tier hierarchy: subscription, region/VNet, and then security set.

For example:

Back to top