Add cloud devices

Relevant for: AFA Administrators

This topic describes how to add an AWS account or an Azure subscription to AFA, to be managed and analyzed similarly to on-premises devices.

Note: Some of the Azure support functions are available in early availability mode. To learn more, refer to Early availability features.

In this topic:

AWS (Amazon Web Service) accounts in AFA

Add an AWS account to AFA to analyze data using the AWS access key ID you provide.

Analyzed data includes all of the security groups protecting EC2 instances and application load balancers (ALBs), from all AWS regions related to the configured access key. AFA separates these instances into groups called security sets. Each AWS security set is a group of instances or ALBs with the same security group and network ACLs, as well as network policies.

For details, see:

• Network connection
• Device access requirements for AWS
• Add an AWS account to AFA
• Enable AlgoSec Cloud to perform AWS data collection and feed the ASMS network map

Network connection

The following diagram shows an ASMS Central Manager connecting to an AWS account via HTTPS-REST (TCP/443).

Device access requirements for AWS

ASMS requires the following permissions for your AWS accounts:

Add an AWS account to AFA

You can add an AWS account in two ways:

• Using the standard method: Add an account by providing regular credentials - Access Key ID, Secret Access Key

• Using the assume-role method: By using the assumed role method, you can leverage the same authentication credentials for multiple accounts. To implement this, add target AWS accounts to ASMS and configure them to assume the role of an existing AWS base account. During each target account setup, provide the base account's Access Key ID and Secret Access Key and enter the target account's Role ARN.

  Note: The setup of target accounts is a sequential process and does not involve simultaneous onboarding of multiple accounts.

  Note: The base account does not have to be onboarded to ASMS.

Do the following:

1. Access the DEVICES SETUP page. For details, see Access the DEVICES SETUP page.

2. Click New > Devices.

3. In the vendor and device selection page, select Amazon > Web Services (AWS) EC2.

4. Configure the fields and options as needed:

   

   AWS account fields and options using the standard method

   Access Information	The device type is automatically defined. In the Name field, enter the name that you want to appear in the device tree for this account. Tip: Use the account's host or route name.
   Additional Information	Enter the following details to define access to your AWS account: AWS Access Key ID. Enter your access key, supplied by Amazon. AWS Secret Key ID. Enter your secret key, supplied by Amazon. Regions. Select a region. For example: All China (Beijing) GovCloud For more details, see Device access requirements for AWS.
   Route Collection	Select one of the following to determine how AFA should acquire the device's routing data. Automatic. Automatically generate routing data upon analysis or monitoring. Static Routing Table (URT). Take the device's routing data from a static file that you provide. For details, see Specify routing data manually. Network Elements Collection Source This read-only field displays the source module that collects the network elements of the subject AWS account and updates the network map. The default source is AlgoSec Cloud. This means you need to setup the subject AWS account in both Firewall Analyzer AND AlgoSec Cloud. Doing this enables broader support for AWS network elements. For further details and instructions on how to modify this setting, see "Configuring the AWS Network Elements Collection Source (ASMS A32.10 and above)" in Algopedia.
   Proxy	Click Set Proxy Server to configure a proxy server to connect all cloud devices defined in AFA, including both AWS and Azure. For more details, see Define a device proxy .
   ActiveChange	Select Enable ActiveChange for this device. For details, see Implement changes with ActiveChange.
   Options	Select the following options for your AWS account as needed: Real-time change monitoring.Select this option to enable real-time alerting upon configuration changes. For more details, see Configure real-time monitoring. Set user permissions. Select this option to set user permissions for this device.

   Close ⌃
   AWS account fields and options using the assume-role method

   Access Information	The device type is automatically defined. In the Name field, enter the name that you want to appear in the device tree for this account. Tip: For example, AWS_Assume_Role
   Additional Information	Enter the following details: Provide the credentials of existing AWS account: AWS Access Key ID. Enter theaccess key, supplied by Amazon. AWS Secret Key ID. Enter the secret key, supplied by Amazon. Specify the Region of the new, target account, you wish to onboard to AFA: All China (Beijing) GovCloud Assume Role for a Different Account. Select to add a target account that assumes the role of the existing AWS account accessed above. Define the Target Account Role ARN (add the Amazon Resource Name (ARN) of the role to assume.) TIP: Get the Target Account Role ARN in AWS: For more details, see Device access requirements for AWS. Network Elements Collection Source This read-only field displays the source module that collects the network elements of the subject AWS account and updates the network map. The default source is AlgoSec Cloud. This means you need to setup the subject AWS account in both Firewall Analyzer AND AlgoSec Cloud. Doing this enables broader support for AWS network elements. To change Network Elements Collection Source change the setting of the relevant parameter. See AWS_Network_Elements_Parse_From_AFA. For further details and instructions on how to modify this setting, see Configuring the AWS Network Elements Collection Source (ASMS A32.10 and above) in Algopedia.
   Route Collection	Select one of the following to determine how AFA should acquire the device's routing data. Automatic. Automatically generate routing data upon analysis or monitoring. Static Routing Table (URT). Take the device's routing data from a static file that you provide. For details, see Specify routing data manually.
   Proxy	Click Set Proxy Server to configure a proxy server to connect all cloud devices defined in AFA, including both AWS and Azure. For more details, see Define a device proxy .
   ActiveChange	Select Enable ActiveChange for this device. For details, see Implement changes with ActiveChange.
   Options	Select the following options for your AWS account as needed: Real-time change monitoring.Select this option to enable real-time alerting upon configuration changes. For more details, see Configure real-time monitoring. Set user permissions. Select this option to set user permissions for this device.

   Close ⌃

5. Click Finish. The new device is added to the device tree.

6. If you selected Set user permissions, the Edit users dialog box appears.

   In the list of users displayed, select one or more users to provide access to reports for this account.

   To select multiple users, press the CTRL button while selecting.

   Click OK to close the dialog.

A success message appears to confirm that the subscription is added.

In the device tree, AWS subscriptions are shown in three levels: the user account, region/VPC, and security set.

For example:

Back to top

Enable AlgoSec Cloud to perform AWS data collection and feed the ASMS network map

By default AlgoSec Cloud performs AWS data collection and feeds the ASMS network map using a designated AlgoSec Cloud-ASMS integration. To enable the advantages of this functionality, do the following:

1. Integrate AlgoSec Cloudand ASMS. See ASMS Integration.

2. Setup the subject AWS account in both Firewall Analyzer (AFA) AND AlgoSec Cloud.
   Notes: 
   (1) There MAY be a need to set the 'AWS_Network_Elements_Parse_From_AFA' parameter. Refer to the Algopedia article Configuring the AWS Network Elements Collection Source (ASMS A32.10 and above).
   (2) The AlgoPedia article Configuring the AWS Network Elements Collection Source (ASMS A32.10 and above) explains the advantages of this workflow, how to continue working in the previous manner if required and how to bring the advantages of this workflow to earlier ASMS versions.
   (3) When the ASMS-AlgoSec Cloud integration is configured to fetch Routing Data from AlgoSec Cloud, ASMS still connects to AWS to collect the Security Data [Rules, Security Groups, etc.] from AWS.

Microsoft Azure subscriptions in AFA

When you add an Azure subscription to AFA, all VMs related to your subscription are represented in the device tree.

AFA separates the instances into groups called security sets. Each Azure security set is a group of VMs with the same security group and subnet security groups, as well as network policies. VMs with no security groups are assigned to a security set called Unprotected VMs. To enable accurate traffic simulation, AFA automatically creates a rule to allow all traffic for these VMs.

For more details, see:

• Network connection
• Device requirements for Azure
• Add a Microsoft Azure subscription to AFA

Network connection

The following diagram shows an ASMS Central Manager connecting to an Azure subscription via HTTPS-REST (TCP/443).

Device requirements for Azure

ASMS requires the following permissions for your Azure subscriptions:

Add a Microsoft Azure subscription to AFA

Do the following:

1. In your Azure subscription, configure an Active Directory Application to use to connect to AFA.

   For details, see How to configure a Microsoft Azure Active Directory application in AlgoPedia .

2. In AFA, access the Devices Setup page. For details, see Access the DEVICES SETUP page.

3. In the vendor and device selection page, select Microsoft > Azure.

4. Configure the fields and options as needed.

   Azure subscription field and options

   Access Information	Enter the following details: Name. The Azure subscription's host name or IP address. Subscription ID. The Azure subscription's ID. Tenant ID. The Active Directory Application tenant ID. For more details, see Azure documentation . Application ID. The application client ID. Key. The application key.
   Route Collection	Select one of the following to determine how AFA should acquire the device's routing data. Automatic. Automatically generate routing data upon analysis or monitoring. Static Routing Table (URT). Take the device's routing data from a static file that you provide. For details, see Specify routing data manually.
   Proxy	Click Set Proxy Server to configure a proxy server to connect all cloud devices defined in AFA, including both AWS and Azure. For more details, see Define a device proxy .
   ActiveChange	Select Enable ActiveChange for this device. To learn about Active Change, see Implement changes with ActiveChange.
   Mapping	After running a report for an Azure subscription, its topology will be displayed in the network map (with no configuration required).
   Options	Select the following options for your AWS account as needed: Real-time change monitoring.Select this option to enable real-time alerting upon configuration changes. For more details, see Configure real-time monitoring. Set user permissions. Select this option to set user permissions for this device.

   Close ⌃

5. Click Finish.

   The new device is added to the device tree.

6. If you selected Set user permissions, the Edit users dialog box appears.

   In the list of users displayed, select one or more users to provide access to reports for this account.

   To select multiple users, press the CTRL button while selecting.

   Click OK to close the dialog.

A success message appears to confirm that the account is added.

In the device tree, Azure has a three-tier hierarchy: subscription, region/VNet, and then security set.

For example:

Back to top