Add cloud devices

Relevant for: AFA Administrators

This topic describes how to add an AWS account or an Azure subscription to AFA, to be managed and analyzed similarly to on-premises devices. ASMS supports Google Cloud Project policy visibility and risks for Google Cloud firewalls added in AlgoSec Cloud (formerly CloudFlow).

Add AWS (Amazon Web Service) accounts in AFA

Add an AWS account to AFA to analyze data using the AWS access key ID you provide.

Tip: You can also add an AWS account, using the Assume-Role method. For more details, see AWS account fields and options using the assume-role method.

Analyzed data includes all of the security groups protecting EC2 instances and application load balancers (ALBs), from all AWS regions related to the configured access key. AFA separates these instances into groups called security sets. Each AWS security set is a group of instances or ALBs with the same security group and network ACLs, as well as network policies.

For details, see:

Network connection

The following diagram shows an ASMS Central Manager connecting to an AWS account via HTTPS-REST (TCP/443).

Tip: ASMS also supports connecting to AWS via a proxy server, which can be configured when adding the device to AFA. For more details, see Define a proxy server .

Permission requirements for AWS

ASMS requires the following permissions for your AWS accounts:

Add an AWS account to AFA

You can add an AWS account to ASMS in two ways:

  • Using the standard method: Add an account by providing regular credentials - Access Key ID, Secret Access Key

  • Using the assume-role method: By using the assumed role method, you can leverage the same authentication credentials for multiple accounts. To implement this, add target AWS accounts to ASMS and configure them to assume the role of an existing AWS base account. During each target account setup, provide the base account's Access Key ID and Secret Access Key and enter the target account's Role ARN.

    Note: The setup of target accounts is a sequential process and does not involve simultaneous onboarding of multiple accounts.

    Note: The base account does not have to be onboarded to ASMS.

Do the following:

  1. Access the DEVICES SETUP page. For details, see Access the DEVICES SETUP page.

  2. Click New > Devices.

  3. In the vendor and device selection page, select Amazon > Web Services (AWS) EC2.

  4. Configure the fields and options as needed:

  5. Click Finish. The new device is added to the device tree.

  6. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    1. To select multiple users, press the CTRL button while selecting.

    1. Click OK to close the dialog.

A success message appears to confirm that the subscription is added.

In the device tree, AWS subscriptions are shown in three levels: the user account, region/VPC, and security set.

For example:

Tip: In the onboarding stage, communication may be temporarily directed to the public services of the AWS firewall when using a third party proxy. Wait 10-15 minutes to sync the proxy settings inside the ASMS services.

To verify that proxy setting have been synced to all nodes, on the Central Manager run the following code:

/bin/algosec_conf --verify-proxy-configuration

Bulk Update of AWS Account Credentials

An API facilitates access/key password updating, which some customers require to do periodically for their AWS accounts, without reloading the accounts, which can be very time-consuming. See Bulk update keys of AWS cloud accounts

Set Up Specific Regions for Data Collection in AFA

When onboarding new accounts, AFA connects to multiple data centers spread across multiple geographical locations (regions) to gather data from the available AWS resources. If you want to limit data collection to specific regions only, this section explains how you can configure a customized set of regions for data collection on the DEVICES SETUP.

Do the following:

  1. Edit the file /usr/share/fa/data/plugins/aws/brand_config.xml as follows:

    1. In the configuration file, locate the FORM_FIELD with the title "Regions".

      The FORM_FIELD is followed by a list of dropdown options.

    2. Add a new option to the dropdown specifying the regions to collect data from. Set 'value' to the specific data collection regions and 'display' to how the selection appears in the Regions dropdown. For example:

      <OPTIONS value="eu-north-1 eu-central-1 us-east-1 eu-west-1" display="My Regions"/>

  2. Save the file.

    Note: For the new option to appear in the dropdown, log out and then log in.

Enable AlgoSec Cloud to perform AWS data collection and feed the ASMS network map

By default AlgoSec Cloud (formerly CloudFlow) performs AWS data collection and feeds the ASMS network map using a designated AlgoSec Cloud-ASMS integration. To enable the advantages of this functionality, do the following:

  1. Integrate AlgoSec Cloud and ASMS. See ASMS Integration.

  2. Setup the subject AWS account in both Firewall Analyzer (AFA) AND AlgoSec Cloud.

    Notes: 
    (1) There MAY be a need to set the 'AWS_Network_Elements_Parse_From_AFA' parameter. Refer to the Algopedia article Configuring the AWS Network Elements Collection Source (ASMS A32.10 and above) .
    (2) The AlgoPedia article Configuring the AWS Network Elements Collection Source (ASMS A32.10 and above) explains the advantages of this workflow, how to continue working in the previous manner if required and how to bring the advantages of this workflow to earlier ASMS versions.
    (3) When the ASMS-AlgoSec Cloud integration is configured to fetch Routing Data from AlgoSec Cloud, ASMS still connects to AWS to collect the Security Data [Rules, Security Groups, etc.].

Add Microsoft Azure subscriptions in AFA

Important: To see Azure topology in the ASMS map (used for Traffic Simulation Queries and FireFlow Automation, you must onboard the Azure Subscription in both ASMS and AlgoSec Cloud (formerly CloudFlow). First connect AlgoSec Cloud to ASMS (see here) and then onboard your subscription (see here).

When you add an Azure subscription to AFA, all VMs related to your subscription are represented in the device tree.

  • AFA separates the VMs into groups called security sets. Each Azure security set is a group of VMs with the same network security group and subnet network security groups.

  • VMs with no network security groups are assigned to a security set called Unprotected VMs. To enable accurate traffic simulation, AFA automatically creates a rule to allow all traffic for these VMs.

  • A Network security group, that is not attached to any VMs or subnets, is placed into a dedicated security set.

For more details, see:

Network connection

The following diagram shows an ASMS Central Manager connecting to an Azure subscription via HTTPS-REST (TCP/443).

Tip: ASMS also supports connecting to Azure via a proxy server, which can be configured when adding the device to AFA. For more details, see Define a proxy server .

Permission requirements for Azure

ASMS requires the following permissions for your Azure subscriptions:

Add a Microsoft Azure subscription to AFA

Do the following:

  1. In your Azure subscription, configure Entra ID Application to use to connect to AFA, if you have not already.

    For details, see How to configure a Microsoft Entra ID application in AlgoPedia .

  2. In AFA, access the Devices Setup page. For details, see Access the DEVICES SETUP page.
  3. In the vendor and device selection page, select Microsoft > Azure.

  4. Configure the fields and options as needed.

  5. Click Finish.

    The subscription is added to the device tree.

  6. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    1. To select multiple users, press the CTRL button while selecting.

    1. Click OK to close the dialog.

A success message appears to confirm that the account is added.

Tip: In the onboarding stage, communication may be temporarily directed to the public services of the Azure Cloud firewall when using a third party proxy. Wait 10-15 minutes to sync the proxy settings inside the ASMS services.

To verify that proxy setting have been synced to all nodes, on the Central Manager run the following code:

/bin/algosec_conf --verify-proxy-configuration

Enable AlgoSec Cloud - ASMS integration (optional)

Enable AlgoSec Cloud (formerly CloudFlow) - ASMS integration to see:

  • VNets and NSGs on the network map.

  • Azure Firewalls and Hubs in the device tree and on the network map

  • Azure Load Balancers

To enable AlgoSec Cloud-ASMS integration:

Do the following:

  1. Onboard the subject Azure subscription in both AFA AND AlgoSec Cloud.

  2. Integrate AlgoSec Cloud and ASMS. See ASMS Integration.

  3. Enable real time device monitoring. See Configure real-time monitoring. All Azure elements will be visible after the next monitoring cycle.

Tip:

  1. To get details about an Azure Firewalls policies and risks:

    • Click the Azure Firewall in the device tree to open the device page.

    • Click Policy page to see policies associated with the device in the AlgoSec Cloud Policy page.

    • Click Risks page to see risks associated with the device in the AlgoSec Cloud Risks page.

  2. If your on-premises network is connected to the Azure network via an Azure ExpressRoute, see the following knowledge base article.

Device tree display of NSGs

  • Attached NSGs: in the device tree, Azure NSGs have a three-tier hierarchy:

    1. Subscription (customer-given name for the subscription when onboarded to AFA)

    2. Region/VNet

    3. Security set (a container for one or two NSGs assigned to one or more instances)

      Note; When two NSGs exist in the security set, they are both shown separate by a / (For example, WindowsVM-nsg/DT3019).

  • Unattached NSGs: Unattached NSGs include unassigned NSGs or NSGs assigned to services that are not supported. Unattached NSGs in the device tree are shown with the same three-tier hierarchy as attached NSGs except that the second tier is shown as region/"Unattached_Network_Security_Groups".

    Note: Network Map/TSQ/Routing Query are not relevant for unattached NSGs.

Device tree display of Azure Firewall

  • Azure Firewall: in the device tree, Azure Firewall has a three-tier hierarchy:

    1. Subscription (customer-given name for the subscription when onboarded to AFA)

    2. Region/VNet or Virtual Hub

    3. Azure Firewall

  • For unassigned Azure Firewall policies (policies which are not assigned to any Azure Firewall): The device tree displays the following three-tier hierarchy:

    Note: Unassigned Azure Firewall policies are not shown in the network map and the TSQ results

    1. Subscription (customer-given name for the subscription when onboarded to AFA)

    2. Region/"Unassigned_Firewall_Policies"

    3. Unassigned Firewall Policies

Device tree display of Azure Load Balancer

  • In the device tree, Azure Load Balancer has a three-tier hierarchy:

    1. Subscription (customer-given name for the subscription when onboarded to AFA)

    2. Region/VNet or Virtual Hub/Azure Global Load Balancer

    3. Azure Load Balancer

Google Cloud projects in AFA

Note: ASMS supports visibility and risks calculations for Google Cloud Projects. There is an Early Availability feature which supports additional features including Map and Traffic Simulation Query. See Google Cloud Map and Traffic Path.

ASMS supports Google Cloud Project policy visibility and risks for Google Cloud added in AlgoSec Cloud (formerly CloudFlow).

Note: To enable this feature, you must first:

  1. Integrate ASMS with AlgoSec Cloud, see ASMS integration to SaaS services.

  2. Onboard your Google Cloud Project, see Onboard Google Cloud Project.

To open the Google Cloud Risk Report in AlgoSec Cloud from ASMS.

Do the following:

  1. In the ASMS device tree, select the Google Cloud Project.

  2. Click the link to Google Cloud Risk Report to open the report in AlgoSec Cloud.