Create Network Security AMI instances

To create a Network Security AMI instance to inspect network traffic, complete each of the following tasks in order.

1. Create security groups

Network Security requires a minimum of two security groups. These security groups are used when you create the ENIs. Learn more about security groups.

From the EC2 Dashboard, scroll down to Security Groups, and click Create security group.

Management security group

Use this security group for the Network Security management port.

  • Security Group Name: Management security group
  • Description: Allows you to access Network Security from the CLI and the Network Security management interface
  • VPC: Select the Inspection VPC

Select the management group, scroll down to the Inbound Rules and Outbound Rules tabs, and click Edit Rules to add these required rules.

Inbound rules

Type | Protocol | Port range | Source | Description
SSH | TCP | 22 | <IP or CIDR addresses that need access to the management port for the Network Security instance> | Allows you to SSH into Network Security and manage the instance with the CLI
HTTPS | TCP | 443 | <management interface IP address> | Allows you to manage Network Security outside of AWS

Outbound rules


NOTE

We recommend that you keep the outbound rules for this group open to all traffic on all ports to all destinations. To add more restrictions, or for more information about which ports are used and why, refer to the TPS Local Security Manager User Guide and the SMS User Guide in the Online Help Center.


Type | Protocol | Port range | Destination | Description
All traffic | All | All | 0.0.0.0/0 | Allows all traffic on all ports to all destinations

Traffic security group

Use this security group for the Network Security data ports. AWS considers all traffic that passes through the data port to be inbound traffic, so you must allow inbound traffic rules from the internet, even if you are only inspecting connections originating inside your network.

The inbound and outbound rules listed below are the minimum required rules for the security group. Add any additional rules necessary for your network environment, but make sure the inbound and outbound rules are the same for this security group.

  • Security Group Name: Traffic security group
  • Description: Allows all inbound traffic from the internet
  • VPC: Select the Inspection VPC

NOTE

We recommend that you keep this security group as open as possible and that you restrict traffic using security groups attached to your Workload EC2 instances.


Inbound rules

Type | Protocol | Port range | Source | Description
All traffic | All | All | 0.0.0.0/0 | Allows all traffic that originates inside or outside of your network

Outbound rules

Type | Protocol | Port range | Destination | Description
All traffic | All | All | 0.0.0.0/0 | Allows all traffic that originates inside or outside of your network

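The two security groups above have different intents: the management group should only expose SSH and HTTPS to the addresses that need them, while the traffic group must stay wide open in both directions, with filtering pushed to the workload instances. The following added example (not Trend Micro or AWS code) models both groups as boto3-style IpPermissions structures and checks those two constraints offline: no management port reachable from the whole internet, and inbound and outbound rules of the traffic group identical, as the text requires. The admin CIDR and management interface address are constructed placeholders.

```python
"""Check the two security groups from this section against the guide's rules.
Added example, not Trend Micro or AWS code; all addresses are constructed."""
import ipaddress

# boto3 expresses "All traffic" as IpProtocol "-1" with no port range.
ALL_TRAFFIC = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}


def rule(proto, port, cidr, desc):
    """Build a single-port permission entry in boto3 IpPermissions format."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr, "Description": desc}]}


# Management group: SSH and HTTPS only, from specific sources (placeholders).
MANAGEMENT_SG = {
    "GroupName": "Management security group",
    "IpPermissions": [
        rule("tcp", 22, "203.0.113.0/24", "SSH from admin network"),    # constructed
        rule("tcp", 443, "198.51.100.10/32", "Management interface"),   # constructed
    ],
    "IpPermissionsEgress": [ALL_TRAFFIC],
}

# Traffic group: all traffic in and out, as the guide requires for the data ports.
TRAFFIC_SG = {
    "GroupName": "Traffic security group",
    "IpPermissions": [ALL_TRAFFIC],
    "IpPermissionsEgress": [ALL_TRAFFIC],
}


def _ports(perm):
    return "all" if perm["IpProtocol"] == "-1" else (perm["FromPort"], perm["ToPort"])


def rule_set(perms):
    """Order-independent canonical form of a permission list."""
    return {(p["IpProtocol"], _ports(p), r["CidrIp"])
            for p in perms for r in p["IpRanges"]}


def check_management_sg(sg):
    """Return findings; an empty list means the group matches the guide."""
    findings = []
    for p in sg["IpPermissions"]:
        if p["IpProtocol"] == "-1":
            findings.append("management group allows all traffic inbound")
            continue
        ports = _ports(p)
        if ports not in {(22, 22), (443, 443)}:
            findings.append(f"unexpected inbound port {ports}")
        for r in p["IpRanges"]:
            # A /0 source means the port is reachable from the whole internet.
            if ipaddress.ip_network(r["CidrIp"]).prefixlen == 0:
                findings.append(f"port {ports[0]} open to the whole internet")
    return findings


def check_traffic_sg(sg):
    """The guide requires identical inbound and outbound rules on this group."""
    findings = []
    if rule_set(sg["IpPermissions"]) != rule_set(sg["IpPermissionsEgress"]):
        findings.append("inbound and outbound rules differ")
    if ("-1", "all", "0.0.0.0/0") not in rule_set(sg["IpPermissions"]):
        findings.append("inbound must allow all traffic from 0.0.0.0/0")
    return findings


if __name__ == "__main__":
    print("management:", check_management_sg(MANAGEMENT_SG) or "ok")
    print("traffic:", check_traffic_sg(TRAFFIC_SG) or "ok")
```

The same structures are what `describe_security_groups` returns, so the checks can be pointed at a live account later without changing the logic.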
2. Create an IAM policy and role

Create an IAM policy, then attach it to an IAM role. Together, this policy and role allow the Network Security instance to send logs and metrics to CloudWatch. Learn more about creating IAM roles.

Create policy

  1. Navigate to the IAM Dashboard and click Policies > Create policy.

  2. Click on the JSON tab, then copy and paste the following permissions.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
          ],
          "Resource": "arn:aws:logs:*:*:*",
          "Effect": "Allow"
        },
        {
          "Action": "cloudwatch:PutMetricData",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

  3. Click Review Policy, and enter the following parameters before clicking Create policy.

    • Name: CloudWatch_logs_policy
    • Description: Allows CloudWatch to track metric data

Create a role and attach a policy

After you create the policy, create a role and attach the CloudWatch logs policy to that role.

  1. Above Policies, click Roles, and then click Create role.
  2. Select AWS service, then choose EC2 for the service that will use this role.
  3. Click Next: Permissions, and then select the CloudWatch_logs_policy that you just created.
  4. Optionally, add any tags, and then click Next: Review.
  5. For role name, enter CloudWatch_logs, and then click Create role.

3. Modify the S3 VPC endpoint policy

This section only applies if you plan to deploy a Network Security instance into a VPC that has an S3 VPC endpoint. The endpoint policy must be modified to allow the Cloud One – Network Security virtual appliance to access files in the S3 bucket.

  1. Navigate to the VPC Dashboard and click Endpoints.

  2. Select the VPC endpoint where you plan to launch the Network Security instance.

  3. Select the Policy tab below the list of endpoints.

  4. Click Edit Policy, and add the following text to your existing policy statement.

    "Statement": [
     {
       "Sid": "NetworkSecurityPolicy",
       "Effect": "Allow",
       "Principal": "*",
       "Action": [
         "s3:GetObject",
         "s3:GetObjectVersion",
         "s3:PutObject"
       ],
       "Resource": [
         "arn:aws:s3:::network-security-*",
         "arn:aws:s3:::network-security-*/*"
       ]
     }
    ]

  5. Click Save.
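Step 4 asks you to add the NetworkSecurityPolicy statement to a policy that already exists, which means editing a JSON document by hand without dropping the statements already in it or duplicating the Sid on a second pass. The following added example (not Trend Micro or AWS code) does that merge programmatically: it takes the statement exactly as shown above, inserts or replaces it by Sid in an existing endpoint policy, and confirms that no statement in the result grants access to every bucket. The existing policy and its bucket name are constructed placeholders.

```python
"""Merge the NetworkSecurityPolicy statement into an existing S3 endpoint policy.
Added example, not Trend Micro or AWS code; EXISTING_POLICY is constructed."""
import copy
import json

# The statement from step 4 of this section, verbatim.
NETWORK_SECURITY_STATEMENT = {
    "Sid": "NetworkSecurityPolicy",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::network-security-*",
                 "arn:aws:s3:::network-security-*/*"],
}

# Constructed placeholder: an endpoint policy that already restricts access to one bucket.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppBucketOnly",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-app-bucket/*",   # placeholder bucket name
    }],
}


def merge_statement(policy, statement):
    """Return a copy of `policy` with `statement` added.

    A statement that already carries the same Sid is replaced, so running the
    merge twice does not produce duplicates. The input policy is not modified."""
    merged = copy.deepcopy(policy)
    stmts = merged.setdefault("Statement", [])
    if isinstance(stmts, dict):
        # IAM allows a single statement to be written as a bare object.
        stmts = merged["Statement"] = [stmts]
    stmts[:] = [s for s in stmts if s.get("Sid") != statement["Sid"]]
    stmts.append(copy.deepcopy(statement))
    return merged


def resources_stay_scoped(policy):
    """True when no statement in the policy grants access to every S3 resource."""
    for s in policy["Statement"]:
        res = s.get("Resource", [])
        res = [res] if isinstance(res, str) else res
        if any(r in ("*", "arn:aws:s3:::*") for r in res):
            return False
    return True


def merged_policy_json(policy=EXISTING_POLICY):
    """The text to paste back into the endpoint's Policy tab."""
    return json.dumps(merge_statement(policy, NETWORK_SECURITY_STATEMENT), indent=2)


if __name__ == "__main__":
    print(merged_policy_json())
```

Because the endpoint policy applies to every principal that reaches S3 through the endpoint, the check in `resources_stay_scoped` is the one worth keeping: the added statement is limited to `network-security-*` buckets, and nothing else in the policy should widen that to `*`.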

4. Create Network Security instances

Create at least one Network Security instance in each AZ where you have Workload VPCs.

  1. Navigate to the Cloud One – Network Security AMIs. Alternatively, follow these steps to search for the Network Security AMIs manually.

    1. Navigate to the EC2 Dashboard.
    2. Under Images, select AMIs.
    3. In the drop-down menu under Launch, select Public images.
    4. In the search bar at the top of the page, type Owner : 511311637224.
  2. From the list that appears, select the latest AMI version.


    NOTE

    The latest version is the AMI with the highest number. For instance, IPS_AMI--5.5.0.10605 is more recent than IPS_AMI--5.4.0.10605.


  3. After you select the correct AMI, click Launch.

  4. Select one of the following instance types.


    IMPORTANT

    Only select one of the following instance types. The other instance types included in the AMI might not work.


    Instance type | Description
    c5n.4xlarge (recommended) | Supports a sustained throughput rate of 10 Gbps with bursts up to 11 Gbps. Does not include ZDI filter support.
    c5n.2xlarge | Similar to c5n.4xlarge but for smaller workloads.
    c5n.9xlarge | Similar to c5n.4xlarge but for larger workloads.
    c5.2xlarge | Supports a sustained throughput rate of 2.5 Gbps with bursts up to 3.5 Gbps. Does not include ZDI filter support.
    c5.9xlarge | Similar to c5.2xlarge but for larger workloads.
    f1.2xlarge | Supports a sustained throughput rate of 2.5 Gbps with bursts up to 10 Gbps. Supports ZDI filters.
  5. Configure the following information on the Configure Instance Details page.

    If not specified, keep the default settings.

    • Network: Select the Inspection VPC.

    • Subnet: For deployment option 1, select the management subnet. For deployment options 2 and 3, select the inspection connection subnet.

    • Auto-assign Public IP: Select Disable.

    • IAM role: Select the CloudWatch_logs role that you created in Create an IAM policy and role.

    • Shutdown behavior: Select Stop.

    • Network interfaces: Leave eth0, which is created automatically by AWS, as the only network interface.

    • Advanced details user data: Copy and paste the following text.

    # -- START VTPS CLOUDWATCH
    log-group-name < Name your CloudWatch Log Group Here >
    # -- END VTPS CLOUDWATCH

  6. On the Add Storage page, select 24 GiB for the size and General Purpose SSD for the volume type.

  7. On the Configure Security Group page, click Select an existing security group, and select the management security group that you created.

  8. Review the information you entered, and select Launch to create the instance.

  9. After you launch the instance, choose or create an SSH key.

5. Create Elastic Network Interfaces

The management port, which connects to SSH or HTTPS, is created automatically in AWS as eth0. Network Security uses two additional ports, 1A and 1B, for each instance. To add these ports, create two new ENIs and then attach them to the Network Security instance. Learn more about elastic network interfaces.

  1. From the EC2 Dashboard, click Network Interfaces (under Network & Security).

  2. Click Create Network Interface to create the 1A port, eth1.

    Enter the following parameters.

    • Description: eth1

    • Subnet: Select the inspection subnet.

    • IPv4 Private IP: Leave set to Auto-assign.


      NOTE

      Note the IPv4 IP that is automatically assigned to the port as you will need this later in the deployment process.


    • Security groups: Select the Traffic security group.

  3. Next, click Create Network Interface again to create the 1B port, eth2.

    Enter the following parameters.

    • Description: eth2

    • Subnet: For deployment option 1, select the protected-public subnet. For deployment options 2 and 3, select the sanitized subnet.

    • IPv4 Private IP: Leave set to Auto-assign.


      NOTE

      Note the IPv4 IP that is automatically assigned to the port as you will need this later in the deployment process.


    • Security groups: Select the Traffic security group.

  4. Stop any Network Security instances you created before you attach the ENIs.

  5. From the EC2 Dashboard, navigate to Instances, and select the Network Security instance you created in Create Network Security instances.

  6. Click Actions > Networking > Attach Network Interface, and attach the 1A port ENI, eth1, to the Network Security instance.

  7. Repeat the previous step to also attach the 1B port ENI, eth2, to the Network Security instance.

  8. After the ENIs are attached, restart the Network Security instance.

  9. Navigate back to the Network Interfaces page.

  10. Right-click eth1, click Change Source/Dest. Check, and select Disable.

  11. Repeat the step above to disable the Source/Destination Check for eth2 as well. Learn more about source and destination checks.

6. Configure additional Network Security settings

Complete the remaining configuration requirements. These configuration settings create the virtual segments, register the instance with the Network Security management interface, and create a CloudWatch metric that is used if you set up high availability.

The following information is required to complete this task.

Component | Description
1A port IP address | The IPv4 private IP address that was auto-generated for 1A, eth1.
Inspection subnet CIDR prefix length | The decimal number after the slash for the inspection subnet CIDR block.
1B port IP address | The IPv4 private IP address that was auto-generated for 1B, eth2.
Sanitized subnet CIDR prefix length | The decimal number after the slash for the sanitized subnet CIDR block.
API key | The API key for the Network Security management interface.
VPC CIDR | The VPC CIDR block.

  1. SSH into the instance.

  2. For deployment option 1, run the following commands.

    edit
    virtual-segments
    virtual-segment "cloud formation"
    route 0.0.0.0/0 <Gateway IP Address of Inspection Subnet>
    route <VPC CIDR> <Gateway IP Address of Protected-Public Subnet>
    exit
    commit
    exit

    high-availability
    cloudwatch-health period <CloudWatch Metrics granularity in seconds>
    commit
    exit

    exit
    save-config -y
    cloudone [register|unregister] <api-key>

  3. For deployment options 2 and 3, run the following commands.

    edit
    virtual-segments
    virtual-segment "cloud formation"
    route 0.0.0.0/0 <Gateway IP Address of Sanitized Subnet>
    exit
    commit
    exit

    high-availability
    cloudwatch-health period <CloudWatch Metrics granularity in seconds>
    commit
    exit

    exit
    save-config -y
    cloudone [register|unregister] <api-key>


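The commands above take gateway addresses and the table before them asks for CIDR prefix lengths and port IPs, all of which are derived from the subnets you created earlier. The following added example (not Trend Micro or AWS code) computes those values from subnet CIDRs with Python's `ipaddress` module and renders the two `route` lines of deployment option 1 with the gateways filled in. It relies on one AWS fact: the second address of every VPC subnet is reserved for the VPC router, which is the gateway address the `route` commands expect. The VPC, subnet and port addresses below are constructed placeholders.

```python
"""Derive gateway IPs, prefix lengths and sanity checks for the configuration
commands above. Added example, not Trend Micro or AWS code; all CIDRs and
addresses are constructed placeholders."""
import ipaddress


def subnet_router_ip(cidr):
    """AWS reserves the second address of each subnet (network + 1) for the VPC
    router; that address is the subnet's gateway in the `route` commands."""
    return str(ipaddress.ip_network(cidr, strict=True)[1])


def prefix_length(cidr):
    """The decimal number after the slash, as the component table describes."""
    return ipaddress.ip_network(cidr, strict=True).prefixlen


def port_in_subnet(port_ip, cidr):
    """A 1A/1B port address must belong to the subnet its ENI was created in."""
    return ipaddress.ip_address(port_ip) in ipaddress.ip_network(cidr, strict=True)


def subnet_in_vpc(subnet_cidr, vpc_cidr):
    """Every subnet used here must lie inside the Inspection VPC CIDR."""
    return ipaddress.ip_network(subnet_cidr).subnet_of(ipaddress.ip_network(vpc_cidr))


def render_option1_routes(vpc_cidr, inspection_cidr, protected_public_cidr):
    """The two `route` lines of deployment option 1 with gateways filled in."""
    return [
        f"route 0.0.0.0/0 {subnet_router_ip(inspection_cidr)}",
        f"route {vpc_cidr} {subnet_router_ip(protected_public_cidr)}",
    ]


def render_option2_route(sanitized_cidr):
    """The single `route` line of deployment options 2 and 3."""
    return f"route 0.0.0.0/0 {subnet_router_ip(sanitized_cidr)}"


# Constructed placeholders; substitute the CIDRs and ENI addresses from your deployment.
VPC_CIDR = "10.0.0.0/16"
INSPECTION_SUBNET = "10.0.1.0/24"
PROTECTED_PUBLIC_SUBNET = "10.0.2.0/24"
PORT_1A_IP = "10.0.1.37"   # auto-assigned to eth1 in the inspection subnet
PORT_1B_IP = "10.0.2.41"   # auto-assigned to eth2 in the protected-public subnet

if __name__ == "__main__":
    for name, subnet, port in (("1A", INSPECTION_SUBNET, PORT_1A_IP),
                               ("1B", PROTECTED_PUBLIC_SUBNET, PORT_1B_IP)):
        print(f"{name}: ip={port} prefix=/{prefix_length(subnet)} "
              f"in_subnet={port_in_subnet(port, subnet)} "
              f"in_vpc={subnet_in_vpc(subnet, VPC_CIDR)}")
    print("\n".join(render_option1_routes(VPC_CIDR, INSPECTION_SUBNET,
                                          PROTECTED_PUBLIC_SUBNET)))
```

`strict=True` makes `ip_network` reject a CIDR with host bits set (for example a port address pasted where the subnet was expected), which is the most common copy error when filling in these commands.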
7. Route traffic for inspection

After you have finished setting up the Network Security instances, route the network traffic so that it passes through the instances for inspection. Use the appropriate route tables, depending on your deployment option.

Edge protection deployment route tables

Modify the route tables that you already created to match the route tables below for each AZ in your VPC. This routes the traffic through Network Security for inspection.

VPC access route table

Destination | Target
<VPC CIDR> | Local
<protected-public subnet CIDR> | eni-1A

Protected-public route table

Destination | Target
<VPC CIDR> | Local
0.0.0.0/0 | eni-1B

Protected-private route table

Destination | Target
<VPC CIDR> | Local
0.0.0.0/0 | NAT Gateway
<on-prem CIDRs> | eni-1B

Management route table

Destination | Target
<VPC CIDR> | Local
0.0.0.0/0 | NAT Gateway
<on-prem CIDRs> | eni-1B

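The four edge-protection tables above work because a VPC route table selects the most specific matching route: the protected-public subnet route toward eni-1A is narrower than the VPC CIDR's Local route, and an on-prem CIDR toward eni-1B is narrower than the 0.0.0.0/0 route toward the NAT gateway. The following added example (not Trend Micro or AWS code) models the four tables with constructed placeholder CIDRs and resolves next hops with longest-prefix matching, so you can confirm which flows are steered through the inspection ENIs and which bypass them before changing the live tables.

```python
"""Resolve next hops in the edge-protection route tables above with the
longest-prefix match that VPC route tables apply. Added example, not Trend
Micro or AWS code; CIDRs below are constructed placeholders."""
import ipaddress

# Constructed placeholders for the angle-bracket values in the tables above.
VPC_CIDR = "10.0.0.0/16"
PROTECTED_PUBLIC = "10.0.2.0/24"
ON_PREM = ["192.168.0.0/16"]

# (destination, target) pairs, one list per route table from this section.
ROUTE_TABLES = {
    "vpc-access": [(VPC_CIDR, "Local"), (PROTECTED_PUBLIC, "eni-1A")],
    "protected-public": [(VPC_CIDR, "Local"), ("0.0.0.0/0", "eni-1B")],
    "protected-private": [(VPC_CIDR, "Local"), ("0.0.0.0/0", "NAT Gateway")]
                         + [(c, "eni-1B") for c in ON_PREM],
    "management": [(VPC_CIDR, "Local"), ("0.0.0.0/0", "NAT Gateway")]
                  + [(c, "eni-1B") for c in ON_PREM],
}

INSPECTION_TARGETS = {"eni-1A", "eni-1B"}


def next_hop(table_name, dst_ip):
    """Target of the most specific route covering dst_ip, or None if no route matches."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in ROUTE_TABLES[table_name]:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def is_inspected(table_name, dst_ip):
    """True when the flow from a subnet using this table is steered into a Network Security ENI."""
    return next_hop(table_name, dst_ip) in INSPECTION_TARGETS


def inspection_matrix(dst_ips):
    """For each table, which of the given destinations are inspected; handy as a pre-change review."""
    return {name: {ip: is_inspected(name, ip) for ip in dst_ips} for name in ROUTE_TABLES}


if __name__ == "__main__":
    for table, ips in inspection_matrix(["10.0.2.5", "10.0.3.5", "192.168.1.1", "198.51.100.7"]).items():
        print(table, ips)
```

Traffic between two subnets that is not covered by a more specific ENI route stays on the Local route and is never inspected; that is expected in this design, and the matrix makes it visible rather than implicit.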
Detailed image

The image below is a detailed view of what your network environment should look like after you insert the Network Security instances.

Private VPC protection route tables

Modify the route tables that you already created to match the route tables below. This routes the traffic through Network Security for inspection.

Public route table

Destination | Target
<Inspection VPC IP CIDR> | Local
<Workload VPC IP CIDR> | eni-1A
0.0.0.0/0 | Internet Gateway

Inspection connection route table

Destination | Target
<Inspection VPC IP CIDR> | Local
<Workload VPC IP CIDR> | eni-1A
0.0.0.0/0 | eni-1A

Detailed image

The image below is a detailed view of what your network environment should look like after you insert the Network Security instances. The sections in red highlight the route table changes.

Public and private VPC protection route tables

Modify the route tables that you already created to match the route tables below. This routes the traffic through Network Security for inspection.

Inspection connection route table

Destination | Target
<Inspection VPC IP CIDR> | Local
0.0.0.0/0 | eni-1A

Transit Gateway Inspection route table

CIDR | Attachment | Resource type | Route type
0.0.0.0/0 | Inspection VPC | VPC | Static
<Inspection VPC IP CIDR> | Inspection VPC | VPC | Propagated

Modify the propagations for this route table to only include the Inspection VPC TGW attachment as a propagation. Delete the Public VPC TGW attachment and the Workload VPC TGW attachment.

Detailed image

The image below is a detailed view of what your network environment should look like after you insert the Network Security instances. The sections in red highlight the route table changes.