Integrate with AWS PrivateLink

AWS PrivateLink allows you to configure your AWS deployment to use AWS private connectivity, rather than the public internet, for data connections between any instances or applications running in AWS and Workload Security.

Connecting to Workload Security without AWS PrivateLink

The standard deployment model for Workload Security requires that the data connections from Deep Security Agents, any API-based applications, and browser-based administrative access for the four services listed below are accessed from the public internet.

Service address (internet-facing) Description
relay.deepsecurity.trendmicro.com Deep Security Agent retrieval of security updates and packages
agents.deepsecurity.trendmicro.com Deep Security Agent Traffic
dsmim.deepsecurity.trendmicro.com Deep Security Agent Traffic
app.deepsecurity.trendmicro.com API and browser-based administrative access

For a full list of Workload Security network requirements, see Port numbers, URLs, and IP addresses.

How does AWS PrivateLink work with Workload Security?

When using AWS PrivateLink with Workload Security, the four services listed in the table above are accessed as VPC Service Endpoints.

Using AWS Route53 and VPC services, a private DNS hosted zone transparently routes traffic going to those four services to the private VPC Service Endpoint addresses directly, rather than to the public internet.

For example, when using PrivateLink for Workload Security, agents.deepsecurity.trendmicro.com resolves to the private IP of the VPC Services Endpoint instead of mapping to a public IP address. As a result, connections from the Deep Security Agent terminate on the VPC service endpoint and are routed using AWS PrivateLink rather than the public internet.

VPC Service Endpoints for use with AWS PrivateLink

Service address Description VPC Service Endpoint for use with AWS PrivateLink
relay.deepsecurity.trendmicro.com Deep Security Agent retrieval of security updates and packages com.amazonaws.vpce.us-east-1.vpce-svc-0ca160f19663f348e
agents.deepsecurity.trendmicro.com Deep Security Agent Traffic com.amazonaws.vpce.us-east-1.vpce-svc-0ecb2dc36c34b3aef
dsmim.deepsecurity.trendmicro.com Deep Security Agent Traffic com.amazonaws.vpce.us-east-1.vpce-svc-01a733ad6b4b0afc1
app.deepsecurity.trendmicro.com API and browser-based administrative access com.amazonaws.vpce.us-east-1.vpce-svc-04912367f0b0c73d9

 

Even when using AWS PrivateLink, Deep Security Agent traffic not listed in the table above (for example, traffic destined for the Trend Micro Smart Protection network) must still be routed from your VPCs directly to the internet. For a complete list of Workload Security network requirements, see Port numbers, URLs, and IP addresses.

Workload Security VPC Service Endpoint region support

Workload Security provides VPC Service Endpoints in all availability zones for the us-east-1 (North Virginia) region:

  • us-east-1a (use1-az1)
  • us-east-1b (use1-az2)
  • us-east-1c (use1-az4)
  • us-east-1d (use1-az6)
  • us-east-1e (use1-az3)
  • us-east-1f (use1-az5)

Configure PrivateLink for use with Workload Security

  1. Create a VPC Endpoint in us-east-1 for each of the services provided by Workload Security. See the table above for the four services.
  2. Ensure DNS hostnames and DNS resolution are enabled on your VPC.
  3. Configure a private hosted zone for the deepsecurity.trendmicro.com domain. Add an A alias entry for each service that Workload Security exposes (relay, agents, dsmim, app) that maps to the VPC endpoints you created in step 1.
  4. Use a tool like nslookup to verify that service DNS addresses are now pointing to private IPs (rather than to the public internet addresses).

What if my traffic originates from a region without a VPC service endpoint?

If you have traffic originating from regions outside of us-east-1 (which means there is no corresponding Workload Security VPC service endpoint available in that region), you can use VPC peering to connect VPCs from other regions or AWS accounts to a VPC that you host in us-east-1. That VPC then forwards traffic to the Workload Security PrivateLink service endpoints that are exposed by Trend Micro. AWS provides an example of this type of configuration.

You must still enable DNS hostnames and DNS resolution on all VPCs that will use AWS PrivateLink, as well as configure Route53 records for DNS resolution (steps 2 and 3 in Configure PrivateLink for use with Workload Security).

For more information on using VPC peering, see What is VPC Peering? in the AWS documentation.