Cloudguard datacenter objects - AWS multiple accounts
My company has been looking at integrating our on premise management server to ingest datacenter objects from AWS. We have a cloud deployment in one region today but have multiple accounts (~8) in AWS we need to pull from.
Our on-premise MGMT and GWs are all R80.30 today and want to use tags in our on premise access policies to get around the changing of resource IPs.
We have Dome9 as well and we had to set up each account with its own role to access each, so I wasn't sure if the vSEC Controller setup was similar.
The vSEC Controller R80.30 docs didn't mention anything about multiple accounts and hence looking for some guidance from those that have deployed this solution with multiple AWS accounts.
Thanks in advance 🙂
I believe you can do this by creating a Data Center object for each account.
In fact, in later versions, you can create a query object that allows you to make objects involving multiple data centers.
In this case, you’d have 8 Data Center objects, and would need to import the tag(s) from each Data Center object for use in policy.
The Data Center Query object is more efficient since although you still have to create each Data Center, you only need to do one Query object to search all of them.
The docs referenced above will show how it works.
The suggestion of creating multiple Data Center Servers (one per AWS account) is the correct way since you are using R80.30 as the Management version today.
It may also be useful to note that from the R81.10, we have now introduced the capability to utilize AWS Security Token Service (STS) Assume Role to simplify the access to AWS Data Centers.
With this feature, instead of creating multiple AWS user accounts and configuring access permissions to AWS resources for each account, the STS Assume Role allows creating the necessary permissions once for use across multiple AWS accounts.
This is well documented in the CloudGuard Controller Admin Guide R81.10 here:
Not to stir up an old thread but I have a general question regarding the CloudGuard Controller supported objects and some of the features in the releases.
- Are the CloudGuard features based on the version of the management server or on the version of the gateways?
If I have a management server on R81.10 but have GWs on R80.40, would the supported data center objects follow the GW or does it vary?
For example, would you be able to use the Data Center Query object features released starting in R81 on R80.40 gateways... as long as management is indeed R81 or higher?
Same with support for new Data Centers (i.e. VMware vCenter version 7 in R81.10, or Oracle OCI support coming in R81.20)... does that have any relation to the GW versions to use these? I 'feel' like it would be management only here since it's the integrator between each cloud, but questioning that thought that there would be some use cases (some or all) that might be GW/JHF version dependent.
Depends on the feature.
Generic Data Center objects, which do not use the CloudGuard Controller, require R81 or above gateways.
For Data Center Query objects, provided the management is on at least R81 and the gateways are on any R8x version, they should be supported.
I presume support for new Data Centers would work the same way, but we'll have to wait until R81.20 is released to confirm.
Since the CloudGuard Controller runs on the management, the features' availability is dependent on the version of the management you currently use.
For example, you can use the Data Center Query feature since R81, but you will be able to push the identities to an older GW version (for example R80.40).
In addition you can find in the admin guide the supported GWs by the CloudGuard Controller - https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_CloudGuard_Controller_AdminG...
I'll add that in some cases the feature will have dependence on the GW version, for example as mentioned above in the Generic Data Center objects.
But in general, the CloudGuard Controller supports backwards compatibility, hence you will be able to use it with older version GWs that the CloudGuard Controller supports.
If you're using terraform to manage objects, you can use a script to automate the datacenter object creation. If you're still looking for some solutions, I can share what we are doing.
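A constructed Python example, not code from this thread or from Check Point, of the automation the post above alludes to, combined with the STS Assume Role setup described earlier in the thread: it produces one Management API `add-data-center-server` request body per (AWS account, region) pair, using a single controller-side credential plus a role assumed in each target account, and prints the IAM trust policy each target account's role needs. The account IDs, ARNs, role name and external ID are placeholders; the API field names (`authentication-method`, `access-key-id`, `enable-sts-assume-role`, `sts-role`, `sts-external-id`, `region`) are as I recall them from the R81.10 API reference and should be verified against the docs for your version.

```python
"""Generate one CloudGuard Controller Data Center Server per AWS account and region.

Constructed example (not from the thread or from Check Point). It emits the
request bodies for the Management API call 'add-data-center-server' with the
STS Assume Role option, plus the IAM trust policy each target account's role
needs. API field names are as recalled from the R81.10 reference; verify them
against the API docs for your version before use.
"""
import json
import re
from typing import Dict, List

# Hypothetical inventory; every value below is constructed for the example.
CONTROLLER_PRINCIPAL_ARN = "arn:aws:iam::111111111111:user/cloudguard-controller"
ACCOUNTS: Dict[str, str] = {"222222222222": "prod", "333333333333": "dev"}
REGIONS: List[str] = ["us-east-1", "eu-west-1"]
ROLE_NAME = "CloudGuardControllerReadOnly"
EXTERNAL_ID = "replace-with-a-random-secret"  # placeholder, unique per deployment

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def role_arn(account_id: str) -> str:
    """Build the ARN of the role the controller will assume in a target account."""
    arn = f"arn:aws:iam::{account_id}:role/{ROLE_NAME}"
    if not ROLE_ARN_RE.match(arn):
        raise ValueError(f"malformed role ARN (check the account id): {arn}")
    return arn


def trust_policy(account_id: str) -> dict:
    """IAM trust policy for the role in one target account.

    Only the controller's principal may assume the role, and only when it
    presents the external ID, which prevents the confused-deputy problem.
    """
    if not EXTERNAL_ID:
        raise ValueError("external id must be set")
    role_arn(account_id)  # validate the account id before emitting a policy for it
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": CONTROLLER_PRINCIPAL_ARN},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
        }],
    }


def data_center_server_request(account_id: str, alias: str, region: str,
                               access_key_id: str, secret_access_key: str) -> dict:
    """Body for 'add-data-center-server' (type aws) for one account/region pair.

    The access key belongs to the controller's own principal; the target
    account is reached by assuming the role named in 'sts-role'.
    """
    return {
        "name": f"aws-{alias}-{region}",
        "type": "aws",
        "authentication-method": "user-authentication",
        "access-key-id": access_key_id,
        "secret-access-key": secret_access_key,
        "region": region,
        "enable-sts-assume-role": True,
        "sts-role": role_arn(account_id),
        "sts-external-id": EXTERNAL_ID,
    }


def build_all(access_key_id: str, secret_access_key: str) -> List[dict]:
    """One request per (account, region); the count is len(ACCOUNTS) * len(REGIONS)."""
    return [
        data_center_server_request(acct, alias, region, access_key_id, secret_access_key)
        for acct, alias in ACCOUNTS.items()
        for region in REGIONS
    ]


if __name__ == "__main__":
    # Credentials would normally come from a secret store, not the source file.
    for req in build_all("AKIA_EXAMPLE_PLACEHOLDER", "secret-from-vault"):
        print(json.dumps(req, indent=2))
    print(json.dumps(trust_policy("222222222222"), indent=2))
```

The object count is the product of accounts and regions, which is the growth the later posts in this thread worry about; keeping the inventory in one place makes it easy to see that number before anything is created. Each generated body would be sent to the Management API (or fed to a Terraform resource) followed by a publish.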
I was wondering what are the limits on the number of datacenter servers? I couldn't find anything in limitations or other articles.
It can quickly explode if you have say 50 AWS accounts, with several regions. This can easily get into hundreds of datacenter server objects. Then there are datacenter query objects which would go through all of them searching for matches every minute.
What would be the recommendation to have no more than "x" of said objects?
Hi, there are no hard-coded limits. We have customers with 400+ AWS data centers and 400+ data center queries on the same platform. We are constantly working to improve the CloudGuard Controller process throughput and performance to handle bigger and bigger environments via the Jumbo hotfix. Let me know if that helps.