Azure Scale Sets & Identity Awareness Identity Web API enabling

I'm deploying my first Azure VMSS.

To get the cloudguard controller working on the gateway I need to enable the Identity Awareness Identity Web API and allow 127.0.0.1.

How do I ensure that this is in my scale set template? I am assuming that I need to add mgmt_cli commands to enable that? I don't seem to be able to find anything relating to the Web API configuration when I query the already provisioned (and manually configured) instances.

I know I need to run:

autoprov_cfg set template -tn "<configuration-template-name>" -nk "<parameter-name>" "<parameter-value>"

However I don't seem to be able to find any commands in the cli reference in regards to enabling the Identity Web API and adding an allowed host.

My existing scale set members are all configured as I require; however, the moment it tries to scale out, any new gateway will come up without the IA Web API set up correctly, so it won't accept the policy assigned because it'll have CloudGuard objects in it, but the gateway won't accept it because IA isn't enabled correctly for it.

Any help greatly appreciated.

Re: Azure Scale Sets & Identity Awareness Identity Web API enabling

If you enable IDA on the gateway itself, you should only need to enable the API, which you can do on the gateway CLI using pdp api enable.
However, that shouldn't be necessary as the integration with CloudGuard Controller uses Identity Awareness.
What versions are in use here (gateway and management) and has CloudGuard Controller been installed/updated?

Re: Azure Scale Sets & Identity Awareness Identity Web API enabling

Management is R80.40

Gateways are R80.30

So I should pass the "pdp api enable" in the azure bootstrap script as long as the CME template has IA enabled and that would resolve the issue?

Do I not specifically have to allow 127.0.0.1 and create a key as the documentation for CloudGuard Controller suggests in relation to enabling IA?

I'll double check the cloudguard controller version tomorrow as I don't have access currently, but the management was upgraded within the last week and CME was installed 3 days ago (CME Version: Build: 991000574 Take: 79).

I'm just painfully aware that any manual modifications to the existing scale set gateway objects won't be reflected in any newly provisioned scaled set objects without manual intervention by an administrator (which won't be me once I finish the deployment), which seems to run contrary to the idea of automatic scale sets.

Re: Azure Scale Sets & Identity Awareness Identity Web API enabling

Pretty sure the key is only needed when connecting over a network and loopback is allowed by default.
You can try passing it in the bootstrap but I was under the impression this happened by default…at least it does in AWS.
Might be worth a TAC case.

Re: Azure Scale Sets & Identity Awareness Identity Web API enabling

Have you tried to add the IA module to the template:

autoprov_cfg set template -tn <template-name> -ia

See also CME R80.10 and Above Administration Guide

That is working for us

Matthias
