Alert Logic® recommends that when deploying the Alert Logic Threat Manager™ product in an Amazon Web Services (AWS) environment, you should also deploy a Threat Manager appliance within each VPC that contains protected hosts. Alert Logic has built automation into how assignment policies for protected hosts are handled in AWS so that protected hosts automatically receive an assignment policy when created. This automation is designed to work at the VPC-level, where the protected host is given an assignment policy designated for that VPC, with the targeted appliance also being in the same VPC. This VPC-level assignment policy is created when an appliance is provisioned in a new VPC. The policy contains special meta-data that binds it to that VPC.
For customers that utilize multiple VPCs, this can present a cost problem., Under this model, an appliance would need to be running in each VPC to enable this automated behavior. To solve this problem, you can use VPC-peering connections to connect host-VPCs (VPCs that contain protected hosts) to appliance-VPCs (VPCs that contain at least one Threat Manager appliance). In addition to the VPC-peering connection, there is some additional work required by Alert Logic Support to create the VPC-level assignment policies for each of the host-VPCs.
To enable a multi-VPC deployment, you will need to set up your environment in the following way before it can be enabled:
- Establish at least two VPCs. One VPC needs to be designated as the appliance-VPC, where one or more Threat Manager appliances will reside. In addition to the appliance-VPC, you should determine which other VPCs will contain protected hosts. These VPCs should be designated as host-VPCs.
- In each appliance-VPC, provision at least one Threat Manager appliance.
- For each host-VPC, determine which appliance-VPC you want that host-VPC to communicate to. Once you have determined this, establish a VPC-peering connection between both VPCs. Make sure to complete the peering connection setup by adjusting the route tables in each VPC/subnet so that communication can occur over the peering connection.
Once you have provisioned the necessary appliances and created the VPC-peering connections between the host-VPCs and appliance-VPCs, create a ticket with Alert Logic Support to have the VPC-level assignment policies created for each of the host-VPCs. Provide the following information for each host-VPC you would like this behavior enabled on:
- Host-VPC ID
- Host-VPC region
- Appliance-VPC ID
- Appliance-VPC region
- One or more appliance instance-IDs that you would like the protected hosts in the host-VPC to send traffic to
Alert Logic Support will then create a VPC-level assignment policy that will be automatically assigned to any new protected hosts created within the host-VPC(s).
One limitation of this type of deployment is that each host-VPC’s assignment policy will not be automatically updated if there are changes in your appliance deployment. For example, if you were to build a new appliance in your appliance-VPC, this appliance will not automatically be added to the host-VPC’s assignment policy. This will need to be done manually any time you make changes to your appliances.