Alert Logic® recommends that when you deploy our network intrusion detection system in an Amazon Web Services (AWS) environment, you also deploy an Alert Logic appliance within each VPC that contains protected hosts. Alert Logic has built automation into how assignment policies for protected hosts are handled in AWS so that protected hosts automatically receive an assignment policy when created. This automation is designed to work at the VPC level: the protected host is given an assignment policy designated for that VPC, and the targeted appliance is in the same VPC. This VPC-level assignment policy is created when an appliance is provisioned in a new VPC. The policy contains special metadata that binds it to that VPC.
For customers that utilize multiple VPCs, this can present a cost problem in certain circumstances. It may be more cost effective to utilize an existing appliance in a different VPC if you expect only a very small amount of traffic from the hosts in a given VPC to be monitored. Reference the AWS pricing documentation to determine whether the cost of VPC-peering traffic would be lower than the cost of a separate appliance.
To solve this problem, you can use VPC-peering connections to connect host-VPCs (VPCs that contain protected hosts) to appliance-VPCs (VPCs that contain at least one Alert Logic appliance). In addition to the VPC-peering connection, there is some additional work required by Alert Logic Support to create the VPC-level assignment policies for each of the host-VPCs.
Solution
To enable a multi-VPC deployment, you will need to set up your environment in the following way before it can be enabled:
- Establish at least two VPCs. One VPC needs to be designated as the appliance-VPC, where one or more Alert Logic appliances will reside. In addition to the appliance-VPC, you should determine which other VPCs will contain protected hosts. These VPCs should be designated as host-VPCs.
- In each appliance-VPC, provision at least one Alert Logic appliance.
- For each host-VPC, determine which appliance-VPC you want that host-VPC to communicate with. Once you have determined this, establish a VPC-peering connection between both VPCs. Make sure to complete the peering connection setup by adjusting the route tables in each VPC/subnet so that communication can occur over the peering connection.
Once you have provisioned the necessary appliances and created the VPC-peering connections between the host-VPCs and appliance-VPCs, create a ticket with Alert Logic Support to have the VPC-level assignment policies created for each of the host-VPCs. Provide the following information for each host-VPC you would like this behavior enabled on:
- Host-VPC ID
- Host-VPC region
- Appliance-VPC ID
- Appliance-VPC region
- One or more appliance instance-IDs that you would like the protected hosts in the host-VPC to send traffic to
Alert Logic Support will then create a VPC-level assignment policy that will be automatically assigned to any new protected hosts created within the host-VPC(s).
One limitation of this type of deployment is that each host-VPC’s assignment policy will not be automatically updated if there are changes in your appliance deployment. For example, if you were to build a new appliance in your appliance-VPC, this appliance will not automatically be added to the host-VPC’s assignment policy. This will need to be done manually any time you make changes to your appliances.
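A pre-flight check for the setup steps above, as an added example that is not Alert Logic's code: on a constructed plan it verifies that the two VPC CIDR blocks do not overlap (a requirement of AWS VPC peering), that each VPC has a route to the other over the peering connection, and then assembles the five ticket fields. Every ID, region and CIDR, and the function names `check_plan` and `ticket_fields`, are assumptions for illustration.

```python
import ipaddress

# Constructed sample plan: every ID, region and CIDR is a placeholder.
PLAN = {
    "peering_id": "pcx-EXAMPLE",
    "host_vpc": {"id": "vpc-HOST-EXAMPLE", "region": "us-east-1",
                 "cidr": "10.20.0.0/16",
                 "routes": [{"dest": "10.10.0.0/16", "target": "pcx-EXAMPLE"}]},
    "appliance_vpc": {"id": "vpc-APPLIANCE-EXAMPLE", "region": "us-east-1",
                      "cidr": "10.10.0.0/16",
                      "routes": [{"dest": "10.20.0.0/16", "target": "pcx-EXAMPLE"}]},
    "appliance_instance_ids": ["i-APPLIANCE-EXAMPLE"],
}

def check_plan(plan):
    """Return a list of problems; an empty list means the plan is ready."""
    problems = []
    host, app = plan["host_vpc"], plan["appliance_vpc"]
    host_net = ipaddress.ip_network(host["cidr"])
    app_net = ipaddress.ip_network(app["cidr"])
    if host_net.overlaps(app_net):
        problems.append("host and appliance VPC CIDRs overlap")
    # Traffic must be routable in both directions over the peering connection.
    for name, vpc, peer_net in (("host", host, app_net), ("appliance", app, host_net)):
        routed = any(r["target"] == plan["peering_id"]
                     and ipaddress.ip_network(r["dest"]).overlaps(peer_net)
                     for r in vpc["routes"])
        if not routed:
            problems.append(f"{name} VPC has no route to its peer via {plan['peering_id']}")
    if not plan["appliance_instance_ids"]:
        problems.append("no appliance instance ID listed")
    return problems

def ticket_fields(plan):
    """Build the per-host-VPC details the article lists for the Support ticket."""
    problems = check_plan(plan)
    if problems:
        raise ValueError("; ".join(problems))
    host, app = plan["host_vpc"], plan["appliance_vpc"]
    return {"Host-VPC ID": host["id"], "Host-VPC region": host["region"],
            "Appliance-VPC ID": app["id"], "Appliance-VPC region": app["region"],
            "Appliance instance-IDs": list(plan["appliance_instance_ids"])}

if __name__ == "__main__":
    for field, value in ticket_fields(PLAN).items():
        print(f"{field}: {value}")
```

Because the host-VPC policy is not updated automatically, re-running the check with the current appliance instance IDs after any appliance change shows what a follow-up ticket needs to contain.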
Comments
2 comments
Hello,
Thanks for sharing this useful procedure. I also saw the alternative at https://support.alertlogic.com/hc/en-us/articles/115005766146-Deploying-Cloud-Defender-in-Amazon-Web-Services#choosing%20a%20deployment%20archi.
Are you considering allowing us to set the policy ourselves in the roadmap? In our case, we create VPCs quite often with an automatic landing zone; if we open a ticket with your team each time, it can be annoying for us but also for the Alert Logic team.
Thanks,
Regards,
Hi Jonathan -
Thank you for reaching out! I've gotten some good information for you from our Support and Product teams. You've found the perfect resource to set up multi-VPC deployments without contacting Alert Logic - the Deploying Cloud Defender in Amazon Web Services knowledge base article. Unfortunately customers cannot create the policy in the same way that Alert Logic Support can, as we use API calls and processes that are internal only. The end result is exactly the same in either case, however!
In regards to your roadmap question, while the answer is no, we do have plans on the roadmap to make the functionality you're describing unnecessary - that is, if you're upgraded to SIEMless Threat Management, you won't need to contact Alert Logic to set policies any longer.
I hope this helps! Please let me know if you have any further questions.