Alert Logic® Essentials™, Professional™, and Cloud Defender™ customers who use network intrusion detection (IDS) and have deployments in, or plan to deploy in, Amazon Web Services (AWS) can now define their Protection scope and desired Protection preferences. Backend services analyze the defined scope and set of preferences, then deploy IDS appliances and other necessary security infrastructure accordingly.
Historical Default Behavior in Automatic Mode
Before this capability was available, users who chose Automatic Mode for their AWS deployment would, by default, see the following configuration rules:
- Deployment of IDS appliances
- Placement of one appliance in every Availability Zone (AZ) that has at least one customer asset deployed
- Instance type of c5.large
- Auto-scaling is not currently an option, but is planned in future work
- For any AZ that is not populated by at least one customer asset, Alert Logic will automatically remove any deployed appliance from the uninhabited AZ, but will leave one appliance in a Virtual Private Cloud (VPC) where AZs do reside
This configuration has caused some customers, such as those wanting to avoid the monthly cost of deploying an additional appliance, to choose Manual Mode for AWS deployments, which does not support the ability to scale down to zero, relative to demand.
This new tuning capability enables users to override the default configuration rules of Automatic Mode by providing additional options for tuning preferences, via API. The Alert Logic backend service, Otis, supports three different options for tuning:
- ids_appliances_placement - Specify which AZs appliances should be deployed to
- ids_appliances_scaling - Establish the number of appliances to be deployed per AZ
- ids_appliance_instance_type - Identify which AWS instance type should be used
Tuning Option 1: ids_appliances_placement
This option defines a policy to manage protection preferences inside a target VPC. You can specify an option scope - either the entire deployment or a specific VPC - that should be covered by the policy.
- Security infrastructure is removed from empty AZs automatically, leaving one appliance in VPCs where all AZs are uninhabited
- Defined either by selecting the number of AZs or by an explicit list of AZs that are to be deployed
- Security infrastructure is never removed
- Defined by selecting an explicit list of AZs to be deployed
Tuning Option 2: ids_appliances_scaling
This option defines a policy to manage the number of IDS appliances launched inside protected VPCs. You can specify an option scope (deployment or VPC) to which the defined policy is applied.
- Customers can select a predefined number of appliances to deploy - up to eight - in each AZ as part of the AWS auto-scaling group
Tuning Option 3: ids_appliance_instance_type
This option overrides the default instance size (c5.large) that is used in standard Automatic Mode deployments. Any appliance type that you define here will be deployed inside the selected VPCs. You can then specify which deployment or VPC the defined option should be applied to.
Supported AWS Instance Types
| Instance family | Supported instance types |
|---|---|
| t3 | t3.medium, t3.large, t3.xlarge, t3.2xlarge |
| m4 | m4.large, m4.xlarge, m4.2xlarge, m4.4xlarge, m4.10xlarge, m4.16xlarge |
| m5 | m5.large, m5.xlarge, m5.2xlarge, m5.4xlarge, m5.12xlarge, m5.24xlarge |
| c4 | c4.large, c4.xlarge, c4.2xlarge, c4.4xlarge, c4.8xlarge |
| c5 | c5.large, c5.xlarge, c5.2xlarge, c5.4xlarge, c5.9xlarge, c5.18xlarge |