Cisco Security Cloud Control: AWS VPC Management

PDF

Cisco Security Cloud Control: AWS VPC Management

AWS VPC Policy

Want to summarize with AI?

Log in

Learn how to manage AWS VPC policies and security group rules in Security Cloud Control Firewall Management to define inbound and outbound traffic, update rules, and deploy policy changes to selected AWS VPCs.


Security Cloud Control Firewall Management enables you to keep security policies consistent across any Amazon Web Services (AWS) Virtual Private Cloud (VPC) associated with your AWS account. You can also use Security Cloud Control Firewall Management to share objects across multiple device types. See these topics for more information.


AWS VPC Security Groups Rules

AWS security groups are collections of rules that govern inbound and outbound network traffic to all AWS EC2 instances, and other entities, associated with the security group. Similar to the Amazon Web Services (AWS) console, Security Cloud Control displays each rule individually.

If your SDC has Internet access, you can create and manage AWS Virtual Private Cloud (VPC) rules for these environments:

  • A security group allowing information to or from another security group within the same AWS VPC.

  • A security group allowing to or from an IPv4 or IPv6 address.

When creating a rule in Security Cloud Control that contains an AWS security group, keep these limitations in mind:

  • For a rule allowing inbound traffic, the source can be one or more security group objects in the same AWS VPC, an IPv4 or IPv6 CIDR block, or a single IPv4 or IPv6 address. Inbound rules can have only one security group object as the destination.

  • For a rule allowing outbound traffic, the destination can be one or more security group objects in the same AWS VPC, a prefix list ID, an IPv4 or IPv6 CIDR block, a single IPv4 or IPv6 address. Outbound rules can have only one security group object as the source.

  • Security Cloud Control translates rules that contain multiple entities, such as more than one port or subnet, into separate rules before deploying them to an AWS VPC.

  • When you add or remove rules, the changes are automatically applied to all AWS entities associated with the security group.

  • An AWS security group is limited to hosting a maximum of 60 inbound rules and 60 outbound rules. This limit is enforced separately for IPv4 rules and IPv6 rules; any additional rules created in Security Cloud Control are inclusive to the total number of rules. You cannot exceed the 60-rule limit by onboarding to Security Cloud Control.

Warning

If you edit an existing rule, the system deletes the edited rule and creates a new rule with the updated details. As a result, traffic that depends on the rule may be dropped briefly during the update process. This does not occur if you create a brand new rule.

For more information about the types of rules you can create from the AWS console, refer to AWS Security Group Object.


Create a Security Group Rule

By default, Amazon Web Services (AWS) Virtual Private Cloud (VPC) blocks all network traffic. As a result, any rules are automatically configured to Allow traffic. You cannot edit this action.

Note

When you create a new security group rule, you must associate it with a security group.

The AWS console does not support rules that contain more than one source or destination. This means that if you deploy a single security group rule that contains more than one entity, Security Cloud Control converts the rule into separate rules before deploying it to the AWS VPC. For example, if you create an inbound rule that allows traffic from two port ranges into one cloud security group object, Security Cloud Control converts it into two separate rules. One allows traffic from the first port range to the security group, and the other allows traffic from the second port range to the security group.

Use this procedure to create a security group rule:

Procedure

1.

From the Security Cloud Control Home page, click Firewall.

2.

Choose Security Devices.

3.

Click the Template tab.

4.

Click the AWS tab, and select the AWS VPC device template whose access control policy you want to edit.

5.

In the Management pane, select Policy.

6.

Click the blue plus button next to the security group you wish to add the rule to.

Add icon.
7.

Click Inbound or Outbound.

Inbound rules: The source network can contain one or multiple IPv4 addresses, IPv6 addresses, or cloud security group objects. The destination network must be defined as a single cloud security group object.

Outbound rules: The source network must be defined as a single cloud security group object. The destination network can contain one or multiple IPv4 addresses, IPv6 addresses, or security group objects.

8.

Enter the rule name. You can use alphanumeric characters, spaces, and the special characters plus, period, underscore, and hyphen.

9.

Define the traffic matching criteria by using any combination of attributes in the following tabs.

Source : Click the Source tab and add or remove networks (which includes networks and continents). You cannot define a port or port range as the source.

Destination: Click the Destination tab and add or remove networks (which includes networks and continents), or ports on which the traffic arrives. The default value is "Any."

Note

If no network object is defined, it will be translated into two rules in the AWS Console: one for IPv4 (0.0.0.0/0) and one for IPv6 (::0/0).

10.

Click Save.

11.

Review and deploy the changes you made immediately, or wait and deploy multiple changes at once.

Caution

If the deploy fails, Security Cloud Control tries to restore the AWS VPC to its previous state. This is done on a "best-effort" basis. Because AWS does not maintain a "state," this rollback attempt might fail. If this happens, log in to the AWS management console and manually restore the AWS VPC configuration and then read the changes into Security Cloud Control.


Edit a Security Group Rule

Use this procedure to edit an access control rule for an AWS VPC using Security Cloud Control:

Procedure

1.

From the Security Cloud Control Home page, click Firewall.

2.

Choose Security Devices.

3.

Click the Devices tab to locate the device, or click the Templates tab to locate the model device.

4.

Click the AWS tab and select the AWS VPC whose access control policy you want to edit.

5.

In the Management pane, select Policy.

6.

To edit an existing security group rule, select the rule and click the edit icon Edit icon. in the Actions pane. You can also make simple edits inline without entering edit mode. For more information about rule limitations and exceptions, refer to AWS VPC Security Group Rules.

7.

Click Save.

8.

Review and deploy the changes you made immediately, or wait and deploy multiple changes at once.

Caution

If the deployment fails, Security Cloud Control tries to restore the AWS VPC to its previous state. This is done on a "best-effort" basis. Because AWS does not maintain a "state," this rollback attempt might fail. If this happens, log in to the AWS management console and manually restore the AWS VPC configuration. Then poll for differences between the AWS VPC device configuration and the configuration in Security Cloud Control.


Delete a Security Group Rule

Procedure

1.

From the Security Cloud Control Home page, click Firewall.

2.

Choose Security Devices.

3.

Click the Devices tab to locate the device, or click the Templates tab to locate the model device.

4.

Click the AWS tab and select the AWS VPC whose access control policy you want to edit.

5.

In the Management pane, select Policy.

6.

To delete a security group rule you no longer need, select the rule and click the delete icon Delete icon. in the Actions pane.

7.

Review and deploy the changes you made immediately, or wait and deploy multiple changes at once.

Caution

If the deployment fails, Security Cloud Control tries to restore the AWS VPC to its previous state. This is done on a "best-effort" basis. Because AWS does not maintain a "state," this rollback attempt might fail. If this happens, log in to the AWS management console and manually restore the AWS VPC configuration. Then poll for differences between the AWS VPC device configuration and the configuration in Security Cloud Control.