About Multicloud Defense

Multicloud Defense

Multicloud Defense is a comprehensive security solution consisting of two primary components, the Multicloud Defense Controller and Multicloud Defense Gateway. These components collaborate to establish a secure multicloud environment.

Multicloud Defense currently supports Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), and Oracle OCI cloud accounts. The range of support for these platforms varies.

Multicloud Defense offers a sophisticated, streamlined security framework harmonizing controller orchestration, gateway communication, and optimized datapath processing for robust and efficient multicloud protection.

Multicloud Defense Naming Conventions

Multicloud Defense interacts with a variety of cloud service providers. To provide a universal experience across the platforms, Multicloud Defense limits the character count when you create gateways and objects.

Gateways and objects that exist outside of Multicloud Defense prepend ciscomcd as a prefix in their names, which may cause issues if the original gateway or object name is too long.

Consider the character limitations when naming your gateways or objects inside and outside of Multicloud Defense:

Table 1. Character Limitation for Naming Conventions

Multicloud Defense Feature

Character Limit

Gateway Instance

55

Object Name

63

Note

The values that are listed indicate the character limit for names without the prepended Multicloud Defense tag. You are not responsible for including the tag when you name the gateway or object.

Supported Regions

We currently support all regions for any commercial cloud service provider region for AWS, Azure, GCP and OCI. Refer to your cloud service provider support documentation for detailed information.

If a region is not supported, or a new region needs support, contact Cisco Support to add support for the region.

Multicloud Defense in Cisco Security Cloud Control

Multicloud Defense is now hosted in Cisco Security Cloud Control. Security Cloud Control is a platform that allows you to manage your security products and achieve security outcomes from a single integrated interface. From Security Cloud Control platform, you can manage Multicloud Defense along with other Security products.

When you enroll in a Multicloud Defense, Security Cloud Control creates an account for your tenancy by default to better manage your enterprises across the board. The Security Cloud enterprise supports these cases:

  1. You have purchased a license and already have a Multicloud Defense account, and

  2. You have purchased a license but do not have a Multicloud Defense account.

New customers or users of Multicloud Defense can complete these steps in Security Cloud Control.

  1. Create an organization. For more information, refer to the Create an Organization topic in the Organizations and Regions section of the Getting Started Guide for New Customers of Security Cloud Control.

  2. Buy a subscription license. Once you purchase the license, you or the designated system administrator receives an email with a subscription claim code. Do not lose this email.

  3. Claim the subscription. Enter the claim code in the Claim Subscription section of Security Cloud Control application and claim the product. You will receive a confirmation email that Multicloud Defense has been activated on Security Cloud Control. For more information, refer to the Claim Your Product Subscriptions section in the Getting Started Guide for New Customers of Security Cloud Control.

Multicloud Defense is provisioned and is available on the default landing page of Security Cloud Control. The navigation pane on Security Cloud Control contains the organization details and menu elements, and the central area contains the dashboard widgets.


Note

Customers who provision Multicloud Defense after August 6, 2025 and want to use Object Sharing will need to contact Cisco Technical Assistance Center (Cisco TAC) to enable this feature.

For existing users of Multicloud Defense migrating to Security Cloud Control, refer to the Getting Started Guide for Existing Customers of Security Cloud Control.

Multicloud Defense Components

Multicloud Defense uses a common principle in public clouds and Software-Defined Networking (SDN) which decouples the control and data plane, translating to two solution components:

  • Multicloud Defense Controller

  • Multicloud Defense Gateway

Multicloud Defense Controller

The Multicloud Defense Controller is a highly reliable and scalable centralized controller that provides the management and control plane. This runs as software-as-a-service (SaaS) and is fully managed and maintained by Multicloud Defense. You can access a web portal to utilize the Multicloud Defense Controller. Alternatively, you may choose to use the Multicloud Defense provider for terraform to instantiate security into the DevOps/DevSecOps processes.

Multicloud Defense Gateway

The Multicloud Defense Gateway is an auto-scaling fleet of Multicloud Defense software deployed as Platform-as-a-Service (PaaS) into the customers public cloud account(s) by the Multicloud Defense Controller. This provides advanced, inline security protections that defend against external attacks, prevent egress data exfiltration and lateral movement of attacks. Multicloud Defense Gateways include functionality for Transport Layer Security (TLS) decryption, Intrusion Detection and Prevention (IDS/IPS), Web Application Firewall (WAF), antivirus filtering, Data Loss Prevention (DLP) and Fully Qualified Domain Name (FQDN) or Uniform Resource Locator (URL) filtering capabilities.

To facilitate the auto-scaling, the Multicloud Defense Gateway offers:

  • Autoscaling and Self-healing: Operate as autoscaling, self-healing Platform-as-a-Service (PaaS), serving as inline network-based security enforcement nodes. For more information about auto-scaling and how it operates within the construct of the gateway, see below.

  • Simplified Management: Eliminate the need for constructing virtual firewalls, configuring high-availability setups, or managing software installations.

  • Advanced Security Profiles: Implement granular security profiles within a single-pass datapath pipeline, negating the need for traffic offloading to third-party engines.


Important

The Multicloud Defense Gateway does not currently support Internet Protocol (IP) fragmentation because of cloud service provider load-balancer limitations. We strongly recommend you adjust the Maximum Transmission Unit (MTU) size so it is consistent across the network to avoid the need for fragmentation.

Multicloud Defense SaaS Controller

Multicloud Defense offers a sophisticated, streamlined security framework, combining robust controller orchestration, gateway communication, and optimized datapath processing to provide efficient and comprehensive multicloud protection. This solution helps your organization secure your cloud workloads and applications from cyber threats while maintaining flexibility and scalability in your cloud environment.

  • SaaS-Based Management: The Software-as-a-Service (SaaS) controller manages the Gateway stack and includes an API Server for orchestration of CSP load balancers (LBs) and Gateway Instances.

  • Dynamic Scaling: Facilitates dynamic horizontal scaling through instance additions and removals from the load balancer’s “target pool,” monitored for high availability.

  • Continuous Communication: Engages in continuous communication with Cloud Service Provider (CSP) accounts to keep security policies up-to-date.

Communications

Multicloud Defense Gateways engage in continuous communication, approximately every 3 seconds, with the Multicloud Defense Controller, transmitting health status and policy updates. This enables proactive health reporting, gateway replacement, and scalability adjustments as needed.

Optimized Gateway Instances

Multicloud Defense Gateway instances operate on highly optimized software, incorporating a single pass datapath pipeline for efficient traffic processing and advanced security enforcement. Each gateway instance comprises three core processes: a "worker" process responsible for policy enforcement, a "distributor" process for traffic distribution and session management, and an "agent" process communicating with the controller. Gateway instances can seamlessly transition "in service" for a "datapath restart," enabling smooth updates without disrupting traffic flow.

Gateway Auto-scaling

Autoscaling in Multicloud Defense is triggered based on these usage thresholds:

  • CPU Usage

    • Scale Out: Triggered when CPU usage exceeds 95%.

    • Scale In: Occurs when CPU usage falls below 40%.

  • Memory Usage

    • Scale Out: Triggered when memory usage exceeds 85%.

    • Scale In: Occurs when memory usage falls below 40%.

  • Bandwidth Usage

    • Scale Out: Triggered when bandwidth usage exceeds 75%.

    • Scale In: Occurs when bandwidth usage falls below 40%.

  • Connection Usage

    • Scale Out: Triggered when connection usage exceeds 75%.

    • Scale In: Occurs when connection usage falls below 40%.

  • Load Sustain Period: Autoscaling actions are triggered if the load conditions are sustained for 120 seconds.

  • Scale-In and Scale-Out Periods: Both scale-in and scale-out actions have a 120-second assessment period to ensure consistent load conditions.

For information about specific cloud service providers and their instance type support, refer to Cloud Service Provider Instance Type Support.

Advanced Security Profiles

Multicloud Defense Controller implements granular security profiles within the single pass datapath pipeline, catering to evolving traffic needs. Customers have the flexibility to enable or disable Advanced Security Profiles as required. The pipeline's single pass architecture negates the need for traffic offloading to third-party engines. For instance, full TLS decryption is selectively triggered within the pipeline, ensuring efficient handling without unnecessary data transfers.

In essence, Multicloud Defense offers a sophisticated and streamlined security framework, harmonizing controller orchestration, gateway communication, and optimized datapath processing for a robust and efficient multicloud protection mechanism.

Multicloud Defense Controller Dashboard

The dashboard of the Multicloud Defense Controller has a multitude of widgets to give you a quick snapshot of the current state of your accounts, account resources, and top-hitting policies or profiles.

The dashboard displays widgets for cloud accounts, account resources, CSP services, traffic, logs, and more.

You can drag-and-drop any of the widgets to customize and organize the dashboard to meet your needs. Click "x" at the top-right corner of a widget to remove it from your dashboard. You can click View More which is located within the widget, to go directly to the associated page to add accounts. At the top of each widget is a tag or label that indicates what function the widget serves, such as discovery, detection, deployment, or defending.

The dashboard generates these widgets by default.

Cloud Accounts

This provides a high-level view of all the cloud accounts you have connected to the Multicloud Defense Controller,and the number of accounts for each of the identified cloud service providers.

Click Add Account to open a connection wizard for onboarding a new cloud service provider.

Account Resources

This is a general list of allocated resources across all of your connected cloud accounts. It displays how many of these resources are currently used:

  • VPC/VNets

  • Subnets

  • Security Groups

  • Load Balancers

  • Instances

  • Tags

  • Route Tables

  • Applications.

Top CSP Services

The Multicloud Defense Controller connects to the cloud service providers and displays a top-down view that generalizes Domain Name System (DNS) traffic.

DNS Traffic

Similar to Top CSP Services, this DNS Traffic widget offers a limited view of current DNS traffic for the cloud service providers that are actively processing traffic. We recommend expanding the widget to the full discovery scope for more insight.

VPCs/VNets with Malicious Traffic

This widget displays any recent VPC or VNet that has encountered malicious traffic. For a comprehensive list of events and attacks, expand the widget and view the traffic.

Top Ports with Malicious Traffic

This small snapshot displays which ports within your cloud accounts have the most hits against malicious traffic.

Security Considerations

The Security Considerations widget summarizes the applications, VPCs or VNets, and associated gateways that are not protected by Multicloud Defense.

System Logs

The System Logs window provides a recent history of logs that catalog the accounts affected, the gateway associated, the severity of events or attacks and more. We strongly recommend utilizing this widget or the whole System Log page as a valuable resource.

Top Applications

This widget displays the topmost applications used across all cloud service providers.

Threats

This view provides a graph depicting the last seven days of traffic and the amount of the incoming traffic was categorized as threats.

Top Countries by Threat

This horizontal bar chart shows the top 10 countries with the most events and breaks the volume down by time increment.

Exfiltration Attempts

This view is a general display of egress data exfiltration that have occurred on the cloud service providers currently connected to Multicloud Defense.

My Profile Information

The User Profile page details your user information. To access this page, select your username from the Admin drop-down list in the upper right corner of the Multicloud Defense dashboard to display the information:

  • Your name.

  • The email address associated with your Multicloud Defense account.

  • The user role you currently have.

  • The name of the tenant currently logged in.

  • Assigned accounts.

Use this page for general information or when seeking assistance from Cisco Support.

Multicloud Defense 90-Day Free Trial

When you log in to your Security Cloud Control tenant, you will see a wizard that guides you through connecting your cloud accounts to Multicloud Defense so that you can manage them with a free 90-day trial of Multicloud Defense Controller. The 90-day trial experience offers the full functionality of a paid subscription to Multicloud Defense Controller.

Figure 1. Multicloud Defense Easy Setup

Easy Setup of Multicloud Defense

Click Get Started to begin your 90-day trial. This begins provisioning the Multicloud Defense Controller.


Note

Easy Setup supports the following Cloud Providers:

  • Account Onboarding: AWS, Azure, GCP, OCI

  • Enable Traffic Visibility: AWS (Flow Logs, DNS Query Logs), Azure (Flow Logs), GCP (VPC flow logs, DNS Query Logs)

  • Create Services VPC/VNet: AWS, Azure, GCP

  • Create Gateways: AWS, Azure, GCP

Although Services VCN orchestration is not supported for OCI (requires the user to create the Services VCN using the Cloud Provider console), the Gateway orchestration is supported in Multicloud DefenseMulticloud Defense. Open Multicloud Defense and navigate to Infrastructure > Gateways > Gateways.

Connect Cloud Accounts

After Multicloud Defense Controller is provisioned, the Connect a Cloud Account page opens and you can connect any of the types of cloud accounts that are shown to the Multicloud Defense Controller.

The first step is to onboard a set of one or more cloud accounts. This allows the Multicloud Defense Controller to interact with each account by discovering inventory and traffic, orchestrating security deployment, and creating and managing policy.

To connect to your cloud accounts, follow these instructions:

Enable Visibility

After onboarding, to enable traffic visibility for your cloud account, click Enable Visibility in Multicloud Defense in Security Cloud Control.

Enabling traffic visibility provides awareness into the traffic flows within the Cloud Accounts by collecting VPC/VNet Flow Logs and DNS Query Logs. The Flow and DNS Query logs are used by Multicloud Defense to understand traffic flow, correlate with threat intelligence feeds, and provide insight into existing threats that can be protected using Multicloud Defense.

Enabling traffic visibility is a different process for every cloud account type, but typically you will need to identify account characteristics such as your cloud account's region, VPC/VNet that you want to monitor, network security groups, and a cloud storage account for logs.

View Traffic on your Cloud Account

After enabling traffic visibility, view the traffic moving through your cloud account and look for any malicious traffic that requires protection.

  1. Log in to Security Cloud Control.

  2. In the left pane, click Multicloud Defense.

  3. In the upper-right corner, click Multicloud Defense Controller to open the controller in a new browser tab.

  4. In the Multicloud Defense portal navigate to Investigate > Traffic Analysis > Topology.

  5. Use the Filters and Search bar to find the cloud account you want to monitor.

  6. In the Global View, add Malicious Traffic to your filtering.

  7. Click through the malicious traffic bubble to view the information in the Region View about the affected country of origin, IP address, FQDN, Service, and Port.

Secure Your Cloud Account

Based on your known security needs, and after monitoring traffic, you can secure your account using either a centralized hub and spoke model or a distributed model.

Use the Secure Your Account wizard to configure a Service VPC and Multicloud Defense Gateway to secure your account.

  1. Log in to Security Cloud Control.

  2. In the left pane, click Multicloud Defense.

  3. In the upper-right corner, click Multicloud Defense Controller to open the controller in a new browser tab.

  4. In the Multicloud Defense Controller dashboard, click Setup in the navigation panel.

  5. Click Secure Account on the Setup page.

  6. Click Centralized or Distributed.

  7. Click Next and continue with the wizard setup.

Relaunching Easy Setup

After you complete the Easy Setup workflow on the Security Cloud Control dashboard, you cannot relaunch it to start your 90-day free trial. However, the Easy Setup wizard is available in Multicloud Defense Controller to help you connect and configure other cloud accounts at a later time.

  1. In the left pane of the Security Cloud Control dashboard, click Multicloud Defense.

  2. In the upper-right corner, click Multicloud Defense Controller.

  3. On the Multicloud Defense dashboard, click Setup in the Multicloud Defense menu bar.

Cloud Explorer

Cloud Explorer, also known as Explorer, is designed to provide users with a graphical visualization of their cloud assets and their relationships. It offers a comprehensive view of the network topology, including components such as service VPCs, VPC/VNets, subnets, and instances. This visualization helps users manage the structure and interconnections of resources within a single interface. Explorer is beneficial for users who want to visualize their cloud infrastructure, manage these assets and their interconnections, and protect them. To manage large amounts of cloud infrastructure and connections, you can create them manually or use Terraform.

The key features of Cloud Explorer are:

  • Graphical representation: Displays a clear, visual topology of cloud resources, making it easier to comprehend the relationships between assets.

  • Interactive asset management: Enables users to interact with the graphical interface to manage and secure their resources effectively.

  • Integrated security posture: Enables users to build and enhance their security posture by protecting assets directly within the Cloud Explorer interface.

The benefits of Cloud Explorer are:

  • Enhanced visibility: Provides a unified view of all cloud assets and their interconnections, simplifying resource management.

  • Improved security: Allows users to secure their assets by creating service VPCs and gateways, and by protecting resources through easy drag-and-drop actions and drawing lines to connect assets.

  • Ease of use: Simplifies complex configurations with an intuitive interface, enabling users to take immediate actions on their assets.

  • Scenario-based utility: Particularly useful in scenarios where users need to understand resource relationships or enhance their security posture dynamically.

To access Cloud Explorer, navigate to Home > Explorer.

To create an account or select accounts to add to the viewer, click the icon ( ).

Figure 2. Cloud Explorer
View of the Explorer interface with components

Use these icons in the left pane to perform these actions:

  • Move (): Move your assets between the swimlanes by drag-and-drop actions.

  • Secure (): Secure your assets by forming connections between them and configuring them on the related screens. For example, click and drag on the Service VPC icon to form a line and connect it to the VPC in the next swimlane. Configure and protect the VPC in the relevant screen that opens up.

  • Add SVPC (): Click the icon and drop a service VPC into the Service VPC swimlane. This opens a drawer for Create Service VPC where you can provide details.

  • Add Gateway (): Click the icon and drop a gateway into the swimlane. This opens a drawer for Create Gateway where you can provide details.

  • Add Tags (): Add tags to selected objects. Click to select up to 3 tags to view in the display.

The central area or canvas contains swimlanes for Service VPCs, VPC/VNets, subnets, and instances. The assets that you include are displayed in the swimlanes. Click the asset and perform actions such as adding a gateway, protecting the asset, or creating a policy for the asset. You can also click an asset to expand or collapse the view of all the asset's connections.