Setup with the Multicloud Defense Wizard

The Multicloud Defense Controller provides a SaaS-delivered centralized control plane to deploy and manage Multicloud Defense and its security policy.

The Setup guides you through the process of setting up Multicloud Defense security using a series of simple steps:

  • Connect your Account—This process onboards your cloud service provider account to Multicloud Defense, discovering regions and additional inventory and assets affiliated with your account.

  • Enable Traffic Visibility—The easy setup method enables log collection to understand traffic flow.

  • Secure Your Account—This procedure sets up a VNET or VPC, depending on the cloud account you have, and sets up Multicloud Defense Gateway to secure your experience.

For detailed instructions on getting started with Multicloud Defense, refer to the Cisco Multicloud Defense Getting Started Guide.

Connect Cloud Account

Onboard one or more cloud accounts into Multicloud Defense as the first step. This enables the Multicloud Defense Controller to interact with each account by discovering inventory, enabling traffic and logs, orchestrating security deployment, and managing policy.

Use these procedures to connect your cloud service provider account to the Multicloud Defense Controller.

Connect An AWS Account

Use this procedure to connect to an AWS subscription through Multicloud Defense's easy setup wizard.

Before you begin

  • An active Amazon Web Services (AWS) account is required.

  • An Admin or Super Admin user role is required in your Security Cloud Control tenant.

  • Multicloud Defense must be enabled for your Security Cloud Control tenant.


Note

Multicloud Defense Controller version 23.10 defaults to IMDSv2 in the AWS EC2 instance when using Multicloud Defense Gateway version 23.04 or newer. For more information about the difference between IMDSv1 and IMDSv2, refer to the AWS documentation.


Procedure


Step 1

From the Multicloud Defense Controller dashboard, click Setup located to the left of the window.

Step 2

Select Connect Account.

Step 3

Select the AWS icon.

Step 4

Enter the information in the modal:

  1. Click Launch Stack to download and deploy our CloudFormation template. This should open up another tab to deploy the template.

  2. Log in to AWS. Copy and paste the controller IAM role ARN from the CloudFormation stack output in the CloudFormation template.

  3. In the Multicloud Defense Controller easy setup modal, enter the AWS Account Number. This number can be found in the output value Current Account of the CloudFormation Template.

  4. Assign an Account Name to your account in the Multicloud Defense Controller.

  5. (Optional) Enter an account Description.

  6. Enter the External ID. This random string is for the IAM role's trust policy used in the controller IAM role. You can edit or regenerate the External ID.

  7. Enter the Controller IAM Role. This is the IAM role created for the Multicloud Defense Controller during CloudFormation Template (CFT) deployment. Look for the output value MCDControllerRoleArn in the CFT stack. It should be something similar to this: arn:aws:iam::<Acc Number>:role/ciscomcdcontrollerrole.

  8. Enter the Inventory Monitor Role. This is the IAM role created for Multicloud Defense Inventory during CFT deployment. Look for the output value MCDInventoryRoleArn in the CFT stack. It should be something similar to this: arn:aws:iam::<Acc Number>:role/ciscomcdinventoryrole.
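Before pasting the CloudFormation outputs from Step 4 into the modal, it is worth cross-checking them the way this added Python example does (it is not Cisco's code or part of the CFT): it verifies that both role ARNs belong to the account number you entered and carry the expected role names, and that the role's trust policy really conditions sts:AssumeRole on the External ID. The stack outputs and the trust-policy document are constructed samples, and the principal in the trust policy is a placeholder; the real controller role's trust policy is an assumption here, not something taken from the page.

```python
"""Consistency checks for the controller CFT outputs (Steps 4.2-4.8)
before they are pasted into the Multicloud Defense onboarding modal.
Added example; the trust policy is a constructed sample in the standard
AWS cross-account shape, not the CFT's actual document."""
import json
import re

# arn:aws:iam::<Acc Number>:role/<name>; an AWS account number is 12 digits.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")

# CFT output keys and the role names the page says they should contain.
EXPECTED_ROLE_NAMES = {
    "MCDControllerRoleArn": "ciscomcdcontrollerrole",
    "MCDInventoryRoleArn": "ciscomcdinventoryrole",
}

def parse_role_arn(arn):
    """Return (account_id, role_name), or raise ValueError for a malformed ARN."""
    m = ROLE_ARN_RE.match(arn.strip())
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn!r}")
    return m.group(1), m.group(2)

def check_stack_outputs(outputs, expected_account):
    """Cross-check stack outputs against the account number typed into the
    modal. Returns a list of problems; an empty list means all consistent."""
    problems = []
    if outputs.get("CurrentAccount") != expected_account:
        problems.append("CurrentAccount output differs from the account number entered")
    for key, role_name in EXPECTED_ROLE_NAMES.items():
        arn = outputs.get(key)
        if arn is None:
            problems.append(f"missing stack output {key}")
            continue
        try:
            account, name = parse_role_arn(arn)
        except ValueError as err:
            problems.append(str(err))
            continue
        if account != expected_account:
            problems.append(f"{key} belongs to account {account}, not {expected_account}")
        if name != role_name:
            problems.append(f"{key} names role {name!r}, expected {role_name!r}")
    return problems

def external_id_is_enforced(trust_policy, external_id):
    """True only if every Allow sts:AssumeRole statement in the role's trust
    policy is conditioned on the External ID shown in the modal. An
    unconditioned grant is the confused-deputy gap the External ID closes."""
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    statements = doc.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    saw_assume_role = False
    for st in statements:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        saw_assume_role = True
        condition = st.get("Condition", {}).get("StringEquals", {})
        if condition.get("sts:ExternalId") != external_id:
            return False
    return saw_assume_role

# Constructed sample values standing in for a real stack's outputs.
SAMPLE_ACCOUNT = "123456789012"
SAMPLE_OUTPUTS = {
    "CurrentAccount": SAMPLE_ACCOUNT,
    "MCDControllerRoleArn": f"arn:aws:iam::{SAMPLE_ACCOUNT}:role/ciscomcdcontrollerrole",
    "MCDInventoryRoleArn": f"arn:aws:iam::{SAMPLE_ACCOUNT}:role/ciscomcdinventoryrole",
}
SAMPLE_EXTERNAL_ID = "constructed-external-id-0001"
SAMPLE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # placeholder principal
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": SAMPLE_EXTERNAL_ID}},
}]}

if __name__ == "__main__":
    print("problems:", check_stack_outputs(SAMPLE_OUTPUTS, SAMPLE_ACCOUNT))
    print("external id enforced:", external_id_is_enforced(SAMPLE_TRUST_POLICY, SAMPLE_EXTERNAL_ID))
```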

Step 5

Click Next to onboard your account to the Multicloud Defense Controller.


What to do next

Before continuing, manually accept the AWS Marketplace Terms of Service in the AWS dashboard. Without the acceptance, the Multicloud Defense Controller cannot wholly communicate with the cloud service provider.

Once you connect the account, Multicloud Defense Controller automatically starts to discover assets and inventory associated with the cloud service provider account. Note that this is different from discovering traffic. Because Multicloud Defense Controller discovers account assets and inventory by default, the next step in this wizard is to Enable traffic visibility.

Connect Azure Account

Use this procedure to connect to an Azure subscription through Multicloud Defense Controller's easy setup wizard:

Before you begin

  • You must have an active Azure subscription.

  • You must have an Admin or Super Admin role in your Security Cloud Control tenant.

  • You must enable Multicloud Defense for your Security Cloud Control tenant.

Procedure


Step 1

In the Security Cloud Control dashboard, click the Multicloud Defense tab located in the left navigation pane.

Step 2

Click Multicloud Defense Controller located in the upper right window.

Step 3

From the Multicloud Defense Controller dashboard, click Setup located to the left of the window.

Step 4

Select Connect Account.

Step 5

Select the Azure icon.

Step 6

Enter the required information:

  1. Click the link to open an Azure Cloud Shell in bash mode.

  2. In the Azure account modal, click Copy to copy the onboarding script and execute it in the bash shell that was opened in step 1.

  3. In the Azure account modal, provide a name for this Azure account. You can choose to name this the same as your Azure subscription name. This name is visible on the Multicloud Defense Controller accounts page only.

  4. (Optional) Provide a description for the subscription.

  5. Enter the Directory ID, also referred to as the Tenant ID.

  6. Enter the Subscription ID for the subscription being onboarded.

  7. Enter the Application ID, also referred to as the Client ID, created by the onboarding script.

  8. Enter the Client Secret, also referred to as the Secret ID.

Step 7

Click Next.


What to do next

Once you connect the account, Multicloud Defense Controller automatically starts to discover assets and inventory associated with the cloud service provider account. Note that this is different from discovering traffic. Because Multicloud Defense Controller discovers account assets and inventory by default, the next step in this wizard is to Enable traffic visibility.

Connect Google Cloud Platform Account

Use this procedure to onboard a singular GCP project as an account using the Multicloud Defense Controller's easy setup wizard:

Before you begin

  • You must have an active Google Cloud Platform (GCP) project.

  • Ensure you have the permissions required to create VPCs, subnets, and a service account within your GCP project. For more information, refer to the GCP documentation.

  • You must have an Admin or Super Admin role in your Security Cloud Control tenant.

  • You must enable Multicloud Defense for your Security Cloud Control tenant.

Procedure


Step 1

In the Multicloud Defense Controller dashboard, click Setup.

Step 2

Select Connect Account.

Step 3

Select the GCP icon.

Step 4

Click Cloud Platform Cloud Shell to launch the Cloud Shell. You can also log into your GCP account and launch the Cloud Shell from the project to connect to Multicloud Defense; note that the script automatically modifies the project name to the name of the project you launch the cloud shell from.

  1. Copy the command generated in the Multicloud Defense Controller easy setup modal and paste the command into the Cloud Shell. Execute it to initiate the onboarding process. This script automatically creates user accounts enabling Multicloud Defense Controller to communicate directly with your GCP project.

  2. If you have multiple GCP projects, you are prompted to select the project through a numbered list. Select the value for the project you want to connect and submit.

  3. When prompted with Continue configuring this project? [y/n], note that you only need to type either "y" or "n". Do not press Enter to submit your selection.

If the GCP project you are connecting to Multicloud Defense has been previously onboarded, you may get an error about the GCP cloud storage bucket already existing. If reusing that bucket is not acceptable, create a new storage bucket in your GCP account to hold the flow logs for this project after it is connected to Multicloud Defense.

Step 5

Enter the required information:

  1. Enter the GCP Account Name. This name is displayed only in Multicloud Defense.

  2. (Optional) Enter a Description.

  3. Enter the Project ID for the GCP project. This can be found at the top of the private key generated by the script from step 1.

  4. Enter the Client Email for the service account created as part of the onboarding process. This is included in the private key generated by the script from step 1.

  5. Copy and paste the Private key of the service account from the script output.

Step 6

Click Next.


What to do next

GCP does not automatically include the regions your project is configured for. After your project is connected to Multicloud Defense, we strongly recommend navigating to Inventory > Inventory to manually modify and add any and all appropriate regions.

Once you connect the account, Multicloud Defense Controller automatically starts to discover assets and inventory associated with the cloud service provider account. Note that this is different from discovering traffic. Because Multicloud Defense Controller discovers account assets and inventory by default, the next step in this wizard is to Enable traffic visibility.

Connect to an OCI Account

Review the procedures to prepare your OCI account before connecting it to Multicloud Defense.

Prepare Your OCI Account

This procedure automates the connection between Multicloud Defense and your OCI account and then creates a policy with the correct permissions. Without the necessary permissions provided in this procedure, certain features are unavailable.

Execute this procedure to connect to an Oracle Cloud (OCI) account using Multicloud Defense's setup wizard:

Procedure

Step 1

Log in to your OCI tenant.

Step 2

Navigate to Identity & Security > Groups.

Step 3

Click Create Group.

Step 4

Enter the following:

  • Name: Multicloud Defense-controller-group

  • Description: Multicloud Defense Group

Step 5

Click Create.

Step 6

Create a Network Firewall Policy in OCI. For more information, refer to the OCI documentation. Include this information when creating the policy:

  • Name: Multicloud Defense-controller-policy.

  • Description: Multicloud Defense Policy.

  • Compartment: [Must be the "root" Compartment].

  1. Add the following permissions under the Show Manual Editor tab:

    Allow group <group_name> to inspect instance-images in compartment <compartment_name>
    Allow group <group_name> to read app-catalog-listing in compartment <compartment_name>
    Allow group <group_name> to use volume-family in compartment <compartment_name>
    Allow group <group_name> to use virtual-network-family in compartment <compartment_name>
    Allow group <group_name> to manage volume-attachments in compartment <compartment_name>
    Allow group <group_name> to manage instances in compartment <compartment_name>
    Allow group <group_name> to {INSTANCE_IMAGE_READ} in compartment <compartment_name>
    Allow group <group_name> to manage load-balancers in compartment <compartment_name>
    Allow group <group_name> to read marketplace-listings in tenancy
    Allow group <group_name> to read marketplace-community-listings in tenancy
    Allow group <group_name> to inspect compartments in tenancy
    Allow group <group_name> to manage app-catalog-listing in compartment <compartment_name>
    Allow group <group_name> to read virtual-network-family in tenancy
    Allow group <group_name> to read instance-family in tenancy
    Allow group <group_name> to read load-balancers in tenancy

    • group_name: Multicloud Defense-controller-group.

    • compartment_name: [Compartment where Multicloud Defense will be deployed].

      Note

      When replacing <compartment_name> with the name of the compartment where the policy will apply, if the compartment is a sub-compartment, the name format is compartment:sub-compartment (for example, Prod:App1).

      If <compartment_name> is specified as the root compartment (e.g., multicloud (root)), OCI will not accept the policy and will produce an error: Invalid parameter. The policy must be defined for a specific compartment, and that compartment cannot be the root compartment.

  2. Click Create.
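The statements above are a template, and the note's compartment-name rules are easy to get wrong by hand. This added Python example (not Cisco's code or the onboarding script) renders the Step 6 policy for a chosen group and compartment, rejects the root compartment and accepts the compartment:sub-compartment form, and then lints the result so that mutating verbs (use, manage) stay scoped to the compartment rather than the tenancy, which is the shape the page's statement list has. The root-compartment test (a name given as "root" or ending in "(root)") and the allowed segment characters are this example's assumptions, not OCI API checks.

```python
"""Render and lint the OCI IAM policy from Step 6 for a given group and
compartment. Added example; statement list copied from the page, the
root-compartment and segment-character rules are this example's own."""
import re

# Statements exactly as listed in Step 6; the "in tenancy" ones take no compartment.
STATEMENT_TEMPLATES = [
    "Allow group <group_name> to inspect instance-images in compartment <compartment_name>",
    "Allow group <group_name> to read app-catalog-listing in compartment <compartment_name>",
    "Allow group <group_name> to use volume-family in compartment <compartment_name>",
    "Allow group <group_name> to use virtual-network-family in compartment <compartment_name>",
    "Allow group <group_name> to manage volume-attachments in compartment <compartment_name>",
    "Allow group <group_name> to manage instances in compartment <compartment_name>",
    "Allow group <group_name> to {INSTANCE_IMAGE_READ} in compartment <compartment_name>",
    "Allow group <group_name> to manage load-balancers in compartment <compartment_name>",
    "Allow group <group_name> to read marketplace-listings in tenancy",
    "Allow group <group_name> to read marketplace-community-listings in tenancy",
    "Allow group <group_name> to inspect compartments in tenancy",
    "Allow group <group_name> to manage app-catalog-listing in compartment <compartment_name>",
    "Allow group <group_name> to read virtual-network-family in tenancy",
    "Allow group <group_name> to read instance-family in tenancy",
    "Allow group <group_name> to read load-balancers in tenancy",
]

# Grammar of the statements above: verb, optional resource, compartment or tenancy scope.
STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>.+?) to (?P<verb>inspect|read|use|manage|\{[A-Z_]+\})"
    r"(?: (?P<resource>[a-z-]+))? in (?:compartment (?P<compartment>\S+)|(?P<tenancy>tenancy))$"
)
SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")  # assumed allowed compartment-name characters


def validate_compartment_name(name):
    """Return the compartment path or raise ValueError. 'Prod:App1' addresses
    sub-compartment App1 under Prod; the root compartment is rejected because
    OCI answers 'Invalid parameter' for a policy that targets it."""
    name = name.strip()
    if name.lower() == "root" or name.lower().endswith("(root)"):
        raise ValueError("policy cannot target the root compartment; choose a specific compartment")
    for segment in name.split(":"):
        if not SEGMENT_RE.match(segment):
            raise ValueError(f"invalid compartment path segment {segment!r} in {name!r}")
    return name


def render_policy(group_name, compartment_name):
    """Substitute the placeholders and return the policy as a list of statements."""
    compartment = validate_compartment_name(compartment_name)
    return [t.replace("<group_name>", group_name).replace("<compartment_name>", compartment)
            for t in STATEMENT_TEMPLATES]


def lint_policy(statements):
    """Least-privilege check: every statement must parse, and the mutating verbs
    'use' and 'manage' must be compartment-scoped, never tenancy-scoped.
    Returns a list of findings; empty means the policy keeps the page's shape."""
    findings = []
    for statement in statements:
        m = STATEMENT_RE.match(statement)
        if not m:
            findings.append(f"unparseable statement: {statement}")
            continue
        if m.group("tenancy") and m.group("verb") in ("use", "manage"):
            findings.append(f"{m.group('verb')} granted at tenancy scope: {statement}")
    return findings


if __name__ == "__main__":
    policy = render_policy("Multicloud Defense-controller-group", "Prod:App1")
    print("\n".join(policy))
    print("lint findings:", lint_policy(policy))
```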

Step 7

Create a user in OCI. For more information, refer to the OCI documentation. Provide the configuration information when creating a user:

  • Name: Multicloud Defense-controller-user

  • Description: Multicloud Defense User

Step 8

Create an API Key. For more information, refer to the OCI documentation.

Download both the private key and the public key before adding the API Key.

Step 9

Accept the Terms and Conditions for an OCI account. For more information, refer to the OCI documentation. Be sure to open the Change image section of the UI and add the following "community image" information specific to Multicloud Defense:

  1. Check the box for Multicloud Defense.

  2. Check the box for I have reviewed and accept the Publishers terms of use, Oracle Terms of Use, and the Oracle General Privacy Policy.

  3. Click Exit without deploying the image prior to connecting the account to Multicloud Defense.

    Repeat the steps for each compartment in which you plan to deploy a Multicloud Defense Gateway.


Connect Oracle Account

Use this procedure to connect to an OCI account using Multicloud Defense Controller's easy setup wizard:

Before you begin

  • You must have an existing Oracle Cloud (OCI) account.

  • Ensure your OCI account prerequisites are completed before onboarding. For more information, refer to Prepare Your OCI Account.

  • You must have an Admin or Super Admin role in your Security Cloud Control tenant.

  • You must enable Multicloud Defense for your Security Cloud Control tenant.

Procedure

Step 1

In the Multicloud Defense Controller dashboard, click Setup.

Step 2

Select Connect Account.

Step 3

Select the OCI icon.

Step 4

Click Oracle Cloud Shell to launch the native shell prompt.

Step 5

Run the command from the Multicloud Defense Setup wizard in your cloud shell.

This command automates the process of creating an IAM policy, an OCI group, and an OCI user that facilitate the communication between your OCI account and Multicloud Defense.

Step 6

Enter the required information:

  1. Enter an OCI Account Name. This name is used only within the Multicloud Defense Controller, for identification purposes.

  2. (Optional) Enter a Description of your account.

  3. Enter your Tenancy OCID. This is your Tenancy Oracle Cloud Identifier obtained from the OCI User.

  4. Enter the Private Key that is assigned to the OCI User.

Step 7

Click Next.


What to do next

Once you connect the account, Multicloud Defense Controller automatically starts to discover assets and inventory associated with the cloud service provider account. Note that this is different from discovering traffic. Because Multicloud Defense Controller discovers account assets and inventory by default, the next step in this wizard is to Enable traffic visibility.

Enable Traffic Visibility

To understand traffic flows within your cloud account, enabling traffic visibility collects these types of logs:

  • VPC or VNet flow logs

  • DNS logs

  • Route53 query logging

Flow and DNS query logs help Multicloud Defense to understand traffic flow, correlate data with threat intelligence feeds, and gain insights into existing threats protected by Multicloud Defense.

Enabling traffic visibility varies by cloud account type. Identify the characteristics of your cloud account, including the region, VPC/VNet for monitoring, network security groups, and a cloud storage account for logs.


Note

Multicloud Defense does not support traffic visibility for OCI at this time. As an alternative to this procedure, enable asset discovery: Multicloud Defense identifies and collects metadata for assets from an external environment, and the collected data forms an inventory that can be used to assist migration. For more information, refer to Enable Asset Discovery and Inventory.


Enable Traffic for an AWS Account

Use this procedure to enable traffic visibility for an AWS account using the Setup wizard:

Procedure


Step 1

In the Multicloud Defense Controller portal click Setup in the left navigation bar.

Step 2

In the setup wizard, click Enable Traffic Visibility.

Step 3

Enter the required information into the modal:

  1. CSP Account - Use the drop-down menu to select the cloud service provider account to which Multicloud Defense Controller deploys the Service VPC/VNet.

  2. Region - Use the drop-down menu to select the region where the cloud service provider you selected is located.

  3. VPCs - Scroll through the table of available VPCs that are applicable to the type of cloud service provider you selected and check the appropriate VPC. If the VPC does not appear, click the Refresh icon to update the list.

  4. S3 Bucket - Use the drop-down menu to select an existing S3 bucket from your account; this bucket stores DNS queries and VPC/VNet flow logs. The S3 bucket must already exist in your account.

Step 4

Click Next.


What to do next

Ensure your account is secure.

Enable Traffic for an Azure Account

Use this procedure to enable traffic visibility for an Azure account from the Setup wizard:

Procedure


Step 1

In the Multicloud Defense Controller portal click Setup in the left navigation bar.

Step 2

In the setup wizard, click Enable Traffic Visibility.

Step 3

Enter the required information into the modal:

  1. CSP Account - Use the drop-down menu to select the cloud service provider account to which Multicloud Defense Controller deploys the Service VPC/VNet.

  2. Region - Use the drop-down menu to select the region where the cloud service provider you selected is located.

  3. Copy and run the script. If you are re-onboarding an Azure account and are reusing a cloud storage bucket, the script does not automatically create a new storage bucket. Use the default, or preexisting storage bucket. Otherwise, create a new storage bucket in the Azure dashboard or manually edit the script command before executing it to include the storage bucket name for the flow logs.

  4. Virtual Network (VNet) - Select at least one VNet for traffic to be visible on. Scroll through the table of available VNets applicable to the type of cloud service provider you selected, and check the appropriate one. Note that if you do not immediately see the VNet, click the Refresh icon to refresh the current list.

    Note

    You may see existing NSG Flow Logs, which will be supported by Multicloud Defense until they are deprecated by Microsoft Azure. You will no longer be able to create new NSG Flow Logs. Instead, you can create VNet Flow Logs.

  5. Storage Account - Enter the full Resource ID in the selected region.

Step 4

Click Next.


What to do next

Ensure your account is secure.

Enable Traffic for a GCP Project

Use this procedure to enable traffic visibility for a GCP account with the Setup wizard:

Procedure


Step 1

From the Security Cloud Control home page, choose Multicloud Defense.

Step 2

In the Multicloud Defense Controller portal click Setup in the left navigation bar.

Step 3

In the setup wizard, click Enable Traffic Visibility.

Step 4

Enter the required information into the modal:

  1. CSP Account - Use the drop-down menu to select the cloud service provider account to which Multicloud Defense Controller deploys the Service VPC/VNet.

  2. Cloud Storage - Select an available cloud storage bucket that has already been assigned to the GCP project you selected.

  3. Select VPC(s) - Select at least one VPC for traffic to be visible on. Scroll through the table of available VPCs that apply to the type of cloud service provider you selected, and check the appropriate VPC. Note that if you do not immediately see the VPC, click the Refresh icon to refresh the current list.

  4. Copy and run the script. Note that if you are re-onboarding a GCP project and reusing a cloud storage bucket, the script does not automatically create a new storage bucket. You can use the default or preexisting storage bucket. Otherwise, create a new storage bucket in the GCP dashboard or manually edit this script command before executing to include the storage bucket name for storing your GCP project's flow logs.

Step 5

Click Next.


What to do next

Ensure your account is secure.

Secure Your Account

Secure your account with a gateway deployed in either a centralized or a distributed model.

In a Centralized model, Multicloud Defense orchestrates the VPC or VNet and additional components, and deploys the gateway within this construct.

In a Distributed model, Multicloud Defense builds and deploys a gateway within the existing infrastructure that your network already has available.

Follow one of these procedures to secure your account.

Centralized Model: Add a VPC or VNet

Use the following procedure to create and add a VPC or VNet to house your gateway and secure your account:

Before you begin

You must have at least one cloud service provider connected to the Multicloud Defense Controller before you begin this wizard. This procedure may vary for different providers based on their required parameters.

Procedure


Step 1

In the left pane of the Multicloud Defense Controller portal, choose Home > Easy Setup.

Step 2

In the setup wizard, on the Secure Your Account section, click Secure Account.

Step 3

Select Centralized so it is highlighted.

Step 4

Click Next.

Step 5

Add a Service VPC/VNet:

  1. Name - Enter a name for the service VPC/VNet. Once created, this name is displayed in the Infrastructure > Gateways > VPCs/VNets page.

  2. (AWS only) CSP Account - Use the drop-down menu to select a cloud service provider account that is already connected to the Multicloud Defense Controller. The Service VPC/VNet is deployed to the selected account.

  3. Region - Use the drop-down menu to select the region where the selected cloud service provider is located.

  4. CIDR Block - Enter the unique value for the Transit Gateway that the Service VPC/VNet is attaching to.

  5. (GCP only) Datapath CIDR Block - Enter a valid CIDR block for the datapath VPC; it must not overlap with the spoke VPCs.

  6. (GCP only) Management CIDR Block - Enter a valid CIDR block for the management VPC.

  7. Availability Zones - Of the generated list, select at least one availability zone. We strongly recommend selecting two zones for best results.

  8. (Azure only) Resource Group - Use the drop-down menu to select a resource group to associate the gateway to. If there are none currently listed, you can Create Resource Group from this screen.

  9. (AWS only) Transit Gateway - Use the drop-down menu to select an available transit gateway for the VPC to associate with. If you do not have one available, click create_new to create a transit gateway from this window.

  10. (AWS and Azure only) Use NAT Gateway - check this option if you want all egress traffic to be directed through the NAT gateway. Multicloud Defense automatically creates a NAT gateway for each availability zone that is selected.

  11. (Azure only) If you want to attach a Virtual WAN (VWAN), in vWAN Attachment set the toggle to Enabled.

  12. (Azure only) From the vHub drop-down list, choose a hub.

  13. (Azure only) In the Associate Route Table drop-down list, select a route table to associate.

  14. (Azure only) In the Propagate Route Tables drop-down list, select route tables to propagate.

Step 6

Click Next.


What to do next

Add a Gateway.

Distributed Model

For a distributed gateway model, use the following procedures according to which cloud service provider you are using.

Azure Distributed Model: Create a Gateway

Use the following procedure to create a gateway for an Azure account with the distributed model:

Procedure

Step 1

In the Multicloud Defense Controller portal click Setup in the left navigation bar.

Step 2

In the setup wizard, click Secure Account.

Step 3

Select Distributed so it is highlighted.

Step 4

Click Next.

Step 5

Enter the following Gateway Information:

  1. Account - Use the drop-down menu to select an Azure account you want to deploy the gateway to.

  2. Name - Enter a name for the gateway. This name is displayed in the Infrastructure > Gateways > Gateways page.

  3. (Optional) Description - Enter a description for the gateway that might help identify it from other gateways.

  4. Instance Type - Use the drop-down menu to select the instance type that deploys the Gateway.

  5. Minimum Instances - Select the minimum number of instances deployed in the auto scaling group per availability zone.

  6. Maximum Instances - Select the maximum number of instances deployed in the auto scaling group per availability zone.

  7. HealthCheck Port - Enter the healthcheck port number. Multicloud Defense Controller uses 65534 as the default value.

  8. User Name - Enter the user name used to access the gateway once created.

  9. Packet Capture Profile - Use the drop-down menu to select where packets are stored in the cloud storage bucket. If there are no options listed, click Create Packet Capture Profile to create one from this window.

  10. Log Profile - Use the drop-down menu to select which cloud service provider is used to forward logging to.

  11. Metrics Profile - Use the drop-down menu to select an entity to forward metrics to. If there are no options listed, click Create Metrics Forward Profile to create one from this window.

  12. NTP Profile - Use the drop-down menu to select the NTP profile associated with the gateway. If there are no options listed, click Create to create one from this window.

  13. Security - Select the type of traffic flow your gateway is expected to handle. Ingress security targets traffic that flows from the public internet to a private network; east-west & egress security targets traffic that is outbound from your private network and traffic that moves between your data centers.

  14. Gateway Image - Use the drop-down menu to select the gateway image to be deployed to the gateway.

  15. Policy Ruleset - Use the drop-down menu to select a policy ruleset to be deployed and start processing traffic. If there is no ruleset listed, click Create new to create a policy ruleset from this window.

  16. Region - Use the drop-down menu to select the region your gateway is deployed to.

  17. VPC/VNet ID - Use the drop-down menu to select the VPC where the gateway is deployed to.

  18. Key Selection - Select either an SSH Public key or an SSH Key Pair. Enter the value that is applied to the gateway in the next text field.

  19. Resource Group - Use the drop-down menu to select an existing resource group that is applied to the gateway.

  20. User Assigned Identity ID - Enter a valid value.

  21. Mgmt. Security Group - Use the drop-down menu to select a security group used for the gateway management interface. Note that if you select a Multicloud Defense-created service VPC, a security group is created specifically for management.

  22. Datapath Security Group - Use the drop-down menu to select a security group used for the gateway datapath interface. If selecting Multicloud Defense-created service VPC, a security group is created specifically for the datapath.

  23. Disk Encryption - Enable disk encryption with either the Azure managed encryption or a customer-managed encryption key. Note that if you opt for a customer-managed encryption key, you need to create and deploy an IAM policy for successful deployment.

  24. Availability Zone - Use the drop-down menu to select an availability zone.

  25. Mgmt. Subnet - Use the drop-down menu to select a management subnet for the management interface.

  26. Datapath Subnet - Use the drop-down menu to select a datapath subnet for the datapath interface.

    To add more instance types, click the "+" icon. Subsequently, you can remove additional instance types with the "-" icon.

Step 6

Click Next.

Step 7

Enter details for Advanced Settings.

Step 8

Click Next.

Step 9

Review.


What to do next