BlastShield™ Gateway Installation in AWS

The BlastShield Gateway is an in-line protection instance that will be deployed in front of protected assets or applications. The gateway software may be deployed on x86 platforms or selected cloud infrastructures such as AWS.

Installation of a new gateway instance in AWS requires the following primary workflows:

  1. Create the AWS networking infrastructure.
  2. Create the BlastShield Gateway instance and launch it in AWS.
  3. Configure the AWS security groups.

This article covers step (2) and describes how to launch the BlastShield Gateway instance in the AWS cloud infrastructure. You must complete step (1) before starting step (2).

Preparation

The following requirements apply:

  • The BlastShield Orchestrator is running and configured
  • You have a working account for the Orchestrator with read/write access
  • You have a working AWS account and admin rights to add and configure VPC and EC2 instances
  • You have been granted permissions to use the BlastShield Gateway AMI

Step 1: Create a new Gateway in the Orchestrator

Performed by the BlastShield Orchestrator Administrator.

  • Name your Gateway and set the address mode as IP Address (NAT).
  • Save and download the invitation BSI file.
  • The BSI file will be needed later during the configuration of the gateway AMI.

Step 2: Launch the BlastShield AMI instance

Performed by the AWS Administrator.

From the EC2 Console:

  • Choose Launch instance.
  • From the Choose an AMI window, select the BlastShield image from My AMIs.

Step 3: Choose an instance type

Performed by the AWS Administrator.

It’s important to use the correct instance type.

Select a t3.small instance and then click Next: Configure Instance Details.

Step 4: Configure instance details

Performed by the AWS Administrator.

Use the following values to configure the instance:

  • Network: use the VPC name which you created previously.
  • Subnet: Choose the BlastShield Public subnet.
  • Auto-assign public IP: Enable

Step 5: Add the BSI file

Performed by the AWS Administrator.

Add the gateway BSI file in this step:

  • Select User Data.
  • Choose As file.
  • Select the BSI file for the gateway which you downloaded from the Orchestrator.

Step 6: Configure network interfaces

Performed by the AWS Administrator.

You will now need to add a new network interface.

  • Select Add Device to add a new network interface Eth 1 for the protected private network.
  • For the new Eth 1 interface, choose the BlastShield Protected subnet.

Click Next: Add Storage.

Step 7: Configure Storage and Tags

Both of these may be left as default.

  • Add Storage: leave as default and click Next.
  • Add Tags: leave as default and click Next.

Step 8: Configure the security group

Performed by the AWS Administrator.

From the Assign a security group menu, select: Create a new security group.

Configure it as follows:

  • Type: Custom UDP
  • Protocol: UDP
  • Port range: 12345
  • Source: anywhere

Then click review and launch.

Step 9: Review and Launch the instance

Performed by the AWS Administrator.

  • Click launch.
  • Select an existing key pair and then click Launch Instances.
  • The instance will now launch.
  • Find your instance by searching for the VPC ID in the AWS EC2 console / Instances.
  • If necessary, add a name for your instance using the Edit Name dialogue box.

Step 10: Edit the networking of the instance

Performed by the AWS Administrator.

From the instance view, choose the Networking tab from the lower window.

Scroll down to the interfaces view and select the primary network interface (the public network).

The interface details open in a new window.

Add a name for the interface.

Then repeat for the second interface:

  • Return to the interfaces view and select the secondary network interface (the protected network).
  • Add a name for the second, private / protected interface.

Add a public IP to the public port of the instance. From the EC2 console / Elastic IPs, click Allocate Elastic IP address.

Configure the IP address:

  • Select Allocate a new public IPv4 address from Amazon’s pool of public IP addresses.
  • Select the new IP address and select the Actions / Associate Elastic IP address option.
  • The Allocate Elastic IP Address screen appears.
  • In the Network Interface field, select the BlastShield Gateway public interface.
  • Click Associate.

The allocated IP address is now associated with the gateway instance’s public interface.

Verify in the BlastShield Orchestrator that the Gateway comes online.

Step 11: Disable the source / destination check on the instance

Performed by the AWS Administrator.

The BlastShield Gateway is a NAT instance, so we must stop the source / destination check. A NAT instance forwards packets whose source or destination address is not its own, and AWS drops such packets while the check is enabled.

  • Select the gateway instance.
  • Right-click to select Change source/destination check.

The Source / destination check configuration window opens.

  • Select Stop.
  • Click Save.

Step 12: Configure the routes on the protected route table

Performed by the AWS Administrator.

From the AWS console / Virtual Private Cloud / Route Tables:

  • Select the BlastShield Protected route table.
  • Choose the Routes tab in the bottom table.
  • Click Edit routes.
  • Add a route for the 172.16.0.0/16 network and connect it to the BlastShield Gateway Protected interface.
  • Click Save routes.
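For teams that build AWS infrastructure as code, the AWS-side configuration of Steps 2 to 12 expressed in Terraform, as an added example that is not part of the original article or the vendor's own tooling. It assumes the networking workflow already created the VPC, subnets and protected route table, that their IDs together with the gateway AMI and an existing key pair are passed in the assumed `gw` map variable, and that the invitation file from Step 1 is saved as gateway.bsi beside the configuration.

```hcl
# Added example, not the vendor's code; var.gw holds the IDs assumed from earlier steps.
variable "gw" { type = map(string) } # vpc_id, public_subnet_id, protected_subnet_id, protected_route_table_id, ami_id, key_name
# Step 8: UDP 12345 from anywhere, as the article specifies; egress is declared because Terraform removes AWS's default allow-all egress rule.
resource "aws_security_group" "gateway" {
  name   = "blastshield-gateway"
  vpc_id = var.gw["vpc_id"]
  ingress {
    from_port   = 12345
    to_port     = 12345
    protocol    = "udp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Steps 3-5, 9, 11: t3.small in the public subnet, BSI file as user data, source/destination check stopped because the gateway forwards as a NAT.
resource "aws_instance" "gateway" {
  ami                    = var.gw["ami_id"]
  instance_type          = "t3.small"
  key_name               = var.gw["key_name"]
  subnet_id              = var.gw["public_subnet_id"]
  vpc_security_group_ids = [aws_security_group.gateway.id]
  source_dest_check      = false
  user_data_base64       = filebase64("${path.module}/gateway.bsi")
}
# Steps 6 and 10: eth1 on the protected subnet, named and attached as device index 1.
resource "aws_network_interface" "protected" {
  subnet_id = var.gw["protected_subnet_id"]
  tags      = { Name = "blastshield-gw-protected" }
}
resource "aws_network_interface_attachment" "protected" {
  instance_id          = aws_instance.gateway.id
  network_interface_id = aws_network_interface.protected.id
  device_index         = 1
}
# Step 10: Elastic IP associated with the primary (public) interface.
resource "aws_eip" "gateway" {
  domain            = "vpc"
  network_interface = aws_instance.gateway.primary_network_interface_id
}
# Step 12: 172.16.0.0/16 routes through the gateway's protected interface.
resource "aws_route" "protected_via_gateway" {
  route_table_id         = var.gw["protected_route_table_id"]
  destination_cidr_block = "172.16.0.0/16"
  network_interface_id   = aws_network_interface.protected.id
}
```

After `terraform apply`, verify in the Orchestrator that the gateway comes online exactly as in Step 10; the `domain = "vpc"` argument requires AWS provider v5 or later.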

Step 13: Add endpoints and configure policy

Performed by the BlastShield Orchestrator Administrator.

From the BlastShield Orchestrator you can now add endpoints for the EC2 instances you wish to connect to the BlastShield protected network, and then configure groups and add policy to allow connectivity.

When you add new AWS instances that you want to be protected by the BlastShield Gateway, they must be configured to be on the BlastShield VPC and in the BlastShield Protected Subnet.

See the following articles for further information on groups and policies, managing groups and managing policies. To find out about adding endpoints, see this article.
