
BlastShield Documentation

AWS Gateway configuration

This article explains how to configure an AWS virtual BlastShield™ Gateway after you have installed it.

Summary

There are three main steps to this workflow as described below.

  1. Create Endpoints on the Gateway for your virtual instances.

  2. Configure a security group for your protected instances which allows inbound traffic from the BlastShield™ Gateway. Add this security group to each protected endpoint.

  3. Configure access policy for zero trust access and micro-segmentation in the Orchestrator.

This process is explained in more detail in the following steps.

Step 1: Create Endpoints on the Gateway for your EC2 instances.

For each of the EC2 instances that you want to securely connect to the BlastShield™ Gateway, you must create a corresponding Endpoint for it on the Gateway.

Follow this procedure to learn how to create an Endpoint on the Gateway for each virtual instance that you want to protect. From the Orchestrator, perform the following:

  1. In the Orchestrator, select the AWS Gateway and click on the Endpoints tab.

  2. Click the 'Add New Endpoint' button and click on the 'Endpoint Enabled' button.

  3. Enter a name for the Endpoint in the Name field.

  4. In the DNS Hostname field, enter a hostname for the BlastShield Network.

  5. In the Destination field, enter the EC2 instance's Private IPv4 address or hostname.

  6. Click on 'Save Changes'.

  7. The status of the Endpoint will show as 'Online'.

    (Screenshot: add-new-endpoint.png)

Now move on to the next step to configure the AWS security groups.

Step 2: Modify the AWS Endpoint Security Group

You must now modify the Endpoint Security Group rules in AWS to allow inbound access from the BlastShield™ Gateway. From the AWS EC2 Console, perform the following:

  1. Select the Endpoint instance's Security Tab. From the 'Security details' table select the Security Group.

  2. Click on the 'Inbound rules' tab and then click on 'Edit inbound rules'.

  3. Add a new rule to allow all traffic from the BlastShield™ Gateway Security Group and click on 'Save rules'.

    (Screenshot: Endpoint-inbound-security-group.png)
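One way to verify the result of this step from the protected instance's security-group description, as an added example that is not BlastShield code: the group ids are placeholders, and the sample is constructed in the shape of `aws ec2 describe-security-groups` output. Any CIDR-based inbound rule is reported, because such a rule lets traffic reach the instance without passing through the Gateway.

```python
"""Audit a protected instance's security group: after Step 2 it should admit
inbound traffic only from the BlastShield Gateway's security group."""

GATEWAY_SG_ID = "sg-0gateway0000000001"  # placeholder: the Gateway's security group id

# Constructed sample in the shape of `aws ec2 describe-security-groups` output:
# the Step 2 rule is present, but a stray SSH-from-anywhere rule bypasses the Gateway.
SAMPLE_ENDPOINT_SG = {
    "GroupId": "sg-0endpoint000000001",  # placeholder: the protected instance's group
    "IpPermissions": [
        {
            "IpProtocol": "-1",  # all traffic, as Step 2 requires
            "IpRanges": [], "Ipv6Ranges": [],
            "UserIdGroupPairs": [{"GroupId": GATEWAY_SG_ID}],
        },
        {
            "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
            "UserIdGroupPairs": [],
        },
    ],
}


def audit_endpoint_sg(sg: dict, gateway_sg_id: str) -> list:
    """Return findings; an empty list means only the Gateway can reach the instance."""
    findings = []
    gateway_rule_found = False
    for rule in sg.get("IpPermissions", []):
        proto = rule.get("IpProtocol")
        scope = "all" if proto == "-1" else f"{proto} {rule.get('FromPort')}-{rule.get('ToPort')}"
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != gateway_sg_id:
                findings.append(f"inbound {scope} from other group {pair.get('GroupId')}")
            elif proto == "-1":
                gateway_rule_found = True
            else:  # Gateway rule exists but is narrower than Step 2 asks for
                findings.append(f"Gateway rule limited to {scope}, not all traffic")
        for r in rule.get("IpRanges", []):  # any CIDR source bypasses the Gateway
            findings.append(f"inbound {scope} from CIDR {r['CidrIp']}")
        for r in rule.get("Ipv6Ranges", []):
            findings.append(f"inbound {scope} from CIDR {r['CidrIpv6']}")
    if not gateway_rule_found:
        findings.insert(0, f"no all-traffic inbound rule from Gateway group {gateway_sg_id}")
    return findings

if __name__ == "__main__":
    for finding in audit_endpoint_sg(SAMPLE_ENDPOINT_SG, GATEWAY_SG_ID):
        print("FINDING:", finding)
```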

Since BlastShield™ is a zero-trust solution, you will now need to configure an access policy. Move onto the next steps to learn how to do this.

Step 3: Configure access policy

Next you must add the Endpoints to a Group and then add that Group to a Policy to enable access to the Endpoint.

To do this, perform the following steps in the Orchestrator to first create groups and then create a policy:

A BlastShield™ policy works by linking two groups: typically one that defines a group of users, and a second that defines a group of Endpoints and/or Host Agents. This approach also allows machine-to-machine policy. The groups micro-segment the assets and the users, and the two groups are linked by a policy which defines the connectivity permissions between them. The following section explains how to create a group and add members to it. You may create multiple policies and groups.

Summary
  • Create a group for the Gateway endpoints and/or Host Agents

  • Create a group for the users

  • Link the two groups with a policy to define the connection permissions between the two groups.

The following section describes how to create the groups.

Create Groups
  1. From the Orchestrator, select "Groups" from the left menu.

  2. Select "Add New Group" from the Group List.

  3. Enter a name for the new Group.

  4. To add members to the new group, click the "Add Members" button.

    1. If you are adding users to the group, then select the desired Users which you want to be associated with the Group from the "Users" box.

    2. If you are adding Agents to the group then select the desired Agents which you want to be associated with the Group from the "Agents" box.

    3. If you are adding Gateway Endpoints then select the desired Endpoints from the "Endpoints" box.

    4. Alternatively, you can leave the members list empty and add/modify new members later.

  5. Click "Add Members" to save the members.

  6. Click "Save" to save the new group.

  7. Repeat, if required, to ensure you have one group for your endpoints and one group for your users, which is the minimum you will need in order to define the access policy.

Please refer to the following video, which is an example of creating one group for your users and one group for Host Agents.

To connect your user groups and protected server groups, you must link them with a policy as described here:

Note

Users and Agents must be a member of a group for them to be used in a policy.

  1. Select "Policies" from the left menu.

  2. Select "Add New Policy" from the Policy List.

  3. Enter a name for the new Policy.

  4. Select desired "From" Groups to be associated with the new Policy.

  5. Select desired "To" Groups to be associated with the new Policy.

  6. Save the new Policy.

Policies are directional, so that you can control the direction in which connections may be initiated. Typically for remote access use-cases your policy would be from the "user group" to the "server group" so that users may start connections to the servers, but servers cannot start connections to users. You can create bi-directional permissions by using two policies.

The following video shows an example of creating an access Policy between a group of remote workers and a group of servers. The policy gives the remote workers authorisation to access the server group.