Add cloud devices

Relevant for: AFA Administrators

This topic describes how to add an AWS account or an Azure subscription to AFA, to be managed and analyzed similarly to on-premises devices.

Note: Some of the Azure support functions are available in early availability mode. To learn more, please refer to https://www.algosec.com/docs/en/asms/a30.10/asms-help/content/afa-admin/enabling-disabling-early-availability.htm

AWS (Amazon Web Service) accounts in AFA

Add an AWS account to AFA to analyze data using the AWS access key ID you provide.

Analyzed data includes all of the security groups protecting EC2 instances and application load balancers (ALBs), from all AWS regions related to the configured access key. AFA separates these instances into groups called security sets. Each AWS security set is a group of instances or ALBs with the same security group and network ACLs, as well as network policies.

For details, see:

Network connection

The following diagram shows an ASMS Central Manager or Remote Agent connecting to an AWS account via HTTPS-REST (TCP/443).

Tip: ASMS also supports connecting to AWS via a proxy server, which can be configured when adding the device to AFA. For more details, see Define a device proxy.

Device access requirements for AWS

ASMS requires the following permissions for your AWS accounts:

Add an AWS account to AFA

Do the following:

  1. Access the DEVICES SETUP page. For details, see Access the DEVICES SETUP page.

  2. In the vendor and device selection page, select Amazon > Web Services (AWS) EC2.

  3. Configure the fields and options as needed.

  4. Click Finish. The new device is added to the device tree.

  5. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    To select multiple users, press the CTRL button while selecting.

    Click OK to close the dialog.

A success message appears to confirm that the account is added.

In the device tree, AWS accounts are shown in three levels: the user account, region/VPC, and security set.

For example:


Microsoft Azure subscriptions in AFA

When you add an Azure subscription to AFA, all VMs related to your subscription are represented in the device tree.

AFA separates the instances into groups called security sets. Each Azure security set is a group of VMs with the same security group and subnet security groups, as well as network policies. VMs with no security groups are assigned to a security set called Unprotected VMs. To enable accurate traffic simulation, AFA automatically creates a rule to allow all traffic for these VMs.
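As an added illustration of the security-set grouping described for AWS (above, under AWS accounts) and for Azure, the following script groups workloads by identical security groups plus identical subnet-level control (network ACL for AWS, subnet NSG for Azure) and places Azure VMs with no security group at all into Unprotected VMs with an allow-all rule. This is example code, not AlgoSec's implementation; the record fields, the sample inventory and the exact definition of "no security groups" are assumptions.

```python
from collections import defaultdict

# Constructed sample inventory (not real AWS/Azure data). "sgs" holds the security
# groups attached to the workload; "acl" / "subnet_nsg" is the subnet-level control.
AWS_INSTANCES = [
    {"id": "i-0001", "region": "us-east-1", "net": "vpc-a", "sgs": ["sg-web"], "acl": "acl-1"},
    {"id": "i-0002", "region": "us-east-1", "net": "vpc-a", "sgs": ["sg-web"], "acl": "acl-1"},
    {"id": "i-0003", "region": "us-east-1", "net": "vpc-a", "sgs": ["sg-web", "sg-ssh"], "acl": "acl-1"},
    {"id": "alb-1", "region": "eu-west-1", "net": "vpc-b", "sgs": ["sg-web"], "acl": "acl-2"},
]
AZURE_VMS = [
    {"id": "vm-1", "region": "westeurope", "net": "vnet-a", "sgs": ["nsg-app"], "subnet_nsg": "nsg-sub"},
    {"id": "vm-2", "region": "westeurope", "net": "vnet-a", "sgs": [], "subnet_nsg": None},
]


def security_set_key(rec, subnet_field):
    """Same security groups (order-independent) and same subnet-level control."""
    return (rec["region"], rec["net"], frozenset(rec["sgs"]), rec[subnet_field])


def build_security_sets(records, subnet_field, unprotected_name=None):
    """Group records into security sets: {key: {"members": [...], "rules": [...]}}.

    When unprotected_name is given (the Azure behaviour), a workload with neither a
    security group nor a subnet-level control lands in that set with an allow-all rule
    so traffic simulation treats it as open (assumed interpretation of the text).
    """
    sets = defaultdict(lambda: {"members": [], "rules": []})
    for rec in records:
        if unprotected_name and not rec["sgs"] and rec[subnet_field] is None:
            key = (rec["region"], rec["net"], unprotected_name)
            sets[key]["members"].append(rec["id"])
            sets[key]["rules"] = [{"action": "allow", "src": "any", "dst": "any", "service": "any"}]
            continue
        sets[security_set_key(rec, subnet_field)]["members"].append(rec["id"])
    return dict(sets)


def device_tree(top_level, sets):
    """Nest security sets as top level > region/VPC (or VNet) > security set."""
    tree = {top_level: defaultdict(dict)}
    for key, info in sets.items():
        label = key[2] if isinstance(key[2], str) else "+".join(sorted(key[2])) + f" / {key[3]}"
        tree[top_level][f"{key[0]}/{key[1]}"][label] = info["members"]
    return {top_level: dict(tree[top_level])}


if __name__ == "__main__":
    print(device_tree("aws-account", build_security_sets(AWS_INSTANCES, "acl")))
    print(device_tree("azure-sub", build_security_sets(AZURE_VMS, "subnet_nsg", "Unprotected VMs")))
```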

For more details, see:

Network connection

The following diagram shows an ASMS Central Manager or Remote Agent connecting to an Azure subscription via HTTPS-REST (TCP/443).

Tip: ASMS also supports connecting to Azure via a proxy server, which can be configured when adding the device to AFA. For more details, see Define a device proxy.

Device requirements for Azure

ASMS requires the following permissions for your Azure subscriptions:

Add a Microsoft Azure subscription to AFA

Do the following:

  1. In your Azure subscription, configure an Active Directory Application to use to connect to AFA.

    For details, see How to configure a Microsoft Azure Active Directory application in AlgoPedia.

  2. In AFA, access the DEVICES SETUP page. For details, see Access the DEVICES SETUP page.

  3. In the vendor and device selection page, select Microsoft > Azure.

  4. Configure the fields and options as needed.

  5. Click Finish.

    The new device is added to the device tree.

  6. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    To select multiple users, press the CTRL button while selecting.

    Click OK to close the dialog.

A success message appears to confirm that the subscription is added.

In the device tree, Azure has a three-tier hierarchy: subscription, region/VNet, and then security set.

For example:
