AWS Shared VPC Monitoring


An AWS shared VPC setup enables you to share and manage VPC subnets across multiple AWS accounts and to deploy resources into a shared, centrally managed network. To monitor such a network, configure multiple monitoring definitions that use the same VPC-ID but different AWS credentials. This lets you track the IP addresses of instances from every participating account within the shared VPC, which improves both security visibility and network management.
If you try to set up a monitoring definition using the same VPC-ID with the same credentials, the configuration window in Panorama displays a duplicate-entry error.

Prerequisites:

  • PAN-OS version 10.2.4 or above
  • AWS Plugin version 5.4.0

Setting Up Monitoring Definitions in AWS Shared VPC

To set up and enable monitoring of VM instances across multiple AWS accounts in a shared VPC, perform the following steps:
  1. Set up a shared VPC.
    1. Create the shared VPC in your AWS account (Account A in this example).
    2. Create a subnet within this shared VPC.
    3. Using AWS Resource Access Manager (RAM), share the subnet with the participating AWS account (Account B).
  2. Create virtual machines in the shared subnets in Account A and Account B. For example, create VM1 in Account A and VM2 in Account B within the shared subnet.
  3. Configure the IAM roles for cross-account access.
    1. In Account B, go to IAM > Roles > Create Role.
    2. Select AWS Account as the trusted entity type.
    3. Select Another AWS Account and enter Account A’s Account ID.
    4. Assign the AmazonEC2ReadOnlyAccess policy to the role.
    5. Note the Role ARN after creation.
  4. In Panorama, configure the AWS plugin for monitoring.
    1. In Panorama, go to AWS > NGFW > Set Up > IAM Roles.
    2. Select Account A’s IAM credentials for onboarding.
    3. Create the first monitoring definition using Account A’s IAM role and select the VPC-ID of the shared VPC.
    4. Verify that the AWS portal dashboard displays VM1’s IP address.
  5. Create a second monitoring definition for Account B.
    1. Create a new monitoring definition.
    2. Using Account A’s IAM role, create the new monitoring definition.
    3. Enter the Role ARN of Account B’s IAM role.
    4. Select the same shared VPC ID.
    5. After the monitoring retrieval process completes, verify that the AWS dashboard now also displays VM2’s IP address.
      You can also check VM2’s IP address in the Panorama Monitoring Definition Detailed Status window.
      If the VPC is shared with a third account, repeat the role creation in that account and note its Role ARN. Then create a third monitoring definition to harvest IP-tags from the third account. This gives you flexibility in how you scope device group configurations.
    For the three monitoring definitions that monitor the shared VPC in different accounts:
    • If firewalls are separate per account: Assign different plugin notify groups for each monitoring definition.
    • If firewalls are shared across accounts: Use the same plugin notify group for all monitoring definitions.
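The following helpers model the procedure above end to end: they generate the trust policy for the role created in Account B (step 3), review it before its Role ARN is pasted into Panorama, and plan the set of monitoring definitions for the shared VPC so that the same VPC-ID is never paired twice with the same credentials (the duplicate-entry case) and notify groups follow the shared-versus-separate firewall rule. This is an added example and is not code from the PAN-OS documentation or from the AWS plugin; the account IDs, VPC ID, role name and notify-group names are constructed placeholders, and the optional ExternalId condition is a hardening step this example assumes, not one the documented procedure requires.

```python
"""Planning helpers for the cross-account, shared-VPC monitoring setup above.

Added example: not code from the PAN-OS documentation or the AWS plugin.
Account IDs, VPC ID, role and notify-group names are constructed placeholders;
the ExternalId condition is an assumption of this example, not a documented step.
"""
import json
import re

ACCOUNT_A = "111111111111"  # constructed: owns the shared VPC, onboarded in Panorama
ACCOUNT_B = "222222222222"  # constructed: participant account that creates the role
SHARED_VPC_ID = "vpc-0abc123def456789a"  # constructed placeholder

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")


def build_trust_policy(trusted_account_id, external_id=None):
    """Trust policy for the role created in Account B (step 3): only the
    trusted account (Account A) may call sts:AssumeRole on it."""
    if not re.fullmatch(r"\d{12}", trusted_account_id):
        raise ValueError("AWS account IDs are 12 digits")
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:  # assumption: confused-deputy protection, not in the documented steps
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def trust_policy_findings(policy):
    """Review a trust policy before its Role ARN is pasted into Panorama.
    Returns a list of problems; an empty list means the policy looks sane."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in [principals] if isinstance(principals, str) else principals:
            if p == "*":
                findings.append("wildcard principal: any AWS account could assume the role")
        actions = stmt.get("Action", [])
        for a in [actions] if isinstance(actions, str) else actions:
            if a in ("*", "sts:*"):
                findings.append(f"overly broad action {a!r}; use sts:AssumeRole")
    return findings


def parse_role_arn(arn):
    """Split a role ARN into (account_id, role_name); rejects anything else."""
    m = ROLE_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn}")
    return m.group(1), m.group(2)


def plan_monitoring_definitions(shared_vpc_id, onboarded_account, role_arns, firewalls_shared):
    """One monitoring definition per account watching the shared VPC (steps 4 and 5).

    The first uses the onboarded credentials directly; each further one adds a
    participant Role ARN. Two definitions with the same VPC-ID and the same
    credentials are rejected, mirroring the duplicate-entry error Panorama
    raises. Notify groups follow the rule at the end of the procedure."""
    definitions, seen = [], set()

    def add(role_arn):
        key = (shared_vpc_id, onboarded_account, role_arn)
        if key in seen:
            raise ValueError(f"duplicate definition for {shared_vpc_id} with the same credentials")
        seen.add(key)
        index = len(definitions) + 1
        definitions.append({
            "name": f"md-shared-vpc-{index}",  # constructed naming scheme
            "vpc_id": shared_vpc_id,
            "credentials": onboarded_account,
            "role_arn": role_arn,
            # shared firewalls: one notify group for all; separate firewalls: one each
            "notify_group": "ng-shared" if firewalls_shared else f"ng-{index}",
        })

    add(None)
    for arn in role_arns:
        parse_role_arn(arn)  # fail early on a malformed ARN before it reaches Panorama
        add(arn)
    return definitions


if __name__ == "__main__":
    policy = build_trust_policy(ACCOUNT_A)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy))
    role_arn = f"arn:aws:iam::{ACCOUNT_B}:role/PanoramaEC2ReadOnly"  # constructed
    for d in plan_monitoring_definitions(SHARED_VPC_ID, ACCOUNT_A, [role_arn], False):
        print(d)
```

The trust policy is the object whose review matters most: the role in Account B carries AmazonEC2ReadOnlyAccess, so a wildcard principal would expose instance metadata of every participant to any AWS account, and the check rejects that before the ARN is onboarded. The planner's uniqueness key is (VPC-ID, onboarded credentials, Role ARN), which is exactly why a second definition for the same VPC must carry a different Role ARN.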