Managing Nodes in the Cloud
The Genian ZTNA Cloud Collector can be enabled to collect information about IP-enabled nodes in a Cloud environment. At the configured interval, the Cloud Collector queries the Cloud Service Provider to identify the nodes in the specified environment, together with other useful Cloud-related details of the discovered nodes.
Configuring Cloud Environment
Add Cloud Provider
- From the top menu navigate to System > Cloud Provider
- Click Tasks then Create
- Enter Name for the Cloud Provider (ex. 'AWS Cloud')
- For Cloud, select AWS, AZURE, NHN, NAVER, or LINODE.
- Enter the credential information for the selected provider as described under 'Input Method By Cloud Type' below.
- Click Save
Input Method By Cloud Type
- Credential information from AWS
  - Access Key: AWS Console > Select user email in the upper right corner > Select Security credentials > Check 'Access key' and enter it.
  - Secret Key: When creating an access key, select Show > check 'Secret key' and enter it.
- Policies that must be activated related to IAM for the AWS account
  - Setting path: AWS Console > IAM > Users > User ID > Permissions > Policy name
  - AdministratorAccess: Provides full access to AWS services and resources.
  - AmazonEC2FullAccess: Provides full access to Amazon EC2 through the AWS Management Console.
  - AmazonRoute53FullAccess: Provides full access to all Amazon Route 53 through the AWS Management Console.
  - AmazonS3FullAccess: Provides full access to all buckets through the AWS Management Console.
  - AWSMarketplaceFullAccess: Provides the ability to subscribe and unsubscribe to AWS Marketplace software, allows users to manage Marketplace software instances from the Marketplace 'Your Software' page, and provides management access to EC2.
  - AWSSupportAccess: Allows users to access the AWS Support Center.
  - CloudFrontFullAccess: Provides full access to the CloudFront console and the ability to list Amazon S3 buckets through the AWS Management Console.
  - CloudWatchEventsFullAccess: Provides full access to Amazon CloudWatch Events.
  - CloudWatchFullAccess: Provides full access to CloudWatch.
  - SecurityAudit: The Security Audit template grants access to read security configuration metadata. This is useful for software that audits the configuration of AWS accounts.
- Credential information from AZURE
  - Client ID: Azure portal > Azure Active Directory > App registrations > Check 'Application ID' and enter it.
  - Client Secret: Home > Azure Active Directory > App registrations > Certificates & secrets > Check 'Value' and enter it.
  - Subscription ID: Home > Subscriptions > Check 'Subscription ID' and enter it.
  - Tenant ID: Home > Azure Active Directory > App registrations > Check 'Directory ID' and enter it.
  - Resource Group Name: Home > Subscriptions > Subscription Name > Resource groups > Check 'Name' and enter it.
- Policies that must be activated related to IAM in the Azure account
  - Setting path: Access control (IAM) > View my access > Current role assignments > Role item
  - Contributor: Grants full access to manage all resources, but cannot assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
  - User Access Administrator: Can manage user access to Azure resources.
  - Managed Application Operator Role: Can read and perform operations on managed application resources.
- Credential information from NHN
  - User Name: Enter the NHN Console login 'ID'.
  - Tenant ID: Compute > Instance > Management page > Click the API endpoint settings button > Check 'Tenant ID' and enter it.
  - Password: Compute > Instance > Management page > Click the API endpoint settings button > Set the desired API 'Password' and enter it.
- Project role to be set related to IAM of the NHN account
  - Path: Log in to the console > Member Management > IAM Member
  - The project role is set to ADMIN.
  - ADMIN can Create/Read/Update/Delete the entire project, including basic project information, members, roles, and services.
- Credential information from NAVER
  - Access Key: NCloud Console > User ID in the upper right corner > Account Management > Password and Authentication > Authentication Key Management > Create a new API authentication key > Check 'Access Key ID' and enter it.
  - Secret Key: After creating the API authentication key, check the 'Secret Key' and enter it.
- Policy items that must be activated related to IAM for the Naver account
  - Setting path: User ID in the upper right corner > View permissions
  - The policy name of the authority is set to NCP_ADMINISTRATOR (the authority to access the portal and console is the same as the main account).
  - Permission settings are made in the administrator-only menu at Service Environment Settings > Membership/Permission Management at the top left.
- Credential information from LINODE
  - Token: Linode Console > My Profile > API Tokens > Add a Personal Access Token > Check 'Key' and enter it.
- Policies that must be activated related to the Linode account
  - When creating the API Token, give it full authority, including creation/deletion.
  - On the left, set Account > User & Grants > User Permissions for the user > Full Account Access.
Create Cloud site
- From the top menu, navigate to System > Site
- Click Tasks then Create
- Enter a Name for the site (ex. 'Corp Hub' or 'VCP-XXXXXXXX')
- For Infrastructure select Cloud
- For Cloud Provider, select the Cloud Provider created in the previous steps
- For Region, select the desired AWS Region from the list
- For VPC ID, select the desired VPC from the list
Note
If no VPCs are listed, check the previous step and logs to ensure there were no issues when adding the Cloud Provider.
- For Type select Hub or Branch
- For Network Address, enter the subnet of the VPC selected in step 7 (VPC ID) above (ex. 172.31.16.0/20)
- Set Collector status to Enabled (leave the Proxy settings at their defaults and set the desired collection interval)
- Click Save
Verify Cloud Node Detection
- From the top menu, navigate to Management > Node
- In the left window pane, click on the Site name created in the previous steps
- All AWS EC2 instances in the VPC and subnet previously specified should be listed as nodes
- AWS details for discovered nodes are logged under node details. Node details can be viewed by navigating to Management > Node, clicking on the node IP and scrolling down to the AWS section.
Note
See: Monitoring Network Nodes for search, grouping and monitoring of nodes.