While editing an Amazon Web Services (AWS) Discovery or Visibility, AWS Discovery options let you specify the specific information that Cloud Discovery & Visibility (CDV) imports from the AWS infrastructure. While setting up a new discovery, these settings are available only if you choose Advanced setup.
-
If you update the name of a Configuration or View in Address Manager after you enable Discovery and Visibility, Cloud Discovery & Visibility AWS will no longer import AWS infrastructure changes into Address Manager.
-
When configuring Cloud Discovery & Visibility AWS to discover resources in an AWS GovCloud environment, note that AWS GovCloud does not use external Route 53 zones. To include Route 53 zones as part of a Discovery, you must first link them to a non-AWS GovCloud account that points to those Route 53 zones. For more information, see https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/setting-up-route53.html.
-
If you enter the name of an existing Address Manager configuration in the BlueCat Configuration field of the Configuration Options section, CDV automatically populates all views within the Discovery Options section with appropriate values.
-
When configuring new view names in the relevant view fields, click Create <view name> from the dropdown menu, or press Enter to confirm your selection.
Discover AWS resources options
| Field/Option | Description |
|---|---|
| AWS VPC/subnet | Import all AWS VPC and Subnet network information. Within Address
Manager, private VPCs/Subnets are converted into IPv4 and IPv6 blocks
and networks. Note: This option is always enabled
and cannot be disabled.
|
| Allocate AWS reserved IP Addresses | Select this checkbox to import IPv4/IPv6 addresses reserved by the AWS platform in each subnet range. AWS reserves the first four addresses and the last address of each subnet. Within Address Manager, reserved IP addresses are stored as IP addresses with corresponding types in a BlueCat Address Manager (BAM) network. |
| AWS public IP ranges |
Select this checkbox to import the AWS public address space
information of virtual machines and load balancers within the
region. Within Address Manager, public VPCs are converted into IPv4
and IPv6 blocks and networks.
Note: When this option is unchecked,
the virtual machine and load balancer information is still
imported into Address Manager; however, the IP
ADDRESSES of Public virtual machine and
load balancer devices within Address Manager will be
blank.
|
| AWS VPC
Endpoints Endpoint view |
Select this checkbox to import VPC endpoint information. In Address Manager, the VPC endpoints are converted into the VPC endpoint device type. Also, in Endpoint View, enter the name of the
view that will be created in Address Manager or select an existing
view in Address Manager that will contain the DNS records from the
VPC endpoint.
|
|
AWS EC2 instances |
Select this checkbox to import all EC2 instance information. In Address Manager, the EC2 instances are converted into devices. |
| AWS ELBv2 load balancers | Select this checkbox to import all ELBv2 load balancer information. In Address Manager, this is converted into the ELBv2 device type. |
|
AWS DNS hostnames internal DNS hostname internal view |
(Available only if AWS EC2 instances or AWS ELBv2 load balancers is ticked.) Select this checkbox to import internal DNS record information. The internal DNS records are converted into internal DNS records on Address Manager with the prefix defined in the BlueCat Target Zone field. Also, in DNS hostname internal view, enter the
name of the view that will be created in Address Manager, or select
an existing view in Address Manager that will contain the internal
AWS provided name resolution information.
|
| AWS DNS hostnames -
external DNS hostname external view |
(Available only if AWS EC2 instances or AWS ELBv2 load balancers is ticked.) Select this checkbox to import external DNS record information. The external DNS records are converted into external DNS records on Address Manager with the prefix defined in the BlueCat Target Zone field. Also, in DNS hostname external view, enter the name of the view that will be created in Address Manager or select an existing view in Address Manager that will contain the external AWS provided name resolution information.
|
| AWS Route 53 DNS -
private DNS resource Record private view |
Select this checkbox to import all private AWS Route 53 DNS zone record information. Within Address Manager, the DNS zone records are converted into private DNS records. Also, in DNS resource record private view, enter the name of the view that will be created in Address Manager, or select an existing view in Address Manager that will contain the internal AWS provided name resolution information.
|
| AWS Route 53 DNS -
public DNS resource Record public view |
Select this checkbox to import all public AWS Route 53 DNS zone record information. The DNS zone records are converted into public DNS records on Address Manager. In DNS resource record public view, enter the name of the view that will be created in Address Manager or select an existing view in Address Manager that will contain the external AWS provided name resolution information.
|
| AWS elastic network interface allocations |
Select this checkbox to import all Elastic Network Interface (ENI) information in the region during discovery. ENIs are imported as devices in Address Manager. |
| Ignore default VPCs |
When checked, the default VPC and its related resources (virtual machines, load balancers, private endpoints, elastic kubernetes, and private DNS zones) will not be added to the BAM configuration during Discovery or Visibility. |
| Create stand-alone PTR records |
(This setting is available only when AWS DNS hostnames - internal is ticked and either AWS EC2 instances or AWS ELBv2 load balancers is ticked.) If checked, when a host record is created, the corresponding PTR record is also created. These PTR records will be located in external hosts under the internal view. |
| Skip creating default internal zone | If ticked, CDV does not create resources for default internal zones in EC2 instances and ELBv2 load balancers. |
AWS Elastic Kubernetes Service options
| Field/Option | Description |
|---|---|
| AWS Elastic Kubernetes Service | Select this checkbox to import AWS Elastic Kubernetes Service (EKS) resources, including cluster and node groups. Within Address Manager, clusters are converted into devices and node groups are converted into tags. |
| AWS internal resources within Kubernetes engine |
Select this checkbox to also discover Kubernetes pods and services within EKS resources. CDV will also create a new Configuration for each Kubernetes cluster to hold that cluster's pods and services. Note: CDV does not directly support EKS discovery for Private EKS
Clusters (when the Cluster endpoint access is private). However,
it is possible for CDV to access the private endpoints via SSM
Port Forwarding. For more details, see Amazon EKS cluster endpoint
access control on the AWS Documentation
website.
|
| Kubernetes view | Select the Address Manager View that will contain the discovered EKS resources. To use the default View name, select AWS Kubernetes view. |
Address Manager target zone options
| Field/Option | Description |
|---|---|
|
Target zone for private endpoints Auto create zones for private endpoints |
In Target zone for private endpoints, enter the name of the DNS zone on BAM that will contain resource records from private endpoints. CDV will create a zone in BAM based on the entered zone name. Tick the Auto create zones for private endpoints checkbox to create separate subzones for each private endpoint region under the specified Target Zone for Private Endpoints. If cleared, information will be stored in a single zone. |
|
Target Zone for EC2 instances and load balancers Auto create zones for EC2 instances and load balancers |
In Target Zone for EC2 instances and load balancers, enter the name of the DNS zone on BAM that will contain EC2 instance DNS records. Tick the Auto create zones for EC2 instancer and load balancers checkbox to embed AWS availability zones for EC2 Instances and AWS region names for ELBv2 into the provided name resolution. Clear the checkbox otherwise. Note:
In GCP infrastructures, only the Published service type has a region assigned to its private endpoint. When this option is used, CDV will generate a subzone with their region as a name. If the Private Service Connect (PSC) and Virtual Private Service
Connect (VPSC) were not assigned a region, CDV will generate a
subzone named |
| Remove deleted resources (tag deleted views/zones during rediscovery) |
Tick this checkbox to automatically delete resources (except for DNS Views and Zones) that currently exist in Address Manager, but were not found upon rediscovery. Missing View and Zone resources will be tagged for manual inspection and removal. For more details on viewing and manually deleting these tagged resources, see Deleting resources flagged as missing during rediscovery. Note: If you are using Scheduled discovery to monitor
networks for further changes (specified in the job's Monitoring
options), this option is automatically ticked and cannot be
changed.
|
| Remove IP and MAC addresses of deleted devices |
(This option is available only when connecting to Address Manager v9.4.0 or later.) Tick this checkbox to automatically delete IP addresses if (and only if) they are not associated with any other host records (such as manually-created host records pointing to the device's IP address). CDV will also delete MAC addresses if (and only if) they are not linked to any other IP addresses (such as IP addresses that do not belong to a deleted device). |
| Update existing blocks/networks in Address Manager | If ticked, if imported device, view, and zone resources have the same name as existing resources in Address Manager, CDV will try to reuse blocks and networks that already exist in Address Manager instead of dropping (not importing) the duplicate resources. |
| Dynamic update of DNS resource records |
(This option is available only when connecting to Address Manager v9.4.0 or later.) Select this checkbox to update the DNS records in Address Manager and automatically deploy the changes to the primary BDDS of that zone using selective deployment. This checkbox is disabled by default and only available if you select Real time updates as your Monitoring mode. Attention:
You must perform a full DNS deployment to the managed BDDS before any subsequent selective deployments can be performed. If you are configuring the managed BDDS to exclusively manage the cloud infrastructure, you can run a Discovery to import the cloud infrastructure into your Address Manager.
|
AWS exclusion filters
Under AWS exclusion filters, users can configure the following filters:
Exclude VPCs based on tags—exclude VPCs by specifying a list of associated AWS tags.
Exclude networks based on CIDRs—exclude networks by specifying one or more IPv4/IPv6 CIDR exclusion ranges.
| Field/Option | Description |
|---|---|
|
Exclude VPCs based on tags |
AWS Discovery and Visibility will exclude VPCs with AWS tags that match one of the specified tag key/value pairs. Discovery and Visibility will not run on excluded accounts. To exclude accounts with a specific AWS tag and value:
Tag keys and values can use only alphanumeric characters. If you
enter a tag key but leave the value blank, the filter will exclude
accounts that have an empty value for that tag. To include an empty
value in a list of multiple tag values, use an empty space between
commas: Tags and values that you exclude from Discovery are listed below the Tag key and Tag value fields. To remove a tag from the list, click the remove (X) button next to it. |
| Exclude networks based on CIDRs |
AWS Discovery and Visibility will exclude any address spaces or subnets that overlap with the specified CIDR range(s) and are equal to or smaller than the specified CIDR range(s). Excluded address space and subnet items will be displayed in the Dropped resources section of each Discovery job. To exclude networks based on CIDRs:
Exclusion CIDRs are listed below the CIDR field. To remove a CIDR from the list, click the remove (X) button next to it. Note: Devices such as virtual machines, load balancers, private endpoints, and kubernetes clusters
will be imported if they have any private IP address
belonging to a non-excluded CIDR range (block or network).
Otherwise, if all the private IP addresses of the device match
the excluded list, the device will not be imported into Address
Manager. The host record of the device will be imported whenever
the device is imported, along with the device (if user enables
the corresponding options).
DNS resources, such as zones and resource records, will always be imported. However, A and AAAA resource records are now imported as a Generic type resource record if their subnet is excluded by the Exclude networks based on CIDRs filter. |
Additional Tags settings
The Additional Tags settings let you specify that CDV add the values of specified AWS resource tags to the Address Manager resources created during Discovery and Visibility jobs.
For more details, see Adding the values of AWS resource tags to Address Manager entities.
| Field/Option | Description |
|---|---|
|
Resource Type |
The type of resource whose tags you want to discover, such as VPCs. To discover AWS tags for all types, select All Resources. |
| Tag Name |
The name of the AWS tag whose values you want to discover. In BAM,
this will appear as the UDF display name. The Tag name cannot use
commas ( |
| Address Manager UDF |
(Text only) The Address Manager UDF (user-defined field) name in which tag information will be collected.
|
| Add (+) |
When you've entered a Resource Type, Tag Name, and Address Manager UDF, click the add button (+) to add the specifications to the list of AWS tags to discover. To remove a specific tag from the list of discovered tags, click the remove button (X) corresponding to that tag. To remove all the tags for the selected resource type, click Remove. |