AWS Monitoring Options - Adaptive Applications - BlueCat Gateway - 23.3.2

Cloud Discovery & Visibility Administration Guide

Locale: English
Product name: BlueCat Gateway
Version: 23.3.2
The Monitoring Options section of the Amazon Web Services (AWS) Setup page lets you configure monitoring settings for importing data into Address Manager. Here, you configure what and how you want your network data to be made visible for monitoring.
Attention: AWS Visibility functionality imports only incremental EC2 changes to Address Manager.

You can choose from two monitoring modes.

Scheduled Discovery

When you select the Scheduled Discovery radio button, Cloud Discovery & Visibility creates a scheduled discovery of AWS resources based on the configuration settings in the Discovery Options section. Cloud Discovery & Visibility will periodically monitor changes made to AWS resources based on the configured interval.

Scheduled monitoring is available only for VPC/Subnets, VM instances, load balancers, Cloud DNS, private service connect, and Kubernetes Engine.

Attention: When you select the Scheduled Discovery radio button, the Remove Deleted Resources during Rediscovery option (in Discovery Options) and the Override Configuration option (in Configuration Options) are automatically selected and greyed out, to avoid failures in subsequent scheduled discovery jobs. For more details, see AWS Discovery Options and AWS Configuration Options.

You can configure the following options:

Schedule options

Run Once: Cloud Discovery & Visibility runs discovery on AWS resources a single time, based on the configuration settings in the Discovery Options section.

Tip: To instead run this discovery configuration repeatedly at regular intervals, clear this checkbox and enter the desired interval in the Interval field.

Interval: The time between discovery jobs, in seconds. Cloud Discovery & Visibility waits this long after the previous discovery job finishes before starting the next one.

Note: The scheduled discovery task only supports the discovery of VPC/Subnet, EC2 Instances, Load Balancers, Route 53, VPC Endpoints, and Kubernetes Services.

To run the discovery only once, select the Run Once checkbox.

Address Manager User options

Address Manager Username: Populated with the current user that is logged into Gateway. If required, you can update the username to another Address Manager user.

Note: This user should be an Address Manager administrative API user with full permissions.

Address Manager Password: Enter the password for the Address Manager user.

Visibility

When you select the Visibility radio button, Cloud Discovery & Visibility creates a visibility task to retrieve AWS resources based on the configuration settings in the Discovery Options section.

Note: The Visibility functionality imports only incremental VPC/Subnets, VM instance, Load Balancer, VPC network, cloud DNS (private zones), cloud DNS (public zones), private endpoint, and Kubernetes engine changes to Address Manager. Visibility for provided name resolution and public IP ranges is not supported.

You can configure the following options:

Address Manager User options

Address Manager Username: Populated with the current user that is logged into Gateway. If required, you can update the username to another Address Manager user.

Note: This user should be an Address Manager administrative API user with full permissions.

Address Manager Password: Enter the password for the Address Manager user.

AWS Service Account options

Service Account Key: Enter the AWS access key ID for the account used in the AWS Credentials page.

Service Account Secret: Enter the AWS secret access key for the account used in the AWS Credentials page.

Advanced AWS Parameters options

Enable AWS Role Assumption: Select this checkbox to use AssumeRole security credentials within your account to gain visibility into your AWS environment.

Attention: If you deployed Cloud Discovery & Visibility on an AWS EC2 Instance and also selected the Get Credentials from environment checkbox within the AWS Credentials page (that is, CDV acquires its credentials automatically from the instance), the AWS Role ARN field does not appear.

AWS Role ARN: Enter the AWS role assumption ARN. The AWS role ARN must be in the following format:

arn:aws:iam::<account_role_number>:role/<name>

For example, arn:aws:iam::987654321098:role/developerRole

Override Queue and Notification Default Names

Select the Override Queue and Notification Default Names checkbox to specify custom queue and notification names to be created in the cloud where you have specific naming requirements for those resources, instead of using the default generated names.

Selecting this checkbox displays the following fields:

  • SNS Topic Name: Enter the name of the SNS (Simple Notification Service) Topic that will be used by the visibility service to notify services when resources have been changed or added.

    The name can have up to 256 characters using letters, numbers, hyphens ("-"), and underscores ("_").

  • SQS Name: Enter the name of the SQS (Simple Queue Service) that will be used by the visibility service to store messages of changes that have occurred in your AWS environment.

    The name can have up to 80 characters using letters, numbers, hyphens ("-"), and underscores ("_").

  • EventBridge Rule Name: Enter the name of the EventBridge Rule that will be used by the visibility service to retrieve data from the queue containing changes that occurred in your AWS resources.

    This name must satisfy EventBridge rules for Rule names: It can have up to 64 characters using letters, numbers, periods ("."), hyphens ("-"), and underscores ("_").

If you enter a name that already exists in the resource group, you'll be asked if you want to reuse the same name. Click Cancel (and choose a different name) if you think your Visibility jobs will affect other Visibility jobs using the same name. Click Reuse to confirm use of the same name (that is, if you're sure that your jobs will not impact other Visibility jobs with the same name).
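The ARN template and the name rules above can be checked before a Visibility job is saved, so that a malformed role ARN or an SNS/SQS/EventBridge name that AWS will reject (or that collides with another job's queue) is caught at form time rather than as a failed job. The following Python is an added example written for this guide, not BlueCat Gateway code: the field names (role_arn, sns_topic_name, sqs_name, eventbridge_rule_name) are hypothetical, the length and character limits are exactly those stated on this page, and the 12-digit account id and IAM role-name character set are assumptions from AWS's own IAM rules that the page does not spell out.

```python
import re
from collections import Counter

# Added example, not BlueCat code. Encodes the naming rules stated on the
# Monitoring Options page so a form can be checked before a Visibility job
# tries to create the resources in AWS.

# Role ARN template from the page: arn:aws:iam::<account_role_number>:role/<name>.
# Assumption beyond the page: AWS account ids are 12 digits and IAM role names
# are up to 64 characters from letters, digits and + = , . @ _ -.
ROLE_ARN_RE = re.compile(r"arn:aws:iam::(\d{12}):role/([A-Za-z0-9+=,.@_-]{1,64})")

# (max length, allowed-character pattern) per resource, as the page states them.
NAME_RULES = {
    "sns_topic": (256, re.compile(r"[A-Za-z0-9_-]+")),
    "sqs_queue": (80, re.compile(r"[A-Za-z0-9_-]+")),
    "eventbridge_rule": (64, re.compile(r"[A-Za-z0-9._-]+")),
}

# Hypothetical form field names mapped to the rule set that applies to them.
FORM_FIELDS = (
    ("sns_topic_name", "sns_topic"),
    ("sqs_name", "sqs_queue"),
    ("eventbridge_rule_name", "eventbridge_rule"),
)


def validate_role_arn(arn):
    """Return (ok, detail): the parsed account/role on success, the reason on failure."""
    m = ROLE_ARN_RE.fullmatch(arn.strip())
    if m is None:
        return False, "expected arn:aws:iam::<12-digit account id>:role/<name>"
    return True, {"account_id": m.group(1), "role_name": m.group(2)}


def validate_resource_name(kind, name):
    """Check one override name against the page's length and character rules."""
    max_len, allowed = NAME_RULES[kind]
    if not name:
        return False, "name is empty"
    if len(name) > max_len:
        return False, f"{len(name)} characters exceeds the {max_len}-character limit"
    if allowed.fullmatch(name) is None:
        bad = sorted({c for c in name if allowed.fullmatch(c) is None})
        return False, f"disallowed characters: {bad}"
    return True, "ok"


def check_override_form(form):
    """Validate a whole Advanced AWS Parameters form; returns {field: problem}, empty when clean."""
    problems = {}
    if form.get("enable_role_assumption"):
        ok, detail = validate_role_arn(form.get("role_arn", ""))
        if not ok:
            problems["role_arn"] = detail
    if form.get("override_names"):
        for field, kind in FORM_FIELDS:
            ok, detail = validate_resource_name(kind, form.get(field, ""))
            if not ok:
                problems[field] = detail
    return problems


def shared_sqs_names(jobs):
    """Return SQS names that more than one Visibility job would use (the page warns against this)."""
    counts = Counter(job.get("sqs_name") for job in jobs if job.get("sqs_name"))
    return sorted(name for name, n in counts.items() if n > 1)


if __name__ == "__main__":
    # Constructed sample forms for two Visibility jobs; the second has several defects.
    jobs = [
        {"enable_role_assumption": True,
         "role_arn": "arn:aws:iam::987654321098:role/developerRole",
         "override_names": True,
         "sns_topic_name": "cdv-vis-topic", "sqs_name": "cdv-vis-queue",
         "eventbridge_rule_name": "cdv.vis-rule"},
        {"enable_role_assumption": True,
         "role_arn": "arn:aws:iam::1234:role/bad role",
         "override_names": True,
         "sns_topic_name": "cdv vis topic!", "sqs_name": "cdv-vis-queue",
         "eventbridge_rule_name": "x" * 65},
    ]
    for i, job in enumerate(jobs, 1):
        print(f"job {i}:", check_override_form(job) or "clean")
    print("SQS names shared across jobs:", shared_sqs_names(jobs))
```

Running the script reports the second job's bad ARN, the space and "!" in its SNS topic name and the over-long EventBridge rule name, and lists cdv-vis-queue as an SQS name shared by both jobs. Note that the EventBridge rule may contain periods while the SNS topic and SQS queue may not, which is why each resource carries its own pattern rather than one shared regex.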

Attention:

When overriding queue and notification default names:

  • If you reuse the existing EventBridge Rule name, any changes in the event pattern will update it within your AWS environment. If you do not have permissions to update the EventBridge Rule name, contact your administrator to modify it to the existing Event Grid Subscription name.

  • The filter will update if you modify any Discovery Options within the same Visibility job.

  • If errors occur due to modifications of the filter, older information will be used and the following error appears:



  • To avoid conflicts, do not use the same SQS names in multiple Visibility jobs. As a best practice, do not reuse the name of an SNS Topic, SQS queue, or EventBridge Rule that you do not own or control.