Configure an IP Tag Cloud Connection

Learn how to configure the Cloud Identity Engine to collect IP-Tags for policy enforcement.
To configure the Cloud Identity Engine to collect IP address-to-tag (IP-tag) information for policy enforcement, configure a connection to your cloud service provider so that the Cloud Identity Engine can synchronize the mappings. The Cloud Identity Engine provides the IP-tag information to the edge service for processing, which then provides it to the firewalls for policy enforcement.
To collect IP-tag information from your cloud service provider, you must first grant the Cloud Identity Engine the permissions it needs. Keep these credentials read-only and scoped to what the referenced documentation lists; IP-tag collection only reads instance and tag metadata and never needs to modify cloud resources.
  • Azure — Grant the service account the read permissions described in the Azure Monitoring section of the VM-Series documentation.
  • Amazon Web Services (AWS) — Grant the service account the IAM roles described in the IAM Roles and Permissions for Panorama section of the VM-Series documentation (see the JSON example there). The Cloud Identity Engine refers to each role by its Amazon Resource Name (ARN); for more information on ARNs, refer to the AWS documentation.
  • Google Cloud Platform (GCP) — Grant the service account the IAM roles described in the VM-Series documentation.
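Before attaching an AWS policy to the credentials you give the Cloud Identity Engine, it is worth checking mechanically that the policy grants nothing beyond read access. The following checker is an added example, not code from the Cloud Identity Engine or the VM-Series documentation; the `ec2:Describe*` actions in the constructed sample policy are an illustrative assumption of what IP-tag collection needs, not the exact permission set the VM-Series documentation lists.

```python
"""Pre-flight check for an IAM policy: fail if it grants anything other than
read-only actions. Added example; the sample action list is an assumption."""
import json
import re

# Verbs that only read state. Anything else (Create*, Put*, Delete*, "*")
# is more than IP-tag collection needs.
READ_ONLY_VERB = re.compile(r"^[a-z0-9-]+:(Describe|List|Get)[A-Za-z]*$")


def policy_violations(policy: dict) -> list[str]:
    """Return human-readable reasons this policy is not read-only (empty = OK)."""
    problems = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt or "NotResource" in stmt:
            problems.append(f"statement {i}: NotAction/NotResource grants by exclusion")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if "*" in action:
                problems.append(f"statement {i}: wildcard action {action!r}")
            elif not READ_ONLY_VERB.match(action):
                problems.append(f"statement {i}: non-read action {action!r}")
    return problems


# Constructed policy documents for illustration (assumed action set).
GOOD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["ec2:DescribeInstances", "ec2:DescribeTags",
                            "ec2:DescribeVpcs", "ec2:DescribeRegions"],
                 "Resource": "*"}]
}""")

OVERLY_BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["ec2:*", "iam:PassRole"],
                 "Resource": "*"}]
}""")

if __name__ == "__main__":
    for name, pol in [("good", GOOD_POLICY), ("broad", OVERLY_BROAD_POLICY)]:
        print(name, policy_violations(pol) or "read-only OK")
```

The checker does not inspect `Resource`, because EC2 `Describe*` calls do not support resource-level restrictions and must be granted on `"*"`; the action list is therefore the only place where scope can be tightened.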
If you use Strata Cloud Manager, you can view your IP-tag information using the unified interface and use it to create your tag-based security policy.
For each region, a monitoring configuration can synchronize up to 20,000 IP-tag mappings from a cloud service at one time, where one mapping is one IP address paired with one tag. For instance, 1,000 IP addresses synchronize in full as long as each address has 20 tags or fewer (1,000 × 20 = 20,000 mappings). After the initial synchronization, you can continue to add IP-tag mappings in subsequent synchronizations, with each synchronization allowing up to an additional 20,000 mappings. The Cloud Identity Engine syncs only the new or modified mappings each time.
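The limit is easy to misjudge because it counts (IP, tag) pairs, not hosts, and because steady-state syncs only carry changes. The following model is an added example with constructed data, not the Cloud Identity Engine's own code; it shows how to count the mappings a poll would have to send per region, whether they fit in one 20,000-mapping synchronization, and how much smaller the delta becomes once only new or modified pairs count. Whether excess mappings are carried into later synchronizations is not something this model asserts; it only counts.

```python
"""Per-region IP-tag mapping count versus the 20,000-per-sync limit, and the
new-or-modified delta between two polls. Added example with constructed data."""
from collections import defaultdict

MAX_MAPPINGS_PER_SYNC = 20_000

# region -> { ip -> set(tags) }; one (ip, tag) pair is one mapping.
Snapshot = dict[str, dict[str, set[str]]]


def mapping_count(region_view: dict[str, set[str]]) -> int:
    return sum(len(tags) for tags in region_view.values())


def sync_delta(previous: Snapshot, current: Snapshot) -> dict[str, set[tuple[str, str]]]:
    """Per region, the (ip, tag) pairs that are new or changed since the last poll.
    Unchanged pairs are not re-sent, which keeps steady-state syncs small."""
    delta = {}
    for region, ips in current.items():
        old = previous.get(region, {})
        delta[region] = {(ip, tag) for ip, tags in ips.items() for tag in tags
                         if tag not in old.get(ip, set())}
    return delta


def plan_sync(previous: Snapshot, current: Snapshot) -> dict[str, dict]:
    """Per region: pending mappings, whether they fit in one sync, and the
    minimum number of 20,000-mapping synchronizations they would occupy."""
    report = {}
    for region, pairs in sync_delta(previous, current).items():
        n = len(pairs)
        report[region] = {
            "pending": n,
            "fits_in_one_sync": n <= MAX_MAPPINGS_PER_SYNC,
            "syncs_needed": -(-n // MAX_MAPPINGS_PER_SYNC) if n else 0,  # ceil division
        }
    return report


def build_snapshot(instances: list[tuple[str, str, list[str]]]) -> Snapshot:
    """instances: (region, ip, tags) rows, e.g. flattened from a provider API dump."""
    snap: Snapshot = defaultdict(dict)
    for region, ip, tags in instances:
        snap[region].setdefault(ip, set()).update(tags)
    return dict(snap)


# Constructed sample: 1,000 hosts x 20 tags in us-west-2 exactly fills one sync;
# 1,000 hosts x 21 tags in us-east-1 does not.
FIRST = build_snapshot(
    [("us-west-2", f"10.1.{i // 256}.{i % 256}", [f"tag{t}" for t in range(20)]) for i in range(1000)]
    + [("us-east-1", f"10.2.{i // 256}.{i % 256}", [f"tag{t}" for t in range(21)]) for i in range(1000)]
)

# Second poll: one host gains one tag, everything else is unchanged.
SECOND = build_snapshot([("us-west-2", "10.1.0.0", ["tag0", "owner-sec"])])
for _region, _ips in FIRST.items():
    for _ip, _tags in _ips.items():
        SECOND.setdefault(_region, {}).setdefault(_ip, set()).update(_tags)

if __name__ == "__main__":
    print(plan_sync({}, FIRST))      # us-west-2 fits; us-east-1 needs 2 syncs
    print(plan_sync(FIRST, SECOND))  # only the 1 new mapping is pending
```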
  1. If you have not already done so, activate User Context and configure a segment to receive the mapping information.
  2. Select User Context > IP-Tag Collection.
  3. Select the Credential Configuration tab (if it is not already displayed).
  4. Click Set Up a New Credential Configuration and select the cloud service provider you want to use.
    • AWS—Connect to an Amazon Web Services (AWS) instance.
    • Azure—Connect to a Microsoft Azure Active Directory instance.
    • Google Cloud Platform—Connect to a Google Cloud Platform (GCP) instance.
  5. Enter a unique and descriptive Name for the configuration.
  6. (AWS only) Configure your AWS connection.
    To open your AWS administrator portal in a new window so you can create or edit any necessary roles and their ARNs, click Open CFT and log in with your AWS credentials.
    1. Enter your Access Key ID. To learn how to obtain your access key ID and secret access key, refer to the AWS documentation.
      An access key is a long-lived credential for an IAM user. Create a dedicated IAM user for the Cloud Identity Engine that carries only the read permissions described above rather than reusing an administrator's keys.
    2. Enter your Secret Access Key.
    3. Reenter your secret access key to Confirm Secret Access Key.
    4. (Optional) Enter a Role ARN Name and Role ARN Value. To configure additional Role ARNs, click Add Role ARN for each Role ARN you want to include.
      If you specify an ARN, you can't also specify a VPC.
  7. (Azure only) Configure your Azure connection.
    1. Enter your Client ID. To learn how to obtain the client ID and client secret, refer to the Azure documentation.
    2. Enter your Client Secret.
      Azure client secrets are created with an expiration date. Record it, because the connection fails once the secret expires and you must enter a new secret.
    3. Enter your Tenant ID. To learn how to obtain the tenant ID and subscription ID, refer to the Azure documentation.
    4. Enter your Subscription ID.
  8. (Google Cloud Platform only) Configure your GCP connection.
    1. Create a key for the service account in your Google Cloud console, then download the JSON key file and save it in a safe location. The file contains the service account's private key, so protect it like a password and delete local copies you no longer need.
    2. Click Browse files and then Open to navigate to the JSON file, or drag and drop the GCP credential JSON file.
  9. Click Test Connection to verify the connection.
    For AWS configurations, you can optionally select the Region before testing the connection. By default, the Cloud Identity Engine uses the US West region; if that region does not allow API requests, select one that does.
    You can submit the configuration even if the connection test fails; until you resolve the connectivity issue, the configuration status is Not connected and the configuration does not retrieve any IP address-to-tag mappings.
  10. Submit the configuration.
  11. (Strata Cloud Manager only) To view the tags that the Cloud Identity Engine shares with Strata Cloud Manager, select an address group, then select the Tags from CIE tab when you add match criteria.
  12. To configure a connection to your cloud service provider for monitoring purposes (such as audits) or to share the IP address-to-tag mapping information through a segment, select the Monitor & Status tab.
    A connection to the cloud service provider can be in one of four states:
    • Connected—The Cloud Identity Engine has successfully established a connection.
    • Partially connected—The Cloud Identity Engine could establish a connection to some parts of the configuration, such as regions or VPCs for AWS, but not all of them.
    • Connection pending—The Cloud Identity Engine has established a connection but has not completed the sync of the IP-tag mappings from one or more regions. For more information on the connection status, select Click to see details.
    • Not connected—The Cloud Identity Engine couldn't establish a connection with the current configuration.
    1. Click Set Up a New Monitor Configuration and select the type of monitor configuration that matches the credential configuration you created in step 4.
    2. Enter a unique and descriptive Name for the configuration.
    3. Select the Credential Configuration that you created in step 4.
    4. (AWS only) Optionally select the Role ARN you want to use.
    5. Select whether to configure the connection for All Regions, All VPCs (AWS only), or All Project IDs (GCP only).
      To select a specific region or virtual private cloud (VPC), clear the All Regions or All VPCs check box, wait for the list of regions or VPCs to populate, then select the ones you want to include. To select a specific VPC, you must first select one or more regions or select all regions. Scoping the configuration to the regions and VPCs you actually need also keeps the mapping count well under the per-region limit.
    6. (Azure only) Select whether you want to Fetch Service Tags. If you select this option, the Cloud Identity Engine also syncs Azure service tags.
    7. Define the Polling Interval (in seconds) to specify how frequently the Cloud Identity Engine checks for new data. The default is 60 seconds and the range is 60–1800 seconds.
    8. To share the mappings, select the segment you configured in step 1. To create this configuration only for monitoring, without sending mappings to any firewalls, select None.
      You can't change the segment after you submit the configuration, so make sure you select the correct one. If you need a different segment later, create a new configuration that uses it.
    9. Submit the configuration.
  13. Search and monitor your configurations in the Cloud Identity Engine.
    1. Select the Monitor & Status tab.
    2. Use the filters to narrow the results to the information you want to find.
      • Name—Enter the name of a configuration to show only that configuration.
      • Vendor—Select a vendor type to show only configurations for that vendor.
      • Status—Select a status (such as Connected or Partially Connected) to show only configurations in that state.
      • Segment—Select a Segment name to show only configurations that use that segment.
      • Associated Credential—Select the name of an Associated Credential configuration to show only the monitor configurations that use it.
    3. To remove the filters, click Reset.
  14. View more details for a specific configuration.
    1. On the IP-Tag Collection page, select the name of the configuration you want to view.
    2. On the Monitor & Status page, review the Connection Details, which include information such as the connection status.
  15. View the IP address-to-tag mapping information. The available options depend on your configuration type.
    1. (AWS only) On the VPC tab, Search by VPC ID to view information for a specific VPC, or select the number in the IPs column to view the IP addresses associated with the VPC ID in that row.
    2. Select the Tag To IP tab and Search by Tag to locate IP address information for a specific tag. Results can be exact or partial matches of your query, and you can optionally limit the search to a specific region or select All Regions.
    3. Select the number in the IPs column to view the IP addresses that the Cloud Identity Engine has collected for the selected Tag.
    4. Optionally Search by IP Address within that list, then close the window or click Cancel when you have finished reviewing the IP addresses.
    5. Select the IP To Tag tab to Search by IP Address. For an AWS-based configuration, you can also search by VPC ID.
    6. Click the number in the Tags column to view the tags associated with the IP Address in that row.
    7. Optionally Search by Tag within that list, then close the window or click Cancel when you have finished reviewing the tags.
  16. (Optional) Edit or remove configurations as needed.
    1. Click Edit to change the configuration and Submit your changes, or click Remove and then Yes to delete the configuration.
      Removing a configuration also removes all of its IP tags from the associated devices, so address groups and policy rules that depend on those tags stop matching those IP addresses. Review the policy that uses the tags before you remove a configuration.
    2. You can also edit or delete the configuration from the IP-Tag Collection page.
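The GCP credential file uploaded in step 8 carries the service account's private key, so it pays to confirm, before uploading, that the file is what the console wrote and that it is not readable by other users on the workstation. The following check is an added example, not code from the Cloud Identity Engine; the required-field list reflects the layout of a Google service-account key file, and the sample key is constructed with placeholder values, not real key material.

```python
"""Pre-upload check for a GCP service-account key JSON: correct type and fields,
PEM private key present, and file not readable by group/others. Added example;
the sample key is constructed and contains no real key material."""
import json
import os
import stat
import tempfile

REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id", "token_uri")


def check_sa_key(path: str) -> list[str]:
    """Return a list of problems found; an empty list means the file looks usable."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"file mode {oct(mode)} is readable by group/others; chmod 600")
    with open(path, encoding="utf-8") as fh:
        try:
            key = json.load(fh)
        except json.JSONDecodeError as exc:
            return problems + [f"not valid JSON: {exc}"]
    for field in REQUIRED_FIELDS:
        if not key.get(field):
            problems.append(f"missing field {field!r}")
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    if not key.get("private_key", "").startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM PKCS#8 block")
    email = key.get("client_email", "")
    if not email.endswith(".iam.gserviceaccount.com"):
        problems.append(f"client_email {email!r} is not a service-account address")
    return problems


# Constructed sample with placeholder values (not a real key).
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "cie-reader@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def write_sample(key: dict, mode: int) -> str:
    """Write the sample to a temp file with the given permission bits; return the path."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(key, fh)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    print(check_sa_key(write_sample(SAMPLE_KEY, 0o600)))  # []
    print(check_sa_key(write_sample(SAMPLE_KEY, 0o644)))  # mode warning
    print(check_sa_key(write_sample({**SAMPLE_KEY, "type": "authorized_user"}, 0o600)))
```

The `type` check matters in practice: a user's own `gcloud` credentials file is also JSON but has `"type": "authorized_user"`, and uploading it would hand the Cloud Identity Engine a person's identity rather than the dedicated service account's.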
