IAM Roles for HA
Configure IAM roles to set up HA VM-Series firewalls.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | AWS account; Amazon Machine Image (AMI) ID; VM-Series License (PAYG or BYOL); VM-Series plugin; Panorama; Panorama plugin for AWS |
AWS requires that all API requests be cryptographically signed with AWS-issued credentials. To grant API permissions to VM-Series firewalls deployed as an HA pair, you must create a policy in the AWS Identity and Access Management (IAM) service and attach that policy to a role. The role must be attached to the VM-Series firewalls at launch. The policy grants the IAM role permission to initiate the API actions required to move interfaces or secondary IP addresses from the active peer to the passive peer when a failover is triggered.
For detailed instructions on creating a policy, refer to the AWS documentation on Creating Customer Managed Policies.
For detailed instructions on creating an IAM role, defining which accounts or AWS services can assume the role, and defining which API actions and resources the application can use after assuming the role, refer to the AWS documentation on IAM Roles for Amazon EC2.
The IAM policy, which is configured in the AWS console, must grant at least the following actions and resources:
| IAM Action, Permission, or Resource | Description | Interface Move | Secondary IP Move |
|---|---|---|---|
| AttachNetworkInterface | For permission to attach an ENI to an instance. | ✓ | ✓ |
| DescribeNetworkInterfaces | For fetching the ENI parameters needed to attach an interface to the instance. | ✓ | ✓ |
| DetachNetworkInterface | For permission to detach the ENI from the EC2 instance. | ✓ | ✓ |
| DescribeInstances | For permission to obtain information on the EC2 instances in the VPC. | ✓ | ✓ |
| AssociateAddress | For permission to move the public IP addresses associated with the primary IP addresses from the passive to the active interfaces. | | ✓ |
| AssignPrivateIpAddresses | For permission to assign secondary IP addresses, and their associated public IP addresses, to interfaces on the passive peer. | | ✓ |
| DescribeRouteTables | For permission to retrieve all route tables associated with the VM-Series firewall instances. | | ✓ |
| ReplaceRoute | For permission to update AWS route table entries. | | ✓ |
| GetPolicyVersion | For permission to retrieve AWS policy version information. | | ✓ |
| GetPolicy | For permission to retrieve AWS policy information. | | ✓ |
| ListAttachedRolePolicies | For permission to retrieve the list of all managed policies attached to a specified IAM role. | | ✓ |
| ListRolePolicies | For permission to retrieve a list of the names of inline policies embedded in a specified IAM role. | | ✓ |
| GetRolePolicy | For permission to retrieve a specified inline policy embedded in a specified IAM role. | | ✓ |
| policy | For permission to access the IAM policy Amazon Resource Name (ARN). | | ✓ |
| role | For permission to access the IAM role ARN. | | ✓ |
| route-table | For permission to access the route table Amazon Resource Name (ARN) so it can be updated upon failover. | | ✓ |
| Wild card (*) | In the ARN field, use * as a wild card. | ✓ | ✓ |
The following screenshot shows the access management settings
for the IAM role described above for secondary-IP HA:
The minimum permissions you need for interface move HA are:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:AttachNetworkInterface",
        "ec2:DetachNetworkInterface",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces"
      ],
      "Resource": "*"
    }
  ]
}
```
The minimum permissions you need for secondary IP move HA are:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:AttachNetworkInterface",
        "ec2:DetachNetworkInterface",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:AssignPrivateIpAddresses",
        "ec2:AssociateAddress",
        "ec2:DescribeRouteTables"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "ec2:ReplaceRoute",
      "Resource": "arn:aws:ec2:*:*:route-table/*"
    }
  ]
}
```
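The following script is an added example, not Palo Alto Networks' or AWS's own tooling. It embeds the two policy documents above as sample input and checks a candidate policy against the per-mode minimum action sets they define: it reports required actions that are missing, flags `ec2:ReplaceRoute` when it is granted on `*` instead of the route-table ARN used above, and lists over-broad or unneeded grants, so a role can be reviewed for least privilege before it is attached to the firewalls at launch. The mode names (`interface-move`, `secondary-ip-move`) and the EC2 trust policy constant are this example's own; the trust policy uses the standard `ec2.amazonaws.com` service principal.

```python
"""Offline least-privilege check for VM-Series HA IAM policy documents.
Added example; action sets are copied from the policy documents on this page."""
import fnmatch
import json

# Minimum actions per HA mode (names of the modes are this example's own).
_INTERFACE_MOVE = {"ec2:AttachNetworkInterface", "ec2:DetachNetworkInterface",
                   "ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces"}
REQUIRED_ACTIONS = {
    "interface-move": _INTERFACE_MOVE,
    "secondary-ip-move": _INTERFACE_MOVE | {
        "ec2:AssignPrivateIpAddresses", "ec2:AssociateAddress",
        "ec2:DescribeRouteTables", "ec2:ReplaceRoute"},
}

# The page scopes ec2:ReplaceRoute to route-table ARNs rather than "*".
ROUTE_TABLE_ARN = "arn:aws:ec2:*:*:route-table/*"

# Trust policy letting EC2 instances assume the role (standard AWS service
# principal), which is what allows the role to be attached at launch.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Sample input: the interface-move policy from this page.
INTERFACE_MOVE_POLICY = json.loads("""
{"Version":"2012-10-17","Statement":[{"Sid":"VisualEditor0","Effect":"Allow",
 "Action":["ec2:AttachNetworkInterface","ec2:DetachNetworkInterface",
 "ec2:DescribeInstances","ec2:DescribeNetworkInterfaces"],"Resource":"*"}]}
""")

# Sample input: the secondary-IP-move policy from this page.
SECONDARY_IP_MOVE_POLICY = json.loads("""
{"Statement":[{"Action":["ec2:AttachNetworkInterface","ec2:DetachNetworkInterface",
 "ec2:DescribeInstances","ec2:DescribeNetworkInterfaces","ec2:AssignPrivateIpAddresses",
 "ec2:AssociateAddress","ec2:DescribeRouteTables"],"Effect":"Allow","Resource":["*"],
 "Sid":"VisualEditor0"},{"Action":"ec2:ReplaceRoute","Effect":"Allow",
 "Resource":"arn:aws:ec2:*:*:route-table/*","Sid":"VisualEditor1"}],"Version":"2012-10-17"}
""")


def _as_list(value):
    """IAM allows Action and Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Map every action pattern in Allow statements to the resources it is granted on."""
    granted = {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny statements and NotAction forms are out of scope here
        resources = set(_as_list(stmt.get("Resource", [])))
        for action in _as_list(stmt["Action"]):
            granted.setdefault(action, set()).update(resources)
    return granted


def _matches(pattern, action):
    """IAM action names are case-insensitive and may contain '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_policy(policy, mode):
    """Return (missing, findings): required actions the policy lacks, and
    least-privilege findings (over-broad grants, actions the mode does not need)."""
    required = REQUIRED_ACTIONS[mode]
    granted = allowed_actions(policy)
    missing, findings = [], []
    for action in sorted(required):
        resources = set()
        for pattern, res in granted.items():
            if _matches(pattern, action):
                resources |= res
        if not resources:
            missing.append(action)
        elif action == "ec2:ReplaceRoute" and "*" in resources:
            findings.append(f"ec2:ReplaceRoute granted on '*'; scope it to {ROUTE_TABLE_ARN}")
    for pattern in sorted(granted):
        if pattern == "*" or pattern.endswith(":*"):
            findings.append(f"over-broad action grant '{pattern}'")
        elif not any(_matches(pattern, a) for a in required):
            findings.append(f"'{pattern}' is not needed for {mode}")
    return missing, findings


if __name__ == "__main__":
    for name, doc in (("interface-move", INTERFACE_MOVE_POLICY),
                      ("secondary-ip-move", SECONDARY_IP_MOVE_POLICY)):
        for mode in REQUIRED_ACTIONS:
            print(f"{name} policy checked for {mode}: {check_policy(doc, mode)}")
```

Run as-is to see each page policy evaluated against both modes; pass any exported policy document to `check_policy` to review a role before deployment. The check deliberately treats a grant of `ec2:*` as a finding even though it satisfies every required action, since the page's policies are the minimum and nothing broader is needed for failover.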