Cloud Resolvers

  • 5 minute read
Prev Next

When resource names are used in Entitlement Actions it becomes possible to automate the creation of Entitlements. Read more about their usage in Cloud API resolvers. You can set the order within the same type of resolver using the up down arrows.

List of GCP Resolvers with update intervals displayed for each resolver.

NOTE

If multiple resolvers are configured (of the same type), they are tried one by one until the specified name(s) is hit (Tag name, Security Group name, etc). No other resolvers will be tried for the the specified name(s). So, make sure the names used are different for each.

Cloud Resolvers

AWS Resolvers

Complete the following fields to enter the parameters for resolving aws:// resource names. Refer to Cloud API resolvers for more information about where to obtain the required parameters.

  • Update Interval. Resolver polling frequency: the number of seconds before the Gateway queries the API to get the latest IP address information for hostnames. This will affect how quickly the Gateway will respond to changes. Defaults to 60 seconds.

  • Access Method. Choose AWS API access method. If using the instance's IAM role (created with the instance profile), you will need a valid access Policy created for it to work.

  • Use IAM Role. The preferred method for using the AWS resolver is by using IAM Roles. By referring to this role, the API calls made by this AppGate ZTNA instance inherits the same rights.

  • Use Access Key. Only use this mode if you have remote Gateways not inside AWS that are protecting AWS resources.

    • Access Key ID. Enter an AWS Access Key ID.

    • Secret Access Key. Enter the Secret Access Key for the Key ID.

  • Regions. If your Site (and VPC) extends across multiple regions then, instead of having to define an AWS resolver for the VPC in each region, one AWS resolver can be set up which is used in multiple regions. Use this section to list the codes of regions provided by your AWS account. The resolver will query each region in turn. For information about AWS region codes, refer to: Amazon Web Services

  • Partition. AWS Partition default is aws. (There are also aws-us-gov (GovCloud) and aws-cn (China).

  • Amazon Services. Users can enable EC2, EKS, or RDS services, and can also enable an API Gateway. By default, the EC2 service will be checked. The RDS and EKS services should only be enabled when needed to avoid potential 'permissions' warnings and unnecessary downloads.

  • Optional Settings.

    • Use Assumed Roles. If checked, the AWS concept of Assumed Roles is used. These are very useful when resources exist in other accounts/regions/ etc. If you have not configured these before then there is an example of how to configure this shown in Cloud API resolvers.

      • Assumed Roles. Enter as many Assumed Roles as required; which will be the name of the user/role you need to be in the destination account/region.

      • Resolve with master credentials. If checked the resolver will use any assumed IAM roles as well as the master account (jump account) IAM role.

    • Disable VPC Auto Discovery. Normally, the name resolver will automatically discover which VPCs IDs are available, and resolve names across all these VPCs IDs.

      • VPCs IDs. If not using VPC Auto Discovery, you can explicitly add VPC IDs that the name resolver will use.

    • Use HTTPS Proxy. If checked, all traffic to the AWS API will go through this proxy.

      • Address. Specify an HTTPS proxy in the format: https://<server>:<port>

Azure Resolvers

Complete the following fields to enter the parameters for resolving azure:// resource names:

  • Update Interval (seconds). Resolver polling frequency: the number of seconds before the Gateway queries the Azure API to get the latest IP address information for hostnames. This will affect how quickly the Gateway will respond to changes. Defaults to 60 seconds.

  • Access Method. Select Use Managed Identities if all Gateways on the Sites have Azure system assigned managed identities.

    • Use Managed Identities. Please refer to Cloud API resolvers for more information about how to configure system assigned managed identities.

    • Use App Registration. Please refer to Cloud API resolvers for more information about where to obtain the required parameters.

  • Tenant ID. Directory (tenant) ID can be obtained in the Azure portal App registration summary screen.

  • Client ID. Application (client) ID can be obtained in the Azure portal App registration summary screen.

  • Secret. For Azure App registrations, this is done by creating a 'New client secret' and capturing the value.

GCP Resolvers

Complete the following fields to enter the parameters for resolving gcp:// resource names. Refer to Cloud API resolvers for more information about where to obtain the required parameters.

  • Update Interval (seconds). Resolver polling frequency: the number of seconds before the Gateway queries the API to get the latest IP address information for hostnames. This will affect how quickly the Gateway will respond to changes. Defaults to 60 seconds.

  • Projects Filter. Enter project names or labels. Here are 3 examples; name:uk*, label:devops, label.type:production.

  • Instances Filter. Enter a filter expression. It must specify the field name, a comparison operator and the filtering value. For example: name:saturn.

  • Forwarding Rules Filter. Enter a filter expression relating to GCP load balancers. Here are 2 examples; name:testlb, region:"${REGION_PROJECT_URL}europe-*".

Illumio Resolvers

Complete the following fields to enter the parameters for resolving illumio:// resource names. To use the Illumio REST APIs, you must be an authorized Illumio user and have session credentials to sign in to the Policy Compute Engine (PCE).

  • Update Interval (seconds). Resolver polling frequency: the number of seconds before the Gateway queries the API to get the latest IP address information for hostnames.

  • Hostname. Enter the hostname of the Illumio instance.

  • Port. Enter the port number; defaults to 8443.

  • Organization ID. Enter the Organization ID to be used with REST API calls. On-premises PCE deployments will have an Organization ID of 1. The Illumio Secure Cloud (SaaS) service gives each customer a unique org ID.

  • Username. A service account with rights to make PCE API queries.

  • Password. Enter the Password relating to the Username

VMware vSphere Resolvers

Complete the following fields to enter the parameters for resolving esx:// resource names. This resolver may require a that a certificate is uploaded to Trusted Certificates if vSphere is using a self signed certificate. This should be the root CA certificate.

  • Update Interval (seconds). DNS resolver polling frequency (seconds) to get the latest IP address information. This will affect how quickly the Gateway will respond to changes. Defaults to 60 seconds.

  • Hostname. Enter the hostname of the ESXi / VCentre server.

  • Username. A service account with read only rights to Folders and Instances.

  • Password. Enter the Password relating to the Username.

Related articles
  • Cloud Resolvers
    Admin Guide > Admin Guide v6.7 > Admin UI  > System > Sites > Configure Sites
  • Cloud Resolvers
    Admin Guide > Admin Guide v6.5 > Admin UI > System > Sites > Configure Sites
  • Resource names
    Admin Guide > Admin Guide v6.6 > General administration > Access management > Using Entitlements > Defining Host(s)