Cloud API resolvers


Setting up a name resolver can be a bit more complex than setting up a DNS resolver, since you need to configure the Appgate SDP system to use the relevant Cloud APIs. This might include hostname, access keys, or regions. Once a name resolver is specified, you can then use resource names when defining Entitlement Actions.

Why use Cloud API resolvers?

When resource names are used, the configuration can be automated, which allows network resources to be populated by external systems. The Appgate SDP system makes API calls that return the instances currently active in a specific Cloud environment. This allows the firewall rules to be populated in near real time and avoids the need to manually update Entitlements every time a new server instance is created or removed.

Functionality

Appgate SDP supports AWS, Azure, GCP, Illumio, and vSphere. Once configured correctly, the Gateway will automatically adjust the allowed access rules in response to changing assets and IP addresses within any virtualized environment. The name resolver re-checks the results every 60 seconds to see if they have changed. If so, the Entitlement and Access Criteria scripts are re-run and the firewall rules are updated to suit. If a hostname is returned, the Name Resolver will then use DNS to resolve it. API calls are rate limited and cached to ensure the respective host platforms do not block these queries at busy times.

Configuration

When you use resource names instead of IP addresses or hostnames, you will often have to set up the Appgate SDP system in conjunction with the virtualization/Cloud environment you are using to handle API calls from the Appgate SDP system. Name resolvers update every 60 seconds, so some consideration has to be given to any API call rationing that some cloud providers operate.

  • Within the hosting environment (such as AWS), use tags and security groups to identify the instances, network interfaces, or load balancers.

  • Set permissions in, or obtain credentials from, the hosting environment that grants the API user the rights to use all relevant REST API calls.

  • Set up the different types of cloud resolvers in Sites > Cloud Resolvers so they are ready to be used by the Gateway(s).

  • Define the Host(s) in Entitlements > Actions using the special resource name syntax.

  • You can test your name resolver syntax on the Sites page. There is a Test Name Resolver action button for each site. The syntax for testing the resolver is exactly the same as the syntax that you configure in your actions.

NOTE

To minimize the number of Cloud API calls made by the Gateways, Cloud API calls now return all resources and filter them in the Gateway as required. This means it is important to set the right permissions for the resolver even for resource types you are not using (for example, "ec2:DescribeNetworkInterfaces" on AWS or "Microsoft.Network/networkInterfaces/read" on Azure).

Use the Sites > Name Resolvers UI to configure a resolver.
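Because the Gateway fetches all resources and filters them locally, the resolver's API user needs read access to every resource type it may be asked about, and nothing more. The following is an added example, not Appgate's code: a small Python audit of an AWS IAM policy document for that API user, checking that every allowed action is read-only (no wildcards, no write-capable actions) and that the expected Describe actions are all present. The required action set beyond ec2:DescribeNetworkInterfaces is an assumption for illustration; use the permission list from Appgate's own documentation for your deployment.

```python
"""Least-privilege audit for a cloud resolver's AWS IAM policy (added example)."""
import fnmatch

# Assumed read-only action set for the resolver's API user. The page names
# ec2:DescribeNetworkInterfaces explicitly; the others cover the resource kinds it
# mentions (instances, tags, security groups, load balancers) and are an assumption.
REQUIRED_ACTIONS = sorted({
    "ec2:DescribeInstances",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeTags",
    "elasticloadbalancing:DescribeLoadBalancers",
})

# Action-name prefixes treated as read-only for this audit.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _allowed_actions(policy):
    """Flatten the Action field of every Allow statement into one list."""
    actions = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.extend([act] if isinstance(act, str) else act)
    return actions


def audit_resolver_policy(policy):
    """Return (ok, findings). Findings list over-broad/write-capable actions and
    required actions that no Allow statement grants."""
    findings = []
    allowed = _allowed_actions(policy)
    for action in allowed:
        _service, _, name = action.partition(":")
        if "*" in action or not name.startswith(READ_ONLY_PREFIXES):
            findings.append(f"over-broad or write-capable action: {action}")
    for required in REQUIRED_ACTIONS:
        # fnmatch lets a wildcard such as ec2:* satisfy a required action, so the
        # wildcard itself is still reported above.
        if not any(fnmatch.fnmatch(required, pattern) for pattern in allowed):
            findings.append(f"missing required action: {required}")
    return (not findings, findings)


# Constructed sample policies. Resource is "*" because EC2 Describe actions do not
# support resource-level restrictions; least privilege here comes from the Action list.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": REQUIRED_ACTIONS, "Resource": "*"}]}
```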