Network Configuration
IP Address Assignment for Internal, External and Management Interfaces
Each interface in AWS can have private and public IP addresses. The sample CloudFormation templates provided by Ivanti Policy Secure create the Ivanti Policy Secure Virtual Appliance with both public and private IP addresses on the external and management interfaces, and only a private IP address on the internal interface. More details about IP address types on AWS can be found at: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-ip-addressing.html.
IP Addressing Modes
When Ivanti Policy Secure is deployed using the sample templates provided by Ivanti, Inc., it comes up with multiple interfaces. Taking the template “pulsesecure-IPS-3-nics.zip” provided by Ivanti, Inc. as an example, you will notice the following.
The Ivanti Policy Secure external interface and the Ivanti Policy Secure management interface have both Elastic and private IP addresses.
Modifying Network Parameters After Deployment
Since the networking infrastructure is provided by AWS, an Ivanti Policy Secure admin cannot change the network configuration after deployment. Hence, neither the admin UI nor SSH supports changing the network configuration.
Controlling the Selection of Internal, External and Management Interfaces
The sample CloudFormation template provided by Ivanti, Inc. requests the AWS fabric to create three network interfaces. While running this template, the AWS fabric creates interfaces named eth0, eth1 and eth2 and attaches them to the Ivanti Policy Secure Virtual Appliance.
So the question is: among eth0, eth1 and eth2, which network interface becomes the external, internal or management interface? The table below answers this question.
Interface Name | Ivanti Policy Secure Interface
---|---
eth0 | internal interface
eth1 | external interface
eth2 | management interface
The next question is how you can control the order of the network interfaces eth0, eth1 and eth2 created through the CloudFormation template.
The Ivanti Policy Secure Virtual Appliance is qualified with the internal interface as primary and the other two as secondary. In the following code snippet, three network interfaces are assigned to the VM. These three NICs with IDs “nic1”, “nic2” and “nic3” are internally mapped to ‘eth0’, ‘eth1’ and ‘eth2’ respectively.
```json
"EC2Instance": {
  "Type": "AWS::EC2::Instance",
  "Properties": {
    "ImageId": {"Ref": "IPSImageAMIId"},
    "KeyName": {"Ref": "KeyName"},
    "InstanceType": {"Ref": "InstanceType"},
    "NetworkInterfaces": [
      {"NetworkInterfaceId": {"Ref": "Eth0"}, "DeviceIndex": "0"},
      {"NetworkInterfaceId": {"Ref": "Eth1"}, "DeviceIndex": "1"},
      {"NetworkInterfaceId": {"Ref": "Eth2"}, "DeviceIndex": "2"}
    ],
    "Tags": [
      {
        "Key": "Name",
        "Value": {"Fn::Join": ["-", [{"Ref": "AWS::StackName"}, "IPSvAWS"]]}
      }
    ],
    "UserData": {"Fn::Base64": {"Fn::Join": ["", [{"Ref": "IPSConfigData"}]]}}
  }
},
```
Ivanti Policy Secure converts eth0 to int0, eth1 to ext0 and eth2 to mgmt0. This means the network interface with ID nic1 becomes the internal interface, nic2 the external interface and nic3 the management interface.
The table below depicts this mapping:
Interface Name | Ivanti Policy Secure Interface | Network ID
---|---|---
eth0 | internal interface | nic1
eth1 | external interface | nic2
eth2 | management interface | nic3
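Because the role of each NIC is fixed by its DeviceIndex (0 = int0, 1 = ext0, 2 = mgmt0) and cannot be changed after deployment, it is worth checking a template before launching the stack. The following added example (not Ivanti's code; the logical resource names IntNic, ExtNic, MgmtNic and Eip are hypothetical) reads a CloudFormation template, derives the role each ENI will get from its DeviceIndex, and flags an Elastic IP associated with the ENI that will become the internal interface, which this guide keeps private-only:

```python
import json

# Fixed role the appliance gives each DeviceIndex (eth0 -> int0, eth1 -> ext0, eth2 -> mgmt0)
ROLE_BY_INDEX = {0: "internal", 1: "external", 2: "management"}

# Constructed sample with hypothetical logical names; the Elastic IP is deliberately
# associated with the ENI at DeviceIndex 0, which the appliance will use as int0.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "IntNic":  {"Type": "AWS::EC2::NetworkInterface", "Properties": {"SubnetId": "subnet-int"}},
    "ExtNic":  {"Type": "AWS::EC2::NetworkInterface", "Properties": {"SubnetId": "subnet-ext"}},
    "MgmtNic": {"Type": "AWS::EC2::NetworkInterface", "Properties": {"SubnetId": "subnet-mgmt"}},
    "Eip":     {"Type": "AWS::EC2::EIPAssociation",
                "Properties": {"NetworkInterfaceId": {"Ref": "IntNic"}, "AllocationId": "eipalloc-x"}},
    "EC2Instance": {"Type": "AWS::EC2::Instance", "Properties": {"NetworkInterfaces": [
        {"NetworkInterfaceId": {"Ref": "IntNic"},  "DeviceIndex": "0"},
        {"NetworkInterfaceId": {"Ref": "ExtNic"},  "DeviceIndex": "1"},
        {"NetworkInterfaceId": {"Ref": "MgmtNic"}, "DeviceIndex": "2"}]}}
  }
}""")


def interface_roles(template):
    """Map each ENI logical id to the role the appliance derives from its DeviceIndex."""
    resources = template["Resources"]
    instance = next(r for r in resources.values() if r["Type"] == "AWS::EC2::Instance")
    roles = {}
    for nic in instance["Properties"]["NetworkInterfaces"]:
        index = int(nic["DeviceIndex"])  # the template may give the index as a string
        roles[nic["NetworkInterfaceId"]["Ref"]] = ROLE_BY_INDEX.get(index, f"unmapped-{index}")
    return roles


def check_template(template):
    """Return findings: wrong ENI count, indexes other than 0/1/2, or an Elastic IP on int0."""
    findings = []
    roles = interface_roles(template)
    if len(roles) != 3 or set(roles.values()) != set(ROLE_BY_INDEX.values()):
        findings.append("instance must attach exactly one ENI at DeviceIndex 0, 1 and 2")
    for name, res in template["Resources"].items():
        if res["Type"] != "AWS::EC2::EIPAssociation":
            continue
        eni = res["Properties"]["NetworkInterfaceId"].get("Ref")
        if roles.get(eni) == "internal":
            findings.append(f"{name}: Elastic IP attached to {eni}, which becomes int0 (keep int0 private)")
    return findings


if __name__ == "__main__":
    for finding in check_template(SAMPLE_TEMPLATE):
        print("FINDING:", finding)
```

Run it against the real template's JSON instead of the constructed sample to confirm the ENI you intend as internal sits at DeviceIndex 0 and carries no Elastic IP.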