Verify deployment prerequisites
The Verify network asset page in the Get Started wizard provides a list of prerequisite items that you must meet in your AWS environment before you can create a CloudFormation deployment script and deploy Network Security to protect your Cloud assets.
The following table provides a detailed description of all of the prerequisite items that must be met before you can deploy Network Security with Edge protection deployment. Most of these prerequisites should be completed from the management console in your AWS account.
NOTE
Only the prerequisites that have not been met will appear on the Verify network asset page.
# | Prerequisite | Detailed description | To meet the requirement
---|---|---|---
1 | An Internet gateway is attached to the VPC | Because this deployment option primarily protects traffic from the Internet, this prerequisite ensures that an Internet gateway is attached to the VPC, and that the Internet gateway can be protected. | Attach an Internet gateway to the VPC you want to protect.
2 | The public subnet in the AZ includes an Internet gateway route | This deployment option requires that the Internet traffic of public subnets routed from the Internet gateway is re-routed to the Network Security virtual appliance for inspection. This prerequisite ensures that the VPC contains at least one public subnet with an Internet gateway route in each AZ where the appliance will be deployed. | Add at least one public subnet that has an associated route table with a route to the Internet gateway.
3 | IPv6 CIDR blocks are not included in this VPC | Network Security does not support IPv6 CIDR blocks. This prerequisite ensures that the selected VPC does not have IPv6 CIDR blocks configured. | If the VPC that you selected contains IPv6 routes, you must select a different VPC to continue with deployment.
4 | IPv6 routes are not included in the public subnet route table | This prerequisite ensures that the public subnet route tables in this VPC do not contain IPv6 routes. This deployment option does not support IPv6. | Remove any IPv6 routes from the route table or select a VPC that does not include IPv6 routes.
5 | An SSH key pair is created for this region | This prerequisite ensures that there is at least one SSH key pair in the same region as the VPC that needs protection so that the Network Security virtual appliance is accessible. | Create an SSH key pair in the same region as the VPC.
6 | There is sufficient CIDR space in this VPC | For this deployment option, CloudFormation creates two subnets in the VPC, the inspection subnet and the management subnet, so the VPC needs to have at least two /28 CIDR blocks available. This prerequisite ensures that the VPC includes enough CIDR space to create the inspection and management subnets, which are required for this deployment. | Create additional CIDR space for the VPC.
7 | Network Security AMIs are available in this region | This prerequisite ensures that the Network Security virtual appliance AMI is published and available in the same region as this VPC. | If the Network Security AMI is not already available in your region, contact the Trend Micro support team to share AMIs in this region. From the Network Security management interface, click Help → Support.
8 | There is a NAT gateway in each AZ | For this deployment option, traffic from the management subnet is routed through a NAT gateway. This prerequisite ensures that the VPC contains a NAT gateway in each AZ that contains a public subnet. A NAT gateway is needed for the Network Security virtual appliance to be able to communicate. | Create a NAT gateway for each AZ with a public subnet.
9 | Edge association is disabled for the route table | For this deployment option, the routes for the Internet gateway are modified to send traffic to an inspection subnet instead of the public subnet. Because an edge association between the route table and the Internet gateway cannot be removed during CloudFormation, this prerequisite ensures that the VPC does not use an edge association for the route table that routes Internet traffic to the public subnets. | Remove the route table edge association with the Internet gateway. A new route table is associated during CloudFormation.
10 | The Internet gateway route is not in the main route table | For this deployment option, the routes that send traffic from the public subnets to the Internet gateway are modified so that Internet traffic is sent to an inspection subnet instead of the public subnet. This prerequisite ensures that the VPC does not use the main route table to route Internet traffic to the public subnets. If the main route table includes the Internet gateway route, the VPC is not completely protected when new subnets are created. | If the main route table includes a route of Internet traffic to the public subnets, remove this route, or designate a different route table as the main route table.
11 | The Trend Micro Cloud One account is below the maximum virtual appliance limit | For this deployment option, a Network Security virtual appliance is deployed in each AZ that needs to be protected, but there is a limit to how many virtual appliances can be deployed in each account. This prerequisite ensures that deployment will not create more virtual appliances than the maximum number allowed for this Trend Micro Cloud One account. | From the Network Security management interface, click Help → Support to contact the Trend Micro support team to request a limit increase.
12 | IP addresses are available in each public subnet | For this deployment option, Network Security creates an ENI within each public subnet to route Internet traffic to the virtual appliance for inspection. This prerequisite ensures that the public subnets contain at least one free IP address so that an ENI can be attached to the subnet. | Create a new public subnet, use a different public subnet, or delete unused resources from the subnet.
13 | The provided AZs contain public subnets | This prerequisite ensures that each AZ in the provided list of AZs that need protection includes a public subnet. | Only include AZs with public subnets in the provided list of AZs that need protection.
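The following is an added example (not Trend Micro's wizard code) that evaluates several of the table's VPC-level prerequisites (1, 2/13, 3, 4, 6 and 10) offline against constructed dictionaries shaped like the output of `aws ec2 describe-vpcs`, `describe-internet-gateways`, `describe-subnets` and `describe-route-tables`; the resource IDs and CIDRs are made up for the sample, and the function names are this example's own.

```python
import ipaddress

# Constructed sample data mimicking the shape of `aws ec2 describe-*` output; not a real account.
VPC = {"VpcId": "vpc-example", "CidrBlock": "10.0.0.0/24", "Ipv6CidrBlockAssociationSet": []}
IGWS = [{"InternetGatewayId": "igw-example", "Attachments": [{"VpcId": "vpc-example"}]}]
SUBNETS = [
    {"SubnetId": "subnet-a", "AvailabilityZone": "us-east-1a", "CidrBlock": "10.0.0.0/26"},
    {"SubnetId": "subnet-b", "AvailabilityZone": "us-east-1b", "CidrBlock": "10.0.0.64/26"},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/24", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-a"}, {"SubnetId": "subnet-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"},
                {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-example"}]},  # violates #4
]

def has_igw_route(rtb):
    """True if any route in the table targets an Internet gateway (igw-*)."""
    return any(r.get("GatewayId", "").startswith("igw-") for r in rtb["Routes"])

def free_slash28_blocks(vpc, subnets):
    """Count /28 blocks of the VPC CIDR not covered by an existing subnet (prerequisite 6)."""
    net = ipaddress.ip_network(vpc["CidrBlock"])
    if net.prefixlen > 28:
        return 0
    used = [ipaddress.ip_network(s["CidrBlock"]) for s in subnets]
    return sum(1 for blk in net.subnets(new_prefix=28) if not any(blk.subnet_of(u) for u in used))

def check_prerequisites(vpc, igws, subnets, route_tables, azs):
    """Return {check_name: bool} for the prerequisites that can be judged from this data."""
    results = {}
    results["igw_attached"] = any(a["VpcId"] == vpc["VpcId"] for g in igws for a in g["Attachments"])
    # A subnet without an explicit association falls back to the main route table.
    main = next(rt for rt in route_tables if any(a.get("Main") for a in rt["Associations"]))
    rtb_for = {a["SubnetId"]: rt for rt in route_tables for a in rt["Associations"] if "SubnetId" in a}
    public_azs = {s["AvailabilityZone"] for s in subnets
                  if has_igw_route(rtb_for.get(s["SubnetId"], main))}
    results["public_subnet_per_az"] = all(az in public_azs for az in azs)     # 2 and 13
    results["no_ipv6_cidr"] = not vpc["Ipv6CidrBlockAssociationSet"]            # 3
    results["no_ipv6_routes"] = not any("DestinationIpv6CidrBlock" in r       # 4
                                        for rt in route_tables if has_igw_route(rt)
                                        for r in rt["Routes"])
    results["cidr_space"] = free_slash28_blocks(vpc, subnets) >= 2             # 6
    results["igw_not_in_main"] = not has_igw_route(main)                       # 10
    return results

if __name__ == "__main__":
    for name, ok in check_prerequisites(VPC, IGWS, SUBNETS, ROUTE_TABLES, ["us-east-1a", "us-east-1b"]).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

With the sample data every check passes except `no_ipv6_routes`, because the public route table carries a `::/0` route to the Internet gateway, which is exactly the condition prerequisite 4 tells you to remove.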