Skip to main content
Installing to Cloud Providers

Search

Cequence Bridge on AWS ECS

© 2024 Cequence Security. All Rights Reserved.

Cequence Bridge on AWS ECS

  • Updated on
  • ~ minute read
Download PDF

The procedures in this article deploy Cequence Bridge into the AWS Elastic Container Service (ECS) using Terraform. You can deploy Cequence Bridge in AWS ECS using Fargate or on Amazon Elastic Compute Cloud (EC2).

Prerequisites

Confirm that your environment meets the following prerequisites before you begin deploying Cequence Bridge.

Cequence UAP Platform

Confirm that the Cequence Unified API Protection (UAP) platform is installed and working properly before deploying Cequence Bridge. On a new install, a member of the Cequence Customer Success team can confirm that the Cequence UAP platform is working properly.

Confirm that you have access to the credentials for a user account on the Cequence UAP platform with the privileges to create a client token for traffic ingestion through the User Management menu.

Network Communication

The Cequence UAP platform and the Cequence Bridge communicate over HTTPS. Confirm that HTTPS communication is enabled.

Depending on the third party integration, Cequence Bridge in ECS communicates to third-party devices using TLS over TCP, ICAP, HTTP or HTTPS on user-defined ports. Confirm that the communication using the protocol relevant to your third-party device integration is enabled.

Amazon Web Services

Deploying to AWS requires access to the AWS CLI tool and an IAM user with privileges to deploy to AWS ECS.

AWS ECS pulls the container images from AWS Elastic Container Registry (ECR). Please confirm that you have the AWS ECR repository URL and are able to access it. You will need credentials for AWS ECR to push new images, specifically the Cequence Bridge container image. You will also need an IAM role that has privileges to pull the Cequence Bridge container image to run in AWS ECR.

To use TLS over TCP or HTTPS, deploy an AWS Application Load Balancer (ALB) and attach your SSL certificates to the AWS ALB when using AWS ECS with Fargate. Refer to the AWS documentation for creating SSL certificates using AWS Certificate Manager. Confirm that you have the Amazon Resource Name (ARN) for the certificate you are going to attach to the AWS ALB.

The privileges that the AWS CLI user requires when using the Cequence provided Terraform to create all of the required infrastructure are outlined below:

  • Compute
    • Full control over ECS cluster, service, and task definition management.
    • If using EC2, full control over EC2 instances, key pairs, security groups, VPCs, and networking components.
  • Networking
    • Creation and management of load balancers, target groups, listeners, and related resources.
  • Container Registry
    • Full repository lifecycle management, including image uploads, downloads, and policies.
  • Logging
    • Create log groups, streams, and write log events in AWS CloudWatch.
  • Identity Management
    • Create and manage IAM roles, policies, and instance profiles.
    • Enable roles to be passed to ECS and EC2 under controlled conditions.

AWS IAM role JSON

The JSON specification of the AWS IAM role lists the required privileges.

{
    "Version": "2012-10-17",
    "Statement": [
        {
           "Effect": "Allow",
           "Action": [
               "ec2:DescribeInstances",
               "ec2:RunInstances",
               "ec2:CreateKeyPair",
               "ec2:DeleteKeyPair",
               "ec2:CreateSecurityGroup",
               "ec2:AuthorizeSecurityGroupIngress",
               "ec2:AuthorizeSecurityGroupEgress",
               "ec2:RevokeSecurityGroupIngress",
               "ec2:RevokeSecurityGroupEgress",
               "ec2:CreateLaunchTemplate",
               "ec2:DescribeLaunchTemplates",
               "ec2:DeleteLaunchTemplate",
               "ec2:CreateVpc",
               "ec2:CreateSubnet",
               "ec2:CreateInternetGateway",
               "ec2:AttachInternetGateway",
               "ec2:CreateRoute",
               "ec2:CreateRouteTable",
               "ec2:AssociateRouteTable",
               "ec2:CreateNatGateway",
               "ec2:AllocateAddress",
               "elasticloadbalancing:CreateLoadBalancer",
               "elasticloadbalancing:DeleteLoadBalancer",
               "elasticloadbalancing:DescribeLoadBalancers",
               "elasticloadbalancing:CreateTargetGroup",
               "elasticloadbalancing:DeleteTargetGroup",
               "elasticloadbalancing:DescribeTargetGroups",
               "elasticloadbalancing:RegisterTargets",
               "elasticloadbalancing:DeregisterTargets",
               "elasticloadbalancing:CreateListener",
               "elasticloadbalancing:DeleteListener",
               "elasticloadbalancing:DescribeListeners",
               "ecs:CreateCluster",
               "ecs:DeleteCluster",
               "ecs:DescribeClusters",
               "ecs:CreateService",
               "ecs:DeleteService",
               "ecs:DescribeServices",
               "ecs:UpdateService",
               "ecs:DescribeTaskDefinition",
               "ecs:RegisterTaskDefinition",
               "ecs:DeregisterTaskDefinition",
               "ecr:GetAuthorizationToken",
               "ecr:BatchCheckLayerAvailability",
               "ecr:GetDownloadUrlForLayer",
               "ecr:BatchGetImage",
               "ecr:CreateRepository",
               "ecr:DeleteRepository",
               "ecr:DescribeRepositories",
               "ecr:PutImageScanningConfiguration",
               "ecr:PutLifecyclePolicy",
               "ecr:GetLifecyclePolicy",
               "ecr:DeleteLifecyclePolicy",
               "ecr:SetRepositoryPolicy",
               "ecr:GetRepositoryPolicy",
               "ecr:TagResource",
               "ecr:UntagResource",
               "logs:CreateLogGroup",
               "logs:CreateLogStream",
               "logs:PutLogEvents",
               "iam:CreateRole",
               "iam:AttachRolePolicy",
               "iam:PutRolePolicy",
               "iam:CreateInstanceProfile",
               "iam:AddRoleToInstanceProfile"
           ],
           "Resource": "*"
       },
       {
           "Effect": "Allow",
           "Action": [
               "iam:PassRole"
           ],
           "Resource": [
               "arn:aws:iam::*:role/*"
           ],
           "Condition": {
               "StringEqualsIfExists": {
                   "iam:PassedToService": [
                       "ecs.amazonaws.com",
                       "ec2.amazonaws.com"
                   ]
               }
           }
       }
   ]
}

NOTE: The Cequence provided Terraform scripts enables the use of existing infrastructure. You can adjust the AWS IAM role accordingly. 

Cequence Bridge

Confirm that you have access to the credentials for Cequence image repository on Gitlab to pull the latest Cequence Bridge container image. Your Cequence sales team or customer success team can provide these credentials.

The Cequence Bridge needs to authenticate with the Cequence UAP platform before sending traffic to  the platform. Confirm that you have the subdomain for the Cequence UAP platform deployment. The subdomain will be used to setup the AUTH (for authentication) and EDGE (for traffic ingestion) endpoints that the Cequence Bridge needs to communicate with.

Other prerequisites

Confirm that Terraform release v1.9.8 or later is available on the host used for the installation.

Confirm that the AWS CLI tool (awscli) release 2.14.0 or later is available on the host used for the installation.

If you need to upload the Cequence Bridge container image into AWS ECR, Docker must be available on the host in order to pull the image from the Cequence container registry and push the image into AWS ECR. 

Deploying Cequence Bridge

The procedures in this section outline the deployment of the Cequence Bridge into AWS ECS. The configuration of the Cequence Bridge depends on the presence of third-party integrations, such as API gateways or load balancers.

Step 1: Create a Client ID and Client Secret on the UAP platform

Several Cequence components must authenticate to the Cequence UAP platform in order to transmit and receive data. Create authentication credentials in the Cequence UAP platform to enable this authentication.

  1. Log in to the UAP management portal UI.
    The URL for the management portal is typically of the form https://ui.<your-tenant-name>.<domain>. Replace <your-tenant-name> with the name of your Cequence tenant organization. Replace <domain> with your domain name.
  2. Select General Settings > User Management.
    The User Management pane appears.
  3. Click the Clients tab.
  4. Click Add New Client.
    The new client dialog box appears.
  5. Type the client name in the Client Name field.
    This name is the client ID. Note the client ID for later use.
  6. Enable the Traffic Management toggle.
  7. (Optional) To change the token lifespan from the default of 1800 seconds, type a whole number of seconds in Token Lifespan.
  8. Click Save.
    A dialog box with the client secret appears.
  9. Click the blue Copy icon to copy the secret to the clipboard, then click Close.
    The client is now set up. Note the client name for future use.
    The client list appears.
  10. Note the value of the client secret for later use. This value will not be shown again later on the UI for security reasons.

Step 2: Download the Cequence Terraform bundle

  1. Download the compressed AWS ECS Bridge deployment bundle.
  2. Unarchive the bundle. 
    tar -xvzf cequence-bridge-aws-ecs-xxxxxxx.tar.gz

Step 3: Uploading Cequence Bridge container image to AWS ECR

  1. Run the following commands to export the AWS credentials for the AWS CLI user.
  2. export BRIDGE_VERSION="5.3.2"
    export AWS_REGION="your region" (use the same region as in terraform.tfvars)
    export AWS_ACCESS_KEY_ID="xxx"
    export AWS_SECRET_ACCESS_KEY="xxxx"
  3. (OPTIONAL) Create an ECR repository for the Cequence Bridge container image.
    1. Run the following commands to validate the Terraform configuration for the ECR repository creation. 
      • cd cequence-bridge/ecr-repo
        vi main.tf
    2. Run the following commands to execute the Terraform script to create the repository. 
      • terraform init
        terraform plan
        terraform apply
    3. Run the following command to export the newly created ECR repository URL for further use. 
      • export ECR_REPO=$(terraform output repository_url | sed 's/\"//g')
  4. Run the following command to export an existing ECR repository URL to upload the Cequence Bridge container image.
  5. export ECR_REPO=<ECR-Repo-URL>
  6. Run the following commands to pull the Cequence Bridge container image and push the image to the ECR repo.
  7. docker pull registry.gitlab.com/cequence/releases/dataplane/cequence-bridge:${BRIDGE_VERSION} --platform=linux/amd64
    docker tag registry.gitlab.com/cequence/releases/dataplane/cequence-bridge:${BRIDGE_VERSION} ${ECR_REPO}:latest
    aws ecr get-login-password --region=${AWS_REGION} | docker login --username AWS --password-stdin ${ECR_REPO}
    docker push ${ECR_REPO}:latest

Step 4: Deploying Cequence Bridge to AWS ECR

  1. Run the following commands to review the terraform.tfvars file and update the variables for your environment.
    cd cequence-bridge/bridge-ecs
    vi terraform.tfvars
  2. Run the following commands to Execute the Terraform script to deploy the Cequence Bridge.
    terraform init
    terraform plan
    terraform apply
  3. Choose the method that matches your deployment setup to get the Cequence Bridge URL or Public IP.
    1. For Cequence Bridge deployed on EC2 without a AWS ALB, run the following command to get the public IP.
      terraform output public_ip
    2. For Cequence Bridge deployed on Fargate without a AWS ALB, run the following command to get the public IP. 
      terraform output ecs_cluster_name
      ./bridge_ip.sh <ecs-cluster-name>
      The Cequence Bridge listens on port 9443 for HTTP.
    3. For Cequence Bridge with an AWS ALB deployed, the following command provides the DNS name for the ALB.
      terraform output alb_url
      The AWS ALB listens on port 443 for HTTPS. Cequence Bridge listens on port 9443 for HTTP from the AWS ALB.

Step 5: Configure the integration to use Cequence Bridge

  • For your integration to send traffic to the Cequence Bridge deployed in ECS, change the Cequence Edge URL in the configuration of the integration to use one of the below based on how it was deployed.
    • For Cequence Bridge without a AWS ALB
    • http://<public-ip>:9443
    • For Cequence Bridge with a AWS ALB
    • https://<alb_url>

 

 

 

Was this article helpful?
Japanese (Japan)