More and more organizations today are moving towards dynamic infrastructure deployments in cloud environments or using microservices. In such environments, instances and services are created and terminated as needed and this can be very frequent. Keeping up with updates to these components in a rapidly changing environment becomes a challenge for SecOps teams and an agile, scalable and automated solution has become a vital requirement.
Suppose an access rule configured on the Cisco Secure Firewall allows traffic from one service to another based on their IP addresses. It is effective as long as the configuration does not change, but if the destination node goes down or becomes unreachable, another node will spin up in its place, rendering the access rule ineffective. The access rule does not dynamically change on the firewall, it requires an administrator to log into the device and manually change the rule unless dynamic objects are configured on the Cisco Secure Firewall Management Center (CMF).
If dynamic objects are configured on the FMC, any modification of the dynamic IP addresses can take place programmatically using the Cisco Secure Dynamic Attribute Connector (CSDAC) without the need to deploy this change to the firewall.
Alternatively, IP addresses in Smart Objects on FMC can be automatically created, updated, and deleted using Hashicorp’s Consul-Terraform-Sync solution. For customers using the Consul infrastructure, this is the preferred solution.
Hashicorp’s Consul is a service mesh solution that provides service discovery, configuration, and segmentation capabilities across multiple environments. Its service discovery feature allows Consul agents to register services in a central registry called the Consul Service Catalog.
The Consul-Terraform-Sync service uses the Consul Catalog as a data source that contains network information about services and monitors Consul state changes at the application layer (based on service state changes, new instances deployed, etc.) and passes the data to a Consul-Terraform-Sync compatible Terraform Module which triggers automatically.
Terraform is used as the underlying automation tool and leverages the Terraform vendor ecosystem to make relevant changes to the network infrastructure. The terraform module used here is the dynamic objects module based on FMC terraform provider.
Please refer to this link to get started with Consul-terraform-sync.
When the Consul Terraform-Sync solution is used in conjunction with the Smart Object, the FMC is updated with the IP address mappings received by the Terraform module from the Smart Objects. This, in turn, updates the access rules on the FMC containing this object, which ensures that the correct access is always provided to the correct services.
This partnership between Cisco and Hashicorp provides an agile solution to keep up with dynamic changes in the cloud environment. Terraform module with detailed usage and workflow can be found here.
We’d love to hear what you think. Ask a question, comment below, and stay connected with Cisco Secure on social media!
Cisco Secure Social Channels