BlueCat Cloud Discovery for AWS

Purpose:
This document serves as a high-level script to use when demonstrating BlueCat’s Cloud
Discovery for AWS Gateway workflow. This document is not designed to explain how customers
should configure their BlueCat Address Manager, BlueCat Gateway, or their Amazon AWS
environments.

Requirements:
- BlueCat Address Manager (BAM)
- BlueCat DNS/DHCP Server (BDDS) with the master role for the deployed zone (Force DNS Full Deployment)
- BlueCat Gateway Appliance
- BlueCat Gateway Workflow – discovery_and_visibility_AWS
- 1 VPC
- 1 EC2
- Access to an AWS account with MFA, SQS and CloudWatch as needed

Cloud Discovery and Visibility for AWS

1. BlueCat Gateway workflow configuration
a. AWS Credentials
i. Basic AWS Parameters – These are the access keys used to make secure
REST or HTTP Query protocol requests to the AWS service APIs from your
AWS account.
1. AWS Access Key ID
2. AWS Secret Access Key
ii. Advanced AWS Parameters
1. If multifactor authentication is needed, enter the Assigned MFA
device Amazon Resource Name (ARN)
2. If required, enter the appropriate role assumption ARN
b. Configuration Options
i. AWS Region/BlueCat Configuration – By default, Cloud Discovery imports all
of the AWS infrastructure into a single BlueCat configuration named after the
AWS region being discovered. This can be overridden by manually entering
a new configuration name.
ii. Per VPC Configuration Mode – If VPC subnets overlap within the AWS
region, Per VPC Configuration Mode should be enabled. A unique
BlueCat configuration is then created for each VPC during discovery.
c. Discovery Options
i. Discover AWS Resources – Granular options available to import EC2
instances, ELBv2 load-balancers and EC2 DNS records
ii. BlueCat Target Zone – When discovery of Amazon EC2 instance DNS
records is enabled, the discovered records are also created in a new
BlueCat target zone.
1. Discovery uses any AWS Name tag placed on the EC2 instance
as the hostname in the target zone, provided it is DNS compliant. If a Name
tag is not defined or is invalid, the EC2 instance ID is used instead.
d. Visibility Options
i. Enable Visibility After Discovery – Allows ongoing synchronization between
AWS and BlueCat leveraging Amazon CloudWatch and SQS
ii. Update DNS (Selective Deployment) – Automatically deploys DNS changes
to the primary DNS server for the zone

iii. BlueCat Username/Password – These are the BlueCat Gateway credentials
with the appropriate API permissions
iv. AWS Service Account – This is an AWS account used to provide continuous
monitoring of EC2 changes. This account must not have multi-factor
authentication enabled
2. Start Discovery
a. When starting discovery for the first time in a region, you will be prompted for
your MFA token code
b. Show the real-time status logs at the top of the page
c. When discovery is complete, review the Discovery History & Visibility Status and
History item and explain what was imported
3. Walk through BlueCat Address Manager
a. Show any newly created configurations
i. Single configuration mode creates a single configuration for all AWS address
space in an AWS region
ii. If Per VPC configuration mode is enabled, a BlueCat configuration is created
for each VPC
b. EC2 devices are created, AWS metadata is added, IP addresses are mapped to DNS
records
c. Public and private IPs in the AWS address space are all mapped in BlueCat

d. Public and Private DNS views are created for Amazon DNS and Route53

e. If a valid DNS label is provided in the AWS Name tag, it is used for DNS. If not,
the EC2 instance ID is used

4. Continuous Visibility
a. To keep BlueCat up to date with AWS EC2 changes, CloudWatch and Simple
Queue Service (SQS) are enabled so that EC2 state-change events are delivered to an SQS queue
b. The workflow reads these messages in sequence to update the EC2 device and
its associated records in BlueCat
c. EC2 compute devices in BlueCat only have published DNS records when running
d. Continuous synchronization will update the device in BlueCat when an instance is
created, started, stopped or terminated
e. The workflow provides feedback while processing each update message from the AWS
SQS queue
5. Selective Deployment
a. Launch or Start an EC2 instance in AWS
i. Show that the real-time status log in Gateway detects the instance state
change
ii. Once the EC2 instance is running, dig the hostname against your primary DNS server
and explain how it automatically resolves to the correct public IP
b. Stop the instance in AWS
i. Show that the real-time status log in Gateway detects the instance state
change
ii. Once the EC2 instance is stopped, dig the hostname against your primary DNS server
and explain how the public IP address and its associated records have been
removed
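The update loop behind sections 4 and 5, as an added Python example that is not part of this document or of BlueCat's own workflow code: it consumes SQS message bodies carrying CloudWatch "EC2 Instance State-change Notification" events in order, applies the Name-tag-or-instance-ID hostname rule from section 1.c, and keeps address records only while an instance is running. The inventory table, instance IDs and addresses are constructed stand-ins for what the workflow would fetch from AWS.

```python
import json
import re

# RFC 1123 label: 1-63 letters, digits or hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed stand-in for the instance details (Name tag, addresses) the workflow
# fetches from AWS after an event; the state-change event itself carries no IPs.
INVENTORY = {
    "i-0abc1234": {"name": "web-01", "public_ip": "203.0.113.10", "private_ip": "10.0.1.10"},
    "i-0def5678": {"name": "bad name!", "public_ip": "203.0.113.11", "private_ip": "10.0.1.11"},
}

def dns_label(name_tag, instance_id):
    """Hostname on the target zone: the Name tag if it is DNS-compliant, else the instance ID."""
    if name_tag and LABEL_RE.match(name_tag):
        return name_tag.lower()
    return instance_id

def apply_event(devices, event):
    """Apply one CloudWatch EC2 state-change notification to the device table."""
    if event.get("detail-type") != "EC2 Instance State-change Notification":
        return  # unrelated message on the queue: device table untouched
    iid, state = event["detail"]["instance-id"], event["detail"]["state"]
    inv = INVENTORY.get(iid, {})
    dev = devices.setdefault(iid, {"hostname": dns_label(inv.get("name"), iid), "records": {}})
    dev["state"] = state
    if state == "running":  # records are published only while the instance runs
        dev["records"] = {"public": inv.get("public_ip"), "private": inv.get("private_ip")}
    else:                   # pending, stopping, stopped, terminated: records withdrawn
        dev["records"] = {}

def process_queue(message_bodies):
    """Consume SQS message bodies (JSON events) in order and return the device table."""
    devices = {}
    for body in message_bodies:
        apply_event(devices, json.loads(body))
    return devices

def state_event(iid, state):
    return json.dumps({"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
                       "detail": {"instance-id": iid, "state": state}})

# Constructed queue: one instance started, one stopped, and an unrelated message that is skipped.
SAMPLE_QUEUE = [
    state_event("i-0abc1234", "pending"),
    state_event("i-0abc1234", "running"),
    json.dumps({"source": "aws.s3", "detail-type": "Object Created", "detail": {}}),
    state_event("i-0def5678", "running"),
    state_event("i-0def5678", "stopped"),
]
```

Running `process_queue(SAMPLE_QUEUE)` leaves web-01 with public and private records and the stopped instance, whose Name tag is not a valid label, registered under its instance ID with no records.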

Screenshots of Gateway workflow configurations:

AWS Credentials:

Configuration Options:

Discovery Options:

Visibility Options:

Example EC2 Instance View:

Example BAM View:
