Manually Create the AWS Network Environment | CyberArk Docs https://docs.cyberark.com/pam-self-hosted/Latest/en/Content/PAS%2...

Manually Create the AWS Network Environment
The following section describes the process for manually creating the architecture discussed in
the AWS Architecture for Privileged Access Manager - Self-Hosted Deployment section. This
environment can be created automatically according to the procedure described in
Automatically Create the CyberArk Network Environment.

Create a VPC for the PAM - Self-Hosted Vault


This section describes how to configure a Virtual Private Cloud (VPC) with a public subnet and
private subnets. The instances in the public subnet can send outbound traffic directly to the
Internet, whereas the Vault instances in the private subnets cannot. Instead, the Vault instances
reach the AWS KMS service over a private link, and the Internet cannot establish connections to
the Vault servers.

Create the VPC


1. Open the Amazon VPC console.

2. From the navigation pane, select Your VPCs > Create VPC.

3. Enter a Name tag for the PAM - Self-Hosted VPC.

4. Enter an IPV4 CIDR block. For example, 10.0.0.0/16 allocates 65536 IP addresses for
your instances.

5. Select Yes, Create.

Create the Primary Vault subnet


1. From the navigation pane, select Subnets > Create Subnet.

2. Enter a Name tag for the private Subnet where the Primary Vault instance will reside,
select the PAM - Self-Hosted VPC and select an Availability Zone.

3. Enter an IPV4 CIDR block. For example, 10.0.1.0/24 allocates 256 IP addresses within
this Subnet.

4. Select Yes, Create.

Create the Vault DR subnet


1. From the navigation pane, select Subnets > Create Subnet.


2. Enter a Name tag for the private Subnet where the Vault DR instance will reside.

Note
Select the PAM - Self-Hosted VPC and select an Availability Zone. The
Availability Zone should be a different zone from the one you selected for
the main Vault Subnet.

3. Enter an IPV4 CIDR block. For example, 10.0.2.0/24 allocates 256 IP addresses within
this Subnet.

4. Select Yes, Create.

Create the main CPM subnet


1. From the navigation pane, select Subnets > Create Subnet.

2. Enter a Name tag for the private Subnet where the main CPM instance will reside,
select the PAM - Self-Hosted VPC and select an Availability Zone.

3. Enter an IPV4 CIDR block. For example, 10.0.3.0/24 allocates 256 IP addresses within
this Subnet.

4. Select Yes, Create.

Create the CPM DR subnet


1. From the navigation pane, select Subnets > Create Subnet.

2. Enter a Name tag for the private Subnet where the CPM DR instance will reside.

Note
Select the PAM - Self-Hosted VPC and select an Availability Zone. The
Availability Zone should be a different zone from the one you selected for
the main CPM Subnet.

3. Enter an IPV4 CIDR block. For example, 10.0.4.0/24 allocates 256 IP addresses within
this Subnet.

4. Select Yes, Create.

Create the main PVWA subnet


1. From the navigation pane, select Subnets > Create Subnet.

2. Enter a Name tag for the private Subnet where the main PVWA instance will reside,
select the PAM - Self-Hosted VPC and select an Availability Zone.

3. Enter an IPV4 CIDR block. For example, 10.0.5.0/24 allocates 256 IP addresses within
this Subnet.

4. Select Yes, Create.

Create the secondary PVWA subnet


1. From the navigation pane, select Subnets > Create Subnet.

2. Enter a Name tag for the private Subnet where the secondary PVWA instance will
reside.

Note
Select the PAM - Self-Hosted VPC and select an Availability Zone. The
Availability Zone should be a different zone from the one you selected for
the main PVWA Subnet.

3. Enter an IPV4 CIDR block. For example, 10.0.6.0/24 allocates 256 IP addresses within
this Subnet.

4. Select Yes, Create.

Create the main PSM subnet


1. From the navigation pane, select Subnets > Create Subnet.

2. Enter a Name tag for the private Subnet where the main PSM instance will reside,
select the PAM - Self-Hosted VPC and select an Availability Zone.

3. Enter an IPV4 CIDR block. For example, 10.0.7.0/24 allocates 256 IP addresses within
this Subnet.

4. Select Yes, Create.


Create the secondary PSM subnet


1. From the navigation pane, select Subnets > Create Subnet.

2. Enter a Name tag for the private Subnet where the secondary PSM instance will reside.

Note
Select the PAM - Self-Hosted VPC and select an Availability Zone. The
Availability Zone should be a different zone from the one you selected for
the main PSM Subnet.

3. Enter an IPV4 CIDR block. For example, 10.0.8.0/24 allocates 256 IP addresses within
this Subnet.

4. Select Yes, Create.

Create the main PSM for SSH subnet


1. From the navigation pane, select Subnets > Create Subnet.

2. Enter a Name tag for the private Subnet where the main PSM for SSH instance will
reside, select the PAM - Self-Hosted VPC and select an Availability Zone.

3. Enter an IPV4 CIDR block. For example, 10.0.9.0/24 allocates 256 IP addresses within
this Subnet.

4. Select Yes, Create.

Create the secondary PSM for SSH subnet


1. From the navigation pane, select Subnets > Create Subnet.

2. Enter a Name tag for the private Subnet where the secondary PSM for SSH instance
will reside.

Note
Select the PAM - Self-Hosted VPC and select an Availability Zone. The
Availability Zone should be a different zone from the one you selected for
the main PSM for SSH Subnet.

3. Enter an IPV4 CIDR block. For example, 10.0.10.0/24 allocates 256 IP addresses
within this Subnet.

4. Select Yes, Create.

Create the main PTA subnet


1. From the navigation pane, select Subnets > Create Subnet.


2. Enter a Name tag for the private Subnet where the main PTA instance will reside, select
the PAM - Self-Hosted VPC and select an Availability Zone.

3. Enter an IPV4 CIDR block. For example, 10.0.11.0/24 allocates 256 IP addresses
within this Subnet.

4. Select Yes, Create.

Create the PTA DR subnet


1. From the navigation pane, select Subnets > Create Subnet.

2. Enter a Name tag for the private Subnet where the PTA DR instance will reside.

Note
Select the PAM - Self-Hosted VPC and select an Availability Zone. The
Availability Zone should be a different zone from the one you selected for
the main PTA Subnet.

3. Enter an IPV4 CIDR block. For example, 10.0.12.0/24 allocates 256 IP addresses
within this Subnet.

4. Select Yes, Create.
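As an added example (not part of the CyberArk page), the following Python script checks a subnet plan like the one built in the sections above before any instance is launched: every subnet must fall inside the VPC block, no two subnets may overlap, and each DR or secondary subnet must sit in a different Availability Zone from its main subnet. The CIDRs are the page's examples; the Availability Zone names and the main/DR pairing table are assumptions.

```python
import ipaddress

# Constructed plan following the subnet layout above.  CIDRs are the page's
# examples; the Availability Zone names are assumed placeholders.
VPC_CIDR = "10.0.0.0/16"
SUBNET_PLAN = {
    "Primary Vault":         ("10.0.1.0/24",  "us-east-1a"),
    "Vault DR":              ("10.0.2.0/24",  "us-east-1b"),
    "Main CPM":              ("10.0.3.0/24",  "us-east-1a"),
    "CPM DR":                ("10.0.4.0/24",  "us-east-1b"),
    "Main PVWA":             ("10.0.5.0/24",  "us-east-1a"),
    "Secondary PVWA":        ("10.0.6.0/24",  "us-east-1b"),
    "Main PSM":              ("10.0.7.0/24",  "us-east-1a"),
    "Secondary PSM":         ("10.0.8.0/24",  "us-east-1b"),
    "Main PSM for SSH":      ("10.0.9.0/24",  "us-east-1a"),
    "Secondary PSM for SSH": ("10.0.10.0/24", "us-east-1b"),
    "Main PTA":              ("10.0.11.0/24", "us-east-1a"),
    "PTA DR":                ("10.0.12.0/24", "us-east-1b"),
}
# Main/DR pairs that the notes above require to be in different Availability Zones
# (assumed pairing, derived from the section headings).
AZ_PAIRS = [
    ("Primary Vault", "Vault DR"), ("Main CPM", "CPM DR"),
    ("Main PVWA", "Secondary PVWA"), ("Main PSM", "Secondary PSM"),
    ("Main PSM for SSH", "Secondary PSM for SSH"), ("Main PTA", "PTA DR"),
]


def check_subnet_plan(vpc_cidr, plan, pairs):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {}
    for name, (cidr, _az) in plan.items():
        net = ipaddress.ip_network(cidr)        # raises ValueError on a malformed CIDR
        if not net.subnet_of(vpc):
            findings.append(f"{name}: {cidr} is outside the VPC block {vpc_cidr}")
        nets[name] = net
    names = list(nets)
    for i, a in enumerate(names):               # pairwise overlap check
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} and {b} overlap ({nets[a]} and {nets[b]})")
    for main, dr in pairs:                      # DR must not share the main's AZ
        if plan[main][1] == plan[dr][1]:
            findings.append(f"{dr} must be in a different Availability Zone "
                            f"from {main} (both in {plan[main][1]})")
    return findings


if __name__ == "__main__":
    for line in check_subnet_plan(VPC_CIDR, SUBNET_PLAN, AZ_PAIRS) or ["plan OK"]:
        print(line)
```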

Create and configure the Private Link


For the PAM - Self-Hosted VPC, create the following private links to allow access to AWS
services:

Create the Security Group for private link


1. Open the Amazon VPC console.
2. From the navigation pane, select Security Groups > Create Security Group.
3. Specify PrivateLinkPASSG as the name of the security group, and enter a description.
For VPC, select the ID of the PAM - Self-Hosted VPC.
4. Click Yes, Create.
5. Select the PrivateLinkPASSG security group that you created. The details pane displays
the details for the security group, and the tabs for editing the inbound and outbound
rules.

6. On the Inbound Rules tab, select Edit to add rules for inbound traffic:

| Rule Description | Protocol/Port | IP Address | Mandatory | Remarks |
| --- | --- | --- | --- | --- |
| Security group for PAM - Self-Hosted VPC to access AWS resources by VPC Endpoint | TCP/443 | 0.0.0.0/0 | Yes | Allow SSL to and from the internet |

1. GW Private Link to access the S3 bucket AWS service.

For instructions, see the Creating a Gateway Endpoint section in Gateway VPC Endpoints.

2. Interface Private Link to access the KMS, SSM, CloudWatch, and CloudFormation AWS
services.

For instructions, see the To create an interface endpoint to an AWS service using the
console section in Interface VPC Endpoints (AWS PrivateLink).

Note
Enable Private DNS Name.
Select PrivateLinkPASSG as the security group.

Create a new private route table for the PAM - Self-Hosted VPC


1. Select Create Route Table.

2. Optionally, in the Create Route Table dialog box, name your Route Table. Select the
PAM - Self-Hosted VPC.

3. Select Yes, Create.

4. Select the Route Table that you just created.

5. On the Routes tab, select Edit and add the following route:

| Destination | Target |
| --- | --- |
| Select your Regional S3 Bucket | Select your VPC Endpoint |

6. Select Save.

7. On the Subnet Associations tab, select Edit and select the PAM - Self-Hosted VPC
subnets.

8. Click Save.

Create the Security Group for the Vault instances


1. Open the Amazon VPC console.


2. From the navigation pane, select Security Groups > Create Security Group.

3. Specify Vault-SG as the name of the security group, and enter a description. For VPC,
select the ID of the PAM - Self-Hosted VPC.

4. Click Yes, Create.

5. Select the Vault-SG security group that you created. The details pane displays the
details for the security group, and the tabs for editing the inbound and outbound rules.

6. On the Inbound Rules tab, select Edit to add rules for inbound traffic:

| Rule description | Protocol/Port | IP address | Mandatory | Remarks |
| --- | --- | --- | --- | --- |
| Vault Protocol | TCP/1858 | Vault subnets | Yes | Allows communication between Vaults |
| Vault Protocol | TCP/1858 | Component subnets; Admin subnets; Web subnets | Yes | Allows communication from CyberArk components to the Vault |
| ICMPv4 | ICMPv4 | Vault subnets | Yes | Allows the DR components to monitor the Primary Vault |
| Remote Desktop | TCP/3389, UDP/3389 | Vault Management Instance; Admin subnets | Yes | Allows the Vault administrator to connect to the Vault with RDP through the Vault management instance |
| Remote Control Agent | TCP/9022 | Remote Control Client IP | No | Must be opened if the Remote Control Agent is configured on the Vault |

7. Click Save.

8. On the Outbound Rules tab, select Edit to add rules for outbound traffic:

| Rule description | Protocol/Port | IP address | Mandatory | Remarks |
| --- | --- | --- | --- | --- |
| Vault Protocol | TCP/1858 | Vault subnets | Yes | Allows communication between Vaults |
| ICMPv4 | ICMPv4 | Vault subnets | Yes | Allows the DR components to monitor the Primary Vault |
| HTTPS outbound | HTTPS/443 | 0.0.0.0/0 | Yes | Allows communication from CyberArk instances to AWS services |
| Syslog outbound (TCP) | TCP/514 | Syslog Server IP | No | Must only be opened if Syslog is integrated with the Vault (in TCP mode) |
| Syslog outbound (UDP) | UDP/514 | Syslog Server IP | No | Must only be opened if Syslog is integrated with the Vault (in UDP mode). To send syslog messages to PTA, allow communication to the PTA security group |
| LDAPS outbound | TCP/636 | LDAP Server IP | No | Must be opened if the Vault is integrated with an LDAP server (port=636) |
| RADIUS outbound | TCP/1812 | RADIUS Server IP | No | Must be opened if the Vault is integrated with a RADIUS server |
| SMTP outbound | TCP/25 | SMTP server IP | No | Must be opened if the ENE service is configured to send mails from the Vault |
| SNMP outbound | UDP/162 | SNMP server IP | No | Must be opened if the Remote Control Agent is configured to send SNMP traps from the Vault |

9. Select Save.
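Added example, not from the CyberArk page: a Python audit that compares a security group, in the shape returned by `aws ec2 describe-security-groups`, with the Vault-SG inbound table above, reporting mandatory rules that are missing and any ingress the table does not allow (in particular anything from 0.0.0.0/0). The Vault subnet CIDRs are the page's examples; the component, admin, web and management ranges and the sample group are constructed placeholders.

```python
import ipaddress

# Source ranges named in the Vault-SG inbound table.  The Vault subnet CIDRs are the
# page's examples; every other range here is a constructed placeholder.
SOURCES = {
    "Vault subnets": ["10.0.1.0/24", "10.0.2.0/24"],
    "Component subnets": ["10.10.0.0/16"],
    "Admin subnets": ["10.0.100.0/24"],
    "Web subnets": ["10.0.101.0/24"],
    "Vault Management Instance": ["10.0.100.10/32"],
    "Remote Control Client IP": ["10.0.100.20/32"],
}
# (protocol, port, source names, mandatory), one entry per table row.
EXPECTED = [
    ("tcp", 1858, ["Vault subnets"], True),
    ("tcp", 1858, ["Component subnets", "Admin subnets", "Web subnets"], True),
    ("icmp", -1, ["Vault subnets"], True),
    ("tcp", 3389, ["Vault Management Instance", "Admin subnets"], True),
    ("udp", 3389, ["Vault Management Instance", "Admin subnets"], True),
    ("tcp", 9022, ["Remote Control Client IP"], False),
]


def _admits(perms, proto, port, cidr):
    """True if some permission admits proto/port from a range that covers cidr."""
    net = ipaddress.ip_network(cidr)
    for p in perms:
        if p["IpProtocol"] not in (proto, "-1"):        # "-1" means all traffic
            continue
        lo, hi = p.get("FromPort", -1), p.get("ToPort", -1)
        if proto != "icmp" and lo != -1 and not lo <= port <= hi:
            continue
        if any(net.subnet_of(ipaddress.ip_network(r["CidrIp"])) for r in p.get("IpRanges", [])):
            return True
    return False


def audit_vault_sg(sg):
    """Compare a describe-security-groups style dict with the Vault-SG inbound table.
    Returns findings: missing mandatory rules and ingress the table does not allow."""
    findings = []
    perms = sg["IpPermissions"]
    for proto, port, names, mandatory in EXPECTED:
        for name in names:
            for cidr in SOURCES[name]:
                if mandatory and not _admits(perms, proto, port, cidr):
                    findings.append(f"MISSING: {proto}/{port} from {name} ({cidr})")
    allowed = {(proto, port) for proto, port, _, _ in EXPECTED}
    for p in perms:
        key = (p["IpProtocol"], p.get("FromPort", -1))
        for r in p.get("IpRanges", []):
            if r["CidrIp"] == "0.0.0.0/0":          # the table has no world-open ingress
                findings.append(f"OPEN: {key[0]}/{key[1]} from 0.0.0.0/0 is not in the table")
            elif key not in allowed:
                findings.append(f"EXTRA: {key[0]}/{key[1]} from {r['CidrIp']} is not in the table")
    return findings


# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
SAMPLE_VAULT_SG = {
    "GroupName": "Vault-SG",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1858, "ToPort": 1858,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}, {"CidrIp": "10.0.2.0/24"},
                      {"CidrIp": "10.10.0.0/16"}, {"CidrIp": "10.0.100.0/24"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}, {"CidrIp": "10.0.2.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.100.0/24"}]},
        {"IpProtocol": "udp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.100.0/24"}]},
        # Drift planted on purpose: SSH open to the world is not in the table.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

if __name__ == "__main__":
    for line in audit_vault_sg(SAMPLE_VAULT_SG):
        print(line)
```

On the sample the audit reports the Web subnets range missing from the TCP/1858 rule and the world-open SSH rule, and nothing else.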

Create Security Groups for the components instances


1. Open the Amazon VPC console.

2. From the navigation pane, select Security Groups > Create Security Group.

3. Specify the name of the security group, and enter a description. For VPC, select the ID
of the PAM - Self-Hosted VPC.

4. Select Yes, Create.

5. Select the security group that you created. The details pane displays the details for the
security group, and tabs for editing the inbound and outbound rules.

6. On the Inbound Rules tab, select Edit to add rules for inbound traffic:

PVWA Security Group

Security Group Name: PVWA-SG

| Role | Protocol/Port | Source | Mandatory | Remarks |
| --- | --- | --- | --- | --- |
| Web interface | TCP/443 | PVWA | Yes | Access to PAM - Self-Hosted users |

PSM Security Group

Security Group Name: PSM-SG

| Role | Protocol/Port | Source | Mandatory | Remarks |
| --- | --- | --- | --- | --- |
| Incoming connections | TCP/3389 | All client machines | Yes | RDP session from client machines |

PSM for SSH Security Group

Security Group Name: PSMP-SG

| Role | Protocol/Port | Source | Mandatory | Remarks |
| --- | --- | --- | --- | --- |
| Incoming connections | TCP/SSH | All client machines | Yes | SSH session from client machines |

PTA Security Group

Security Group Name: PTA-SG

| Type | Protocol | Port range | Destination | Description |
| --- | --- | --- | --- | --- |
| HTTP | TCP | 80 | Admin CIDR; PVWA security group | Allow incoming HTTP communication for the PTA web. This is redirected to HTTPS by the Tomcat Web Server |
| Custom TCP rule | TCP | 8080 | Admin CIDR; PVWA security group | Allow incoming HTTP communication for the PTA web. This is redirected to HTTPS by the Tomcat Web Server |
| SSH | TCP | 22 | Admin CIDR; PTA security group | Allow remote access to the machine (SSH), for both secure telnet and SFTP |
| Custom TCP rule | TCP | 8443 | Admin CIDR; PVWA security group | Allow incoming HTTPS communication for the PTA web and REST APIs using TLS1.2 with strong ciphers |
| Custom UDP rule | UDP | 67-68 | 0.0.0.0/0 | Allow incoming data from the DHCP server |
| Custom TCP rule | TCP | 27017 | PTA security group | Allow incoming replication to the Secondary PTA Server from the Primary PTA Server in a disaster recovery environment |
| Custom TCP rule | TCP | 7514 | 0.0.0.0/0 | Allow incoming secure syslog messages for the PTA Windows Agent connection |
| HTTPS | TCP | 4443 | Admin CIDR; PVWA security group | Allow incoming HTTPS communication for the PTA web and REST APIs using TLS1.2 with strong ciphers |
| Custom TCP rule | TCP | 6514 | 0.0.0.0/0 | Allow incoming secure syslog messages for the PTA Windows Agent connection |
| Custom TCP rule | TCP | 514 | Vault security group | Allow incoming syslog messages |
| Custom UDP rule | UDP | 514 | Vault security group | Allow incoming syslog messages |
| Custom TCP rule | TCP | 11514 | 0.0.0.0/0 | Allow incoming syslog messages |
| Custom UDP rule | UDP | 11514 | 0.0.0.0/0 | Allow incoming syslog messages |

7. Click Save.

8. On the Outbound Rules tab, select Edit to add rules for outbound traffic:

Note
It is mandatory to set all the following rules.

CPM Security Group

Security Group Name: CPM-SG

| Role | Protocol/Port | Destination | Remarks |
| --- | --- | --- | --- |
| Vault communication | TCP/1858 | Vault | |
| Managed targets | Allow list of the minimum required set of protocols | All managed targets | Manage passwords on target devices |
| HTTPS outbound | HTTPS/443 | 0.0.0.0/0 | Allows communication from CyberArk instances to AWS services |

PVWA Security Group

Security Group Name: PVWA-SG

| Role | Protocol/Port | Destination | Remarks |
| --- | --- | --- | --- |
| Vault communication | TCP/1858 | Vault | |
| HTTPS outbound | HTTPS/443 | 0.0.0.0/0 | Allows communication from CyberArk instances to AWS services. To communicate with PTA using REST, allow communication to the PTA security group |
| HTTPS outbound | HTTPS/8443 | PTA security group | To communicate with PTA using REST, allow communication to the PTA security group |

PSM Security Group

Security Group Name: PSM-SG

| Role | Protocol/Port | Destination | Remarks |
| --- | --- | --- | --- |
| Vault communication | TCP/1858 | Vault | |
| Managed targets | Allow list of the minimum required set of protocols | All managed targets | Enable connections to target devices |
| HTTPS outbound | HTTPS/443 | 0.0.0.0/0 | Allows communication from CyberArk instances to AWS services |

PSM for SSH Security Group

Security Group Name: PSMP-SG

| Role | Protocol/Port | Destination | Remarks |
| --- | --- | --- | --- |
| Vault communication | TCP/1858 | Vault | |
| Managed targets | SSH/22 | All managed targets | Enable connections to target devices |
| HTTPS outbound | HTTPS/443 | 0.0.0.0/0 | Allows communication from CyberArk instances to AWS services |

PTA Security Group

Security Group Name: PTA-SG

| Type | Protocol | Port range | Destination | Description |
| --- | --- | --- | --- | --- |
| HTTPS | TCP | 80 | PVWA security group | Allow an outgoing HTTP connection to CyberArk PVWA for a specific IP address |
| DNS | UDP | 53 | 0.0.0.0/0 | Allow outgoing DNS requests |
| LDAP | TCP | 389 | 0.0.0.0/0 | LDAP for specific IP address |
| Custom UDP rule | UDP | 123 | 0.0.0.0/0 | Allow outgoing NTP requests |
| HTTPS | TCP | 443 | 0.0.0.0/0 | Allow an outgoing HTTPS connection to CyberArk PVWA for a specific IP address |
| Custom TCP rule | TCP | 514 | 0.0.0.0/0 | Allow sending syslog messages through port 514 |
| Custom TCP rule | TCP | 3268-3269 | 0.0.0.0/0 | LDAP for specific IP address |
| Custom UDP rule | UDP | 514 | 0.0.0.0/0 | Allow sending syslog messages in port 514 |
| Custom UDP rule | UDP | 1858 | Vault CIDR | Allow outgoing connection to the CyberArk Vault for a specific IP address |
| SSH | TCP | 22 | 0.0.0.0/0 | Allow outgoing connection to the PTA Network Sensor for a specific IP address. Enable outgoing SSH connection in a disaster recovery environment |
| SMTP | TCP | 25 | | Allow sending SMTP (email) messages for a specific IP address |
| Custom TCP rule | TCP | 1858 | Vault CIDR | Allow outgoing connection to the CyberArk Vault for a specific IP address |
| Custom TCP rule | TCP | 27017 | PTA security group | Allow outgoing replication to the Secondary PTA Server from the Primary PTA Server in a disaster recovery environment |
| Custom TCP rule | TCP | 636 | 0.0.0.0/0 | LDAP for a specific IP address |
| Custom TCP rule | TCP | 587 | 0.0.0.0/0 | Allow sending SMTP (email) messages for a specific IP address |

9. Select Save.

Configure peering between the VPCs


To connect the Vault instances with the Components, configure peering between these VPCs.
A VPC peering connection is a networking connection between two VPCs that enables you to
route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either
VPC can communicate with each other as if they are within the same network.

Create a VPC peering connection in your account:


1. Open the Amazon VPC console.

2. From the navigation pane, select Peering Connections > Create VPC Peering
Connection.

3. In the Peering Connections dialog box, configure the following:

Name tag: Optionally, you can name your VPC peering connection. Doing so
creates a tag with a key of Name and a value that you specify.

Local VPC to peer: Select the Components VPC in your account for which you want to
create the VPC peering connection.

Select a VPC to peer with: Ensure My account is selected. Select the Vault VPC
from VPC. Only VPCs in the current region are displayed.

4. Select Create VPC Peering Connection.

Note
Ensure that your VPCs do not have overlapping IPv4 CIDR blocks. If they do,
the status of the VPC peering connection is set to failed.

5. In the confirmation dialog box, select OK.

6. Select the VPC peering connection that you created. Select Actions > Accept
Request.

7. In the confirmation dialog, Select Yes, Accept.

8. In the second confirmation dialog, select Modify my route tables now to directly go to
the route tables page, or select Close to do this later.

Update the routing tables for a VPC peering connection


To send traffic from your instance to an instance in a peer VPC using private IPv4 addresses,
add a route to the route table associated with the subnet in which the instance resides. This
route points to the CIDR block, or portion of the CIDR block, of the other VPC in the VPC
peering connection.

In this configuration, you should edit the Routing Tables of both the Vault private Subnets and
the Components private Subnets.

Update routing tables


1. In the navigation pane, choose Route Tables.


2. Select the route table associated with the private Components Subnets.

Note
If you do not have a route table associated with that subnet, select the main route
table for the VPC, as the subnet then uses it by default.

3. Select Routes > Edit > Add Route.

4. For Destination, enter the IPv4 address range to direct network traffic in the VPC
peering connection. You can specify the entire IPv4 CIDR block of the Vault VPC, a
specific range, or an individual IPv4 address, such as the IP addresses of the Vault
instances with which to communicate. For example, if the CIDR block of the Vault VPC
is 10.0.0.0/16, you can specify a portion 10.0.0.0/28, or a specific IP address
10.0.0.7/32.

5. Select the VPC peering connection from Target. Click Save.

6. Select the route table associated with the private Vault Subnets.

7. Select Routes > Edit > Add Route.

8. For Destination, enter the IPv4 address range to direct network traffic in the VPC
peering connection. You can specify the entire IPv4 CIDR block of the Components
VPC, a specific range, or an individual IPv4 address, such as the IP addresses of the
Components instances with which to communicate. For example, if the CIDR block of
the Components VPC is 10.10.0.0/16, you can specify a portion 10.10.0.0/28, or a
specific IP address 10.10.0.50/32.

9. Select the VPC peering connection from Target. Click Save.
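Added example (not the page's own code): a Python check of the two-sided peering setup just described, using route lists in the shape of the Routes array returned by `aws ec2 describe-route-tables`. It flags overlapping VPC blocks (the failure mode in the note above), a missing route to the peer VPC via the peering connection on either side, and a peering route whose destination lies outside the peer VPC. The peering connection ID and the route lists are constructed; the CIDRs are the page's examples.

```python
import ipaddress

# Constructed peering connection ID and route lists in the shape of the "Routes"
# array returned by `aws ec2 describe-route-tables`.  CIDRs are the page's examples.
PCX_ID = "pcx-0example00000000"
VAULT_VPC_CIDR = "10.0.0.0/16"
COMPONENTS_VPC_CIDR = "10.10.0.0/16"
VAULT_ROUTES = [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "10.10.0.50/32", "VpcPeeringConnectionId": PCX_ID},
]
COMPONENTS_ROUTES = [
    {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "10.0.0.0/28", "VpcPeeringConnectionId": PCX_ID},
]


def check_peering(vault_cidr, components_cidr, pcx_id, vault_routes, components_routes):
    """Validate both halves of the peering setup; returns a list of findings (empty = OK)."""
    findings = []
    vault = ipaddress.ip_network(vault_cidr)
    comps = ipaddress.ip_network(components_cidr)
    # Overlapping blocks make the peering request fail (see the note above).
    if vault.overlaps(comps):
        findings.append(f"VPC CIDR blocks overlap ({vault} and {comps}); peering would fail")
    # Each side needs a route to (a portion of) the other VPC that targets the peering.
    for side, routes, peer in (("Components", components_routes, vault),
                               ("Vault", vault_routes, comps)):
        reaches_peer = False
        for route in routes:
            if route.get("VpcPeeringConnectionId") != pcx_id:
                continue
            dest = ipaddress.ip_network(route["DestinationCidrBlock"])
            if dest.subnet_of(peer):
                reaches_peer = True
            else:   # a peering route pointing outside the peer VPC never delivers traffic
                findings.append(f"{side}: route {dest} via {pcx_id} is outside the peer VPC {peer}")
        if not reaches_peer:
            findings.append(f"{side}: no route to {peer} via {pcx_id}")
    return findings


if __name__ == "__main__":
    result = check_peering(VAULT_VPC_CIDR, COMPONENTS_VPC_CIDR, PCX_ID,
                           VAULT_ROUTES, COMPONENTS_ROUTES)
    for line in result or ["peering routes OK"]:
        print(line)
```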

Create a Transit Gateway


Perform this section if you are using one of the following architectures.

Shared VPN (Transit) VPC

Direct VPN between components and resources

1. Create a Transit Gateway, using the following command:

aws ec2 create-transit-gateway --region <Region>

The following table explains the parameters that must be replaced:

| Parameter | Description |
| --- | --- |
| Region | The Region where the Transit Gateway resides |

2. Create a Transit Gateway VPC attachment to attach the Transit VPC and its Subnet(s) to
the Transit Gateway:

aws ec2 create-transit-gateway-vpc-attachment --transit-gateway-id <TransitGwID> --vpc-id <TransitVPCID> --subnet-ids <TransitSubnetID>

The following table explains the parameters that must be replaced:

| Parameter | Description |
| --- | --- |
| TransitGwID | The Transit Gateway ID (output from the first command) |
| TransitVPCID | The Transit VPC ID to attach to the Transit Gateway |
| TransitSubnetID | The Transit Subnet ID(s) to attach to the Transit Gateway |

3. Create a Transit Gateway VPC attachment to attach the Component VPC and its Subnet(s)
to the Transit Gateway:

aws ec2 create-transit-gateway-vpc-attachment --transit-gateway-id <TransitGwID> --vpc-id <ComponentsVPCID> --subnet-ids <ComponentsSubnetID1> <ComponentsSubnetID2>

The following table explains the parameters that must be replaced:

| Parameter | Description |
| --- | --- |
| TransitGwID | The Transit Gateway ID (output from the first command) |
| ComponentsVPCID | The Component VPC ID to attach to the Transit Gateway |
| ComponentsSubnetID | The Component Subnet ID(s) to attach to the Transit Gateway, separated by spaces |

4. Add a new route for each of the following Route Tables, using the command below.

Components Private Route Table

Transit VPC Route Table

aws ec2 create-route --route-table-id <RouteTableID> --destination-cidr-block <VPCCidrBlock> --transit-gateway-id <TransitGwID>

For example, using the following examples of IDs and blocks, you would run the two
commands below.

Components Private Route Table ID - rtb-d80a75b0
Transit VPC Route Table ID - rtb-0306796b
Components VPC Cidr Block - 10.10.0.0/16
Transit VPC Cidr Block - 30.30.0.0/16
Transit Gateway ID - tgw-1a2b3c4d

aws ec2 create-route --route-table-id rtb-d80a75b0 --destination-cidr-block 30.30.0.0/16 --transit-gateway-id tgw-1a2b3c4d
aws ec2 create-route --route-table-id rtb-0306796b --destination-cidr-block 10.10.0.0/16 --transit-gateway-id tgw-1a2b3c4d