2. From the navigation pane, select Your VPCs > Create VPC.
4. Enter an IPV4 CIDR block. For example, 10.0.0.0/16 allocates 65536 IP addresses for
your instances.
2. Enter a Name tag for the private Subnet where the Primary Vault instance will reside,
select the PAM - Self-Hosted VPC and select an Availability Zone.
3. Enter an IPV4 CIDR block. For example, 10.0.1.0/24 allocates 256 IP addresses within
this Subnet.
1 de 18 12/03/2024, 11:17
Manually Create the AWS Network Environment | CyberArk Docs https://docs.cyberark.com/pam-self-hosted/Latest/en/Content/PAS%2...
2. Enter a Name tag for the private Subnet where the Vault DR instance will reside.
Note
Select the PAM - Self-Hosted VPC and select an Availability Zone. The Availability Zone must be different from the one you selected for the main Vault Subnet, so that the DR instance survives the loss of a single zone.
3. Enter an IPV4 CIDR block. For example, 10.0.2.0/24 allocates 256 IP addresses within
this Subnet.
2. Enter a Name tag for the private Subnet where the main CPM instance will reside,
select the PAM - Self-Hosted VPC and select an Availability Zone.
3. Enter an IPV4 CIDR block. For example, 10.0.3.0/24 allocates 256 IP addresses within
this Subnet.
2. Enter a Name tag for the private Subnet where the CPM DR instance will reside.
Note
Select the PAM - Self-Hosted VPC and select an Availability Zone. The Availability Zone must be different from the one you selected for the main CPM Subnet.
3. Enter an IPV4 CIDR block. For example, 10.0.4.0/24 allocates 256 IP addresses within
this Subnet.
2. Enter a Name tag for the private Subnet where the main PVWA instance will reside,
select the PAM - Self-Hosted VPC and select an Availability Zone.
3. Enter an IPV4 CIDR block. For example, 10.0.5.0/24 allocates 256 IP addresses within
this Subnet.
2. Enter a Name tag for the private Subnet where the secondary PVWA instance will
reside.
Note
Select the PAM - Self-Hosted VPC and select an Availability Zone. The Availability Zone must be different from the one you selected for the main PVWA Subnet.
3. Enter an IPV4 CIDR block. For example, 10.0.6.0/24 allocates 256 IP addresses within
this Subnet.
2. Enter a Name tag for the private Subnet where the main PSM instance will reside,
select the PAM - Self-Hosted VPC and select an Availability Zone.
3. Enter an IPV4 CIDR block. For example, 10.0.7.0/24 allocates 256 IP addresses within
this Subnet.
2. Enter a Name tag for the private Subnet where the secondary PSM instance will reside.
Note
Select the PAM - Self-Hosted VPC and select an Availability Zone. The Availability Zone must be different from the one you selected for the main PSM Subnet.
3. Enter an IPV4 CIDR block. For example, 10.0.8.0/24 allocates 256 IP addresses within
this Subnet.
2. Enter a Name tag for the private Subnet where the main PSM for SSH instance will
reside, select the PAM - Self-Hosted VPC and select an Availability Zone.
3. Enter an IPV4 CIDR block. For example, 10.0.9.0/24 allocates 256 IP addresses within
this Subnet.
2. Enter a Name tag for the private Subnet where the secondary PSM for SSH instance
will reside.
Note
Select the PAM - Self-Hosted VPC and select an Availability Zone. The Availability Zone must be different from the one you selected for the main PSM for SSH Subnet.
3. Enter an IPV4 CIDR block. For example, 10.0.10.0/24 allocates 256 IP addresses
within this Subnet.
2. Enter a Name tag for the private Subnet where the main PTA instance will reside, select
the PAM - Self-Hosted VPC and select an Availability Zone.
3. Enter an IPV4 CIDR block. For example, 10.0.11.0/24 allocates 256 IP addresses
within this Subnet.
2. Enter a Name tag for the private Subnet where the PTA DR instance will reside.
Note
Select the PAM - Self-Hosted VPC and select an Availability Zone. The Availability Zone must be different from the one you selected for the main PTA Subnet.
3. Enter an IPV4 CIDR block. For example, 10.0.12.0/24 allocates 256 IP addresses
within this Subnet.
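The subnet steps above encode three constraints that are easy to get wrong when typed into the console one subnet at a time: every subnet must sit inside the VPC CIDR, no two subnets may overlap, and each DR or secondary subnet must be in a different Availability Zone from its primary. The following script is an added example, not CyberArk's code; it checks a plan built from the example CIDRs used in this procedure before you create anything. The zone labels az-a and az-b are placeholders for the zones you actually select.

```python
import ipaddress

# Constructed plan using the CIDRs from the procedure above.
# Zone names are placeholders (assumption); substitute the real Availability Zones.
VPC_CIDR = "10.0.0.0/16"

SUBNET_PLAN = [
    # (name, cidr, availability_zone, name of the primary this subnet is DR/secondary for)
    ("Vault-Primary",  "10.0.1.0/24",  "az-a", None),
    ("Vault-DR",       "10.0.2.0/24",  "az-b", "Vault-Primary"),
    ("CPM-Main",       "10.0.3.0/24",  "az-a", None),
    ("CPM-DR",         "10.0.4.0/24",  "az-b", "CPM-Main"),
    ("PVWA-Main",      "10.0.5.0/24",  "az-a", None),
    ("PVWA-Secondary", "10.0.6.0/24",  "az-b", "PVWA-Main"),
    ("PSM-Main",       "10.0.7.0/24",  "az-a", None),
    ("PSM-Secondary",  "10.0.8.0/24",  "az-b", "PSM-Main"),
    ("PSMP-Main",      "10.0.9.0/24",  "az-a", None),
    ("PSMP-Secondary", "10.0.10.0/24", "az-b", "PSMP-Main"),
    ("PTA-Main",       "10.0.11.0/24", "az-a", None),
    ("PTA-DR",         "10.0.12.0/24", "az-b", "PTA-Main"),
]

# AWS reserves the first four addresses and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def validate_plan(vpc_cidr, plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets, az_of = {}, {}
    for name, cidr, az, _ in plan:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects CIDRs with host bits set
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is outside VPC {vpc_cidr}")
        nets[name], az_of[name] = net, az
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    for name, _, az, dr_of in plan:
        if dr_of is None:
            continue
        if dr_of not in az_of:
            problems.append(f"{name}: primary {dr_of} is not in the plan")
        elif az_of[dr_of] == az:
            problems.append(f"{name}: same Availability Zone ({az}) as {dr_of}; "
                            "a DR/secondary subnet must be in a different zone")
    return problems


def usable_hosts(cidr):
    """Addresses EC2 can actually assign in a subnet of this size."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - AWS_RESERVED_PER_SUBNET


if __name__ == "__main__":
    for line in validate_plan(VPC_CIDR, SUBNET_PLAN) or ["plan OK"]:
        print(line)
    print("usable hosts per /24:", usable_hosts("10.0.1.0/24"))
```

The "256 IP addresses" figure in each step is the size of the block; the console will let EC2 assign only 251 of them, because five are reserved by AWS in every subnet.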
6. On the Inbound Rules tab, select Edit to add rules for inbound traffic:
Rule Description | Protocol/Port | IP Address | Mandatory | Remarks
Security group for PAM - Self-Hosted VPC to access AWS resources by VPC Endpoint | TCP/443 | 0.0.0.0/0 | Yes | Allow SSL to and from the internet
For instructions, see the Creating a Gateway Endpoint section in Gateway VPC Endpoints.
2. Interface Private Link to access the KMS, SSM, CloudWatch, and CloudFormation AWS
services.
For instructions, see the To create an interface endpoint to an AWS service using the
console section in Interface VPC Endpoints (AWS PrivateLink).
Note
Enable Private DNS Name, so that the AWS service hostnames resolve to the endpoint's private IP addresses from inside the VPC and the instances never need an internet path to reach KMS, SSM, CloudWatch or CloudFormation. Select PrivateLinkPASSG as the security group.
Create a new private route table for the PAM - Self-Hosted VPC
1. Select Create Route Table.
2. Optionally, in the Create Route Table dialog box, name your Route Table. Select the
PAM - Self-Hosted VPC .
5. On the Routes tab, select Edit and add the following route:
Destination Target
6. Select Save.
7. On the Subnet Associations tab, select Edit and select the PAM - Self-Hosted VPC
subnets.
8. Click Save.
2. From the navigation pane, select Security Groups > Create Security Group.
3. Specify Vault-SG as the name of the security group, and enter a description. For VPC,
select the ID of the PAM - Self-Hosted VPC.
5. Select the Vault-SG security group that you created. The details pane displays the
details for the security group, and the tabs for editing the inbound and outbound rules.
6. On the Inbound Rules tab, select Edit to add rules for inbound traffic:
Rule description | Protocol/Port | IP address | Mandatory | Remarks
 |  | Admin subnets |  | 
7. Click Save
8. On the Outbound Rules tab, select Edit to add rules for outbound traffic:
Rule description | Protocol/Port | IP address | Mandatory | Remarks
9. Select Save.
2. From the navigation pane, select Security Groups > Create Security Group.
3. Specify the name of the security group, and enter a description. For VPC, select the ID
of the PAM - Self-Hosted VPC.
5. Select the security group that you created. The details pane displays the details for the
security group, and tabs for editing the inbound and outbound rules.
6. On the Inbound Rules tab, select Edit to add rules for inbound traffic:
Role | Protocol/Port | Source | Mandatory | Remarks

Type | Protocol | Port range | Source | Description
 |  |  | PVWA security group | This is redirected to HTTPS by the Tomcat Web Server
Custom UDP rule | UDP | 67-68 | 0.0.0.0/0 | Allow incoming data from the DHCP server
Custom TCP rule | TCP | 27017 | PTA security group | Allow incoming replication to the Secondary PTA Server from the Primary PTA Server in a disaster recovery environment
Custom TCP rule | TCP | 7514 | 0.0.0.0/0 | Allow incoming secure syslog messages for the PTA Windows Agent connection
Custom TCP rule | TCP | 6514 | 0.0.0.0/0 | Allow incoming secure syslog messages for the PTA Windows Agent connection
7. Click Save
8. On the Outbound Rules tab, select Edit to add rules for outbound traffic:
Note
It is mandatory to set all the following rules
Role | Protocol/Port | Destination | Remarks

Type | Protocol | Port range | Destination | Description
HTTP | TCP | 80 | PVWA security group | Allow an outgoing HTTP connection to CyberArk PVWA for a specific IP address
DNS | UDP | 53 | 0.0.0.0/0 | Allow outgoing DNS requests
LDAP | TCP | 389 | 0.0.0.0/0 | LDAP for specific IP address
HTTPS | TCP | 443 | 0.0.0.0/0 | Allow an outgoing HTTPS connection to CyberArk PVWA for a specific IP address
Custom TCP rule | TCP | 587 | 0.0.0.0/0 | Allow sending SMTP (email) messages for a specific IP address
9. Select Save.
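Entering the rules above by hand in the console is where typos such as a wrong port or a CIDR with host bits set creep in. The script below is an added example, not CyberArk's code: it turns the PTA inbound rows from the table above into the IpPermissions structure that `aws ec2 authorize-security-group-ingress --ip-permissions` accepts, resolves the "PTA security group" source to a group ID, rejects malformed CIDRs and port ranges, and lists every port that the table leaves open to 0.0.0.0/0 so you can decide whether a narrower source is appropriate. The group IDs are placeholders.

```python
import ipaddress
import json

# Placeholder security-group IDs (assumption): replace with the IDs of the groups you created.
GROUP_IDS = {
    "PTA security group": "sg-0123456789abcdef0",
    "PVWA security group": "sg-0fedcba9876543210",
}

# Constructed from the complete PTA inbound rows in the table above:
# (protocol, from_port, to_port, source, description)
PTA_INBOUND = [
    ("udp", 67, 68, "0.0.0.0/0",
     "Allow incoming data from the DHCP server"),
    ("tcp", 27017, 27017, "PTA security group",
     "Allow incoming replication to the Secondary PTA Server from the Primary PTA Server "
     "in a disaster recovery environment"),
    ("tcp", 7514, 7514, "0.0.0.0/0",
     "Allow incoming secure syslog messages for the PTA Windows Agent connection"),
    ("tcp", 6514, 6514, "0.0.0.0/0",
     "Allow incoming secure syslog messages for the PTA Windows Agent connection"),
]


def to_ip_permission(rule, group_ids=GROUP_IDS):
    """Build one entry of the IpPermissions list used by authorize-security-group-ingress."""
    proto, from_port, to_port, source, description = rule
    if not (0 <= from_port <= to_port <= 65535):
        raise ValueError(f"bad port range {from_port}-{to_port}")
    perm = {"IpProtocol": proto, "FromPort": from_port, "ToPort": to_port}
    if source in group_ids:
        # Source is another security group: reference it by ID rather than by its CIDRs,
        # so the rule keeps following the group's members as instances are replaced.
        perm["UserIdGroupPairs"] = [{"GroupId": group_ids[source], "Description": description}]
    else:
        cidr = ipaddress.ip_network(source, strict=True)  # rejects e.g. 10.0.0.1/8
        perm["IpRanges"] = [{"CidrIp": str(cidr), "Description": description}]
    return perm


def ip_permissions(rules, group_ids=GROUP_IDS):
    return [to_ip_permission(r, group_ids) for r in rules]


def open_to_anywhere(rules):
    """(protocol, from_port, to_port) of every rule whose source is 0.0.0.0/0."""
    return [(r[0], r[1], r[2]) for r in rules if r[3] == "0.0.0.0/0"]


if __name__ == "__main__":
    # Save this as pta-inbound.json and apply it with:
    #   aws ec2 authorize-security-group-ingress --group-id <PTA sg> --ip-permissions file://pta-inbound.json
    print(json.dumps(ip_permissions(PTA_INBOUND), indent=2))
    print("open to 0.0.0.0/0:", open_to_anywhere(PTA_INBOUND))
```

A source of 0.0.0.0/0 on a security group in a private subnet does not mean "the internet"; it means anything that can route to the subnet, including peered VPCs and Transit Gateway attachments added later. For the syslog ports, the subnets or security groups that the Vault and PTA Windows Agents actually send from are a tighter source if you know them.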
network.
2. From the navigation pane, select Peering Connections > Create VPC Peering
Connection.
Name tag: Optionally, you can name your VPC peering connection. Doing so
creates a tag with a key of Name and a value that you specify.
Local VPC to peer: Select the Components VPC in your account you want to
create the VPC peering connection.
Select a VPC to peer with: Ensure My account is selected. Select the Vault VPC
from VPC. Only VPCs in the current region are displayed.
Note
Ensure that your VPCs do not have overlapping IPv4 CIDR blocks. If they do,
the status of the VPC peering connection is set to failed
6. Select the VPC peering connection that you created. Select Actions > Accept
Request.
8. In the second confirmation dialog, select Modify my route tables now to directly go to
the route tables page, or select Close to do this later.
In this configuration, you should edit the Routing Tables of both the Vault private Subnets and
the Components private Subnets.
2. Select the route table associated with the private Components Subnets.
Note
If you do not have a route table associated with that subnet, select the main route
table for the VPC, as the subnet then uses it by default.
4. For Destination, enter the IPv4 address range to direct network traffic in the VPC
peering connection. You can specify the entire IPv4 CIDR block of the Vault VPC, a
specific range, or an individual IPv4 address, such as the IP addresses of the Vault
instances with which to communicate. For example, if the CIDR block of the Vault VPC
is 10.0.0.0/16, you can specify a portion 10.0.0.0/28, or a specific IP address
10.0.0.7/32.
6. Select the route table associated with the private Vault Subnets.
8. For Destination, enter the IPv4 address range to direct network traffic in the VPC
peering connection. You can specify the entire IPv4 CIDR block of the Components
VPC, a specific range, or an individual IPv4 address, such as the IP addresses of the
Components instances with which to communicate. For example, if the CIDR block of
the Components VPC is 10.10.0.0/16, you can specify a portion 10.10.0.0/28, or a
specific IP address 10.10.0.50/32.
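Two things decide whether the peering above works and how much it exposes: the two VPC CIDRs must not overlap (otherwise the peering status is set to failed), and each route you add must point at an address range that lies inside the peer VPC, not inside your own. The script below is an added example, not CyberArk's code; it uses the example CIDRs from this procedure (Vault VPC 10.0.0.0/16, Components VPC 10.10.0.0/16) and builds the arguments for `aws ec2 create-route`. The peering connection ID is a placeholder.

```python
import ipaddress

# Constructed from the example CIDRs in the procedure above.
VAULT_VPC = "10.0.0.0/16"
COMPONENTS_VPC = "10.10.0.0/16"
PEERING_ID = "pcx-0123456789abcdef0"  # placeholder (assumption)


def peering_would_fail(vpc_a, vpc_b):
    """AWS sets the peering status to failed when the two IPv4 CIDR blocks overlap."""
    return ipaddress.ip_network(vpc_a).overlaps(ipaddress.ip_network(vpc_b))


def check_routes(local_vpc, peer_vpc, destinations):
    """Findings for routes added to the route table of the local VPC's subnets,
    each pointing at the peering connection. Empty list means the routes are sound."""
    local = ipaddress.ip_network(local_vpc)
    peer = ipaddress.ip_network(peer_vpc)
    findings = []
    for dest in destinations:
        net = ipaddress.ip_network(dest, strict=True)
        if net.overlaps(local):
            findings.append(f"{dest} overlaps the local VPC {local_vpc}; "
                            "that traffic is handled by the local route and never reaches the peer")
        elif not net.subnet_of(peer):
            findings.append(f"{dest} is not inside the peer VPC {peer_vpc}; the route leads nowhere")
        elif net == peer:
            findings.append(f"advice: {dest} opens the whole peer VPC; "
                            "narrow it to the instances that must communicate")
    return findings


def route_entries(destinations, peering_id=PEERING_ID):
    """Values for `aws ec2 create-route --route-table-id <rtb> --destination-cidr-block ...
    --vpc-peering-connection-id ...`, one per destination."""
    return [{"DestinationCidrBlock": str(ipaddress.ip_network(d, strict=True)),
             "VpcPeeringConnectionId": peering_id} for d in destinations]


if __name__ == "__main__":
    print("peering would fail:", peering_would_fail(VAULT_VPC, COMPONENTS_VPC))
    # Route table of the Components private subnets: reach only the Vault instances.
    print(check_routes(COMPONENTS_VPC, VAULT_VPC, ["10.0.0.7/32"]))
    print(route_entries(["10.0.0.7/32"]))
    # Route table of the Vault private subnets: reach only the Components instances.
    print(check_routes(VAULT_VPC, COMPONENTS_VPC, ["10.10.0.50/32"]))
    print(route_entries(["10.10.0.50/32"]))
```

Routing only the /32 addresses of the Vault instances from the Components side, and only the Components instances from the Vault side, keeps the peering to the minimum the PAM traffic needs; the security groups on the Vault then do the rest.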
Parameter Description
2. Create a Transit Gateway VPC attachment to attach the Transit VPC and its Subnet(s) to
the Transit Gateway:
Parameter Description
3. Create a Transit Gateway VPC attachment to attach the Component VPC and its Subnet(s)
to the Transit Gateway:
Parameter Description
4. Add a new route for each of the following Route Tables, using the command below.
For example, using the following examples of IDs and blocks, you would run the two
commands below.