IT评测·应用市场-qidao123.com
Title: Panorama Series (2): Building a Panorama Test Environment on AWS
Author: tsx81428
Time: 2024-8-14 19:42
Panorama Series (2): Building a Panorama Test Environment on AWS
Personal Bilibili page: https://space.bilibili.com/408773931
WeChat official account: 自刘地
1. Notes
2. Deploying the lab environment with CloudFormation
3. Initializing the Palo Alto firewalls
4. Deploying the Panorama instance on AWS
5. Activating Panorama and the Palo Alto firewalls
6. Upgrading Panorama
7. Adding the Palo Alto firewalls to Panorama
8. Documentation links
1. Notes
On AWS, the default Palo Alto firewall version is 10.2.2h2 and the default Panorama version is 10.2.0. Panorama must be upgraded to the same version as the Palo Alto firewalls, or a higher one; otherwise Panorama cannot view the firewall logs.
The Palo Alto VM-50 model only supports the ESXi, Hyper-V and KVM platforms; it does not support AWS or other cloud platforms.
2. Deploying the lab environment with CloudFormation
Panorama is mainly used to manage multiple firewalls. On AWS, centralized security inspection of traffic usually involves several firewalls, so CloudFormation is used here to build a centralized traffic-inspection lab environment, and Panorama then manages the two firewalls.
Launching only two firewalls and one Panorama is enough for most of the tests; the centralized inspection environment is built to resemble a real deployment more closely.
The lab environment is created with CloudFormation. The CloudFormation template does not create Panorama, which has to be created manually, and it does not initialize the Palo Alto firewalls either.
Upload the stack template file.
Set the stack name and select the EC2 key pair.
Acknowledge that the stack creates IAM resources.
CloudFormation template contents. The stack takes about seven minutes to create; once it is complete, the firewalls need roughly another four minutes to boot.
```yaml
Mappings:
  RegionMap:
    cn-northwest-1:
      PA1022h2NWCD: ami-0738eadeed7e6b0fa

Parameters:
  EC2InstanceAmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
  Environment:
    Type: String
    AllowedValues:
      - dev
      - prod
    Default: dev
  MyKeyPair:
    Description: Amazon EC2 Key Pair
    Type: AWS::EC2::KeyPair::KeyName
    Default: CloudFormation-Test-Key
  PaloaltoVersion:
    Description: Choice Paloalto Firewall Version Type
    Type: String
    Default: PA1022h2NWCD
    AllowedValues:
      - PA1022h2NWCD
  PaloaltoInstanceType:
    Description: Choice Paloalto Instance Type
    Type: String
    Default: m5.large
    AllowedValues:
      - m5.large
      - m5.4xlarge

Resources:
  BastionSsmRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /

  BastionSsmPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: PrivatelianceInstanceAccess
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action:
              - ssm:DescribeAssociation
              - ssm:GetDeployablePatchSnapshotForInstance
              - ssm:GetDocument
              - ssm:DescribeDocument
              - ssm:GetManifest
              - ssm:GetParameter
              - ssm:GetParameters
              - ssm:ListAssociations
              - ssm:ListInstanceAssociations
              - ssm:PutInventory
              - ssm:PutComplianceItems
              - ssm:PutConfigurePackageResult
              - ssm:UpdateAssociationStatus
              - ssm:UpdateInstanceAssociationStatus
              - ssm:UpdateInstanceInformation
            Resource: "*"
          - Effect: Allow
            Action:
              - ssmmessages:CreateControlChannel
              - ssmmessages:CreateDataChannel
              - ssmmessages:OpenControlChannel
              - ssmmessages:OpenDataChannel
            Resource: "*"
          - Effect: Allow
            Action:
              - ec2messages:AcknowledgeMessage
              - ec2messages:DeleteMessage
              - ec2messages:FailMessage
              - ec2messages:GetEndpoint
              - ec2messages:GetMessages
              - ec2messages:SendReply
            Resource: "*"
      Roles:
        - !Ref BastionSsmRole

  BastionSsmProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - !Ref BastionSsmRole

#=============SecVpc============#
# Create SecVpc
  SecVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.100.10.0/16
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-SecVpc

# Create the IGW and attach it to the VPC
  SecVpcIGW:
    Type: "AWS::EC2::InternetGateway"
    Properties:
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-SecVpcIGW

  SecVpcAttachIgw:
    Type: "AWS::EC2::VPCGatewayAttachment"
    Properties:
      VpcId: !Ref SecVpc
      InternetGatewayId: !Ref SecVpcIGW

#----------------- Create 6 subnets in SecVpc ------------------#

# Public subnet in SecVpc AZ1
  SecVpcAz1PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SecVpc
      CidrBlock: 10.100.10.0/24
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ""
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-SecVpc-AZ1-Public-Subnet

# Public subnet in SecVpc AZ2
  SecVpcAz2PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SecVpc
      CidrBlock: 10.100.20.0/24
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ""
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-SecVpc-AZ2-Public-Subnet

# Private subnet in SecVpc AZ1
  SecVpcAz1PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SecVpc
      CidrBlock: 10.100.30.0/24
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ""
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-SecVpc-AZ1-Private-Subnet

# Private subnet in SecVpc AZ2
  SecVpcAz2PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SecVpc
      CidrBlock: 10.100.40.0/24
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ""
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-SecVpc-AZ2-Private-Subnet

# TGW subnet in SecVpc AZ1
  SecVpcAz1TgwSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SecVpc
      CidrBlock: 10.100.50.0/24
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ""
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-SecVpc-AZ1-TGW-Subnet

# TGW subnet in SecVpc AZ2
  SecVpcAz2TgwSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SecVpc
      CidrBlock: 10.100.60.0/24
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ""
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-SecVpc-AZ2-TGW-Subnet

#----------------- SecVpc route tables ------------------#

# Public subnet route tables and associations
  SecVpcAz1PublicRouteTable:
    Type: "AWS::EC2::RouteTable"
    Properties:
      VpcId: !Ref SecVpc
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-SecVpc-AZ1-Public-RouteTable

  SecVpcAz1PublicRouteTableAssociation:
    Type: "AWS::EC2::SubnetRouteTableAssociation"
    Properties:
      RouteTableId: !Ref SecVpcAz1PublicRouteTable
      SubnetId: !Ref SecVpcAz1PublicSubnet

  SecVpcAz2PublicRouteTable:
    Type: "AWS::EC2::RouteTable"
    Properties:
      VpcId: !Ref SecVpc
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-SecVpc-AZ2-Public-RouteTable

  SecVpcAz2PublicRouteTableAssociation:
    Type: "AWS::EC2::SubnetRouteTableAssociation"
    Properties:
      RouteTableId: !Ref SecVpcAz2PublicRouteTable
      SubnetId: !Ref SecVpcAz2PublicSubnet

# Private subnet route tables and associations
  SecVpcAz1PrivateRouteTable:
# The template as posted ends here; the remainder was cut off in the original post.
```
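An added example, not from the post: a small Python checker that reads the VPC and subnet CidrBlock values out of a constructed, trimmed excerpt of the template above and reports addressing problems before the stack is deployed. With the post's values it flags only the VPC CIDR 10.100.10.0/16, which has host bits set (the canonical form is 10.100.0.0/16); the subnets lie inside the range and do not overlap. TEMPLATE_EXCERPT, parse_cidrs and check_layout are this example's own names.

```python
import ipaddress
import re
from itertools import combinations

# Constructed excerpt of the post's template: the SecVpc VPC and two of its six
# subnets, trimmed to the lines the checker reads. The CIDRs are the post's own values.
TEMPLATE_EXCERPT = """\
  SecVpc:
    Type: AWS::EC2::VPC
    CidrBlock: 10.100.10.0/16
  SecVpcAz1PublicSubnet:
    Type: AWS::EC2::Subnet
    CidrBlock: 10.100.10.0/24
  SecVpcAz2PublicSubnet:
    Type: AWS::EC2::Subnet
    CidrBlock: 10.100.20.0/24
"""

def parse_cidrs(template):
    """Walk the template line by line; return (vpc_cidr, {subnet_name: cidr})."""
    vpc_cidr, subnets, name, kind = None, {}, None, None
    for line in template.splitlines():
        res = re.match(r"^  (\w+):$", line)  # top-level logical resource name
        typ = re.match(r"^\s+Type: AWS::EC2::(VPC|Subnet)$", line)
        cidr = re.match(r"^\s+CidrBlock: (\S+)$", line)
        if res:
            name, kind = res.group(1), None
        elif typ:
            kind = typ.group(1)
        elif cidr and kind == "VPC":
            vpc_cidr = cidr.group(1)
        elif cidr and kind == "Subnet":
            subnets[name] = cidr.group(1)
    return vpc_cidr, subnets

def check_layout(template):
    """Return a list of findings; an empty list means the addressing plan is consistent."""
    vpc_cidr, subnets = parse_cidrs(template)
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)  # strict=False: report host bits, don't raise
    findings = []
    if str(vpc) != vpc_cidr:
        findings.append(f"VPC CIDR {vpc_cidr} has host bits set; canonical form is {vpc}")
    nets = {n: ipaddress.ip_network(c, strict=False) for n, c in subnets.items()}
    for n, net in nets.items():
        if not net.subnet_of(vpc):
            findings.append(f"{n} {net} lies outside the VPC range {vpc}")
    for a, b in combinations(sorted(nets), 2):  # every subnet pair must be disjoint
        if nets[a].overlaps(nets[b]):
            findings.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return findings
```

Run check_layout against the full template text before uploading it; the same pass catches a subnet copied into the wrong AZ block with a CIDR that collides with an existing one.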