Grant Flow Log Access

This topic provides an overview of allowing Illumio CloudSecure access to your cloud account flow logs.

CloudSecure uses your cloud flow logs to display traffic flows; granting access to the flow logs lets CloudSecure read them. For AWS you can enable SG flow logs, and for Azure you can enable NSG and VNet flow logs. For instructions on how to grant flow log access to Illumio, see the in-application help. For instructions on how to set up flow logs, see Set up Flow Logs in AWS and Azure.

Prerequisites

To use this feature of the Onboarding page, you need the following items, which you used when you onboarded your cloud accounts:

  • AWS Flow Logs. To grant access, you will need:
    • Your Account ID, which you can select from a list
    • Your service account name, which you can select from a drop-down menu in the Grant Access... dialog box
    • Your CloudFormation Stack, which you need to create or download, as you did when you onboarded your AWS account. See Onboard an AWS Cloud Account for information.
  • Azure Flow Logs. To grant access, you will need:
    • Your Account ID, which you can select from a list
    • Your service account name, which you can select from a drop-down menu in the Grant Access... dialog box
    • Your service account token
    • Your Azure portal open in a browser window, so that you can run the PowerShell script from the Grant Access... dialog box. See Onboard an Azure Cloud Account for information.

Review and Grant Flow Log Access

Click Flow Log Access on the Onboarding page to open the Flow Log Access page. This page shows your account IDs, the type of access currently in effect (None, Partial, or Full), and the available flow logs. You can:

  • Mouse over the entries to see how many logs are accessible for a given account ID, view basic details of individual logs, and copy individual log destinations
  • Click on the "+ n more" element to expand the full list of flow logs available for a given account ID
  • Filter your results by Account ID, Access, and Cloud

Review Flow Log Access Details and Grant Access

Both before and after you grant access, you may want to review the flow log access in more detail.

  1. Find the Account ID you want and click on that row.
  2. Review the details following the guidelines in Guidelines for Reviewing Flow Log Access Details below. You will see two tabs where you can filter results:
    • By Log Destination Account
      This tab lists destinations belonging to the selected account, along with the list of log sources pushing flows to their respective destinations. You can filter by Destination, Source, Region, and Access.
    • By Log Source Account
      This tab lists flow logs going to the selected account, along with the source and the destination to which they are sent and stored. You can filter by Source, Destination, Region, and Access.
  3. If you wish to grant access, click Grant Access and use the above prerequisite information in the Grant Access... dialog box, as explained in the in-application help. After granting access, you can test that access as described below in Test Flow Log Access.

Guidelines for Reviewing Flow Log Access Details

The following items are guidelines for reviewing access details:

  • Before you grant access, the Access Status shows that access is not granted (the default), but the Flow Log ID, VPC, S3 Bucket, Region, and so on are still displayed
  • Once you grant access, you will see either Granted Access or Partially Granted in the Access Status column
  • If you see that access is partially granted for an account, you might want to review your cloud account settings for any child flow logs that are listed as not granted in the access details
  • You might need to refresh the Flow Log Access Details page immediately after granting access to make sure that the updated status appears promptly

Test Flow Log Access

You grant Illumio CloudSecure permission to access flow logs using the Grant Access feature, which has you run a script (a CloudFormation template for AWS, a PowerShell script for Azure). To verify that Illumio CloudSecure has the required permissions to the flow logs for which you enabled Full or Partial access, click the Test Access button.

This feature is enabled at the account level, where it checks relevant permissions to all the destinations (S3/storage accounts) in that account. For each account, the response tells you if the permissions are compatible with granting access. If not, you will receive an appropriate error message detailing the issue for each destination. You can then take actions to make sure that all relevant permissions are provided to Illumio CloudSecure.

Note: The Test Access button is enabled for accounts with access described as Full/Partial.

Caveats

To use the traffic analysis feature in CloudSecure, you need to provide access to flow logs. CloudSecure does not enable or configure flow logs in your accounts during onboarding; you must set them up in the cloud yourself, either before or after onboarding. For AWS, CloudSecure can read flows from S3 buckets only, so configure the flow log destinations accordingly. Once the flow logs are configured in the cloud console, their details are displayed on the Flow Log Access page of CloudSecure; this can take up to 5 minutes to appear. Granting access to the flow logs allows CloudSecure to read the flows and provide details about network traffic on the traffic analysis page.

Note the following regarding flow log access for AWS:

  • Once you select your S3 buckets and Illumio generates a CloudFormation template, the template is available to download or run for only 15 minutes. After 15 minutes, you have to restart the grant flow log access process to generate the template again.

Note the following regarding the Test Flow Log Access feature:

  • For AWS, the feature works only for S3 buckets as destinations
  • If the flow logs in one account are configured to be sent to a destination in a different account, the feature will give an error saying that CloudSecure cannot access it

The following are known limitations of CloudSecure's flow log reading capability:

  • In AWS, CloudSecure supports reading flow logs that are stored in S3 buckets only. Currently, other storage destinations are not supported.
  • For S3 storage, CloudSecure does not support reading from custom paths or nested folders inside S3 buckets
  • For both AWS and Azure, if the VPC/NSG flow logs from one account are configured to be stored in S3/storage accounts in another account, then the destination account should be onboarded into CloudSecure. If the account that owns the S3 bucket is not onboarded, CloudSecure will not be able to fetch the flow logs of that S3 bucket.
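As an added example (not Illumio's own code), the following Python pre-check applies the AWS limitations above and the Test Flow Log Access caveats to a set of VPC flow log records before you click Grant Access or Test Access. The record fields mirror the EC2 DescribeFlowLogs response; the sample records, the onboarded-account set and the bucket-owner map are constructed for this example.

```python
# Added example, not Illumio's own code: a pre-check that classifies AWS VPC flow
# log records against the CloudSecure limitations listed on this page. Record
# fields mirror the EC2 DescribeFlowLogs response (FlowLogId, LogDestinationType,
# LogDestination); records, onboarded accounts and bucket owners are constructed.
ONBOARDED_ACCOUNTS = {"111111111111"}                     # constructed
BUCKET_OWNERS = {"flowlogs-prod": "111111111111",         # constructed:
                 "central-logs": "222222222222"}          # bucket -> owner account
SAMPLE_RECORDS = [                                        # constructed
    {"FlowLogId": "fl-0a1", "LogDestinationType": "s3",
     "LogDestination": "arn:aws:s3:::flowlogs-prod/"},
    {"FlowLogId": "fl-0b2", "LogDestinationType": "s3",
     "LogDestination": "arn:aws:s3:::flowlogs-prod/vpc-a/nested/"},
    {"FlowLogId": "fl-0c3", "LogDestinationType": "cloud-watch-logs",
     "LogDestination": "arn:aws:logs:us-east-1:111111111111:log-group:vpc"},
    {"FlowLogId": "fl-0d4", "LogDestinationType": "s3",
     "LogDestination": "arn:aws:s3:::central-logs/"},
]

def parse_s3_arn(arn):
    """Split 'arn:aws:s3:::bucket/prefix/' into (bucket, prefix); (None, None) if not S3."""
    head = "arn:aws:s3:::"
    if not arn.startswith(head):
        return None, None
    bucket, _, path = arn[len(head):].partition("/")
    return bucket, path.strip("/")

def check_flow_log(record, source_account):
    """Return {'readable', 'problems', 'warnings'}; problems block reading, warnings mean Test Access errors."""
    res = {"readable": True, "problems": [], "warnings": []}
    if record.get("LogDestinationType") != "s3":
        res["problems"].append("destination is not an S3 bucket (only S3 is supported)")
    else:
        bucket, path = parse_s3_arn(record.get("LogDestination", ""))
        if bucket is None:
            res["problems"].append("LogDestination is not an S3 ARN")
        else:
            if path:   # custom paths / nested folders inside the bucket are not read
                res["problems"].append(f"custom path '{path}' inside bucket is not supported")
            owner = BUCKET_OWNERS.get(bucket)
            if owner not in ONBOARDED_ACCOUNTS:   # the bucket's owner account must be onboarded
                res["problems"].append(f"bucket owner account {owner} is not onboarded")
            elif owner != source_account:         # readable, but Test Access reports an error
                res["warnings"].append("cross-account destination: Test Access reports an error")
    res["readable"] = not res["problems"]
    return res

def check_account(records, source_account):
    """Map every FlowLogId of one account to its check result."""
    return {r["FlowLogId"]: check_flow_log(r, source_account) for r in records}
```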

Every 10 minutes, the map ingests traffic flows in 60-minute chunks, and flows are shown only for completed chunks. This means that if flow log access has just been enabled, you need to wait at least an hour to see the flows in the Cloud Map, Traffic, and Inventory pages. However, if you enabled flow log access some time ago and already have previous 60-minute flow chunks, you will see the updated flows within 10 minutes.