- Planning an IVM deployment involving multiple sites across multiple data centers in different geographic regions.
- Is it possible and/or recommended to deploy the IVM Console in AWS (i.e. EC2)?
- What are some considerations with this approach?
Observations and thoughts:
- Did not see Insight API documentation referencing InsightVM.
- Insight Agent can talk directly to the Insight API and take advantage of loose egress network ACLs … but I didn’t find anything mentioning that scan engines can do this?
- Not sure how long any of these data centers are going to be around; with M&A being what it is, we have shifting scope and responsibilities for which data centers we’re covering and we don’t want to have to move/re-deploy the console if one of the data centers goes away.
The type of deployment you’re referencing is a typical deployment. It is actually the model that we use for our managed services. We even have an AMI for the console in AWS (Read more here).
What you would do is deploy the console in AWS and then deploy scan engines in each of the data centers if necessary. Depending on the count of assets in these data centers you may not need a scan engine in each of the locations as long as you can use one scan engine to reach all of the assets from a separate scan engine. Of course this would require planning around networking and firewall rules.
The scan engines can connect directly to the platform as well but the main communication is directly to the console. There are two methods of communication for the scan engines: Console-to-Engine or Engine-to-Console. For your use case I would typically suggest Engine-to-Console communication which happens over port 40815 and has the Engine polling the Console for scanning jobs. (Read more here)
The InsightVM API documentation is found here
With this method you will not need to move or re-deploy the console at all. The AMI also starts out at a small size, so you will want to size it according to your environment following these requirements here.
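An added example, not from the thread or from Rapid7: since the Engine-to-Console model has each data-center engine initiate TCP to the console on 40815, the console's AWS security group only needs inbound 40815 from the engines' egress CIDRs. This Python check runs over a constructed copy of the console security group's ingress rules (in the EC2 IpPermissions shape), flags any source wider than an engine CIDR, and lists engines that would lose polling access once the broad rule is tightened. The CIDRs and rules are placeholders.

```python
import ipaddress

# Engine-to-Console communication: engines poll the console on TCP 40815 (from the thread)
ENGINE_TO_CONSOLE_PORT = 40815

# Constructed sample: egress CIDRs of the scan engines in two data centers (placeholders)
ENGINE_CIDRS = ["198.51.100.0/28", "203.0.113.64/28"]

# Constructed sample modelled on the EC2 IpPermissions shape for the console's security group
CONSOLE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 40815, "ToPort": 40815,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # too broad: any host may poll
    {"IpProtocol": "tcp", "FromPort": 40815, "ToPort": 40815,
     "IpRanges": [{"CidrIp": "198.51.100.0/28"}]},    # DC1 engine, correctly scoped
]


def covers_port(rule, port):
    """True if the rule's protocol and port range include TCP `port`."""
    if rule["IpProtocol"] == "-1":   # "-1" means all traffic; no port fields present
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def audit_console_ingress(rules, engine_cidrs, port=ENGINE_TO_CONSOLE_PORT):
    """Return (findings, uncovered) for the console's inbound rules.

    findings:  sources allowed to reach `port` that are wider than any engine CIDR
    uncovered: engine CIDRs with no tightly scoped rule, i.e. engines whose polling
               would break as soon as the overly broad rule is removed
    """
    allowed = [ipaddress.ip_network(c) for c in engine_cidrs]
    findings, tight = [], []
    for rule in rules:
        if not covers_port(rule, port):
            continue
        for r in rule.get("IpRanges", []):
            src = ipaddress.ip_network(r["CidrIp"])
            # acceptable only if the source lies entirely inside one engine CIDR
            if any(a.version == src.version and src.subnet_of(a) for a in allowed):
                tight.append(src)
            else:
                findings.append(f"port {port} open to {src}")
    uncovered = [str(a) for a in allowed
                 if not any(a.version == t.version and a.subnet_of(t) for t in tight)]
    return findings, uncovered


if __name__ == "__main__":
    broad, missing = audit_console_ingress(CONSOLE_INGRESS, ENGINE_CIDRS)
    print("overly broad sources:", broad)
    print("engines lacking a scoped rule:", missing)
```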
Thank you for sharing this John – we are confident in moving forward with this approach given your insight!