An AWS account with permissions to create, update, and
delete CloudFormation templates (CFT) and associated VPC resources.
The following JSON file can be used to create an IAM policy that grants
the permissions used by the CloudBlade. This policy can then be assigned
to the user or role that has programmatic access.
To import this file in the AWS console, navigate to and paste the
complete JSON below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "cloudformation:SetStackPolicy",
        "cloudformation:CreateStack",
        "cloudformation:DescribeStackResources",
        "cloudformation:DescribeStacks",
        "cloudformation:DeleteStack",
        "ec2:DeleteTransitGatewayConnectPeer",
        "ec2:CreateTransitGatewayConnect",
        "ec2:CreateNatGateway",
        "ec2:CreateTags",
        "ec2:CreateVpc",
        "ec2:ModifyTransitGateway",
        "ec2:CreateTransitGatewayConnectPeer",
        "ec2:CreateTransitGatewayVpcAttachment",
        "ec2:DeleteTransitGatewayVpcAttachment",
        "ec2:CreateRoute",
        "ec2:DeleteTransitGatewayConnect",
        "ec2:DeleteNatGateway",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:DeleteSubnet",
        "ec2:TerminateInstances",
        "ec2:AttachVpnGateway",
        "ec2:DeleteRoute",
        "ec2:DeleteNetworkInterface",
        "ec2:CreateRouteTable",
        "ec2:RunInstances",
        "ec2:AttachInternetGateway",
        "ec2:DeleteRouteTable",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:CreateNetworkInterface",
        "ec2:CreateSecurityGroup",
        "ec2:CreateInternetGateway",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteInternetGateway",
        "ec2:CreateSubnet",
        "ec2:DescribeAddresses",
        "ec2:DescribeInstances",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeVpcs",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeTransitGateways",
        "ec2:DescribeNatGateways",
        "ec2:DescribeTransitGatewayConnects",
        "ec2:DescribeTransitGatewayVpcAttachments",
        "ec2:DescribeTransitGatewayConnectPeers",
        "ec2:DescribeSubnets",
        "ec2:DescribeRouteTables",
        "ec2:ReleaseAddress",
        "ec2:DisassociateAddress",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:DetachInternetGateway",
        "ec2:DisassociateRouteTable",
        "ec2:DescribeSecurityGroups",
        "ec2:AllocateAddress",
        "ec2:AssociateRouteTable",
        "ec2:DescribeInternetGateways",
        "s3:GetObject",
        "ec2:DescribeNetworkInterfaces",
        "sts:DecodeAuthorizationMessage",
        "ec2:ModifyVpcAttribute",
        "ec2:DeleteVpc",
        "ec2:AssociateAddress"
      ],
      "Resource": "*"
    }
  ]
}
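The policy above grants every action on "Resource": "*", so a least-privilege review starts by separating the read-only Describe/Get calls from the actions that create, modify or delete resources. The script below is an added review helper, not part of the CloudBlade or its documentation: it loads a policy document of this shape, strips duplicate actions, groups them by service, and lists every mutating action that is granted on "*". The embedded policy is a constructed excerpt of the list above rather than the full policy, and the set of read-only verb prefixes is an assumption.

```python
import json
from collections import Counter

# Constructed excerpt of the policy above (not the full action list), with the
# duplicate entries left in so the de-duplication step is visible.
POLICY_EXCERPT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "cloudformation:CreateStack", "cloudformation:DeleteStack",
            "cloudformation:DescribeStacks", "cloudformation:CreateStack",
            "ec2:CreateVpc", "ec2:DeleteVpc", "ec2:TerminateInstances",
            "ec2:RunInstances", "ec2:DescribeVpcs", "ec2:CreateRoute",
            "ec2:CreateRoute", "s3:GetObject", "sts:DecodeAuthorizationMessage",
        ],
        "Resource": "*",
    }],
})

# Assumption: API verbs with these prefixes are read-only; everything else mutates.
READ_PREFIXES = ("Describe", "Get", "List", "Decode")

def is_mutating(action: str) -> bool:
    """True when the action's API verb does not start with a read-only prefix."""
    return not action.split(":", 1)[1].startswith(READ_PREFIXES)

def review_policy(policy_json: str) -> dict:
    """Deduplicate actions per Allow statement and flag mutating ones granted on '*'."""
    policy = json.loads(policy_json)
    report = {"duplicates": {}, "services": {}, "mutating_on_star": []}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        counts = Counter(actions)
        report["duplicates"].update({a: n for a, n in counts.items() if n > 1})
        for action in sorted(counts):
            report["services"].setdefault(action.split(":")[0], []).append(action)
            if "*" in resources and is_mutating(action):
                report["mutating_on_star"].append(action)
        stmt["Action"] = sorted(counts)  # write the deduplicated list back
    report["policy"] = policy  # cleaned policy, ready to re-serialise
    return report
```

Running review_policy on the full policy pasted from this page gives the list of create/modify/delete actions that an account reviewer would scope down with resource ARNs or tag conditions where the deployment allows it.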
The AWS account must have sufficient permissions to generate
AWS access keys.
In an upgrade scenario from version 2.0.0 to version 2.1.0 of the
CloudBlade, existing deployments will not be impacted; however, any new
deployments will require a subscription to this marketplace.
The AWS account must have at least 2 Elastic IP addresses
available per region for allocation.
An existing Transit Gateway in the regions where you wish
to deploy a Prisma SD-WAN Data center.
The AWS Transit
Gateway CloudBlade creates the transit gateway attachment between
the Prisma SD-WAN VPC and the Transit Gateway. It also configures
the BGP peering between the Prisma SD-WAN Data center IONs and the
Transit Gateway.
Routing from the application VPCs to reach Prisma SD-WAN remote
networks, and the VPC attachment between the application VPCs and the
Transit Gateway, must be configured by the customer.