Overview

Consider these three options for configuring AWS VPC flow logs and onboarding them to Fusion as traffic sources:

1. Manual Onboarding (AWS Console and Fusion Console, aws CLI, and/or Single-Stack CloudFormation)

Follow step-by-step documentation on configuring AWS and Fusion to onboard each VPC.

Best For: Organizations with a small number of VPCs that rarely change or for an initial PoC.

Next Steps:

Quickstart: AWS

AWS VPC via S3 Setup (AWS Console method)

AWS VPC via S3 Setup (CloudFormation method)

AWS VPC via Kinesis Setup

2. Netography Cloud Onboarding Automation for AWS Organizations

🤖

Using Terraform to automate onboarding

Access Netography's Terraform automation at our GitHub repo: https://github.com/netography/neto-onboarding. For access to the repo, email support@netography.com. with your GitHub ID or with a request for access to the latest release package.

Netography provides a Terraform project, neto-onboarding, that provides Netography Fusion Cloud Onboarding Automation for AWS Organizations, Azure Tenants, and GCP Organizations.

This automation provides the following capabilties, which you can use in whole or part:

• Enables and configure AWS VPC flow logs, Azure VNet flow logs, and GCP VPC flow logs based on a simple policy and tags that defines which VPC/VNet are in scope.
• Deploy all the infrastructure required to integrate to Fusion across multiple accounts (AWS), subscriptions (Azure), and projects (GCP) in a single deployment
• Adds VPCs/VNets configured for flow logging to Netography Fusion as traffic sources.
• Deploys a single AWS Lambda function, Azure Function, or Google Function that provides context enrichment across all the accounts/subscriptions/projects as an outbound push from your cloud to the Fusion API, eliminating the need to add context integrations from the Fusion portal, to grant Netography permissions to directly enumerate resource properties, or to add individual context integrations in Fusion for each cloud account.
• Monitor for VPC/VNet changes and trigger enabling and configuring flow logs, and onboarding to Fusion new VPCs/VNets that are in scope, and offboarding VPCs/VNets that are removed or no longer in scope.

Best For: Organizations that want a complete, supported, end-to-end solution for managing flow log configurations and onboarding to Fusion that can be deployed easily. If you are multi-cloud, have a large dynamic cloud environment, and/or also want to handle context enrichment or Route53 DNS ingest, this will save you a significant amount of time compared to options 1 or 2.

Next Steps:

E-mail support@netography.com requesting access to the GitHub repo (providing your GitHub ID) or the latest release package.

3. Custom IaC Automation

Leverage your existing automation pipelines or scripts to:

• Deploy the IAM policy and custom role needed for Netography to read flow logs from S3 bucket(s)
• Configure VPC Flow Logs on each VPC to write to the S3 bucket
• Call the Fusion API to create a new Fusion traffic source for each VPC (or each account/region when using a centralized S3 log destination) with flow logs configured

Best For: Organizations experienced at developing IaC for AWS that already create VPCs and/or VPC flow log configurations through IaC and want to extend that to onboard the flow logs to Netography.

Next Steps:

Netography AWS Onboarding Guide for Cloud Automation Engineers