Setting up an AMI-Based Edge Service in AWS

Step-by-step instructions for setting up an Edge Service in AWS from a Delve-published AMI


Request a configuration only Edge Service in Delve

To request the creation of a configuration-only URL for a generic Edge Service virtual machine, go to the "Settings" panel and click on the "Edge Services" link in the "System settings" box.

In the "Manage Edge Services" panel displayed on the right, use the "+" button to request the creation of a new Edge Service.

From the window that appears, open the "Virtualization Platform" dropdown and choose the "Configuration Only" generation.

After a few minutes, the configuration URL will be accessible through the cog icon that appears at the right of the Edge Service name.


While the configuration URL gets generated, you can immediately note the AMI ID of a generic unconfigured Edge Service image that corresponds to your AWS region.

Once the cog icon appears, you can click on it to obtain further instructions and copy the Edge Service Configuration URL.


Once the Edge Service has been created, Delve will wait for a connection from the Edge Service. The Status icon in the "Manage Edge Services" panel will stay orange when it isn't connected.


Get the right AMI ID for your AWS Region

With the configuration URL copied, note the AMI ID of a generic unconfigured Edge Service image that corresponds to your AWS region.

Set up a new instance in AWS with this AMI ID

Select the appropriate AWS Region in your environment and navigate to your EC2 console.

Choose "Launch Instance":

In Step 1, search for the AMI ID noted above, and click on the result from "Community AMIs".

When you click on the result, you should be presented with the Delve Labs Edge Service AMI information:

Click on "Select" to start the instance creation process, then choose the instance size that fits your deployment. We recommend at minimum a t2.small instance, but you can use the following guidelines for the instance size:

  • t2.small: up to 100 scans/day
  • t2.medium: 100 to 200 scans/day
  • t2.large: 200 to 300 scans/day
  • t2.xlarge: 300 to 500 scans/day
  • t2.2xlarge: 500+ scans/day

Next: Configure Instance Details. These should be filled in according to your VPC configuration, but the important settings to consider are:

Network / Subnet: Choose a VPC where the ES will have access to the machines it needs to discover and scan.

In addition, to finalize the setup and link the generic ES that you started to your Delve instance, you need HTTP (port 80) access to the ES from your browser. This is only needed temporarily, for the setup.

Auto-assign Public IP: You will need to access the ES through HTTP (port 80) to finalize the setup and link the generic ES that you started to your Delve instance. Decide whether you want to do this configuration over the Internet (secured through a security group restricting access to only your own IP address) or through a local jump box in the same VPC.

Next: Add Storage. The AMI's default settings (49GB SSD) should already be selected.

Next: Add Tags. You can add a "Name" tag if you want to be able to find your EC2 instance easily.

Next: Configure Security Groups. Make sure you place the ES in a security group that allows:

  • Access to the assets in the VPC where the discoveries & scans will take place.
  • Access to the HTTP (port 80) interface of the ES from your browser, to finalize the setup and link the generic ES that you started to your Delve instance. This is only needed temporarily, for the setup.

Review and Launch. If AWS asks you to select a key pair, you can choose "Proceed without a key pair".

Navigate back to your EC2 console to confirm that the ES is running. If you take a console screenshot, you should see that it is waiting on the HTTP interface for the final configuration step:


Assign an Elastic IP to the AMI

  • Navigate to “Networking & Security > Elastic IPs”

  • Assign one of your existing Elastic IPs; you can re-use one that you are not currently using:

    • right-click the instance using it > Disassociate

    • right-click your new ES instance > Associate > pick your IP > Associate

  • Alternatively, you can request more IPs from AWS support; this kind of request is generally answered fairly quickly.
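The launch, security group and Elastic IP steps above, expressed as a Terraform configuration. This is an added example, not Delve's own code: the AMI, VPC, subnet, admin IP and scan range values are placeholders to replace with your own, and it assumes the AWS provider v5 syntax.

```hcl
# Added example (not from Delve): launch the Edge Service AMI behind a
# security group that exposes the temporary port-80 setup interface only
# to the administrator's own IP, and attach an Elastic IP.
# Every variable default below is a placeholder / assumption.

variable "es_ami_id"  { default = "ami-PLACEHOLDER" }     # AMI ID noted in Delve for your region
variable "vpc_id"     { default = "vpc-PLACEHOLDER" }
variable "subnet_id"  { default = "subnet-PLACEHOLDER" }
variable "admin_cidr" { default = "203.0.113.10/32" }     # your own public IP (documentation range)
variable "scan_cidr"  { default = "10.0.0.0/16" }         # VPC range holding the assets to scan
locals { delve_cidr = "74.217.31.64/26" }                 # Delve public range, as given in this article

resource "aws_security_group" "edge_service" {
  name   = "delve-edge-service"
  vpc_id = var.vpc_id

  # Temporary setup interface: port 80 from the admin IP only, never 0.0.0.0/0.
  # Remove this rule once the ES reports "Client keys were downloaded successfully."
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  # Egress to the assets the ES discovers and scans (all protocols)
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [var.scan_cidr]
  }

  # Egress to Delve's range so the ES can register and report back;
  # the article gives no port, so all protocols to that /26 are allowed.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [local.delve_cidr]
  }
}

resource "aws_instance" "edge_service" {
  ami                    = var.es_ami_id
  instance_type          = "t2.small"          # recommended minimum; see the sizing list above
  subnet_id              = var.subnet_id
  vpc_security_group_ids = [aws_security_group.edge_service.id]
  tags                   = { Name = "delve-edge-service" }
}

resource "aws_eip" "edge_service" { domain = "vpc" }   # address that survives stop/start
resource "aws_eip_association" "edge_service" {
  instance_id   = aws_instance.edge_service.id
  allocation_id = aws_eip.edge_service.id
}
```

After the setup interface turns itself off, drop the port-80 ingress rule so nothing on the instance is reachable from the Internet.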

Use the configuration URL to finalize the Edge Service setup

The ES will expose a single-use temporary configuration interface that should be accessible on your local network (or publicly, if you used an Amazon public IP) at the following address:

http://<IP-of-the-Edge-Service>/

This temporary configuration interface will be automatically turned OFF as soon as the Edge Service is successfully configured.

If you need to change previous settings, you can always reset the AMI configuration and request the generation of a different configuration URL for the same Edge Service through the "regenerate" icon in Delve.


Once you have accessed the temporary configuration interface, you should be presented with a screen to select the desired local network configuration for the Edge Service.

Press "Submit"; on the next page, enter the configuration URL you obtained in Delve's interface by clicking on the cog icon in your Delve account.

Once you press "Submit", the Edge Service will download the custom keys in addition to the configuration it needs to run, and will be associated with your Delve account.

Soon after, you will see the message "Client keys were downloaded successfully." and the web interface will be turned off immediately.

If you chose a static IP configuration, the machine will reboot automatically; with DHCP, you can simply close the tab.

The machine console should now have changed and show connectivity to your Delve account.

It can take a couple of minutes for the status message to change to "connected properly".


Resolving potential connectivity issues

Once your Edge Service is up and running, it should connect to Delve automatically if your networking has been configured accordingly.

The Edge Service icon visible in Delve will turn green if the connection is successful.

If you run into connectivity issues, you can debug them by following these suggestions.

74.217.31.64/26 is our public IP range from which the Internet scans originate, and is also the range to which the ES connects.

We recommend allowing traffic to and from this subnet for your perimeter scans, to ensure consistent scan results, and permitting egress traffic from the ES to this IP range.