Automate multi-account IP address management in AWS with BlueCat and AWS Control Tower
As your AWS footprint grows and your business needs evolve, having a multi-account strategy is a best practice to achieve better segregation of workloads, improved agility, and tighter governance.
On top of managing multiple Virtual Private Clouds (VPC) in AWS, many customers also have hybrid environments where on-premises networks are connected to AWS via site-to-site virtual private networks or Direct Connect. Traditionally, network administrators have had to perform their own IP address management (IPAM), often using homegrown or spreadsheet-based tools that are time-consuming to maintain, as they require manual updates and synchronization across interconnected networks.
Instead, some of our customers have taken advantage of BlueCat Integrity, an intelligent DNS, DHCP, and IP address management (DDI) platform that manages IP-based resources centrally, reducing complexity and providing visibility across your AWS accounts and other environments.
AWS Control Tower uses AWS best practices to establish a well-architected, multi-account baseline and enables governance across your AWS accounts. Many of our customers use AWS Control Tower to manage and govern multi-account AWS environments. For more information about managing multi-account AWS environments with AWS Control Tower, see Getting Started with AWS Control Tower.
In this post, we describe a new solution that integrates BlueCat Integrity with AWS Control Tower. This solution provides comprehensive visibility of IP-based resources across your multi-account environment. It also ensures that new and existing AWS accounts are onboarded automatically, simplifying provisioning and configuration.
BlueCat Integrity delivers feature-rich recursive and authoritative DNS, dual-stack supported DHCP, and IP Address Management (IPAM). It provides a source of intelligence and insight into the relationship between all the devices, users, and IP addresses on the network.
BlueCat Cloud Discovery and Visibility (CD&V) is an adaptive application that works with BlueCat Integrity to provide a single view of resources and records across on-premises and cloud environments.
By deploying BlueCat Address Manager (BAM, part of BlueCat Integrity) and BlueCat CD&V in a shared networking account of AWS Control Tower, administrators gain visibility of their cloud assets. CD&V monitors resources within AWS Control Tower, recording any newly created accounts, as well as future changes within those accounts. This consistent observability pipeline feeds IPAM data to BAM for network administrators to centrally manage and analyze.
The following architecture diagram shows an AWS Control Tower environment with a multi-account structure. As per the multi-account best practice, a networking account within an Infrastructure Organizational Unit (OU) is created and used for all shared networking resources. As BAM and CD&V are specifically focused on network resources management, you deploy them in a Virtual Private Cloud (VPC) within the networking account. The AWS Control Tower integration solution covered in this blog post is deployed in the AWS Control Tower management account.
These are the key components of the solution:
- AWS Lambda function deployed in the AWS Control Tower Management account to listen for AWS Control Tower lifecycle events (that is, CreateManagedAccount and UpdateManagedAccount)
- BAM deployed in the networking account
- CD&V deployed in the networking account
Once the solution is deployed, the following steps are executed automatically upon the creation of a new AWS account in AWS Control Tower:
- An AWS Control Tower lifecycle event CreateManagedAccount is generated as an Amazon EventBridge event, which serves as a trigger for the Lambda function. Refer to the following diagram.
- The Lambda function then creates a stack instance from an AWS CloudFormation StackSet to deploy, in the new member account, the IAM role that the BlueCat software assumes in order to invoke AWS APIs there. StackSet operations are asynchronous, so the role must be confirmed in place before the next step runs; otherwise BlueCat's first API calls against the account fail because the role does not exist yet.
- The Lambda function then authenticates with the BlueCat software using the provided credentials and invokes the APIs, passing the account ID of the newly created account. Refer to the following diagram.
- This triggers the discovery process, whereby BlueCat calls AWS APIs in the new account to discover all resources and then starts a continuous visibility job. During the visibility job creation, it creates an Amazon Simple Notification Service (Amazon SNS) topic and an Amazon Simple Queue Service (Amazon SQS) queue to receive future events about AWS resource changes within the account. These are fed back to BlueCat CD&V and are visible in the BAM portal. Refer to the following diagram.
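The following is an added example of the Lambda side of the flow above; it is not the solution's own code or BlueCat's. It parses the Control Tower lifecycle event as EventBridge delivers it, acts only on a successful CreateManagedAccount or UpdateManagedAccount, deploys the member-account role through an existing CloudFormation StackSet, waits for that operation to finish (the point where a naive implementation races BlueCat), and only then hands the account ID over. The StackSet name, the environment variable names, the self-managed StackSet permission model, and the `start_bluecat_discovery` callback that stands in for BlueCat's API calls are assumptions, not details from the post.

```python
"""Added example (not the solution's own Lambda code): handle Control Tower
lifecycle events, deploy the BlueCat member-account role via a StackSet, wait
for it, then hand the account to BlueCat.  Assumed, not from the post: the
StackSet name, the environment variable names, a self-managed StackSet, and
the start_bluecat_discovery callback standing in for BlueCat's API calls."""
import os
import time
from typing import Optional

# EventBridge rule pattern that selects the two lifecycle events the post names.
LIFECYCLE_EVENT_PATTERN = {
    "source": ["aws.controltower"],
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {"eventName": ["CreateManagedAccount", "UpdateManagedAccount"]},
}
# Control Tower nests the status block under a key derived from the event name.
_STATUS_KEYS = {
    "CreateManagedAccount": "createManagedAccountStatus",
    "UpdateManagedAccount": "updateManagedAccountStatus",
}
# Constructed sample event: shape follows the documented lifecycle event,
# the account name and ID are placeholders.
SAMPLE_CREATE_EVENT = {
    "source": "aws.controltower",
    "detail": {
        "eventName": "CreateManagedAccount",
        "serviceEventDetails": {"createManagedAccountStatus": {
            "account": {"accountName": "payments-dev", "accountId": "111122223333"},
            "state": "SUCCEEDED",
        }},
    },
}


def parse_lifecycle_event(event: dict) -> Optional[dict]:
    """Return event_name/account_id/state, or None for events not handled here."""
    if event.get("source") != "aws.controltower":
        return None
    detail = event.get("detail", {})
    key = _STATUS_KEYS.get(detail.get("eventName"))
    if key is None:
        return None
    status = detail.get("serviceEventDetails", {}).get(key, {})
    account_id = status.get("account", {}).get("accountId")
    if not account_id:
        return None
    return {"event_name": detail["eventName"], "account_id": account_id,
            "state": status.get("state")}


def deploy_member_role(cfn, stack_set_name, account_id, region,
                       poll_seconds=5.0, max_polls=120):
    """Create the stack instance for one account and block until CloudFormation
    reports the operation finished, so the role exists before BlueCat needs it.
    Idempotent, because UpdateManagedAccount also fires for existing accounts."""
    existing = cfn.list_stack_instances(
        StackSetName=stack_set_name, StackInstanceAccount=account_id,
        StackInstanceRegion=region)["Summaries"]
    if existing:
        return "ALREADY_DEPLOYED"
    op_id = cfn.create_stack_instances(
        StackSetName=stack_set_name, Accounts=[account_id], Regions=[region])["OperationId"]
    for _ in range(max_polls):
        op = cfn.describe_stack_set_operation(StackSetName=stack_set_name, OperationId=op_id)
        status = op["StackSetOperation"]["Status"]
        if status in ("SUCCEEDED", "FAILED", "STOPPED"):
            return status
        time.sleep(poll_seconds)
    return "TIMED_OUT"


def handler(event, context=None, cfn=None, start_bluecat_discovery=None):
    """Lambda entry point.  cfn and start_bluecat_discovery are injectable so
    the decision logic can be exercised offline, without AWS credentials."""
    parsed = parse_lifecycle_event(event)
    if parsed is None:
        return {"action": "ignored", "reason": "not an account lifecycle event"}
    if parsed["state"] != "SUCCEEDED":
        return {"action": "ignored", "reason": "state=%s" % parsed["state"], **parsed}
    if cfn is None:
        import boto3  # imported lazily so the module loads without the SDK
        cfn = boto3.client("cloudformation")
    status = deploy_member_role(
        cfn, os.environ.get("BLUECAT_ROLE_STACKSET", "BlueCatMemberRole"),
        parsed["account_id"], os.environ.get("BLUECAT_DISCOVERY_REGION", "us-east-1"))
    if status not in ("SUCCEEDED", "ALREADY_DEPLOYED"):
        return {"action": "failed", "stackset_status": status, **parsed}
    if start_bluecat_discovery is not None:
        start_bluecat_discovery(parsed["account_id"])  # BlueCat API calls go here
    return {"action": "onboarded", "stackset_status": status, **parsed}


class FakeCloudFormation:
    """Constructed offline stand-in for the boto3 CloudFormation client."""
    def __init__(self):
        self.instances, self.create_calls = set(), 0

    def list_stack_instances(self, StackSetName, StackInstanceAccount, StackInstanceRegion):
        found = (StackInstanceAccount, StackInstanceRegion) in self.instances
        return {"Summaries": [{"Account": StackInstanceAccount}] if found else []}

    def create_stack_instances(self, StackSetName, Accounts, Regions):
        self.create_calls += 1
        self.instances.update((a, r) for a in Accounts for r in Regions)
        return {"OperationId": "op-%d" % self.create_calls}

    def describe_stack_set_operation(self, StackSetName, OperationId):
        return {"StackSetOperation": {"Status": "SUCCEEDED"}}
```

The EventBridge rule carrying `LIFECYCLE_EVENT_PATTERN` has to live in the management account in the Control Tower home Region, because that is where the lifecycle events are emitted. Two behaviours matter operationally: a FAILED or in-progress state is ignored rather than half-onboarded, and a second event for the same account (an UpdateManagedAccount, or a replayed event) does not create a second stack instance.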
While this architecture shows BlueCat’s software deployed in a networking account in AWS, some customers may have the software deployed on-premises. In such cases, the solution can integrate with the on-premises BlueCat components.
Solution walkthrough: Automate multi-account IP address management in AWS with BlueCat and AWS Control Tower
Before you deploy the solution, make sure that the following prerequisites are in place:
- Ensure that AWS Control Tower is set up in your organization's management account.
- Create a networking account within AWS Control Tower. This is a shared account used for hosting shared networking resources, as per the multi-account best practice.
- Create a VPC with public subnets in the networking account.
- Set up BAM in the networking account and note the public IP address of its EC2 instance; you need it for the stack parameters.
- Set up CD&V in the networking account and note the public IP address of its EC2 instance.
Both portals are reachable over the internet and hold administrative credentials, so restrict the security group ingress on these instances to the sources that actually need to reach them: your administrators' address ranges and the management-account Lambda function that calls the BlueCat APIs (give the function a fixed egress address by attaching it to a VPC with a NAT gateway). Do not leave port 443 open to 0.0.0.0/0.
1. Deploy the solution for BlueCat integration with AWS Control Tower
To deploy this solution, follow these steps:
- Sign in to the AWS Control Tower management account.
- Launch the BlueCat template from the AWS CloudFormation console by starting the Create stack wizard and supplying the template.
- In the parameters section, provide the following parameters:
- BAMurl: The portal URL of BAM. This is normally of the form https://<publicIPBAM> , where publicIPBAM is the public IP address of the EC2 instance where BAM is deployed.
- Gatewayurl: The portal URL of BlueCat CD&V. This is normally of the form https://<publicIPCDV>, where publicIPCDV is the public IP address of the EC2 instance where CD&V is deployed.
- Username/Password: The BlueCat credentials used to sign in to the CD&V portal.
- Access Key: The access key ID of an IAM user created in the AWS account where the BlueCat software is deployed.
- Secret Key: The secret access key of that IAM user.
Treat these four values as secrets. Confirm that the template declares them with NoEcho so they are not displayed in the CloudFormation console or returned by the API, grant the IAM user only the permissions BlueCat needs (assuming the member-account role, not broader rights), and rotate the keys on a schedule. Where possible, keep them in AWS Secrets Manager and have the function read them at run time rather than embedding them in stack parameters.
- BlueCatAccountID: The AWS account ID where the BlueCat software has been deployed.
- BlueCatConfiguration: User-friendly name for the configuration. This gets displayed in the CD&V portal, and discovery and visibility items appear under this configuration. This helps with segregation if you have several environments configured within the BlueCat solution.
- BlueCatTemplateURL: The URL of the CloudFormation template, which specifies the BlueCat IAM role permissions needed in managed accounts for CD&V to work.
- Region: Specify the Region within which you want to perform the BlueCat discovery and visibility.
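The BlueCatTemplateURL parameter points at the template that defines the IAM role BlueCat assumes in every member account, so its trust policy is the control that decides who can read your network inventory. The following is an added example, not code from the post or from BlueCat's template, of the check a reviewer would run against that role: a hardened trust policy shape beside a weak one, and an audit function that flags wildcard principals, principals outside the BlueCat account, and a missing sts:ExternalId condition. The account IDs and the ExternalId value are placeholders, and whether BlueCat's own template sets an ExternalId is not something this post states, which is why that check is switchable.

```python
"""Added example, not part of the post or of BlueCat's template: audit the trust
policy of the IAM role the StackSet creates in each member account.  Account
IDs and the ExternalId value are placeholders."""
from typing import List


def example_trust_policy(bluecat_account_id: str, external_id: str) -> dict:
    """Hardened shape: only principals from the BlueCat account may assume the
    role, and only when they present the agreed sts:ExternalId."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::%s:root" % bluecat_account_id},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


# Weak shape for comparison: any AWS principal anywhere can assume the role.
WEAK_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}


def _as_list(value) -> list:
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _aws_principals(stmt: dict) -> list:
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS")) if isinstance(principal, dict) else []


def _account_of(principal: str) -> str:
    """'arn:aws:iam::123456789012:root' -> '123456789012'; bare IDs pass through."""
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 else principal


def audit_trust_policy(policy: dict, bluecat_account_id: str,
                       require_external_id: bool = True) -> List[str]:
    """Return one finding per problem in every Allow statement granting AssumeRole."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        for p in _aws_principals(stmt):
            if p == "*":
                findings.append("wildcard principal may assume the role")
            elif _account_of(p) != bluecat_account_id:
                findings.append("principal outside the BlueCat account: " + p)
        external_ids = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if require_external_id and not external_ids:
            findings.append("no sts:ExternalId condition on the AssumeRole grant")
    return findings
```

To run this against a deployed role, assume into the member account and pass `iam.get_role(RoleName=...)["Role"]["AssumeRolePolicyDocument"]` (boto3 returns it already decoded as a dict) to `audit_trust_policy` together with the BlueCatAccountID parameter value; an empty list means the role can only be assumed from the account that hosts BAM and CD&V.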
2. Test the solution
Test your integration by adding a new managed account and creating a lifecycle event.
- Create a new managed account:
- Sign in to the AWS Control Tower management account and navigate to the AWS Control Tower console.
- To enroll a new managed account in the AWS Control Tower organization, in the navigation pane, choose Account Factory.
- Enter values for Account email, Display name, AWS SSO email, AWS SSO user name, and Organizational unit.
- Choose Enroll account.
- It can take up to 30 minutes for the account to be created and the AWS Control Tower lifecycle event to trigger.
- Test the integration:
- Once the account is created, sign in to the BlueCat CD&V portal. Access the portal via: https://<publicIPCDV>/.
- On the left under Amazon Web Services, select the Discovery tab and validate that a new discovery session has been created for the new AWS account. Under Discovery Status, you should see the Discovery ID and a status of completed.
- Sign in to the BAM portal. The BAM portal can be accessed via: https://<publicIPBAM>/.
- On the left under Amazon Web Services, select Devices. You should see the discovered devices from your onboarded AWS accounts.
- You can see how quickly the resources are detected by this integration by creating a test EC2 instance.
- Go to the AWS Management Console of the newly created account.
- Launch a test EC2 instance in that account.
- Return to the BAM portal, select the Devices tab, and observe that the newly created instance appears on the dashboard. Changes typically take around 30 seconds to appear.
In this post, we showed you how to automatically enroll new AWS Control Tower managed accounts with BlueCat. As you spin up additional accounts to support diverse application teams and business units, this solution provides an automated way to discover IP address usage across those accounts and gives network administrators the data they need to plan and allocate address ranges. For more information about this solution, see Solutions for AWS Control Tower in AWS Marketplace.