Before You Begin
You can also orchestrate a Transit Gateway through the Multicloud Defense Gateway or attach an existing Transit Gateway.
Cloud Service Provider Prerequisites and Limitations
Prerequisites
The supported cloud service providers (AWS, Azure, GCP, OCI) are separate entities, each with its own vocabulary and gateway environment. Not every option available in the Multicloud Defense Controller is compatible with every cloud service provider. For example, AWS uses its own Transit Gateway, to which you add VPCs, while Azure uses a load balancer to manage web traffic and applications, to which you add VNets. Keep this in mind when proceeding.
Note: For AWS environments, when securing spoke VPCs in centralized mode, Multicloud Defense attaches the VPCs to the Transit Gateway that is associated with the service VPC. By default, Multicloud Defense randomly selects one subnet in each availability zone for the Transit Gateway attachment. You can change this selection when you add a VPC, or by modifying a VPC that is already assigned to the gateway.
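The note above describes the default one-subnet-per-availability-zone attachment that Multicloud Defense makes for a spoke VPC. The following is an added example, not Cisco Multicloud Defense code: a small check that, given the subnets of a spoke VPC and its Transit Gateway VPC attachment, reports which subnet was chosen in each availability zone and flags any zone left without one. The VPC, subnet, Transit Gateway and attachment identifiers are constructed sample data shaped like the boto3 EC2 `describe_subnets()` and `describe_transit_gateway_vpc_attachments()` responses, so the check runs offline; with real responses substituted in, the functions work unchanged.

```python
"""Check a Transit Gateway VPC attachment for one subnet per availability zone.

Added example, not Cisco Multicloud Defense code. The sample dicts below are
constructed to mirror the shape of the boto3 EC2 responses from
describe_subnets() and describe_transit_gateway_vpc_attachments().
"""
from collections import defaultdict

# Constructed sample: a spoke VPC with two subnets in each of two AZs.
SUBNETS = {
    "Subnets": [
        {"SubnetId": "subnet-0a1", "AvailabilityZone": "us-east-1a", "VpcId": "vpc-spoke1"},
        {"SubnetId": "subnet-0a2", "AvailabilityZone": "us-east-1a", "VpcId": "vpc-spoke1"},
        {"SubnetId": "subnet-0b1", "AvailabilityZone": "us-east-1b", "VpcId": "vpc-spoke1"},
        {"SubnetId": "subnet-0b2", "AvailabilityZone": "us-east-1b", "VpcId": "vpc-spoke1"},
    ]
}

# Constructed sample attachment: subnet-0a2 was chosen in us-east-1a, nothing in us-east-1b.
ATTACHMENTS = {
    "TransitGatewayVpcAttachments": [
        {
            "TransitGatewayAttachmentId": "tgw-attach-0001",  # hypothetical ID
            "TransitGatewayId": "tgw-0001",                    # hypothetical ID
            "VpcId": "vpc-spoke1",
            "SubnetIds": ["subnet-0a2"],
            "State": "available",
        }
    ]
}


def subnets_by_az(subnets_response, vpc_id):
    """Map each availability zone of vpc_id to the subnet IDs it contains."""
    by_az = defaultdict(list)
    for s in subnets_response["Subnets"]:
        if s["VpcId"] == vpc_id:
            by_az[s["AvailabilityZone"]].append(s["SubnetId"])
    return dict(by_az)


def attachment_coverage(subnets_response, attachments_response, vpc_id):
    """Return {az: attached_subnet_id_or_None} for the TGW attachment(s) of vpc_id.

    Raises ValueError if an attached subnet is not in the VPC, or if one AZ has
    more than one attached subnet (a TGW VPC attachment allows one per AZ).
    """
    by_az = subnets_by_az(subnets_response, vpc_id)
    subnet_to_az = {sid: az for az, sids in by_az.items() for sid in sids}
    attached = set()
    for att in attachments_response["TransitGatewayVpcAttachments"]:
        if att["VpcId"] == vpc_id:
            attached.update(att["SubnetIds"])
    coverage = {az: None for az in by_az}
    for sid in sorted(attached):
        az = subnet_to_az.get(sid)
        if az is None:
            raise ValueError(f"attached subnet {sid} is not in {vpc_id}")
        if coverage[az] is not None:
            raise ValueError(f"AZ {az} has more than one attached subnet")
        coverage[az] = sid
    return coverage


def missing_azs(coverage):
    """Availability zones of the VPC that have no subnet in the TGW attachment."""
    return sorted(az for az, sid in coverage.items() if sid is None)


if __name__ == "__main__":
    cov = attachment_coverage(SUBNETS, ATTACHMENTS, "vpc-spoke1")
    for az, sid in sorted(cov.items()):
        print(f"{az}: {sid or 'NO ATTACHED SUBNET'}")
    if missing_azs(cov):
        print("warning: zones without attachment:", ", ".join(missing_azs(cov)))
```

To run this against a live account, replace the two sample dicts with `ec2.describe_subnets(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])` and `ec2.describe_transit_gateway_vpc_attachments(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])` from a boto3 EC2 client. A zone reported as missing means traffic from workloads in that zone has no local path to the service VPC, which is exactly the situation the per-zone subnet selection in the note is meant to avoid.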
Limitations
Be aware of the following limitations when creating a Multicloud Defense Gateway:
- If you deploy a Multicloud Defense Gateway that uses a site-to-site VPN tunnel containing an IPSec profile, you must deploy the gateway with a service VPC or service VNet and without a Network Address Translation (NAT) gateway on either side of the VPN connection.
- Autoscaling is not supported for gateways containing an IPSec profile.
- Policy rules within the gateway must be Forwarding only.
- If you intend to include an IPSec profile in a Multicloud Defense Gateway for an AWS or Azure account, the gateway instance must be configured with core 8. Multicloud Defense Gateway does not currently support gateways with core 2 or core 4 options.
Preview Only FTDv Prerequisites and Limitations
Multicloud Defense orchestrates only the process of creating, deploying, and maintaining the gateway. Any policy or rule creation occurs in Cloud-delivered Firewall Management Center. If you have a Secure Firewall Threat Defense Virtual (FTDv) device and want to create a gateway for it without using a device manager, consider the following prerequisites, limitations, and recommendations to support the integration of both management products.
Prerequisites
You must have the following completed and configured before you create a Multicloud Defense Gateway for your FTDv:
- You must create a new Service VPC. Service VPCs created before this feature was introduced do not support it. A newly created Service VPC can still be used for either Multicloud Defense gateways or FTDv gateways.
- You must have a cloud service provider onboarded to your Multicloud Defense tenant.
- If you are using an AWS account as the designated cloud service provider for the FTDv gateway, you must manually accept the AWS Marketplace Terms of Service. Without this, the Multicloud Defense Controller cannot send the required API requests.
- You must have at least one license purchased through your Cisco Smart Account.
- You must have a subscription to Cloud-delivered Firewall Management Center.
For limitations and requirements for this environment, please refer to (Preview Only) Secure Firewall Threat Defense.