About Multicloud Defense
Multicloud Defense (MCD) is a comprehensive security solution consisting of two primary components: the Multicloud Defense Controller and Multicloud Defense Gateway. These components collaborate to establish a secure multicloud environment
Multicloud Defense currently supports Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), and Oracle OCI cloud accounts. The range of support for these platforms vary.
In essence, Multicloud Defense offers a sophisticated and streamlined security framework, harmonizing controller orchestration, gateway communication, and optimized datapath processing for a robust and efficient multicloud protection mechanism.
This documentation has been prepared for practitioners who have a basic understanding of public cloud networking and security concepts, and participate in various functional teams, including:
-
Development Operations (DevOps and DevSecOps)
-
Security Operation Centers (SOCs)
-
Security Architects Info
-
Sec Architects Cloud Architects
Additional Multicloud Defense Documentation
You can find additional information about Multicloud Defense in the following documents:
Multicloud Defense Naming Conventions
Multicloud Defense interacts with a variety of cloud service providers and in order to provide a universal experience across the platforms,
limits the character count when you create gateways and objects. Gateways and objects that exist outside of Multicloud Defense have ciscomcd
prepended to the name, which may cause issues if the original gateway or object name is too long.
Consider the following character limitations when naming your gateways or objects, both inside and outside of Multicloud Defense:
Multicloud Defense Feature |
Character Limit |
---|---|
Gateway Instance |
55 |
Object Name |
63 |
Note |
The values above indicate the character limit for names without the prepended Multicloud Defense tag. You are not responsible for including the tag when you name the gateway or object. |
Supported Regions
Multicloud Defense supports the following regions:
-
United States (US) - us-west-2
-
Europe (EU) - eu-central-1
-
Tokyo (APJ) - ap-northeast-1
-
Sydney (APJ) - ap-southeast-2
-
Mumbai (APJ) - ap-south-1
Recommended Versions of Multicloud Defense Components
We recommend keeping your components up to date with the latest upgrades and updates for enhancements and new features, as well as bug fixes. For more information on what updates and upgrades are available, and what each package addresses, see the Cisco Multicloud Defense Release Notes.
Third Party Product Support and Versioning
Multicloud Defense utlilizes additional products and functions. For optimal operations, consider using the appropriate versions listed.
Internet Browsers
At this time Multicloud Defense supports and recommends using a Chrome browser when viewing the controller dashboard.
Instance Metadata Service For AWS
The Instance Metadata Service (IMDS) is used to access instance metadata from an Amazon EC2 instance. The Multicloud Defense Controller version 23.10 sets up IMDSv2 to be Required or Optional depending on the corresponding Multicloud Defense Gatewayversion.
We strongly recommend upgrading to a Multicloud Defense Gateway version that specifically supports IMDSv2 in the Required mode for optimal security with Amazon EC2 instances.
Note |
The Multicloud Defense Controller version 23.10 forces Multicloud Defense Gateway versions 23.04 and later to default to IMDSv2 for EC2 instances. |
Use the table below to determine which IMDS version will be setup inside the EC2 instance for your environment:
Multicloud Defense Gateway Version |
Required IMDS Version |
---|---|
23.08 |
IMDSv2 (required) |
23.06 |
IMDSv2 (required) |
23.04 |
IMDSv2 (required) |
23.02 |
IMDSv1 IMDSv2 (optional) |
22.12 |
IMDSv1 IMDSv2 (optional) |
For more information on IMDS versions and how to migrate to the version of your choice, see AWS documentation.
Supported Disk Size
Consider the following disk size support for the appropriate gateway versions:
Gateway Version |
Supported Disk Size |
---|---|
23.12 and later |
128GB |
up to 23.10 |
256GB |
Multicloud Defense in Cisco Security Provisioning and Administration
Security Provisioning and Administration is a web application that provides centralized management of Cisco Secure product instances, user identity, and user access management across Cisco Security Cloud. Security Provisioning and Administration administrators can create new Security Cloud enterprises, manage users in an enterprise, claim domains, and integrate their organization’s SSO identity provider, among other tasks.
When you enroll in a Multicloud Defense, Security Provisioning and Administration creates an account for your tenancy by default to better manager your enterprises across the board. The Security Cloud enterprise supports the following cases: if you have purchased a license and already have a Multicloud Defense account, and if you have purchased a license but currently do not have a Multicloud Defense account.
Note that
You must complete the following steps in the Security Provisioning and Administration dashboard; feel free to refer to the Cisco Security Provisioning and Administration User Guide for more information for any of these steps:
-
Buy a subscription license. Once this is purchase, you or the designated system administrator receives an email with a subscription claim code. Do not lose this email.
-
Claim the subscription. You need the claim code from the email mentioned above. See the "Managing products and subscriptions" for more information.
-
Activate the instance. This "instance" refers to a Multicloud Defense account that is attached to a tenant in Cisco Security Cloud Control . See "Activating a product instance" for more information.
Warning
You will be prompted to activate a new or existing instance; to apply the license to a Multicloud Defense account that is not already in the enterprise, select Activate a new instance. The Apply license to an existing instance option applies the license to a Multicloud Defense instance that is already enrolled in the Security Cloud enterprise
Note
If you do not already have a Multicloud Defense account associated with your Security Cloud Control tenant, select No when asked "
Do you have an existing Cisco Security Cloud Control Account to associate with your Multicloud Defense License?
". This generates a request for a Security Cloud Control tenant; you can then request and enable a Multicloud Defense. If you select No, disregard step 4.
-
Confirm the activation. This step is done in Security Cloud Control; you must confirm the activation by clicking the activation button. This button appears as a new banner located near the top of the dashboard window as depicted below:
Note
Once you confirm the activation, you must select the performance tier of the Multicloud Defense account. Depending on whether you have a trial or a full license for the product, the options you see may differ from this screenshot: