Getting Access to Cloud Hosted Controllers
Cisco-managed cloud-hosted controllers are closed to management access by default. For security reasons, Cisco does not open access to the cloud-hosted Cisco Catalyst SD-WAN Controllers from 0.0.0.0/0 (any source). It is expected that you access the controllers from specific public IP prefixes of your enterprise network, and only those prefixes are opened for access. You can restrict access further by requesting that only https and ssh be placed on the allowed list for your given source IP prefixes.
Cloud-hosted controllers have private IP addresses on their interfaces. Each private IP address has a 1:1 NAT mapping to a public IP address in the cloud. These IP addresses do not change, regardless of whether the interface is configured with a static IP address or DHCP; they change only when the instance is recovered or replaced.
The allowed-list is applied to all the network interfaces of all the controllers that have public IP addresses.
Update Inbound Rules
You can update the allowed-list applied to your cloud-hosted controller set based on the overlay type.
- Shared tenant overlay: To update or view the allowed-list applied to your cloud-hosted controller set, open a case with Cisco TAC support. You can request support for the following:
  - Provide up to 5 IP prefixes to be allowed on the access-list
  - Allow only https access to the IP prefixes for the web login to the Cisco SD-WAN Manager portal
- Dedicated overlay: To enable Cisco-hosted, cloud-based, single-tenant dedicated controllers to add, delete, or modify cloud security group allowed-lists, use one of the following options:
  - Log in to the Cisco Catalyst SD-WAN Portal at https://ssp.sdwan.cisco.com and manage the access-list. You need to be the Cisco PNP Smart Account admin for the Smart Account where the overlay controller profile is based.
    - You can provide up to 200 IP prefixes to be allowed on the access-list.
  - Open a Cisco TAC support case and provide the following information:
    - Overlay/VA name
    - Cisco SD-WAN Manager IP/FQDN
    - IP address
    - Whether to mark the IP address as allowed for all traffic or for selected traffic only (for example https, SSH, and so on)
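The allowed-list described above is, in effect, a small policy: a bounded set of public source prefixes, each permitted either all traffic or only named services such as https and ssh, with 0.0.0.0/0 never accepted. The following Python script is an added example (not Cisco's code or the portal's logic) that models that policy so an administrator can validate a proposed list before submitting it through the portal or a TAC case, and check how a given source address and port would be treated. The per-overlay prefix limits (5 shared, 200 dedicated) and the service names come from the page; the service-to-port mapping, the list of non-public ranges that are rejected, the function names, and the sample prefixes (RFC 5737 documentation ranges) are assumptions constructed for the example.

```python
import ipaddress
from typing import Iterable, List, Optional, Sequence, Tuple

# Services the page names for restricted access; the port mapping is assumed.
SERVICE_PORTS = {"https": 443, "ssh": 22}

# Prefix limits stated on the page: 5 for a shared tenant overlay,
# 200 for a dedicated overlay.
PREFIX_LIMITS = {"shared": 5, "dedicated": 200}

# Assumed policy: ranges that can never be a valid public source prefix
# (RFC 1918, loopback, link-local, multicast). Any overlap is rejected.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
)]


class AllowRule:
    """One allowed-list entry: a source prefix and the services it may reach.
    An empty service set means all traffic is permitted from that prefix."""

    def __init__(self, prefix, services):
        self.prefix = prefix
        self.services = services

    def __repr__(self):
        svc = ",".join(sorted(self.services)) or "all"
        return f"AllowRule({self.prefix}, {svc})"


def build_allowed_list(overlay_type: str,
                       entries: Iterable[Tuple[str, Optional[Sequence[str]]]]) -> List[AllowRule]:
    """Validate a proposed allowed-list. Each entry is (prefix, services) where
    services is a list of service names or None for all traffic.
    Raises ValueError on any entry the policy would not accept."""
    limit = PREFIX_LIMITS[overlay_type]
    rules = []
    for prefix_str, services in entries:
        # strict=True rejects prefixes with host bits set (e.g. 203.0.113.5/24),
        # which usually means the requester mistyped the prefix length.
        net = ipaddress.ip_network(prefix_str, strict=True)
        if net.prefixlen == 0:
            raise ValueError(f"{net}: open-to-the-world prefix is not permitted")
        for blocked in NON_PUBLIC:
            if net.version == blocked.version and net.overlaps(blocked):
                raise ValueError(f"{net}: overlaps non-public range {blocked}")
        if services is None:
            svc = frozenset()
        else:
            unknown = set(services) - set(SERVICE_PORTS)
            if unknown:
                raise ValueError(f"{net}: unknown service(s) {sorted(unknown)}")
            svc = frozenset(services)
        rules.append(AllowRule(net, svc))
    if len(rules) > limit:
        raise ValueError(f"{len(rules)} prefixes exceed the {overlay_type} "
                         f"overlay limit of {limit}")
    return rules


def is_allowed(rules: List[AllowRule], source_ip: str, dest_port: int) -> bool:
    """Evaluate a connection attempt against the allowed-list (default deny)."""
    ip = ipaddress.ip_address(source_ip)
    for rule in rules:
        if ip.version != rule.prefix.version or ip not in rule.prefix:
            continue
        if not rule.services:
            return True  # prefix is allowed for all traffic
        if dest_port in {SERVICE_PORTS[s] for s in rule.services}:
            return True
    return False


def tac_request_lines(overlay_name: str, manager_fqdn: str,
                      rules: List[AllowRule]) -> List[str]:
    """Render the details the page lists for a dedicated-overlay TAC case."""
    lines = [f"Overlay/VA name: {overlay_name}",
             f"Cisco SD-WAN Manager IP/FQDN: {manager_fqdn}"]
    for r in rules:
        scope = ("all traffic" if not r.services
                 else "selected traffic: " + ", ".join(sorted(r.services)))
        lines.append(f"IP address: {r.prefix} ({scope})")
    return lines


if __name__ == "__main__":
    # Constructed sample: one https-only prefix and one all-traffic prefix.
    sample = build_allowed_list("shared", [("203.0.113.0/24", ["https"]),
                                           ("198.51.100.0/25", None)])
    for line in tac_request_lines("example-overlay", "manager.example.invalid", sample):
        print(line)
    print("203.0.113.7 -> 443:", is_allowed(sample, "203.0.113.7", 443))
    print("203.0.113.7 -> 22: ", is_allowed(sample, "203.0.113.7", 22))
```

Running the script prints the request summary and shows that the https-only prefix can reach port 443 but not port 22, while anything outside the listed prefixes is denied. Because the validator raises on 0.0.0.0/0, on private ranges, and on lists longer than the overlay's limit, it catches the most common reasons a request would be rejected before it is submitted.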
Only the Smart Account administrator can access the Cisco Catalyst SD-WAN Portal, which is used to view and perform operational tasks related to a customer's hosted-controller infrastructure, such as viewing the controllers' IP addresses and modifying the controllers' IP access lists. To remove Smart Account administrator privileges from users, go to the Manage Smart Account section in Cisco Software Central and remove the users as Smart Account administrators. Alternatively, use the IDP (identity provider) onboarding feature to grant trusted users access to the Cisco Catalyst SD-WAN Portal.