Skip to main content
McAfee MVISION Cloud

Associate VPC Endpoints with Pop Services

AWS VPC Endpoints can be associated with the PoP services in CWPP in several ways:

  • An interface VPC endpoint which is elastic network interface is created with a private IP address from the IP address range of the subnet. It serves as an entry point for traffic destined to VPC endpoint service. Interface endpoints are powered by AWS PrivateLink. 

  • DNS hosted zone is associated to interface endpoint after its creation. This hosted zone contains the record set for endpoint-specific DNS hostname (cwpp.mcafee). This enables to request the service with default DNS hostname or endpoint-specific DNS hostname.  

  • A network load balancer which is created in VPC as part of PoP deployment receives and routes requests from endpoints. This network load balancer needs to be specified in VPC endpoint service configuration to establish a connection between them. 

  • AWS PrivateLink service I.e., endpoint service that accepts TCP traffic is created and is hosted behind a Network Load Balancer, and then the service is made available. 

  • Thus, the client services hosted in one VPC and availability zone (AZ1) can access the PoP services in other VPC and same (AZ1) or different availability zone (AZ2) through interface VPC endpoint which is powered by AWS privateLink service. This endpoint service is configured with load balancer which receives and routes the requests to PoP services. 

  • PoP services residing in the instances of private subnet are enabled to access the information from MVISION Cloud through NATGateway present in public subnet within the VPC. An Elastic IP address is associated with NAT gateway after creation.  

  • The NAT gateway sends the traffic to the internet gateway using the NAT gateway’s Elastic IP (intellectual property) address as the source IP address. Internet gateway allows communication between VPC and MVISION Cloud. 

  • Was this article helpful?