Skip to main content
McAfee MVISION Cloud

Establish connectivity between Secure VPC and Agent VPC via VPC endpoints

 The PoP Client Configuration package contains the Helper Scripts CloudFormation Template (CFT) that automatically configures the association with  Secure VPC and the Agents VPC.

The Helper Script is located at Infrastructure > Aws_HelperScriptEndpoint.json.  

To establish connectivity between the PoP and the VPC where the Agents are located:

  1. In MVISION Cloud, go to Settings > PoP Management
  2. Select the PoP where you want to install CWPP Agents. 
  3. In the Cloud Card, under Client Configuration Package, click Download to establish the connectivity between PoP and Agents. 
  4. Extract the ClientConfiguration.tar. Then under Infrastructure.tar locate the file Aws_HelperScriptEndpoint.json.
  5. Go to CloudFormation > Create Stack > With new resources (Standard) > Template is ready > Upload a template file and select the file Aws_HelperScriptEndpoint.json. 
  6. Enter the following parameters for the CloudFormation stack:  
    • PoPName. This is the same as provided in the prerequisite stack. 
    • PrivateSubnet. Enter the private subnet where the endpoint must be created. Overlapping subnet to be present for the PoP services VPC and endpoints VPC to create endpoints.  ??
    • VPC. Enter the VPC ID where endpoints must be created. This is the VPC that hosts the Workloads to be protected by CWPP. 
    • VPCCIDR. Enter the CIDR address assigned to VPC. 
  7. Wait for the CloudFormation stack to complete.

Once the deployment is completed, endpoints for CWPP services (connector and CICD) are created. A private DNS zone associated with the agent VPC is created with record sets of endpoints. The following resources are also created after the CloudFormation stack is completed:

  • CwppconnectorVPCEndpoint. An interface VPC Endpoint for PoP connector service. 
  • CwppcicdVPCEndpoint. An interface VPC Endpoint for PoP CICD service. 
  • DNS. A private hosted zone in the specified VPC. 
  • CwppcicdDNSRecord. A record set for the CICD endpoint, cwpp-cicd.cwpp.mcafee, and a record set for the connector endpoint, cwpp-connector.cwpp.mcafeed
  1. Accept the Endpoint Connections for the newly created Endpoints. Refer to AWS documentation for more information: https://docs.aws.amazon.com/vpc/late...-requests.html.
  • Was this article helpful?