Guides

Existing VPC Network Guide

This guide helps you to prepare your VPC and debug networking issues using the fulfillment option Existing VPC.

You can stop reading if you use the fulfillment option Dedicated public VPC or Dedicated private VPC.

Required outbound communication

To reach AWS APIs, allow outbound TCP/443. If you use bucketAV in a VPC with enableDnsSupport set to false, you also have to allow outbound TCP/53 and UDP/53 to reach DNS.

The following outbound requests are made (replace REGION with AWS Region, e.g., us-east-1; get the value from the top right in the AWS UI).

Endpoint	VPC Interface/Gateway service name	Description
`https://sns.REGION.amazonaws.com`	`com.amazonaws.REGION.sns`	SNS API to publish scan results to the Findings Topic.
`https://events.REGION.amazonaws.com`	`com.amazonaws.REGION.events`	EventBridge API to publish scan results (if ReportEventBridge configuration parameter is set to `true`).
`https://sqs.REGION.amazonaws.com`	`com.amazonaws.REGION.sqs`	SQS API to read from the Scan Queue.
`https://s3.REGION.amazonaws.com`	`com.amazonaws.REGION.s3`	S3 API to interact with files; also required for `cfn-init` and `cfn-signal` tools and Amazon Linux 2023 repository.
`https://s3.amazonaws.com`	`com.amazonaws.REGION.s3`	S3 API to interact with files; also required for `cfn-init` and `cfn-signal` tools and Amazon Linux 2023 repository.
`https://autoscaling.REGION.amazonaws.com`	`com.amazonaws.REGION.autoscaling`	EC2 Auto Scaling API to use ASG lifecycle hooks.
`https://monitoring.REGION.amazonaws.com`	`com.amazonaws.REGION.monitoring`	CloudWatch API to publish memory, disk, and swap metrics.
`https://logs.REGION.amazonaws.com`	`com.amazonaws.REGION.logs`	CloudWatch Logs API to publish logs.
`https://cloudformation.REGION.amazonaws.com`	`com.amazonaws.REGION.cloudformation`	CloudFormation API required for `cfn-init` and `cfn-signal` tools.
`https://ssm.REGION.amazonaws.com`	`com.amazonaws.REGION.ssm`	SSM API for Session Manager (if SystemsManagerAccess configuration parameter is set to `true`)
`https://ssmmessages.REGION.amazonaws.com`	`com.amazonaws.REGION.ssmmessages`	SSM API for Session Manager (if SystemsManagerAccess configuration parameter is set to `true`)
`https://ec2messages.REGION.amazonaws.com`	`com.amazonaws.REGION.ec2messages`	SSM API for Session Manager (if SystemsManagerAccess configuration parameter is set to `true`)
`https://dynamodb.REGION.amazonaws.com`	`com.amazonaws.REGION.dynamodb`	DynamoDB API to fetch account information (if AWSAccountRestriction or AWSOrganizationRestriction configuration parameter is configured).
`https://sts.REGION.amazonaws.com`	`com.amazonaws.REGION.sts`	STS API to assume IAM roles in other accounts (if AWSAccountRestriction or AWSOrganizationRestriction configuration parameter is configured).
`https://metering.marketplace.REGION.amazonaws.com`	not available, use HttpsProxy configuration parameter or NAT Gateway	AWS Marketplace Metering API to to report usage.
`https://REGION.savmirror.bucketav.com`	not available, use HttpsProxy configuration parameter or NAT Gateway	bucketAV API to fetch Sophos manifest for signtures and engine update.
`https://organizations.us-east-1.amazonaws.com`	`com.amazonaws.REGION.organizations`	Organizations API to access information about AWS organization (if LambdaSubnets and AWSAccountRestriction or AWSOrganizationRestriction configuration parameter is configured).
`https://states.REGION.amazonaws.com`	`com.amazonaws.REGION.states`	Step Functions API (if LambdaSubnets configuration parameter is configured).
`https://securityhub.REGION.amazonaws.com`	`com.amazonaws.REGION.securityhub`	Security Hub API (if SecurityHubIntegration is set to `true` and LambdaSubnets configuration parameter is configured).

Endpoint	VPC Interface/Gateway service name	Description
`https://sns.REGION.amazonaws.com`	`com.amazonaws.REGION.sns`	SNS API to publish scan results to the Findings Topic.
`https://events.REGION.amazonaws.com`	`com.amazonaws.REGION.events`	EventBridge API to publish scan results (if ReportEventBridge configuration parameter is set to `true`).
`https://sqs.REGION.amazonaws.com`	`com.amazonaws.REGION.sqs`	SQS API to read from the Scan Queue.
`https://s3.REGION.amazonaws.com`	`com.amazonaws.REGION.s3`	S3 API to interact with files; also required for `cfn-init` and `cfn-signal` tools and Amazon Linux 2023 repository.
`https://s3.amazonaws.com`	`com.amazonaws.REGION.s3`	S3 API to interact with files; also required for `cfn-init` and `cfn-signal` tools and Amazon Linux 2023 repository.
`https://autoscaling.REGION.amazonaws.com`	`com.amazonaws.REGION.autoscaling`	EC2 Auto Scaling API to use ASG lifecycle hooks.
`https://monitoring.REGION.amazonaws.com`	`com.amazonaws.REGION.monitoring`	CloudWatch API to publish memory, disk, and swap metrics.
`https://logs.REGION.amazonaws.com`	`com.amazonaws.REGION.logs`	CloudWatch Logs API to publish logs.
`https://cloudformation.REGION.amazonaws.com`	`com.amazonaws.REGION.cloudformation`	CloudFormation API required for `cfn-init` and `cfn-signal` tools.
`https://ssm.REGION.amazonaws.com`	`com.amazonaws.REGION.ssm`	SSM API for Session Manager (if SystemsManagerAccess configuration parameter is set to `true`)
`https://ssmmessages.REGION.amazonaws.com`	`com.amazonaws.REGION.ssmmessages`	SSM API for Session Manager (if SystemsManagerAccess configuration parameter is set to `true`)
`https://ec2messages.REGION.amazonaws.com`	`com.amazonaws.REGION.ec2messages`	SSM API for Session Manager (if SystemsManagerAccess configuration parameter is set to `true`)
`https://dynamodb.REGION.amazonaws.com`	`com.amazonaws.REGION.dynamodb`	DynamoDB API to fetch account information (if AWSAccountRestriction or AWSOrganizationRestriction configuration parameter is configured).
`https://sts.REGION.amazonaws.com`	`com.amazonaws.REGION.sts`	STS API to assume IAM roles in other accounts (if AWSAccountRestriction or AWSOrganizationRestriction configuration parameter is configured).
`https://organizations.us-east-1.amazonaws.com`	`com.amazonaws.REGION.organizations`	Organizations API to access information about AWS organization (if LambdaSubnets and AWSAccountRestriction or AWSOrganizationRestriction configuration parameter is configured).
`https://states.REGION.amazonaws.com`	`com.amazonaws.REGION.states`	Step Functions API (if LambdaSubnets configuration parameter is configured).
`https://securityhub.REGION.amazonaws.com`	`com.amazonaws.REGION.securityhub`	Security Hub API (if SecurityHubIntegration is set to `true` and LambdaSubnets configuration parameter is configured).

Endpoint	VPC Interface/Gateway service name	Description
`https://sns.REGION.amazonaws.com`	`com.amazonaws.REGION.sns`	SNS API to publish scan results to the Findings Topic.
`https://events.REGION.amazonaws.com`	`com.amazonaws.REGION.events`	EventBridge API to publish scan results (if ReportEventBridge configuration parameter is set to `true`).
`https://sqs.REGION.amazonaws.com`	`com.amazonaws.REGION.sqs`	SQS API to read from the Scan Queue.
`https://s3.REGION.amazonaws.com`	`com.amazonaws.REGION.s3`	S3 API to interact with files; also required for `cfn-init` and `cfn-signal` tools and Amazon Linux 2023 repository.
`https://s3.amazonaws.com`	`com.amazonaws.REGION.s3`	S3 API to interact with files; also required for `cfn-init` and `cfn-signal` tools and Amazon Linux 2023 repository.
`https://autoscaling.REGION.amazonaws.com`	`com.amazonaws.REGION.autoscaling`	EC2 Auto Scaling API to use ASG lifecycle hooks.
`https://monitoring.REGION.amazonaws.com`	`com.amazonaws.REGION.monitoring`	CloudWatch API to publish memory, disk, and swap metrics.
`https://logs.REGION.amazonaws.com`	`com.amazonaws.REGION.logs`	CloudWatch Logs API to publish logs.
`https://cloudformation.REGION.amazonaws.com`	`com.amazonaws.REGION.cloudformation`	CloudFormation API required for `cfn-init` and `cfn-signal` tools.
`https://ssm.REGION.amazonaws.com`	`com.amazonaws.REGION.ssm`	SSM API for Session Manager (if SystemsManagerAccess configuration parameter is set to `true`)
`https://ssmmessages.REGION.amazonaws.com`	`com.amazonaws.REGION.ssmmessages`	SSM API for Session Manager (if SystemsManagerAccess configuration parameter is set to `true`)
`https://ec2messages.REGION.amazonaws.com`	`com.amazonaws.REGION.ec2messages`	SSM API for Session Manager (if SystemsManagerAccess configuration parameter is set to `true`)
`https://dynamodb.REGION.amazonaws.com`	`com.amazonaws.REGION.dynamodb`	DynamoDB API to fetch account information (if AWSAccountRestriction or AWSOrganizationRestriction configuration parameter is configured).
`https://sts.REGION.amazonaws.com`	`com.amazonaws.REGION.sts`	STS API to assume IAM roles in other accounts (if AWSAccountRestriction or AWSOrganizationRestriction configuration parameter is configured).
`https://secretsmanager.REGION.amazonaws.com`	`com.amazonaws.REGION.secretsmanager`	SecretsManager API to access Cloudflare API token and secret key.
`https://metering.marketplace.REGION.amazonaws.com`	not available, use HttpsProxy configuration parameter or NAT Gateway	AWS Marketplace Metering API to to report usage.
`https://REGION.savmirror.bucketav.com`	not available, use HttpsProxy configuration parameter or NAT Gateway	bucketAV API to fetch Sophos manifest for signtures and engine update.
`https://CLOUDFLARE_ACCOUNT_ID.r2.cloudflarestorage.com`	not available, use HttpsProxy configuration parameter or NAT Gateway	Cloudflare API to access R2 buckets.
`https://api.cloudflare.com`	not available, use HttpsProxy configuration parameter or NAT Gateway	CloudFlare API to manage event notifications and queueus. (if LambdaSubnets configuration parameter is configured).

Endpoint	VPC Interface/Gateway service name	Description
`https://sns.REGION.amazonaws.com`	`com.amazonaws.REGION.sns`	SNS API to publish scan results to the Findings Topic.
`https://events.REGION.amazonaws.com`	`com.amazonaws.REGION.events`	EventBridge API to publish scan results (if ReportEventBridge configuration parameter is set to `true`).
`https://sqs.REGION.amazonaws.com`	`com.amazonaws.REGION.sqs`	SQS API to read from the Scan Queue.
`https://s3.REGION.amazonaws.com`	`com.amazonaws.REGION.s3`	S3 API to interact with files; also required for `cfn-init` and `cfn-signal` tools and Amazon Linux 2023 repository.
`https://s3.amazonaws.com`	`com.amazonaws.REGION.s3`	S3 API to interact with files; also required for `cfn-init` and `cfn-signal` tools and Amazon Linux 2023 repository.
`https://autoscaling.REGION.amazonaws.com`	`com.amazonaws.REGION.autoscaling`	EC2 Auto Scaling API to use ASG lifecycle hooks.
`https://monitoring.REGION.amazonaws.com`	`com.amazonaws.REGION.monitoring`	CloudWatch API to publish memory, disk, and swap metrics.
`https://logs.REGION.amazonaws.com`	`com.amazonaws.REGION.logs`	CloudWatch Logs API to publish logs.
`https://cloudformation.REGION.amazonaws.com`	`com.amazonaws.REGION.cloudformation`	CloudFormation API required for `cfn-init` and `cfn-signal` tools.
`https://ssm.REGION.amazonaws.com`	`com.amazonaws.REGION.ssm`	SSM API for Session Manager (if SystemsManagerAccess configuration parameter is set to `true`)
`https://ssmmessages.REGION.amazonaws.com`	`com.amazonaws.REGION.ssmmessages`	SSM API for Session Manager (if SystemsManagerAccess configuration parameter is set to `true`)
`https://ec2messages.REGION.amazonaws.com`	`com.amazonaws.REGION.ec2messages`	SSM API for Session Manager (if SystemsManagerAccess configuration parameter is set to `true`)
`https://dynamodb.REGION.amazonaws.com`	`com.amazonaws.REGION.dynamodb`	DynamoDB API to fetch account information (if AWSAccountRestriction or AWSOrganizationRestriction configuration parameter is configured).
`https://sts.REGION.amazonaws.com`	`com.amazonaws.REGION.sts`	STS API to assume IAM roles in other accounts (if AWSAccountRestriction or AWSOrganizationRestriction configuration parameter is configured).
`https://secretsmanager.REGION.amazonaws.com`	`com.amazonaws.REGION.secretsmanager`	SecretsManager API to access Cloudflare API token and secret key.
`https://CLOUDFLARE_ACCOUNT_ID.r2.cloudflarestorage.com`	not available, use HttpsProxy configuration parameter or NAT Gateway	Cloudflare API to access R2 buckets.
`https://api.cloudflare.com`	not available, use HttpsProxy configuration parameter or NAT Gateway	CloudFlare API to manage event notifications and queueus. (if LambdaSubnets configuration parameter is configured).

You can’t restrict the IP address range. The resolved IP addresses change frequently.

If you are using an endpoint policy to protect your S3 VPC gateway interface, you must allowlist the S3 buckets you want bucketAV to access and the bucketAV S3 bucket to download signature updates from (replace REGION with AWS Region, e.g., us-east-1; get the value from the top right in the AWS UI).

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::bucketav-clamav-mirror-REGION/*"
  }]
}

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::bucketav-sophos-mirror-REGION/*"
  }]
}

If you set the SophosLiveProtectionCloudLookups configuration parameter to true, DNS queries for *.sophosxl.net must be resolvable.

Debug network issues

If you follow the Setup Guide, we advise you to skip the CloudFormation Configure stack options step and tell you to “Scroll to the bottom of the page and click on Next”. To debug a networking issue, you must set the Stack failure options to Preserve successfully provisioned resources to avoid a stack rollback. After fixing the issues, please remove the CloudFormation stack and start from scratch.

Connect to one of the bucketAV EC2 instances (Session Manager is likely not working if the network configuration is not yet complete).

To avoid instance termination because of a scale-in, set the AutoScalingMinSize configuration parameter to 1.

Requires bucketAV for Amazon S3 powered by ClamAV® version >= 2.8.0, bucketAV for Amazon S3 powered by Sophos® version >= 2.0.0, bucketAV for Cloudflare R2 powered by ClamAV® version >= 2.0.0, or bucketAV for Cloudflare R2 powered by Sophos® version >= 2.0.0.
To update to the latest version, follow the Update Guide.

Run the test script:

sudo /home/ec2-user/networktest.sh

The script output should look like this.

[SUCCESS] Connected to SNS successfully.
[SUCCESS] Connected to SQS successfully.
[SUCCESS] Connected to S3 (Region) successfully.
[SUCCESS] Connected to S3 (HTTP) successfully.
[SUCCESS] Connected to S3 (Global) successfully.
[SUCCESS] Connected to EC2 Auto Scaling successfully.
[SUCCESS] Connected to CloudWatch Monitoring successfully.
[SUCCESS] Connected to CloudWatch Logs successfully.
[SUCCESS] Connected to CloudFormation successfully.
[SUCCESS] Connected to SSM successfully.
[SUCCESS] Connected to SSM Messages successfully.
[SUCCESS] Connected to EC2 Messages successfully.
[SUCCESS] Connected to DynamoDB successfully.
[SUCCESS] Connected to STS successfully.
[SUCCESS] Connected to SecretsManager successfully.
[SUCCESS] Connected to Marketplace Metering successfully.
[SUCCESS] Connected to ClamAV Mirror successfully.
[SUCCESS] Connected to Sophos mirror successfully.
[SUCCESS] Connected to Sophos mirror successfully.
[SUCCESS] Connected to Amazon Linux 2 Repository successfully.

Watch out for [FAILURE] messages.

Fixing networking issues

As network configurations differ, we cannot provide a solution but give you some hints.

Internet Gateway

Check the routing table attached to the subnet of a bucketAV instance. In case the route table contains an entry for 0.0.0.0/0 pointing to an Internet Gateway (igw-) you are deploying bucketAV into a public subnet.

In this case, you must ensure that bucketAV attaches a public IP address when launching an EC2 instance. Set the AssociatePublicIpAddress configuration parameter to true.

Also, ensure that all subnets used by bucketAV (see the Subnets configuration parameter) use a routing table with an entry pointing to the Internet Gateway.

NAT Gateway

If you deployed bucketAV into a subnet without an Internet Gateway, you might use a typical VPC configuration with private and public subnets. Again, check the routing table attached to the subnet of a bucketAV instance. In case the route table contains an entry for 0.0.0.0/0 pointing to a NAT Gateway (ngw-) you are deploying bucketAV into a private subnet with access to a NAT Gateway.

Verify that the Network Access Control List attached to the subnet used by bucketAV and the NAT Gateway allow outbound traffic on port 443 (HTTPS) as well as inbound traffic on high ports.
Verify that all subnets used by bucketAV (see the Subnets configuration parameter) use a routing table with an entry pointing to the NAT Gateway.

VPC Endpoint

If the subnets are neither connected with an Internet Gateway nor a NAT Gateway, we recommend configuring VPC Endpoints for the AWS services required by bucketAV as described above.

Need more help?

Write us, and we'll get back to you as soon as we can.

Send us an email