Manually Create the AWS Network Environment | CyberArk Docs https://docs.cyberark.com/pam-self-hosted/Latest/en/Content/PAS%2...

Manually Create the AWS Network

Environment
The following section describes the process for manually creating the architecture discussed in
the AWS Architecture for Privileged Access Manager - Self-Hosted Deployment section. This
environment can be created automatically according to the procedure described in
Automatically Create the CyberArk Network Environment.

Create a VPC for the PAM - Self-Hosted Vault

This section describes how to configure a Virtual Private Cloud (VPC) with a public subnet and
private subnets. The instances in the public subnet can send outbound traffic directly to the
Internet, whereas the Vault instances in the private subnets cannot. Instead, the Vault instances
can connect to the Internet to access the AWS KMS service using a private link, but the
Internet cannot establish connections to the Vault servers.

Create the VPC

1. Open the Amazon VPC console

2. From the navigation pane, select Your VPCs > Create VPC.

3. Enter a Name tag for the PAM - Self-Hosted VPC.

4. Enter an IPV4 CIDR block. For example, 10.0.0.0/16 allocates 65536 IP addresses for
your instances.

5. Select Yes, Create.

Create the Primary Vault subnet

1. From the navigation pane, select Subnets > Create Subnet.

2. Enter a Name tag for the private Subnet where the Primary Vault instance will reside,
select the PAM - Self-Hosted VPC and select an Availability Zone.

3. Enter an IPV4 CIDR block. For example, 10.0.1.0/24 allocates 256 IP addresses within
this Subnet.

4. Select Yes, Create.

Create the Vault DR subnet

1. From the navigation pane, select Subnets > Create Subnet.

1 de 18 12/03/2024, 11:17
Manually Create the AWS Network Environment | CyberArk Docs https://docs.cyberark.com/pam-self-hosted/Latest/en/Content/PAS%2...

2. Enter a Name tag for the private Subnet where the Vault DR instance will reside.

Note
Select the PAM - Self-Hosted VPC and select an Availability Zone. The
Availability Zone should be a different zone from the one from you selected for
the main Vault Subnet.

3. Enter an IPV4 CIDR block. For example, 10.0.2.0/24 allocates 256 IP addresses within
this Subnet.

4. Select Yes, Create.

Create the main CPM subnet

1. From the navigation pane, select Subnets > Create Subnet.

2. Enter a Name tag for the private Subnet where the main CPM instance will reside,
select the PAM - Self-Hosted VPC and select an Availability Zone.

3. Enter an IPV4 CIDR block. For example, 10.0.3.0/24 allocates 256 IP addresses within
this Subnet.

4. Select Yes, Create.

Create the CPM DR subnet

1. From the navigation pane, select Subnets > Create Subnet.

2. Enter a Name tag for the private Subnet where the CPM DR instance will reside.

Note
Select the PAM - Self-Hosted VPC and select an Availability Zone. The
Availability Zone should be a different zone from the one from you selected for
the main CPM Subnet.

3. Enter an IPV4 CIDR block. For example, 10.0.4.0/24 allocates 256 IP addresses within
this Subnet.

4. Select Yes, Create.

Create the main PVWA subnet

1. From the navigation pane, select Subnets > Create Subnet.

2. Enter a Name tag for the private Subnet where the main PVWA instance will reside,
select the PAM - Self-Hosted VPC and select an Availability Zone.

3. Enter an IPV4 CIDR block. For example, 10.0.5.0/24 allocates 256 IP addresses within

2 de 18 12/03/2024, 11:17
Manually Create the AWS Network Environment | CyberArk Docs https://docs.cyberark.com/pam-self-hosted/Latest/en/Content/PAS%2...

this Subnet.

4. Select Yes, Create.

Create the secondary PVWA subnet

1. From the navigation pane, select Subnets > Create Subnet.

2. Enter a Name tag for the private Subnet where the secondary PVWA instance will
reside.

Note
Select the PAM - Self-Hosted VPC and select an Availability Zone. The
Availability Zone should be a different zone from the one from you selected for
the main PVWA Subnet.

3. Enter an IPV4 CIDR block. For example, 10.0.6.0/24 allocates 256 IP addresses within
this Subnet.

4. Select Yes, Create.

Create the main PSM subnet

1. From the navigation pane, select Subnets > Create Subnet.

2. Enter a Name tag for the private Subnet where the main PSM instance will reside,
select the PAM - Self-Hosted VPC and select an Availability Zone.

3. Enter an IPV4 CIDR block. For example, 10.0.7.0/24 allocates 256 IP addresses within
this Subnet.

4. Select Yes, Create.

3 de 18 12/03/2024, 11:17
Manually Create the AWS Network Environment | CyberArk Docs https://docs.cyberark.com/pam-self-hosted/Latest/en/Content/PAS%2...

Create the secondary PSM subnet

1. From the navigation pane, select Subnets > Create Subnet.

2. Enter a Name tag for the private Subnet where the secondary PSM instance will reside.

Note
Select the PAM - Self-Hosted VPC and select an Availability Zone. The
Availability Zone should be a different zone from the one from you selected for
the main PSM Subnet.

3. Enter an IPV4 CIDR block. For example, 10.0.8.0/24 allocates 256 IP addresses within
this Subnet.

4. Select Yes, Create.

Create the main PSM for SSH subnet

1. From the navigation pane, select Subnets > Create Subnet.

2. Enter a Name tag for the private Subnet where the main PSM for SSH instance will
reside, select the PAM - Self-Hosted VPC and select an Availability Zone.

3. Enter an IPV4 CIDR block. For example, 10.0.9.0/24 allocates 256 IP addresses within
this Subnet.

4. Select Yes, Create.

Create the secondary PSM for SSH subnet

1. From the navigation pane, select Subnets > Create Subnet.

2. Enter a Name tag for the private Subnet where the secondary PSM for SSH instance
will reside.

Note
Select the PAM - Self-Hosted VPC and select an Availability Zone. The
Availability Zone should be a different zone from the one from you selected for
the main PSM for SSH Subnet.

3. Enter an IPV4 CIDR block. For example, 10.0.10.0/24 allocates 256 IP addresses
within this Subnet.

4. Select Yes, Create.

Create the main PTA subnet

1. From the navigation pane, select Subnets > Create Subnet.

4 de 18 12/03/2024, 11:17
Manually Create the AWS Network Environment | CyberArk Docs https://docs.cyberark.com/pam-self-hosted/Latest/en/Content/PAS%2...

2. Enter a Name tag for the private Subnet where the main PTA instance will reside, select
the PAM - Self-Hosted VPC and select an Availability Zone.

3. Enter an IPV4 CIDR block. For example, 10.0.11.0/24 allocates 256 IP addresses
within this Subnet.

4. Select Yes, Create.

Create the PTA DR subnet

1. From the navigation pane, select Subnets > Create Subnet.

2. Enter a Name tag for the private Subnet where the PTA DR instance will reside.

Note
Select the PAM - Self-Hosted VPC and select an Availability Zone. The
Availability Zone should be a different zone from the one from you selected for
the main PTA Subnet.

3. Enter an IPV4 CIDR block. For example, 10.0.12.0/24 allocates 256 IP addresses
within this Subnet.

4. Select Yes, Create.

Create and configure the Private Link

For the PAM - Self-Hosted VPC , create the following private links to allow access to AWS
services:

Create the Security Group for private link

1. Open the Amazon VPC console.
2. From the navigation pane, select Security Groups > Create Security Group.
3. Specify PrivateLinkPASSG as the name of the security group, and enter a description.
For VPC, select the ID of the PAM - Self-Hosted VPC.
4. Click Yes, Create.
5. Select the PrivateLinkPASSG security group that you created. The details pane displays
the details for the security group, and the tabs for editing the inbound and outbound
rules.

6. On the Inbound Rules tab, select Edit to add rules for inbound traffic:

Protocol/
Rule Description IP Address Mandatory Remarks
Port

5 de 18 12/03/2024, 11:17
Manually Create the AWS Network Environment | CyberArk Docs https://docs.cyberark.com/pam-self-hosted/Latest/en/Content/PAS%2...

Protocol/
Rule Description IP Address Mandatory Remarks
Port

Security group for PAM - Self-Hosted TCP/443 0.0.0.0/0 Yes Allow SSL to and
VPC to access AWS resources by from the internet
VPC Endpoint

1. GW Private Link to access the S3 bucket AWS service.

For instructions, see the Creating a Gateway Endpoint section in Gateway VPC Endpoints.

2. Interface Private Link to access the KMS, SSM, CloudWatch, and CloudFormation AWS
services.

For instructions, see the To create an interface endpoint to an AWS service using the
console section in Interface VPC Endpoints (AWS PrivateLink).

Note
Enable Private DNS Name.
Select PrivateLinkPASSG as the security group

Create a new private route table for the PAM - Self-Hosted VPC
1. Select Create Route Table.

2. Optionally, in the Create Route Table dialog box, name your Route Table. Select the
PAM - Self-Hosted VPC .

3. Select Yes, Create.

4. Select the Route Table that you just created.

5. On the Routes tab, select Edit and add the following route:

Destination Target

Select your Regional S3 Bucket

Select your VPC Endpoint

6. Select Save.

7. On the Subnet Associations tab, select Edit and select the PAM - Self-Hosted VPC
subnets.

8. Click Save.

Create the Security Group for the Vault instances

1. Open the Amazon VPC console.

6 de 18 12/03/2024, 11:17
Manually Create the AWS Network Environment | CyberArk Docs https://docs.cyberark.com/pam-self-hosted/Latest/en/Content/PAS%2...

2. From the navigation pane, select Security Groups > Create Security Group.

3. Specify Vault-SG as the name of the security group, and enter a description. For VPC,
select the ID of the PAM - Self-Hosted VPC.

4. Click Yes, Create.

5. Select the Vault-SG security group that you created. The details pane displays the
details for the security group, and the tabs for editing the inbound and outbound rules.

6. On the Inbound Rules tab, select Edit to add rules for inbound traffic:

Rule Protocol/
IP address Mandatory Remarks
description Port

Vault TCP/1858 ■ Vault Yes Allows communication

Protocol subnets between Vaults

Vault TCP/1858 ■ Component Yes Allows communication from

Protocol subnets CyberArk components to the
Vault
■ Admin
subnets
■ Web
subnets

ICMPv4 ICMPv4 ■ Vault Yes Allows the DR components to

subnets monitor the Primary Vault

Remote TCP/3389 ■ Vault Yes Allows the Vault administrator

Desktop UDP/3389 Management to connect to the Vault with
RDP through the Vault
Instance management instance

■ Admin
subnets

Remote TCP/9022 Remote Control No Must be opened if the

Control Agent Client IP Remote Control Agent is
configured on the Vault

7. Click Save

8. On the Outbound Rules tab, select Edit to add rules for outbound traffic:

Rule Protocol/
IP address Mandatory Remarks
description Port

Vault Protocol TCP/1858 ■ Vault Yes Allows communication between

subnets Vaults

7 de 18 12/03/2024, 11:17
Manually Create the AWS Network Environment | CyberArk Docs https://docs.cyberark.com/pam-self-hosted/Latest/en/Content/PAS%2...

Rule Protocol/
IP address Mandatory Remarks
description Port

ICMPv4 ICMPv4 ■ Vault Yes Allows the DR components to

subnets monitor the Primary Vault

HTTPS HTTPS/443 0.0.0.0/0 Yes Allows communication from

outbound CyberArk instances to AWS
services

Syslog TCP/514 Syslog Server No Must only be opened if Syslog is

outbound IP integrated with the Vault (in TCP
(TCP) mode)

Syslog UDP/514 Syslog Server No Must only be opened if Syslog is

outbound IP integrated with the Vault (in UDP
(UDP) mode)

To send syslog messages to

PTA, allow communication to the
PTA security group

LDAPS TCP/636 LDAP Server IP No Must be opened if the Vault is

outbound integrated with an LDAP server
(port=636)

RADIUS TCP/1812 RADIUS Server No Must be opened if the Vault is

outbound IP integrated with a RADIUS server

SMTP TCP/25 SMTP server IP No Must be opened if the ENE

outbound service is configured to send
mails from the Vault

SMTP UDP/162 SNMP server No Must be opened if the Remote

outbound IP Control Agent is configured to
send SNMP traps from the Vault

9. Select Save.

Create Security Groups for the components instances

1. Open the Amazon VPC console .

2. From the navigation pane, select Security Groups > Create Security Group.

3. Specify the name of the security group, and enter a description. For VPC, select the ID
of the PAM - Self-Hosted VPC.

4. Select Yes, Create.

5. Select the security group that you created. The details pane displays the details for the

8 de 18 12/03/2024, 11:17
Manually Create the AWS Network Environment | CyberArk Docs https://docs.cyberark.com/pam-self-hosted/Latest/en/Content/PAS%2...

security group, and tabs for editing the inbound and outbound rules.

6. On the Inbound Rules tab, select Edit to add rules for inbound traffic:

PVWA Security Group

Role Protocol/Port Source Mandatory Remarks

Security Group Name: PVWA-SG

Web interface TCP/443 PVWA Yes Access to PAM - Self-Hosted users

PSM Security Group

Protocol/
Role Source Mandatory Remarks
Port

Security Group Name: PSM-SG

Incoming TCP/3389 All client Yes RDP session from

connections machines client machines

PSM for SSH Security Group

Protocol/
Role Source Mandatory Remarks
Port

Security Group Name: PSMP-SG

Incoming TCP/SSH All client Yes SSH session from

connections machines client machines

PTA Security Group

Port
Type Protocol Destination Description
range

Security Group Name: PTA-SG

HTTP TCP Admin

80 Allow incoming HTTP
CIDR communication for the PTA web
PVWA
This is redirected to HTTPS by
security
the Tomcat Web Server
group

Custom TCP Admin

8080 Allow incoming HTTP
TCP rule CIDR communication for the PTA web

9 de 18 12/03/2024, 11:17
Manually Create the AWS Network Environment | CyberArk Docs https://docs.cyberark.com/pam-self-hosted/Latest/en/Content/PAS%2...

Port
Type Protocol Destination Description
range

PVWA
This is redirected to HTTPS by
security
the Tomcat Web Server
group

SSH TCP Admin

22 Allow remote access to the
CIDR machine (SSH), for both secure
PTA telnet and SFTP
security
group

Custom TCP Admin

8443 Allow incoming HTTPS
TCP rule CIDR communication for the PTA web
PVWA and REST APIs using TLS1.2
security with strong ciphers
group

Custom UDP
67-68 0.0.0.0/0 Allow incoming data from the
UDP rule
DHCP server

Custom TCP
27017 PTA security Allow incoming replication to the
TCP rule
group Secondary PTA Server from the
Primary PTA Server in a
disaster recovery environment

Custom TCP
7514 0.0.0.0/0 Allow incoming secure syslog
TCP rule
messages for the PTA Windows
Agent connection

HTTPS TCP Admin

4443 Allow incoming HTTPS
CIDR communication for the PTA web
PVWA and REST APIs using TLS1.2
security with strong ciphers
group

Custom TCP
6514 0.0.0.0/0 Allow incoming secure syslog
TCP rule
messages for the PTA Windows
Agent connection

Custom TCP Allow incoming syslog

514 Vault security
TCP rule messages
group

10 de 18 12/03/2024, 11:17
Manually Create the AWS Network Environment | CyberArk Docs https://docs.cyberark.com/pam-self-hosted/Latest/en/Content/PAS%2...

Port
Type Protocol Destination Description
range

Custom UDP Allow incoming syslog

514 Vault security
UDP rule messages
group

Custom TCP 0.0.0.0/0 Allow incoming syslog

11514
TCP rule messages

Custom UDP 0.0.0.0/0 Allow incoming syslog

11514
UDP rule messages

7. Click Save

8. On the Outbound Rules tab, select Edit to add rules for outbound traffic:

Note
It is mandatory to set all the following rules

CPM Security Group

Role Protocol/Port Destination Remarks

Security Group Name: CPM-SG

Vault TCP/1858 Vault

communication

Managed Allow list of the All managed Manage passwords on

targets minimum required targets target devices
set of protocols

HTTPS HTTPS/443 0.0.0.0/0 Allows communication from

outbound CyberArk instances to
AWS services

PVWA Security Group

Protocol/
Role Destination Remarks
Port

Security Group Name: PVWA-SG

11 de 18 12/03/2024, 11:17
Manually Create the AWS Network Environment | CyberArk Docs https://docs.cyberark.com/pam-self-hosted/Latest/en/Content/PAS%2...

Protocol/
Role Destination Remarks
Port

Vault TCP/1858 Vault

communication

HTTPS HTTPS/ 0.0.0.0/0 Allows communication from

outbound 443 CyberArk instances to AWS
services

To communicate with PTA using

REST, allow communication to the
PTA security group

HTTPS HTTPS/ PTA security To communicate with PTA using

outbound 8443 group REST, allow communication to the
PTA security group

PSM Security Group

Role Protocol/Port Destination Remarks

Security Group Name: PSM-SG

Vault TCP/1858 Vault

communication

Managed Allow list of the All managed Enable connections to

targets minimum required targets target devices
set of protocols

HTTPS HTTPS/443 0.0.0.0/0 Allows communication from

outbound CyberArk instances to
AWS services

PSM for SSH Security Group

Protocol/
Role Destination Remarks
Port

Security Group Name: PSMP-SG

12 de 18 12/03/2024, 11:17
Manually Create the AWS Network Environment | CyberArk Docs https://docs.cyberark.com/pam-self-hosted/Latest/en/Content/PAS%2...

Protocol/
Role Destination Remarks
Port

Vault TCP/1858 Vault

communication

Managed targets SSH/22 All managed Enable connections to target

targets devices

HTTPS HTTPS/ 0.0.0.0/0 Allows communication from

outbound 443 CyberArk instances to AWS
services

PTA Security Group

Port
Type Protocol Destination Description
range

Security Group Name: PTA-SG

HTTPS TCP
80 PVWA Allow an outgoing HTTP
security connection to CyberArk
group PVWA for a specific IP
address

DNS UDP
53 0.0.0.0/0 Allow outgoing DNS requests

LDAP TCP
389 0.0.0.0/0 LDAP for specific IP address

Custom UDP 123 0.0.0.0/0 Allow outgoing NTP requests

UDP rule

HTTPS TCP
443 0.0.0.0/0 Allow an outgoing HTTPS
connection to CyberArk
PVWA for a specific IP
address

Custom TCP Allow sending syslog

514 0.0.0.0/0
TCP rule messages through port 514

Custom TCP LDAP for specific IP address

3268-3269 0.0.0.0/0
TCP rule

13 de 18 12/03/2024, 11:17
Manually Create the AWS Network Environment | CyberArk Docs https://docs.cyberark.com/pam-self-hosted/Latest/en/Content/PAS%2...

Port
Type Protocol Destination Description
range

Custom UDP Allow sending syslog

514 0.0.0.0/0
UDP rule messages in port 514

Custom UDP Allow outgoing connection to

1858 Vault CIDR
UDP rule the CyberArk Vault for a
specific IP address

SSH TCP Allow outgoing

22 0.0.0.0/0
connection to the PTA
Network Sensor for a
specific IP address
Enable outgoing SSH
connection in a disaster
recovery environment

SMTP TCP Allow sending SMTP (email)

25
messages for a specific IP
address

Custom TCP Allow outgoing connection to

1858 Vault CIDR
TCP rule the CyberArk Vault for a
specific IP address

Custom TCP PTA security Allow outgoing replication to

27017
TCP rule group the Secondary PTA Server
from the Primary PTA Server
in a disaster recovery
environment

Custom TCP 0.0.0.0/0 LDAP for a specific IP

636
TCP rule address

Custom TCP
587 0.0.0.0/0 Allow sending SMTP (email)
TCP rule
messages for a specific IP
address

9. Select Save.

Configure peering between the VPCs

To connect between the Vault instances and the Components, we configure peering between
these VPCs. A VPC peering connection is a networking connection between two VPCs that
enables you to route traffic between them using private IPv4 addresses or IPv6 addresses.
Instances in either VPC can communicate with each other as if they are within the same

14 de 18 12/03/2024, 11:17
Manually Create the AWS Network Environment | CyberArk Docs https://docs.cyberark.com/pam-self-hosted/Latest/en/Content/PAS%2...

network.

Create a VPC peering connection in your account:

1. Open the Amazon VPC console .

2. From the navigation pane, select Peering Connections > Create VPC Peering
Connection.

3. In the Peering Connections dialog box, configure the following

Name tag: Optionally, you can name your VPC peering connection. Doing so
creates a tag with a key of Name and a value that you specify.

Local VPC to peer: Select the Components VPC in your account you want to
create the VPC peering connection.

Select a VPC to peer with: Ensure My account is selected. Select the Vault VPC
from VPC. Only VPCs in the current region are displayed.

4. Select Create VPC Peering Connection.

Note
Ensure that your VPCs do not have overlapping IPv4 CIDR blocks. If they do,
the status of the VPC peering connection is set to failed

5. In the confirmation dialog box, select OK.

6. Select the VPC peering connection that you created. Select Actions > Accept
Request.

7. In the confirmation dialog, Select Yes, Accept.

8. In the second confirmation dialog, select Modify my route tables now to directly go to
the route tables page, or select Close to do this later.

Update the routing tables for a VPC peering connection

To send traffic from your instance to an instance in a peer VPC using private IPv4 addresses,
add a route to the route table associated with the subnet in which the instance resides. This
route points to the CIDR block, or portion of the CIDR block, of the other VPC in the VPC
peering connection.

In this configuration, you should edit the Routing Tables of both the Vault private Subnets and
the Components private Subnets.

Update routing tables

1. In the navigation pane, choose Route Tables.

15 de 18 12/03/2024, 11:17
Manually Create the AWS Network Environment | CyberArk Docs https://docs.cyberark.com/pam-self-hosted/Latest/en/Content/PAS%2...

2. Select the route table associated with the private Components Subnets.

Note
If you do not have a route table associated with that subnet, select the main route
table for the VPC, as the subnet then uses it by default.

3. Select Routes > Edit > Add Route.

4. For Destination, enter the IPv4 address range to direct network traffic in the VPC
peering connection. You can specify the entire IPv4 CIDR block of the Vault VPC, a
specific range, or an individual IPv4 address, such as the IP addresses of the Vault
instances with which to communicate. For example, if the CIDR block of the Vault VPC
is 10.0.0.0/16, you can specify a portion 10.0.0.0/28, or a specific IP address
10.0.0.7/32.

5. Select the VPC peering connection from Target. Click Save.

6. Select the route table associated with the private Vault Subnets.

7. Select Routes > Edit > Add Route.

8. For Destination, enter the IPv4 address range to direct network traffic in the VPC
peering connection. You can specify the entire IPv4 CIDR block of the Components
VPC, a specific range, or an individual IPv4 address, such as the IP addresses of the
Components instances with which to communicate. For example, if the CIDR block of
the Components VPC is 10.10.0.0/16, you can specify a portion 10.10.0.0/28, or a
specific IP address 10.10.0.50/32.

9. Select the VPC peering connection from Target. Click Save.

Create a Transit Gateway

Perform this section if you are using one of the following architectures.

Shared VPN (Transit) VPC

Direct VPN between components and resources

1. Create a Transit Gateway, using the following command:

aws ec2 create-transit-gateway --region <Region>

The following table explains the parameters that must be replaced:

Parameter Description

16 de 18 12/03/2024, 11:17
Manually Create the AWS Network Environment | CyberArk Docs https://docs.cyberark.com/pam-self-hosted/Latest/en/Content/PAS%2...

Parameter Description

Region The Region where the Transit Gateway resides

2. Create a Transit Gateway VPC attachment to attach the Transit VPC and its Subnet(s) to
the Transit Gateway:

aws ec2 create-transit-gateway-vpc-attachment --transit-gateway-id

<TransitGwID> --vpc-id <TransitVPCID> --subnet-id / --subnet-ids
<TransitSubnetID>

The following table explains the parameters that must be replaced:

Parameter Description

TransitGwID The Transit Gateway ID (output from the first command)

TransitVPCID The Transit VPC ID to attach to the Transit Gateway

TransitSubnetID The Transit Subnet ID(s) to attach to the Transit Gateway

3. Create a Transit Gateway VPC attachment to attach the Component VPC and its Subnet(s)
to the Transit Gateway:

aws ec2 create-transit-gateway-vpc-attachment --transit-gateway-id

<TransitGwID> --vpc-id <ComponentsVPCID> --subnet-id / --subnet-ids
<ComponentsSubnetID1 ComponentsSubnetID2>

The following table explains the parameters that must be replaced

Parameter Description

TransitGwID The Transit Gateway ID (output from the first command)

ComponentsVPCID The Component VPC ID to attach to the Transit Gateway

ComponentsSubnetID The Component Subnet ID(s) to attach to the Transit Gateway,

separated by spaces

4. Add a new route for each of the following Route Tables, using the command below.

Components Private Route Table

Transit VPC Route Table

17 de 18 12/03/2024, 11:17
Manually Create the AWS Network Environment | CyberArk Docs https://docs.cyberark.com/pam-self-hosted/Latest/en/Content/PAS%2...

aws ec2 create-route --route-table-id <RouteTableID> --destination-

cidr-block <VPCCidrBlock> --transit-gateway-id <TransitGWID>

For example, using the following examples of IDs and blocks, you would run the two
commands below.

Components Private Route Table ID - rtb-d80a75b0

Transit VPC Route Table ID - rtb-0306796b
Components VPC Cidr Block – 10.10.0.0/16
Transit VPC Cidr Block – 30.30.0.0/16
Transit Gateway ID – tgw-1a2b3c4dVPC

aws ec2 create-route --route-table-id rtb-d80a75b0 --destination-

cidr-block 30.30.0.0/16 --transit-gateway-id tgw-1a2b3c4d
aws ec2 create-route --route-table-id rtb-0306796b --destination-
cidr-block 10.10.0.0/16 --transit-gateway-id tgw-1a2b3c4d

18 de 18 12/03/2024, 11:17