Virus and Malware Scan API (Self-hosted on AWS): Existing VPC Network Guide
This guide helps you prepare your VPC and debug networking issues when using the Existing VPC fulfillment option.
You can stop reading if you use the fulfillment option Dedicated Public VPC.
Required outbound communication
To reach AWS APIs, allow outbound TCP/443. If you use bucketAV in a VPC with enableDnsSupport set to false, you also have to allow outbound TCP/53 and UDP/53 to reach DNS.
The following outbound requests are made (replace REGION with your AWS Region, e.g., us-east-1; get the value from the top right in the AWS UI).
Endpoint | VPC Interface/Gateway service name | Description |
---|---|---|
https://s3.REGION.amazonaws.com | com.amazonaws.REGION.s3 | S3 API to interact with files; also required for the cfn-init and cfn-signal tools and the Amazon Linux 2023 repository. |
https://s3.amazonaws.com | com.amazonaws.REGION.s3 | S3 API to interact with files; also required for the cfn-init and cfn-signal tools and the Amazon Linux 2023 repository. |
https://autoscaling.REGION.amazonaws.com | com.amazonaws.REGION.autoscaling | EC2 Auto Scaling API to use ASG lifecycle hooks. |
https://monitoring.REGION.amazonaws.com | com.amazonaws.REGION.monitoring | CloudWatch API to publish memory, disk, and swap metrics. |
https://logs.REGION.amazonaws.com | com.amazonaws.REGION.logs | CloudWatch Logs API to publish logs. |
https://cloudformation.REGION.amazonaws.com | com.amazonaws.REGION.cloudformation | CloudFormation API required for the cfn-init and cfn-signal tools. |
https://ssm.REGION.amazonaws.com | com.amazonaws.REGION.ssm | SSM API for Session Manager (only if the SystemsManagerAccess configuration parameter is set to true). |
https://ssmmessages.REGION.amazonaws.com | com.amazonaws.REGION.ssmmessages | SSM API for Session Manager (only if the SystemsManagerAccess configuration parameter is set to true). |
https://ec2messages.REGION.amazonaws.com | com.amazonaws.REGION.ec2messages | SSM API for Session Manager (only if the SystemsManagerAccess configuration parameter is set to true). |
https://metering.marketplace.REGION.amazonaws.com | not available; use the HttpsProxy configuration parameter or a NAT Gateway | AWS Marketplace Metering API to report usage. |
https://REGION.savmirror.bucketav.com | not available; use the HttpsProxy configuration parameter or a NAT Gateway | attachmentAV API to fetch the Sophos manifest for signature and engine updates. |
You can't restrict outbound traffic by IP address range: the IP addresses these endpoints resolve to change frequently.
If you are using an endpoint policy to protect your S3 VPC gateway endpoint, you must allowlist both the S3 buckets you want bucketAV to access and the bucketAV S3 bucket from which signature updates are downloaded (replace REGION with your AWS Region, e.g., us-east-1; get the value from the top right in the AWS UI).

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::bucketav-sophos-mirror-REGION/*"
  }]
}
```
If you set the SophosLiveProtectionCloudLookups configuration parameter to true, DNS queries for *.sophosxl.net must be resolvable.
Fixing networking issues
As network configurations differ, we cannot provide a single solution, but the following hints cover the most common setups.
Internet Gateway
Check the routing table attached to the subnet of an attachmentAV instance. If the route table contains an entry for 0.0.0.0/0 pointing to an Internet Gateway (igw-), you are deploying attachmentAV into a public subnet.
In this case, you must ensure that attachmentAV attaches a public IP address when launching an EC2 instance: set the AssociatePublicIpAddress configuration parameter to true.
Also, ensure that all subnets used by attachmentAV (see the Subnets configuration parameter) use a routing table with an entry pointing to the Internet Gateway.
NAT Gateway
If you deployed attachmentAV into a subnet without an Internet Gateway, you might use a typical VPC configuration with private and public subnets. Again, check the routing table attached to the subnet of an attachmentAV instance. If the route table contains an entry for 0.0.0.0/0 pointing to a NAT Gateway (ngw-), you are deploying attachmentAV into a private subnet with access to a NAT Gateway.
- Verify that the Network Access Control Lists attached to the subnets used by attachmentAV and by the NAT Gateway allow outbound traffic on port 443 (HTTPS) as well as inbound traffic on high ports (the ephemeral ports used for return traffic).
- Verify that all subnets used by attachmentAV (see the Subnets configuration parameter) use a routing table with an entry pointing to the NAT Gateway.
VPC Endpoint
If the subnets are connected to neither an Internet Gateway nor a NAT Gateway, we recommend configuring VPC Endpoints for the AWS services required by attachmentAV, as listed in the table above. Two of the listed endpoints (the AWS Marketplace Metering API and REGION.savmirror.bucketav.com) have no VPC endpoint service; for those, set the HttpsProxy configuration parameter or provide a NAT Gateway.
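The checks above can be run mechanically against the JSON that `aws ec2 describe-route-tables` and `aws ec2 describe-vpc-endpoints` return. The following script is an added example, not part of this guide or of the bucketAV/attachmentAV software: it classifies a subnet's default route into the three cases described above (Internet Gateway, NAT Gateway, neither) and, for the endpoint-only case, lists which of the services from the table have no VPC endpoint yet. The sample route table and endpoint list are constructed; the finding texts and the `dns_support`/`systems_manager_access` switches are this example's own naming.

```python
"""Triage bucketAV/attachmentAV outbound connectivity from describe-* output (added example)."""

# Interface endpoint services from the table above (s3 is a gateway endpoint and handled separately).
REQUIRED_INTERFACE = ["autoscaling", "monitoring", "logs", "cloudformation"]
SSM_INTERFACE = ["ssm", "ssmmessages", "ec2messages"]  # only when SystemsManagerAccess=true


def classify_default_route(route_table):
    """Return 'igw', 'nat' or 'none' from the 0.0.0.0/0 route of one describe-route-tables entry."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
        if route.get("NatGatewayId"):  # NAT routes carry NatGatewayId instead of GatewayId
            return "nat"
    return "none"


def missing_endpoints(region, vpc_endpoints, systems_manager_access=False):
    """Services from the table that have no available VPC endpoint in this VPC (in table order)."""
    wanted = ["s3"] + REQUIRED_INTERFACE + (SSM_INTERFACE if systems_manager_access else [])
    present = {e["ServiceName"] for e in vpc_endpoints if e.get("State") == "available"}
    return [s for s in wanted if f"com.amazonaws.{region}.{s}" not in present]


def check_subnet(region, route_table, vpc_endpoints, dns_support=True, systems_manager_access=False):
    """Combine the routing case with the endpoint inventory and the DNS caveat into findings."""
    findings = []
    kind = classify_default_route(route_table)
    if kind == "igw":
        findings.append("public subnet: set AssociatePublicIpAddress=true")
    elif kind == "nat":
        findings.append("private subnet via NAT: NACL must allow outbound 443 and inbound high ports")
    else:
        for s in missing_endpoints(region, vpc_endpoints, systems_manager_access):
            findings.append(f"missing VPC endpoint com.amazonaws.{region}.{s}")
        findings.append("no endpoint service for metering.marketplace/savmirror: set HttpsProxy or add NAT")
    if not dns_support:  # enableDnsSupport=false means the instance needs outbound DNS
        findings.append("enableDnsSupport=false: allow outbound TCP/53 and UDP/53")
    return findings


# Constructed sample data in the shape of the describe-route-tables / describe-vpc-endpoints output.
SAMPLE_ROUTE_TABLE = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]}
SAMPLE_ENDPOINTS = [
    {"ServiceName": "com.amazonaws.us-east-1.s3", "State": "available"},
    {"ServiceName": "com.amazonaws.us-east-1.logs", "State": "available"},
]

if __name__ == "__main__":
    for finding in check_subnet("us-east-1", SAMPLE_ROUTE_TABLE, SAMPLE_ENDPOINTS, dns_support=False):
        print(finding)
```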