Qualys Virtual Scanner Appliance deployed on Amazon EC2-Classic must be able to reach the Qualys Cloud Platform over HTTPS on port 443 for management in order to operate. Scanner Appliance: Management Communications provides more detail on this requirement. A working network configuration may involve NICs, IP addressing, DNS, routing, firewall rules, and possibly proxy configuration and authentication/authorization settings.
Synopsis: Because of the very open outbound communications, a Qualys Virtual Scanner Appliance deployed on EC2-Classic is expected to be able to communicate with the Qualys Cloud Platform by default, with no need for any special network considerations or configurations.
EC2-Classic Network Configuration
An instance deployed on EC2-Classic may only have a single NIC interface, which will be attached to the virtual scanner by default.
Every EC2-Classic instance interface is assigned a private IP address by AWS DHCP services from a 10.x.x.x network shared among all EC2-Classic tenants within that EC2 Region (e.g., US East). Therefore, default settings should provide the virtual scanner with a valid private IP address.
Every EC2-Classic instance is dynamically assigned a public IP address by AWS from public IP space owned by AWS. This public IP address is associated with each instance via a one-to-one NAT association. Therefore, default settings should provide the virtual scanner appliance with a valid public IP address which will allow it to communicate with the Qualys Cloud Platform.
The customer may electively choose to associate an Elastic IP (an AWS public IP reserved for a given AWS customer's use) with the virtual scanner appliance as a replacement for the dynamically-assigned public IP address. However, this is not necessary to facilitate successful communications between the scanner and the Qualys Cloud Platform.
AWS DHCP services will provide the virtual scanner with Amazon-provided DNS servers. AWS DNS servers have shown themselves to be able to resolve Qualys Private Cloud platform services URLs. No special settings should be necessary to allow the virtual scanner appliance to communicate with the Platform.
AWS does not provide any native means to configure network routing for EC2-Classic. Default settings should be expected to allow virtual scanner appliances to successfully route to the internet and to the Qualys Cloud Platform.
ACLs and Firewall Rules
EC2-Classic does not provide any native means to filter outbound network access via ACLs or Security Groups. EC2 Security Groups are only available for filtering Inbound traffic. Thus, the virtual scanner appliance should be able to communicate outbound with the Platform, regardless of the EC2 Security Groups it is a member of.
No specific proxy server solution is native to EC2-Classic. However, if the customer has a proxy server available, then a Qualys virtual scanner can be configured to use it.
For proxy support guidelines see Scanner Appliance FAQs
For step-by-step instructions see How to configure a virtual scanner using Amazon EC2/VPC