About the Cisco Secure Dynamic Attributes Connector
The Cisco Secure Dynamic Attributes Connector enables you to use service tags and categories from various cloud service platforms in Cisco Defense Orchestrator (CDO) access control rules.
Network constructs such as IP addresses are not reliable in virtual, cloud, and container environments because workloads are dynamic and IP address overlap is inevitable. Customers require policy rules to be defined based on non-network constructs such as VM name or security group, so that firewall policy is persistent even when the IP address or VLAN changes.
We currently support:
- Amazon Web Services (AWS) service tags
  For more information, see a resource like Tagging AWS resources on the Amazon documentation site.
- GitHub
- Microsoft Azure
  For more information, see this page on the Azure documentation site.
- Microsoft Azure service tags
  For more information, see a resource like Virtual network service tags on Microsoft TechNet.
- Office 365
  For more information, see Office 365 URLs and IP address ranges on docs.microsoft.com.
The following figure shows how the system functions at a high level.

- Connectors (currently AWS, Azure, GitHub, Google Cloud, and Outlook 365) contain the tags and containers to query.
  For example, these tags typically define dynamically allocated network and IP addresses for which you cannot create access control rules. Persisted feeds from the connectors are stored on the dynamic attributes connector for fast access.
- Tag information is persisted on the dynamic attributes connector, where you create dynamic attributes filters that define which information is important to use in access control rules.
  For example, if AWS defines networks for the Accounting and Finance departments' virtual machines, you can create a dynamic attributes filter that specifies only the Finance network.
- The adapter defined by the dynamic attributes connector receives those dynamic attributes filters as dynamic objects and enables you to use them in access control rules.
  You can create the following types of adapters:
  - On-Prem Firewall Management Center for an on-premises device.
    This type of device might be managed by Cisco Defense Orchestrator (CDO) or it might be standalone.
  - Cloud-Delivered Firewall Management Center for devices managed by CDO.
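A conceptual sketch of the flow described above, added here as an illustration and not Cisco's code or API: a tag filter is resolved against two inventory snapshots, and the result is compared with a rule pinned to fixed IP addresses. The inventory records, the `dept` tag key, the addresses, and all function names are constructed assumptions.

```python
# Conceptual model only; record layout, tag key and addresses are constructed
# for illustration and do not reflect the connector's real data format.
from ipaddress import ip_address

def resolve(inventory, tag_filter):
    """IPs of workloads whose tags match every key/value in tag_filter."""
    return {
        ip_address(w["ip"])
        for w in inventory
        if all(w["tags"].get(k) == v for k, v in tag_filter.items())
    }

def diff(previous, current):
    """Membership changes for the dynamic object: (added, removed)."""
    return current - previous, previous - current

def static_rule_hits(static_ips, inventory):
    """Names of workloads that a rule pinned to fixed IPs would match."""
    return sorted(w["name"] for w in inventory if ip_address(w["ip"]) in static_ips)

# Constructed inventory snapshots, before and after a redeploy.
SNAPSHOT_1 = [
    {"name": "fin-app-1", "ip": "10.0.1.10", "tags": {"dept": "Finance"}},
    {"name": "fin-db-1", "ip": "10.0.1.11", "tags": {"dept": "Finance"}},
    {"name": "acct-app-1", "ip": "10.0.2.10", "tags": {"dept": "Accounting"}},
]
SNAPSHOT_2 = [
    {"name": "fin-app-1", "ip": "10.0.1.57", "tags": {"dept": "Finance"}},  # re-addressed
    {"name": "fin-db-1", "ip": "10.0.1.11", "tags": {"dept": "Finance"}},
    {"name": "acct-app-2", "ip": "10.0.1.10", "tags": {"dept": "Accounting"}},  # reuses old Finance IP
]
FINANCE_FILTER = {"dept": "Finance"}

def demo():
    before = resolve(SNAPSHOT_1, FINANCE_FILTER)
    after = resolve(SNAPSHOT_2, FINANCE_FILTER)
    added, removed = diff(before, after)
    # A rule written against the first snapshot's IPs now matches the wrong workload.
    stale = static_rule_hits(before, SNAPSHOT_2)
    return before, after, added, removed, stale

if __name__ == "__main__":
    before, after, added, removed, stale = demo()
    print("dynamic object before:", sorted(map(str, before)))
    print("dynamic object after: ", sorted(map(str, after)))
    print("added:", sorted(map(str, added)), "removed:", sorted(map(str, removed)))
    print("static rule on old IPs now matches:", stale)
```

The static rule ends up matching an Accounting workload that inherited a former Finance address and misses the re-addressed Finance workload, while the tag-resolved set follows the Finance workloads.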