SPP can be run from the cloud.

Before you start: platforms and resources

When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. See One Identity's Product Support Policies for more information on environment virtualization.

Platforms that have been tested with the cloud deployments follow.

For these deployments, the minimum resources used in testing were 4 CPUs, 10 GB RAM, and a 60 GB disk. Choose a machine type and configuration template that meets or exceeds these values. For example, when you click Create in the Azure Marketplace, default profiles are displayed; click Change size to choose a different template. In OCI, select a supported shape that allocates the appropriate resources for your instance.

Restricting access to the web management kiosk for cloud deployments

The web management kiosk listens on TCP port 9337 in AWS, OCI, and Azure and is intended for diagnostics and troubleshooting by Appliance Administrators.

CAUTION: The Management web kiosk is available via HTTPS on port 9337 on cloud platforms (including AWS, OCI, and Azure). The kiosk exposes functions that do not require authentication, such as pulling a support bundle or rebooting the appliance. In AWS and OCI, all inbound ports are denied unless a security group or security list rule explicitly allows them, so to deny access to port 9337, leave the port out of the ingress rules and make sure no rule covers it as part of a wider port range. If the port must be reachable, restrict the rule's source to the specific addresses of the administrators who need it rather than allowing any source.

Azure: Block port 9337

Use the following steps to block access to port 9337 in Azure.

  1. Navigate to the virtual machine running SPP.
  2. In the left hand navigation menu select Networking.
  3. Click Add inbound port rule.
  4. Configure the inbound security rule as follows:
    Source: Any
    Source port ranges: *
    Destination: Any
    Destination port ranges: 9337
    Protocol: Any
    Action: Deny
    Priority: 100 (the lowest number permitted for a custom rule; Azure evaluates rules in ascending priority order and the first match wins, so this Deny is applied before any Allow rule with a higher number)
    Name: DenyPort9337
  5. Click Add.

AWS: Block port 9337

Use the following steps to block access to port 9337 in AWS.

  1. From the EC2 Dashboard, navigate to the EC2 Instance running SPP.
  2. Select the instance.
  3. In the Description tab, locate the Security groups field then click the name of the security group.
  4. Select the Inbound tab.
  5. Click Edit.
  6. Remove any existing rules and add the following rules. Because a security group denies anything not listed, omitting port 9337 from this set is what blocks the kiosk. Where your deployment allows it, restrict Source to known address ranges: Anywhere (0.0.0.0/0) exposes each listed port to the entire internet.
    • Type: Custom UDP Rule
      Protocol: UDP
      Port Range: 655
      Source: Anywhere
      Description: Cluster VPN
    • Type: HTTPS
      Protocol: TCP
      Port range: 443
      Source: Anywhere
      Description: Web API
    • Type: Custom TCP Rule
      Protocol: TCP
      Port Range: 8649
      Source: Anywhere
      Description: SPS Cluster
  7. Click Save.

OCI: Block port 9337

Use the following steps to block access to port 9337 in OCI.

  1. Navigate to the Virtual Cloud Network assigned to the instance running SPP.

  2. Navigate to the Subnet assigned to the instance.

  3. Open the Security List for the subnet.

  4. Ensure no ingress rules allow traffic from any source (with any IP protocol) to destination port 9337. Review the ingress rules carefully: a rule may apply to a range of destination ports, or to all ports of a protocol, instead of explicitly listing port 9337.

  5. Also review any Network Security Groups attached to the instance's VNIC. In OCI the rules that apply to a VNIC are the union of the subnet's security list and its NSGs, so an NSG rule can admit traffic to port 9337 even when the security list does not.
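The three procedures above rely on two different firewall models: AWS security groups and OCI security lists are allow-only, so the kiosk is blocked only when no rule (including a port range or an all-ports rule) covers 9337, while Azure NSGs are ordered deny-or-allow lists where the lowest priority number that matches wins. The following script is an added example, not One Identity documentation or product code, that audits exported rules for all three clouds. The dict shapes imitate the JSON returned by `aws ec2 describe-security-groups` (IpPermissions), `oci network security-list get` (ingress-security-rules) and `az network nsg rule list`; the rule sets themselves are constructed for this example, and the Azure check models only a source on the public internet (sourceAddressPrefix of *, Internet, or 0.0.0.0/0).

```python
"""Audit exported cloud ingress rules for exposure of the SPP web kiosk port.

Added example; the rule shapes imitate AWS, OCI and Azure CLI JSON output and
the sample rule sets are constructed, not taken from a real deployment."""

KIOSK_PORT = 9337


def _covers(port: int, lo: int, hi: int) -> bool:
    """True when `port` lies inside the inclusive range lo..hi."""
    return lo <= port <= hi


def aws_exposed(ip_permissions: list[dict], port: int = KIOSK_PORT) -> list[str]:
    """Sources that can reach TCP `port` through an AWS security group.
    Security groups are allow-only, so the kiosk is blocked exactly when this
    returns []. IpProtocol "-1" means every protocol and carries no ports."""
    sources = []
    for perm in ip_permissions:
        proto = perm["IpProtocol"]
        if proto not in ("tcp", "-1"):
            continue
        if proto == "tcp" and not _covers(port, perm["FromPort"], perm["ToPort"]):
            continue
        sources += [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return sources


def oci_exposed(ingress_rules: list[dict], port: int = KIOSK_PORT) -> list[str]:
    """Sources that can reach TCP `port` through an OCI security list.
    Protocol is an IANA number as a string ("6" = TCP) or "all". A TCP rule
    with no tcp-options or no destination-port-range applies to every TCP
    port, which is the range case the procedure warns about."""
    sources = []
    for rule in ingress_rules:
        proto = rule["protocol"]
        if proto not in ("6", "all"):
            continue
        if proto == "6":
            rng = (rule.get("tcp-options") or {}).get("destination-port-range")
            if rng and not _covers(port, rng["min"], rng["max"]):
                continue
        sources.append(rule["source"])
    return sources


def _azure_port_match(rule: dict, port: int) -> bool:
    """A rule carries either destinationPortRange ("*", "9337", "9000-9999")
    or a destinationPortRanges list whose entries may themselves be ranges."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange") or ""]
    for entry in ranges:
        if entry == "*":
            return True
        lo, _, hi = entry.partition("-")
        if lo and _covers(port, int(lo), int(hi or lo)):
            return True
    return False


def azure_decision(rules: list[dict], port: int = KIOSK_PORT) -> str:
    """Effective NSG verdict ("Allow"/"Deny") for inbound TCP `port` from the
    internet. Rules are evaluated in ascending priority order and the first
    match wins; with no match, the default DenyAllInBound rule applies.
    Assumption: only a public-internet source is modelled."""
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"),
                     key=lambda r: r["priority"])
    for rule in inbound:
        if rule["protocol"].lower() not in ("*", "tcp"):
            continue
        if rule["sourceAddressPrefix"] not in ("*", "Internet", "0.0.0.0/0"):
            continue
        if _azure_port_match(rule, port):
            return rule["access"]
    return "Deny"


# Constructed samples. AWS_RULES mirrors the rule set the AWS procedure installs;
# AWS_RULES_LEAKY adds one broad management range that re-exposes 9337 without naming it.
AWS_RULES = [
    {"IpProtocol": "udp", "FromPort": 655, "ToPort": 655, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8649, "ToPort": 8649, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
AWS_RULES_LEAKY = AWS_RULES + [
    {"IpProtocol": "tcp", "FromPort": 9000, "ToPort": 9999, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
]
OCI_RULES = [
    {"protocol": "6", "source": "0.0.0.0/0",
     "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}},
    {"protocol": "6", "source": "10.0.0.0/16", "tcp-options": None},  # all TCP ports
    {"protocol": "17", "source": "0.0.0.0/0",
     "udp-options": {"destination-port-range": {"min": 655, "max": 655}}},
]
AZURE_RULES = [
    {"name": "AllowHttps", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "443"},
    {"name": "AllowMgmt", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRange": None,
     "destinationPortRanges": ["9000-9999"]},
    {"name": "DenyPort9337", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "9337"},
]

if __name__ == "__main__":
    print("AWS documented rules expose 9337 to:", aws_exposed(AWS_RULES))
    print("AWS with a 9000-9999 rule exposes 9337 to:", aws_exposed(AWS_RULES_LEAKY))
    print("OCI sample exposes 9337 to:", oci_exposed(OCI_RULES))
    print("Azure verdict with DenyPort9337:", azure_decision(AZURE_RULES))
    print("Azure verdict without it:", azure_decision(AZURE_RULES[:2]))
```

Feed the script the relevant array from your own CLI export in place of the constructed samples. The OCI sample shows the case step 4 warns about: a rule allowing all TCP from 10.0.0.0/16 never mentions 9337 yet exposes the kiosk to that network. The Azure sample shows why the procedure asks for priority 100: drop DenyPort9337 and the 9000-9999 allow at priority 300 admits the kiosk.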