A new model for securing deployments of DNS Edge

At BlueCat, we’ve recently taken steps to become more reliable in our deployment model and more robust in our back-end security practices.


The shared responsibility model for cloud security separates out accountability across customers, stakeholders, and solution providers.  At BlueCat, we take responsibility for our part of cloud security very seriously.  That’s why we’ve recently taken steps to become more reliable in our deployment model and more robust in our back-end security practices.

Security monitoring through IP addresses

Most cloud resources in AWS are deployed inside a Virtual Private Cloud (VPC). (BlueCat uses AWS, but every cloud provider has a similar construct.) Each VPC is assigned an IP address range by the user, and every resource inside it draws its address from that range, so traffic to and from a VPC passes through a known, fixed set of addresses. As the designated paths of information to and from any VPC, these addresses are a significant source of data for both cloud security and performance management.

By monitoring the DNS data flowing through those addresses, network administrators can learn a lot about how their cloud resources are performing. Security teams can use the same information to detect anomalies and watch traffic for indicators of compromise. If someone left a port open, if malicious code was added to a cloud instance, if VMs are behaving erratically, if a DDoS attack is underway: all of this activity can be detected by correlating DNS data with other telemetry such as syslogs, with the source address tying each observation back to a specific VPC and the account that owns it.

Assuring performance and security

DNS Edge, BlueCat’s SaaS security product, deploys through VPCs (along with other resources) in the AWS cloud.  BlueCat now leverages the IP addresses assigned to those VPCs to ensure optimal performance and strengthen security controls on the operational back-end.

Here’s what we’re doing: BlueCat has created a series of automated workflows through its Gateway platform to assign IP addresses to VPCs in the cloud. These workflows are scheduled to run in sequence through Rundeck. Because every address is assigned through the same workflow, BlueCat knows which account and service point each one belongs to, and can monitor individual accounts for security and performance issues through its back-end security tools.

This process also avoids some of the manual set-up steps previously required of users, and ensures a common approach to deployment.  It will also allow customers to set up and deploy DNS Edge service points on their own. 
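The two ideas above, attributing traffic to an account by the address range its VPC was assigned, and correlating the DNS activity seen on that address with syslog from the same host, can be shown in a few dozen lines. The following is an added example written for this article; it is not BlueCat's code, Gateway workflow, or back-end tooling. The VPC inventory, the DNS query log, and the syslog excerpt are constructed sample data, and the log line format, the NXDOMAIN-burst rule and the 60-second correlation window are assumptions chosen for illustration.

```python
"""Attribute DNS queries to accounts by VPC CIDR, flag anomalies, and pull
matching syslog lines for the same host (added example, constructed data)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical inventory (constructed): the CIDR block each customer VPC was
# assigned at deployment time. In the article this mapping is produced by the
# automated assignment workflow; here it is hard-coded sample data.
VPC_INVENTORY = {
    "acct-alpha": ["10.10.0.0/16"],
    "acct-bravo": ["10.20.0.0/16"],
}

# Constructed DNS query log, one query per line:
# "<timestamp> <client_ip> <qname> <rcode>"  (format is an assumption)
DNS_LOG = """\
2024-05-01T12:00:01Z 10.10.1.5 api.example.com NOERROR
2024-05-01T12:00:02Z 10.20.3.8 cdn.example.net NOERROR
2024-05-01T12:00:10Z 10.10.1.9 a8f3k2.example.org NXDOMAIN
2024-05-01T12:00:11Z 10.10.1.9 q91xz0.example.org NXDOMAIN
2024-05-01T12:00:12Z 10.10.1.9 m2p7vv.example.org NXDOMAIN
2024-05-01T12:00:13Z 10.10.1.9 t0c4lb.example.org NXDOMAIN
2024-05-01T12:00:14Z 10.10.1.9 zz81qe.example.org NXDOMAIN
2024-05-01T12:00:20Z 10.20.3.8 api.example.com NOERROR
2024-05-01T12:00:25Z 192.0.2.44 api.example.com NOERROR
"""

# Constructed syslog excerpt covering the same window. EC2-style hostnames
# ("ip-10-10-1-9") encode the instance's private address.
SYSLOG = """\
2024-05-01T11:59:50Z ip-10-10-1-9 sshd[1201]: Accepted publickey for ubuntu from 203.0.113.7 port 52144 ssh2
2024-05-01T12:00:05Z ip-10-10-1-9 systemd[1]: Started cron-update.service
2024-05-01T12:00:40Z ip-10-20-3-8 sshd[880]: Accepted password for admin from 198.51.100.2 port 41000 ssh2
"""

NXDOMAIN_THRESHOLD = 5   # NXDOMAIN answers per client per window (assumption)
WINDOW_SECONDS = 60      # burst window and syslog correlation window (assumption)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def account_for(ip):
    """Attribute a client IP to the account whose assigned VPC CIDR contains it."""
    addr = ipaddress.ip_address(ip)
    for account, cidrs in VPC_INVENTORY.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return account
    return None  # not inside any assigned VPC range: an unexpected source


def parse_dns(log):
    rows = []
    for line in log.splitlines():
        ts, ip, qname, rcode = line.split()
        rows.append((parse_ts(ts), ip, qname, rcode))
    return rows


def parse_syslog(log):
    events = []
    for line in log.splitlines():
        ts, host, rest = line.split(" ", 2)
        ip = host[3:].replace("-", ".") if host.startswith("ip-") else host
        events.append((parse_ts(ts), ip, rest))
    return events


def nxdomain_bursts(rows):
    """Return {client_ip: first_timestamp} for clients that produced at least
    NXDOMAIN_THRESHOLD NXDOMAIN answers inside any WINDOW_SECONDS window.
    A run of NXDOMAINs for random-looking names is a classic DGA/malware sign."""
    by_client = defaultdict(list)
    for ts, ip, _qname, rcode in rows:
        if rcode == "NXDOMAIN":
            by_client[ip].append(ts)
    hits = {}
    for ip, stamps in by_client.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j < len(stamps) and (stamps[j] - stamps[i]).total_seconds() <= WINDOW_SECONDS:
                j += 1
            if j - i >= NXDOMAIN_THRESHOLD:
                hits[ip] = stamps[i]
                break
    return hits


def unknown_sources(rows):
    """Client IPs that fall outside every assigned VPC range."""
    return sorted({ip for _, ip, _, _ in rows if account_for(ip) is None})


def correlate(dns_log=DNS_LOG, syslog=SYSLOG):
    """Produce findings: each DNS anomaly attributed to an account, with the
    syslog lines from the same host within WINDOW_SECONDS of the anomaly."""
    rows = parse_dns(dns_log)
    events = parse_syslog(syslog)
    findings = []
    for ip, first_seen in nxdomain_bursts(rows).items():
        related = [msg for ts, host_ip, msg in events
                   if host_ip == ip and abs((ts - first_seen).total_seconds()) <= WINDOW_SECONDS]
        findings.append({"type": "nxdomain_burst", "client": ip,
                         "account": account_for(ip), "syslog": related})
    for ip in unknown_sources(rows):
        findings.append({"type": "unknown_source", "client": ip, "account": None, "syslog": []})
    return findings


if __name__ == "__main__":
    for finding in correlate():
        print(finding)
```

Run as a script, it reports one NXDOMAIN burst from 10.10.1.9, attributed to acct-alpha and paired with the two syslog lines from that host (a key-based SSH login and a service start just before the burst), plus one query from 192.0.2.44 that matches no assigned VPC range. The second finding is the payoff of standardized assignment: once every legitimate address is known in advance, anything outside the inventory is itself an indicator worth investigating.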

The path forward

With this deployment model in place, BlueCat is also starting down the path toward multitenancy – the ability to support multiple customers through a single account.  In this phase of the journey, we are enabling the separation of customer accounts, and the ability to audit activity on those accounts. 

These changes will also make the evidence needed for FedRAMP and SOC compliance easier to produce. Both frameworks call for vulnerability scans at critical entry and exit points; because the addresses assigned to DNS Edge VPCs are known in advance and already monitored, BlueCat can now run those scans against them continuously rather than as one-off exercises.



BlueCat provides core services and solutions that help our customers and their teams deliver change-ready networks. With BlueCat, organizations can build reliable, secure, and agile mission-critical networks that can support transformation initiatives such as cloud adoption and automation. BlueCat’s growing portfolio includes services and solutions for automated and unified DDI management, network security, multicloud management, and network observability and health.
