Cloud Exchange System Requirements
This section describes the system resource and software requirements for installing Netskope Cloud Exchange. Note that an installation using Amazon ECS differs slightly; for details, refer to Install Netskope Cloud Exchange with AWS ECS Fargate.
Note
Customers looking to deploy CE v5.0.1 AWS ECS Fargate are strongly recommended to deploy CE v5.0.1 AWS AMI.
Netskope Cloud Exchange uses a setup script to verify that the host system is ready to run the Cloud Exchange platform. In addition to compute and storage size, permissions, and some software versioning on the host, Cloud Exchange needs access to GitHub, Docker Hub, a Netskope tenant, AWS, and other 3rd-party platforms you want to integrate. Evaluate your system readiness to help the setup complete successfully.
For Cloud Exchange containers on the same host to communicate with the RabbitMQ container, ensure that the host has port 15672 open for sessions originating from the same host. Netskope does not provide OS support; it supports Cloud Exchange instances stood up on hosts running one of the operating systems listed below.
System Specifications
Item | Specification |
---|---|
OS | Ubuntu 20.04 and 22.04; RHEL 8. Note: Netskope does not provide OS support; it supports Cloud Exchange instances stood up on hosts running one of these operating systems. |
Docker/Podman | docker v25.0.3 and docker-compose v2.24.6, or podman v4.6.1 and podman-compose v1.0.6 |
Python 3 | Python 3.8.x |
- 8 CPUs. From Cloud Exchange v4.1.0 onwards, only x86 architecture with Advanced Vector Extensions (AVX) is supported; on Cloud Exchange v4.0.x and older releases, x86 without AVX is supported.
- 16 GB of memory.
- 80 GB of free storage (provision at least 80 GB of host storage). Cloud Exchange checks the /var directory for free space.
- Ubuntu 20.04 LTS or Red Hat Enterprise Linux 8.0 (the only distributions Netskope continuously qualifies).
- The machine running the browser accessing the Cloud Exchange UI must be able to load fonts from fonts.google.com and fonts.gstatic.com.
- Refer to Sizing the System based on Anticipated Usage for sizing requirements for different deployments.
The Netskope CE platform needs access to GitHub, Docker Hub, a Netskope tenant, partner platforms, and any other 3rd-party platforms you wish to integrate with. Evaluate network configuration such as HTTP proxy settings and firewall rules to ensure this connectivity is available.
Here is the list of public URLs that CE needs. The setup script checks all of them, and the installation will not complete unless these requirements are met. Firewalls, web proxies, gateways, and routers must be configured to allow CE to communicate with the services described below.
For fetching third party plugins, confirm the system has access to:
https://github.com
For fetching alerts and events from Netskope tenant, confirm the system has access to:
https://*.<tenant-domain>
Note
If conditional access is enabled with vendors or SaaS apps for Netskope solutions, or if you need to SSL-allowlist by IP instead of by domain (for example, when the firewall does not support FQDN-based rules), your systems must be able to reach the Netskope consolidated IP address list for tenant access from Cloud Exchange. Subscribe to updates by clicking the “Follow” icon on this page: https://support.netskope.com/s/article/NewEdge-Point-of-Presence-Data-Plane-and-Management-Plane-Global-Edge-Expansion-Status-and-IP-Range
For pulling docker images from Docker Hub (connectivity to additional hosts may be required since the docker images will be behind a CDN), confirm the system has access to:
https://hub.docker.com
https://auth.docker.io
https://registry-1.docker.io
https://index.docker.io/
https://dseasb33srnrn.cloudfront.net/
https://production.cloudflare.docker.com/
If you are behind an HTTP or HTTPS proxy server, for example in corporate settings, you need to add the proxy configuration in the Docker systemd service file. Refer to https://docs.docker.com/config/daemon/systemd/#httphttps-proxy for details.
Refer to Required Network Connectivity for 3rd-Party Plugins for additional network connectivity requirements based on the plugins.
For extracting web transaction event streaming logs, confirm connectivity to us-west1-pubsublite.googleapis.com (for US customers) and europe-west3-pubsublite.googleapis.com (for EU customers). Alternatively, ensure Cloud Exchange can access *.googleapis.com (wildcard).
To provide analytics details, such as the Cloud Exchange and plugin versions, to the Netskope team for better performance, confirm connectivity to https://reporting.netskope.tech/.
For administrative access to Cloud Exchange, ensure that the administrator can reach the Cloud Exchange command line interface via SSH (port 22).
For browser and API-based connectivity to Cloud Exchange, ensure users have access to Cloud Exchange via port 80 or 443 (by default) or via any alternative, non-standard port (recommended) configured during the setup.
The user running the setup script needs at least the following permissions:
- The user must either be a member of the docker group or otherwise have permission to run docker commands (not applicable to installations on RHEL).
- The user must have sudo permissions.
Below are the prerequisites for setting up Cloud Exchange on Linux distributions other than Red Hat.
- A Linux system capable of running the http://docker.io release of docker and docker-compose.
- docker (v25.0.3): Refer to https://docs.docker.com/engine/install/#server for installation instructions. Verify the version with this command (the setup script will also confirm it):
$ docker version
- docker-compose (v2.24.6): Refer to https://docs.docker.com/compose/install/standalone for installation instructions. Verify the version with this command (the setup script will also confirm it):
$ docker-compose version
- Python 3 (for the setup script): Refer to https://wiki.python.org/moin/BeginnersGuide/Download for installation instructions. Run this command to confirm that a 3.8.x version of Python is installed (the setup script will also confirm it):
$ python3 --version
- Zip (for the diagnose script): Run this command to verify that zip is available; if it is, the command prints the path to the zip binary:
$ which zip
- Git: Refer to https://git-scm.com/download/linux for installation instructions. Run this command to verify that git is available:
$ which git
Podman is a prerequisite to installing the Cloud Exchange platform on Red Hat Enterprise Linux (RHEL). Ensure these commands are available:
- podman (v4.6.1): Refer to https://podman.io/getting-started/installation for installation instructions. Verify the version with this command:
$ sudo podman version
- podman-compose (v1.0.6): Refer to https://github.com/containers/podman-compose#installation for installation instructions. Verify the version with this command:
$ sudo podman-compose version
- podman-plugins: Install the podman-plugins package using this command:
$ sudo yum install podman-plugins
- Python 3 (for the setup script): Refer to https://wiki.python.org/moin/BeginnersGuide/Download for installation instructions. Run this command to confirm that a 3.8.x version of Python is installed:
$ python3 --version
- Zip (for the diagnose script): Run this command to verify that zip is available; if it is, the command prints the path to the zip binary:
$ which zip
- Git: Refer to https://git-scm.com/download/linux for installation instructions. Run this command to verify that git is available:
$ which git
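As an added example (this is not Netskope's setup script), the following POSIX shell pre-flight script automates the checks from the two prerequisite lists above and from the system specifications: tool versions against the minimums on this page, a 3.8.x Python, the AVX CPU flag, zip and git on PATH, and free space in /var. The script name ce-preflight.sh, the PASS/FAIL output format and the docker --format/--short invocations are my own choices.

```shell
#!/bin/sh
# ce-preflight.sh: added host readiness check for the requirements listed above.
# This is NOT Netskope's setup script; it mirrors the checks that script is
# documented to perform. Minimums come from this page's System Specifications.
DOCKER_MIN=25.0.3; COMPOSE_MIN=2.24.6; MIN_FREE_GB=80

# Return 0 when dotted version $1 is greater than or equal to $2.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0 }'
}
# First dotted version in a banner: "Docker Compose version v2.24.6" -> 2.24.6.
extract_version() { printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n1; }
# The page asks for a 3.8.x Python specifically, not merely >= 3.8.
is_python38() { case "$1" in 3.8.*) return 0 ;; *) return 1 ;; esac; }
# AVX is required from CE v4.1.0 onward; "avx2" or "avx512f" alone do not count.
# $1 is a cpuinfo file, defaulting to /proc/cpuinfo.
cpu_has_avx() { grep -qE '(^|[[:space:]])avx([[:space:]]|$)' "${1:-/proc/cpuinfo}"; }
# Free space in GB on the filesystem holding $1 (CE itself checks /var).
free_gb() { df -Pk "${1:-/var}" | awk 'NR == 2 { print int($4 / 1024 / 1024) }'; }
# PASS/FAIL line for tool $1 with observed version $2 against minimum $3.
check_min() {
  if [ -n "$2" ] && version_ge "$2" "$3"; then echo "PASS $1 $2"; return 0; fi
  echo "FAIL $1 ${2:-missing} (need >= $3)"; return 1
}

# Run every check; the exit status is the number of failed checks. On RHEL,
# swap the two docker lines for 'sudo podman version' (4.6.1) and
# 'sudo podman-compose version' (1.0.6), parsed the same way.
preflight() {
  fails=0
  pyver=$(extract_version "$(python3 --version 2>&1)")
  is_python38 "$pyver" || { echo "FAIL python3 ${pyver:-missing} (need 3.8.x)"; fails=$((fails + 1)); }
  check_min docker "$(extract_version "$(docker version --format '{{.Client.Version}}' 2>/dev/null)")" "$DOCKER_MIN" || fails=$((fails + 1))
  check_min docker-compose "$(extract_version "$(docker-compose version 2>/dev/null)")" "$COMPOSE_MIN" || fails=$((fails + 1))
  for tool in zip git; do command -v "$tool" >/dev/null 2>&1 || { echo "FAIL $tool not on PATH"; fails=$((fails + 1)); }; done
  cpu_has_avx || { echo "FAIL CPU lacks AVX (required from CE v4.1.0)"; fails=$((fails + 1)); }
  [ "$(free_gb /var)" -ge "$MIN_FREE_GB" ] || { echo "FAIL /var has less than ${MIN_FREE_GB} GB free"; fails=$((fails + 1)); }
  return "$fails"
}
[ "${0##*/}" = ce-preflight.sh ] && preflight
```

Run it as `sh ce-preflight.sh` on the target host before the Netskope setup script; a non-zero exit status tells you how many requirements still need attention.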
This section provides recommendations and guidance for selecting memory, storage, and CPU based on the expected volume. Factors include:
- The total number of indicators, alerts, tickets, applications, users, and hosts stored in the database determines the storage requirement.
- Netskope Cloud Exchange uses a worker-based scheduling mechanism to handle data pulls and pushes for multiple data sources. The number of workers determines how many data sources actively fetch or share data concurrently. The total number of worker processes should equal the number of cores multiplied by 1.25. If you expect to fetch data frequently from multiple data sources, consider a larger instance type.
This table shows recommendations for standard deployments:
Note
Starting CE v5.0.1, the Small stack size will NOT be supported.
Instance Type | RAM (GB) | Number of Cores | AWS Equivalent | Azure Equivalent | Total Recommended Free Storage Allocated to Cloud Exchange (GB) | Recommended Maximum Available Plugin Credits |
---|---|---|---|---|---|---|
Medium | 16 | 8 | C62XL | F8s_v2 | 80 | 10 |
Large | 32 | 16 | C64XL | F16s_v2 | 120 | 20 |
This table shows the maximum number of indicators supported by the Threat Exchange module.
Instance Type | Number of Indicators for Standalone | Number of Indicators for HA |
---|---|---|
Medium | 2M | 2M |
Large | 5M | 5M |
This table shows the number of alerts and events pulled and ingested at one destination by the Log Shipper module.
Instance Type | Alerts/Events per Minute for Standalone | Alerts/Events per Minute for HA |
---|---|---|
Medium | 100K | 150K |
Large | 200K | 300K |
This table shows the volume of web transaction (WebTx) logs pulled and ingested at one destination by the Log Shipper module.
Instance Type | WebTx Throughput per Second for Standalone | WebTx Throughput per Second for HA |
---|---|---|
Medium | Not Recommended | Not Recommended |
Large | 6MB | 6MB |
This table shows the number of credits used by the Cloud Exchange modules and the WebTx plugins.
Credits Used | Plugin |
---|---|
3 | Log Shipper |
3 | Ticket Orchestrator |
1 | Threat Exchange |
2 | User Risk Exchange |
2 | Application Risk Exchange |
6 | WebTx |
Note
The CE plugin credits listed above are for sizing guidance and recommendations, and do not have any associated cost or license requirements.
Above Average Load Design Assumptions
Your numbers may differ.
Dimension | Modeled Load |
---|---|
Events Per Minute | 0.75 EPM/user |
WebTx | Average 4 KB each, compressed 7:1 in W3C format. |
Event/Alert | Average 2 KB each |
Assumed user load from events/alert logs | 1 MB/user/day event/alert logs |
Assumed user load from event streaming logs | 4 MB/user/day WebTx (compressed) or 28 MB/user/day WebTx (uncompressed) |
Assumed user load from cloud firewall logs | 14 MB/user/day Cloud Firewall logs |
Note
We recommend that you use a separate Large instance for WebTx, with only WebTx configured on it.
Note
The estimated ingestion time from CE to destinations such as Syslog, QRadar, and Azure for one batch of alerts, events, or web transaction logs should be less than 10 seconds. One batch is approximately 10,000 alerts, 10,000 events, or 5 MB of web transaction logs.