Cloud Exchange System Requirements

Cloud Exchange System Requirements

This section describes the system resources and software requirements required for the Netskope Cloud Exchange installation. Please note that an installation using Amazon ECS is slightly different. For more information, refer to the Install Netskope Cloud Exchange with AWS ECS Fargate.

Note

Customers looking to deploy CE v5.0.1 AWS ECS Fargate are strongly recommended to deploy CE v5.0.1 AWS AMI.

Netskope Cloud Exchange uses a setup script to verify that the host system is ready to run the Cloud Exchange platform. In addition to compute and storage size, permissions, and some software versioning on the host, Cloud Exchange needs access to GitHub, Docker Hub, a Netskope tenant, AWS, and other 3rd-party platforms you want to integrate. Evaluate your system readiness to help the setup complete successfully.

For Cloud Exchange containers on the same host to communicate with the RabbitMQ container, ensure that the host has port 15672 open for sessions originated from the same host. Netskope does not provide OS support; it supports Cloud Exchange instances stood-up on hosts running one of these operating systems.

System Specifications

ItemSpecificatiion
OSUbuntu 20.04 and 22.04
RHEL 8

Note

Netskope does not provide OS support; it supports Cloud Exchange instances stood-up on hosts running one of these operating systems.

Docker/Podmandocker v25.0.3 and docker-compose v2.24.6
or
podman v4.6.1 and podman-compose v1.0.6
Python 3Python 3.8.x

Minimum System Requirements

  • 8 CPUs. From Cloud Exchange v4.1.0 onwards, only x86 architecture with Advanced Vector Extensions (AVX) is supported. x86 architecture is supported on Cloud Exchange v4.0.x and older releases.
  • 16 GB of Memory.
  • 80 GB of Free Storage (recommend you provision at least 80 GB of host storage). Cloud Exchange checks the /var directory for free storage.
  • Ubuntu 20.04 LTS or Red Hat Enterprise Linux 8.0 (the only ones Netskope continuously qualifies for).
  • The machine running the browser accessing the Cloud Exchange UI must be able to load fonts from fonts.google.com and fonts.gstatic.com.
  • Refer to Sizing the System based on Anticipated Usage for sizing requirements for different deployments.

Connectivity Requirements from Cloud Exchange Outbound

The Netskope CE platform needs access to GitHub, Docker Hub, a Netskope tenant, partner’s platforms, and the other 3rd-party platforms that you wish to integrate with. Do evaluate network configurations, like HTTP Proxy setup, Firewall rules, etc., to ensure the connectivity is available.

Here is the list of Public URLs that CE needs. While the setup script will check for all of these, it will not successfully complete installing CE unless these requirements are met. Firewalls, web proxies, gateways, and routers must be configured to allow CE to communicate with multiple services as described below.

For fetching third party plugins, confirm the system has access to:

  • https://github.com

For fetching alerts and events from Netskope tenant, confirm the system has access to:

  • https://*.<tenant-domain>

Note

If conditional access is enabled with vendors or SaaS apps for Netskope solutions or need to SSL Allowlist by IP instead of domains, your systems will need to ensure reachability to this list of Netskope consolidated IP addresses (for tenant access from Cloud Exchange in case firewall does not support FQDN based rules). Subscribe to this link by clicking “Follow” icon on this page: https://support.netskope.com/s/article/NewEdge-Point-of-Presence-Data-Plane-and-Management-Plane-Global-Edge-Expansion-Status-and-IP-Range

For pulling docker images from Docker Hub (connectivity to additional hosts may be required since the docker images will be behind a CDN), confirm the system has access to:

  • https://hub.docker.com
  • https://auth.docker.io
  • https://registry-1.docker.io
  • https://index.docker.io/
  • https://dseasb33srnrn.cloudfront.net/
  • https://production.cloudflare.docker.com/

If you are behind an HTTP or HTTPS proxy server, for example in corporate settings, you need to add the proxy configuration in the Docker systemd service file. Refer to https://docs.docker.com/config/daemon/systemd/#httphttps-proxy for details.

Refer to Required Network Connectivity for 3rd-Party Plugins for additional network connectivity requirements based on the plugins.

For extracting web transaction event streaming logs, confirm connectivity to us-west1-pubsublite.googleapis.com (for US customers) and europe-west3-pubsublite.googleapis.com (for EU customers). Alternatively, ensure Cloud Exchange can access *.googleapis.com (wildcard).

To provide analytics details, like version of the Cloud exchange and plugins to the Netskope team for the better performance, confirm connectivity to https://reporting.netskope.tech/.

Connectivity Requirements to Cloud Exchange Inbound

For connectivity to Cloud Exchange, ensure that the administrator can access the command line interface for Cloud Exchange via SSH (port 22)

For browser and API-based connectivity to Cloud Exchange, ensure users have access to Cloud Exchange via port 80 or 443 (by default) or via any alternative, non-standard port (recommended) configured during the setup.

Linux Hosts Permission Requirements (all OS)

The user running the setup script should have at least the following permissions:

  • Either the user should be part of the docker group or should have permissions to run docker commands. (Ignore for installations on RHEL OS)
  • You need to have sudo permissions.

Prerequisites for Linux Hosts (Ubuntu)

Below are the prerequisites required for setting up Cloud Exchange on Linux distributions other than Red Hat.

  • Linux System capable of supporting http://docker.io release of docker and docker-compose.
  • docker (v25.0.3): Refer to https://docs.docker.com/engine/install/#server for installation instructions. Verify the versions with this command. Setup script will confirm.

    $ docker version

  • docker-compose (v2.24.6): Refer to https://docs.docker.com/compose/install/standalone for installation instructions. Verify the version with this command. Setup script will confirm.

    $ docker-compose version

  • Python 3 (for the setup script): Refer to https://wiki.python.org/moin/BeginnersGuide/Download for installation instructions. Execute this command to ensure you have the 3.8.x version of python installed. Setup script will confirm.

    $ python3 --version

  • Zip (For the diagnose script): Execute this command to verify if the command is available. If available, the command execution will output the path where zip commands are available.

    $ which zip

  • Git: Refer to https://git-scm.com/download/linux for installation instructions. Execute this command to verify it is available.

    $ which git

Prerequisites for Red Hat Enterprise Linux Hosts (Supported as of Cloud Exchange version 4.x for RHEL 8.x or newer)

Podman is a prerequisite to installing the Cloud Exchange platform on Red Hat Enterprise Linux (RHEL). Ensure these commands are available:

  • Zip (For the diagnose script): Execute this command to verify that the command is available. If available, the command execution will output the path where zip commands are available.

    $ which zip

  • Git: Refer https://git-scm.com/download/linux for installation instructions. Execute the command mentioned below to verify that the command is available.

    $ which git

Sizing the System Based on Anticipated Usage

This section provides recommendations and guidance for selecting the memory/storage/CPU based on the expected volume. Factors include:

  • Total number of indicators, alerts, tickets, applications, users and hosts stored in the database are the factors that defines the storage requirements.
  • Netskope Cloud Exchange has a worker-based scheduling mechanism to cater to the data pull/push for multiple data sources. The number of workers determines how many data sources will be actively fetching data/sharing data concurrently. The total number of worker processes should be equal to the number of cores multiply by 1.25. If the expectation is to fetch data frequently with multiple data sources, consider changing the instance type.

This table shows recommendations for standard deployments:

Note

Starting CE v5.0.1, the Small stack size will NOT be supported.

Instance TypeRAM (GBs)Number of CoresAWS EquivalentAzure EquivalentTotal Recommended Free Storage allocated to Cloud ExchangeRecommended Maximum Available Plugin Credits
Medium168C62XLF8s_v28010
Large3216C64XLF16s_v212020

This table shows the maximum number of indicators supported by the Threat Exchange module.

Instance TypeNumber of Indicators for StandaloneNumber of Indicators for HA
Medium2M2M
Large 5M5M

This table shows the number of alerts and events pulled and ingested at one destination by Log shipper module.

Instance TypeAlerts/Events per Minute for StandaloneAlerts/Events per Minute for HA
Medium100K150K
Large 200K300K

This table shows the number of alerts and events pulled and ingested on one destination by Log shipper module for WebTx.

Instance TypeWebTx Throughput per Second for StandaloneWebTx Throughput per Second for HA
MediumNot RecommendedNot Recommended
Large 6MB6MB

This table shows the number of credits used by the Cloud Exchange modules and the WebTx plugins.

Credits UsedPlugin
3Log Shipper
3Ticket Orchestrator
1Threat Exchange
2User Risk Exchange
2Application Risk Exchange
6WebTx

Note

The CE plugin credits listed above are for sizing guidance and recommendations, and do not have any associated cost or license requirements.

Above Average Load Design Assumptions

Your numbers may differ.

DimensionModeled Load
Events Per Minute.75 EPM/user
WebTx
We recommend that you use a separate Large Instance for WebTx. (Only WebTX should be configured in it.)
Average 4 KB each. Compressed 7:1 in W3C format.
Event/AlertAverage 2 KB each
Assumed user load from events/alert logs1 MB/user/day event/alert logs
Assumed user load from event streaming logs4 MB/user/day WebTx (compressed) or 28MB/user/day WebTx (uncompressed)
Assumed user load from cloud firewall logs14 MB/user/day Cloud Firewall logs

Note

Estimated ingestion time from CE to destinations such as Syslog, Qradar, and Azure for one batch of alerts, events, and web transaction logs should be less than 10 seconds. One batch is approximately 10,000 alerts, 10,000 events, or 5MB of Web transaction logs.

Share this Doc

Cloud Exchange System Requirements

Or copy link

In this topic ...