Deploying DSPM Sidecars via Azure Container Instances
Overview
The Netskope One DSPM application requires seamless connectivity to scan your data stores. However, following common security practice, organizations often restrict firewall egress between their internal networks and external applications. Such restrictions limit the operational use of Netskope One DSPM and reduce the value of your subscription.
To overcome this, Netskope One DSPM provides a flexible collection architecture consisting of one or many sidecars you deploy alongside your data stores. These sidecars collect necessary metadata and transfer it to the Netskope One DSPM application. Within this central management console, you can take action on insights from across all data stores regardless of where they are hosted.
Architecture
Netskope One DSPM provides a flexible collection architecture, consisting of one or many sidecars you deploy alongside the main application. These sidecars connect to data stores to run scans and upload the results to the Netskope One DSPM application.
A single sidecar can scan multiple data stores in its installation environment. Typically, you will deploy one sidecar per individual environment (e.g. VNet, VPC, etc.); however, you may choose to install multiple sidecars for additional scalability and redundancy. The Netskope One DSPM application automatically load balances scans across healthy sidecars in each sidecar pool.

For more information on Azure Container Instances, please visit the Microsoft Azure knowledge base.
Provide Outbound Egress
Note
This step can be skipped if the environment where you plan to install the sidecar has public outbound internet access.
Because the Netskope One DSPM application is hosted and managed by Netskope, you may need to update your firewall/security group settings in order to provide outbound egress for sidecars to communicate with DSPM.
Whitelist the following addresses on port 443, substituting [TENANT] with your tenant name:
Address |
---|
[TENANT].dspm.goskope.com |
[TENANT]-sidecar.dspm.goskope.com |
Register Sidecar
To set up the relationship between your sidecars and your Netskope One DSPM-hosted tenant, you will provide the sidecars with unique authentication tokens generated within our Sidecar Administration UI.
If you already have an existing sidecar pool token to use, you can skip this section. Otherwise, follow these instructions to acquire a new token.
- Log in to the Netskope One DSPM application.
- Go to Platform Settings > Sidecar to display the Sidecar Administration screen.
- Click Add Sidecar Pool.
- The Add Sidecar Pool modal is displayed.
- On the Details tab, complete the following field:
Field | Value |
---|---|
Name | Any friendly value to describe the sidecar pool. |
- Click Save.
- Click Copy at the bottom of the Sidecar Authentication Token modal to save the generated token to your clipboard.
- Click the X button to exit the modal.
Since you haven’t yet associated this token with a sidecar, the sidecar pool will appear only when you click the Show Inactive Sidecars icon in the upper right, with empty Version and Status columns for now.
The above-generated token will be used for each individual sidecar within the sidecar pool.
Setting up the Azure Configuration
- Copy the following URL into your browser to download the requisite Azure Resource Manager (ARM) template:
https://netskope-dspm-release.s3.us-west-2.amazonaws.com/NetskopeDSPM-SidecarOnACI-ARM.json
- For the account where you will configure the custom template, log in to the Azure console.
- Using the search box, go to Deploy a Custom Template.
- Click on Build your own template in the editor.
- Click Load file, then select Netskope One DSPM’s custom sidecar template JSON file.
- The template JSON file’s content will now be displayed. Click Save at the bottom of the page.
- Under Project details, enter the following values:
Field | Value |
---|---|
Subscription | Pre-populated |
Resource Group | Any value |
- Under Instance details, enter the following values:
Field | Value |
---|---|
NetskopeDSPMHostName | Your tenant URL minus the protocol. For example, if your tenant is accessed using https://example.dspm.goskope.com , your value will be example.dspm.goskope.com . |
sidecarPoolToken | An existing sidecar token, or a new one generated in the Register Sidecar section above. |
vnetName | View your Azure virtual networks within the selected resource group. The VNet name appears in the left column, titled Name (for example, example-virtual-network). |
subnetName | Usually default. If there are multiple virtual networks/subnets, make sure you are inputting the relevant names. The Subnet Delegation field must be enabled with a delegation to container groups. |
- Click Review + create.
- You’ll see a validation screen with the information you entered above.
- Click Create.
- You’ll see your deployment in progress. This may take several minutes to complete.
- Once complete, you can expand the Deployment details section, then click the Resource name to see details of the sidecar container instances.

- In the left-hand menu, go to Settings > Containers to view details about the container group:
  - One container for the Netskope One DSPM sidecar.
  - One container for the classification engine.
- Click the Logs tab to view more detail on how sidecars are authenticating, running, and scanning your data stores.
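For a scripted deployment instead of the portal, the Instance details values can be written to an ARM parameters file, shown here as an added example that is not Netskope's own tooling. It assumes the template's parameter names match the four fields in the table above and that tenant hosts end in .dspm.goskope.com; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): ARM parameters file for the sidecar template.
# Assumption: parameter names equal the four Instance details fields on this page.

# Reduce a pasted tenant URL to the bare host name the template expects.
normalize_host() {
  h=${1#*://}   # drop "https://" if present
  h=${h%%/*}    # drop any path or trailing slash
  case "$h" in
    ""|*[!A-Za-z0-9.-]*) return 1 ;;
    *.dspm.goskope.com) printf '%s\n' "$h" ;;
    *) return 1 ;;   # assumption: tenants live under dspm.goskope.com
  esac
}

# Refuse empty values and characters that need JSON escaping (quote, backslash).
json_safe() {
  case "$1" in ""|*[\"\\]*) return 1 ;; *) return 0 ;; esac
}

# write_params FILE HOST TOKEN VNET SUBNET
write_params() {
  host=$(normalize_host "$2") || return 1
  for v in "$3" "$4" "$5"; do json_safe "$v" || return 1; done
  ( umask 077   # the pool token is a credential: create the file owner-only
    cat > "$1" <<EOF
{
  "\$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "NetskopeDSPMHostName": { "value": "$host" },
    "sidecarPoolToken": { "value": "$3" },
    "vnetName": { "value": "$4" },
    "subnetName": { "value": "$5" }
  }
}
EOF
  )
}

# Usage (needs the Azure CLI and the template file downloaded from the URL above):
#   write_params params.json "$HOST" "$TOKEN" "$VNET" "$SUBNET"
#   az deployment group what-if --resource-group <resource-group> \
#     --template-file NetskopeDSPM-SidecarOnACI-ARM.json --parameters @params.json
```

Delete the parameters file once the deployment has finished, since it holds the pool token in clear text.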
Validate Sidecar Connection
When deploying a sidecar, you’ll need to ensure that the sidecar can reach your tenant. Take the following steps to verify connectivity from the sidecar.
- SSH to the sidecar.
- Run the following command, substituting [TENANT] with your tenant name:
  curl https://[TENANT].dspm.goskope.com/api/pulse
A successful response will resemble the following:
  {"version":"10.0.0.311","build_target":"prod","deployment_type":"saas"}
Once a sidecar is running, you can validate that it is properly communicating with your Netskope One DSPM application.
- Log in to the Netskope One DSPM application.
- Go to Platform Settings > Sidecar.
- For the sidecar(s) in question, validate that the Version column is populated and its matching Status indicator is green.
It may take a few minutes for newly-running sidecars to communicate with the Netskope One DSPM application. If both values have not updated after 20 minutes, double-check that you configured your sidecars correctly and update the pool token, if necessary.
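A pre-flight check for the egress allow-list and the curl pulse step in this section, as an added example that is not part of the Netskope documentation: it builds the two allow-listed host names, maps curl exit codes to the likely network cause, and checks the pulse body. The tenant-name character set, the function names and the result labels are assumptions of this example.

```shell
#!/bin/sh
# Added example, not vendor code. Host names follow the page's allow-list;
# the tenant character set and the result labels are assumptions.

# Accept only a bare tenant label so a pasted URL never reaches curl.
valid_tenant() {
  case "$1" in
    ""|-*|*-|*[!a-z0-9-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# The two hosts the page says to allow on port 443.
sidecar_hosts() {
  valid_tenant "$1" || return 1
  printf '%s.dspm.goskope.com\n%s-sidecar.dspm.goskope.com\n' "$1" "$1"
}

# Map a curl exit status to the likely network cause.
classify_curl_exit() {
  case "$1" in
    0)     echo "reachable" ;;
    5|6)   echo "dns-or-proxy-resolution" ;;
    7|28)  echo "blocked-or-filtered" ;;
    35|60) echo "tls-intercepted-or-untrusted" ;;
    *)     echo "other-curl-error-$1" ;;
  esac
}

# True when the body has the three fields of the pulse response shown above.
is_pulse_body() {
  for key in version build_target deployment_type; do
    printf '%s' "$1" | grep -q "\"$key\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" || return 1
  done
}

# Network part: runs only when a tenant name is passed as $1.
if [ -n "${1:-}" ]; then
  valid_tenant "$1" || { echo "invalid tenant name" >&2; exit 2; }
  for host in $(sidecar_hosts "$1"); do
    rc=0
    curl -sS -o /dev/null --proto '=https' --connect-timeout 5 --max-time 15 \
      "https://$host/" || rc=$?
    echo "$host:443 $(classify_curl_exit "$rc")"
  done
  body=$(curl -sS --fail --proto '=https' --max-time 15 \
    "https://$1.dspm.goskope.com/api/pulse") || exit 1
  is_pulse_body "$body" || { echo "unexpected pulse body" >&2; exit 1; }
  echo "pulse OK"
fi
```

A certificate failure (curl exit 35 or 60) on a host that connects usually points to a TLS-inspecting proxy on the egress path rather than a closed port.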