Netskope Help

Install Netskope Cloud Exchange with AWS ECS Fargate

Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture.

Cloud Exchange consumes valuable Netskope telemetry and external threat intelligence and risk scores, enabling improved policy implementation, automated service ticket creation, and exportation of log events from the Netskope Security Cloud.

To learn more about Netskope Cloud Exchange, refer to the Netskope Cloud Exchange introduction page.

Amazon Elastic Container Service (Amazon ECS) is a fully managed container orchestration service that makes it easy for you to deploy, manage, and scale containerized applications.

AWS Fargate is a serverless, pay-as-you-go compute engine that lets you focus on building applications without managing servers. AWS Fargate is compatible with Amazon Elastic Container Service (ECS). To learn more about Amazon ECS, follow the Amazon ECS documentationGo-to-Icon.png. To learn more about AWS Fargate, follow the AWS Fargate documentationGo-to-Icon.png.

This document will guide you how to deploy Netskope Cloud Exchange using AWS Fargate on Amazon ECS.

This solution consists of the following components:

  • CloudExchangeTemplate.yaml AWS CloudFormation template that deploys the following resources:

    • Amazon EFS filesystem for Netskope Cloud Exchange

    • Custom resource AWS Lambda function to create initial directory structure on the Amazon EFS filesystem above

    • NetskopeCloudExchangeTaskRole and NetskopeCloudExchangeTaskExecutionRole AWS IAM roles

    • NetskopeCETaskSecurityGroup will be used by the Netskope CE task.

  • CloudExchangeTaskDefinition.json: Task Definition json file used to create a new task definition for the Netskope Cloud Exchange

Architecture Diagram

The following prerequisites are required to implement Netskope Cloud Exchange on AWS Fargate for Amazon ECS:

  • Existing Amazon VPC with minimum of two subnets in different Availability Zones and outbound connectivity to the Netskope NewEdge platform, third party applications and partnersʼ platforms youʼre planning to integrate Netskope Cloud Exchange with, as well as with a regional endpoint for Amazon S3 for the Custom Resource AWS Lambda function to report it status to Amazon CloudFormations. To enable Netskope Cloud Exchange communicating with external third-party services, we recommend deploying Amazon Nat GatewayGo-to-Icon.png in your VPC.

  • Existing Amazon ECS cluster where Netskope Cloud Exchange task will be running. To learn how to work with Amazon ECS, refer to the tutorials hereGo-to-Icon.png.

  • The latest version of the AWS CLI is installed and configured. For more information about installing or upgrading your AWS CLI, refer to Installing the AWS Command Line InterfaceGo-to-Icon.png.

  • This solution guide assumes working knowledge with the AWS management console and AWS CLI. We also recommend that you become familiar with the following AWS services:

This section explains how to configure Amazon EFS Filesystem, AWS Custom resource Lambda function, IAM roles and Netskope CE Task Security group using CloudExchangeTemplate.yaml and create a Netskope Cloud Exchange Task Definition.

Download the CloudExchangeTemplate.yaml and CloudExchangeTaskDefinition.json to your computer.

Configure the CloudFormation Stack on the AWS Security Management Account

Sign into the AWS Security Management account as administrator and deploy the Netskope Cloud Exchange CloudFormations stack.

  1. Go to the AWS CloudFormation management console and choose the region youʼd like to deploy the automation solutions in the Security Management account.

  2. Click Create Stack and select With new resources (standard).

  3. Select Upload a template file and click Choose file. Choose the CloudExchangeTemplate.yaml from the directory on your disk where you downloaded it, click Open, and then click Next.

  4. Enter the stack name and the parameters for your deployment:

    Existing VPC Id

    Enter the existing VPC Id where Netskope Cloud Exchange will be deployed

    Existing Private Subnet ID 1

    Enter the first Subnet ID where the EFS filesystem for Netskope Cloud Exchange will be deployed. Note that custom resource Lambda function in this stack should be able to communicate from this subnet to the Amazon S3 regional endpoint.

    Existing Private Subnet ID 2

    Enter the second Subnet ID where the EFS filesystem for Netskope Cloud Exchange will be deployed. Note that custom resource Lambda function in this stack should be able to communicate from this subnet to the Amazon S3 regional endpoint.

  5. Click Next.

  6. Optionally, enter the Tags for your CloudFormation stack, and/or click Next.

  7. Acknowledge creating IAM resources and click Create stack.

  8. When CloudFormation stack is in the CREATE_COMPLETE state, go to the Output tab and see the Security Group Id you will need to customize to allow Netskope Cloud Exchange access to the Netskope NewEdge and third-party platforms.

    Follow the instructions in the IP Allowlisting article on the Netskope Knowledge Portal to add the Netskope NewEdge IP addresses to the Netskope CE Task Security Group.

  9. Copy the EFS File System ID in the CloudFormation stack output. This will be used late on while creating the Netskope Cloud Exchange Task Definition for Amazon ECS.

Create a Netskope Cloud Exchange Task Definition
  1. Open the CloudExchangeTaskDefinition.json file for editing and replace all occurrences of these values as follows:

    /*AWS Region*/

    AWS Region where youʼre deploring the AWS Cloud Exchange. For example, us-east-2

    /*EFS FS Id*/

    AWS EFS File System ID created in by the CloudFormation template above and recorded in step 9 in the previous section.

    /*AWS Account ID*/

    AWS Account ID where Netskope Cloud Exchange been deployed.

  2. Using AWS CLI, create a new Amazon ECS Task Definition for Netskope Cloud Exchange:

    aws ecs register-task-definition --family NetskopeCloudExhange3-0 --cli-input-json file://CloudExchangeTaskDefinition.json

You can use the Netskope Cloud Exchange Task Definition to deploy AWS Fargate Task or Service according to your organizationʼs best practices using your existing automation tools.

Run Netskope Cloud Exchange as a service using AWS Fargate on Amazon ECS
  1. Log in to your Amazon ECS management console, go to Task Definitions, and select NetskopeCloudExchange3-0 task.

  2. Click Actions and then Create Service.

  3. Set the following parameters for the new service:

    Launch Type


    Operating system family


    Platform version



    Choose the Amazon ECS cluster youʼd like to run Netskope Cloud Exchange on

    Service name

    NetskopeCloudExchange (you can choose the name according to your preferences and best practices)

    Service type


    Number of tasks


    Minimum healthy percent


    Maximum percent


    Deployment circuit breaker


    Leave the other parameters unchanged and click Next step.

  4. Choose the same VPC and VPC Subnets you used to create an EFS File System using CloudExchangeTemplate.yaml.

    Choose the security group you noted previously and click Next step.

    For the best security practices, we do not recommend assigning a public IP address to the Netskope Cloud Exchange service, but rather accessing it using a private IP address, either via a jump host, Amazon Direct Connect or Netskope Private Access (NPA).

    When first installed, Cloud Exchange does not require an SSL certificate and the web server can be reached over an unencrypted connection. You can either front-end Netskope Cloud Exchange with a Application Load BalancerGo-to-Icon.png and deploy an SSL certificate there, or install a private SSL certificate on the Netskope Cloud Exchange. To learn how to install a private SSL certificate on the Netskope Cloud Exchange, refer to the documentation here. To learn how to create an HTTPS listener and install SSL certificate on the Application Load Balancer, refer to thisGo-to-Icon.png documentation.

    To enable Netskope Cloud Exchange communicating with external third-party services, we recommend deploying Amazon Nat GatewayGo-to-Icon.png.

  5. Leave Set Auto Scaling unchanged and click Next step.

  6. Review the configuration and click Create service.

  7. To monitor the task status, go to Clusters > your ECS cluster > Tasks and click on the NetskopeCloudExchange task.

Wait till the task status will be RUNNING with all four containers HEALTHY.

Now you can use the task Private IP address to log in to the Netskope Cloud Exchange.

After initial installation, Netskope Cloud Exchange is available via HTTP and you can access it via http://~. To secure access to the Netskope Cloud Exchange, follow the documentation mentioned in the step 4 above.

For complete documentation on how to use Netskope Cloud Exchange, refer to the Netskope Cloud Exchange documentation.