Troubleshooting NPA Allowlisting for Specific Domains in AWS

If you cannot allowlist specific domains (.docker.com, .docker.io, *.ubuntu.com) in the AWS security group that locks down your Netskope Private Access (NPA) Publisher, the cause is that AWS security groups match traffic on IP addresses and CIDR ranges (or on other security groups and prefix lists), never on DNS names. Allowlisting the addresses those domains currently resolve to is not a reliable substitute: they are typically served from content delivery networks whose address ranges change, so the rules silently break and Publisher updates fail.

Environments

AWS (Security Groups), Netskope Private Access (NPA), Netskope Publisher

Resolution

To resolve this issue, place a proxy between the Netskope Publisher and the domains it needs, and lock the security group down to the proxy instead of the domains:

  1. Determine whether you are using Netskope Secure Web Gateway (SWG).
  2. If you are using Netskope SWG, follow the Netskope documentation to configure the Publisher for software updates through an explicit proxy.
  3. If you are not using Netskope SWG, set up a generic proxy server in your environment and restrict it to the required domains so it does not become an unrestricted egress path.
  4. Configure the Netskope Publisher to send its outbound connections to the required domains (.docker.com, .docker.io, *.ubuntu.com) through the proxy server.
  5. Update the AWS security group rules to allow traffic from the Publisher to the proxy server on the proxy port only; the Publisher needs no direct outbound rule for those domains.
  6. Test the configuration: confirm that the Publisher downloads updates through the proxy, and that a request to a domain outside the allowlist is refused.
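The following script is an added example of steps 3 to 6 for the non-SWG case; it is not Netskope's tooling or the page's own code. It generates a Squid allowlist, the apt and Docker daemon proxy settings on an Ubuntu host (an assumption about how the Publisher host fetches packages and images; the page does not specify), and the AWS CLI commands for the security-group pair. The proxy hostname proxy.internal, the Publisher subnet 10.0.1.0/24 and the two security-group IDs are placeholders. Squid's `dstdomain` treats a leading dot as "this domain and every subdomain", which is also what `*.ubuntu.com` on the page means.

```shell
#!/bin/sh
# Added example (not Netskope's code). All hostnames, CIDRs and IDs below are
# assumed placeholders; override them via the environment before running.
PROXY_HOST="${PROXY_HOST:-proxy.internal}"            # assumed proxy hostname
PROXY_PORT="${PROXY_PORT:-3128}"
PUBLISHER_CIDR="${PUBLISHER_CIDR:-10.0.1.0/24}"       # assumed Publisher subnet
PUBLISHER_SG="${PUBLISHER_SG:-sg-0123456789abcdef0}"  # placeholder SG ID
PROXY_SG="${PROXY_SG:-sg-0fedcba9876543210}"          # placeholder SG ID

# Squid config for the proxy host. A leading dot in dstdomain matches the
# domain and all its subdomains. Only the Publisher subnet may use the proxy,
# only for the update domains, and the trailing "deny all" refuses everything
# else, so the proxy cannot be used as a general egress path.
squid_conf() {
    cat <<EOF
http_port ${PROXY_PORT}
acl publishers src ${PUBLISHER_CIDR}
acl update_sites dstdomain .docker.com .docker.io .ubuntu.com
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow publishers update_sites
http_access deny all
EOF
}

# apt on the Publisher host: /etc/apt/apt.conf.d/80proxy (assumed location).
apt_proxy_conf() {
    printf 'Acquire::http::Proxy "http://%s:%s";\nAcquire::https::Proxy "http://%s:%s";\n' \
        "$PROXY_HOST" "$PROXY_PORT" "$PROXY_HOST" "$PROXY_PORT"
}

# Docker daemon on the Publisher host: systemd drop-in
# /etc/systemd/system/docker.service.d/http-proxy.conf (assumed location),
# followed by "systemctl daemon-reload && systemctl restart docker".
docker_proxy_dropin() {
    cat <<EOF
[Service]
Environment="HTTP_PROXY=http://${PROXY_HOST}:${PROXY_PORT}"
Environment="HTTPS_PROXY=http://${PROXY_HOST}:${PROXY_PORT}"
Environment="NO_PROXY=localhost,127.0.0.1"
EOF
}

# Security-group rules, printed for review rather than executed: Publisher
# egress to the proxy SG on the proxy port, and the matching proxy ingress.
# The lockdown is assumed to have already removed the default 0.0.0.0/0 egress.
# Apply with: sg_rule_cmds | sh
sg_rule_cmds() {
    cat <<EOF
aws ec2 authorize-security-group-egress --group-id ${PUBLISHER_SG} --ip-permissions IpProtocol=tcp,FromPort=${PROXY_PORT},ToPort=${PROXY_PORT},UserIdGroupPairs=[{GroupId=${PROXY_SG}}]
aws ec2 authorize-security-group-ingress --group-id ${PROXY_SG} --ip-permissions IpProtocol=tcp,FromPort=${PROXY_PORT},ToPort=${PROXY_PORT},UserIdGroupPairs=[{GroupId=${PUBLISHER_SG}}]
EOF
}

# Step 6, run from the Publisher host: the update domains must be reachable
# through the proxy, and an off-list domain must get Squid's 403.
check_proxy() {
    proxy="http://${PROXY_HOST}:${PROXY_PORT}"
    for url in https://registry-1.docker.io/v2/ https://download.docker.com/ https://archive.ubuntu.com/; do
        curl -sS -o /dev/null -x "$proxy" -w "%{http_code} $url\n" "$url" || return 1
    done
    code=$(curl -s -o /dev/null -x "$proxy" -w '%{http_code}' http://example.com/ || true)
    [ "$code" = "403" ] || { echo "proxy allowed an off-list domain (got $code)" >&2; return 1; }
    echo "proxy allowlist OK"
}

# Usage: RUN_SETUP=1 ./npa-proxy.sh writes the config fragments to the current
# directory for review; nothing is installed or applied automatically.
if [ "${RUN_SETUP:-0}" = "1" ]; then
    squid_conf > squid.conf
    apt_proxy_conf > 80proxy
    docker_proxy_dropin > http-proxy.conf
    sg_rule_cmds > sg-rules.sh
fi
```

Keep the Squid ACL order as written: the `deny all` must stay last, and the `publishers` source restriction is what stops other hosts in the VPC from borrowing the proxy. The `check_proxy` negative test is the part that catches a misordered or missing deny.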