Troubleshooting NPA Allowlisting for Specific Domains in AWS
If you are having difficulty creating an allowlist for specific domains (*.docker.com, *.docker.io, *.ubuntu.com) within your Netskope Private Access (NPA) configuration, the reason is that AWS security group rules match on IP address ranges only, not on domain names. This limitation prevents you from directly allowlisting these domains for NPA lockdown purposes.
Environments
AWS (Security Groups), Netskope Private Access (NPA), Netskope Publisher
Resolution
To resolve this issue, use a proxy for the Netskope Publisher to access the mentioned domains:
- Determine if you are using Netskope Secure Web Gateway (SWG).
- If you are using Netskope SWG, follow the steps in the Netskope documentation to configure the Publisher for software updates via an explicit proxy.
- If you are not using Netskope SWG, set up a generic proxy server in your environment.
- Configure the Netskope Publisher to use the proxy server for outbound connections to the required domains (*.docker.com, *.docker.io, *.ubuntu.com).
- Update the AWS security group rules to allow traffic from the Publisher to the proxy server.
- Test the configuration to ensure the Publisher can successfully download updates through the proxy.
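Because the security group can only restrict the Publisher to the proxy's address and port, the domain allowlist itself has to be enforced on the proxy. The following squid.conf fragment is an added example of such a generic proxy configuration and is not part of the Netskope documentation; it assumes Squid as the proxy, port 3128 as the listener, and a constructed placeholder subnet 10.0.1.0/24 for the Publisher.

```squid
# Listener port that the Publisher is configured to use as its explicit proxy.
http_port 3128

# Only the NPA Publisher subnet may use this proxy (constructed placeholder range).
acl publisher_net src 10.0.1.0/24

# Destination domains the Publisher needs for software updates. A leading dot
# in a dstdomain ACL matches the domain itself and every subdomain, which is
# the equivalent of the *.docker.com / *.docker.io / *.ubuntu.com wildcards.
acl npa_update_domains dstdomain .docker.com .docker.io .ubuntu.com

acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Refuse anything that is not plain HTTP/HTTPS, and CONNECT tunnels to non-TLS ports.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Allow the Publisher to reach exactly the allowlisted domains; everything else is denied.
http_access allow publisher_net npa_update_domains
http_access deny all

# Do not cache update artifacts; keep the proxy a pass-through.
cache deny all
```

For the test step above, a request from the Publisher to an allowlisted host should appear in Squid's access.log as allowed, while a request to any other host should be logged as TCP_DENIED.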