Netskope Private Access and Cloud Exchange running in AWS

Gary-Jenkins
Netskope

Overview

Netskope Private Access (NPA) can be used to secure workloads running in AWS, such as a deployment of Netskope's Cloud Exchange. In this solutions guide, NPA fronts a Cloud Exchange server that has no direct inbound internet access.

Requirements

  • Netskope tenant with a NPA license
  • Amazon Web Services account

Setup Steps

Netskope 

  • Configure a Netskope Publisher in your Tenant

Amazon Web Services

  • Deploy EC2 Netskope Publisher

Cloud Exchange

  • Setting up Cloud Exchange in AWS
    • Deploy EC2 Ubuntu Server
    • Add Access to Cloud Exchange via NPA
    • Setup Cloud Exchange on Ubuntu Server

Verify

  • Netskope Tenant sees your publisher
  • Check your client for the NPA tunnel
  • Try to access cloud exchange on your private IP

Configure a Netskope Publisher in your Tenant

Go to your Netskope Tenant > Settings > Security Cloud Platform > Publishers

Click New Publisher

Give your publisher a name

Save and Continue

Generate Token > Copy

Done

Deploy EC2 Netskope Publisher

Log into your AWS account and go to EC2. If you don’t see that on your main AWS dashboard you can search for EC2. 

Click Launch Instances

Add a name for your instance and search for "Netskope Publisher".

Select the Netskope Private Access Publisher

Once it brings you back to the configuration page, it will look like this. 

Key pair - Select or create a key pair so that you can SSH into the instance if needed.

Network settings - Let AWS create a security group automatically. When we add Cloud Exchange, we will put it in this same VPC (Cloud Exchange gets its own security group, covered below).

Block SSH.

Allow HTTPS - this allows the tunnel traffic into the NPA system. You can lock it down to an IP address range if you are always coming from the same CIDR.

Be sure to expand the Advanced details section to add your NPA registration token.

Scroll past all of the options to the bottom field named "User data" and paste the token. Once you have added your registration token, click Launch instance.

Verify 

Netskope Tenant sees your publisher

Go back to your Netskope tenant and verify that your publisher is Connected. 

Security Cloud Platform > Traffic Steering > Publishers

Setting up Cloud Exchange in AWS

Deploy EC2 Ubuntu Server

Log into your AWS account and go to EC2. If you don’t see that on your main AWS dashboard you can search for EC2. 

Click Launch Instances

Give your new instance a name and select Ubuntu 22.04 LTS

Select an Instance type. To help you decide on size, check out our Sizing the System section here:

https://docs.netskope.com/en/cloud-exchange-system-requirements.html 

Select or create a key pair. If you create the key, you will need to save it to your hard drive. We will use it to SSH to Cloud Exchange in a couple of steps, so note the path where you put it.

Since you are fronting this with Netskope's NPA, you don't need any inbound connection from the internet.

Network settings - Edit these to match the VPC that you put the NPA Publisher in.

Firewall (security groups) - you will need a new security group, since the Publisher's group allows HTTPS. This one doesn't need to allow any inbound traffic from the internet; you will only reach it through the NPA tunnel.

Configure the needed storage from the sizing guide. 

Review the summary and Launch instance. 

You will also need to add an inbound rule to that security group so that your Publisher can talk to your Cloud Exchange. Mine are both in this subnet and I just created an allow for the entire subnet.

Go to EC2 > Network & Security > Security Groups > <cloud exchange group>
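A way to check the resulting Cloud Exchange security group against this design, as an added example that is not part of the original post: it audits the JSON that `aws ec2 describe-security-groups --output json` returns, flagging rules open to the internet, ports other than 22 and 443, and sources wider than the Publisher's own security group. The sample JSON, group IDs and CIDRs are constructed for the example.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`
# for the Cloud Exchange group. Group IDs and CIDRs are made up for this example.
SAMPLE_SG_JSON = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-0ce00000000000000",
    "GroupName": "cloud-exchange-sg",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "172.31.32.0/20"}],  # allow for the whole subnet
         "UserIdGroupPairs": [{"GroupId": "sg-0pub0000000000000"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],  # SSH mistakenly opened to the world
         "UserIdGroupPairs": []},
    ]}]})

EXPECTED_PORTS = {22, 443}  # the two ports the NPA private app publishes


def audit_security_group(describe_output, publisher_sg_id):
    """Return (severity, message) findings; an empty list means the group is clean.

    fail: an inbound rule reachable from the internet, or a port other than 22/443.
    warn: a source broader than the publisher's security group (e.g. the subnet).
    """
    findings = []
    for sg in json.loads(describe_output)["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # "-1" = all
            rule = f"{sg['GroupId']} {perm['IpProtocol']} {lo}-{hi}"
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if lo != hi or lo not in EXPECTED_PORTS:
                findings.append(("fail", f"{rule}: port range outside 22/443"))
            for cidr in cidrs:
                if cidr in ("0.0.0.0/0", "::/0"):
                    findings.append(("fail", f"{rule}: open to the internet via {cidr}"))
                else:
                    findings.append(("warn", f"{rule}: CIDR source {cidr} is wider "
                                             f"than publisher group {publisher_sg_id}"))
            extra = sorted({g["GroupId"] for g in perm.get("UserIdGroupPairs", [])}
                           - {publisher_sg_id})
            if extra:
                findings.append(("warn", f"{rule}: also allows groups {extra}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_security_group(SAMPLE_SG_JSON, "sg-0pub0000000000000"):
        print(f"[{severity}] {message}")
```

Against a live account, replace the sample with the CLI output for your Cloud Exchange group and pass your Publisher's security group ID; a clean group returns no findings.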

Add Access to Cloud Exchange via NPA

Before you can SSH to Cloud Exchange to finish the setup, you will need to tell Netskope to allow that traffic down the NPA tunnel by adding it to the App Definition. You will also need the private IP address of your Cloud Exchange server. 

Private Address of Cloud Exchange

Go into your AWS Instances and select your new Ubuntu Server. It will list your Private IP. 

Now that you know your IP, create a new Private App for TCP 443 and 22. 

Security Cloud Platform > Traffic Steering > App Definition > Private Apps

Give your application a name, list the IP in the host field, add TCP 443 and 22, and Select your Publisher. 

Save

Steer your Client Traffic

Before your NPA traffic will go through the tunnel, you need to add your Private Apps to your Client Steering Configuration. 

Edit your config. 

Steer private apps

Save

After this is done, also make sure to assign a policy for the private app that allows the required traffic:

Go to Policies > Real-time Protection

Create a new policy specifically for the private app.

To check that everything is working, go back to Private Apps > Troubleshooter.

Click on your user to check whether the private app is accessible:

Make sure your client is enabled, and review any other results reported in the Troubleshooter:

Verify

Check your client for the NPA tunnel

Setup Cloud Exchange on Ubuntu Server

You will need to SSH to the instance to finish the setup.

SSH with the .pem file from your key pair.

The default user is ubuntu.

Here is the command I will use. 

ssh -i Alliances-Oregon.pem ubuntu@172.31.35.179

When I created my public key, I saved it in C:\User\gjenkins so I don’t need to add my path when I SSH. 

As you can see, it timed out the first time. I had forgotten to add SSH (TCP 22) to my AWS firewall rule. Once added, I was able to get there.

Update the system and load Docker

A Netskope employee, Nathan Catania, has created this guide for you to follow to set up Cloud Exchange on your new AWS instance.

https://community.netskope.com/t5/Blogs/A-Guide-to-Deploy-Netskope-Cloud-Exchange/ba-p/1143

Verify

Try to access Cloud Exchange on your private IP.

Check whether you can get there over the public IP address. It should fail. Since the server is only reached through the NPA tunnel, you can remove the public address from your EC2 instance.

This is how we can access Cloud Exchange as a private app using the Netskope Publisher.
