Prisma Cloud Compute: How to configure an AWS Network Load Balancer

Prisma Cloud Compute: How to configure an AWS Network Load Balancer

14872
Created On 11/11/19 22:26 PM - Last Modified 04/21/22 19:20 PM


Objective


This guide shows you how to configure a Network Load Balancer in AWS for Twistlock Console. Console serves its UI and API on ports 8081 (HTTP) and 8083 (HTTPS). And Defender communicates with Console over a websocket on port 8084. You’ll set up a single load balancer to forward requests for both port 8083 and 8084 to Console, with the load balancer checking Console’s health using the /api/v1/_ping endpoint on port 8081.

Environment


  • Prisma Cloud Compute
  • Self-Hosted 19.11 or later

Procedure


Prerequisites
  • Console is fully operational. You have created your first admin user, entered your license key, and you can access the web interface.
Procedure
  1. Log into the AWS Management Console
  2. Go to Services > Compute > EC2
  3. In the left menu, go to LOAD BALANCING > Load Balancers
  4. Create a load balancer:
    1. Click Create Load Balancer
    2. In Network Load Balancer, click Create
    3. Give your load balancer a name, such as tw-nlb
    4. Create the following listener configuration:
      1. Load Balancer Protocol: TCP
      2. Load Balancer Port: 8083
      3. Load Balancer Protocol: TCP
      4. Load Balancer Port: 8084
    5. Select a VPC. Make sure your instance is in the same VPC
    6. Click Next Configure Routing
    7. Select a Target group if already defined. If not, select New target group
    8. Give your target group a name, such as tw-8083
    9. Create the following listener configuration:
      1. Protocol: TCP
      2. Port: 8083
      3. Target type: instance
      4. Health Checks
      5. Protocol: HTTP
      6. Path: /api/v1/_ping
    10. Under Advanced health check settings select
      1. Port: override 8081
    11. Click Next: Register Targets
    12. Search for your instance by name, select it, and click on Add to registered
    13. Click Next: Review > Create
  5. Configure an additional Target Group for port 8084
    1. In the left menu, go to LOAD BALANCING > Target Groups
    2. Click Create target group
    3. Give your target group a name, such as tw-8084:
      1. Protocol: TCP
      2. Port: 8084
      3. Target type: instance
      4. VPC: <same as that of instance>
      5. Health check settings
      6. Protocol: HTTP
      7. Path: /api/v1/_ping
    4. Under Advanced health check settings select
      1. Port: override 8081
    5. Click Create
    6. After target group is created, click on the Targets tab of the selected target group (tw-8084, in this example)
    7. Click Edit
    8. Search for your instance by name, select it, click Add to registered, then click Save
  6. Configure your load balancer to direct TCP traffic on 8084 to your newly created target group (tw-8084)
    1. In the left menu, go to LOAD BALANCING > Load Balancers, then click on your load balancer (tw-nlb)
    2. Click the Listeners tab
    3. Select TCP: 8084 under Listener ID
    4. Click Edit
    5. Delete the existing Default action
    6. Click Add action > Forward to > tw-8084
    7. Select the checkbox to add your entry, then click Update

Additional Information


For complete install procedure on Amazon ECS environment, follow steps in Install Twistlock on Amazon ECS.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNQeCAO&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language