Instructions

Overview

With this deployment type, Prisma Cloud acts as a proxy by sitting in front of the protected application. It receives traffic from an internet-facing source (e.g. an ALB) on one port and sends the traffic on to the protected app via another port.

In this example, external traffic hits the ALB on port 80. The ALB then forwards the traffic to the task on port 80, where the Prisma Cloud proxy (the Defender container) is listening. If the payload is clean, the traffic is then forwarded to the app on port 8080.

This means users do not need to specify a port number when accessing the app, e.g. http://example.com.

Build Docker image

  1. Build & push the Flask "fargate-demo" image:
       APP_DIR=$PWD/App APP_NAME=fargate-app ./update_image.sh
  2. Update the container_image variable in the terraform.tfvars file to match your account number & desired region.
  3. Spin up the cloud infrastructure:
       cd Infra
       terraform init
       terraform apply

Definition update

  1. Log into the AWS console & obtain a JSON copy of your Task Definition.
  2. Log into Prisma Cloud and navigate to "Compute" --> "Defenders" --> "Manual Deploy" --> "Container Defender - App-Embedded".
  3. Select "Native Fargate" from the "Template type" dropdown.
  4. Paste your Task Definition into the "Insert task definition" field.
  5. Click "Generate protected task".
  6. Extract the "containerDefinitions" array from the output.
  7. In the AWS console, create a new "JSON" revision of your task.
  8. Replace the revision's "containerDefinitions" array with the one you extracted above.
  9. Replace the Prisma Cloud Defender's "portMappings": [] with the following:
       "portMappings": [
         {
           "containerPort": 80,
           "hostPort": 80,
           "protocol": "tcp"
         }
       ]
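The JSON edits in steps 6 to 9 are easy to get wrong by hand, so here is an added Python helper (not part of this repository's scripts) that performs them: it copies the generated containerDefinitions array into a new revision of the original task definition, sets the Defender container's portMappings to 80/tcp, and refuses to proceed if another container in the task already maps port 80, since all containers in a Fargate task share one network interface. The Defender container name "TwistlockDefender" is the one shown in the service step below; the two sample task definitions are constructed, and the image URIs in them are placeholders.

```python
import copy
import json

DEFENDER_NAME = "TwistlockDefender"  # name of the injected Defender container (see the service step)
PROXY_PORT = 80                      # the Defender proxy listens here; the Flask app stays on 8080


def build_protected_revision(original_task, protected_task):
    """Apply steps 8 and 9: new revision = original task + generated containers + Defender port 80."""
    revision = copy.deepcopy(original_task)
    # Step 8: swap in the containerDefinitions array produced by "Generate protected task".
    revision["containerDefinitions"] = copy.deepcopy(protected_task["containerDefinitions"])

    defenders = [c for c in revision["containerDefinitions"] if c.get("name") == DEFENDER_NAME]
    if len(defenders) != 1:
        raise ValueError(f"expected exactly one {DEFENDER_NAME} container, found {len(defenders)}")

    # Containers in a Fargate task share one network interface, so only the Defender may bind 80.
    for container in revision["containerDefinitions"]:
        if container is defenders[0]:
            continue
        for mapping in container.get("portMappings", []):
            if mapping.get("containerPort") == PROXY_PORT:
                raise ValueError(f"container {container.get('name')!r} already maps port {PROXY_PORT}")

    # Step 9: replace the Defender's empty portMappings with the 80:80 mapping from the guide.
    defenders[0]["portMappings"] = [{"containerPort": PROXY_PORT, "hostPort": PROXY_PORT, "protocol": "tcp"}]
    return revision


# Constructed sample input: a minimal Fargate task running the Flask app on 8080.
ORIGINAL_TASK = {
    "family": "fargate-demo",
    "networkMode": "awsvpc",
    "containerDefinitions": [
        {"name": "fargate-app", "image": "ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/fargate-app:latest",
         "portMappings": [{"containerPort": 8080, "hostPort": 8080, "protocol": "tcp"}]},
    ],
}

# Constructed stand-in for the Prisma Cloud output: the app container plus the injected
# Defender, whose portMappings array is empty exactly as the guide describes.
PROTECTED_TASK = {
    "containerDefinitions": ORIGINAL_TASK["containerDefinitions"]
    + [{"name": DEFENDER_NAME, "image": "DEFENDER_IMAGE_PLACEHOLDER", "portMappings": []}],
}

if __name__ == "__main__":
    print(json.dumps(build_protected_revision(ORIGINAL_TASK, PROTECTED_TASK), indent=2))
```

Paste the printed JSON into the new revision in the AWS console; the original and generated inputs are left unmodified so the script can be re-run safely.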

New service

Note: AWS does not allow a Service to be updated if its portMappings have changed. Therefore, we need to create a new service.

  1. Create a new service using the new revision you created above.
  2. Under "Networking", select the "fargate-demo-vpc" from the "VPC" dropdown.
  3. Under "Subnets", deselect the private subnets.
  4. Select the two "fargate" security groups.
  5. Under "Load balancing", select "Application Load Balancer", then "Create a new load balancer".
  6. Under "Choose container to load balance", select "TwistlockDefender 80:80".
  7. Click "Create". This will trigger a CloudFormation deployment that will spin up the required infrastructure.

Browse to the ALB's hostname.