Instructions
Overview
With this deployment type, the Prisma Cloud App-Embedded Defender acts as a reverse proxy sitting in front of the protected application. It receives traffic from an internet-facing source (e.g. an ALB) on one port and forwards it to the protected app on another port.

In this example, external traffic hits the ALB on port 80. The ALB forwards it to the task on port 80, where the Defender proxy is listening. If the request passes inspection, the Defender forwards it to the app on port 8080.

This means users do not need to specify a port number when accessing the app, e.g. http://example.com
Build Docker image
- Build & push the Flask "fargate-demo" image:

```shell
APP_DIR=$PWD/App APP_NAME=fargate-app ./update_image.sh
```

- Update the `container_image` variable in the `terraform.tfvars` file to match your account number & desired region.
- Spin up the cloud infrastructure:

```shell
cd Infra
terraform init
terraform apply
```
Definition update
- Log into the AWS console & obtain a JSON copy of your Task Definition.
- Log into Prisma Cloud and navigate to "Compute" --> "Defenders" --> "Manual Deploy" --> "Container Defender - App-Embedded".
- Select "Native Fargate" from the "Template type" dropdown.
- Paste your Task Definition into the "Insert task definition" field.
- Click "Generate protected task".
- Extract the "containerDefinitions" array from the output.
- In the AWS console, create a new "JSON" revision of your task.
- Replace the revision's "containerDefinitions" array with the one you extracted above.
- Replace the Prisma Cloud Defender's empty `"portMappings": []` with the following (on Fargate, `hostPort` must equal `containerPort`):

```json
"portMappings": [
    {
        "containerPort": 80,
        "hostPort": 80,
        "protocol": "tcp"
    }
]
```
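The JSON surgery above can be scripted instead of done by hand in the console. The following is an added example, not code from this repo or from Prisma Cloud: it takes the original task definition, swaps in the Defender-generated `containerDefinitions`, exposes the Defender on port 80, and checks that no two containers claim the same port (all containers in an awsvpc task share one network namespace). The sample task definitions are constructed for illustration and do not reproduce Prisma Cloud's real generated output; the container name `TwistlockDefender` is the one used in the load-balancer step below, and the read-only fields stripped are the ones `register-task-definition` rejects.

```python
"""Build a protected ECS task-definition revision from Defender output.

Added example (not part of the original page or the Prisma Cloud product).
The sample task definitions below are constructed for illustration only.
"""
import copy
import json

# Fields present in console / describe-task-definition JSON that
# register-task-definition rejects; strip them before creating a revision.
READ_ONLY_FIELDS = {
    "taskDefinitionArn", "revision", "status", "requiresAttributes",
    "compatibilities", "registeredAt", "registeredBy", "deregisteredAt",
}

DEFENDER_NAME = "TwistlockDefender"  # Defender container name used in the ALB step
PROXY_PORT = 80                      # port the Defender proxy listens on (ALB target)


def check_port_mappings(container_definitions):
    """Validate port mappings for an awsvpc/Fargate task.

    Every container shares one network namespace, so no two containers may
    claim the same containerPort, hostPort must equal containerPort, and the
    ALB-facing port must belong to the Defender. Returns {port: container}.
    """
    owner = {}
    for c in container_definitions:
        for pm in c.get("portMappings", []):
            port = pm["containerPort"]
            if pm.get("hostPort", port) != port:
                raise ValueError(f"{c['name']}: hostPort must equal containerPort on Fargate")
            if port in owner:
                raise ValueError(f"port {port} claimed by both {owner[port]} and {c['name']}")
            owner[port] = c["name"]
    if owner.get(PROXY_PORT) != DEFENDER_NAME:
        raise ValueError(f"port {PROXY_PORT} must belong to {DEFENDER_NAME}, not {owner.get(PROXY_PORT)}")
    return owner


def build_protected_revision(original_task, generated_output):
    """Return the JSON body for a new revision: the original task settings with
    the generated containerDefinitions and the Defender exposed on PROXY_PORT."""
    revision = copy.deepcopy(original_task)
    for field in READ_ONLY_FIELDS:
        revision.pop(field, None)

    revision["containerDefinitions"] = copy.deepcopy(generated_output["containerDefinitions"])

    defenders = [c for c in revision["containerDefinitions"] if c.get("name") == DEFENDER_NAME]
    if len(defenders) != 1:
        raise ValueError(f"expected exactly one {DEFENDER_NAME} container, found {len(defenders)}")
    defenders[0]["portMappings"] = [
        {"containerPort": PROXY_PORT, "hostPort": PROXY_PORT, "protocol": "tcp"}
    ]

    check_port_mappings(revision["containerDefinitions"])
    return revision


# Constructed sample: what a copied console task definition looks like (hypothetical values).
ORIGINAL_TASK = {
    "taskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/fargate-demo:1",
    "family": "fargate-demo",
    "revision": 1,
    "status": "ACTIVE",
    "networkMode": "awsvpc",
    "requiresCompatibilities": ["FARGATE"],
    "cpu": "256",
    "memory": "512",
    "containerDefinitions": [
        {"name": "fargate-app", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/fargate-app:latest",
         "essential": True,
         "portMappings": [{"containerPort": 8080, "hostPort": 8080, "protocol": "tcp"}]},
    ],
}

# Constructed sample standing in for the "Generate protected task" output;
# it does NOT reproduce the real Defender container definition.
GENERATED_OUTPUT = {
    "containerDefinitions": [
        {"name": DEFENDER_NAME, "image": "registry.example/defender:latest",  # hypothetical image
         "essential": False, "portMappings": []},
        ORIGINAL_TASK["containerDefinitions"][0],
    ],
}

if __name__ == "__main__":
    # Write the revision to stdout; feed it to the console JSON editor or to
    # `aws ecs register-task-definition --cli-input-json file://protected.json`.
    print(json.dumps(build_protected_revision(ORIGINAL_TASK, GENERATED_OUTPUT), indent=2))
```

Run it against your own copied task definition and the generated output by replacing the two sample dictionaries (or loading them with `json.load`); the port check is what catches the common mistake of leaving the app itself mapped to 80, which would collide with the Defender in the shared network namespace.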
New service
Note: AWS does not allow an existing Service to be updated when the portMappings of its load-balanced container have changed. Therefore, we need to create a new service.

- Create a new service using the new revision you created above.
- Under "Networking", select the "fargate-demo-vpc" from the "VPC" dropdown.
- Under "Subnets", deselect the private subnets.
- Select the two "fargate" security groups.
- Under "Load balancing", select "Application Load Balancer", then "Create a new load balancer".
- Under "Choose container to load balance", select "TwistlockDefender 80:80" (the Defender proxy, not the app container).
- Click "Create". This will trigger a CloudFormation deployment that will spin up the required infrastructure.

Once the service's tasks are running, browse to the ALB's hostname. The app should be reachable on the default port, with the Defender proxy inspecting every request before it reaches the app on 8080.