Identity-Based Microsegmentation Guide
LAST UPDATED: November 8, 2021

System requirements

Compatibility

Microsegmentation is incompatible with the following.

Connectivity

Enforcer hosts must be able to access the aporeto.com and prismacloud.io domains, as well as any subdomains. To pull down our container images, the enforcer hosts must be able to access gcr.io. If you have firewalls blocking this traffic, add *.aporeto.com, gcr.io, *.prismacloud.io, *.network.prismacloud.io to their allow lists.

Certificate authority

The Microsegmentation Console uses a Let’s Encrypt certificate authority. Ensure that the enforcer hosts trust Let’s Encrypt certificate authorities. In most environments, it should be trusted by default.

Windows hosts

The host must have a minimum of 2vCPUs and 2GB RAM to deploy the Enforcer successfully.

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2

Clusters

Feature Requirement
Orchestrator Kubernetes 1.16 or later—deployed on AKS, EKS, or GKE*
OpenShift Container Platform 4.6
Nodes Linux (Windows hosts not supported)
Networking CNI plugin required (kubenet networking not supported)
Service mesh Istio 1.8

* To deploy the enforcer on GKE, you must have Kubernetes Engine Admin permissions.

TIP

The enforcer ignores Fargate and other serverless workloads at this time.

Linux hosts

You can deploy the enforcer on the following distributions. The host must have a minimum of 2vCPUs and 2GB RAM to deploy the Enforcer successfully.

Distribution Versions
Amazon Linux 2
CentOS 7.9, 8.0–8.3
Debian 9.8
Oracle Enterprise Linux 7.5, 7.6
Red Hat Enterprise Linux 7.1–7.9, 8.0–8.3
SuSE Linux 12.5
Ubuntu 16.04, 18.04, 20.04

Linux kernel

Kubernetes, OpenShift, and Linux host installations require the following.

Kernel capabilities

  • CAP_SYS_PTRACE: to access the /proc file system. Example: /proc/<pid>/root
  • CAP_NET_ADMIN: to program iptables.
  • CAP_NET_RAW: the enforcer uses raw sockets for the UDP datapath and in diagnostic ping implementations
  • CAP_SYS_RESOURCE: to set and override resource limits (setrlimit syscall)
  • CAP_SYS_ADMIN: to call, mount, and load extended Berkeley Packet Filter (eBPF)
  • CAP_SYS_MODULE: to ensure kernel modules are loaded like ip_tables, iptable_mangle, etc. (see list above). No proprietary kernel module is loaded.

Kernel modules

  • net/netfilter/xt_cgroup.ko: module to match the process control group.
  • net/netfilter/xt_limit.ko: rate-limit match
  • net/netfilter/xt_multiport.ko: multiple port matching for TCP, UDP, UDP-Lite, SCTP and DCCP
  • net/netfilter/xt_connmark.ko: connection mark operations
  • net/netfilter/xt_REDIRECT.ko: connection redirection to localhost
  • net/netfilter/xt_string.ko: string-based matching
  • net/netfilter/xt_HMARK.ko: packet marking using hash calculation
  • net/netfilter/xt_LOG.ko: IPv4/IPv6 packet logging
  • net/netfilter/xt_bpf.ko: BPF filter match
  • net/netfilter/xt_state.ko: ip[6]_tables connection tracking state match module
  • net/netfilter/xt_set.ko: IP set match and target module
  • net/netfilter/nf_nat_redirect.ko: used by xt_REDIRECT
  • net/netfilter/nf_log_common.ko: used by nf_log_ipv4
  • net/ipv6/netfilter/nf_conntrack_ipv6.ko: Linux connection tracking table
  • net/ipv4/netfilter/nf_log_ipv4.ko: Netfilter IPv4 packet logging
  • net/netfilter/ipset/ip_set.ko: core IP set support, used by ip_set_bitmap_port,xt_set,ip_set_hash_net,ip_set_hash_netport
  • net/netfilter/ipset/ip_set_bitmap_port.ko: Ipset: bitmap:port
  • net/netfilter/ipset/ip_set_hash_netport.ko: Ipset: hash:net,port
  • net/netfilter/ipset/ip_set_hash_net.ko: Ipset: hash:net
  • lib/ts_bm.ko: Boyer-Moore string matching algorithm
  • net/sched/cls_cgroup.ko: Control Group Classifier
  • ip_tables.ko: iptables
  • iptable_nat.ko: iptables NAT table support
  • iptable_mangle.ko: iptables mangle table support

Other dependencies

  • elfutils-libelf
  • conntrack-tools
  • ipset