Allowing access to web servers
About allowing access to web servers
We deploy enforcers in discovery mode. All traffic is allowed and shown in the Platform pane of the Microsegmentation section of the Prisma Cloud web interface as green dashed lines to an any-tcp external network.
When you click on the green dashed line and select the Policies tab, you will see that the traffic is allowed due to the discovery-mode policy.
This section describes how to allow incoming layer 3 and 4 traffic to web servers and disable discovery mode.
- Authenticated to apoctl with the Namespace Administrator role
- MICROSEG_NS environment variable containing the Microsegmentation namespace of your web server
Creating an external network
In our example, we have a web server in the my-web-app Kubernetes namespace.
Use the following command to create an external network representing TCP connections on port 80 and 443 from any IP address.
It names the external network internet and assigns it the tag ext:name=internet.
cat <<EOF | apoctl api create externalnetwork -n $MICROSEG_NS -f -
name: internet
entries:
- 0.0.0.0/0
protocols:
- tcp
ports:
- "80"
- "443"
associatedTags:
- ext:name=internet
EOF
You may need to modify the ports values if the web server listens on a different port.
If there is a load balancer or a Kubernetes service fronting the web server, specify the port that it is listening on.
For example, you can run kubectl get services and check the port values it lists for each service. Make sure you add all of those values under ports.
If you’re not sure, go ahead and create the external network using the above definition.
You can edit it later.
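The port list can be derived from the service listing rather than copied by hand. The script below is an added example, not part of the Prisma Cloud documentation: it parses the PORT(S) column of a constructed kubectl get services listing, keeps only TCP service ports (the number before any ":nodePort" suffix), and renders the ports fragment of the external network definition. The service names, IPs and ports in SAMPLE_SERVICES are made up for the example.

```shell
#!/bin/sh
# Added example, not from the Prisma Cloud documentation: derive the "ports"
# list of the external network from `kubectl get services` output. The
# service listing below is constructed sample data; on a real cluster you
# would use the output of: kubectl get services -n my-web-app
SAMPLE_SERVICES='NAME      TYPE           CLUSTER-IP    EXTERNAL-IP    PORT(S)                      AGE
web       LoadBalancer   10.96.12.7    203.0.113.10   80:31080/TCP,443:31443/TCP   5d
metrics   ClusterIP      10.96.40.3    <none>         9100/TCP                     5d
dns-udp   ClusterIP      10.96.40.9    <none>         53/UDP                       5d'

# Print the distinct TCP service ports found in the PORT(S) column, one per
# line, sorted numerically. The service port is the number before any
# ":nodePort" suffix; UDP entries are dropped because the external network
# only lists tcp. An optional second argument restricts output to one service.
tcp_service_ports() {
    printf '%s\n' "$1" \
      | awk -v svc="$2" 'NR > 1 && (svc == "" || $1 == svc) { print $5 }' \
      | tr ',' '\n' \
      | awk -F'/' '$2 == "TCP" { split($1, p, ":"); print p[1] }' \
      | sort -n -u
}

# Render the "ports:" fragment in the shape the externalnetwork definition expects.
ports_yaml() {
    echo "ports:"
    tcp_service_ports "$1" "$2" | while read -r port; do
        printf '%s\n' "- \"$port\""
    done
}

# Ports for the service named "web" only:
ports_yaml "$SAMPLE_SERVICES" web
```

Run it without the service-name argument to see every TCP port exposed in the namespace; listing only the service that fronts the web server keeps the external network from accidentally covering ports (here 9100) that the policy should not open.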
Selecting the web server
Identify a tag or set of tags that allow you to uniquely identify the web server or group of web servers. It may help to open the Microsegmentation section of the Prisma Cloud web interface and review the tags of the processing units that represent the web servers.
Microsegmentation supports logical tag expressions, allowing you to link tags with ANDs and ORs. You may be able to come up with a tag expression that selects the web servers using the tags that they already have. Alternatively, you may want to add tags to the web servers to make it easier to select them.
Once you have determined the tag or tags, set an environment variable to contain each tag. We add four below.
export WEBSERVER="type=web-server"
export PROD="pu:state=prod"
export DEV="pu:state=dev"
export PU="\$identity=processingunit"
Because these values are stored as environment variables, you must escape any bash control characters. In the example above, we escape the $ bash control character by adding \ in front of it.
Creating a network policy to accept connections
Next, use one of the following commands to create a network policy that accepts incoming requests from the external network you just defined. We provide three examples below to show how to work with a single tag as well as multiple tags with both AND and OR relationships.
cat <<EOF | apoctl api create networkaccesspolicy -n $MICROSEG_NS -f -
name: allow-web-server
action: Allow
applyPolicyMode: IncomingTraffic
logsEnabled: true
subject:
- - ext:name=internet
object:
- - "$WEBSERVER"
EOF

cat <<EOF | apoctl api create networkaccesspolicy -n $MICROSEG_NS -f -
name: allow-web-server
action: Allow
applyPolicyMode: IncomingTraffic
logsEnabled: true
subject:
- - ext:name=internet
object:
- - "$WEBSERVER"
  - "$PU"
EOF

cat <<EOF | apoctl api create networkaccesspolicy -n $MICROSEG_NS -f -
name: allow-web-server
action: Allow
applyPolicyMode: IncomingTraffic
logsEnabled: true
subject:
- - ext:name=internet
object:
- - "$WEBSERVER"
  - "$PU"
  - "$PROD"
- - "$WEBSERVER"
  - "$PU"
  - "$DEV"
EOF
Observe how the hyphens allow you to specify AND and OR relationships between the tags.
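The AND/OR nesting and the escaping caveat above are easy to get wrong when the policy is assembled from environment variables. The script below is an added example, not part of the Prisma Cloud documentation: it renders the same networkaccesspolicy YAML from tag groups (each argument is one OR alternative; comma-separated tags within an argument are ANDed) and refuses to emit a policy when a tag has lost its key, which is what happens when $identity is not escaped and expands to an empty string. It only prints YAML; the apoctl invocation to pipe it into is the one shown in the examples above. The helper names (validate_tags, render_object, render_policy) are this example's own.

```shell
#!/bin/sh
# Added example, not from the Prisma Cloud documentation: build the
# networkaccesspolicy YAML from tag groups before sending it to apoctl.
# Each argument to render_policy is one OR alternative; within an argument,
# comma-separated tags are ANDed. This reproduces the "- -" nesting used in
# the apoctl examples. Nothing is sent to the API here; once the output looks
# right, pipe it into: apoctl api create networkaccesspolicy -n "$MICROSEG_NS" -f -
WEBSERVER="type=web-server"
PROD="pu:state=prod"
DEV="pu:state=dev"
# Single quotes keep the $ literal, equivalent to "\$identity=processingunit".
PU='$identity=processingunit'

# Every tag must have the form key=value with a non-empty key. An unescaped
# $identity expands to nothing inside double quotes, leaving "=processingunit",
# which this check rejects before a broken policy is created.
validate_tags() {
    for group in "$@"; do
        old_ifs=$IFS; IFS=','
        for tag in $group; do
            case "$tag" in
                ?*=?*) ;;
                *) IFS=$old_ifs; return 1 ;;
            esac
        done
        IFS=$old_ifs
    done
    return 0
}

# Emit the object block: tags in one group are ANDed, groups are ORed.
render_object() {
    echo "object:"
    for group in "$@"; do
        old_ifs=$IFS; IFS=','
        prefix="- -"
        for tag in $group; do
            printf '%s\n' "$prefix \"$tag\""
            prefix="  -"
        done
        IFS=$old_ifs
    done
}

# Emit the complete policy; the subject is the "internet" external network.
render_policy() {
    name=$1; shift
    cat <<EOF
name: $name
action: Allow
applyPolicyMode: IncomingTraffic
logsEnabled: true
subject:
- - ext:name=internet
EOF
    render_object "$@"
}

# Prod OR dev web servers, each ANDed with the processing-unit identity tag.
if validate_tags "$WEBSERVER,$PU,$PROD" "$WEBSERVER,$PU,$DEV"; then
    render_policy allow-web-server "$WEBSERVER,$PU,$PROD" "$WEBSERVER,$PU,$DEV"
else
    echo "refusing to create policy: a tag lost its key to shell expansion" >&2
fi
```

Calling render_policy with a single group and a single tag produces the first apoctl example; two tags in one group produce the second; two groups produce the third. Running validate_tags first matters because a policy whose object is "=processingunit" is accepted as syntactically valid YAML but selects nothing you intended.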
Verifying that the web server accepts incoming connections
Open a browser and paste in the IP address or domain name of your web server. In the Microsegmentation section of the Prisma Cloud web interface, you should see a green flow as shown below.
If your request instead times out and you don’t see the internet external network with a green flow, adjust your external network and network policy definitions as needed.
Disable discovery mode
You must allow all desired traffic in your namespace before disabling discovery mode. If your namespace contains just the web server, complete the following steps to disable discovery mode. Otherwise, refer to Securing a Kubernetes namespace or Securing hosts for guidance.
In the Microsegmentation section of the Prisma Cloud web interface, select Platform, and review any dashed green flows. As soon as you disable discovery mode, these connections will be blocked. Take a few moments to allow any desired traffic before continuing to the next step.
Toggle discovery mode off, using the button in the top right corner.
You may see a new external network named Somewhere with red flows or red flows between pods. If you click on the red lines you can see that the connections were denied due to Microsegmentation’s default Reject all policy.
Congratulations! You have secured your namespace. Microsegmentation denies any traffic not explicitly allowed by policy.
If your web server is public, you are done!
If you want to allow only certain people to access the web server, you can configure Microsegmentation to authenticate your users against an OpenID Connect (OIDC) identity provider.