IDENTITY-BASED MICROSEGMENTATION DOCUMENTATION

Allowing access to web servers

About allowing access to web servers

We deploy enforcers in discovery mode. All traffic is allowed and shown in the Platform pane of the Microsegmentation section of the Prisma Cloud web interface as green dashed lines to an any-tcp external network.

Web server

When you click on the green dashed line and select the Policies tab, you will see that the traffic is allowed due to the discovery-mode policy.

This section describes how to allow incoming layer 3 and 4 traffic to web servers and disable discovery mode.

Prerequisites

  • apoctl installed
  • Authenticated to apoctl with the Namespace Administrator role

Creating an external network

Set a MICROSEG_NS environment variable containing the Microsegmentation namespace of your web server. In our example, we have a web server in the my-web-app Kubernetes namespace.

export MICROSEG_NS=/acme/team-b/dev/my-web-app

Use the following command to create an external network representing TCP connections on port 80 and 443 from any IP address. It names the external network internet and assigns it a tag of ext:name=internet.

cat <<EOF | apoctl api create externalnetwork -n $MICROSEG_NS -f -
name: internet
entries:
- 0.0.0.0/0
protocols:
- tcp
ports:
- "80"
- "443"
associatedTags:
- ext:name=internet
EOF

NOTE

You may need to modify the ports values if the web server listens on a different port. If there is a load balancer or a Kubernetes service fronting the web server, specify the port that it is listening on. For example, you can run kubectl get services and check the values under PORT. Make sure you add all the values there under ports. If you’re not sure, go ahead and create the external network using the above definition. You can edit it later.
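The NOTE above tells you to read the PORT(S) column of kubectl get services and copy every value into ports. The following script is an added example, not part of the original documentation or of apoctl: it runs over a constructed sample of kubectl output (no cluster is contacted), keeps only the TCP entries because the external network above is declared with protocols: tcp, drops the NodePort half of entries such as 80:30080/TCP on the assumption that clients reach the service port, and prints the result as the YAML list the externalnetwork definition expects.

```shell
#!/bin/sh
# Constructed sample of `kubectl get services -n my-web-app` output.
# The names, IPs and ports are invented for this example.
SAMPLE_SERVICES='NAME       TYPE           CLUSTER-IP    EXTERNAL-IP    PORT(S)                      AGE
web-lb     LoadBalancer   10.96.12.34   203.0.113.10   80:30080/TCP,443:30443/TCP   5d
web-admin  ClusterIP      10.96.12.35   <none>         8443/TCP                     5d
metrics    ClusterIP      10.96.12.36   <none>         9100/UDP                     5d'

# service_tcp_ports: read kubectl "get services" output on stdin and print the
# sorted, de-duplicated TCP service ports, one per line. UDP entries are skipped
# because the external network only covers TCP; the NodePort (after the colon)
# is dropped because the external network is meant for the service port.
service_tcp_ports() {
  awk 'NR > 1 {
    n = split($5, entries, ",")
    for (i = 1; i <= n; i++) {
      if (entries[i] ~ /\/TCP$/) {
        sub(/\/TCP$/, "", entries[i])   # strip the protocol suffix
        sub(/:.*$/, "", entries[i])     # keep the service port, drop the NodePort
        print entries[i]
      }
    }
  }' | sort -n | uniq
}

# ports_yaml: render the ports as the quoted YAML list used under "ports:"
# in the externalnetwork definition.
ports_yaml() {
  service_tcp_ports | awk '{ printf "- \"%s\"\n", $1 }'
}

# Demonstration on the constructed sample; pipe real kubectl output here instead.
printf '%s\n' "$SAMPLE_SERVICES" | ports_yaml
```

Paste the printed lines under ports: in the externalnetwork YAML. The UDP metrics port is intentionally absent; if a service also needs UDP you would add udp under protocols and extend the filter.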

Selecting the web server

Identify a tag or set of tags that allow you to uniquely identify the web server or group of web servers. It may help to open the Microsegmentation section of the Prisma Cloud web interface and review the tags of the processing units that represent the web servers.

Microsegmentation supports logical tag expressions, allowing you to link tags with ANDs and ORs. You may be able to come up with a tag expression that selects the web servers using the tags that they already have. Alternatively, you may want to add tags to the web servers to make it easier to select them.

Once you have determined the tag or tags, set an environment variable to contain each tag. We add four below.

export WEBSERVER="type=web-server"
export PROD="pu:state=prod"
export DEV="pu:state=dev"
export PU="\$identity=processingunit"

Because these values are set in a shell, you must escape any characters that bash would otherwise interpret. In the example above, we put a \ in front of the $ in $identity so that bash stores the literal string $identity=processingunit instead of trying to expand a (nonexistent) identity variable.

Creating a network policy to accept connections

Next, use one of the following commands to create a network policy that accepts incoming requests from the external network you just defined. We provide three examples below to show how to work with a single tag as well as multiple tags with both AND and OR relationships.

cat <<EOF | apoctl api create networkaccesspolicy -n $MICROSEG_NS -f -
name: allow-web-server
action: Allow
applyPolicyMode: IncomingTraffic
logsEnabled: true
subject:
- - ext:name=internet
object:
- - "$WEBSERVER"
EOF

cat <<EOF | apoctl api create networkaccesspolicy -n $MICROSEG_NS -f -
name: allow-web-server
action: Allow
applyPolicyMode: IncomingTraffic
logsEnabled: true
subject:
- - ext:name=internet
object:
- - "$WEBSERVER"
  - "$PU"
EOF

cat <<EOF | apoctl api create networkaccesspolicy -n $MICROSEG_NS -f -
name: allow-web-server
action: Allow
applyPolicyMode: IncomingTraffic
logsEnabled: true
subject:
- - ext:name=internet
object:
- - "$WEBSERVER"
  - "$PU"
  - "$PROD"
- - "$WEBSERVER"
  - "$PU"
  - "$DEV"
EOF

TIP

Observe how the hyphens allow you to specify AND and OR relationships between the tags. Each line beginning with - - starts a new list of tags that must all be present (AND); each further - - list is an alternative (OR). The third example therefore selects a processing unit tagged type=web-server AND pu:state=prod, OR one tagged type=web-server AND pu:state=dev.
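To make the AND/OR rule concrete, the following POSIX shell evaluator is an added example, not part of the original documentation or of apoctl. It applies the object expression of the third policy above to the tag sets of three constructed processing units. Each line of OBJECT_EXPR stands for one - - list in the YAML (tags ANDed), and the lines together form the OR; the processing-unit tag sets are invented for the example. The evaluator is general: it works for any number of clauses and tags, not only the two clauses shown on this page.

```shell
#!/bin/sh
# Object expression of the third policy above, one AND clause per line.
# Single quotes keep $identity literal, as the backslash did in the export.
OBJECT_EXPR='type=web-server $identity=processingunit pu:state=prod
type=web-server $identity=processingunit pu:state=dev'

# Constructed processing units: space-separated tag sets, invented for this example.
PROD_WEB='type=web-server $identity=processingunit pu:state=prod app=shop'
STAGING_WEB='type=web-server $identity=processingunit pu:state=staging'
PROD_DB='type=database $identity=processingunit pu:state=prod'

# has_tag TAGS TAG: succeed when TAG is one of the space-separated TAGS.
has_tag() {
  for have in $1; do
    [ "$have" = "$2" ] && return 0
  done
  return 1
}

# clause_matches TAGS CLAUSE: succeed only when every tag in CLAUSE is present (AND).
clause_matches() {
  for want in $2; do
    has_tag "$1" "$want" || return 1
  done
  return 0
}

# expr_matches TAGS EXPR: succeed when at least one clause matches (OR of ANDs).
expr_matches() {
  tags=$1
  old_ifs=$IFS
  IFS='
'
  set -- $2            # split the expression into clauses, one per line
  IFS=$old_ifs
  for clause; do
    clause_matches "$tags" "$clause" && return 0
  done
  return 1
}

# Demonstration: only the prod web server is selected by the policy object.
for pu in "$PROD_WEB" "$STAGING_WEB" "$PROD_DB"; do
  if expr_matches "$pu" "$OBJECT_EXPR"; then
    echo "selected:     $pu"
  else
    echo "not selected: $pu"
  fi
done
```

A processing unit with pu:state=staging is not selected even though it carries type=web-server, because neither AND clause is fully satisfied; a single-clause expression such as the second policy above (type=web-server AND $identity=processingunit) would select it.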

Verifying that the web server accepts incoming connections

Open a browser and paste in the IP address or domain name of your web server. In the Microsegmentation section of the Prisma Cloud web interface, you should see a green flow as shown below.

Web server

If your request instead times out and you don’t see the internet external network with a green flow, adjust your external network and network policy definitions as needed.

Disable discovery mode

IMPORTANT

You must allow all desired traffic in your namespace before disabling discovery mode. If your namespace contains just the web server, complete the following steps to disable discovery mode. Otherwise, refer to Securing a Kubernetes namespace or Securing hosts for guidance.

  1. In the Microsegmentation section of the Prisma Cloud web interface, select Platform, and review any dashed green flows. As soon as you disable discovery mode, these connections will be blocked. Take a few moments to allow any desired traffic before continuing to the next step.

  2. Toggle discovery mode off, using the button in the top right corner.

    Toggle discovery

  3. You may see a new external network named Somewhere with red flows or red flows between pods. If you click on the red lines you can see that the connections were denied due to Microsegmentation’s default Reject all policy.

Congratulations! You have secured your namespace. Microsegmentation denies any traffic not explicitly allowed by policy.

Next steps

If your web server is public, you are done!

If you want to allow only certain people to access the web server, you can configure Microsegmentation to authenticate your users against an OpenID Connect (OIDC) identity provider.