By Wikenson Lejulus, Customer Success Engineer

Introduction

Azure Container Instances (ACI) is a Microsoft Azure service that allows users to run containers without managing servers. ACI is a serverless solution that supports Linux and Windows containers.

This article will go through the steps needed to install an App-Embedded Defender in Azure ACI and connect it with Prisma Cloud so that the results from the defender are available in Prisma Cloud.

Overview

Deploy an App-Embedded Defender in ACI to provide runtime protection to applications installed in ACI. The App-Embedded Defender enforces runtime policy on the application entrypoint and any child processes created by this entrypoint.

This document is to help streamline the process and provide step-by-step instructions on how to get it done for Apps running as Azure Container Instances (ACI).

You can embed App-Embedded Defenders with the Console UI, twistcli, or Prisma Cloud API. However, this tutorial only covers how to do it with the console UI.

When to Use

Use this guide when you need to deploy an app-embedded Defender on Azure Container Instance (ACI).

Before You Begin

Requirements

• App-Embedded Defender image is supported on Linux (x86) architecture.
• Any Docker image with Prisma Cloud App-Embedded Defender binary.
• Azure Container Registry (ACR) (recommended)
• Prisma Cloud user with a minimum role of Defender Manager.
• Azure CLI installed

Prerequisites

• You can connect to Azure Container Registry(ACR) or any other registry used to pull your images.
• The container where you are embedding the App-Embedded Defender can reach Console’s port 443 or  8084 for Compute self hosted.
• You have the dockerfile for your image if you choose the Deployment type as dockerfile.  If not, make sure one exists.
• Be sure to have access to a machine with docker running.

1. Dockerfile prepping - Provision the App Embedded Defender

If you already have a project, begin by editing the dockerfile of your project. Otherwise, you can use Azure-Samples / aci-confidential-hello-world as a starting point for this exercise.

Some dockerfile will have the ENTRYPOINT instruction, some will have just the CMD instruction.

For this project there isn't an ENTRYPOINT instruction. You need to just add it  ENTRYPOINT ["python3", "main.py" ],   right before the CMD instruction.

Key Actions:

• Clone the sample[6] ACI app or use your own
• Modify the dockerfile to make sure there’s an ENTRYPOINT instruction

Workflow Steps:

• Step 1:  Clone this project to your machine. Make sure Docker runtime or desktop is installed on that machine.

git clone https://github.com/Azure-Samples/aci-confidential-hello-world.git

• Step 2: Use your favorite editor to open the dockerfile.  If it has ENTRYPOINT instruction, you can just skip to the next step.    

cp ./aci-confidential-hello-world/app/Dockerfile ./Dockerfile_bak  && nano aci-confidential-hello-world/app/Dockerfile 

Otherwise, You need to just add ENTRYPOINT ["python3", "main.py" ],   right before the CMD instruction. Then save the changes.

2. Create an App ID and runtime rule in Prisma Cloud

In this step you're going to create a new app-embedded policy. Take note of the rule name you create, because that will be used as the App ID when configuring the Defender in later steps.   When setting APP ID[2], specify a value that lets you easily trace findings back to the image. All vulnerability, compliance, and runtime findings for the container will be aggregated under this App ID. In Console, the App ID is presented as the image name.

Key Actions:

• Define runtime policy  -  Define the initial policy with runtime rules that will govern the App-Embedded Defender.
• Create the App ID -  Specify a unique identifier for your container image. This gives you a way to uniquely identify the App-Embedded Defender in the environment  This App ID will be used as the image name in the console UI.

Workflow Steps:

• Step 1: Now go to the console and create a new runtime app-embedded policy.  Take note of the rule name for the next step.:

Figure 1: App-Embedded_defender_runtime_policy_PaloAltoNetworks

• Step 2: Scope the policy to App ID by creating a new collection that will have the App ID.

• Step 2A: Click on the scope box.  

Figure 2: App-Embedded_defender_runtime_policy_scope_PaloAltoNetworks

• Step 2B:  Click on Add Collection

Figure 3: App-Embedded_defender_runtime_policy_Collections_PaloAltoNetworks

• Step 2C:  Add the rule name as the App ID.

Figure 4: Prisma_cloud_App-Embedded_defender_Collections_App-ID_PaloAltoNetworks

3. Embed App-Embedded Defender into a container image from Console’s UI

Now, you’re going to provision the app-embedded Defender and then embed it in the dockerfile. This is done through the Prisma cloud console UI.  This part can also be done through automation using either twistcli or the API.  But for this specific tutorial, we’re using the console UI.

These steps entail configuring the app-embedded Defender and then uploading the undefended dockerfile. The UI will return a zip file that has the new dockerfile with the Defender embedded.

Key Actions:

• Configure the app-embedded defender- More details to be added.
• Uploading the undefended dockerfile.
• Download the zip embedded Defender zip file.

Workflow Steps:

• Step 1:  Navigate to  Runtime Security > Manage > Defenders > Deploy,  and click on Manual Deploy
• Step 2: select Single Defender and under Defender Type, select the Container Defender - App Embedded.

Then define the required options as below:

• Deployment Type: Dockerfile
• App-ID: aci-wl-helloworld  ( the name of the app-embedded rule/policy from the previous steps).
• Data Folder: /twistlock
• Dockerfile: upload the dockerfile from the git project you have downloaded earlier, or your own specific project’s dockerfile.

Figure 5: Prisma_cloud_App-Embedded_defender_configuration_PaloAltoNetworks

• Once the dockerfile is uploaded, Prisma Cloud will prep and embed the Defender code excerpt into the the dockerfile and generate the zip file like this "app_embedded_embed_aci-wl-helloworld.zip"  (it can take a few minutes to complete).
• Step 3:  Download the zip file to the workstation where you cloned the github project.

Figure 6: Prisma_cloud_App-Embedded_defender_download_PaloAltoNetworks

4. Build/rebuild image with the new dockerfile (protected with the defender)

At this point, Prisma Cloud has prepped and embedded the Defender code excerpt into the dockerfile and generated the zip file.  You should have already downloaded the zip file in the previous step.  Now, unpackage the zip file to extract the new dockerfile with the embedded defender.  You will use that new docker file to build/rebuild the image. Then, you will have an app image with the Defender embedded in the image.

The steps below assume you already have an ACR or other registry/repo.  If not, create an ACR[4] and confirm that you can access it from the workstation where the new image is being built.

Key Actions:

• Unzip the file - unpackage the zip file to extract the new dockerfile.
• Build/rebuild the image - Rebuild the image with the new dockerfile to complete the embedding process.

Workflow Steps:

• Step 1:  Unzip the file to extract the dockerfile.

sudo unzip app_embedded_embed_aci-wl-helloworld.zip

• Step 2: Now, go back to the git project cloned folder, backup the original dockerfile to Dockerfile_bak, and copy the new dockerfile and twistlock_defender_app_embedded.tar.gz file to the aci-confidential-hello-world/app folder.

mv ./aci-confidential-hello-world/app/Dockerfile ./Dockerfile_bak  && cp ./twistlock_defender_app_embedded.tar.gz  ./Dockerfile  ./aci-confidential-hello-world/app/​

• Step 3: Now, build the new image with the app-embedded defender.

sudo docker build --pull --rm -f ./aci-confidential-hello-world/app/Dockerfile -t aci-wl-helloworld:latest . && sudo docker image list

sudo docker tag aci-wl-helloworld:latest yourregistry.azurecr.io/prisma/aci-wl-helloworld:latest​

Figure 7: App-Embedded_defender_new_image_PaloAltoNetworks

5. Push that “protected” image to registry/repo

At this point, the new image is ready to be pushed to your registry for deployment. The steps below assume that you already have an ACR or other registry and you have the right credentials to login and push images to the registry. You will need Azure CLI[3] installed on the machine you’re working on.

Key Actions:

• Push the image to the repository.

Workflow Steps:

• Step 1: Now that the protected image has been created, push it to your registry (ACR) for deployment.

sudo az login

sudo az acr login --name yourregistry

sudo docker push yourregistry.azurecr.io/prisma/aci-wl-helloworld:latest​

6. Deploy a Container Instance using the protected image

Now that the newly defended image has been pushed to your repo, you can use it to deploy an ACI or redeploy your existing application to ensure it’s protected.  This part can also be done through the Azure console or Azure CLI.

Key Actions:

• Deploy a container instance - Use the protected image to deploy a container instance.

Workflow Steps:

• Step 1:  Go to Azure Portal > Azure Container Registry > Repositories.
• Step 2: Right-click on the new image with the app-embedded Defender and select Run Instance.
• Step 3: Create a container instance and edit the following: 
  1. Enter the container name in Azure in the same way as the container image name.
  2. Select the OS type as Linux (Prisma Cloud only supports Linux x86 App-Embedded Defenders).
  3. Select Public IP address if you need routable IPs to establish communication between Prisma Console and Defender installed in Azure.
  4. Enter the Port defined for the APP in dockerfile.

• Step 4: Select Create.

Figure 8: Azure_Container_Instance_protected_image_PaloAltoNetworks

7. Confirm and validate vulnerability reporting and runtime events

This task entails confirming and validating that the app embedded Defender deployed successfully. If the previous task 6 was successful, in about 10-15 mins, the app embedded Defender should start reporting on any discovered vulnerabilities as well as runtime events and auditing.

Key Actions:

• Confirmation - From the console UI, confirm that vulnerabilities are showing for the app-embedded defender.
• Validate - Check the app-embedded Defender runtime observations.

Workflow Steps:

• Step 1:  In Azure, confirm and verify the container instances show a running status.
  Now you can see that App-Embedded Defender running in ACI showing up in Prisma Console under Manage > Defenders > Deployed Defenders.    

Figure 9: Prisma_cloud_Prisma_App_embedded_defender_PaloAltoNetworks

•  Step 2: After about 15-30 mins, it should start reporting vulnerabilities and runtime events.  You can confirm that by checking Runtime Security > Monitor > Vulnerabilities > images > Deployed,  filter by the appID or collection.:

Figure 10: Prisma_App_embedded_defender_vulnerabilities_PaloAltoNetworks

• Step 3:  Check the App embedded audit events.

• Runtime Security > Monitor > Runtime > App-Embedded observations.

Figure 11: Prisma_App_embedded_observations_PaloAltoNetworks

Conclusion

This article has guided you through the high level step-by-step process to deploy Prisma Cloud's App-Embedded Defender in Azure Container Instances (ACI) to ensure runtime security and vulnerability monitoring for containerized applications. Prisma Cloud's App-Embedded Defender bridges the security gap that previously existed in apps running in ACI, a fully managed IaaS solution by Microsoft Azure, by embedding runtime protection directly into the user container images.

Some of the key steps in the deployment process include:

1. Preparing the dockerfile
2. Creating an App ID and runtime rule in Prisma Cloud
3. Embedding the defender into the container image
4. Building/rebuilding the image
5. Pushing the protected image to a registry
6. Deploying it in ACI
7. and finally validating vulnerability reporting and runtime events.

The workflow leverages Prisma Cloud's intuitive Console UI to assist with configurations, ensuring the process is seamless and secure. By following this tutorial, organizations can safeguard their ACI applications against vulnerabilities and runtime threats, maintaining robust cloud-native security with Prisma Cloud.

References:

[1] Azure Container Instance  (ACI)

[2] App ID

[3] Azure CLI

[4] Azure Container Registry 

[5 Runtime Defense for App-Embedded

[6] Azure-Samples / aci-confidential-hello-world

About the Author

Wikenson Lejulus is a Customer Success Engineer on the Prisma™ Cloud Runtime Security team, specializing in supporting all compute solutions for Prisma™ Cloud  AWS, Azure, GCP, OCI, and Alibaba.

Wikenson’s broad expertise spans from Prisma Cloud, to Next-Generation Firewall, to securing compute workloads including containers and kubernetes on public and private clouds.  He uses collaborative approaches to break down complex problems into solutions for global enterprise customers and leverage their multi-industry knowledge to inspire success.