Scanning On-Premise Jfrog Artifactory Running on Different VPC With Private IP 

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L2 Linker
No ratings

By Omoniyi Jabaru, Senior Customer Success Engineer

 

Overview

 

Prisma Cloud can scan container images in public and private repositories on public and private registries. The registry is a system for storing and distributing container images. The most well-known public registry is Docker Hub. One of the main repositories Prisma Cloud customers use is JFrog Artifactory. This article describes how Prisma Cloud works with this registry. 

 

Purpose

 

JFrog Artifactory requires that every image added to the main repository, be added as a new Registry Scanning inside Prisma Cloud. When adding more than one image inside a main repository, you need to add a registry scanning per each image to be scanned properly. Using a wildcard is not supported by Prisma Cloud at this time.

 

Before You Begin

 

To accomplish this, you will need to:

 

  • have a running instance of Prisma Cloud CWP Console
  • have an on-prem Jfrog Artifactory set up with Private IP
  • have a container engine running and at least one Defender has been deployed on different VPC with public and private IP

 



Create VPCs in different accounts and/or the same Region

 

RPrasadi_0-1721169891114.png

 

Figure 1 : VPC peering_PaloAltoNetworks

 

To request a VPC peering connection with VPCs in different accounts and the same Region

 

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose Peering Connections.
  3. Choose Create peering connection.
  4. Configure the information as follows, and choose Create peering connection when you are done:

 

    • Name: You can optionally name your VPC peering connection. Doing so creates a tag with a key of Name and a value that you specify. This tag is only visible to you; the owner of the peer VPC can create their own tags for the VPC peering connection.
    • VPC ID (Requester): Select the VPC in your account with which to create the VPC peering connection.
    • Account: Choose Another account.
    • Account ID: Enter the ID of the AWS account that owns the accepter VPC.
    • VPC ID (Accepter): Enter the ID of the VPC with which to create the VPC peering connection.

 

RPrasadi_1-1721169891344.png

Figure 2 : VPC Create Peering_PaloAltoNetworks

 

To accept a VPC peering connection with VPCs in different accounts and the same Region


A VPC peering connection that’s in the pending-acceptance state must be accepted by the owner of the accepter VPC to be activated. You cannot accept a VPC peering connection request that you've sent to another AWS account. If you are creating a VPC peering connection in the same AWS account, you must both create and accept the request yourself.

If the VPCs are in different regions, the request must be accepted in the region of the accepter VPC.


To accept a VPC peering connection

 

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. Use the region selector to choose the region of the accepter VPC.
  3. In the navigation pane, choose Peering Connections.
  4. Select the pending VPC peering connection (the status is pending-acceptance), and choose Actions, Accept Request.
  5. Note: If you cannot see the pending VPC peering connection, check the region. An inter-region peering request must be accepted in the region of the accepter VPC.
  6. In the confirmation dialog box, choose Yes, Accept. A second confirmation dialog displays; choose to Modify my route tables now to go directly to the route tables page.

 

RPrasadi_2-1721169891350.png

Figure  2a : VPC peering DNS_PaloAltoNetworks

RPrasadi_3-1721169890569.png

Figure  2b : VPC peering route_PaloAltoNetworks

 

Configuring routes for a VPC peering connection

 

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose Route Tables.
  3. Select the route table that’s associated with the subnet in which your instance resides.
  4. Note: If you do not have a route table associated with that subnet, select the main route table for the VPC, as the subnet then uses this route table by default.
  5. Choose Routes, Edit, Add Route.
  6. For Destination, enter the IPv4 address range to which the network traffic in the VPC peering connection must be directed. You can specify the entire IPv4 CIDR block of the peer VPC, a specific range, or an individual IPv4 address, such as the IP address of the instance with which to communicate. For example, if the CIDR block of the peer VPC is 10.0.0.0/16, you can specify a portion 10.0.0.0/28.
  7. Select the VPC peering (pcx) connection from Target, and then choose Save.

 

RPrasadi_4-1721169890456.png

Figure  2c : VPC peering routes_PaloAltoNetworks

RPrasadi_5-1721169891618.png

Figure  2d : VPC peering routes3_PaloAltoNetworks

 

Allow access from the source communication VPC on the Security Group of the Service

Create EC2 Instance :


https://docs.aws.amazon.com/efs/latest/ug/gs-step-one-create-ec2-resources.html


We need to add the entry for the new network address on the security group of the services you permit access to/from another VPC.

 

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  2. In the navigation pane, choose Security Groups.
  3. In the list, select the security group and choose Actions, Edit inbound rules.
  4. Choose Add rule.
  5. For Type, choose the type of protocol to allow.
  • If you choose a custom TCP or UDP protocol, you must manually enter the port range to allow.
  • If you choose a custom ICMP protocol, you must choose the ICMP type name from Protocol, and, if applicable, the code name from Port range.
  • If you choose any other type, the protocol and port range are configured automatically.
RPrasadi_6-1721169891620.png

Figure 2e : VPC peering inbound_PaloAltoNetworks


Allow access to the source communication VPC on the Security Group of the Service


For Source, do one of the following:

 

  • Choose Custom and then enter an IP address in CIDR notation, a CIDR block, another security group, or a prefix list from which to allow inbound traffic. I used my custom CIDR as seen in the below screenshot.
  • Choose Anywhere to allow all inbound traffic of the specified protocol to reach your instance. This option automatically adds the 0.0.0.0/0 IPv4 CIDR block as an allowed source. This is acceptable for a short time in a test environment, but it's unsafe for production environments. In production, authorize only a specific IP address or range of addresses to access your instance.
  •  For Description, optionally specify a brief description for the rule.

 

RPrasadi_7-1721169890537.png

Figure 2f : VPC peering inbound2_PaloAltoNetworks


For more info, review AWS VPC documentation below:
Work with VPC peering connections

Confirm VPC peering is working fine 

 

  • SSH into the Source Scanner EC2.
  • Ping the EC2 in the Target VPC with the private subnet.
  • Furthermore, SSH into the target EC2 (not necessary).

 

RPrasadi_8-1721169890615.png

Figure 3a : ping target_PaloAltoNetworks

 

RPrasadi_9-1721169891034.png

Figure 3b : ssh target_PaloAltoNetworks

 

Install a Container Defender On the Scanner EC2

  • Go to Compute > Manage > Defenders > Defenders: Deployed and select Manual deploy.
  • Under Deployment method, select Single Defender.
  • In Defender type, select Container Defender - Linux  Container Defender.
  • Select the way Defender connects to Console.
  • (Optional) Set a custom communication port (4) for the Defender to use.
  • (Optional) Set a proxy (3) for the Defender to use for the communication with the Console.
  • (Optional) Under Advanced Settings, Enable Assign globally unique names to Hosts when you have multiple hosts that can have the same hostname (like autoscale groups, and overlapping IP addresses).
    After setting the option to ON, Prisma Cloud appends a unique identifier, such as ResourceId, to the host’s DNS name. For example, an AWS EC2 host would have the following name: Ip-171-29-1-244.ec2internal-i-04a1dcee6bd148e2d.

Copy the install scripts command from the right side panel, which is generated according to the options you selected. On the host where you want to install Defender, paste the command into a shell window, and run it.

Verify the Install

 

  • In the Console, go to Manage > Defenders > Defenders: Deployed.
  • Your new Defender should be listed in the table, and the status box should be green and checked.

For more info, review the Prisma Defender documentation below :

Install a Single Container Defender

 

Install NGINX on The Private JFROG Instance

Registry scanning requires a secure connection which is HTTPS. Hence, we need to setup nginx reverse proxy in front of Artifactory. A reverse proxy configuration can be generated in the Artifactory UI by going to Administration->Artifactory->HTTP Settings

This will need to be copied to your nginx config. You will need to have your own SSL certs and key and place them in the correct directory specified in the nginx config. Below is a sample configuration for reference:

 

To install Nginx on an EC2 instance running a Linux distribution such as Amazon Linux, CentOS, Ubuntu, or Debian, you can follow these general steps:

  • Connect to Your EC2 Instance: Use SSH to connect to your EC2 instance. You can connect from the scanner instance since the VPC is peered.

  • Update the Package Database by the following command to ensure that the package database is up to date:

    • sudo yum update -y 

 

  • Install Nginx: Use the package manager to install Nginx. The package name may vary slightly depending on your Linux distribution.

 

  • For Amazon Linux, CentOS, or RHEL:

sudo yum install nginx -y

 

  • For Ubuntu or Debian:

 

sudo apt install nginx -y

 

RPrasadi_10-1721169891635.png

Figure 4 : jfrog.conf_PaloAltoNetworks

  • Verify Nginx Installation
    • nginx -t


Enable Route 53 TO Point to the Private Jfrog IP

Set up a Route 53 Private Hosted Zone:

 

  1. Navigate to the Route 53 console in the AWS Management Console.
  2. Choose "Create Hosted Zone".
  3. Specify a domain name (e.g., example.com).
  4. Select "Private hosted zone".
  5. Choose the VPC(s) that you want to associate with the private hosted zone.
  6. Click "Create".

Create a Record Set:

 

  1. Inside the newly created private hosted zone, choose "Create Record Set".
  2. In the "Name" field, enter the subdomain you want to map (e.g., www).
  3. Select the type of record you want to create (e.g., A for IPv4 address).
  4. In the "Value" field, enter the private IP address.
  5. Click "Create" to create the record set.

Update VPC DNS Settings:

 

  1. In the VPC settings, ensure that the VPC's DNS settings are configured to use the Route 53 resolver.
  2. In the Route 53 console, under "Resolver", you can find the Resolver endpoints and rules.


Solution Architecture

 

RPrasadi_11-1721169891208.png

 

Figure 5 : solution architecture_PaloAltoNetworks

 

 

Summary

 

 

The Scanner instance attempts to resolve the DNS private-jfrog.jmontufar.org of the JFROG instance. Route 53 indicates that the DNS private-jfrog.jmontufar.org corresponds to the server with IP address 10.0.138.85. Subsequently, the Scanner instance initiates a TLS negotiation request to the IP address 10.0.138.85, including the DNS private-jfrog.jmontufar.org in the request.

NGINX identifies the requested DNS as belonging to the default route and begins TLS negotiation, providing the Server Certificate for the negotiation. As the certificate installed on NGINX is a wildcard certificate (*.jmontufar.org) and the requested DNS is private-jfrog.jmontufar.org, the Scanner instance recognizes the certificate as valid and proceeds. Upon successful TLS negotiation, NGINX forwards scanning requests from the Scanner instance to the private JFROG instance. The Scanner instance subsequently transmits the report back to the Prisma Cloud Compute Console.


Scan Confirmation


Pushed Images to the on-prem Jfrog

docker pull alpine:latest
docker tag alpine:latest <jfrog-domain>/<repository-name>/<image-name>:latest
docker push <jfrog-domain>/<repository-name>/<image-name>:latest

 

RPrasadi_12-1721169891674.png

Figure 6 : docker_PaloAltoNetworks

Prisma Cloud registry scan settings

 

RPrasadi_13-1721169891009.png

Figure 6a : registry scan_PaloAltoNetworks


Prisma Cloud Vulnerability Report

 

RPrasadi_14-1721169890984.png

Figure 6b : vuln report_PaloAltoNetworks

 

Conclusion

 

By integrating Prisma Cloud with JFrog Artifactory, you can enhance your container security posture by continuously scanning images for vulnerabilities and compliance issues. This integration allows seamless monitoring and remediation, ensuring that your containerized applications remain secure throughout their lifecycle.


References

 

 

About the Author

Omoniyi Jabaru is senior customer success engineers specializing in Prisma Cloud, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes. He uses simple approaches to break down complex problems into solutions for global enterprise customers and leverage their multi-industry knowledge to inspire success.

 

 

Rate this article:
  • 1296 Views
  • 0 comments
  • 0 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎07-19-2024 03:47 PM
Updated by: