
Skyhigh Security

Deploy a POP in a Dedicated Secure VPC

Deploy the POP using the following steps:

  1. Download the POP deployment package.
  2. Deploy the required infrastructure through the prerequisite CloudFormation Template (CFT). 
  3. Deploy the CWPP POP.

Once the POP is successfully deployed, the POP details and its health status are reported on the POP Management page.

Step 1: Download the POP Deployment Package

Use the following steps to download the POP deployment package:

  1. Log in to Skyhigh CASB.
  2. Go to Setting > Service Management, select the AWS instance, and choose the registered AWS Account.
  3. In the Overview section, click Deploy New POP. 
  4. Click Download Deployment package.

The downloaded POP Deployment package contains the installation files and artifacts: the installation files deploy the POP, and the artifacts let the POP communicate with Skyhigh CASB. The package is valid for 7 days after it is downloaded from Skyhigh CASB.

Step 2: Create a CloudFormation Template

NOTE: The prerequisite CFT is required only for the existing infra. Step 2 is not applicable for new infra.

It is recommended to deploy a POP in a dedicated secure Virtual Private Cloud (VPC). The secure VPC is created as part of the prerequisite CloudFormation Template (CFT) and the POP deployment package. But first, you must deploy the prerequisite infrastructure using the CFT. 

To create a CFT: 

  1. Extract the downloaded POP Deployment Package, go to Infrastructure > aws, and locate the file aws_preReq.json. This CFT deploys the prerequisite infrastructure.
  2. In the AWS console, go to CloudFormation and select the region where you want to deploy the POP.  
  3. Go to CloudFormation > Create Stack > With new resources (Standard) > Template is ready > Upload a template file. Select the file aws_preReq.json.
  4. Enter the required fields: 
    • Stack name. The stack name for the prerequisite deployment.
    • NumberofAZs. The number of Availability zones that must be configured in the region.
    • PrivateSubnets. Select true.
    • PoPName. Specify the name for the POP that you need to create. This is limited to 20 characters. 
  5. Click Next and confirm to start creating the CloudFormation stack.
  6. Creating the stack might require an additional IAM Role. In the final tab, select the checkbox I acknowledge that AWS CloudFormation might create IAM resources and click Create stack.

This creates the prerequisite infrastructure in your AWS account. It generally takes about 4 minutes.

Once the CFT has run, the resources are created. Review them in the Outputs tab and note the values for PoPName, PrivateSubnet, PublicSubnet, VPC, cwppRole, and cwppSecurityGroup. These are the resources created as part of the prerequisites and are required for the POP deployment.

Step 3: Deploy the POP

The POP can be deployed using the new or existing Infra setup.

IMPORTANT: Before continuing, make sure the following prerequisites are in place.   

  • You have selected the correct region where you want to deploy the POP. 
  • You have the Key Pair required to create the AWS instances and connect to them. To create a key pair, in the AWS console, go to EC2 Resources > Key Pairs.

Deploy the POP using New Infra Setup

To deploy the POP using New Infra Setup: 

  1. Extract the POP Deployment Package and copy PoPDeployment.tar to an AWS S3 location.
  2. Log in to the AWS console and switch to the Region where the POP needs to be deployed. 
  3. Go to Create Stack > With new resources (Standard) > Template is ready > Upload a template file. From the downloaded POP deployment package, extract Infrastructure.tar, go to Infrastructure > aws, and select the file AWS_New_Infra_CFT.json.
  4. Enter the required fields: 

NOTE: It is recommended to provide the same name for Stack name and PoPName.

  • Stack name. The stack name for the POP deployment.
  • AutoScalingSubnetList. A comma-separated list of PrivateSubnet(s) value from prerequisite outputs.
  • DesiredSecondaryNodeCapacity. The number of secondary nodes for the POP.
  • IAMRole. The cwppRole value from prerequisite outputs.
  • ImageId. Ubuntu 18.04 AMI ID in the deployment region. In the IAM console, in the AMI list, search for ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-20201026.
  • InstanceType. Select the instance type.
  • KeyName. The name of the KeyPair to start and connect to the instance.
  • PoPName. The PoPName value from the prerequisite outputs.
  • S3Path. The AWS S3 Path where PoPDeployment.tar is uploaded.
  • SecurityGroupIDs. The cwppSecurityGroup value from the prerequisite outputs.
  • SubnetId. The PrivateSubnet value from prerequisite outputs. Specify the subnet where the VPC Endpoint must be created. Depending on the network topology, not all Availability Zones might be supported for the service. For more details, see the AWS documentation on Interface VPC endpoints (AWS PrivateLink).
  5. Click Next and start creating the CloudFormation stack.

Deploy the POP using Existing Infra Setup

To deploy the POP using Existing Infra Setup: 

  1. Extract the POP Deployment Package and copy PoPDeployment.tar to an AWS S3 location.
  2. Log in to the AWS console and switch to the Region where the POP needs to be deployed. 
  3. Go to Create Stack > With new resources (Standard) > Template is ready > Upload a template file. From the downloaded POP deployment package, extract Infrastructure.tar, go to Infrastructure > aws, and select the file AWS_Existing_Infra_CFT.json.
  4. Configure the following details: 
    • Stack name. The stack name for the POP deployment.
    • AutoScalingSubnetList. Use the value of the existing subnet.
    • DesiredSecondaryNodeCapacity. The number of secondary nodes for the POP.
    • IAMRole. Use the existing IAM role.
    • ImageId. Ubuntu 18.04 AMI ID in the deployment region. In the IAM console > AMI list, search for ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-20201026.
    • InstanceType. Select the instance type.
    • KeyName. Use the existing region key.
    • PoPName. Use the existing PoPName.
    • S3Path. The AWS S3 Path where PoPDeployment.tar is uploaded.
    • SecurityGroupIDs. Use the value of the existing SecurityGroup.
    • SubnetId. Use the existing subnet ID with PoPName tag.
    • VolumeSize. Select the default volume size as 50.

NOTE: Make sure the following tag is present on every existing subnet within the VPC:

Key: kubernetes.io/cluster/<PoPName>, Value: Shared.
For example: Key kubernetes.io/cluster/awsdemopop, Value shared.


  5. Click Next and start creating the CloudFormation stack.
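A pre-flight check for the two deployment procedures above, written as an added example rather than anything shipped in the POP deployment package: it maps the prerequisite stack Outputs (Step 2) onto the AWS_New_Infra_CFT.json parameters, enforces the 20-character PoPName limit, and reports subnets that lack the kubernetes.io/cluster/<PoPName> = shared tag required for the existing-infra setup. The Outputs and Subnets samples are constructed in the shape returned by `aws cloudformation describe-stacks` and `aws ec2 describe-subnets`; the instance type and secondary-node defaults are assumptions, not values from this page.

```python
POP_NAME_MAX_LEN = 20  # PoPName limit stated in Step 2

# Constructed sample: Outputs of the prerequisite stack (aws_preReq.json), in the
# shape `aws cloudformation describe-stacks` returns them.
PREREQ_OUTPUTS = [
    {"OutputKey": "PoPName", "OutputValue": "awsdemopop"},
    {"OutputKey": "PrivateSubnet", "OutputValue": "subnet-0aaa,subnet-0bbb"},
    {"OutputKey": "cwppRole", "OutputValue": "awsdemopop-cwppRole"},
    {"OutputKey": "cwppSecurityGroup", "OutputValue": "sg-0eee"},
]
# Constructed sample: Subnets entries as `aws ec2 describe-subnets` returns them.
SUBNETS = [
    {"SubnetId": "subnet-0aaa",
     "Tags": [{"Key": "kubernetes.io/cluster/awsdemopop", "Value": "shared"}]},
    {"SubnetId": "subnet-0bbb", "Tags": []},  # tag missing: must be reported
]


def build_pop_parameters(prereq_outputs, key_name, image_id, s3_path,
                         instance_type="t3.large", secondary_nodes=2):
    """Map the prerequisite Outputs onto the AWS_New_Infra_CFT.json parameters
    as ParameterKey/ParameterValue pairs (the form the CLI accepts).
    The instance_type and secondary_nodes defaults are assumptions."""
    out = {o["OutputKey"]: o["OutputValue"] for o in prereq_outputs}
    pop = out["PoPName"]
    if len(pop) > POP_NAME_MAX_LEN:
        raise ValueError(f"PoPName {pop!r} exceeds {POP_NAME_MAX_LEN} characters")
    private = out["PrivateSubnet"]
    params = {
        "AutoScalingSubnetList": private,        # comma-separated PrivateSubnet(s)
        "DesiredSecondaryNodeCapacity": str(secondary_nodes),
        "IAMRole": out["cwppRole"],
        "ImageId": image_id,
        "InstanceType": instance_type,
        "KeyName": key_name,
        "PoPName": pop,
        "S3Path": s3_path,
        "SecurityGroupIDs": out["cwppSecurityGroup"],
        "SubnetId": private.split(",")[0],       # one private subnet for the VPC endpoint
    }
    return [{"ParameterKey": k, "ParameterValue": v} for k, v in params.items()]


def untagged_subnets(subnets, pop_name):
    """Subnet IDs lacking the kubernetes.io/cluster/<PoPName> = shared tag
    that an existing-infra deployment requires on every subnet in the VPC."""
    key = f"kubernetes.io/cluster/{pop_name}"
    return [s["SubnetId"] for s in subnets
            if {t["Key"]: t["Value"].lower() for t in s.get("Tags", [])}.get(key) != "shared"]
```

Run `untagged_subnets` against the real `describe-subnets` output for the VPC before launching the existing-infra stack; an empty list means every subnet carries the tag.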

Validate the Deployment Status

Here, you can validate the POP deployment status for both the new infra and the existing infra setup.

Once the CloudFormation stack is started, allow about 20 minutes for the POP to deploy. You can check the deployment status in the CloudFormation stack console in AWS.

After the deployment, the POP running in your account reports its status to Skyhigh CASB, and you can check the POP details on the POP Management page.
