Welcome to the Netskope One DSPM Knowledge Base

You will find your answers here!

    Sorry, we didn't find any relevant articles for you.

    Send us your queries using the form below and we will get back to you with a solution.

    Deploying Netskope One DSPM sidecars via Azure

    Table of Contents

    Overview Architecture Register Sidecar Pool Deploy from Netskope One DSPM Custom Template Validate Sidecar Connection Next Steps

    Overview

    The Netskope One DSPM application requires seamless connectivity to scan your data stores. However, as per common security practices, businesses tend to deny proper firewall egress between their internal networks & external applications. Such limitations impact the operational use of Netskope One DSPM and reduce the full return value of your subscription.

    To overcome this, Netskope One DSPM provides a flexible collection architecture consisting of one or many sidecars you deploy alongside your data stores. These sidecars collect necessary metadata and transfer it to the Netskope One DSPM application. Within this central management console, you can take action on insights from across all data stores regardless of where they are hosted.

    Architecture

    Excerpt: Sidecar: Architecture

    Netskope One DSPM provides a flexible collection architecture, consisting of one or many sidecars you deploy alongside the main application. These sidecars connect to data stores to runs scans, uploading the results to the Netskope One DSPM application.

    A single sidecar can scan multiple data stores in its installation environment. Typically, you will deploy one sidecar per individual environment (e.g. VNet, VPC, etc.), however you may choose to install multiple sidecars for additional scalability and redundancy. The Netskope One DSPM application automatically load balances scans across healthy sidecars in each sidecar pool. 

    For more information on Azure Container Instances, please visit the Microsoft Azure knowledge base

    Register Sidecar Pool

    Excerpt: Sidecar: Registration

    Log into the Netskope One DSPM application. Navigate to the Platform Settings > Sidecar m

    To set up the relationship between your sidecars and Netskope One DSPM-hosted tenant, you will provide the sidecars with a unique authentication token generated within our Sidecar Administration UI.

    If you already have an existing sidecar pool token to use, you can skip this section. Otherwise, follow these instructions to acquire a new token.

    1. Log into the Netskope One DSPM application.
    2. Navigate to the Platform Settings > Sidecar menu to display the Sidecar Administration screen.
    3. Click the Add Sidecar Pool button.
    4. The Add Sidecar Pool modal is displayed.
    5. On the Details tab, complete the following field:
    Field Value
    Name Any friendly value to describe the sidecar pool.
    1. Click Save.
    2. Click Copy at the bottom of the Sidecar Authentication Token modal to save the generated token to your clipboard. 
    1. Click the “x” button to exit the modal.

    Since you haven't yet associated this token with a sidecar, the sidecar pool will appear only when you click the Show Inactive Sidecars icon in the upper right, with empty Version and Status columns for now.

    The above-generated token will be used for each individual sidecar within the sidecar pool.

    Deploy from Netskope One DSPM Custom Template

    1. Download Netskope One DSPM's custom sidecar template JSON file to your local device: https://Netskope One DSPM-release.s3.us-west-2.amazonaws.com/Netskope One DSPMSidecarACI-ARM.json
    2. For the account where you will configure the custom template, log into the Azure console.
    3. Using the search box, navigate to Deploy a Custom Template.
    1. Click on Build your own template in the editor.
    1. Click on the Load file button, then select Netskope One DSPM's custom sidecar template JSON file:
    1. The template JSON file's content will now be displayed. Click the Save button at the bottom of the page.
    1. Under Project details, enter the following values:
    Field Value
    Subscription Pre-populated
    Resource Group Any value
    1. Under Instance details, enter the following values:
    Field Value
    Region Pre-populated based on Resource Group selected above
    Container Group Name Any unique value. Recommendation is to use “Netskope One DSPMSidecar”
    Sidecar Pool Token An existing sidecar token, or a new one generated in the Register Sidecar Pool section above.
    Netskope One DSPM Host Name Your tenant URL minus the protocol.        

    For example, if your tenant is accessed using https://example.Netskope One DSPM.io, your value will be example.Netskope One DSPM.io.
    Vnet Name View your Azure virtual networks within the selected resource group. The Vnet name appears on the left column titled Name, ie. example-virtual-network in the example below. 
    Subnet Name

    Usually default. If there are multiple virtual networks/subnets, make sure you are inputting relevant names.

    Subnet Delegation field must be enabled with a delegation to container groups, as pictured below.
    1. Click the Review + create button.
    2. You'll see a validation screen with the information you just inputted.
    3. Click the Create button.
    4. You'll see your deployment in progress. This may take several minutes to complete.
    5. Once complete, you can expand the Deployment details section, then click the Resource name hyperlink to see details of the sidecar container instances. 
    1. In the left-hand menu, navigate to Settings > Containers to view details about the container group:
      1. One container for the Netskope One DSPM sidecar
      2. One container for the classification engine
    1. Click the Logs tab to view more detail on how sidecars are authenticating, running, and scanning your data stores:

    Validate Sidecar Connection

    Excerpt: Sidecar: Validate Sidecar Connection

    Once a sidecar instance is running, you can now validate it is properly-com

    When deploying sidecar, you'll need to ensure that the sidecar has the ability to reach two URLs on port 443: 

    https://[tenant-name].Netskope One DSPM.io
     https://[tenant-name]-sidecar.Netskope One DSPM.io

    Take the following steps to verify the connectivity from the sidecar.

    1. SSH to the sidecar
    2. Run the command [curl] to [api/pulse] for both URLs, as shown below
    curl https://[tenant-name].Netskope One DSPM.io/api/pulse
    curl https://[tenant-name]-sidecar.Netskope One DSPM.io/api/pulse
    1. A successful response will resemble the following
    {"version":"6.3.0.311","build_target":"prod","deployment_type":"saas"}%

     

    Once a sidecar is running, you can now validate it is properly communicating with your Netskope One DSPM application. 

    1. Log into the Netskope One DSPM application.
    2. Navigate to the Platform Settings > Sidecar screen.
    3. For the sidecar(s) in question, validate that Version column is populated and its matching Status indicator is green. 

    It may take a few minutes for newly-running sidecars to communicate with the Netskope One DSPM application. If both values have not updated after 20 minutes, double-check that you configured your sidecars correctly and update the pool token, if necessary.

    Next Steps

    Excerpt: Next Steps: Connecting Data Stores

    Connect your discovered Data Stores. For more information, visit our Connecting A

    Connect your discovered Data Stores. For more information, visit our Connecting AWS Data Stores category and select the articles applicable to the Data Store Types you wish to connect.

     

    Was this article helpful?

    Still can't find what you are looking for?

    Contact Netskope Technical Support