Skyhigh Security

Deploy Secure App Connector on Docker for UDP Applications

Secure App Connector enables end users to securely access their organization's private applications through Skyhigh SSE. Docker-based solutions provide a lightweight and faster deployment method. Whether using OVA, AWS, or Azure, a single container can perform similar tasks as a microk8s setup. This makes Docker an efficient choice for quick deployment.

Prerequisites 

Before deploying the Docker image, make sure your system meets the following requirements:

  • Minimum OS Requirement:
    • Ubuntu: 22.04/24.04
    • RHEL: 9.6
    • CentOS: 9
  • Docker version >= 24.0.5
  • Only one UDP container per host is supported.
  • Skyhigh Security recommends that a Secure App Connector host have at least 4 CPUs, 8 GB RAM, and 50 GB storage. To deploy both the TCP and the UDP container on the same host, use at least 8 CPUs, 12 GB RAM, and 80 GB storage.
  • You must add a Secure App Connector before deploying the Docker image; see Configure Secure App Connector.

NOTE: If a firewall is in place, allow the required domains and HTTP(S) ports. For the list, see Secure App Connector Docker Prerequisites and Firewall settings For Private Applications.

Steps to Deploy Docker Image

  1. Log in to the host, copy the downloaded config file to the home directory (/home/ubuntu or /home/ec2-user), and rename it to connector.conf.

IMPORTANT: The generated config file is valid for 12 hours. Generate a new config file whenever you retry a deployment.

  2. Paste the Docker command you copied to pull the image from the ECR Docker repository.

  3. To deploy the image, create a new container using this command:

For Ubuntu, use the following command:

    sudo docker run \
         --cap-add={NET_ADMIN,NET_RAW} \
         --name=skyhigh-pa-conn \
         --hostname=skyhigh-secure-app-connector \
         --restart=always \
         -d \
         -v <Directory_of_config>:/skyhigh/mount:ro \
         -e https_proxy="http://proxyhost.com:9090" \
         -e UDP_SOCKS_PROXY="hostname:8080" \
         public.ecr.aws/y0m9s9j4/usprod-pop-services/udp-connector:latest

  • Replace Directory_of_config with the directory that contains the config file.
    NOTE: Give the directory only; exclude the config file name from this path.

  • Docker assigns a default name to the container if you omit the --name option from the above command. You can replace skyhigh-pa-conn with a container name of your choice.

  • Docker assigns a default hostname if you omit the --hostname option from the above command.

  • If no proxy is used, remove -e https_proxy="http://proxyhost.com:9090" from the Docker run command.

  • If no UDP SOCKS proxy is used, remove -e UDP_SOCKS_PROXY="hostname:8080" from the Docker run command.

    • NOTE: Specify the UDP SOCKS proxy as <ip>:<port> or <hostname>:<port>, for example 172.22.20.41:1080.

  • The command adds the NET_ADMIN capability, which permits network-related operations such as:

    • interface configuration
    • administration of IP firewall, masquerading, and accounting
    • modifying routing tables
    • binding to any address for transparent proxying
    • setting type-of-service (TOS)
    • clearing driver statistics
    • setting promiscuous mode
    • enabling multicasting
  • It also adds the NET_RAW capability, which permits:
    • use of RAW and PACKET sockets
    • binding to any address for transparent proxying
  4. You can stop and restart the container without losing any state or data. However, if the container is deleted, a new configuration file must be generated to run it again.

  5. Auto-update of the container isn't supported. To get the latest version, generate a fresh config file and redeploy the container.
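A pre-flight script for the deployment above, added here as an example and not part of the Skyhigh documentation or tooling: it checks the Docker version against the 24.0.5 minimum, rejects a connector.conf older than its 12-hour validity, validates the UDP_SOCKS_PROXY host:port format, and assembles the docker run command with the proxy flags only when they are set. The function names and the preflight wrapper are constructed for this example; the image and flags are the ones from the page.

```shell
IMAGE="public.ecr.aws/y0m9s9j4/usprod-pop-services/udp-connector:latest"  # added example, not Skyhigh tooling
MIN_DOCKER="24.0.5"

version_ge() {
  # Return 0 if dotted version $1 >= $2, comparing up to three numeric parts.
  a="$1.0.0"; b="$2.0.0"; i=0
  while [ "$i" -lt 3 ]; do
    x=${a%%.*}; a=${a#*.}; y=${b%%.*}; b=${b#*.}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

config_is_fresh() {
  # The downloaded config is valid for 12 hours: accept $1 only if it exists
  # and was written less than 43200 s ago (regenerate it otherwise).
  [ -f "$1" ] || return 1
  mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
  [ $(( $(date +%s) - mtime )) -lt 43200 ]
}

validate_socks_proxy() {
  # UDP_SOCKS_PROXY must be <ip>:<port> or <hostname>:<port>; a URL scheme,
  # a path, an empty host or a non-numeric/out-of-range port is rejected.
  case "$1" in *://*|*/*|*' '*) return 1 ;; *:*) ;; *) return 1 ;; esac
  host=${1%:*}; port=${1##*:}
  [ -n "$host" ] || return 1
  case "$port" in ''|*[!0-9]*) return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

build_run_cmd() {
  # $1 = directory holding connector.conf (mounted read-only; not the file path),
  # $2 = HTTPS proxy URL or empty, $3 = UDP SOCKS proxy or empty. The page's
  # --cap-add={NET_ADMIN,NET_RAW} is bash brace expansion, written out here.
  cmd="sudo docker run --cap-add=NET_ADMIN --cap-add=NET_RAW --name=skyhigh-pa-conn"
  cmd="$cmd --hostname=skyhigh-secure-app-connector --restart=always -d -v $1:/skyhigh/mount:ro"
  [ -n "$2" ] && cmd="$cmd -e https_proxy=\"$2\""
  [ -n "$3" ] && cmd="$cmd -e UDP_SOCKS_PROXY=\"$3\""
  printf '%s %s\n' "$cmd" "$IMAGE"
}

preflight() {
  # $1 = Docker server version, $2 = config directory, $3 = UDP SOCKS proxy or empty.
  version_ge "$1" "$MIN_DOCKER" || { echo "Docker $1 is older than $MIN_DOCKER" >&2; return 1; }
  config_is_fresh "$2/connector.conf" || { echo "connector.conf missing or expired" >&2; return 2; }
  [ -z "$3" ] || validate_socks_proxy "$3" || { echo "bad UDP_SOCKS_PROXY: $3" >&2; return 3; }
}
```

Run preflight with the version from docker version --format '{{.Server.Version}}' before executing the command that build_run_cmd prints.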

Deployment Validation  

  1. Run the diagnostics test to verify the connector setup:

    sudo docker exec -it skyhigh-pa-conn run_diag

Replace skyhigh-pa-conn with the container name you specified with --name in the docker run command.

The screenshot below shows the output of this command when everything is working properly. 

(Screenshot: run_diag output from a working connector.)

Remove or Stop Connector  

NOTE: Replace skyhigh-pa-conn with the name of your connector container.

  1. Run sudo docker stop skyhigh-pa-conn to stop a running connector.
  2. Run sudo docker start skyhigh-pa-conn to start a stopped connector.
  3. Run sudo docker rm skyhigh-pa-conn to remove (delete) a connector.

IMPORTANT: Removing or deleting a connector is equivalent to uninstalling it. To recreate the connector, a new configuration file is required.

Troubleshoot Connector for Docker  

To generate the logs bundle and transfer it to the host VM, run these commands:

  1. Run sudo docker exec -it skyhigh-pa-conn collect-state-wrapper.sh. This creates the file udp_connector_state.tar.gz in the /tmp directory inside the container.
  2. Copy the logs bundle from the container to the host with sudo docker exec skyhigh-pa-conn cat /tmp/udp_connector_state.tar.gz > /tmp/udp_connector_state.tar.gz. If Docker is installed via snap, the logs bundle is available at /tmp/snap-private-tmp/snap.docker/tmp/.