Deploy Orchestrator Defenders on Amazon ECS

This guide shows you how to deploy Prisma Cloud Defenders in an ECS cluster.
The Defender protects your containerized environment according to the policies you set in Prisma Cloud Console. It runs as a service in your ECS cluster. The parameters of the service are described in a task definition, and the task definition is written in JSON format. To automatically deploy an instance of Defender on each node in your cluster, you’ll run the Defender task as a daemon service.
The Defender deployment process consists of the following steps.
  1. Create worker nodes in your ECS cluster.
  2. Create a task definition for the Prisma Cloud Defender.
  3. Create a service of type Daemon to deploy Defender to every node in the cluster.
If you haven’t provisioned a cluster yet, this guide also covers the steps you need to take in AWS before you deploy the Defender.
If you already have an AWS ECS cluster with worker nodes and are familiar with the AWS interface, you can skip directly to creating the Defender task definition.
Before you create the task definition, ensure that the launch configuration for your worker nodes in ECS does the following.
  • Runs the Amazon ECS-Optimized Amazon Linux 2 AMI.
  • Uses the ecsInstanceRole IAM role.
  • Runs the following user data script so that worker nodes join the cluster and install the Defender.
    #!/bin/bash
    echo ECS_CLUSTER=pc-ecs-cluster >> /etc/ecs/ecs.config
ECS_CLUSTER must match your cluster name. If the cluster where you create launch configurations and auto-scaling groups to start EC2 instances for Prisma Cloud is named something other than pc-ecs-cluster, replace pc-ecs-cluster in your user data script with that name.
To better understand clusters, read our cluster context topic.

Create your ECS Cluster

Create an empty cluster named pc-ecs-cluster. This is the cluster where you will create launch configurations and auto-scaling groups to start EC2 instances.
  1. Log into the AWS Management Console.
  2. Go to Services > Containers > Elastic Container Service.
  3. Click Create Cluster.
  4. Select Networking only, then click Next Step.
  5. Enter a cluster name, such as pc-ecs-cluster.
  6. Click Create.

Create a launch configuration for worker nodes

Create a launch configuration named pc-worker-node that:
  • Runs the Amazon ECS-Optimized Amazon Linux 2 AMI.
  • Uses the ecsInstanceRole IAM role.
  • Runs a user data script that joins the pc-ecs-cluster and runs the commands required to install Defender.
  1. Go to Services > Compute > EC2.
  2. In the left menu, click Auto Scaling > Launch Configurations.
  3. Click Create Launch Configuration.
  4. In Name, enter a name for your launch configuration, such as pc-worker-node.
  5. In Amazon machine image, select Amazon ECS-Optimized Amazon Linux 2 AMI.
     You can get a complete list of per-region Amazon ECS-optimized AMIs from here.
  6. Choose an instance type, such as t2.medium.
  7. Under Additional configuration:
    1. In IAM instance profile, select ecsInstanceRole.
    2. Under User data, select Text, and paste the following code snippet:
       #!/bin/bash
       echo ECS_CLUSTER=pc-ecs-cluster >> /etc/ecs/ecs.config
       Where:
       • ECS_CLUSTER must match your cluster name. If you’ve named your cluster something other than pc-ecs-cluster, then modify your user data script accordingly.
    3. (Optional) In IP Address Type, select Assign a public IP address to every instance.
       With this option, you can easily SSH to this instance to troubleshoot issues.
  8. Under Security groups:
    1. Select Select an existing security group.
    2. Select pc-security-group.
  9. Under Key pair (login), select an existing key pair, or create a new key pair so that you can access your instances.
  10. Click Create launch configuration.

Create an auto scaling group for worker nodes

Launch two worker nodes into your cluster.
  1. Go to Services > Compute > EC2.
  2. In the left menu, click Auto Scaling > Auto Scaling Groups.
  3. Click Create an Auto Scaling group.
  4. In Choose launch template or configuration:
    1. In Auto Scaling group Name, enter pc-worker-autoscaling.
    2. In Launch template, click Switch to launch configuration.
    3. Select pc-worker-node.
    4. Click Next.
  5. Under Configure settings:
    1. In VPC, select your default VPC.
    2. In Subnet, select a public subnet, such as 172.31.0.0/20.
    3. Click Next.
  6. In Configure advanced options, accept the defaults, and click Next.
  7. In Configure group size and scaling policies:
    1. Set Desired capacity to 2.
    2. Leave Minimum capacity at 1.
    3. Set Maximum capacity to 2.
    4. Click Skip to review.
  8. Review the configuration and click Create Auto Scaling Group.
     After the auto scaling group spins up (it will take some time), validate that both worker nodes have registered with your cluster as container instances.
    1. Go to Services > Containers > Elastic Container Service.
    2. The count for Container instances in your cluster should now be a total of two.

Create a Prisma Cloud Defender task definition

Generate a task definition for Defender in Prisma Cloud Console.
  1. Log into Prisma Cloud Compute Console.
  2. Go to Manage > Defenders > Deploy > Defenders.
  3. In Deployment method, select Orchestrator.
  4. For orchestrator type, select ECS.
  5. In Specify a cluster name, leave the field blank.
     The Prisma Cloud console automatically retrieves the cluster name from AWS. Only enter a value if you want to override the cluster name assigned in AWS.
  6. In Specify ECS task name, leave the field blank.
     By default, the task name is pc-defender.
  7. Click Download to download the task definition.
  8. Log into AWS.
  9. Go to Services > Containers > Elastic Container Service.
  10. In the left menu, click Task Definitions.
  11. Click Create new Task Definition.
  12. In Step 1: Select launch type compatibility, select EC2, then click Next step.
  13. In Step 2: Configure task and container definitions, scroll to the bottom of the page and click Configure via JSON.
  14. Delete the contents of the window, and replace it with the Prisma Cloud Console task definition you just generated.
  15. Click Save.
  16. (Optional) Change the name of the task definition before creating it. The default name is pc-defender.
  17. Click Create.

Start the Prisma Cloud Defender Service

Create the Defender service using the task definition. With Daemon scheduling, ECS schedules one Defender per node.
  1. Go to Services > Containers > Elastic Container Service.
  2. In the left menu, click Clusters.
  3. Click on your cluster.
  4. In the Services tab, click Create.
  5. In Step 1: Configure service:
    1. For Launch type, select EC2.
    2. For Task Definition, select pc-defender.
    3. In Service Name, enter pc-defender.
    4. In Service Type, select Daemon.
    5. Click Next Step.
  6. In Step 2: Configure network, accept the defaults, and click Next step.
  7. In Step 3: Set Auto Scaling, accept the defaults, and click Next step.
  8. In Step 4: Review, click Create Service.
  9. Click View Service.
  10. Verify that you have Defenders running on each node in your ECS cluster.
    1. Go to your Prisma Cloud Console and view the list of Defenders in Compute > Manage > Defenders > Manage. There should be two new Defenders that have been connected for a few minutes, one for each ECS instance in the cluster.
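The verification step above checks coverage from the Console side. The following script, an added example that is not Prisma Cloud's or AWS's own code, performs the same check from the ECS side: it takes the JSON returned by `aws ecs list-container-instances --cluster pc-ecs-cluster` and by `aws ecs describe-tasks` for the tasks of the pc-defender service, and reports every container instance that has no RUNNING Defender task, which with Daemon scheduling means a node that is not yet protected. The ARNs, account ID and task states are constructed sample data.

```python
"""Daemon-coverage check for the pc-defender service (added example; not Prisma
Cloud's or AWS's own code). Reads the JSON of `aws ecs list-container-instances`
and `aws ecs describe-tasks` and lists cluster nodes without a RUNNING Defender."""
import json

REGION_ACCOUNT = "arn:aws:ecs:us-east-1:111122223333"   # constructed values


def ci_arn(node_id: str) -> str:
    """Container-instance ARN for a node in pc-ecs-cluster (constructed IDs)."""
    return f"{REGION_ACCOUNT}:container-instance/pc-ecs-cluster/{node_id}"


# Constructed sample: output of `aws ecs list-container-instances --cluster pc-ecs-cluster`.
CONTAINER_INSTANCES = json.dumps(
    {"containerInstanceArns": [ci_arn("aaaa1111"), ci_arn("bbbb2222"), ci_arn("cccc3333")]})

# Constructed sample: output of `aws ecs describe-tasks` for the pc-defender
# service. Node cccc3333 only has a PENDING Defender task (for example the image
# pull has not finished yet), plus an unrelated RUNNING task of another family.
DEFENDER_TASKS = json.dumps({"tasks": [
    {"taskDefinitionArn": f"{REGION_ACCOUNT}:task-definition/pc-defender:1",
     "containerInstanceArn": ci_arn("aaaa1111"), "lastStatus": "RUNNING"},
    {"taskDefinitionArn": f"{REGION_ACCOUNT}:task-definition/pc-defender:1",
     "containerInstanceArn": ci_arn("bbbb2222"), "lastStatus": "RUNNING"},
    {"taskDefinitionArn": f"{REGION_ACCOUNT}:task-definition/pc-defender:1",
     "containerInstanceArn": ci_arn("cccc3333"), "lastStatus": "PENDING"},
    {"taskDefinitionArn": f"{REGION_ACCOUNT}:task-definition/web-app:7",
     "containerInstanceArn": ci_arn("cccc3333"), "lastStatus": "RUNNING"},
]})


def unprotected_nodes(instances_json: str, tasks_json: str,
                      family: str = "pc-defender") -> list[str]:
    """Return the ARNs of container instances with no RUNNING task of `family`."""
    instances = set(json.loads(instances_json)["containerInstanceArns"])
    covered = set()
    for task in json.loads(tasks_json)["tasks"]:
        # ".../task-definition/pc-defender:1" -> family "pc-defender"
        task_family = task["taskDefinitionArn"].rsplit("/", 1)[-1].split(":")[0]
        if task_family == family and task["lastStatus"] == "RUNNING":
            covered.add(task["containerInstanceArn"])
    return sorted(instances - covered)


if __name__ == "__main__":
    for arn in unprotected_nodes(CONTAINER_INSTANCES, DEFENDER_TASKS):
        print("no running Defender on", arn)
```

A non-empty result after the service has settled is worth alerting on, since any node that scheduling skipped runs containers the Defender does not see.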
