Prisma Cloud Network Analyzer
Prisma Cloud’s network analyzer takes a multi-dimensional approach to identify overly-exposed resources by providing an end-to-end network path visibility from any source, such as AWS EC2 virtual machine, DB instance, or Lambda application to any destination, such as the Internet, another VPC, or on-premises networks.
For example, a compute instance is directly exposed to the Internet only when it has an elastic network interface (ENI) with EIP attached to a public subnet and has overly permissive security-group in a VPC that is attached to an Internet gateway with route to the Internet.
Prisma Cloud does not send actual traffic or read network logs for performing network path analysis. The cloud network analyzer engine correlates multiple data points, including routing paths and security policy configurations using graph-based modeling and then runs a complex calculation to evaluate the net effective action (
Allow
or Deny
).Some of the important use cases that you can address using Prisma Cloud’s network analyzer are:
- AWS EC2 instances/Azure VMs, interfaces, PaaS, or workloads exposed to the Internet
- AWS applications or workloads that have unrestricted access to the Internet (Egress)
- Overly permissive AWS security groups attached to sensitive workloads
- AWS RDS or sensitive DB workloads exposed to the Internet
- Production applications connected to QA or staging environments between cloud accounts or VPCs
