In order to operate, Prisma Cloud requires a number of connections between
components. The following diagram shows the ports and connections
required. To fit the needs of various customer environments and
deployments, all ports are configurable at install time (for more
information, see the inline comments in twistlock.cfg).
Customers typically place Console in a management security zone or other
segregated part of their network. Some customers might also want to
place a firewall between Console and Defender. Prisma Cloud can
interoperate with firewalls wherever necessary, provided the required
TCP ports are open.
When using Prisma Cloud Compute Saas Console customers will need to provide connectivity
from their deployed Defenders to the SaaS Console through the firewalls on port 443.
When Defender DaemonSets are deployed with Istio monitoring enabled,
Prisma Cloud can discover the service mesh and show you the RBAC
capabilities for each service (e.g. this pod can read service X using
REST/grpc on the following endpoints). Services integrated with Istio
display the Istio logo.
A common configuration involves placing a load balancer in front of
Console for access to the GUI and the API. Prisma Cloud can interoperate
with traditional hardware or software load balancers, as well as load
balancers from all major cloud service providers.
When using Prisma Cloud Compute and a SaaS Console managed by Prisma, using a
load balancer is not suggested.