Overview

Prisma Cloud DSPM  Orchestrator is used to securely detect and classify sensitive information in your environment, while keeping your data in the organization. You can integrate all of your Azure subscriptions with Prisma Cloud DSPM and monitor them using Orchestrator. You can either use a single Orchestrator to monitor all subscriptions, or use multiple Orchestrators in case separation between environments is required.

NOTE: Prisma Cloud DSPM automatically attempts to apply environment labels to projects that are not labeled to the best of its ability.

Part 1 - Onboarding Prisma Cloud DSPM Orchestrator to Your Azure Environment

When integrating an Azure subscription with Prisma Cloud DSPM for the first time, you need to approve the installation of Orchestrator to enable Prisma Cloud DSPM to monitor your environment.

1. Sign in to your Prisma Cloud DSPM account.
2. Go to Preferences > Integrations.
3. Navigate to the Azure option, click Configure.
4. Select Add New.
5. Sign in to the Azure subscription where you want to install Orchestrator.
   
   Note: Ensure your subscription is using a role that has sufficient permissions to approve an enterprise application and assign roles to the monitored subscriptions.
6. Enter your Tenant ID  and Subscription ID.
7. Give your subscription a Name and select a Label for it.
8. To approve Prisma Cloud DSPM enterprise application, click Approve. A Microsoft Permission requested window opens in a new tab. Do not close the Prisma Cloud DSPM tab.
9. Click Accept.
   
10. To Approve the installation of Prisma Cloud DSPM Orchestrator in your subscription, in Prisma Cloud DSPM, check the Acknowledge the following to continue. You will be redirected to the Custom deployment page in Azure to complete the installation. Do not close the Prisma Cloud DSPM tab.
    
11. From Subscription, select the relevant subscription (the one you are onboarding).
12. From Region, select the region where you want to install Prisma Cloud DSPM Resources Group Location.
13. Select Review + create.
14. In the following screen, select  Create.
15. Wait for the deployment to be completed.
16. Go back to Prisma Cloud DSPM (this tab is automatically refreshed) and click Done.

The new subscription is now listed under Connected Subscriptions in your Azure configuration page.

Onboard Prisma Cloud DSPM Orchestrator Using Custom Network Resources

This option allows customers to input their own network resources instead of relying on the default resources provided by the platform. It also simplifies the process for customers who want to maintain control over their network infrastructure.

• The system validates the information provided and allows customers to make adjustments, such as adding or removing regions.
• When selecting custom network resources, a different template is applied with reduced permissions because fewer actions are required.

IMPORTANT NOTE: Once a subscription has been onboarded using either the standard or custom deployment method, it cannot be onboarded again using the other method. For example, if you have onboarded an orchestrator subscription using the standard method and wish to switch to a custom deployment, you must first offboard the subscription and then re-onboard it using the desired deployment method. This ensures a smooth transition and avoids conflicts between onboarding types.

To connect a new account:

1. Sign in to your Prisma Cloud DSPM account.
2. Go to Preferences > Integrations.
3. Navigate to the Azure option, click Configure.
4. Select Add New and then Add Subscription via ARM or Add Subscription via Terraform.
   
5. In the Connect New Subscription window, do the following:
   1. Select I want an orchestrator deployed in this account.
   2. Click Advanced Options.
   3. Select Use Custom Network Resources.
   4. Enter the Resource Group Name that holds the network resources
   5. Click Generate Template.
      
6. After clicking Generate Template, the Custom Network Resources template opens.
   1. Use the template to provide the necessary configurations for each required region, including private subnets, security groups, Blob Private DNS Zones, and Fileshare Private DNS Zones. If you have multiple regions, configure each region separately.
   2. Click Save.
      
   3. The newly created subscription is added to the Connected Subscription list. The Custom label indicates the account has been created using custom network resources.
      

To edit the configurations:

1. In the Connect Subscription window, navigate to the custom subscription you want to edit.
2. Choose one of the following methods to edit the configuration:
3. Click the Custom button, and then click Edit configuration.
   
4. Click the cog icon and select Custom Network Resources.
   
5. Edit the configuration as required, and click Save.

Note: In case of an error, see the error details for more information and troubleshooting procedures. You can click the “Revalidate” button to run the validation process after fixing the issue.

Custom Deployment Resources

To facilitate scanning operations within the customer environment, Prisma Cloud DSPM requires multiple resources in the designated orchestrator subscription. These resources facilitate communication between the Azure orchestrator account and Prisma Cloud DSPM, and store classification results.

Required Resources

Prisma Cloud DSPM requires several network resources to be configured in the VM instance setup used to classify data and the Prisma Cloud Console.

Required Global resources

• Files Private DNS Zone:
  • Purpose: Enables secure and private connection to Azure Files assets.
  • Requirements:
    1. Subscription: orchestrator subscription ID.
    2. Resource Group: The Prisma Cloud resource group.
    3. Name: privatelink.file.core.windows.net
  • Mandatory input in the DPSM console
  • Note: A private DNS Zone is not a regional resource, hence you can choose to use a common zone for all regions.
• Blob Private DNS Zone:
  • Purpose: Enables secure and private connection to Azure Blob assets.
  • Requirements:
    1. Subscription: orchestrator subscription ID.
    2. Resource Group: The Prisma Cloud resource group.
    3. Name: privatelink.blob.core.windows.net
  • Mandatory input in the DPSM console
  • Note: A private DNS Zone is not a regional resource, hence you can choose to use a common zone for all regions.

For each region where data assets reside, the following resources are required:

• VNet (Virtual Network):
  • Purpose: Hosts and manages all network resources and scanner VMs, including connectivity to the customer’s data resources within the same subscription and to assets in the monitored subscription.
  • Requirements:
    1. Subscription: Orchestrator subscription ID.
    2. Resource Group: The Prisma Cloud resource group.
    3. CIDR: At least 1024 addresses in the specified CIDR.
       Recommended value: 10.0.0.0/22

• Security Group:
  • Purpose: allowing VMs to communicate with DSPM backend and classifiable assets.
  • Requirements:
    1. Subscription: orchestrator subscription ID.
    2. Resource Group: The Prisma Cloud resource group.
    3. Security Rules:
       1. Outbound:
          1. Protocol: TCP
          2. Source Port Range: *
          3. Destination Port Ranges:
             1. 443 (HTTPS)
             2. 1433 (SQL Server)
             3. 10255 (Cosmos DB)
             4. 11000-11999 (SQL Server)
             5. 445 (Azure NetApp Files and on-premises file shares) - Optional
          4. Destination Address Prefix: Internet
  • Mandatory input in the DPSM console
• Subnet:
  • Purpose: Hosts the scanner VMs.
  • Requirements:
    1. Vnet Name: The newly created Vnet name.
    2. IPv4 address range: At least 256 addresses in the specified address range.
       Recommended value: 10.0.0.0/24
    3. Network security group: The newly created security group.
    4. NAT gateway: The newly created/existing NAT Gateway.
    5. Service Endpoints: Microsoft.Sql - Optional (for scanning Azure SQL Server)
  • Mandatory input in the DPSM console

• Files Private DNS Link:
  • Purpose: Enables secure and private connection to Azure Files assets.
  • Requirements:
    • Subscription: orchestrator subscription ID.
    • Resource Group: The Prisma Cloud resource group.
    • Private Zone Name: privatelink.file.core.windows.net
    • Location: Global.
    • Registration Enabled: False.
    • Virtual Network: The newly created Vnet name.

• Blob Private DNS Link:
  • Purpose: Enables secure and private connection to Azure Blob assets.
  • Requirements:
    1. Subscription: orchestrator subscription ID.
    2. Resource Group: The Prisma Cloud resource group.
    3. Private Zone Name: privatelink.blob.core.windows.net
    4. Location: Global.
    5. Registration Enabled: False.
    6. Virtual Network: The newly created Vnet name.

Recommended Resources

Prisma Cloud DSPM requires egress communication between the VM instances used to classify data and the Prisma Cloud Console.

Make sure to allow connectivity to the following domains and IPs:

• EU:
  • 52.48.123.3
  • 99.80.210.235
  • 34.247.249.123
  • orchestrator.dig.security
• US:
  • 54.225.205.121
  • 18.214.146.232
  • 3.93.120.3
  • orchestrator.prod-use1.dig.security

Below you will find the recommended resources used to establish such communication, although other network enabling resources will suffice.

• Public IP Address:
  • Purpose: Provides connectivity to external Prisma Cloud DSPM resources, by attaching it to the NAT Gateway.
  • Requirements:
    1. Subscription: Orchestrator subscription ID.
    2. Resource Group: The Prisma Cloud resource group.
    3. SKU: Standard.
    4. IP address assignment: Static.
    5. Tier: Regional.
    6. Routing Preference: Microsoft network.
• NAT Gateway:
  • Purpose: Associated with the subnet to enable outbound internet connectivity.
  • Requirements:
    1. Subscription: Orchestrator subscription ID.
    2. Resource Group: The Prisma Cloud resource group.
    3. SKU: Standard.
    4. Public IP addresses: The newly created Public IP Address.

Part 2 - Adding Monitored Subscriptions

After adding a first Azure subscription and installing Orchestrator in it, you can add more Azure subscriptions that you want to be monitored by Orchestrator. You can use either an existing Orchestrator to monitor all subscriptions, or install a new Orchestrator for each subscription.

1. To add a new Azure subscription, follow steps 1-7 as detailed in Part 1 - Onboarding Orchestrator in Your Azure Environment.
2. Select whether you want to use an existing Orchestrator (in which case, you can select the required Orchestrator from the drop-down menu) or deploy a new Orchestrator in this subscription.
3. Click Enable.
   
4. Continue as described in steps 11-16 in Part 1 - Onboarding Orchestrator in Your Azure Environment (whether you selected an existing Orchestrator or a new one).
   When added, the new subscription will be listed under Connected Subscriptions.

Adding a New Azure Subscription Using Terraform

1. Go to Preferences > Integrations.
2. In the Settings window, navigate to the Cloud Platforms section, and click Configure Microsoft Azure.
   
3. From the Add New drop-down menu, select Add New Subscription via Terraform.
4. In the Connect New Subscription window, enter your Tenant ID.
5. After choosing to add a new Azure subscription using Terraform, the Connect New Subscription window opens
6. Specify the project ID using the export command.
7. Select whether you want to use an existing orchestrator (in which case, you can select the required Orchestrator from the dropdown menu) or choose the option to deploy an Orchestrator in this project.
8. Click Generate Terraform to generate a Terraform module.
9. Click Copy to copy the Terraform module, and click Done.
   Important: Do not modify the Terraform module. If the module is modified, Prisma Cloud DSPM cannot provide seamless updates and manage permissions.
10. Insert the Terraform module into your Terraform pipeline.
11. Run the Terraform module. After the module has successfully run, your Terraform-managed Azure account is automatically onboarded into Prisma Cloud DSPM, and listed under Connected Accounts in your Azure configuration page.

Dev Examples

Orchestrator

module "dig_security_orchestrator" {
  source         = "https://onboarding.dev-2.dig.security/azure/terraform/latest"
  dig_tenant_id  = "3002"
  application_id = "0766e056-2341-46a8-8f12"
  location       = "West US 2"
}


terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.55.0"
    }
  }
}

provider "azurerm" {
  # Configuration options
  features {}
  //sandbox-client-1
  subscription_id = "dd8bb350-09g5-8675-gbfd8a3ef048"
}

Monitored

module "dig_security_monitored" {
  source                       = "https://onboarding.dev-5.dig.security/azure/terraform/latest"
  dig_tenant_id                = "3221"
  application_id               = "0877e067-2341-46a8-d2e473dcc811"
  orchestrator_subscription_id = "dd9ba240-08f4-4a1c-9586-gbht8a3ef048"
  eventhub_name                = "dig-security-eh-cac3f4f8af1c3-2001-dev-2"
  eventhub_namespace_name      = "dig-security-ns-cac3f4f8af1c3-2001-dev-2"
  orchestrator_resource_group = "dig-security-rg-cac3f4f8af1c3-2001-dev-2"
  location = "West US 2"
}


terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.55.0"
    }
  }
}

provider "azurerm" {
  # Configuration options
  features {}
  subscription_id = "599febf1-1de3-5d"
}