Overview

Prisma Cloud DSPM Orchestrator detects and classifies sensitive information in your environment while keeping your data inside your organization. You can integrate all of your GCP projects with Prisma Cloud DSPM and monitor them using Orchestrator. You can either use a single Orchestrator to monitor all projects, or use multiple Orchestrators where separation between environments is required.

NOTE: Projects that are not labeled have an environment label applied to them automatically by Prisma Cloud DSPM, based on the information available to it.

Onboarding Prisma Cloud DSPM Orchestrator to Your GCP Environment

When integrating a GCP project with Prisma Cloud DSPM for the first time, you need to approve the installation of Orchestrator in your project to enable Prisma Cloud DSPM to monitor your environment.

  1. Sign in to your Prisma Cloud DSPM account.
  2. Go to Preferences > Integrations.
  3. Locate the Google Cloud option and click Configure.
  4. In the Add New drop-down, choose to add a new project using either Cloud Shell or Terraform.
  5. To continue with the onboarding, click a link below according to your chosen option:
    • Add a new project using Cloud Shell
    • Add a new project using Terraform

Add a new project using Cloud Shell

  1. Sign in to the GCP project where you want to install Orchestrator.
    NOTE: Ensure you have administrator privileges on the project, including the permissions to create IAM roles and service accounts.
  2. Enter your Project ID and select a Label for it.
  3. Select whether you want to use an existing Orchestrator (in which case, you can select the required Orchestrator from the dropdown menu) or deploy a new Orchestrator in this project.
  4. Click Get CloudShell command.
  5. From the generated Cloud Shell command, click Copy code snippet.
  6. Click Open Cloud Shell. A GCP console will open in a new tab. Do not close the Prisma Cloud DSPM tab.
  7. From the bottom of the GCP console, under Cloud Shell, click Continue.
  8. Paste the copied Cloud Shell command into the shell, press Enter, and click Authorize when prompted.
  9. Allow the script to run.
  10. When the script finishes running, go back to the Prisma Cloud DSPM tab (it is refreshed automatically) and click Done.

The new project is now listed under Connected Projects in your GCP configuration page.

Add a new project using Terraform

  1. After choosing to add a new project using Terraform, the Connect New Project window opens.
  2. Specify the project ID using the export command.
    • Note: If you are using the gcloud CLI, set the project with the following command:

gcloud config set project <project_id>

  3. Select whether you want to use an existing Orchestrator (in which case, you can select the required Orchestrator from the dropdown menu) or deploy a new Orchestrator in this project.
  4. Click Get Terraform command to generate a Terraform module.
  5. Click Copy to copy the Terraform module, and click Done.
    Important: Do not modify the Terraform module. If the module is modified, Prisma Cloud DSPM cannot provide seamless updates or manage permissions.
  6. Insert the Terraform module into your Terraform pipeline.
  7. Run the Terraform module. After it has run successfully, your Terraform-managed GCP project is automatically onboarded into Prisma Cloud DSPM and listed under Connected Projects in your GCP configuration page.

Onboard Prisma Cloud DSPM Orchestrator Using Custom Network Resources

This option lets you supply your own network resources instead of relying on the default resources provided by the platform, so that you keep control over the network infrastructure the Orchestrator runs in.

IMPORTANT NOTE: Once a project has been onboarded using either the standard or custom deployment method, it cannot be onboarded again using the other method. For example, if you have onboarded an orchestrator project using the standard method and wish to switch to a custom deployment, you must first offboard the project and then re-onboard it using the desired deployment method. This ensures a smooth transition and avoids conflicts between onboarding types.

To connect a new project:

  1. Sign in to your Prisma Cloud DSPM account.
  2. Go to Preferences > Integrations.
  3. Navigate to the GCP option, click Configure.
  4. Select Add New and then Add project via CloudShell or Add project via Terraform.
  5. In the Connect New Project window, do the following:
    1. Select I want an orchestrator deployed in this account.
    2. Click Advanced Options.
    3. Select Use Custom Network Resources.
    4. Click Get CloudShell command or Get Terraform command.
  6. Click Generate Template to open the Custom Network Resources template.
    1. In the template, provide the Private Subnet Name to be used for each required region. If you have multiple regions, configure each region separately.
    2. Click Save.
    3. The newly created project is added to the Connected Projects list, with a Custom label indicating that it was onboarded using custom network resources.

To edit the configuration:

  1. In the Connected Projects window, navigate to the project you want to edit.
  2. Open the configuration using either of the following methods:
    • Click the Custom button, and then click Edit configuration.
    • Click the cog icon and select Custom Network Resources.
  3. Edit the configuration as required, and click Save.

Note: If validation fails, see the error details for more information and troubleshooting steps. After fixing the issue, click Revalidate to run the validation again.

Custom Deployment Resources

To run scanning operations inside your environment, Prisma Cloud DSPM requires several resources in the designated orchestrator project. These resources enable communication between the orchestrator project and Prisma Cloud DSPM, and store classification results.

Required Resources

Prisma Cloud DSPM requires several network resources for the VM instances used to classify data, and connectivity from those instances to the Prisma Cloud Console.

For each region where data assets reside, the following resources are required:

  • A private subnet for the VM instances used to classify data. Recommended value: 10.0.x.0/24 (x varies between regions)
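Because each region needs its own private subnet and the recommended ranges differ only in the third octet, a plan for several regions is easy to get wrong by hand (overlapping ranges, a stray host bit, a non-private block). The following is an added example, not Prisma Cloud DSPM code or its Custom Network Resources template, that carves one /24 per region out of a parent block and checks a hand-written plan for those mistakes before you paste it into the template. The 10.0.0.0/16 parent block and the region names are assumptions for illustration; only the per-region /24 recommendation comes from the documentation.

```python
import ipaddress
from typing import Dict, List

# Parent block from which the recommended 10.0.x.0/24 subnets are carved.
# The /16 parent is an assumption for this example; only the /24 per region
# is taken from the documentation.
PARENT_BLOCK = ipaddress.ip_network("10.0.0.0/16")
SUBNET_PREFIX = 24


def plan_subnets(regions: List[str]) -> Dict[str, str]:
    """Assign one /24 from PARENT_BLOCK to each region, in order, with no overlap."""
    if len(set(regions)) != len(regions):
        raise ValueError("duplicate region in plan")
    carved = PARENT_BLOCK.subnets(new_prefix=SUBNET_PREFIX)
    plan: Dict[str, str] = {}
    for region in regions:
        try:
            plan[region] = str(next(carved))
        except StopIteration:
            raise ValueError("parent block exhausted") from None
    return plan


def validate_plan(plan: Dict[str, str]) -> List[str]:
    """Check a region -> CIDR plan; return a list of problems (empty means OK).

    Checks: the CIDR parses with no host bits set, is IPv4, is an RFC 1918
    range, uses the recommended /24, and does not overlap another region.
    """
    problems: List[str] = []
    seen: Dict[str, ipaddress.IPv4Network] = {}
    for region, cidr in plan.items():
        try:
            # strict=True rejects values such as 10.0.5.1/24 (host bits set).
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{region}: {cidr} is not a valid network ({exc})")
            continue
        if net.version != 4:
            problems.append(f"{region}: {cidr} is not IPv4")
            continue
        if not net.is_private:
            problems.append(f"{region}: {cidr} is not an RFC 1918 range")
        if net.prefixlen != SUBNET_PREFIX:
            problems.append(f"{region}: {cidr} is a /{net.prefixlen}, recommended /{SUBNET_PREFIX}")
        for other_region, other in seen.items():
            if net.overlaps(other):
                problems.append(f"{region}: {cidr} overlaps {other_region} ({other})")
        seen[region] = net
    return problems


if __name__ == "__main__":
    # Constructed example input: three regions assumed for illustration.
    generated = plan_subnets(["us-central1", "europe-west1", "asia-east1"])
    for region, cidr in generated.items():
        print(f"{region}: {cidr}")
    print("problems:", validate_plan(generated))
```

Run validate_plan over the subnets you intend to enter in the template, one entry per region; any non-empty result points at a value that would fail validation or collide with another region.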

Prisma Cloud DSPM requires egress communication between the VM instances used to classify data and the Prisma Cloud Console.

Make sure to allow connectivity to the following domains and IPs:

Connect additional GCP projects

After connecting a first GCP project and installing Orchestrator in it, you can connect further GCP projects to be monitored by Prisma Cloud DSPM. You can either reuse an existing Orchestrator to monitor all projects, or install a new Orchestrator for each project.

  1. Add a new project as described above.
  2. Select whether you want to use an existing Orchestrator (in which case, select the required Orchestrator from the dropdown menu) or deploy a new Orchestrator in this project.
  3. Click Get Cloud Shell command or Get Terraform command, and add the project using Cloud Shell or Terraform. When added, the new project is listed under Connected Projects in your GCP configuration page.