Deploy Satori Customer Hosted on GCP
The following section describes the main components of the Satori Customer Hosted (CH) platform and how to deploy them on GCP.
Introduction to Satori CH for GCP
The Satori CH platform consists of two main components:
- The Satori Management service, maintained by Satori.
- The Satori Customer Hosted (CH) Data Access Controller (DAC), a Kubernetes-based service that is either consumed as a service or deployed on a GCP Google Kubernetes Engine (GKE) cluster inside the customer's VPC.
Deploying the Satori CH DAC
Deploy the Satori CH DAC in the same public cloud region as the data stores it is meant to protect; this keeps query latency low and avoids cross-region data transfer.
For example, customers using a managed PostgreSQL instance in GCP us-east1 should deploy the Satori DAC in a VPC in the same region (GCP us-east1).
Multi-Region Deployments
For customers who operate data stores in multiple regions, a Satori CH DAC should be deployed for each separate region.
Satori VPC Deployment Architecture on GCP
The following two diagrams illustrate the Satori architecture when deployed in a customer's virtual private cloud (VPC) on GCP.
Illustration 1 - High Level Satori Deployment on GCP Architecture
Illustration 2 - Kubernetes Cluster Architecture
High Level Deployment Steps
Deploying a Customer Hosted DAC involves the following steps. Satori provides assistance with each of them:
- Customer Task - Prepare the network for deployment.
- Customer Task - Prepare the Kubernetes cluster.
- Customer Task - Deploy the Satori DAC.
- Satori Task - Reference a new CNAME for the DAC.
- Operational Task - Configure self-hosted DNS and TLS (SSL) certificates for the DAC.
Satori CH DAC Network Configuration
The Satori CH DAC requires the following network path configurations:
- User Connection to the Satori DAC - Users connect to data stores via the Satori DAC, therefore a network path from users to the Satori DAC is required.
- Satori DAC Connection to the Data Store - the Satori DAC receives queries from users and forwards them to the data stores it protects, so a network path from the Satori DAC to the data stores is required. Typically this is established by deploying the Satori DAC in the same VPC as the data stores and ensuring that the VPC firewall rules (and, for managed databases, the instance's network or authorized-network settings) allow access from the Satori DAC's nodes to the data stores.
- Egress to Satori and Google services - allow outbound TCP 443 from the DAC to app.satoricyber.com, *.google.com, *.googleapis.com and us-docker.pkg.dev. Satori uses several services of the Google Cloud Platform (GCP): a Git repository that holds the Satori DAC's configuration files, a secret manager for secure storage of secrets, and a messaging service that publishes data access metadata to the management console. The full list of fields that are sent is available here: Metadata Shared by Data Access Controllers with the Management Console.
- Egress for telemetry - allow outbound TCP 443 from the DAC to cortex.satoricyber.net, alert1.satoricyber.net, alert2.satoricyber.net and alert3.satoricyber.net, where product telemetry (metrics) is uploaded.
Private or Public Facing Data Access Controller
You can choose to deploy a private, VPC-only facing Satori CH DAC, or a public, internet-facing Satori CH DAC.
The following section describes how to deploy a typical GKE cluster.
Prerequisites
To deploy a GKE cluster, ensure you have the following access privileges and that the following third-party tools are installed:
- Administrator-level access to the following GCP services - VPC, Cloud NAT, Cloud Load Balancing and GKE.
- Administrator-level access to the Kubernetes cluster.
- Helm 3 installed on the command line. To verify that Helm is installed, run:
```
helm version
```
To download Helm, go to Helm.
- kubectl installed on the command line. To verify that kubectl is installed, run:
```
kubectl version
```
To download kubectl, go to Kubernetes Tool Installations.
Recommended Cluster Specification
- Kubernetes Version - 1.28
- Nodes - e2-standard-2 or similar compute instances, spread across availability zones (minimum of three nodes).
- Disk Space Allocation - 20 GB of ephemeral storage of type "balanced" (pd-balanced) on each node.
- Autoscaling the Cluster - Satori recommends enabling the cluster autoscaler. See the GKE cluster autoscaler documentation for additional information.
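The network requirements and the cluster prerequisites above are easy to get wrong in a locked-down VPC, so here is a preflight script that checks them before the Helm install. It is an added example, not Satori's own tooling: it probes TCP 443 to the egress hosts listed on this page, confirms Helm 3 and kubectl are present, and checks cluster-admin rights, the Kubernetes minor version and the node count against the recommended specification. The page lists .google.com and .googleapis.com as suffixes; www.google.com and www.googleapis.com are assumed here as representative probe targets for them. Run it from a shell inside the target VPC (a pod on the cluster or a VM in the same subnet) with `sh preflight.sh run`.

```sh
#!/bin/sh
# Preflight checks for a Satori CH DAC deployment on GKE (added example, not
# Satori's tooling). Usage from inside the target VPC:  sh preflight.sh run

# Hosts that must be reachable on TCP 443 (from this page). www.google.com and
# www.googleapis.com are assumed probe targets for the listed domain suffixes.
required_egress_hosts() {
  cat <<'EOF'
app.satoricyber.com
www.google.com
www.googleapis.com
us-docker.pkg.dev
cortex.satoricyber.net
alert1.satoricyber.net
alert2.satoricyber.net
alert3.satoricyber.net
EOF
}

# TCP connect plus TLS handshake to HOST:443. Any HTTP status counts as
# reachable; only DNS, connection or TLS failures make curl exit non-zero.
probe_https() {
  curl --silent --show-error --connect-timeout 5 --max-time 15 \
       --output /dev/null "https://$1/"
}

check_egress() {
  rc=0
  for h in $(required_egress_hosts); do
    if probe_https "$h" 2>/dev/null; then
      echo "ok    egress to $h:443"
    else
      echo "FAIL  egress to $h:443 (check Cloud NAT and egress firewall rules)"
      rc=1
    fi
  done
  return $rc
}

# Major version from `helm version --short` output such as "v3.14.2+gc309b6f".
helm_major() {
  printf '%s\n' "$1" | sed -n 's/^v\{0,1\}\([0-9][0-9]*\)\..*/\1/p'
}

# Minor version from a Kubernetes gitVersion such as "v1.28.3-gke.1286000".
k8s_minor() {
  printf '%s\n' "$1" | sed -n 's/^v\{0,1\}[0-9][0-9]*\.\([0-9][0-9]*\).*/\1/p'
}

check_tools() {
  rc=0
  command -v kubectl >/dev/null || { echo "FAIL  kubectl not found"; rc=1; }
  if command -v helm >/dev/null; then
    v=$(helm version --short 2>/dev/null)
    if [ "$(helm_major "$v")" = 3 ]; then
      echo "ok    helm $v"
    else
      echo "FAIL  helm 3 required, found: ${v:-unknown}"; rc=1
    fi
  else
    echo "FAIL  helm not found"; rc=1
  fi
  return $rc
}

check_cluster() {
  rc=0
  # Administrator access: can the current identity do everything in the cluster?
  if kubectl auth can-i '*' '*' >/dev/null 2>&1; then
    echo "ok    cluster-admin level access"
  else
    echo "FAIL  current kubeconfig context lacks cluster-admin rights"; rc=1
  fi
  server=$(kubectl version -o yaml 2>/dev/null | sed -n '/^serverVersion:/,$p' \
           | sed -n 's/^ *gitVersion: *//p' | head -n 1)
  if [ "$(k8s_minor "$server")" = 28 ]; then
    echo "ok    Kubernetes $server"
  else
    echo "WARN  Kubernetes ${server:-unknown}; the recommended version is 1.28"
  fi
  nodes=$(kubectl get nodes --no-headers 2>/dev/null | wc -l | tr -d ' ')
  if [ "${nodes:-0}" -ge 3 ]; then
    echo "ok    $nodes nodes"
  else
    echo "FAIL  ${nodes:-0} nodes; at least three are recommended"; rc=1
  fi
  return $rc
}

if [ "${1:-}" = run ]; then
  status=0
  check_tools || status=1
  check_cluster || status=1
  check_egress || status=1
  exit $status
fi
```

A failed egress probe from a pod usually means the node pool has no route to the internet (no Cloud NAT on a private cluster) or an egress firewall rule is too narrow; a failure from a VM in the same subnet but success from a pod points at the pod CIDR not being covered by the NAT or firewall configuration.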
Deploying the Satori Helm Chart on the Cluster
The Satori Helm chart is available in a deployment package that you download from the Satori Management Console for the first-time installation of the DAC. Follow these steps to download and deploy the deployment package:
- Log in to the Satori Management Console.
- Go to Settings, Data Access Controllers and select the DAC to deploy to. Contact Support if a new DAC needs to be created.
- Select the Upgrade Settings tab and download the recommended deployment package.
- Extract the deployment package and open a terminal window in the directory where it was extracted. For example:
```
tar -xf satori-dac-1.2405.2.tar
cd satori-2405
```
- Deploy the runtime Prometheus server (this step is required only once, during the first installation). If you are installing the DAC to the standard satori-runtime namespace, apply the file as is:
```
kubectl apply -f ./runtime-prometheus-server.yaml
```
If you are installing the DAC to a custom namespace, replace satori-runtime in the file with your namespace before applying it (substitute your namespace for <namespace>):
MacOS users:
```
sed -i '' 's/satori-runtime/<namespace>/g' runtime-prometheus-server.yaml
```
Linux users:
```
sed -i 's/satori-runtime/<namespace>/g' runtime-prometheus-server.yaml
```
- Run the main DAC install command. Copy it from the Satori Management Console so that it includes the one-time password (shown here as <OTP>); when using a custom namespace, pass that namespace to -n instead of satori-runtime:
```
cd satori-runtime
helm upgrade --install --create-namespace -n satori-runtime --values version-values.yaml --values customer-values.yaml --values customer-override.yaml --set bootstrapOTP=<OTP>
```
Note: The one-time password is auto generated when you copy the install command from the Satori Management Console. The OTP is required only for the first time DAC installation.
Note: The one-time password is valid for one hour and can be used only once.
![Screenshot](otp.png)
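The first-installation steps above, wrapped in one script. This is an added example and not Satori's own tooling. It assumes that the Helm release is named satori-runtime and that the chart is the satori-runtime directory inside the package (the install command on this page shows neither a release name nor a chart path), and it takes the OTP from the SATORI_OTP environment variable or an echo-less prompt rather than from the command line copied from the console. Two details matter for security: the namespace is validated as a DNS-1123 label before it is spliced into the sed expression and the kubectl/helm flags, and the OTP is passed through a 0600 values file instead of --set, so it never appears in shell history or in ps output. The manifest is rewritten to a new file instead of with sed -i, which sidesteps the macOS/Linux syntax difference. Run it from the extracted package directory with `SATORI_OTP=... NAMESPACE=satori-runtime sh install-dac.sh install`.

```sh
#!/bin/sh
# First-time Satori CH DAC install wrapper (added example, not Satori's tooling).
# Assumptions: release name "satori-runtime", chart = the package's
# satori-runtime directory. Override with RELEASE / CHART_DIR if they differ.
RELEASE="${RELEASE:-satori-runtime}"
CHART_DIR="${CHART_DIR:-satori-runtime}"

# Kubernetes namespace names are DNS-1123 labels. Validating the name before it
# reaches sed or a kubectl/helm flag keeps a stray "/" or shell metacharacter
# from rewriting the manifest or the command.
valid_namespace() {
  ns=$1
  [ ${#ns} -ge 1 ] && [ ${#ns} -le 63 ] || return 1
  printf '%s\n' "$ns" | grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
}

# Rewrite the namespace in runtime-prometheus-server.yaml (IN) into OUT.
# Writing a new file avoids the differing -i syntax of macOS and GNU sed.
render_prometheus_manifest() {
  in=$1; ns=$2; out=$3
  valid_namespace "$ns" || { echo "invalid namespace: $ns" >&2; return 1; }
  sed "s/satori-runtime/$ns/g" "$in" > "$out"
}

# The OTP is single-use and expires after an hour, but it still should not land
# in shell history or ps output. A 0600 values file passed with --values sets
# the same top-level bootstrapOTP value as --set does, without exposing it.
write_otp_values() {
  otp=$1
  old_umask=$(umask); umask 077
  f=$(mktemp "${TMPDIR:-/tmp}/satori-otp.XXXXXX") || { umask "$old_umask"; return 1; }
  printf 'bootstrapOTP: "%s"\n' "$otp" > "$f"
  umask "$old_umask"
  printf '%s\n' "$f"
}

install_dac() {
  ns=${NAMESPACE:-satori-runtime}
  valid_namespace "$ns" || { echo "invalid namespace: $ns" >&2; return 1; }
  if [ -z "${SATORI_OTP:-}" ]; then
    printf 'Bootstrap OTP from the Satori console: ' >&2
    stty -echo 2>/dev/null; read -r SATORI_OTP; stty echo 2>/dev/null; echo >&2
  fi
  # First-install-only step: the runtime Prometheus server.
  render_prometheus_manifest runtime-prometheus-server.yaml "$ns" \
    runtime-prometheus-server.rendered.yaml || return 1
  kubectl apply -f runtime-prometheus-server.rendered.yaml || return 1
  values=$(write_otp_values "$SATORI_OTP") || return 1
  trap 'rm -f "$values"' EXIT
  cd "$CHART_DIR" || return 1
  helm upgrade --install --create-namespace -n "$ns" \
    --values version-values.yaml --values customer-values.yaml \
    --values customer-override.yaml --values "$values" \
    "$RELEASE" .
}

if [ "${1:-}" = install ]; then install_dac; fi
```

The OTP values file is deleted when the script exits; because the OTP is consumed on first use, a failed helm run after the bootstrap has happened needs a fresh OTP from the console rather than a retry with the same value.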
DNS Configuration
Satori CH generates a unique hostname for each data store that it protects, in a DNS zone that is unique to each Satori CH DAC. For private-facing Satori CH DACs, customers host that DNS zone on a DNS service of their own that the clients can resolve.
For public-facing Satori CH DACs, Satori provides the option to use Google DNS at no extra cost.
The DNS zone has a root hostname pointing to the load balancer and a wildcard entry for the data-store-specific hostnames, both resolving to the load balancer's address. For example:
```
dac1.us-east1.g.p1.satoricyber.net.    A 34.23.14.69
*.dac1.us-east1.g.p1.satoricyber.net.  A 34.23.14.69
```
Once the DAC and its DNS zone are set up, you can begin adding your first data store.
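A wildcard record that is missing or points at a stale load balancer address is the usual reason a newly added data store's hostname does not resolve, so it is worth checking the zone before adding data stores. The script below is an added example, not part of the original page or of Satori's tooling. It resolves the zone apex and two arbitrary subdomains (which only a wildcard can answer) and compares each result with the load balancer address you expect; the defaults are the example zone and address shown above. The optional resolver argument is a hook for exercising the logic without network access; in normal use it is dig from the BIND utilities.

```sh
#!/bin/sh
# Verify a DAC DNS zone: apex and wildcard must both resolve to the load
# balancer address (added example, not Satori's tooling).
# Usage:  sh check-dac-dns.sh check <zone> <expected-ip>

# First A record for NAME, via dig. Only dotted-quad answers are accepted so a
# CNAME chain or an error message is never mistaken for an address.
resolve_a() {
  dig +short A "$1" 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# verify_dac_zone ZONE EXPECTED_IP [RESOLVER]
# Checks the apex plus two names a wildcard must cover; RESOLVER defaults to
# resolve_a and exists so the check can run against a fake resolver offline.
verify_dac_zone() {
  zone=$1; expected=$2; resolver=${3:-resolve_a}
  rc=0
  for name in "$zone" "probe-$$.$zone" "postgres-example.$zone"; do
    got=$("$resolver" "$name")
    if [ "$got" = "$expected" ]; then
      echo "ok    $name -> $got"
    else
      echo "FAIL  $name -> ${got:-<no A record>} (expected $expected)"
      rc=1
    fi
  done
  return $rc
}

if [ "${1:-}" = check ]; then
  verify_dac_zone "${2:-dac1.us-east1.g.p1.satoricyber.net}" "${3:-34.23.14.69}"
fi
```

Take the expected address from the external IP of the DAC's load balancer service in the cluster rather than from memory; if the apex resolves but the probe names do not, the wildcard record is missing, and if both resolve to a different address the zone still points at a previous load balancer.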
Upgrading Satori CH DAC
To upgrade your Satori CH DAC and enjoy the latest features, fixes and security improvements go to the Upgrading Satori section.