Using the Amazon Machine Image
You need to install the SPA connector on an AWS EC2 instance using the Amazon Machine Image (AMI). You must be able to access the private applications or services from this AWS EC2 instance.
- Log in to your AWS account, open the EC2 dashboard, and select the AMI Catalog.
- In the Amazon AMI Catalog, search for Lookout Secure Private Access Connector.
- Under architecture, select the version you want:
- 64-bit (ARM): Graviton instance
- 64-bit (x86): AMD instance
- Click the Launch Instance with AMI button at the top.
- In the Name prompt, enter the same Node name that you entered in the Management Console while creating the Node.
- (Optional) Add any tags you want to add to your node.
- Choose an Instance type that meets these minimum requirements:

| Instance type | Minimum requirements |
| --- | --- |
| Arm64 | Instance size: t4g.xlarge; CPU: 4 cores; RAM: 16 GB; Disk space: 100 GB |
| Amd64 | Instance size: t3a.xlarge; CPU: 4 cores; RAM: 16 GB; Disk space: 100 GB |
- Create or choose an existing Key pair to access the connector Node. You can either use a pre-existing key or create a new key for this purpose.
Make sure the Key pair uses ED25519, not RSA: RSA with SHA-1 signatures has been deprecated and removed from Ubuntu 22.04 because it is no longer considered secure.
- Edit the Network settings and enter the VPC and Subnet details so that the node is able to make outbound connections to the Lookout Cloud Security Platform as well as to your internal applications that you want to provide access to:
- Allow outbound connection from the Secure Private Access connector on port 443.
- Allow outbound connections to register the Secure Private Access connector to the Lookout node manager service. You can view the node management URL in the Management Console.
- Set up a security group with firewall rules that will allow this node to access the Lookout Security Cloud platform as well as your internal applications that you want to provide access to.
You must open these ports to establish proper communication with the Lookout Security Cloud platform:

| Ports | Description |
| --- | --- |
| Outbound UDP ports 500 and 4500 | Establish the IPsec tunnel from the SPA connector to the Lookout Cloud Security Platform cloud service. |
| Outbound TCP port 443 | Internal communication between the Lookout cloud service and the SPA connector. |

These are the minimum outbound rules required for the SPA connector.
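The key-pair note and the port table above are the two places where a wrong console click weakens the node. The script below is an added example, not Lookout's tooling or the AMI's own setup: it prints a reviewable AWS CLI plan that creates an ED25519 key pair (never RSA) and a security group carrying exactly the minimum outbound rules listed (TCP 443, UDP 500, UDP 4500), after dropping the allow-all egress rule that AWS attaches to every new group. The VPC id, key and group names, the admin CIDR allowed to SSH to the node's private address, and the per-application egress helper are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not Lookout's tooling): prints a reviewable AWS CLI plan for an
# ED25519 key pair and a least-privilege security group for the SPA connector.
# Every value below is an assumption/placeholder, not a value from the page.
VPC_ID="${VPC_ID:-vpc-PLACEHOLDER}"
KEY_NAME="${KEY_NAME:-spa-connector-key}"
SG_NAME="${SG_NAME:-spa-connector-egress}"
ADMIN_CIDR="${ADMIN_CIDR:-10.0.0.0/8}"   # assumption: where admin SSH to the private IP originates

# One --ip-permissions entry: protocol, port, CIDR, description.
rule() {
    printf '{"IpProtocol":"%s","FromPort":%s,"ToPort":%s,"IpRanges":[{"CidrIp":"%s","Description":"%s"}]}' \
        "$1" "$2" "$2" "$3" "$4"
}

# Minimum outbound rules from the page: TCP 443 plus UDP 500/4500 for the IPsec tunnel.
spa_egress_permissions() {
    printf '[%s,%s,%s]' \
        "$(rule tcp 443 0.0.0.0/0 'Lookout cloud service and node manager')" \
        "$(rule udp 500 0.0.0.0/0 'IPsec IKE')" \
        "$(rule udp 4500 0.0.0.0/0 'IPsec NAT-T')"
}

# Egress for one internal application the connector must reach (assumed helper),
# e.g. internal_app_permissions tcp 8443 10.20.0.0/16
internal_app_permissions() { printf '[%s]' "$(rule "$1" "$2" "$3" 'internal application')"; }

# Admin SSH only from the assumed admin CIDR, never 0.0.0.0/0.
ssh_ingress_permissions() { printf '[%s]' "$(rule tcp 22 "$ADMIN_CIDR" 'admin SSH')"; }

# ED25519 key type, as the note above requires; private key saved with 0600.
keypair_cmd() {
    printf 'aws ec2 create-key-pair --key-name "%s" --key-type ed25519 --query KeyMaterial --output text > "%s.pem" && chmod 600 "%s.pem"' \
        "$KEY_NAME" "$KEY_NAME" "$KEY_NAME"
}

# The plan is itself a shell script: review it, then run it with `sh`.
plan() {
    echo "set -e"
    keypair_cmd; echo
    printf 'SG_ID=$(aws ec2 create-security-group --group-name "%s" --description "SPA connector" --vpc-id "%s" --query GroupId --output text)\n' \
        "$SG_NAME" "$VPC_ID"
    # A new group allows all egress by default; remove that so only the listed rules remain.
    printf "aws ec2 revoke-security-group-egress --group-id \"\$SG_ID\" --ip-permissions '%s'\n" \
        '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'
    printf "aws ec2 authorize-security-group-egress --group-id \"\$SG_ID\" --ip-permissions '%s'\n" \
        "$(spa_egress_permissions)"
    printf "aws ec2 authorize-security-group-ingress --group-id \"\$SG_ID\" --ip-permissions '%s'\n" \
        "$(ssh_ingress_permissions)"
    echo 'echo "security group: $SG_ID"'
}

plan
```

Run the script once to read the generated commands, add one `authorize-security-group-egress` line per internal application using `internal_app_permissions`, and only then pipe the reviewed plan into `sh`. Revoking the default allow-all egress is what makes the "minimum outbound rules" in the table actually the only rules the node has.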
- Under Configure storage, specify adequate storage to meet the requirements.
- Click Advanced details, select User data as text, and enter the following user data in the User data (Optional) field:
Replace the data within the double-quotes with the information you copied from the Management Console when you created the node. You can find this information in the connector Configuration page of the Management Console.
- <NODE_MANAGER_ENDPOINT>: Node Manager Endpoint
- <TENANT_ID>: Tenant Id
- <NODE_SERVER_UNIQUE_NAME>: Node Server Unique Name
- <NODE_SERVER_TOKEN>: Node Server Token
Leave the double-quotes surrounding the information as is.
- Click Launch Instance.
- You will see this message once the node is installed successfully:
- Click on the instance to find its IP address and SSH into it, or monitor the node from the Management Console nodes list: the node shows "STARTING" while it starts, then "OK" and "Connected" once it is fully up and running.
- In the Management Console, select Administration > Node Management.
- Locate the name of your node and verify the value in the ZTNA TUNNEL column. If the Secure Private Access tunnel was established successfully, the value reads Connected.
- You can find the new instance in the AWS EC2 Instance list.
- To SSH into the node, use the private IPv4 address shown in the AWS EC2 instance information, together with the key pair you set for the instance.