Azure CWPP Architecture
Plerion's Cloud Workload Protection Platform (CWPP) capability allows you to protect your Azure workloads from threats by leveraging enriched and contextualized data from vulnerabilities, linked exploits, sensitive data exposure, and Software Bill of Materials (SBOM).
This document describes the architecture of the Plerion CWPP solution and deployment process for Azure.
Agentless Solution
Plerion's CWPP solution is agentless and does not require any software to be installed on Azure workloads. Instead, it launches appliances in an Azure subscription that scan the workloads in that subscription and provide visibility into their security posture. An appliance is an ephemeral Azure Virtual Machine (VM), deployed in a dedicated resource group managed by Plerion, that scans workloads in an Azure subscription. The appliance is deployed in the same region as the workloads to be scanned.
Onboarding Process
Before onboarding CWPP for an Azure subscription, you must have an Azure AD integration with Plerion, as CWPP uses the same App registration created in that integration. For more information, see Azure AD Integration.
The onboarding process is as follows:
- Create a dedicated resource group for Plerion appliances in the Azure subscription.
Resource Type | Resource Name | Description |
---|---|---|
Resource Group | plerion-cwpp-appliance-<plerionTenantId>-rg | A dedicated resource group for launching Plerion appliances. |
The <plerionTenantId> is the tenant ID of the Plerion tenant and can be found on the Plerion platform.
- Create a user-managed identity for the appliances in the resource group created in the previous step.
Resource Type | Resource Name | Description |
---|---|---|
User-managed identity | plerion-cwpp-appliance-<plerionTenantId>-mi | A user-managed identity attached to the appliances for scanning workloads |
- Grant the user-managed identity Reader access on the Azure subscription:
Identity | Role Name | Scope | Description |
---|---|---|---|
plerion-cwpp-appliance-<plerionTenantId>-mi | Reader | Azure Subscription | Read-only access to all resources in the Azure subscription |
- Grant the user-managed identity Disk Snapshot Contributor access on the Azure subscription:
Identity | Role Name | Scope | Description |
---|---|---|---|
plerion-cwpp-appliance-<plerionTenantId>-mi | Disk Snapshot Contributor | Azure Subscription | Create, manage, and copy disk snapshots to the resource group created in step 1 to scan |
- Grant the user-managed identity Contributor access to the resource group created in step 1:
Identity | Role Name | Scope | Description |
---|---|---|---|
plerion-cwpp-appliance-<plerionTenantId>-mi | Contributor | Resource Group (plerion-cwpp-appliance-<plerionTenantId>-rg) | Full access to all resources in the resource group created in step 1 to manage appliance resources |
- Grant the Plerion App registration created in the Azure AD integration Contributor access on the resource group created in step 1:
Identity | Role Name | Scope | Description |
---|---|---|---|
Plerion App Registration (Service Principal) | Contributor | Resource Group (plerion-cwpp-appliance-<plerionTenantId>-rg) | Full access to all resources in the resource group created in step 1 to manage appliance resources, manage the network, and clean up resources created by Plerion. This is used by the Plerion Control Plane to manage the CWPP capability |
After the above steps are completed, the Plerion Protection Platform has the permissions required to launch appliances in the resource group created in step 1 and scan workloads in the Azure subscription.
This process needs to be repeated for each Azure subscription that needs to be onboarded to Plerion CWPP.
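The six onboarding steps above, scripted with the Azure CLI as an added example (this is not Plerion's own tooling). It assumes you have run `az login` as someone allowed to create role assignments on the subscription, and it reads the Plerion tenant ID, the target subscription ID, the object ID of the App registration's service principal from the Azure AD integration, and the region from the environment variables PLERION_TENANT_ID, AZURE_SUBSCRIPTION_ID, PLERION_SP_OBJECT_ID and LOCATION (hypothetical names chosen for this script). Setting DRY_RUN=1 prints every command instead of executing it, which is a convenient way to review the exact roles and scopes before anything is granted.

```shell
#!/bin/sh
# Added example, not Plerion's own tooling: scripts the six onboarding steps
# with the Azure CLI. Assumes `az login` has been done by someone allowed to
# create role assignments on the subscription. Input variable names
# (PLERION_TENANT_ID, AZURE_SUBSCRIPTION_ID, PLERION_SP_OBJECT_ID, LOCATION)
# are hypothetical. DRY_RUN=1 prints each az command instead of executing it.
set -eu

# Execute a command, or print it verbatim when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Resource names follow the naming convention documented above.
plerion_rg_name() { printf 'plerion-cwpp-appliance-%s-rg\n' "$1"; }
plerion_mi_name() { printf 'plerion-cwpp-appliance-%s-mi\n' "$1"; }

# Object ID of the managed identity's service principal (placeholder when dry-running).
mi_principal_id() {
  if [ -n "${DRY_RUN:-}" ]; then echo '<mi-principal-id>'; return 0; fi
  az identity show --name "$1" --resource-group "$2" --query principalId -o tsv
}

# Step 1: the dedicated resource group for appliances.
create_resource_group() { run az group create --name "$1" --location "$2"; }

# Step 2: the user-managed identity, created inside that resource group.
create_managed_identity() { run az identity create --name "$1" --resource-group "$2"; }

# Steps 3-6: one role assignment per call. $1 = principal object ID,
# $2 = built-in role name, $3 = scope (subscription or resource group).
assign_role() {
  run az role assignment create \
    --assignee-object-id "$1" --assignee-principal-type ServicePrincipal \
    --role "$2" --scope "$3"
}

# $1 = Plerion tenant ID, $2 = Azure subscription ID,
# $3 = object ID of the Plerion App registration's service principal, $4 = region.
onboard() {
  rg=$(plerion_rg_name "$1")
  mi=$(plerion_mi_name "$1")
  sub_scope="/subscriptions/$2"
  rg_scope="$sub_scope/resourceGroups/$rg"

  create_resource_group "$rg" "$4"
  create_managed_identity "$mi" "$rg"
  # A new identity can take a few seconds to replicate before role
  # assignments accept it; rerun the script if the first assignment fails.
  principal=$(mi_principal_id "$mi" "$rg")
  assign_role "$principal" "Reader" "$sub_scope"                    # step 3
  assign_role "$principal" "Disk Snapshot Contributor" "$sub_scope" # step 4
  assign_role "$principal" "Contributor" "$rg_scope"                # step 5
  assign_role "$3" "Contributor" "$rg_scope"                        # step 6 (App registration)
}

# Only act when the operator supplied inputs; otherwise just define the functions.
if [ -n "${PLERION_TENANT_ID:-}" ] && [ -n "${AZURE_SUBSCRIPTION_ID:-}" ]; then
  onboard "$PLERION_TENANT_ID" "$AZURE_SUBSCRIPTION_ID" \
    "${PLERION_SP_OBJECT_ID:?object ID of the App registration service principal}" \
    "${LOCATION:?region of the workloads to scan}"
fi
```

The scopes are the point worth checking in the dry-run output: only Reader and Disk Snapshot Contributor are granted at subscription scope, and both Contributor grants are confined to the dedicated resource group, which is the narrowest set of permissions the onboarding tables call for.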
Plerion Control Plane
The Plerion Control Plane manages the appliances and orchestrates the scanning of workloads in the Azure subscription. The Control Plane is hosted in the Plerion platform and is responsible for the following:
- Creating virtual networks in the Azure subscription for appliances to communicate with the Plerion platform
- Launching appliances in the Azure subscription
- Assigning workloads to appliances for scanning
- Managing the lifecycle of appliances
- Collecting scan results from appliances
The above process is repeated for each region enabled for CWPP in the Azure subscription.
1. Network configuration
The Plerion Control Plane creates a virtual network in the Azure subscription for appliances to communicate with the Plerion platform.
Virtual Network
The virtual network is created in the same region as the workloads to be scanned. The virtual network is created with the following configuration:
Specification | Details |
---|---|
Name | plerion-cwpp-appliance-<plerionTenantId>-vnet |
Address space | 10.0.0.0/16 |
Subnet
A subnet is created in the virtual network for each appliance launched in the Azure subscription. The subnet is created with the following configuration:
Specification | Details |
---|---|
Name | plerion-cwpp-appliance-<plerionTenantId>-subnet |
Address space | 10.0.0.0/24 |
Network Security Group
A shared network security group is created in the virtual network for appliances to communicate with the Plerion platform. The network security group is created with the following configuration:
Specification | Details |
---|---|
Name | plerion-cwpp-appliance-<plerionTenantId>-nsg |
Inbound Traffic | Block all inbound traffic |
Outbound Traffic | Allow outbound traffic on port 443 (HTTPS) to the Plerion platform and download appliance dependencies |
Currently, the Plerion Control Plane does not support providing a custom network. Support for custom networks will be added in the future.
2. Launching appliances
The Plerion Control Plane launches appliances in the dedicated resource group created during the onboarding. The appliances are launched in the same region as the workloads to be scanned. The appliances are launched with the following configuration:
Specification | Details |
---|---|
Instance Type | Standard D2s v3 |
CPU | 2 vCPUs |
Memory (RAM) | 8 GiB |
Storage | 30 GiB |
Operating System | Linux (ubuntu 22.04) |
Networking | Public IP address for secure communication with the Plerion platform; adherence to Azure security best practices |
3. Assigning workloads to appliances for scanning
The currently supported workloads for scanning are:
- Azure Virtual Machines
Plerion creates appliances on a ratio of:
- 1 appliance for every 2 Azure Virtual Machines
The process is repeated for each region enabled for CWPP in the Azure subscription. For each region, a maximum of 10 appliances are launched at a time. The number of appliances launched is based on the number of workloads to be scanned in the region.
4. Managing the lifecycle of the appliance
The Plerion Control Plane manages the lifecycle of appliances. The Control Plane is responsible for the following:
- Starting appliances
- Deleting appliances
An appliance is stopped when it has completed scanning all the workloads assigned to it, and it is deleted as soon as it is stopped.
If the appliance fails for any reason and does not stop within 3 hours, the appliance is deleted and the remaining workloads are marked as not scanned. If there is an issue deleting the appliance, the Plerion Control Plane retries deleting old appliances in the next integration scan and notifies the user in the Plerion Platform.
5. Collecting scan results from appliances
Once the appliance has completed scanning the workloads assigned to it, the Plerion Control Plane collects the scan results from the appliance. The scan results are stored in the Plerion platform, where they are available for viewing.
Plerion Workload Scanner only collects security-related metadata from workloads. The scan results -- combined with telemetry from our CSPM and CIEM capabilities -- deliver context-rich cloud security to help customers focus on what really matters.
Plerion Workload Scanner does not collect raw data, PII/PHI, or sensitive business data.
Monitoring Resources Created by Plerion
All the resources required for CWPP are created in the resource group (plerion-cwpp-appliance-<plerionTenantId>-rg) created during the onboarding process. The resources created by Plerion are prefixed with plerion-cwpp-* and tagged with Owner=Plerion. The dedicated resource group has the following advantages:
- Easy to monitor and identify resources created by Plerion
- Easy to clean up resources created by Plerion
- View the cost of resources created by Plerion and set a budget
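A small inventory script for the dedicated resource group, added here as an example rather than Plerion's own tooling. It turns the conventions this page states (the plerion-cwpp-* name prefix, the Owner=Plerion tag, the 3-hour appliance lifetime from the lifecycle section, and the inbound-deny network security group from the network configuration section) into checks an operator can run: resources that lack the prefix or tag, appliance VMs that have outlived the lifetime, and any custom inbound Allow rule on the NSG. It assumes `az login`, GNU date, and a PLERION_TENANT_ID environment variable (hypothetical name).

```shell
#!/bin/sh
# Added example, not Plerion's own tooling: inventory and sanity checks over
# the dedicated resource group. Assumes `az login` and GNU date; the
# PLERION_TENANT_ID variable name is hypothetical. Resource names, the
# Owner=Plerion tag, the 3-hour lifetime and the inbound-deny NSG are the
# conventions stated on this page.
set -eu

plerion_rg_name()  { printf 'plerion-cwpp-appliance-%s-rg\n' "$1"; }
plerion_nsg_name() { printf 'plerion-cwpp-appliance-%s-nsg\n' "$1"; }

# Exit 0 when the name follows the plerion-cwpp-* prefix convention.
is_plerion_resource() {
  case "$1" in plerion-cwpp-*) return 0 ;; *) return 1 ;; esac
}

# Exit 0 when timestamp $1 is earlier than $2. Both are ISO-8601 UTC
# (Azure reports e.g. 2024-01-01T03:00:00.1234567+00:00), so plain string
# order matches time order through the seconds field.
is_before() {
  awk -v a="$1" -v b="$2" 'BEGIN { exit !(a < b) }'
}

# UTC timestamp N hours in the past, for comparison with timeCreated (GNU date).
cutoff_utc() { date -u -d "$1 hours ago" '+%Y-%m-%dT%H:%M:%S'; }

# Every resource in the group, flagging anything that does not carry the
# expected name prefix or Owner tag; such items deserve a closer look.
list_resources() {
  rg=$(plerion_rg_name "$1")
  az resource list --resource-group "$rg" \
    --query "[].[name, type, tags.Owner]" -o tsv |
  while IFS="$(printf '\t')" read -r name type owner; do
    flag=""
    is_plerion_resource "$name" || flag="${flag}[unexpected-name]"
    [ "$owner" = "Plerion" ] || flag="${flag}[missing-owner-tag]"
    printf '%s\t%s\t%s\n' "$name" "$type" "$flag"
  done
}

# Appliance VMs created more than N hours ago (default 3) should already have
# been deleted by the Control Plane; list any that are still present.
stale_appliances() {
  rg=$(plerion_rg_name "$1")
  limit=$(cutoff_utc "${2:-3}")
  az vm list --resource-group "$rg" --query "[].[name, timeCreated]" -o tsv |
  while IFS="$(printf '\t')" read -r name created; do
    if is_before "$created" "$limit"; then
      printf '%s\t%s\n' "$name" "$created"
    fi
  done
}

# The shared NSG is documented as blocking all inbound traffic, so any custom
# inbound Allow rule is a deviation from the described configuration.
inbound_allow_rules() {
  az network nsg rule list --resource-group "$(plerion_rg_name "$1")" \
    --nsg-name "$(plerion_nsg_name "$1")" \
    --query "[?direction=='Inbound' && access=='Allow'].name" -o tsv
}

# Only query Azure when the operator supplied a tenant ID.
if [ -n "${PLERION_TENANT_ID:-}" ]; then
  echo "== resources (name, type, flags)";  list_resources "$PLERION_TENANT_ID"
  echo "== appliances older than 3h";       stale_appliances "$PLERION_TENANT_ID"
  echo "== custom inbound Allow NSG rules"; inbound_allow_rules "$PLERION_TENANT_ID"
fi
```

Because every Plerion resource lives in one resource group, the same group is the natural scope for an Azure cost budget and for an alert on resource creation events; the checks above are the cheap complement, confirming that what sits in the group is only what this page says should be there.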