As described in the Frequently Asked Questions document, SAC is a Software as a Service platform that allows corporate IT organizations to provide secure connectivity to corporate applications and services for designated audiences.
The technical ability to access corporate assets that are deployed/hosted in the corporate hybrid cloud is achieved by deploying small components, called SAC Connectors, in various locations inside the corporate data centers. These components are responsible for reaching out to the SAC cloud service and providing application-level connectivity to the corporate assets, according to the policy.
Below is the basic diagram depicting the solution components:
A SAC Connector can be deployed anywhere in the corporate network, as long as it can open outbound HTTPS (port 443) connections to the SAC cloud service and can reach the actual published application/service host.
One of the possible deployment scenarios is to run the SAC Connector on the application/service host. There are a number of security and operational advantages to this approach, most prominent of which are:
- The host can be cloaked from all networks, including an internal one, by blocking all incoming traffic via a host firewall. This way, the only connections to various services on that host can come via the SAC platform, implementing a "true" Software Defined Perimeter.
- If the host is moved from one network location to another, there is no need to reconfigure any networking elements: access to the application/service at its new network location still goes through the SAC service, so the location and the migration process are completely transparent to users.
When deploying a Connector as a Docker container running on the application/service host and connecting to the actual server via local networking, it is important to take into account the structure of Docker networking, schematically depicted below:
As the application server is running either on the Docker Host or in a different container, the address used by the SAC Connector (the Internal Address defined in the Application configuration in the SAC Admin UI) must take the internal networking into consideration: simply using localhost or 127.0.0.1 resolves to the network interface of the container hosting the SAC Connector, not to the application host.
There are two possible approaches to expose an application/service running on the Docker Host via a SAC Connector running in a Docker container:
1. Create the container with the --net=host option, so that it shares the host's network stack, and configure the application to use the localhost interface.
2. Use the Docker Host IP in the application configuration.
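The following script is an added example, not part of the SAC documentation or product, that walks through both approaches above: it derives the Internal Address to enter in the SAC Admin UI from the chosen Docker networking mode and prints the matching `docker run` line. The image name `sac-connector:latest` and the container name are placeholders; the Docker host IP 172.17.0.1 used in the stand-alone run is a constructed sample value (the default docker0 gateway on most installations), and `docker_host_ip` assumes the `ip` tool is available inside the container.

```shell
#!/bin/sh
# Added example (not from the SAC documentation): pick the Internal Address for
# an application published through a SAC Connector that runs as a Docker
# container on the same host as the application, and build the docker run line.
# "sac-connector:latest" is a placeholder image name, not the real product's.
set -eu

# Docker host address as seen from inside a bridge-networked container: the
# container's default gateway is the docker0 bridge on the host. Prints nothing
# when "ip" is unavailable, so callers may pass an explicit address instead.
docker_host_ip() {
    ip -4 route show default 2>/dev/null | awk '/default/ { print $3; exit }'
}

# sac_internal_address MODE PORT [HOST_IP]
# MODE is "host" (container created with --net=host) or "bridge" (Docker's
# default networking). Prints the value for the Internal Address field in the
# SAC Admin UI, or fails when the combination would point the connector at its
# own container interface instead of the application host.
sac_internal_address() {
    mode=$1; port=$2; host_ip=${3:-}
    case "$mode" in
        host)
            # With host networking the container shares the host's loopback,
            # so localhost really is the application host.
            printf '127.0.0.1:%s\n' "$port" ;;
        bridge)
            # On the bridge network 127.0.0.1 is the connector container itself;
            # the Docker host's IP (usually the docker0 gateway) is needed.
            [ -n "$host_ip" ] || host_ip=$(docker_host_ip)
            case "$host_ip" in
                ''|localhost|127.*)
                    echo "bridge mode needs the Docker host IP, not loopback" >&2
                    return 1 ;;
            esac
            printf '%s:%s\n' "$host_ip" "$port" ;;
        *)
            echo "unknown mode: $mode (use host or bridge)" >&2
            return 1 ;;
    esac
}

# docker_run_cmd MODE
# Prints the docker run line for the chosen mode. Only host networking needs an
# extra flag. Neither variant publishes a port on the host: the connector only
# dials out to the SAC cloud service on 443, which is what lets the host firewall
# block all inbound traffic.
docker_run_cmd() {
    mode=$1
    net_flag=""
    [ "$mode" = host ] && net_flag="--net=host "
    printf 'docker run -d --restart unless-stopped %s--name sac-connector sac-connector:latest\n' "$net_flag"
}

# pick_deployment MODE PORT [HOST_IP]: show both settings for one deployment.
pick_deployment() {
    addr=$(sac_internal_address "$@") || return 1
    echo "Internal Address for SAC Admin UI: $addr"
    echo "Start the connector with: $(docker_run_cmd "$1")"
}

# Stand-alone run: approach 1 (host networking) and approach 2 (Docker host IP).
pick_deployment host 8080
pick_deployment bridge 8080 172.17.0.1   # 172.17.0.1 is a constructed sample value
```

In bridge mode the script refuses loopback addresses outright, because that is exactly the misconfiguration described above: the connector would connect to its own container and the application would appear unreachable in SAC even though it is up on the host.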
More details about Docker Container Networking can be found in the Docker Docs.