Insight Point

Secure datasource discovery using an Insight Point running in your own environment.

What is a Veza Insight Point?

An Insight Point is a lightweight connector running in your environment to enable the secure gathering of authorization metadata for resources that Veza cannot access directly. An Insight Point is typically deployed as a Docker container or VM OVA.

Typically, you will want an Insight Point to enable secure discovery of services (such as Active Directory, SQL Server, etc.) that require connectivity from within your corporate network. The Insight Point will run within your network to query the internal-only data sources for authorization metadata and push that information to Veza securely.

When do I need an Insight Point?

Deploying an Insight Point for Veza is usually not required, but might be necessary:

  • When the resources to discover are not exposed publicly.

  • To discover databases and other services that do not have cloud-native APIs.

  • If your organization prohibits 3rd-party programmatic access to cloud service providers.

  • To discover on-premise Active Directory and SQL Server.

Deploying an Insight Point

  • Instructions for running an Insight Point with Docker are generally applicable for any environment capable of orchestrating Docker containers (Mac, Windows, or Linux).

  • The Insight Point is also available as an OVA image suitable for Oracle VirtualBox or VMware vSphere. This option can be preferable to Docker for Windows-based environments.

  • For AWS environments, see Deploy with AWS EC2 for instructions to start an Insight Point on AWS EC2.

After deploying the Insight Point, you can specify it when configuring an integration. Veza will use the Insight Point for secure collection and transmission of entity metadata.

Generating a registration key

Log in to Veza with an administrator account, and create a registration key by browsing to Configuration > Insight Point:

  1. Click Create

  2. Enter a Name

  3. Click Generate Key

  4. Copy the key for use when running the Docker image

Save the Insight Point key in a secure location. If lost, there is no way to recover it.

When running the Insight Point, you will typically pass the key to the container as an environment variable or use a secrets manager. You can also save the credentials within the docker-compose.yml file, provided you treat the configuration as a secret.

Troubleshooting

Accessing Insight Point Logs

If the Insight Point does not appear to launch successfully or has connectivity issues, you can get more details by reviewing the container logs, or share them with customer support for assistance. To view logs using the terminal:

  1. List containers to find the Insight Point container: docker ps -a

  2. Copy the value in the CONTAINER ID column

  3. Get logs for the container: docker logs <container_id>

A successful deployment will indicate when any required upgrades are complete and the Insight Point is initialized. Otherwise, the logs will include any errors.

Checking connectivity

The Insight Point automatically checks for connectivity on container start. This includes steps to resolve the DNS and verify TCP and HTTP communication. If there are connection problems, the container logs will indicate if a connection was refused, a host could not be found, or there is another issue.
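The following pre-flight script is an added example, not Veza's own tooling: it runs the same three checks the Insight Point performs on start (DNS resolution, TCP connect, HTTPS request) against the destinations listed in the ports table under Ports and connectivity, so a failing check can be attributed to DNS, a firewall or a TLS-intercepting proxy before the container is launched. The tenant, domain controller and SQL Server hostnames are placeholders.

```python
"""Pre-flight connectivity check for a host that will run an Insight Point.

Added example (not Veza's code). Hostnames other than public.ecr.aws are
placeholders; replace them with your own tenant and internal servers.
"""
import http.client
import socket
import ssl
from dataclasses import dataclass

# (name, host, port, expect_https) taken from the ports table; hosts are placeholders.
REQUIRED_DESTINATIONS = [
    ("Veza Tenant", "your-org.vezacloud.com", 443, True),        # placeholder tenant host
    ("ECR image repository", "public.ecr.aws", 443, True),
    ("AD Domain Controller", "dc01.corp.example", 636, False),  # placeholder
    ("SQL Server", "sql01.corp.example", 1433, False),          # placeholder
]


@dataclass
class CheckResult:
    name: str
    host: str
    port: int
    ok: bool
    detail: str


def resolve_host(host):
    """Return the first address for host, or None if DNS lookup fails."""
    try:
        return socket.getaddrinfo(host, None)[0][4][0]
    except socket.gaierror:
        return None


def check_tcp(host, port, timeout=3.0):
    """Attempt a TCP connect; return (ok, reason) so refused vs. filtered is visible."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except ConnectionRefusedError:
        return False, "connection refused"
    except socket.timeout:
        return False, "timed out (typically a firewall drop)"
    except OSError as exc:
        return False, exc.strerror or str(exc)


def check_https(host, port=443, timeout=3.0):
    """Send HEAD / over TLS; any HTTP status means the path is reachable."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", "/")
        return True, f"HTTP {conn.getresponse().status}"
    except ssl.SSLError as exc:
        # Certificate errors here usually mean a TLS-intercepting proxy in the path.
        return False, f"TLS error: {exc}"
    except OSError as exc:
        return False, str(exc)
    finally:
        conn.close()


def check_destination(name, host, port, expect_https):
    """Run DNS -> TCP -> (optional) HTTPS and stop at the first failing layer."""
    ip = resolve_host(host)
    if ip is None:
        return CheckResult(name, host, port, False, "DNS: host could not be found")
    ok, reason = check_tcp(host, port)
    if not ok:
        return CheckResult(name, host, port, False, f"TCP to {ip}:{port}: {reason}")
    if expect_https:
        ok, reason = check_https(host, port)
        if not ok:
            return CheckResult(name, host, port, False, f"HTTPS: {reason}")
        return CheckResult(name, host, port, True, f"DNS {ip}, TCP ok, {reason}")
    return CheckResult(name, host, port, True, f"DNS {ip}, TCP ok")


def run_checks(destinations=REQUIRED_DESTINATIONS):
    return [check_destination(*d) for d in destinations]


if __name__ == "__main__":
    for r in run_checks():
        print(f"{'OK  ' if r.ok else 'FAIL'} {r.name:<22} {r.host}:{r.port}  {r.detail}")
```

Run it on the host where the container will be started, not from a workstation: egress rules, proxies and DNS views commonly differ between the two, and the Insight Point's own log will only report the first layer that fails.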

Changing an Insight Point

When modifying the Insight Point associated with an integration — for example, if the registration key is lost — you will need to re-enter the credentials and secrets for that integration configuration.

  • Follow the instructions above to start another Insight Point with a new registration key

  • On the Configurations page, edit the integration configuration to re-enter the credentials for each affected integration.

Ports and connectivity

The Insight Point will communicate out from the container VM to the Veza Tenant and targeted systems. Your implementation must enable traffic to and from the host on the required ports.

The host must also be able to communicate out to the ECR repository hosting the Insight Point image.

Required    Destination             Protocol    Port
yes         Veza Tenant             TCP         443
yes         public.ecr.aws          TCP         443
for AD      AD Domain Controller    TCP/UDP     636
for SQL     SQL Server              TCP         1433

  • The Insight Point must be able to communicate with https://<your-org>.vezacloud.com on outbound port 443. Ensure that firewalls allow outbound traffic to the Veza tenant domain. Insight Points have a DP_USE_WEBSOCKET=true flag that controls the communication protocol. If set, the Insight Point will use WebSockets instead of HTTP/2. This option is automatically enabled when there is an issue connecting via HTTP/2.

  • For Active Directory and SQL Server: The Insight Point must be allowed to communicate with Active Directory Domain Controllers on port 636, and SQL Servers on port 1433.

  • For AWS RDS and Trino: To discover AWS RDS or Trino instances, you will need to add the Insight Point egress IP to the inbound rules of the security group for each instance to discover.

To add an entry for AWS RDS:

  1. Log in to the AWS account containing the resources to discover, and go to RDS > Databases

  2. Click the DB identifier and go to Connectivity & security > Security > VPC security groups

  3. Click Inbound rules > Edit inbound rules to set the IP address entry

  4. Click Add rule > Type (MySQL, Aurora or PostgreSQL) > Source (Custom)

  5. Enter the Insight Point egress IP

  6. Optionally enter a description and click Save rules

To add an entry for Trino:

  1. Log in to the AWS account containing the resources to discover, and go to EC2 > Security Groups

  2. Click the Security Group associated with your Trino instances and go to Inbound rules > Edit inbound rules to set the IP address entry

  3. Click Add rule > Type (Custom TCP) > Port range (8080, or your custom port) > Source (Custom), and enter the Insight Point egress IP

  4. Optionally enter a description, and save the rules
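Where many RDS instances or Trino security groups are in scope, the same two procedures can be scripted. The block below is an added example (neither Veza's nor AWS's own tooling) that builds the inbound rule the console steps describe and applies it through boto3's EC2 client: the source is always pinned to the single egress address as a /32 (or /128) CIDR, every rule carries a description so the entry can be identified later, and a rule that already exists is reported rather than treated as an error. The security group IDs and the egress IP are placeholders; boto3 is only imported when the script is run directly, so the rule-building functions work without it.

```python
"""Add an Insight Point egress IP to RDS / Trino security group inbound rules.

Added example, not Veza's or AWS's own code. Group IDs and the egress IP
below are placeholders.
"""
import ipaddress

# Default ports for the rule types named in the console steps (constructed map;
# use your custom Trino port if it is not 8080).
RULE_PORTS = {"MySQL": 3306, "Aurora": 3306, "PostgreSQL": 5432, "Trino": 8080}


def build_ingress_permission(egress_ip, port, description):
    """Build one IpPermissions entry limited to a single host and a single port."""
    addr = ipaddress.ip_address(egress_ip)  # rejects CIDR blocks and junk input
    if isinstance(addr, ipaddress.IPv4Address):
        ranges_key, cidr_key, cidr = "IpRanges", "CidrIp", f"{addr}/32"
    else:
        ranges_key, cidr_key, cidr = "Ipv6Ranges", "CidrIpv6", f"{addr}/128"
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        ranges_key: [{cidr_key: cidr, "Description": description}],
    }


def authorize(ec2, group_id, permission):
    """Apply the rule; an already-present identical rule counts as success."""
    try:
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=[permission])
        return "added"
    except Exception as exc:  # botocore ClientError exposes the AWS error code on .response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "InvalidPermission.Duplicate":
            return "exists"
        raise


def allow_insight_point(ec2, egress_ip, targets, description="Veza Insight Point egress"):
    """targets: iterable of (security_group_id, rule_type). Returns {group_id: status}."""
    results = {}
    for group_id, rule_type in targets:
        perm = build_ingress_permission(egress_ip, RULE_PORTS[rule_type], description)
        results[group_id] = authorize(ec2, group_id, perm)
    return results


if __name__ == "__main__":
    import boto3  # assumed installed on the operator's workstation

    ec2 = boto3.client("ec2")
    # Placeholder group IDs; collect them from RDS > Connectivity & security or EC2 > Security Groups.
    targets = [("sg-0123456789abcdef0", "PostgreSQL"), ("sg-0fedcba9876543210", "Trino")]
    print(allow_insight_point(ec2, "203.0.113.10", targets))
```

The rule is deliberately built from the address rather than accepting a CIDR string, so a typo such as a /24 cannot widen the inbound exposure of the database beyond the single Insight Point host.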
