Anchore Enterprise can run in an isolated environment with no outside internet connectivity. It does require a network connection to its own components and must be able to reach the Docker image registries (v2 API compatible) where the images to be analyzed are hosted.
Components
- Private Network
- Public Network (internet is reachable)
- Anchore Enterprise
- Anchore Enterprise Feeds
- Anchore Enterprise Feeds in API-Only Mode
- Docker Image Registry (any registry that is compatible with the Docker Registry v2 API)
Assumptions
- The docker images to be analyzed are available within the Private Network.
- Anchore Enterprise will be accessed from within the private network by the components in the infrastructure that need to query for analysis results.
- There exists a way to move a data file from the Public Network to the Private Network.
Installation
- Refer to the feed data migration content for configuring an API-Only Feeds in Private Network.
- Install Anchore Enterprise in Private Network.
- Configure the Anchore Enterprise to use the API-Only Feeds installation, see configuration.
- Start Anchore Enterprise.
Periodically Updating Feed Data
To ensure that the Anchore Enterprise installation has up-to-date vulnerability data from the vulnerability sources, you need to update the API-Only Feed Service with data from the feed service running on the public network. This is essentially the same process that was used at installation to initialize the Read-Only Feed Service. It should be done on a regular schedule, or when the Public Network Feed Service task execution indicates new data was detected.