Anchore Enterprise can run in an isolated environment with no outside internet connectivity. It does require a network connection to its own components and must be able to reach the Docker image registries (v2 API compatible) where the images to be analyzed are hosted.
Networks
- Private Network
- Public Network (internet is reachable)
Components
- Anchore Enterprise Feeds
- Anchore Enterprise Feeds in Read-Only Mode
- Anchore Engine
- Docker Image Registry (any registry that is compatible with the Docker Registry v2 API)
Assumptions
- The Docker images to be analyzed are available within the Private Network
- Anchore Engine will be accessed from within the Private Network by the components in the infrastructure that need to query for analysis results
- There exists a way to move a data file from the Public Network to the Private Network
Installation
- Refer to feed data migration to configure a Read-Only Feeds installation in the Private Network
- Install Anchore Engine in the Private Network
- Configure the Engine to use the Read-Only Feeds installation; see configuration
- Start Anchore Engine
Periodically Updating Feed Data
To ensure that the Anchore Engine installation has up-to-date vulnerability data from the vulnerability sources, you need to update the Read-Only Feed Service with data from the feed service running on the public network. This is essentially the same process that was used at installation to initialize the Read-Only Feed Service, and should be done on a regular schedule or when the Public Network Feed Service task execution indicates new data was detected.