Deploy a Network Security instance in Microsoft Azure

Network Security for Azure allows you to monitor and protect your network traffic by placing Network Security virtual appliances inline in your Azure virtual environment.

Depending on the deployment option you choose, high availability is provided by an Azure Function that monitors and reroutes network traffic, by manually rerouting traffic rules, or by load balancers. Manage your virtual appliances through the Network Security management interface. Use the Azure Monitor Log Analytics function and the command line interface to monitor the health of your web applications.

This user guide describes how to deploy and manage a Network Security instance in a compatible environment.

Virtual appliance size recommendations

The appliance sizes listed below are available options for each deployment. You will select an appliance size during the Deploy the Network Security virtual appliance procedure.

  • Standard_F8s_v2
  • Standard_F16s_v2
  • Standard_F8s
  • Standard_F16s

Permissions for Azure deployments

To deploy Network Security in Azure, you must first manually configure the appropriate permissions and roles.

Azure uses role-based access control / identity and access management (RBAC/IAM) to authorize the users and groups that access Azure services and resources. The RBAC/IAM configuration required for all Azure deployments includes two sets of permissions: one set for deployment and one set for operations.

Learn more about RBAC and Azure roles.


Note

High availability deployments require additional permission configuration. Learn more.


Each role you assign to an Azure service or resource consists of three elements:

  • security principal – the user, group, service principal, or managed identity requesting access to Azure resources
  • role or role definition – indicates which operations, such as read and write, the security principal can perform. Use a Contributor role for any role that does not require permission configuration.
  • scope – the set of resources to which access is granted. The levels of scope are management group, subscription, resource group, and resource. You assign roles at whichever scope levels you use.


Permissions for deployment

Ensure that any user performing the deployment is granted a Contributor role within the Resource Group of the Network Security virtual appliance.


Permissions for operations

You must configure the proper user-defined routes (UDRs) to enable your Network Security virtual appliance to inspect traffic. Follow the instructions below to create a custom role and assign it the permissions needed to manipulate the UDRs.

  1. Navigate to your resource group in your Azure portal.
  2. Select Access control (IAM) from the menu on the left.
  3. Click Add → Add custom role.
  4. Grant users the following permissions:
    • Microsoft.Network/virtualNetworks/subnets/read
    • Microsoft.Network/virtualNetworks/subnets/write
    • Microsoft.Network/routeTables/read
    • Microsoft.Network/routeTables/write
    • Microsoft.Network/routeTables/routes/write
    • Microsoft.Network/routeTables/join/action
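As an added example (not Trend Micro or Microsoft code), the following Python builds that custom role definition with exactly the six actions above, assignable only within the appliance's resource group, and checks any role definition for missing grants or wildcard grants wider than these six. The subscription and resource group identifiers are constructed placeholders, and Azure's wildcard matching is approximated with fnmatch.

```python
# Added example (not Trend Micro or Microsoft code): build the custom role
# for UDR manipulation and least-privilege-check any role definition against it.
import fnmatch

# The six operations the page lists for manipulating user-defined routes.
REQUIRED_ACTIONS = [
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/write",
    "Microsoft.Network/routeTables/read",
    "Microsoft.Network/routeTables/write",
    "Microsoft.Network/routeTables/routes/write",
    "Microsoft.Network/routeTables/join/action",
]


def build_udr_role(subscription_id, resource_group):
    """Role definition in the JSON shape 'az role definition create' accepts,
    assignable only within the appliance's resource group (constructed ids)."""
    scope = f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
    return {
        "Name": "Network Security UDR Operator",
        "IsCustom": True,
        "Description": "Manipulate UDRs for the Network Security virtual appliance",
        "Actions": list(REQUIRED_ACTIONS),
        "NotActions": [],
        "AssignableScopes": [scope],
    }


def _allowed(action, role):
    """Azure RBAC semantics: granted if an Actions pattern matches and no
    NotActions pattern matches; patterns may contain '*' and are case-insensitive."""
    a = action.lower()
    hit = lambda pats: any(fnmatch.fnmatchcase(a, p.lower()) for p in pats)
    return hit(role.get("Actions", [])) and not hit(role.get("NotActions", []))


def missing_actions(role, required=REQUIRED_ACTIONS):
    """Required UDR operations the role does not grant."""
    return [a for a in required if not _allowed(a, role)]


def overbroad_patterns(role):
    """Wildcard grants wider than the six UDR operations, e.g. '*' or 'Microsoft.Network/*'."""
    return [p for p in role.get("Actions", []) if "*" in p]
```

Write the dictionary returned by build_udr_role to a file and pass it to az role definition create --role-definition @file.json; run missing_actions and overbroad_patterns over existing custom roles to confirm they grant no more and no less than the UDR operations.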

Update Network Security certificate

Certificates for Network Security virtual appliances expire after two years. This might lead to your instance showing as "Not communicating" in the Network Security management interface, even though the instance still appears to be healthy in Azure and is still passing traffic without network disruption.

To check whether your instance certificate has expired, use the Network Security CLI to search the system log for the certificate error: show log-file system search sslv3 alert certificate

If your Network Security virtual appliance certificate has expired, follow these steps to update your certificate:

  1. Open your Azure Console.

  2. From the console, select your Network Security virtual appliance instance under Settings, and then click Serial console. Learn more about using the Azure Serial Console.

  3. Generate a Network Security appliance deployment token. Learn more about creating appliance deployment tokens.

Some instances that are older than two years might not support appliance deployment tokens. If this is the case, use an API key instead of an appliance deployment token. Learn more about creating a Trend Cloud One API key.

  4. Enter the following commands in the Serial Console:
    • cloudone unregister
    • cloudone register <appliance deployment token>

  5. Confirm that your instance was updated by checking the Network → Appliances page in the Network Security management interface.

After confirming that the instance was updated, redistribute your policies.

Azure resources

Before deploying Network Security in your Azure environment, be sure you are familiar with these basic Azure concepts:

Always refer to Microsoft's Azure documentation to better understand your platform's capabilities.

Additional recommendations