# Deploy Sensor into Azure IaaS

## Azure Base Setup for Sensor

- The shell script ``base.sh`` creates resources in Azure using native ``az cli`` commands. It creates the following resources:
  - Resource Group
  - VNet
  - Management, Tap, and User Subnets
  - Network Security Group (hard coded to main-nsg)
  - SSH Key
  - A ``params.json`` file used by the Sensor
- Modify the variables of the ``base.sh`` script in the ``base directory`` and then run the script. Your assigned values are on the linked spreadsheet.
  - For the Brain IP, use the **INTERNAL IP** address of the Brain, NOT the external one
  - The "base_name" is the "Sensor base_name" in the spreadsheet
- Sample script below

```bash
#!/bin/bash

# Azure variables
rg="student50"
location="westus2"
vnet_name="student50-vnet"
address_prefix="10.50.0.0/16"
mgmt_subnet_name="mgmt-subnet"
mgmt_subnet_prefix="10.50.1.0/24"
tap_subnet_name="tap-subnet"
tap_subnet_prefix="10.50.2.0/24"

# Vectra variables
base_name="EXAMPLE"
brain_ip="10.0.0.4"
reg_token="nlnwlnvzsvngzdmynbcczgdpvmnfxkxg"
sensor_size="Standard_DS3_v2"

# User VM subnets to generate traffic
UVMsubnetA="10.50.3.0/24"
UVMsubnetB="10.50.4.0/24"

# Create a resource group.
az group create \
  --name "$rg" \
  --location "$location"

# Create a virtual network with a mgmt subnet.
az network vnet create \
  --name "$vnet_name" \
  --resource-group "$rg" \
  --location "$location" \
  --address-prefix "$address_prefix" \
  --subnet-name "$mgmt_subnet_name" \
  --subnet-prefix "$mgmt_subnet_prefix"

# Create a vtap subnet.
az network vnet subnet create \
  --address-prefix "$tap_subnet_prefix" \
  --name "$tap_subnet_name" \
  --resource-group "$rg" \
  --vnet-name "$vnet_name"

# Create SubnetA.
az network vnet subnet create \
  --address-prefix "$UVMsubnetA" \
  --name SubnetA \
  --resource-group "$rg" \
  --vnet-name "$vnet_name"

# Create SubnetB.
az network vnet subnet create \
  --address-prefix "$UVMsubnetB" \
  --name SubnetB \
  --resource-group "$rg" \
  --vnet-name "$vnet_name"

# Create a network security group.
az network nsg create \
  --resource-group "$rg" \
  --name main-nsg \
  --location "$location"

# Associate the main-nsg to the tap-subnet.
az network vnet subnet update \
  --vnet-name "$vnet_name" \
  --name "$tap_subnet_name" \
  --resource-group "$rg" \
  --network-security-group main-nsg

# Associate the main-nsg to SubnetA.
az network vnet subnet update \
  --vnet-name "$vnet_name" \
  --name SubnetA \
  --resource-group "$rg" \
  --network-security-group main-nsg

# Associate the main-nsg to SubnetB.
az network vnet subnet update \
  --vnet-name "$vnet_name" \
  --name SubnetB \
  --resource-group "$rg" \
  --network-security-group main-nsg

# Create SSH key
ssh-keygen \
  -m PEM \
  -t rsa \
  -b 4096 \
  -C "vectra" \
  -q \
  -N "" \
  -f ../keys/vectra

ssh_key=$(cat ../keys/vectra.pub)

# Modify params.json for Sensor
tmpfile=$(mktemp)
jq --arg sshKey "$ssh_key" \
   --arg baseName "$base_name" \
   --arg brainIP "$brain_ip" \
   --arg registrationToken "$reg_token" \
   --arg resourceGroup "$rg" \
   --arg loc "$location" \
   --arg vnet "$vnet_name" \
   --arg traffic "$tap_subnet_name" \
   --arg mgt "$mgmt_subnet_name" \
   --arg instanceSize "$sensor_size" \
   '(.parameters.instanceSize.value) = $instanceSize |
    (.parameters.location.value) = $loc |
    (.parameters.virtualNetwork.value.resourceGroup) = $resourceGroup |
    (.parameters.registrationToken.value) = $registrationToken |
    (.parameters.brainIP.value) = $brainIP |
    (.parameters.baseName.value) = $baseName |
    (.parameters.sshKey.value) = $sshKey |
    (.parameters.virtualNetwork.value.name) = $vnet |
    (.parameters.virtualNetwork.value.subnets.traffic.name) = $traffic |
    (.parameters.virtualNetwork.value.subnets.mgt.name) = $mgt' \
   ../shared/params.json > "$tmpfile"
mv -- "$tmpfile" ../shared/params.json
```

- Since we will pair the Sensor with a Brain in a different vNet, we need to peer the two vNets together. Peering allows communication between different vNets. Peering requirements will vary based on deployment.
Modify the variables in ``peer.sh`` in the ``peering directory`` to match your Brain and then run the script to create your peers.
- Sample script below

```bash
#!/bin/bash

# Variables (set the Brain values to match your Brain)
brain_rg=""
brain_vnet=""
sensor_rg=$(jq -r '.parameters.virtualNetwork.value.resourceGroup' ../shared/params.json)
sensor_vnet=$(jq -r '.parameters.virtualNetwork.value.name' ../shared/params.json)

# Get the id for Brain.
vNet1Id=$(az network vnet show \
  --resource-group "$brain_rg" \
  --name "$brain_vnet" \
  --query id --out tsv)

# Get the id for Sensor.
vNet2Id=$(az network vnet show \
  --resource-group "$sensor_rg" \
  --name "$sensor_vnet" \
  --query id \
  --out tsv)

# Peer the Brain vNet to the Sensor vNet.
az network vnet peering create \
  --name brain-to-sensor \
  --resource-group "$brain_rg" \
  --vnet-name "$brain_vnet" \
  --remote-vnet "$vNet2Id" \
  --allow-vnet-access

# Peer the Sensor vNet to the Brain vNet.
az network vnet peering create \
  --name sensor-to-brain \
  --resource-group "$sensor_rg" \
  --vnet-name "$sensor_vnet" \
  --remote-vnet "$vNet1Id" \
  --allow-vnet-access
```

You can verify your peers in the Azure Portal by typing ``Virtual Networks`` in the search bar, selecting your vNet, and clicking ``Peerings``.

![Peer](./images/vnetpeer.png)

## Sensor Deployment

A Vectra Sensor consists of a Load Balancer and a VM Scale Set. You can deploy the Sensor from the Marketplace or from a template in Azure CLI. For this lab we will use Azure CLI with a template (``mainTemplate.json`` and ``params.json``) provided by Vectra.

The ``params.json`` file was automatically updated by ``base.sh``. Please review the contents of ``./shared/params.json``. It should look similar to the below but updated with your values.
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "baseName": {
      "value": "aspen"
    },
    "brainIP": {
      "value": "10.0.0.4"
    },
    "registrationToken": {
      "value": "nlnwlnvzsvngzdmynbcczgdpvmnfxkxg"
    },
    "sshKey": {
      "value": "ssh-rsa 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 vectra"
    },
    "location": {
      "value": "westus2"
    },
    "virtualNetwork": {
      "value": {
        "newOrExisting": "existing",
        "name": "student20-vnet",
        "resourceGroup": "student20",
        "subnets": {
          "traffic": {
            "name": "tap-subnet"
          },
          "mgt": {
            "name": "mgmt-subnet"
          }
        }
      }
    },
    "instanceSize": {
      "value": "Standard_DS3_v2"
    },
    "sshKeyUser": {
      "value": "vectra"
    }
  }
}
```

- The shell script ``sensor.sh`` in the ``sensor directory`` creates Vectra resources in Azure using the ``Azure Deployment Manager`` with an ``ARM Template`` (``mainTemplate.json`` and ``params.json``). The shell script also writes the IP address of the Load Balancer to a file which will be used by cPacket. The script does NOT need to be modified for the Vectra lab. If you use it at a customer site, you need to set ``subid`` to the customer's Subscription ID.

```bash
#!/bin/bash

# Add Azure Subscription ID
subid="48c78df7-2340-465e-819f-70f07d4da296"

# Do not modify
rg=$(jq -r '.parameters.virtualNetwork.value.resourceGroup' ../shared/params.json)

# Sensor image version pinned in the template vs. the version published by Vectra
vmain=$(jq -r '.resources[2].properties.virtualMachineProfile.storageProfile.imageReference.version' ../sensor/mainTemplate.json)
vmp=$(az vm image list --all --publisher vectraaiinc --query '[0].version' -o tsv)

if [ "$vmain" = "$vmp" ]; then
  echo "Template validation successful"
  echo "Deploying Vectra Sensor in $rg Resource Group"
  az deployment group create \
    --subscription "$subid" \
    --resource-group "$rg" \
    --template-file ../sensor/mainTemplate.json \
    --parameters ../shared/params.json
else
  echo "Template validation not successful. Please contact your Vectra account team for latest Sensor deployment."
  # Nothing was deployed, so there is no Load Balancer to query below.
  exit 1
fi

# Get lb ip for cpacket remote tool input
lbname="$(jq -r '.parameters.baseName.value' ../shared/params.json)-lb"
lb_private_ip_address=$(az network lb frontend-ip list \
  --resource-group "$rg" \
  --lb-name "$lbname" \
  --query '[0].privateIpAddress' -o tsv)
echo "LB private IP address: $lb_private_ip_address"

# Store ip in file
jq -n --arg ip "$lb_private_ip_address" '{"value":"\($ip)"}' > ../shared/lbip.json
```

- Once the Sensor setup is complete, log on to the Brain and verify that it has connected and is forwarding.
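
The address values entered in ``base.sh`` and used for peering can be checked before any resources are created: the Brain IP must be an internal address, and peered vNets in Azure cannot have overlapping address spaces. The following is an added example, not part of the lab's scripts; the function names are illustrative and the Brain vNet prefix ``10.0.0.0/16`` is a constructed sample value.

```bash
#!/bin/bash
# Added example; function names are illustrative, not part of base.sh or peer.sh.
# Dotted-quad IPv4 -> 32-bit integer; rejects malformed or zero-padded octets.
ip_to_int() {
  local IFS=. o
  case $1 in ""|*[!0-9.]*) return 1;; esac
  set -- $1; [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ""|0?*|????*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
  echo "$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))"
}

# CIDR block such as 10.50.0.0/16 -> "first last" as integers.
cidr_range() {
  local base len mask
  case $1 in */*) len=${1#*/};; *) return 1;; esac
  case $len in ""|*[!0-9]*|0?*|???*) return 1;; esac
  [ "$len" -le 32 ] || return 1
  base=$(ip_to_int "${1%/*}") || return 1
  mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  echo "$(( base & mask )) $(( base | (~mask & 0xFFFFFFFF) ))"
}

# True if two CIDR blocks share any address; peered vNets must not.
cidrs_overlap() {
  local a b
  a=$(cidr_range "$1") && b=$(cidr_range "$2") || return 2
  [ "${a% *}" -le "${b#* }" ] && [ "${b% *}" -le "${a#* }" ]
}

# True if a single address lies inside a CIDR block.
ip_in_cidr() { cidrs_overlap "$1/32" "$2"; }
# True for RFC 1918 space, i.e. an internal rather than external Brain IP.
is_private_ip() {
  ip_in_cidr "$1" 10.0.0.0/8 || ip_in_cidr "$1" 172.16.0.0/12 || ip_in_cidr "$1" 192.168.0.0/16
}

# preflight BRAIN_IP BRAIN_PREFIX SENSOR_PREFIX; returns the number of findings.
preflight() {
  local n=0
  is_private_ip "$1" || { echo "brain_ip $1 is not an internal address"; n=$((n + 1)); }
  ip_in_cidr "$1" "$2" || { echo "brain_ip $1 is outside Brain vNet $2"; n=$((n + 1)); }
  cidrs_overlap "$2" "$3" && { echo "vNets $2 and $3 overlap"; n=$((n + 1)); }
  return "$n"
}

preflight 10.0.0.4 10.0.0.0/16 10.50.0.0/16 && echo "pre-flight OK"  # constructed sample values
```

Call ``preflight`` with your own ``brain_ip``, the Brain vNet prefix, and ``address_prefix`` before running ``base.sh``; a non-zero return value is the number of problems found.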