Deploy Brain into Azure IaaS

Adding cPacket images to account (Already Done)

The cPacket images have ALREADY been staged to the Azure vectra-demolab subscription. To do this cPacket generates a temporary URL and then the create-images.sh script is run. This script is provided by cPacket as part of ccloud but is modified for customer environments. An example of the script is below:

#!/usr/bin/env bash
# This script expects 'ccloud' to be in the current directory when it runs.
# If 'ccloud' is in your PATH, remove the ./ in the calls below.

subscription_id="48c78df7-2340-465e-819f-70f07d4da296"
resource_group="core-infra"

# Note: a storage account will be created if it doesn't exist.
storage_account="ccloudimages"

# Substitute the URLs with SASes that cPacket has provided you.
cclearv_sas_url="https://ccloudvhds.blob.core.windows.net/vhds/cclearv-21.1.1.vhd?se=2021-12-27T10%3A15%3A06Z&sp=r&sv=2018-11-09&sr=b&sig=m9ivj4rcjXCxM7f64hhKxl3%2FM3Iby%2FDH4FYRK05KCVM%3D"
cstorv_sas_url="https://ccloudvhds.blob.core.windows.net/vhds/cstorv-21.1.1.vhd?se=2021-12-27T10%3A15%3A13Z&sp=r&sv=2018-11-09&sr=b&sig=ANdzZa6jLzVkY8JJZgUucOxQWtkXXNOJiAcSIfynwSU%3D"
cvuv_sas_url="https://ccloudvhds.blob.core.windows.net/vhds/cvuv-21.1.1.vhd?se=2021-12-27T10%3A15%3A15Z&sp=r&sv=2018-11-09&sr=b&sig=5I7n8ZyxqhOaJgyjfvNCdO5VDV0aG4yJKByhVDdC1Ug%3D"

./ccloud az image create -g "$resource_group" -a "$storage_account" --subscription "$subscription_id" "$cclearv_sas_url"
./ccloud az image create -g "$resource_group" -a "$storage_account" --subscription "$subscription_id" "$cstorv_sas_url"
./ccloud az image create -g "$resource_group" -a "$storage_account" --subscription "$subscription_id" "$cvuv_sas_url"
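A pre-flight check for the SAS URLs before they are pasted into create-images.sh, as an added example (not part of cPacket's script or of ccloud). It assumes the `se`, `sp` and `sr` parameter forms seen in the URLs above; the account name and signature in the samples are constructed.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

def inspect_sas(url, now=None):
    """Return (url_with_sig_redacted, problems) for a blob SAS URL."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if any(ch.isspace() for ch in url):
        problems.append("whitespace or line break inside the URL")
        url = "".join(url.split())
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if parts.scheme != "https":
        problems.append("scheme is not https")
    try:  # assumes the se=YYYY-MM-DDTHH:MM:SSZ form used in the script above
        expiry = datetime.strptime(q.get("se", ""), "%Y-%m-%dT%H:%M:%SZ")
        if expiry.replace(tzinfo=timezone.utc) <= now:
            problems.append("expired at " + q["se"])
    except ValueError:
        problems.append("se (expiry) missing or not in the expected form")
    if q.get("sp") != "r":
        problems.append("sp=%s is not read-only" % q.get("sp"))
    if q.get("sr") != "b":
        problems.append("sr=%s is not scoped to a single blob" % q.get("sr"))
    if not q.get("sig"):
        problems.append("no sig parameter")
    if "sig" in q:
        q["sig"] = "REDACTED"  # the signature is a bearer secret: keep it out of logs
    return urlunsplit(parts._replace(query=urlencode(q))), problems

# Constructed sample values (hypothetical account and signature, not from the page).
BASE = "https://exampleacct.blob.core.windows.net/vhds/image.vhd?sv=2018-11-09&sr=b"
GOOD = BASE + "&sp=r&se=2030-01-01T00%3A00%3A00Z&sig=Q09OU1RSVUNURUQ%3D"
STALE = BASE + "&sp=rw&se=2021-12-27T10%3A15%3A06Z&sig=Q09OU1RS\nVUNURUQ%3D"
DEMO_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for sample in (GOOD, STALE):
        redacted, problems = inspect_sas(sample, DEMO_NOW)
        print(redacted, problems or "ok")
```
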

Order of deployment

  • Azure Setup for Brain must be done first.

  • Brain: a provisioning token and IP address are required to provision the Sensor.

  • Azure Base Setup for Sensor must exist in order to deploy VMs. The minimum is a Resource Group, VNet, and Subnet.

  • Sensor should be deployed second. You will use the IP address of the Sensor Load Balancer when you provision cPacket. (If sensor is already deployed there is a workaround using API calls to cPacket.)

  • cPacket cVu virtual TAP is where the UDR will send UVM traffic and is the last appliance required for Vectra.

  • User VMs in each subnet to generate traffic.

  • UDRs are required to forward traffic from your UVM subnet to the cPacket cVu subnet. This is a “bump in the wire” solution.

Azure Setup for Brain

  • SEs have been granted access to the Brain image. You must run az login once Cloud Shell has been launched. This will give your Cloud Shell access to the Vectra account where the image is stored. Run az account list and verify you see the VectraDev account:

  {
    "cloudName": "AzureCloud",
    "homeTenantId": "a6cc66bc-f419-45c2-a9c2-8ff4ab685f2d",
    "id": "ac63f844-2350-4db1-9655-35817d1347a8",
    "isDefault": false,
    "managedByTenants": [],
    "name": "VectraDev",
    "state": "Enabled",
    "tenantId": "a6cc66bc-f419-45c2-a9c2-8ff4ab685f2d",
    "user": {
      "name": "email",
      "type": "user"
    }
  }

  • Once you have verified access to the image you can start creating resources.

  • Create a resource group from Cloud Shell

az group create --name <Brain Resource Group> --location westus2

  • Create a VNet and Subnet

az network vnet create --name <Brain Vnet Name> --resource-group <Brain Resource Group> --subnet-name <Brain Subnet Name>

  • Create SSH key for Brain

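# Writes the private key to ./brainkey (no passphrase, because of -N "") and the public key to ./brainkey.pub.
ssh-keygen \
    -m PEM \
    -t rsa \
    -b 4096 \
    -C "vectra" \
    -q \
    -N "" \
    -f ./brainkey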

You can verify that your Resource Group was created in the Azure Portal by typing Resource Groups in the search bar and then selecting your newly created Resource Group. Inside the Resource Group you should be able to see your VNet.

Brain Deployment

The Brain is deployed using the Azure CLI with an ARM template (mainTemplate.json and params.json) provided by Vectra. The template references a Brain image that is made available to individual Azure logins via a shared image gallery. For customers, this must be done prior to the install by creating an Ultimate Case in SFDC. The user should receive an email to their Azure login to accept the share with a Brain token. If the customer does not receive the email to their Azure login, the share will be visible, but the token will need to be shared manually.

The following information is a prerequisite for the ARM template:

  • Resource group - The name of the resource group where the Brain will be deployed

  • Base Name (baseName) – Base name for all the resources that will be created as part of this deployment

  • Template URI - Vectra provided URI to download the template files

  • Brain Image (brainImage) - Vectra provided resource ID of the Brain Image

  • Provisioning Token (provisionToken) – Vectra provided token that will allow the Brain to register with Vectra

  • Public SSH Key (sshKey) - This key was created in the Azure Setup for Brain section and is called brain.pub

  • Subnet ID (subnet) - Azure subnet ID the Brain will be connected to. You can get the subnet value by running the command below:

az network vnet list --resource-group <Brain Resource Group> | jq -r '.[].subnets[].id'

Once all the prerequisite information is gathered you can configure the Brain JSON template. The template consists of two files, mainTemplate.json and params.json. Do not modify mainTemplate.json; all the variables are stored in params.json.

  • Modify the values of params.json in the brain directory with the appropriate values collected in the prerequisite section.

  • Sample JSON below

{
  "baseName": {
    "value": "EXAMPLE"
  },
  "brainImage": {
    "value": "/subscriptions/ac63f844-2350-4db1-9655-35817d1347a8/resourceGroups/vectra-dev-WestUS2/providers/Microsoft.Compute/galleries/Production/images/Cognito-6.16/versions/6.16.0"
  },
  "createPublicAddress": {
    "value": "true"
  },
  "instanceSize": {
    "value": "Standard_E16s_v3"
  },
  "location": {
    "value": "westus2"
  },
  "provisionToken": {
    "value": "c31515f9-1dff-4d99-9a2a-83a6f97a05da"
  },
  "sshKey": {
    "value": "ssh-rsa <public-key-data> vectra"
  },
  "sshKeyUser": {
    "value": "vectra"
  },
  "subnetwork": {
    "value": "/subscriptions/48c78df7-2340-465e-819f-70f07d4da296/resourceGroups/EXAMPLE/providers/Microsoft.Network/virtualNetworks/EXAMPLE/subnets/EXAMPLE"
  }
}

  • Use Azure Deployment Manager to deploy the template:

    • --subscription specifies the subscription to run against. This isn’t always required, as there may be only one subscription or it may be set as the default. The value will change based on the customer.

    • --resource-group where to deploy the template

    • --template-file the template file used by deployment manager

    • --aux-tenants option specifies the Vectra tenant ID for access to the Brain image. This will be the same for all customers

    • --parameters the parameters file that will be used with the template file

az deployment group create  --resource-group <Brain Resource Group> --template-file mainTemplate.json --aux-tenants a6cc66bc-f419-45c2-a9c2-8ff4ab685f2d --parameters params.json
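A check to run on params.json before the az deployment group create command above, as an added example (not part of Vectra's template or tooling). The parameter names and resource ID shapes are taken from the sample JSON on this page; the function names and sample values are constructed.

```python
import base64, binascii, json, re
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
HEAD = rf"^/subscriptions/{GUID}/resourceGroups/[^/]+/providers/"
ID_SHAPES = {  # resource ID shapes, taken from the sample params.json above
    "brainImage": re.compile(HEAD + r"Microsoft\.Compute/galleries/[^/]+/images/[^/]+/versions/[^/]+$"),
    "subnetwork": re.compile(HEAD + r"Microsoft\.Network/virtualNetworks/[^/]+/subnets/[^/]+$"),
}
REQUIRED = ("baseName", "brainImage", "createPublicAddress", "instanceSize", "location",
            "provisionToken", "sshKey", "sshKeyUser", "subnetwork")

def check_params(text):
    """Return (errors, warnings) for the text of a params.json file."""
    doc = json.loads(text)
    params = doc.get("parameters", doc)  # also accept the wrapped ARM parameter-file form
    vals = {k: str(v.get("value", "")).strip() for k, v in params.items() if isinstance(v, dict)}
    errors, warnings = [], []
    for name in REQUIRED:
        val = vals.get(name, "")
        if not val:
            errors.append(name + ": missing or empty")
        elif "<" in val or "EXAMPLE" in val:  # placeholders as written on the page
            errors.append(name + ": placeholder not replaced")
        elif name in ID_SHAPES and not ID_SHAPES[name].match(val):
            errors.append(name + ": not a full Azure resource ID")
    key = vals.get("sshKey", "")
    if "PRIVATE KEY" in key:
        errors.append("sshKey: private key pasted; use the .pub file")
    elif key and "<" not in key:
        fields = key.split()
        try:
            blob = base64.b64decode(fields[1], validate=True) if len(fields) > 1 else b""
        except binascii.Error:
            blob = b""
        if fields[0] != "ssh-rsa" or not blob.startswith(b"\x00\x00\x00\x07ssh-rsa"):
            errors.append("sshKey: not a well-formed ssh-rsa public key")
    if vals.get("createPublicAddress", "").lower() == "true":
        warnings.append("createPublicAddress=true: Brain gets a public IP, check the NSG source prefix")
    return errors, warnings

def as_params(values):
    return json.dumps({k: {"value": v} for k, v in values.items()})
# Constructed sample values, not from a real deployment.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/"
SAMPLE = dict.fromkeys(REQUIRED, "constructed")
SAMPLE.update(createPublicAddress="true", brainImage=SUB + "Microsoft.Compute/galleries/g/images/i/versions/1.0.0",
    subnetwork=SUB + "Microsoft.Network/virtualNetworks/v/subnets/s",
    sshKey="ssh-rsa " + base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + bytes(8)).decode() + " vectra")

if __name__ == "__main__":
    print(check_params(as_params(SAMPLE)))
```
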

Once the deployment has finished, log on to the Brain and generate a Sensor token.

  • Before logging into the Brain you need to configure the NSG to allow access to the public IP address.

  • We have intentionally omitted the step on how to find the public IP address of the Brain to expose navigating in the Azure Portal.

  • Modify and run the following brain-nsg.sh script in the brain directory from Cloud Shell. Replace <external-ip> with your public home IP address. You can get your public IP from a service like https://ifconfig.co/

#!/bin/bash
# Allow SSH (22) and HTTPS (443) to the Brain from a single external address.

rg="<Brain Resource Group>"
ip="<external-ip>"
nsg="<baseName-sg>"
#ip=$(curl ifconfig.co)

# Variables are quoted so that values containing spaces are passed as one argument.
az network nsg rule create \
  --resource-group "$rg" \
  --source-address-prefixes "$ip" \
  --nsg-name "$nsg" \
  --protocol tcp \
  --name Alllow22-443 \
  --priority 1000 \
  --destination-address-prefixes VirtualNetwork \
  --destination-port-range 22 443
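A follow-up audit of the Brain NSG after brain-nsg.sh has run, as an added example (not part of the Vectra scripts). It reads rules in the JSON shape returned by `az network nsg rule list -o json` and flags inbound allow rules that open 22 or 443 to more than one address; treating any range wider than a single host as a finding is an assumption of this example, and the sample rules are constructed.

```python
import ipaddress, json

MGMT_PORTS = (22, 443)  # the ports opened by brain-nsg.sh
ANY_SOURCE = {"*", "any", "internet", "0.0.0.0/0", "::/0"}

def covers(spec, port):
    """True if an NSG port spec ('22', '22-443' or '*') includes port."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def source_issue(prefix):
    if prefix.lower() in ANY_SOURCE:
        return "open to any source"
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return None  # other service tags (e.g. VirtualNetwork) are not judged here
    return None if net.num_addresses == 1 else "source is a /%d range" % net.prefixlen

def audit(rules_json):
    """Return (rule name, exposed ports, source, reason) for risky inbound allows."""
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("access") != "Allow" or rule.get("direction") != "Inbound":
            continue
        specs = (rule.get("destinationPortRanges") or []) + [rule.get("destinationPortRange")]
        sources = (rule.get("sourceAddressPrefixes") or []) + [rule.get("sourceAddressPrefix")]
        ports = sorted({p for s in specs if s for p in MGMT_PORTS if covers(s, p)})
        for src in filter(None, sources):
            reason = source_issue(src)
            if ports and reason:
                findings.append((rule["name"], ports, src, reason))
    return findings

# Constructed sample rules (documentation address ranges, hypothetical rule names).
SAMPLE = json.dumps([
    {"name": "home-only", "access": "Allow", "direction": "Inbound", "sourceAddressPrefix": "203.0.113.10",
     "sourceAddressPrefixes": [], "destinationPortRange": None, "destinationPortRanges": ["22", "443"]},
    {"name": "wide-open", "access": "Allow", "direction": "Inbound", "sourceAddressPrefix": "*",
     "sourceAddressPrefixes": [], "destinationPortRange": "0-1024", "destinationPortRanges": []},
    {"name": "office-net", "access": "Allow", "direction": "Inbound", "sourceAddressPrefix": "198.51.100.0/24",
     "sourceAddressPrefixes": [], "destinationPortRange": "443", "destinationPortRanges": []},
])

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
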

Log in to the WebUI of the Brain

  • Username: “admin”

  • Password: Virtual Machine Name

  • Accept the EULA

  • Setting >> Edit Sensor >> Generate token and enable “Automatic Pairing”