Deploy cPacket into Azure IaaS
cPacket Deployment
Each group member will deploy their own cPacket cVu appliances. In this lab we will place the cVu appliance in the same Resource Group as the Vectra Sensor, but this can vary based on customer requirements. cPacket will be deployed in the studentX resource group.
The shell script vectrapacket.sh in the cpacket directory will create cPacket resources in Azure using the ccloud utility from cPacket. Currently we are using a modified version of ccloud.
IMPORTANT: Uncomment the cvu image path that matches your Azure Region.
#!/bin/bash
# Location
#For West US 2 uncomment below
#cvu="/subscriptions/48c78df7-2340-465e-819f-70f07d4da296/resourceGroups/core-infra/providers/Microsoft.Compute/images/cvuv-21.1.1.vhd"
#For France Central uncomment below
#cvu="/subscriptions/48c78df7-2340-465e-819f-70f07d4da296/resourceGroups/core-infra-fr/providers/Microsoft.Compute/images/cvuv-21.1.1.vhd"
# Variables
ssh_public_key=../keys/vectra.pub
sa="1sa"
# Do not edit: these values are read from the shared parameter files
name=$(jq -r '.parameters.baseName.value' ../shared/params.json)
rg=$(jq -r '.parameters.virtualNetwork.value.resourceGroup' ../shared/params.json)
vnet=$(jq -r '.parameters.virtualNetwork.value.name' ../shared/params.json)
subnet=$(jq -r '.parameters.virtualNetwork.value.subnets.traffic.name' ../shared/params.json)
sensor_ip=$(jq -r '.value' ../shared/lbip.json)
# Output
echo "Deploying cPacket in $rg Resource Group"
../cpacket/ccloud.sh az monitoring-subnet \
-g "$rg" \
--cvuv-image "$cvu" \
--prefix-resources \
--created-by "$name"cpacket \
--cvuv-count 2 \
--vnet "$vnet" \
--subnet "$subnet" \
--additional-tools "$sensor_ip" \
--ssh-public-key "$ssh_public_key" \
--storage-account "$sa"
# Output
echo "cPacket Deployment complete"
# Look up the private frontend IP of the cPacket load balancer
lbname="$(jq -r '.parameters.baseName.value' ../shared/params.json)cpacket-lb"
lb_private_ip_address=$(az network lb frontend-ip list --resource-group "$rg" --lb-name "$lbname" --query '[0].privateIpAddress' -o tsv)
echo "cPacket LB IP address: $lb_private_ip_address"
Capture the IP address of the cPacket LB. This will be used for the UDRs when running cpacket-redirect.sh below.
Once cPacket is deployed, log on to one of the cVu appliances to verify the vxlan is connected to the Vectra Sensor Load Balancer. To do this you will need to add a public IP address and a security rule to the NSG. In a customer environment they would likely have an ExpressRoute or VPN allowing direct connections to the internal IPs, and these steps wouldn't be required.
You will only add a public IP address to 1 appliance (2 were created).
The username/password for the cVu appliance is cpacket/cpacketpw.
Create and associate public IP address
Create a Public IP: Replace <rgname> with your resource group
az network public-ip create -g <rgname> --sku standard --zone 1 2 3 -n cvu-publicip1
List the NIC name: Replace <cpacket-appliance> with the name of your cPacket appliance and replace <rgname> with your resource group
az vm nic list --vm-name <cpacket-appliance> --resource-group <rgname>
List the IP Configuration Name: Replace <cpacket-appliance-nic> with the name of the NIC value returned and replace <rgname> with your resource group
az network nic ip-config list --nic-name <cpacket-appliance-nic> --resource-group <rgname> --out table
Update the NIC with the Public IP: Replace <ip-config-name> with the IP-config NAME value returned, replace <cpacket-appliance-nic> with the name of the NIC value returned, and replace <rgname> with your resource group
az network nic ip-config update --name <ip-config-name> --nic-name <cpacket-appliance-nic> --resource-group <rgname> --public-ip-address cvu-publicip1
View your new Public IP and copy to notepad: Replace <cpacket-appliance> with the name of your cPacket appliance and replace <rgname> with your resource group
az vm list-ip-addresses --name <cpacket-appliance> --resource-group <rgname> --out table
Modify the nsg.sh script in the ops directory. Replace <external-ip> with your public IP address. You can get your public IP from a service like https://ifconfig.co/
#!/bin/bash
ip="<external-ip>"
rg=$(jq -r '.parameters.virtualNetwork.value.resourceGroup' ../shared/params.json)
# Alternative: look up your public IP automatically instead of setting it above
#ip=$(curl ifconfig.co)
az network nsg rule create \
--resource-group "$rg" \
--source-address-prefixes "$ip" \
--nsg-name main-nsg \
--protocol tcp \
--name Alllow22-443 \
--priority 1000 \
--destination-address-prefixes VirtualNetwork \
--destination-port-range 22 443
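The nsg.sh script above passes whatever is in ip to --source-address-prefixes, so an unedited placeholder, an empty lookup result or a wide CIDR would reach the rule that opens ports 22 and 443. The following check is an added example, not part of the lab's scripts; the function names valid_source_ip and nsg_source_prefix are hypothetical and the sample addresses are constructed.

```bash
#!/bin/bash
# Added example, not part of the lab's nsg.sh. Sample addresses are constructed.

# Succeeds only for one public IPv4 address, optionally written with /32.
valid_source_ip() {
  _addr="${1%/32}"
  # Digits and dots only: rejects "", "*", "<external-ip>", wider CIDR
  # prefixes such as /0 or /24, and HTML returned by a lookup service.
  case "$_addr" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _old_ifs=$IFS; IFS=.
  set -- $_addr                      # split into octets: $1 $2 $3 $4
  IFS=$_old_ifs
  [ "$#" -eq 4 ] || return 1
  for _o in "$@"; do
    case "$_o" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
    [ "$_o" -le 255 ] || return 1
  done
  # Ranges that cannot be your internet-facing source address.
  if [ "$1" -eq 0 ] || [ "$1" -eq 10 ] || [ "$1" -eq 127 ] || [ "$1" -ge 224 ]; then return 1; fi
  if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 1; fi
  if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 1; fi
  if [ "$1" -eq 169 ] && [ "$2" -eq 254 ]; then return 1; fi
  if [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then return 1; fi
  return 0
}

# Print "a.b.c.d/32" for --source-address-prefixes, or fail closed.
nsg_source_prefix() {
  if valid_source_ip "$1"; then
    printf '%s/32\n' "${1%/32}"
  else
    echo "refusing NSG source prefix: '$1'" >&2
    return 1
  fi
}

# Constructed inputs: one acceptable value and typical mistakes.
for candidate in 203.0.113.7 '<external-ip>' '' '*' 0.0.0.0/0 10.1.2.3; do
  nsg_source_prefix "$candidate" || true
done
```

In nsg.sh the value could be gated with `ip=$(nsg_source_prefix "$ip") || exit 1` placed before the az call, so the rule is only created for a single host address.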
Log on to the cPacket UI at https://<cpacket-public-ip>, navigate to admin and then settings, and verify vxlan0 has the Remote IP of your Sensor.