Deploy cPacket into Azure IaaS

cPacket Deployment

Each group member will deploy their own cPacket cVu appliances. In this lab we will place the cVu appliance in the same Resource Group as the Vectra Sensor, but this can vary based on customer requirements. cPacket will be deployed in the studentX resource group.

  • The shell script vectrapacket.sh in the cpacket directory will create cPacket resources in Azure using the ccloud utility from cPacket. Currently we are using a modified version of ccloud.

  • IMPORTANT: Uncomment the cvu image path that matches your Azure region.

#!/bin/bash

# Location
#For West US 2 uncomment below
#cvu="/subscriptions/48c78df7-2340-465e-819f-70f07d4da296/resourceGroups/core-infra/providers/Microsoft.Compute/images/cvuv-21.1.1.vhd"

#For France Central uncomment below
#cvu="/subscriptions/48c78df7-2340-465e-819f-70f07d4da296/resourceGroups/core-infra-fr/providers/Microsoft.Compute/images/cvuv-21.1.1.vhd"

# Variables
ssh_public_key=../keys/vectra.pub
sa="1sa"


# Do not edit
name=$(jq -r '.parameters.baseName.value' ../shared/params.json)
rg=$(jq -r '.parameters.virtualNetwork.value.resourceGroup' ../shared/params.json)
vnet=$(jq -r '.parameters.virtualNetwork.value.name' ../shared/params.json)
subnet=$(jq -r '.parameters.virtualNetwork.value.subnets.traffic.name' ../shared/params.json)
sensor_ip=$(jq -r '.value' ../shared/lbip.json)

# Output
echo "Deploying cPacket in $rg Resource Group"

../cpacket/ccloud.sh az monitoring-subnet \
    -g "$rg" \
    --cvuv-image "$cvu" \
    --prefix-resources \
    --created-by "$name"cpacket \
    --cvuv-count 2 \
    --vnet "$vnet" \
    --subnet "$subnet" \
    --additional-tools "$sensor_ip" \
    --ssh-public-key "$ssh_public_key" \
    --storage-account "$sa" 

# Output
echo "cPacket Deployment complete"
lbname=$(jq -r '.parameters.baseName.value' ../shared/params.json)
lbname+="cpacket-lb"
lb_private_ip_address=$(az network lb frontend-ip list --resource-group "$rg" --lb-name "$lbname" --query '[0].privateIpAddress' -o tsv)
echo "cPacket LB IP address: $lb_private_ip_address"

  • Capture the IP address of the cPacket LB. This will be used for the UDRs when running cpacket-redirect.sh below.

  • Once cPacket is deployed, log on to one of the cVu appliances to verify that the VXLAN is connected to the Vectra Sensor Load Balancer. To do this you will need to add a public IP address and a security rule to the NSG. In a customer environment there would likely be an ExpressRoute or VPN allowing direct connections to the internal IPs, and these steps wouldn't be required.

  • You will only add a public IP address to 1 appliance (2 were created)

  • The username/password for the cVu appliance is cpacket/cpacketpw.

  • Create and associate public IP address

    • Create a Public IP: Replace <rgname> with your resource group

      az network public-ip create -g <rgname> --sku standard --zone 1 2 3 -n cvu-publicip1
      
    • List the NIC name: Replace <cpacket-appliance> with the name of your cPacket appliance and replace <rgname> with your resource group

      az vm nic list --vm-name <cpacket-appliance> --resource-group <rgname>
      
    • List the IP Configuration Name: Replace <cpacket-appliance-nic> with the name of the NIC value returned and replace <rgname> with your resource group

      az network nic ip-config list --nic-name <cpacket-appliance-nic> --resource-group <rgname> --out table
      
    • Update the NIC with the Public IP: Replace <ip-config-name> with the IP-config NAME value returned, replace <cpacket-appliance-nic> with the name of the NIC value returned, and replace <rgname> with your resource group

      az network nic ip-config update --name <ip-config-name> --nic-name <cpacket-appliance-nic> --resource-group <rgname> --public-ip-address cvu-publicip1
      
    • View your new Public IP and copy to notepad: Replace <cpacket-appliance> with the name of your cPacket appliance and replace <rgname> with your resource group

      az vm list-ip-addresses --name <cpacket-appliance> --resource-group <rgname> --out table
      
  • Modify the nsg.sh script in the ops directory. Replace <external-ip> with your public IP address. You can get your public IP from a service like https://ifconfig.co/

#!/bin/bash

ip="<external-ip>"
rg=$(jq -r '.parameters.virtualNetwork.value.resourceGroup' ../shared/params.json)
#ip=$(curl ifconfig.co)

az network nsg rule create \
  --resource-group "$rg" \
  --source-address-prefixes "$ip" \
  --nsg-name main-nsg \
  --protocol tcp \
  --name Alllow22-443 \
  --priority 1000 \
  --destination-address-prefixes VirtualNetwork \
  --destination-port-range 22 443

  • Log on to the cPacket UI at https://<cpacket-public-ip>, navigate to admin and then settings, and verify that vxlan0 has the Remote IP of your Sensor.
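
A pre-flight check for the source address that nsg.sh passes to --source-address-prefixes, as an added example that is not part of the lab's scripts. The function name valid_source_ip and the sample addresses are assumptions constructed for illustration; it accepts only a single IPv4 host, so the unedited <external-ip> placeholder or a wide range never reaches the rule that opens ports 22 and 443.

```shell
#!/bin/sh
# Added example (not from the lab repo): validate the value of "ip" in
# nsg.sh before the NSG rule is created.

# valid_source_ip VALUE
# Succeeds only for one IPv4 host written as a.b.c.d or a.b.c.d/32.
# Rejects the placeholder, wildcards, service tags and wider CIDR ranges.
valid_source_ip() {
    src=$1
    addr=${src%%/*}
    # A mask is allowed only if it is exactly /32 (one host)
    if [ "$addr" != "$src" ] && [ "${src#*/}" != "32" ]; then return 1; fi
    # Digits and dots only; no empty, leading or trailing fields
    case "$addr" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    count=0 rest=$addr
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
        case "$rest" in
            *.*) rest=${rest#*.} ;;
            *)   rest= ;;
        esac
    done
    # Exactly four octets, and never the "any" address
    [ "$count" -eq 4 ] && [ "$addr" != "0.0.0.0" ]
}

# Assumed usage inside nsg.sh, placed before "az network nsg rule create":
#   valid_source_ip "$ip" || { echo "Set ip to your own public IP" >&2; exit 1; }

# Constructed sample inputs (203.0.113.0/24 is a documentation range)
for candidate in '<external-ip>' '0.0.0.0/0' '203.0.113.0/24' '203.0.113.10'; do
    if valid_source_ip "$candidate"; then
        echo "ok:     $candidate"
    else
        echo "reject: $candidate"
    fi
done
```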