Deploy Sensor into Azure IaaS

Azure Base Setup for Sensor

  • The shell script base.sh will create resources in Azure using native az cli commands. It will create the following resources:

    • Resource Group

    • VNet

    • Management, Tap, and User Subnets

    • Network Security Group (hard coded to main-nsg)

    • SSH Key

    • A params.json file used by sensor

  • Modify the variables of the base.sh script in the base directory and then run the script. Your assigned values are on the linked spreadsheet.

  • For the Brain IP, use the INTERNAL IP address of the Brain, NOT the external one.

  • The “base_name” is the “Sensor base_name” in the spreadsheet

  • Sample script below

#!/bin/bash

# Azure variables
rg="student50"
location="westus2"
vnet_name="student50-vnet"
address_prefix="10.50.0.0/16"
mgmt_subnet_name="mgmt-subnet"
mgmt_subnet_prefix="10.50.1.0/24"
tap_subnet_name="tap-subnet"
tap_subnet_prefix="10.50.2.0/24"

# Vectra variables
base_name="EXAMPLE"
brain_ip="10.0.0.4"
reg_token="nlnwlnvzsvngzdmynbcczgdpvmnfxkxg"
sensor_size="Standard_DS3_v2"

# User VM subnets to generate traffic 
UVMsubnetA="10.50.3.0/24"
UVMsubnetB="10.50.4.0/24"

# Create a resource group.
az group create \
  --name "$rg" \
  --location "$location"

# Create a virtual network with a mgmt subnet.
az network vnet create \
  --name "$vnet_name" \
  --resource-group "$rg" \
  --location "$location" \
  --address-prefix "$address_prefix" \
  --subnet-name "$mgmt_subnet_name" \
  --subnet-prefix "$mgmt_subnet_prefix"

# Create a vtap subnet.
az network vnet subnet create \
  --address-prefix "$tap_subnet_prefix" \
  --name "$tap_subnet_name" \
  --resource-group "$rg" \
  --vnet-name "$vnet_name"

# Create SubnetA.
az network vnet subnet create \
  --address-prefix "$UVMsubnetA" \
  --name SubnetA \
  --resource-group "$rg" \
  --vnet-name "$vnet_name"

# Create SubnetB.
az network vnet subnet create \
  --address-prefix "$UVMsubnetB" \
  --name SubnetB \
  --resource-group "$rg" \
  --vnet-name "$vnet_name"

# Create a network security group.
az network nsg create \
  --resource-group "$rg" \
  --name main-nsg \
  --location "$location"

# Associate the main-nsg with the tap-subnet.
az network vnet subnet update \
  --vnet-name "$vnet_name" \
  --name "$tap_subnet_name" \
  --resource-group "$rg" \
  --network-security-group main-nsg

# Associate the main-nsg with SubnetA.
az network vnet subnet update \
  --vnet-name "$vnet_name" \
  --name SubnetA \
  --resource-group "$rg" \
  --network-security-group main-nsg

# Associate the main-nsg with SubnetB.
az network vnet subnet update \
  --vnet-name "$vnet_name" \
  --name SubnetB \
  --resource-group "$rg" \
  --network-security-group main-nsg

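# Create SSH key (RSA 4096, PEM format, no passphrase)
# Make sure the output directory exists before ssh-keygen writes to it.
mkdir -p ../keys
ssh-keygen \
    -m PEM \
    -t rsa \
    -b 4096 \
    -C "vectra" \
    -q \
    -N "" \
    -f ../keys/vectra

# Public half of the key, passed to the Sensor template via params.json
ssh_key=$(cat ../keys/vectra.pub)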

# Modify params.json for Sensor
# Write to a temp file first so a jq failure cannot truncate params.json.
tmpfile=$(mktemp)
jq --arg sshKey "$ssh_key" \
  --arg baseName "$base_name" \
  --arg brainIP "$brain_ip" \
  --arg registrationToken "$reg_token" \
  --arg resourceGroup "$rg" \
  --arg loc "$location" \
  --arg vnet "$vnet_name" \
  --arg traffic "$tap_subnet_name" \
  --arg mgt "$mgmt_subnet_name" \
  --arg instanceSize "$sensor_size" \
  '(.parameters.instanceSize.value) = $instanceSize
   | (.parameters.location.value) = $loc
   | (.parameters.virtualNetwork.value.resourceGroup) = $resourceGroup
   | (.parameters.registrationToken.value) = $registrationToken
   | (.parameters.brainIP.value) = $brainIP
   | (.parameters.baseName.value) = $baseName
   | (.parameters.sshKey.value) = $sshKey
   | (.parameters.virtualNetwork.value.name) = $vnet
   | (.parameters.virtualNetwork.value.subnets.traffic.name) = $traffic
   | (.parameters.virtualNetwork.value.subnets.mgt.name) = $mgt' \
  ../shared/params.json > "$tmpfile"
mv -- "$tmpfile" ../shared/params.json
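
A preflight check for the values you put into base.sh, run before any resources are created: it confirms that the Brain IP is an internal address and that every subnet prefix fits inside the VNet address prefix. This is an added example, not part of the Vectra lab scripts; the function names are hypothetical and "internal" is assumed to mean an RFC 1918 private range.

```bash
#!/bin/bash
# Added example: preflight checks for base.sh variables (hypothetical helper names).

# Convert a dotted-quad IPv4 address (no leading zeros) to a 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print "first last" (as integers) for a CIDR such as 10.50.1.0/24.
cidr_range() {
  local bits="${1#*/}" base mask
  base=$(ip_to_int "${1%/*}")
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  echo "$(( base & mask )) $(( (base & mask) | (~mask & 0xFFFFFFFF) ))"
}

# Succeed if CIDR $1 lies entirely inside CIDR $2.
cidr_within() {
  local inner outer
  inner=$(cidr_range "$1")
  outer=$(cidr_range "$2")
  [ "${inner% *}" -ge "${outer% *}" ] && [ "${inner#* }" -le "${outer#* }" ]
}

# Succeed if the address is in an RFC 1918 private range (assumed meaning of "internal").
is_private_ip() {
  cidr_within "$1/32" 10.0.0.0/8 || cidr_within "$1/32" 172.16.0.0/12 ||
    cidr_within "$1/32" 192.168.0.0/16
}

# preflight <address_prefix> <brain_ip> <subnet_prefix>...
# Prints each problem found and returns non-zero if there was any.
preflight() {
  local vnet="$1" brain="$2" rc=0 s
  shift 2
  is_private_ip "$brain" || { echo "brain_ip $brain is not an internal address"; rc=1; }
  for s in "$@"; do
    cidr_within "$s" "$vnet" || { echo "subnet $s is outside $vnet"; rc=1; }
  done
  return $rc
}

# Values from the sample base.sh above.
preflight 10.50.0.0/16 10.0.0.4 10.50.1.0/24 10.50.2.0/24 10.50.3.0/24 10.50.4.0/24
```
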

  • Because the Sensor will pair with a Brain in a different vNet, the two vNets must be peered. Peering allows communication between different vNets. Peering requirements will vary based on deployment. Modify the variables in peer.sh in the peering directory to match your Brain, then run the script to create your peers.

  • Sample script below

#!/bin/bash

# Variables
brain_rg="<Brain Resource Group>"
brain_vnet="<Brain Vnet Name>"
# Sensor resource group and vNet are read from the params.json written by base.sh.
sensor_rg=$(jq -r '.parameters.virtualNetwork.value.resourceGroup' ../shared/params.json)
sensor_vnet=$(jq -r '.parameters.virtualNetwork.value.name' ../shared/params.json)

# Get the id for Brain.
vNet1Id=$(az network vnet show \
  --resource-group "$brain_rg" \
  --name "$brain_vnet" \
  --query id \
  --out tsv)

# Get the id for Sensor.
vNet2Id=$(az network vnet show \
  --resource-group "$sensor_rg" \
  --name "$sensor_vnet" \
  --query id \
  --out tsv)

# Peer the Brain vNet to the Sensor vNet.
az network vnet peering create \
  --name brain-to-sensor \
  --resource-group "$brain_rg" \
  --vnet-name "$brain_vnet" \
  --remote-vnet "$vNet2Id" \
  --allow-vnet-access

# Peer the Sensor vNet to the Brain vNet.
az network vnet peering create \
  --name sensor-to-brain \
  --resource-group "$sensor_rg" \
  --vnet-name "$sensor_vnet" \
  --remote-vnet "$vNet1Id" \
  --allow-vnet-access

You can verify your peers in the Azure Portal by typing Virtual Networks in the search bar, selecting your vNet, and clicking Peerings.

Sensor Deployment

A Vectra Sensor consists of a Load Balancer and a VM Scale Set. You can deploy the Sensor from the Marketplace or from a template in Azure CLI. For this lab we will use Azure CLI with a template (mainTemplate.json and params.json) provided by Vectra. The params.json file was automatically updated by base.sh. Please review the contents of ./shared/params.json. It should look similar to the example below, but updated with your values.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "baseName": {
      "value": "aspen"
    },
    "brainIP": {
      "value": "10.0.0.4"
    },
    "registrationToken": {
      "value": "nlnwlnvzsvngzdmynbcczgdpvmnfxkxg"
    },
    "sshKey": {
      "value": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC/iU3O9ofBW4IF4YXxmvC4Hij2WJcmfkQMycBtN07Z9Wd4jv8IVlOTYk/Z+URi6g+EAr+AUbd6BVhWpaJbm9ATokT4JDRtey69iiUhyczZuLokx9OgplV8E5fqWtMdY/DiIVlTdCQCfuYt+SLloxKusWm6QmnhjstHlRt4r4Jg9BEjpWkSZYwwc1OasDDe/OSQXllTTat+V2cxP4yXXzz2pNoCVfMVHY5wdft/xsxoQpZr/8I/dYwsGZmJJVFmfI0s0u/BYbmx1yJjW3vUc/QGXtNgOA4OheroKqZRKpdaZM7b0deOb2OnJMrtQDCiEiyTe3lK+ruoqiCCI4Rk3BNVlq3FOZjyfJw+IXatiCBKFu/Pv1vQ15TlIL7SqSAZx15yC4uAi2yuF8KQpOYCOpYiIVnTwgewtCI/NHuEZ08hQ/q+W0VpxfmaToYSC44HPLVXRz4y9S+koVELyqMMPR81xjgT5N0QUd+SgCSBsU+z4IsHyj3H/KlZILAghypm3qxEtJ6NPdo5aM7IHY1Mr04XjBA90h/byhOHVDUEYopvzHD5w9zLBh1B7enOIA97Inw7QfWOl3iM5Tp4IBzYj9ZnsrmtpiEFQ+aAP+NuL6HU7uQnvJIS4TIc8E/ZwT877Qa1PSSis2Tvh68bI4s7JnMb+8DxTenxgA7Hr7oWbSWtkw== vectra"
    },
    "location": {
      "value": "westus2"
    },
    "virtualNetwork": {
      "value": {
        "newOrExisting": "existing",
        "name": "student20-vnet",
        "resourceGroup": "student20",
        "subnets": {
          "traffic": {
            "name": "tap-subnet"
          },
          "mgt": {
            "name": "mgmt-subnet"
          }
        }
      }
    },
    "instanceSize": {
      "value": "Standard_DS3_v2"
    },
    "sshKeyUser": {
      "value": "vectra"
    }
  }
}

  • The shell script sensor.sh in the sensor directory will create Vectra resources in Azure using the Azure Deployment Manager with an ARM Template (mainTemplate.json and params.json). The shell script also writes the IP address of the Load Balancer to a file, which will be used by cPacket. The script does NOT need to be modified for the Vectra lab. If you are using it at a customer site, you need to set subid to the customer's Subscription ID.

#!/bin/bash

# Add Azure Subscription ID
subid="48c78df7-2340-465e-819f-70f07d4da296"

# Do not modify
# Resource group written to params.json by base.sh
rg=$(jq -r '.parameters.virtualNetwork.value.resourceGroup' ../shared/params.json)
# Sensor image version referenced by the ARM template
vmain=$(jq -r '.resources[2].properties.virtualMachineProfile.storageProfile.imageReference.version' ../sensor/mainTemplate.json)
# First image version listed for the vectraaiinc publisher
vmp=$(az vm image list --all --publisher vectraaiinc --query '[0].version' -o tsv)

if [ "$vmain" = "$vmp" ]; then
    echo "Template validation successful"
    echo "Deploying Vectra Sensor in $rg Resource Group"
    az deployment group create \
      --subscription "$subid" \
      --resource-group "$rg" \
      --template-file ../sensor/mainTemplate.json \
      --parameters ../shared/params.json
else
    echo "Template validation not successful.  Please contact your Vectra account team for latest Sensor deployment."
    # Nothing was deployed, so there is no Load Balancer to look up.
    exit 1
fi

# Get lb ip for cpacket remote tool input
lbname="$(jq -r '.parameters.baseName.value' ../shared/params.json)-lb"
lb_private_ip_address=$(az network lb frontend-ip list --resource-group "$rg" --lb-name "$lbname" --query '[0].privateIpAddress' -o tsv)
echo "LB private IP address: $lb_private_ip_address"

# Store ip in file
jq -n --arg ip "$lb_private_ip_address" '{"value":"\($ip)"}' > ../shared/lbip.json

  • Once the Sensor setup is complete, log on to the Brain and verify that the Sensor has connected and is forwarding.