Deploy Azure POP in New and Existing Infrastructure
Before you start the PoP deployment, make sure to set up the prerequisites to deploy PoP. For details, see Prerequisites.
After successful PoP deployment, the PoP details and its health status are reported under PoP Management.
Step 1: Download the PoP Deployment Package
To download the PoP Deployment Package:
- Log in to Skyhigh CASB.
- Go to Service Management > Microsoft Azure, and choose a registered Azure Account.
- In the Overview tab, click Deploy New PoP.
- Click Download Deployment package and download the package.
The downloaded PoP Deployment Package contains the installation files to deploy the PoP and the artifacts the PoP needs to communicate with Skyhigh CASB. The package is valid for seven days after it is downloaded from Skyhigh CASB.
Step 2: Deploy the required Infrastructure through the Azure ARM template
The ‘Infrastructure.tar,’ which is part of the PoP Deployment Package (PopDeployment.tar), contains the ARM template (‘Azure_NewInfra.json’) used to create the infrastructure in Azure and deploy the PoP.
Deploy the PoP using new infrastructure setup
To deploy the PoP in a new infrastructure setup through the Azure ARM template:
- Go to the Templates in Azure Console.
- Go to Templates > Add > Provide Name and Description > Copy and paste the Azure_NewInfra.json contents > Add.
- Once the template is created, select Deploy.
- Provide the required input parameters in the template:
- Subscription. Azure Subscription account name
- Resource Group. Select the resource group created before deployment.
- Location. Auto-populated according to the resource group.
- Pop Name. Specify a unique name for the PoP to be created.
- Zone. An availability zone is a logical data center in a region available for use by any Azure customer. Select the number of availability zones to configure from the menu.
- Virtual Machine size. Specify the required virtual machine size. Minimum and recommended size is Standard_D2s_v3.
- Admin Username. Enter the desired username for the virtual machine.
- Admin Password Or Key. Copy the public key value of the SSH key created in the prerequisites step and provide it as input here.
- Actions. List of actions the role assigned to the PoP virtual machines is allowed to perform on Azure resources. The recommended list is:
["Microsoft.Authorization/*/Read","Microsoft.Authorization/*/Write","Microsoft.Compute/locations/*", "Microsoft.Compute/virtualMachines/*","Microsoft.Compute/virtualMachineScaleSets/*","Microsoft.Compute/disks/*", "Microsoft.Insights/alertRules/*","Microsoft.Network/applicationGateways/backendAddressPools/join/action", "Microsoft.Network/loadBalancers/*","Microsoft.Network/locations/*","Microsoft.Network/networkInterfaces/*", "Microsoft.Network/networkSecurityGroups/*","Microsoft.Network/publicIPAddresses/*", "Microsoft.Network/virtualNetworks/*","Microsoft.Network/privateLinkServices/*", "Microsoft.Network/privateEndpoints/*","Microsoft.ResourceHealth/availabilityStatuses/read", "Microsoft.Resources/deployments/*","Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Network/privateDnsZones/*","Microsoft.Network/privateDnsOperationResults/*", "Microsoft.Network/privateDnsOperationStatuses/*","Microsoft.Storage/*/read","Microsoft.Storage/storageAccounts/*"]
- Not actions. List of actions the role assigned to the PoP virtual machines is not permitted to perform on Azure resources. The recommended list is:
["Microsoft.Authorization/*/Delete","Microsoft.Authorization/elevateAccess/Action", "Microsoft.Blueprint/blueprintAssignments/write","Microsoft.Blueprint/blueprintAssignments/delete", "Microsoft.Compute/galleries/share/action"]
- Role Name. Provide a unique name for the role definition.
- Role Description. Provide a detailed description of the role definition.
- Desired Secondary Node Capacity. Enter the desired number of secondary nodes, i.e., the number of secondary machines in the virtual machine scale set. [Min=1, Max=10]
- Cwpp Package Url. Provide the URL of PoPDeployment.tar stored in Azure Storage (see the prerequisites step), within single quotes, for example 'https://URL'.
- Cwpp Deployment Script. Provide the URL of AzureDeploymentScript.sh stored in Azure Storage (see the prerequisites step), without single quotes, for example https://URL.
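The Actions, Not actions, Role Name and Role Description parameters above together define a custom Azure role for the PoP virtual machines. The following script is an added example, not part of the PoP deployment package or Skyhigh's own tooling: it assembles the role definition in the JSON shape that `az role definition create --role-definition @file.json` accepts, using the recommended lists from this page, and then applies two least-privilege checks before the role is created. Because Azure subtracts NotActions from Actions rather than treating them as a deny rule, the script reports any NotAction that overlaps no Action (it removes nothing), and it flags Actions that grant write under Microsoft.Authorization, since that includes writing role assignments. The role name, description, subscription id and resource group are placeholders, and the wildcard overlap test is a simplified model of Azure's matching.

```python
import json
import re

# The recommended Actions / Not actions lists from the PoP template parameters on
# this page. The checks below are an added example, not part of the deployment package.
ACTIONS = [
    "Microsoft.Authorization/*/Read", "Microsoft.Authorization/*/Write",
    "Microsoft.Compute/locations/*", "Microsoft.Compute/virtualMachines/*",
    "Microsoft.Compute/virtualMachineScaleSets/*", "Microsoft.Compute/disks/*",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Network/applicationGateways/backendAddressPools/join/action",
    "Microsoft.Network/loadBalancers/*", "Microsoft.Network/locations/*",
    "Microsoft.Network/networkInterfaces/*", "Microsoft.Network/networkSecurityGroups/*",
    "Microsoft.Network/publicIPAddresses/*", "Microsoft.Network/virtualNetworks/*",
    "Microsoft.Network/privateLinkServices/*", "Microsoft.Network/privateEndpoints/*",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/deployments/*", "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Network/privateDnsZones/*", "Microsoft.Network/privateDnsOperationResults/*",
    "Microsoft.Network/privateDnsOperationStatuses/*",
    "Microsoft.Storage/*/read", "Microsoft.Storage/storageAccounts/*",
]
NOT_ACTIONS = [
    "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write", "Microsoft.Blueprint/blueprintAssignments/delete",
    "Microsoft.Compute/galleries/share/action",
]


def _regex(pattern):
    # Azure RBAC operation strings match case-insensitively; '*' is the only wildcard.
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.IGNORECASE)


def overlaps(p, q):
    # Simplified overlap test (assumption, not Azure's exact algorithm): substitute a
    # sample segment for each '*' in one pattern and see whether the other pattern
    # matches it, in either direction.
    sample_p = p.replace("*", "sample")
    sample_q = q.replace("*", "sample")
    return bool(_regex(q).fullmatch(sample_p) or _regex(p).fullmatch(sample_q))


def ineffective_not_actions(actions=ACTIONS, not_actions=NOT_ACTIONS):
    # NotActions only subtract from Actions; an entry overlapping no Action removes nothing.
    return [n for n in not_actions if not any(overlaps(a, n) for a in actions)]


def high_impact_actions(actions=ACTIONS):
    # Write under Microsoft.Authorization covers roleAssignments/write, so the PoP
    # identity could grant further roles; this deserves a conscious decision.
    return [a for a in actions if overlaps(a, "Microsoft.Authorization/roleAssignments/write")]


def has_bare_wildcard(actions=ACTIONS):
    # A bare "*" would make the role equivalent to Owner on its scope.
    return "*" in actions


def role_definition(role_name, description, subscription_id, resource_group,
                    actions=ACTIONS, not_actions=NOT_ACTIONS):
    # Shape accepted by `az role definition create --role-definition @file.json`.
    return {
        "Name": role_name,
        "IsCustom": True,
        "Description": description,
        "Actions": list(actions),
        "NotActions": list(not_actions),
        "AssignableScopes": [f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"],
    }


if __name__ == "__main__":
    # Placeholder identifiers; substitute your own subscription id and resource group.
    role = role_definition("skyhigh-pop-role", "Role for the Skyhigh PoP virtual machines",
                           "00000000-0000-0000-0000-000000000000", "pop-rg")
    print(json.dumps(role, indent=2))
    print("bare wildcard present:", has_bare_wildcard())
    print("high-impact actions:", high_impact_actions())
    print("NotActions that remove nothing:", ineffective_not_actions())
```

Run with the recommended lists, the script reports no bare wildcard, lists `Microsoft.Authorization/*/Write` as high-impact, and shows that none of the five NotActions overlaps an Action: they document intent but do not narrow the role. Entries you want enforced regardless of Actions belong in a separate deny assignment or in a narrower Actions list, not in NotActions.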
After starting the template deployment, it takes about 20 minutes to deploy the PoP. You can check the deployment status in the Azure Console.
After the PoP deployment, the deployed PoP in your account reports its status to Skyhigh CASB. You can check the PoP details on the PoP Management page.
Deploy the PoP using existing infrastructure setup
Before deploying the PoP in an existing virtual network, the following prerequisites must be in place:
- Resource group and the private SSH key.
- Virtual network within the resource group, with a subnet for the PoP infrastructure and a Bastion subnet for the Azure Bastion host.
- Bastion host to access the virtual machine.
- Standard NAT Gateway associated with the subnet in the virtual network.
- Network Security Group with the following inbound and outbound security rules, associated with the subnet.
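A quick way to confirm the network prerequisites before running the existing-infrastructure template is to inspect the virtual network and check each item programmatically. The script below is an added example, not part of the PoP deployment package: it takes a virtual network document in the shape of `az network vnet show -o json` output (the sample here is constructed and trimmed to the fields used, and the field names `subnets`, `natGateway` and `networkSecurityGroup` are assumed from the ARM virtualNetworks resource) and reports which prerequisites are missing for the PoP subnet. The Bastion check relies on Azure's requirement that the Bastion subnet be named `AzureBastionSubnet`; resource ids in the sample are placeholders.

```python
import json

# Constructed sample in the shape of `az network vnet show -o json`, trimmed to the
# subnet properties this check needs. Ids are placeholders, not real resources.
SAMPLE_VNET = json.loads("""
{
  "name": "pop-vnet",
  "subnets": [
    {
      "name": "pop-subnet",
      "natGateway": {"id": "/subscriptions/PLACEHOLDER/resourceGroups/pop-rg/providers/Microsoft.Network/natGateways/pop-nat"},
      "networkSecurityGroup": {"id": "/subscriptions/PLACEHOLDER/resourceGroups/pop-rg/providers/Microsoft.Network/networkSecurityGroups/pop-nsg"}
    },
    {
      "name": "AzureBastionSubnet",
      "natGateway": null,
      "networkSecurityGroup": null
    }
  ]
}
""")


def check_existing_infra(vnet, pop_subnet_name):
    """Return a list of missing prerequisites; an empty list means the VNet is ready."""
    problems = []
    subnets = {s["name"]: s for s in vnet.get("subnets", [])}
    pop = subnets.get(pop_subnet_name)
    if pop is None:
        return [f"subnet '{pop_subnet_name}' not found in VNet '{vnet.get('name')}'"]
    # The PoP subnet needs a NAT Gateway association for its outbound path.
    if not (pop.get("natGateway") or {}).get("id"):
        problems.append(f"no NAT gateway associated with subnet '{pop_subnet_name}'")
    # The PoP subnet needs a Network Security Group association.
    if not (pop.get("networkSecurityGroup") or {}).get("id"):
        problems.append(f"no network security group associated with subnet '{pop_subnet_name}'")
    # Azure Bastion requires a subnet literally named AzureBastionSubnet.
    if "AzureBastionSubnet" not in subnets:
        problems.append("no AzureBastionSubnet present for the Bastion host")
    return problems


if __name__ == "__main__":
    # Replace SAMPLE_VNET with json.load() of your own `az network vnet show` output.
    missing = check_existing_infra(SAMPLE_VNET, "pop-subnet")
    print("ready" if not missing else "\n".join(f"missing: {m}" for m in missing))
```

The NSG rule contents and the NAT Gateway SKU are not visible in the subnet document, so verify those separately on the NSG and NAT Gateway resources themselves.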
Once these are validated, extract the ‘Infrastructure.tar,’ which is part of the PoP Deployment Package (PopDeployment.tar). The tar contains the ARM template (‘Azure_ExistingInfra.json’) used to deploy the PoP into the existing infrastructure in Azure.
- Go to the Templates in Azure Console.
- Go to Templates > Add > Provide Name and Description. Copy and paste the Azure_ExistingInfra.json contents, then choose Add.
- In the newly created template, choose Deploy.
- Provide the inputs for the PoP Deployment Template as described in Deploy the PoP using new infrastructure setup.