Create stacks in Azure


Prerequisites

  1. Install the Azure command-line interface (CLI). All versions are supported.
  2. Prepare a Service Principal

Create an all-in-one stack using template link

  1. Create the all-in-one stack in Azure

    • Log in to the Azure account where you want to deploy the stack.
    • Select the Deploy to Azure button.

      You will be redirected to the Azure Custom deployment page.

    • Follow the instructions in Deploy the all-in-one stack to fill in the required fields and create the stack.

  2. Verify that the stack creation is complete

    • Go to Subscriptions > your subscription > Deployments.
    • Look for your all-in-one stack. When the stack has reached the Succeeded state, your all-in-one stack is ready.

Create a scanner stack using template link

  1. Create the scanner stack in Azure

    • Select the Deploy to Azure button.

      You will be redirected to the Azure Custom deployment page.

    • For supported regions, see What regions are supported?

    • Follow the instructions in Add a scanner stack to fill in the required fields and create the stack.
  2. Verify that the stack creation is complete

    • Go to Resource groups > your scanner stack resource group > Deployments.
    • Look for your scanner stack deployment. It will display Succeeded when done.

Create a storage stack using template link

  1. Create the storage stack in Azure

    • Select the Deploy to Azure button.

      You will be redirected to the Azure Custom deployment page.

    • For supported regions, see What regions are supported?

    • Follow the instructions in Add a storage stack to fill in the required fields and create the stack.
  2. Verify that the stack creation is complete

    • Go to Resource groups > your storage stack resource group > Deployments.
    • Look for your storage stack deployment. It will display Succeeded when done.

Using Azure CLI

Create an all-in-one stack using Azure CLI

  1. Create the all-in-one stack in Azure

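    • On the computer where you installed the Azure CLI, in a program such as bash or PowerShell, enter the following command to create the stack. The trailing backslashes in the commands on this page are bash line continuations; in PowerShell, use a backtick (`) instead or enter the command on a single line: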
      az deployment sub create \
          --name ALLINONE-STACK-NAME \
          --location REGION \
          --template-uri https://file-storage-security.s3.amazonaws.com/latest/arm-templates/FSS-All-In-One-Template.json \
          --parameters \
              FileStorageSecurityServicePrincipalID=FSS-SERVICE-PRINCIPAL-ID \
              CloudOneRegion=CLOUD-ONE-REGION \
              ScannerStackResourceGroup=SCANNER-STACK-RESOURCE-GROUP \
              StorageStackResourceGroup=STORAGE-STACK-RESOURCE-GROUP \
              BlobStorageAccountResourceID=BLOB-STORAGE-ACCOUNT-RESOURCE-ID \
              BlobSystemTopicExist=BLOB-SYSTEM-TOPIC-EXIST \
              BlobSystemTopicName=BLOB-SYSTEM-TOPIC-NAME  \
              UpdateScanResultToBlobMetadata=UPDATE-SCAN-RESULT-TO-BLOB-METADATA \
              StorageStackFunctionAppServicePlan=STORAGE-STACK-FUNCTION-APP-SERVICE-PLAN
      

    where...

    • ALLINONE-STACK-NAME must be replaced with the name of the deployment. You can use any name. Example: FileStorageSecurity-All-In-One
    • REGION must be replaced with the region where you want to install the stack. For supported regions, see What regions are supported? Examples: eastus, japaneast
    • FSS-SERVICE-PRINCIPAL-ID must be replaced with the Service Principal ID you obtained in Prepare a Service Principal.
    • CLOUD-ONE-REGION must be one of the supported Cloud One regions. Example: us-1
    • SCANNER-STACK-RESOURCE-GROUP must be replaced with the name of the Scanner Stack. You can use any name. Example: Scanner-TM-FileStorageSecurity
    • STORAGE-STACK-RESOURCE-GROUP must be replaced with the name of the Storage Stack. You can use any name. Example: Storage-TM-FileStorageSecurity
    • BLOB-STORAGE-ACCOUNT-RESOURCE-ID must be replaced with the resource ID of your Protecting Storage Account, as it appears in the Azure storage account. You can only specify one storage account. For supported storage account types, see What services are supported? You can find the resource ID through the Azure CLI, by entering the following command:

      az storage account show -n STORAGE-ACCOUNT-NAME --query 'id' -o tsv
      

      where...

      STORAGE-ACCOUNT-NAME is replaced with the name of the storage account.

      Example: /subscriptions/1234abcd-3c6d-4347-9019-123456789012/resourceGroups/storage-resource-group/providers/Microsoft.Storage/storageAccounts/protectingstorageaccount

    • BLOB-SYSTEM-TOPIC-EXIST must be replaced with Yes or No, depending on whether the system topic of the protecting storage is already created.

    • BLOB-SYSTEM-TOPIC-NAME must be replaced with the name of the existing system topic or the name of the system topic to be created.
    • UPDATE-SCAN-RESULT-TO-BLOB-METADATA must be replaced with Yes or No, depending on whether you want to update the scan results to both blob metadata and blob index tags or only to blob index tags.
    • STORAGE-STACK-FUNCTION-APP-SERVICE-PLAN must be replaced with EP1 or Y1, depending on whether you want to use a higher tier of the service plan for the Azure functions. EP1 is a premium SKU with better performance, and Y1 is a consumption SKU with lower cost.

    For details on what values to use, see the Deploy the all-in-one stack page. This page includes descriptions of the parameters in the all-in-one ARM template, which are the same as the parameters in the CLI.

  2. Verify that the stack creation is complete

    • Enter the following Azure CLI command:
      az deployment sub show \
          --name ALLINONE-STACK-NAME \
          --query 'properties.provisioningState' \
          --output tsv
      

    where...

    ALLINONE-STACK-NAME is replaced with the name of your all-in-one stack.

    • When the stack is ready, the status will become Succeeded.
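
The verification command above reports a single point-in-time state. The following added example (not part of the original page or the vendor's tooling) polls it until the deployment reaches a terminal state and treats Failed and Canceled as distinct from a timeout. The function names and the STACK_NAME variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: wait for a deployment to reach a terminal provisioning state.

# wait_for_state GETTER [MAX_CHECKS] [PAUSE_SECONDS]
# GETTER is a command that prints the current provisioningState.
# Returns 0 = Succeeded, 1 = Failed or Canceled, 2 = still running at timeout.
wait_for_state() {
    getter=$1; checks=${2:-90}; pause=${3:-20}; n=0; state=Unknown
    while [ "$n" -lt "$checks" ]; do
        # A failed lookup (expired login, network error) is not a verdict.
        state=$("$getter" 2>/dev/null) || state=Unknown
        case "$state" in
            Succeeded) return 0 ;;
            Failed|Canceled)
                echo "deployment ended as $state" >&2
                return 1 ;;
        esac
        n=$((n + 1))
        sleep "$pause"
    done
    echo "no terminal state after $checks checks (last: $state)" >&2
    return 2
}

# The page's verification command for the all-in-one stack.
allinone_state() {
    az deployment sub show --name "$STACK_NAME" \
        --query 'properties.provisioningState' --output tsv
}

# After a failure, list the error messages of the operations that failed.
failed_operations() {
    az deployment operation sub list --name "$STACK_NAME" \
        --query "[?properties.provisioningState=='Failed'].properties.statusMessage"
}

# Run as: STACK_NAME=ALLINONE-STACK-NAME sh wait-stack.sh
if [ -n "${STACK_NAME:-}" ]; then
    wait_for_state allinone_state || { rc=$?; failed_operations; exit "$rc"; }
fi
```

For the scanner and storage stacks, swap in `az deployment group show` and `az deployment operation group list` with `--resource-group`.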

Create a scanner stack using Azure CLI

  1. Create the scanner stack in Azure

    • On the computer where you installed the Azure CLI, in a program such as bash or PowerShell, enter the following command to create the stack:
      az group create \
          --name SCANNER-STACK-NAME \
          --location REGION
      
      az deployment group create \
          --name scannerStack \
          --resource-group SCANNER-STACK-NAME \
          --template-uri https://file-storage-security.s3.amazonaws.com/latest/arm-templates/FSS-Scanner-Stack-Template.json \
          --parameters \
              FileStorageSecurityServicePrincipalID=FSS-SERVICE-PRINCIPAL-ID \
              CloudOneRegion=CLOUD-ONE-REGION
      

    where...

    • SCANNER-STACK-NAME must be replaced with the name of the stack. You can use any name. Example: FSSScanner2
    • REGION must be replaced with the region where you want to install the stack. For supported regions, see What regions are supported? Examples: eastus, japaneast
    • FSS-SERVICE-PRINCIPAL-ID must be replaced with the Service Principal ID you obtained in Prepare a Service Principal.
    • CLOUD-ONE-REGION must be one of the supported Cloud One regions. Example: us-1

    For details on the values to use, see the Add a scanner stack page. This page includes descriptions of the parameters in the scanner stack Azure Resource Manager (ARM) template, which are the same as the parameters in the CLI.

  2. Verify that the stack creation is complete

    • Enter the following Azure CLI command:

      az deployment group show \
          --name scannerStack \
          --resource-group SCANNER-STACK-NAME \
          --query 'properties.provisioningState' \
          --output tsv
      

      where...

      SCANNER-STACK-NAME is replaced with the name of your scanner stack.

    • When the stack is ready, the status will become Succeeded.
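
The `--template-uri` used above points at a `latest/` path, so the template that runs is whatever is published there at deploy time. The following added example (not part of the original page or the vendor's tooling) downloads the scanner template once, compares it with a SHA-256 you recorded when you reviewed it, and deploys that local copy with `--template-file`. The function names and the reviewed hash argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: deploy a reviewed, hash-pinned copy of the scanner template.
# Uses sha256sum (GNU coreutils); on macOS substitute `shasum -a 256`.
TEMPLATE_URI="https://file-storage-security.s3.amazonaws.com/latest/arm-templates/FSS-Scanner-Stack-Template.json"

# sha256_of FILE -> lowercase hex digest of FILE
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# template_matches FILE REVIEWED_SHA256 (lowercase hex)
# Returns 0 on match, 1 on mismatch, 2 if the file is missing or empty.
template_matches() {
    [ -s "$1" ] || return 2
    [ "$(sha256_of "$1")" = "$2" ]
}

# deploy_pinned RESOURCE_GROUP REVIEWED_SHA256 SERVICE_PRINCIPAL_ID CLOUD_ONE_REGION
deploy_pinned() {
    dir=$(mktemp -d) || return 1
    tmp="$dir/scanner-template.json"
    if ! curl -fsSL -o "$tmp" "$TEMPLATE_URI"; then
        echo "download failed" >&2
        rm -rf "$dir"; return 1
    fi
    if ! template_matches "$tmp" "$2"; then
        echo "template is not the reviewed version: $(sha256_of "$tmp")" >&2
        rm -rf "$dir"; return 1
    fi
    # --template-file deploys the bytes just verified; --confirm-with-what-if
    # shows the planned changes and asks before applying them.
    rc=0
    az deployment group create --name scannerStack --resource-group "$1" \
        --template-file "$tmp" --confirm-with-what-if \
        --parameters FileStorageSecurityServicePrincipalID="$3" \
                     CloudOneRegion="$4" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Run as: sh pin-template.sh deploy RG REVIEWED_SHA256 SP_ID CLOUD_ONE_REGION
if [ "${1:-}" = "deploy" ]; then
    shift
    deploy_pinned "$@"
fi
```

A mismatch means the published template changed since your review; diff the new file against the reviewed copy before updating the recorded hash.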

Create a storage stack using Azure CLI

  1. Create the storage stack in Azure

    • On the computer where you installed the Azure CLI, in a program such as bash or PowerShell, enter the following command to create the stack:
      az group create \
          --name STORAGE-STACK-NAME \
          --location REGION
      
      az deployment group create \
          --name storageStack \
          --resource-group STORAGE-STACK-NAME \
          --template-uri https://file-storage-security.s3.amazonaws.com/latest/arm-templates/FSS-Storage-Stack-Template.json \
          --parameters \
              FileStorageSecurityServicePrincipalID=FSS-SERVICE-PRINCIPAL-ID \
              CloudOneRegion=CLOUD-ONE-REGION \
              ScannerIdentityPrincipalID=SCANNER-IDENTITY-PRINCIPAL-ID \
              ScannerQueueNamespace=SCANNER-QUEUE-NAMESPACE \
              BlobStorageAccountResourceID=BLOB-STORAGE-ACCOUNT-RESOURCE-ID \
              BlobSystemTopicExist=BLOB-SYSTEM-TOPIC-EXIST \
              BlobSystemTopicName=BLOB-SYSTEM-TOPIC-NAME  \
              UpdateScanResultToBlobMetadata=UPDATE-SCAN-RESULT-TO-BLOB-METADATA \
              StorageStackFunctionAppServicePlan=STORAGE-STACK-FUNCTION-APP-SERVICE-PLAN
      

    where...

    • STORAGE-STACK-NAME must be replaced with the name of the stack. You can use any name. Example: FSSStorage2
    • REGION must be replaced with the region where you want to install the stack. For supported regions, see What regions are supported? Examples: eastus, japaneast
    • FSS-SERVICE-PRINCIPAL-ID must be replaced with the Service Principal ID you obtained in Prepare a Service Principal.
    • CLOUD-ONE-REGION must be one of the supported Cloud One regions. Example: us-1
    • SCANNER-IDENTITY-PRINCIPAL-ID must be replaced with the ID of Scanner Identity Principal. You can find this ID:

      • Through the Azure portal, under Resource groups > your scanner stack resource group > Deployments > your scanner stack deployment > Outputs > scannerIdentityPrincipalID
      • Through the Azure CLI, by entering the following command:
        az deployment group show \
            --name scannerStack \
            --resource-group SCANNER-STACK-NAME \
            --query 'properties.outputs'
        

      where...

      SCANNER-STACK-NAME is replaced with the name of your scanner stack.

    • SCANNER-QUEUE-NAMESPACE must be replaced with the Scanner Queue Namespace. You can find this namespace:

      • Through the Azure portal, under Resource groups > your scanner stack resource group > Deployments > your scanner stack deployment > Outputs > scannerQueueNamespace
      • Through the Azure CLI, by entering the following command:
        az deployment group show \
            --name scannerStack \
            --resource-group SCANNER-STACK-NAME \
            --query 'properties.outputs'
        

      where...

      SCANNER-STACK-NAME is replaced with the name of your scanner stack.

    • BLOB-STORAGE-ACCOUNT-RESOURCE-ID must be replaced with the resource ID of your Protecting Storage Account, as it appears in the Azure storage account. You can only specify one storage account. For supported storage account types, see What services are supported? You can find the resource ID through the Azure CLI, by entering the following command:

      az storage account show -n STORAGE-ACCOUNT-NAME --query 'id' -o tsv
      

      where...

      STORAGE-ACCOUNT-NAME is replaced with the name of the storage account.

    • BLOB-SYSTEM-TOPIC-EXIST must be replaced with Yes or No, depending on whether the system topic of the protecting storage is already created.

    • BLOB-SYSTEM-TOPIC-NAME must be replaced with the name of the existing system topic or the name of the system topic to be created.
    • UPDATE-SCAN-RESULT-TO-BLOB-METADATA must be replaced with Yes or No, depending on whether you want to update the scan results to both blob metadata and blob index tags or only to blob index tags.
    • STORAGE-STACK-FUNCTION-APP-SERVICE-PLAN must be replaced with EP1 or Y1, depending on whether you want to use a higher tier of the service plan for the Azure functions. EP1 is a premium SKU with better performance, and Y1 is a consumption SKU with lower cost.

    For details on the values to use, see the Add a storage stack page. This page includes descriptions of the parameters in the storage stack Azure Resource Manager (ARM) template, which are the same as the parameters in the CLI.

  2. Verify that the stack creation is complete

    • Enter the following Azure CLI command:

      az deployment group show \
          --name storageStack \
          --resource-group STORAGE-STACK-NAME \
          --query 'properties.provisioningState' \
          --output tsv
      

      where...

      STORAGE-STACK-NAME is replaced with the name of your storage stack.

    • When the stack is ready, the status will become Succeeded.
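
The storage stack takes eight parameters, two of which come from the scanner stack's deployment outputs. The following added example (not part of the original page or the vendor's tooling) reads a single output value directly and checks every parameter against the formats and allowed values listed above, so an unreplaced placeholder or a misspelled value is caught before the deployment starts. The function names are made up for this example, and it assumes that both principal IDs are GUIDs.

```shell
#!/bin/sh
# Added example: pre-flight checks for the storage stack parameters.
# Assumption: both principal IDs are GUIDs (Azure object IDs).

is_guid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

is_storage_account_id() {
    printf '%s\n' "$1" | grep -Eiq \
'^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+/providers/Microsoft\.Storage/storageAccounts/[a-z0-9]{3,24}$'
}

# scanner_output SCANNER_RESOURCE_GROUP OUTPUT_NAME
# Reads one value from the scannerStack deployment outputs, for example
# scannerIdentityPrincipalID or scannerQueueNamespace.
scanner_output() {
    az deployment group show --name scannerStack --resource-group "$1" \
        --query "properties.outputs.$2.value" --output tsv
}

fail() { echo "invalid value for $1" >&2; bad=$((bad + 1)); }

# check_storage_params SP_ID SCANNER_PRINCIPAL QUEUE_NS BLOB_ID
#                      TOPIC_EXIST TOPIC_NAME UPDATE_METADATA SERVICE_PLAN
# Reports every bad value; returns 0 only when all eight are acceptable.
# Yes/No and EP1/Y1 are matched with the exact spelling the page gives.
check_storage_params() {
    bad=0
    is_guid "$1" || fail FileStorageSecurityServicePrincipalID
    is_guid "$2" || fail ScannerIdentityPrincipalID
    [ -n "$3" ] || fail ScannerQueueNamespace
    is_storage_account_id "$4" || fail BlobStorageAccountResourceID
    case "$5" in Yes|No) ;; *) fail BlobSystemTopicExist ;; esac
    [ -n "$6" ] || fail BlobSystemTopicName
    case "$7" in Yes|No) ;; *) fail UpdateScanResultToBlobMetadata ;; esac
    case "$8" in EP1|Y1) ;; *) fail StorageStackFunctionAppServicePlan ;; esac
    [ "$bad" -eq 0 ]
}

# Constructed sample: a placeholder left unreplaced and a lowercase "yes".
check_storage_params FSS-SERVICE-PRINCIPAL-ID \
    11111111-2222-3333-4444-555555555555 scanner-ns \
    /subscriptions/1234abcd-3c6d-4347-9019-123456789012/resourceGroups/storage-resource-group/providers/Microsoft.Storage/storageAccounts/protectingstorageaccount \
    yes topic-name No Y1 || echo "fix the $bad value(s) above before deploying"
```

In a real run, fill the second and third arguments from `scanner_output SCANNER-STACK-NAME scannerIdentityPrincipalID` and `scanner_output SCANNER-STACK-NAME scannerQueueNamespace`, then pass the checked values to `az deployment group create`.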