Private VNet protection deployment

This option describes how to deploy and configure a private VNet deployment in Azure. The private VNet deployment option inspects traffic between internal networks as opposed to inbound and outbound internet traffic. Virtual networks connect through VNet Peering so they can communicate with each other. Traffic inspection will begin after the network and User Defined Routes (UDRs) are set up, and all virtual machine resources within the spoke VNets will communicate with each other through Network Security.

Private VNet topology

[Figure: private VNet topology diagram]


Private VNet traffic flow

This graphic shows the east/west traffic flow between the workload VNets.

[Figure: private VNet traffic flow diagram]

Set up network environment

To set up your environment you will complete these tasks:

  1. Create a resource group
  2. Create spoke virtual networks and subnets
  3. Create hub virtual network and subnets
  4. Add peering to connect the VNets
  5. Deploy the Network Security virtual appliance
  6. Configure the route tables and routes

Note

Review Azure's naming conventions before you begin.

Create a resource group

Create a resource group if one does not already exist in your environment.

  1. Navigate to Resource groups → + Add.
  2. Select your Subscription, name the resource group, then select a region.
  3. Click Review + Create.


Create the spoke virtual networks and workload subnets

  1. Navigate to Virtual Networks → + Add.
  2. Enter values for the fields in the Basics tab, naming the instance Spoke1-VNet.
  3. In the IP Address tab, edit the IPv4 address space and enter a new address.
  4. Click + Add Subnet and fill in these details:
    • Subnet name: Workload1-subnet
    • Address range (example): 10.1.1.x/x
  5. Click OK.
  6. Skip the Security and Tags tabs.
  7. Click Review + Create → Create.
  8. From the Virtual Networks page, click + Add.
  9. Enter values for the fields in the Basics tab, naming the instance Spoke2-VNet.
  10. In the IP Address tab, edit the IPv4 address space and enter a new address.
  11. Click + Add Subnet and fill in these details:
    • Subnet name: Workload2-subnet
    • Address range (example): 10.2.1.x/x
  12. Click OK.
  13. Skip the Security and Tags tabs.
  14. Click Review + Create → Create.


Create a Workload virtual machine (optional)

Follow these steps if you are creating this environment as a proof of concept or if you do not have an existing workload in your environment.

  1. Navigate to Virtual machines → + Add → Virtual machine.
  2. In the Basics tab, fill in the required fields. Use these values for the Name and Inbound port rules:
    • Name: WorkloadVM
    • Public inbound ports: None
  3. In the Disks tab, select Standard HDD for the OS disk type and configure the other settings.
  4. In the Networking tab, enter these values:
    • Virtual network: <Your Spoke-VNet>
    • Subnet: WorkloadSubnet
    • Public inbound ports: None
  5. Fill in the information in the remaining tabs.
  6. Click Review + Create → Create.
  7. Write down the Private IP address after the deployment is complete.


Backend workloads example

If you followed the steps above to create a workload in your Azure environment, the following table gives example configuration details for two virtual machine web workloads. Install an HTTP server on each workload VM if you intend to use them as backend workloads.

Network interface   Subnet            IP example
WorkloadVM1         WorkloadSubnet1   10.3.x.x
WorkloadVM2         WorkloadSubnet2   10.4.x.x


Create the hub virtual network and subnets

  1. Navigate to Virtual Networks → + Add.
  2. Enter values for the fields in the Basics tab, naming the instance Hub-VNet.
  3. In the IP Address tab, edit the IPv4 address space and enter a CIDR.
  4. Add three subnets to the Hub-VNet. Click + Add Subnet and enter this information:

    Subnet name         Subnet CIDR examples
    Management-subnet   10.0.0.x/x
    Inspection-subnet   10.0.1.x/x
    Sanitized-subnet    10.0.2.x/x
  5. Click Review + Create → Create.


Add peering to connect the hub and spoke VNets

Create peering connections between the inspection VNet (Hub-VNet) and the workload VNets. The instructions below

  1. Navigate to the Virtual networks page.
  2. Click into Spoke1-VNet → Peerings → + Add.
  3. The first peering connection is from the Spoke1-VNet to the inspection VNet. Enter the following configuration details, then click OK.
    • Peering connection name: Spoke1-to-Hub
    • Virtual network deployment model: Resource manager
    • Subscription: your subscription
    • Virtual network: <your Spoke VNet>
    • Peering connection name: Hub-to-Spoke1
    • Allow virtual network access from Hub-VNet to Spoke1: Enabled
    • Allow virtual network access from Spoke1 to Hub-VNet: Enabled
    • Allow forwarded traffic from Spoke1-to-Hub: Enabled
    • Allow virtual network access from Hub-to-Spoke: Enabled
    • Allow gateway transit: Disabled
  4. Repeat steps 2 and 3 for Spoke2-VNet using these values:
    • Peering connection name: Spoke2-to-Hub
    • Virtual network deployment model: Resource manager
    • Subscription: your subscription
    • Virtual network: <your Spoke VNet>
    • Peering connection name: Hub-to-Spoke2
    • Allow virtual network access from Hub-VNet to Spoke2: Enabled
    • Allow virtual network access from Spoke2 to Hub-VNet: Enabled
    • Allow forwarded traffic from Spoke2-to-Hub: Enabled
    • Allow virtual network access from Hub-to-Spoke: Enabled
    • Allow gateway transit: Disabled


Deploy the Network Security virtual appliance

The Network Security virtual appliance is available from the Azure Marketplace as a public offer. To deploy the Network Security virtual appliance, navigate to Azure Portal → Marketplace → Trend Micro Cloud One™ – Network Security.

Gather the following information before you begin the deployment:

Note

Best practice is to copy and paste the exact names of the resource group, Hub-VNet, and subnets in the following instructions.

  1. Log into Azure and select Create a resource (this will direct you to the Marketplace).
  2. Search for Trend Micro Network Security.
  3. Next to Select a plan, choose Single VM from the dropdown menu.
  4. Click Create.
  5. Enter the following information in the Basics tab:
  6. Select the following information in the Networking tab:
    • Your virtual network
    • All of the subnets you created in the inspection-VNet
  7. Enter or select the following information in the Advanced tab:
    • (Suggested) Keep the Boot diagnostics setting enabled
    • Select your boot diagnostic account, or create a new one
    • Enter the Log Analytics workspace ID and Primary Key in order to upload your logs to the Network Security management portal
  8. Click Review + Create → Deploy.


Configure route tables and routes

After the Network Security virtual appliance is deployed, add and configure the route tables and routes that place your virtual appliance in-line so it can begin inspecting traffic. Traffic is subjected to the firewall rules only once a route sends it to the appliance as the next hop for the subnet; a workload subnet with no such route bypasses inspection entirely.

You will need the following information in order to complete this process:

Step 1: Create two route tables

  1. Navigate to Route tables → + Add.
  2. Enter these values:
    • Table one: Spoke1-rt
    • Table two: Spoke2-rt
  3. Click Review + Create.
  4. Repeat this process for table two.


Step 2: Configure the route tables

  1. From the Route tables page, select the Spoke1-rt table → Routes → + Add.
  2. Enter this information:
    • Name: toSpoke1
    • Address prefix: <CIDR of the Spoke2-VNet>
    • Next hop type: Virtual Appliance
    • Next hop address: <NIC 1A private IP of Network Security virtual appliance>
    • Click OK.
  3. Select the Spoke2-rt table → Routes → + Add, then enter this information:
    • Name: toSpoke2
    • Address prefix: <CIDR of the Spoke1-VNet>
    • Next hop type: Virtual Appliance
    • Next hop address: <NIC 1A private IP of Network Security virtual appliance>
    • Click OK.


Step 3: Associate route table to related subnet

  1. Select your Spoke1-rt table, then click Subnets → + Associate.
    • Virtual network: Spoke1-VNet
    • Subnet: Workload1-subnet
  2. Select your Spoke2-rt table, then click Subnets → + Associate.
    • Virtual network: Spoke2-VNet
    • Subnet: Workload2-subnet
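Once the peerings (Add peering section) and the route tables (Steps 1 to 3 above) are in place, the one thing worth verifying is that no spoke-to-spoke path can skip the appliance. The following audit is an added example, not part of this documentation or the Network Security product: it runs over a constructed model of the finished hub-and-spoke state (the NVA inspection NIC address 10.0.1.4 and the spoke CIDRs are assumed) and reports overlapping address spaces, a missing or non-forwarding peering, and any workload subnet whose route for the other spoke does not next-hop to the appliance.

```python
import ipaddress
from itertools import combinations

# Constructed sample of the finished hub-and-spoke state (simplified; not captured from a real subscription).
NVA_INSPECTION_IP = "10.0.1.4"  # assumed private IP of the appliance NIC in Inspection-subnet
HUB = {"name": "Hub-VNet", "cidr": "10.0.0.0/16"}
SPOKES = {
    "Spoke1-VNet": {"cidr": "10.1.0.0/16", "subnet": "Workload1-subnet"},
    "Spoke2-VNet": {"cidr": "10.2.0.0/16", "subnet": "Workload2-subnet"},
}
PEERINGS = [  # (local VNet, remote VNet, allowForwardedTraffic)
    ("Spoke1-VNet", "Hub-VNet", True), ("Hub-VNet", "Spoke1-VNet", True),
    ("Spoke2-VNet", "Hub-VNet", True), ("Hub-VNet", "Spoke2-VNet", True),
]
ROUTE_TABLES = {  # each spoke's UDR for the other spoke, as created in Step 2 (Next hop type: Virtual Appliance)
    "Spoke1-rt": {"subnets": [("Spoke1-VNet", "Workload1-subnet")], "routes": [
        {"prefix": "10.2.0.0/16", "nextHopType": "VirtualAppliance", "nextHopIpAddress": NVA_INSPECTION_IP}]},
    "Spoke2-rt": {"subnets": [("Spoke2-VNet", "Workload2-subnet")], "routes": [
        {"prefix": "10.1.0.0/16", "nextHopType": "VirtualAppliance", "nextHopIpAddress": NVA_INSPECTION_IP}]},
}

def audit(hub, spokes, peerings, route_tables, nva_ip):  # returns findings; [] means all spoke traffic is inspected
    findings = []
    nets = {n: ipaddress.ip_network(v["cidr"]) for n, v in {hub["name"]: hub, **spokes}.items()}
    for a, b in combinations(nets, 2):  # overlapping address spaces break both peering and routing
        if nets[a].overlaps(nets[b]):
            findings.append(f"address space overlap: {a} {nets[a]} vs {b} {nets[b]}")
    peer = {(src, dst): fwd for src, dst, fwd in peerings}
    for spoke in spokes:  # both directions must exist and accept traffic forwarded by the NVA
        for src, dst in ((spoke, hub["name"]), (hub["name"], spoke)):
            if (src, dst) not in peer:
                findings.append(f"missing peering {src} -> {dst}")
            elif not peer[(src, dst)]:
                findings.append(f"peering {src} -> {dst} does not allow forwarded traffic")
    assoc = {sub: rt for rt in route_tables.values() for sub in rt["subnets"]}
    for spoke, s in spokes.items():  # every workload subnet needs a UDR per other spoke pointing at the NVA
        rt = assoc.get((spoke, s["subnet"]))
        if rt is None:
            findings.append(f"{spoke}/{s['subnet']} has no route table (traffic bypasses NVA)")
            continue
        for other, o in spokes.items():
            if other == spoke:
                continue
            route = next((r for r in rt["routes"] if r["prefix"] == o["cidr"]), None)
            if route is None:
                findings.append(f"{spoke}: no route for {other} ({o['cidr']})")
            elif route["nextHopType"] != "VirtualAppliance" or route["nextHopIpAddress"] != nva_ip:
                findings.append(f"{spoke}: route to {other} is not via NVA {nva_ip}")
    return findings

print(audit(HUB, SPOKES, PEERINGS, ROUTE_TABLES, NVA_INSPECTION_IP) or "OK: all spoke-to-spoke traffic is routed through the NVA")
```

To run it against a real subscription, replace the constructed dictionaries with the corresponding fields from `az network vnet list`, `az network vnet peering list` and `az network route-table list` output.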


High availability

High availability fail-open is available for this deployment. Contact your Trend Micro TippingPoint representative for assistance with configuration.


Manual Fallback

Manually place your virtual appliance(s) in fallback mode by enabling this setting.