Scale set private VNet protection deployment

This deployment option describes how to deploy a scale set of virtual appliances using the private VNet deployment. Placing the scale set behind an Azure Load Balancer adds a layer of availability: if one virtual appliance experiences an outage, the remaining instances continue to carry traffic, so disruption is minimal.


Scale set traffic flow

The image below shows east/west traffic flow from Workload VNet 1 to Workload VNet 2.



IMPORTANT: Internet connectivity notice

During the Deploy the Network Security virtual appliance step, the Network Security virtual appliance is placed behind a Standard internal load balancer. Virtual machines that sit only behind a Standard internal load balancer have no outbound internet connectivity by default; it must be provided explicitly. For this deployment, two configurations provide that outbound connectivity so that your Network Security virtual appliance can reach Cloud One Network Security.

Option 1: Add a NAT gateway to the management subnet. This option is configured before the Network Security virtual appliance is deployed.

Option 2 (recommended): Add a public load balancer with an outbound rule and no inbound rules. This option is configured after the Network Security virtual appliance is deployed.


Set up network environment

To set up your environment you will complete these tasks:

  1. Create a resource group
  2. Create the inspection virtual network and subnets
  3. Add a NAT gateway to the management subnet (internet connectivity option 1)
  4. Deploy the Network Security virtual appliance scale set
  5. Create an outbound-only public load balancer (internet connectivity option 2)
  6. Create the spoke virtual networks and subnets
  7. Add peering to connect the VNets
  8. Configure route tables and routes



Note

Review Azure's naming conventions before you begin.



Before you begin

Set up Azure Monitor before you begin this deployment. Write down the Log Analytics workspace ID and primary key; you enter them in the Advanced tab when you deploy the virtual appliance.

Generate and write down a Trend Micro Cloud One API key.


Create a resource group

Create a resource group if one does not already exist in your environment.

  1. Navigate to Resource groups → + Add.
  2. Select your Subscription, name the resource group, then select a region.
  3. Click Review + Create.


Create the inspection virtual network and subnets

Use the procedure below to manually set up the inspection VNet (named Hub-VNet in these steps) and its subnets. You will select all of these subnets when you deploy your Network Security virtual appliance.

  1. Navigate to Virtual Networks → + Add.

  2. Enter values for the fields in the Basics tab, naming the instance Hub-VNet.

  3. In the IP Address tab, edit the IPv4 address space and enter a CIDR.

  4. Add the following subnets to the Hub-VNet. Click + Add Subnet and enter this information:

     Subnet name           Subnet CIDR (example)
     Management-subnet     10.0.0.x/x
     Inspection-subnet     10.0.1.x/x
     Sanitized-subnet      10.0.2.x/x
     Loadbalancer-subnet   10.0.3.x/x

    Note: The internal load balancer (ILB) is created in the Loadbalancer-subnet when you deploy your Network Security virtual appliance from the Azure Marketplace.


  5. Click Review + Create → Create.


Add a NAT gateway to the management subnet

If you chose option 1 in the Internet connectivity notice section, a NAT gateway associated with the management subnet must be added to your configuration to allow the Network Security virtual appliance to communicate with Cloud One Network Security.



Note

There is an option to automatically generate a NAT gateway when you deploy the Network Security virtual appliance. Select the option to automatically generate the NAT gateway in the Deploy the Network Security virtual appliance section or use these steps to manually deploy the NAT gateway.



  1. Navigate to NAT gateways → + Add.
  2. Fill in the information in the Basics tab.
  3. In the Outbound IP tab, select Public IP addresses or Public IP prefixes depending on how your resources are arranged.
    • Public IP address: this is a single IP address
    • Public IP prefixes: this is a range of public IP addresses
  4. In the Subnet tab, select your Hub-VNet name, then select the management-subnet.
  5. Click Review + Create → Create.


If you created the NAT gateway without selecting a subnet, you can associate the management subnet afterwards by clicking the Subnet menu option on the NAT gateway details page.
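The resource group, inspection VNet, subnets and NAT gateway (internet connectivity option 1) from the steps above, as an Azure CLI script. This is an added example, not Trend Micro's own tooling: the resource group name, region, resource names and CIDRs are assumptions chosen to match the naming used on this page, and the management subnet is the only subnet that receives the NAT gateway, as the procedure describes.

```bash
#!/usr/bin/env bash
# Added example (not Trend Micro's own tooling): the "Create the inspection
# virtual network and subnets" and "Add a NAT gateway to the management subnet"
# steps as an Azure CLI script instead of portal clicks. The resource group,
# region, names and CIDRs are assumptions; adjust them to your environment.
# Set AZ=echo to print the commands instead of running them.
set -eu

AZ="${AZ:-az}"
RG="${RG:-nsva-rg}"
LOCATION="${LOCATION:-eastus}"
HUB_VNET="Hub-VNet"
HUB_CIDR="10.0.0.0/16"
NATGW="Hub-natgw"
NATGW_PIP="Hub-natgw-pip"
# name=prefix pairs, in the order the page lists the subnets
HUB_SUBNETS="Management-subnet=10.0.0.0/24 Inspection-subnet=10.0.1.0/24 Sanitized-subnet=10.0.2.0/24 Loadbalancer-subnet=10.0.3.0/24"

create_hub_network() {
  $AZ group create --name "$RG" --location "$LOCATION" --output none
  # The VNet is created with no subnets; each subnet is added explicitly below.
  $AZ network vnet create --resource-group "$RG" --name "$HUB_VNET" \
      --location "$LOCATION" --address-prefixes "$HUB_CIDR" --output none
  for entry in $HUB_SUBNETS; do
    name="${entry%%=*}"; prefix="${entry#*=}"
    $AZ network vnet subnet create --resource-group "$RG" --vnet-name "$HUB_VNET" \
        --name "$name" --address-prefixes "$prefix" --output none
  done
}

add_nat_gateway() {  # internet connectivity option 1
  # A NAT gateway needs a Standard SKU, static public IP (or a public IP prefix).
  $AZ network public-ip create --resource-group "$RG" --name "$NATGW_PIP" \
      --location "$LOCATION" --sku Standard --allocation-method Static --output none
  $AZ network nat gateway create --resource-group "$RG" --name "$NATGW" \
      --location "$LOCATION" --public-ip-addresses "$NATGW_PIP" --idle-timeout 10 --output none
  # Only the management subnet gets the NAT gateway: that is the interface the
  # appliance uses to reach Cloud One. The inspection and sanitized subnets
  # get no outbound path of their own.
  $AZ network vnet subnet update --resource-group "$RG" --vnet-name "$HUB_VNET" \
      --name Management-subnet --nat-gateway "$NATGW" --output none
}

if [ "${1:-}" = "deploy" ]; then
  create_hub_network
  add_nat_gateway
fi
```

Run `AZ=echo bash hub-network.sh deploy` first to review the exact commands, then `bash hub-network.sh deploy` after `az login` against the target subscription. Skip `add_nat_gateway` if you intend to use option 2 or to let the Marketplace deployment create the NAT gateway for you.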

Deploy the Network Security virtual appliance

The Network Security virtual appliance is available from the Azure Marketplace as a public offer. To deploy the Network Security virtual appliance, navigate to Azure Portal → Marketplace → Trend Micro Cloud One™ – Network Security.

If the Azure Marketplace deployment does not properly register the virtual appliance(s) with Network Security, add them manually.

Gather the following information before you begin the deployment:



Note

Best practice is to copy and paste the exact names of the resource group, hub-VNet, and subnets in the following instructions.



  1. Log into Azure and select Create a resource (this will direct you to the Marketplace).
  2. Search for Trend Micro Network Security.
  3. Next to Select a plan, choose Scale Set VM in the dropdown menu.
  4. Click Create.
  5. Enter the following information in the Basics tab:
  6. Select the following information in the Networking tab:
    • Your virtual network
    • All of the subnets you created in the inspection-VNet
    • For NAT Gateway, either choose Create new to automatically create a new NAT gateway when you deploy the virtual appliance, or choose Select existing if you already manually created a NAT gateway.
  7. Enter or select the following information in the Advanced tab:
    • (Suggested) Keep the Boot diagnostics setting enabled
    • Select your boot diagnostic account, or create a new one
    • Enter the Log Analytics workspace ID and Primary Key in order to upload your logs to the Network Security management portal
  8. Click Review + Create → Deploy.


Create an outbound-only public load balancer

If you chose option 2 in the Internet connectivity notice section, a public load balancer must be added to your configuration to allow the Network Security virtual appliance to communicate with Cloud One Network Security.

Step 1: Create a public load balancer

  1. Navigate to Load balancers → + Add.
  2. Configure the settings below, leaving the other settings in their default state.
    • Type: Public
    • SKU: Standard
    • Public IP address: Create new or use existing
    • Availability zone (create new IP option only): Zone-redundant
    • Choose public IP address (use existing IP option only): select an IP
  3. Click Review + Create → Create.

Step 2: Create a public backend pool

  1. In your public load balancer, select Backend pools.
  2. Click + Add.
  3. Configure the settings below, leaving the other settings in their default state.
    • Virtual network: select your VNet
    • IP version: IPv4
    • Virtual machine scale set: select your VMSS Network Security virtual appliance
    • IP address: select the management port
  4. Click Add.

Step 3: Configure a public load balancer outbound rule

  1. In your public load balancer, select Outbound rules.
  2. Click + Add.
    • Frontend IP address: Create New or use existing
    • Protocol: All
    • Idle timeout: set to 15 minutes
    • TCP reset: Enabled
    • Backend pool: <your backend pool>
    • Port allocation: Use the default number of outbound ports.
  3. Click Add.

Do not add load-balancing rules or inbound NAT rules to this load balancer: its public frontend exists only so the outbound rule can SNAT traffic from the management interfaces, and with no inbound rules the public IP exposes nothing. Microsoft's Azure documentation describes how to test the outbound connectivity.
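The outbound-only public load balancer from Steps 1 to 3 as an Azure CLI script, with a check that nothing inbound was configured. This is an added example, not Trend Micro's own tooling: the resource group, region, resource names and the scale set name are assumptions, and so is the index of the management NIC configuration inside the scale set model (confirm it with `az vmss show` before running `add_vmss_to_pool`).

```bash
#!/usr/bin/env bash
# Added example (not Trend Micro's own tooling): option 2 from the Internet
# connectivity notice, an outbound-only Standard public load balancer in front
# of the scale set's management NICs, built with the Azure CLI instead of the
# portal. Resource names, region and the NIC/IP-config index are assumptions.
# Set AZ=echo to print the commands instead of running them.
set -eu

AZ="${AZ:-az}"
RG="${RG:-nsva-rg}"
LOCATION="${LOCATION:-eastus}"
VMSS="${VMSS:-nsva-vmss}"   # scale set created by the Marketplace deployment (assumed name)
LB="nsva-outbound-lb"
LB_PIP="nsva-outbound-pip"
FRONTEND="outbound-frontend"
POOL="nsva-mgmt-pool"

create_outbound_lb() {
  # Standard, static, zone-redundant public IP for the frontend.
  $AZ network public-ip create --resource-group "$RG" --name "$LB_PIP" \
      --location "$LOCATION" --sku Standard --allocation-method Static \
      --zone 1 2 3 --output none
  # Standard public LB with one frontend and one backend pool. 'az network lb
  # create' adds no load-balancing or inbound NAT rules, which is what we want.
  $AZ network lb create --resource-group "$RG" --name "$LB" --location "$LOCATION" \
      --sku Standard --public-ip-address "$LB_PIP" \
      --frontend-ip-name "$FRONTEND" --backend-pool-name "$POOL" --output none
  # The outbound rule is the only rule: Protocol All, 15 minute idle timeout,
  # TCP reset on idle, default SNAT port allocation (no --outbound-ports).
  $AZ network lb outbound-rule create --resource-group "$RG" --lb-name "$LB" \
      --name allow-outbound --frontend-ip-configs "$FRONTEND" --address-pool "$POOL" \
      --protocol All --idle-timeout 15 --enable-tcp-reset true --output none
}

add_vmss_to_pool() {
  # Put the scale set's management IP configuration into the backend pool.
  # Assumption: the management NIC is networkInterfaceConfigurations[0] and its
  # IP configuration is ipConfigurations[0]; confirm with 'az vmss show'.
  pool_id=$($AZ network lb address-pool show --resource-group "$RG" --lb-name "$LB" \
      --name "$POOL" --query id --output tsv)
  $AZ vmss update --resource-group "$RG" --name "$VMSS" \
      --add 'virtualMachineProfile.networkProfile.networkInterfaceConfigurations[0].ipConfigurations[0].loadBalancerBackendAddressPools' id="$pool_id" \
      --output none
  # Roll the updated scale set model out to the existing instances.
  $AZ vmss update-instances --resource-group "$RG" --name "$VMSS" --instance-ids '*' --output none
}

verify_outbound_only() {
  # The public frontend must expose nothing inbound: zero load-balancing rules
  # and zero inbound NAT rules. Exits non-zero if either list is non-empty.
  lb_rules=$($AZ network lb rule list --resource-group "$RG" --lb-name "$LB" \
      --query 'length(@)' --output tsv)
  nat_rules=$($AZ network lb inbound-nat-rule list --resource-group "$RG" --lb-name "$LB" \
      --query 'length(@)' --output tsv)
  [ "$lb_rules" = "0" ] && [ "$nat_rules" = "0" ]
}

if [ "${1:-}" = "deploy" ]; then
  create_outbound_lb
  add_vmss_to_pool
  verify_outbound_only && echo "outbound-only load balancer $LB is in place"
fi
```

`verify_outbound_only` is the check to re-run after any later change to this load balancer; a single load-balancing rule added later would turn the outbound-only SNAT frontend into an inbound path to the appliance's management interface.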


Create the spoke virtual networks and subnets

Create two spoke-VNets for your workload subnets. This step is optional if you already have spokes and workloads in your environment.

  1. Navigate to Virtual Networks → + Add.
  2. Enter values for the fields in the Basics tab, naming the instance Spoke1-VNet.
  3. In the IP Address tab, edit the IPv4 address space and enter a CIDR that does not overlap with the Hub-VNet or the other spoke; VNets with overlapping address spaces cannot be peered.
  4. Click + Add Subnet and fill in these details:
    • Subnet name: Workload1-subnet
    • Address range (example): 10.1.1.x/x
  5. Click OK.
  6. Skip the Security and Tags tabs.
  7. Click Review + Create → Create.
  8. Repeat steps 1-7 for the second Spoke-VNet, naming the spoke Spoke2-VNet and workload subnet Workload2-subnet.


Create a Workload virtual machine (optional)

Follow these steps if you are creating this environment as a proof of concept or if you do not have an existing workload in your environment.

  1. Navigate to Virtual machines → + Add → Virtual machine.
  2. In the Basics tab, fill in the required fields. Use these values for the Name and Inbound port rules:
    • Name: WorkloadVM
    • Public inbound ports: None
  3. In the Disks tab, select Standard HDD for the OS disk type and configure the other settings.
  4. In the Networking tab, enter these values:
    • Virtual network: <Your Spoke-VNet>
    • Subnet: Workload1-subnet (Workload2-subnet for a VM in the second spoke)
    • Public inbound ports: None
  5. Fill in the information in the remaining tabs.
  6. Click Review + Create → Create.
  7. Write down the Private IP address after the deployment is complete.


Backend workloads example

If you followed the steps above to create workloads in your Azure environment, the following table gives example configuration details for two virtual machine web workloads. Install an HTTP server on each workload VM if you want to generate east/west test traffic between them.

Network interface   Subnet            IP example
WorkloadVM1         WorkloadSubnet1   10.3.x.x
WorkloadVM2         WorkloadSubnet2   10.4.x.x


Add peering to connect the hub and spoke VNets

Create peering connections between the inspection VNet (Hub-VNet) and the workload VNets. The instructions below

  1. Navigate to the Virtual networks page.
  2. Click into Spoke1-VNet → Peerings → + Add.
  3. The first peering connection is from the Spoke1-VNet to the inspection VNet. Enter the following configuration details, then click Ok.
    • Peering connection name (this virtual network): Spoke1-to-Hub
    • Virtual network deployment model: Resource manager
    • Subscription: your subscription
    • Virtual network (remote): Hub-VNet
    • Peering connection name (remote virtual network): Hub-to-Spoke1
    • Allow virtual network access from Hub-VNet to Spoke1-VNet: Enabled
    • Allow virtual network access from Spoke1-VNet to Hub-VNet: Enabled
    • Allow forwarded traffic from Spoke1-VNet to Hub-VNet: Enabled
    • Allow forwarded traffic from Hub-VNet to Spoke1-VNet: Enabled
    • Allow gateway transit: Disabled

    Forwarded traffic must be allowed in both directions. Traffic from Spoke2 reaches Spoke1 only after the virtual appliance in the hub forwards it, and a peering drops forwarded packets unless the receiving side allows them; if east/west traffic stops as soon as the route tables are applied, check these two settings first.
  4. Repeat steps 2 and 3 for Spoke2-VNet using these values:
    • Peering connection name (this virtual network): Spoke2-to-Hub
    • Virtual network deployment model: Resource manager
    • Subscription: your subscription
    • Virtual network (remote): Hub-VNet
    • Peering connection name (remote virtual network): Hub-to-Spoke2
    • Allow virtual network access from Hub-VNet to Spoke2-VNet: Enabled
    • Allow virtual network access from Spoke2-VNet to Hub-VNet: Enabled
    • Allow forwarded traffic from Spoke2-VNet to Hub-VNet: Enabled
    • Allow forwarded traffic from Hub-VNet to Spoke2-VNet: Enabled
    • Allow gateway transit: Disabled


Configure route tables and routes

After the Network Security virtual appliance is deployed, add and configure the route tables and routes that place the virtual appliance in-line so it begins inspecting traffic. Traffic is only subjected to the firewall rules when the subnet's route table sends it to the appliance (the internal load balancer's private IP) as its next hop. Both spokes must route through the same internal load balancer so that the appliance sees both directions of every flow; a route on only one side leaves the return traffic uninspected.

You will need the following information in order to complete this process:


Step 1: Create two route tables

  1. Navigate to Route tables → + Add.
  2. Enter these values:
    • Table one: Spoke1-rt
    • Table two: Spoke2-rt
  3. Click Review + Create.
  4. Repeat this process for table two.


Step 2: Configure the route tables

  1. From the Route tables page, select the Spoke1-rt table → Routes → + Add.
  2. Enter this information:
    • Name: toSpoke2
    • Address prefix: <CIDR of the Spoke2-VNet>
    • Next hop type: Virtual Appliance
    • Next hop address: <private frontend IP address of the internal load balancer>
    • Click OK.
  3. Select the Spoke2-rt table → Routes → + Add.
    • Name: toSpoke1
    • Address prefix: <CIDR of the Spoke1-VNet>
    • Next hop type: Virtual Appliance
    • Next hop address: <private frontend IP address of the internal load balancer>
    • Click OK.


Step 3: Associate route table to related subnet

  1. Select your Spoke1-rt table, then click Subnets → + Associate.
    • Virtual network: Spoke1-VNet
    • Subnet: Workload1-subnet
  2. Select your Spoke2-rt table, then click Subnets → + Associate.
    • Virtual network: Spoke2-VNet
    • Subnet: Workload2-subnet
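The spoke VNets, the hub peerings with forwarded traffic allowed on both links, and the two symmetric route tables from the sections above, as an Azure CLI script. This is an added example, not Trend Micro's own tooling. It also includes an offline pre-flight check that the hub and spoke address spaces do not overlap, since overlapping VNets cannot be peered. The resource group, region, names, CIDRs and the internal load balancer's frontend IP (ILB_IP) are assumptions; the Hub-VNet, scale set and ILB are expected to exist already from the earlier steps.

```bash
#!/usr/bin/env bash
# Added example (not Trend Micro's own tooling): the spoke, peering and routing
# steps as an Azure CLI script, plus an offline check that the three address
# spaces do not overlap. Names, CIDRs, region and ILB_IP are assumptions.
# Set AZ=echo to print the commands instead of running them.
set -eu

AZ="${AZ:-az}"
RG="${RG:-nsva-rg}"
LOCATION="${LOCATION:-eastus}"
HUB_VNET="Hub-VNet"
HUB_CIDR="10.0.0.0/16"
SPOKE1_CIDR="${SPOKE1_CIDR:-10.1.0.0/16}"
SPOKE2_CIDR="${SPOKE2_CIDR:-10.2.0.0/16}"
# Private frontend IP of the internal load balancer created by the Marketplace
# deployment (assumed value; read the real one from the ILB frontend IP configuration).
ILB_IP="${ILB_IP:-10.0.3.4}"

cidr_to_range() {  # a.b.c.d/n -> "first last" as integers
  ip="${1%/*}"; bits="${1#*/}"
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  size=$(( 1 << (32 - bits) ))
  first=$(( n & ~(size - 1) ))
  echo "$first $(( first + size - 1 ))"
}

cidrs_overlap() {  # succeeds (exit 0) when the two CIDRs share any address
  set -- $(cidr_to_range "$1") $(cidr_to_range "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

create_spoke() {  # vnet-name vnet-cidr subnet-name subnet-cidr
  $AZ network vnet create --resource-group "$RG" --name "$1" --location "$LOCATION" \
      --address-prefixes "$2" --subnet-name "$3" --subnet-prefixes "$4" --output none
}

peer_with_hub() {  # spoke-vnet-name spoke-number
  # Forwarded traffic must be allowed on BOTH links: the spoke has to accept
  # packets the appliance forwards for the other spoke, and the hub has to
  # accept them from the spoke. Gateway transit stays off (the CLI default).
  $AZ network vnet peering create --resource-group "$RG" --name "Spoke$2-to-Hub" \
      --vnet-name "$1" --remote-vnet "$HUB_VNET" \
      --allow-vnet-access --allow-forwarded-traffic --output none
  $AZ network vnet peering create --resource-group "$RG" --name "Hub-to-Spoke$2" \
      --vnet-name "$HUB_VNET" --remote-vnet "$1" \
      --allow-vnet-access --allow-forwarded-traffic --output none
}

route_via_appliance() {  # route-table spoke-vnet subnet destination-cidr route-name
  $AZ network route-table create --resource-group "$RG" --name "$1" --location "$LOCATION" --output none
  $AZ network route-table route create --resource-group "$RG" --route-table-name "$1" \
      --name "$5" --address-prefix "$4" --next-hop-type VirtualAppliance \
      --next-hop-ip-address "$ILB_IP" --output none
  $AZ network vnet subnet update --resource-group "$RG" --vnet-name "$2" --name "$3" \
      --route-table "$1" --output none
}

deploy_spokes() {
  for pair in "$HUB_CIDR $SPOKE1_CIDR" "$HUB_CIDR $SPOKE2_CIDR" "$SPOKE1_CIDR $SPOKE2_CIDR"; do
    if cidrs_overlap $pair; then
      echo "address spaces overlap, peering would fail: $pair" >&2
      return 1
    fi
  done
  create_spoke Spoke1-VNet "$SPOKE1_CIDR" Workload1-subnet "${SPOKE1_CIDR%.0.0/16}.1.0/24"
  create_spoke Spoke2-VNet "$SPOKE2_CIDR" Workload2-subnet "${SPOKE2_CIDR%.0.0/16}.1.0/24"
  peer_with_hub Spoke1-VNet 1
  peer_with_hub Spoke2-VNet 2
  # Symmetric routing: each spoke sends the other spoke's prefix to the same
  # ILB, so the appliance sees both directions of every flow.
  route_via_appliance Spoke1-rt Spoke1-VNet Workload1-subnet "$SPOKE2_CIDR" toSpoke2
  route_via_appliance Spoke2-rt Spoke2-VNet Workload2-subnet "$SPOKE1_CIDR" toSpoke1
}

if [ "${1:-}" = "deploy" ]; then
  deploy_spokes
fi
```

The workload subnet of each spoke is derived from the spoke's /16 (x.y.1.0/24), so the script expects spoke address spaces written as x.y.0.0/16; pass different values through SPOKE1_CIDR and SPOKE2_CIDR and adjust that derivation if your spokes are sized differently. Run with `AZ=echo` first to review the commands; the overlap check runs before any Azure call, so a clashing address space fails the script before anything is created.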


High availability

Do not use manual fallback in this deployment option.

High availability fail-open is available for this deployment. Contact your Trend Micro TippingPoint representative for assistance with configuration.