Inspect inbound and outbound traffic with Azure Gateway Load Balancer

This option describes how to deploy a scale set of virtual appliances with Gateway Load Balancer. Deploying with Gateway Load Balancer provides a simpler process that requires very few changes to your existing network environment. Gateway Load Balancer also adds additional layers of availability which translates to minimal disruption if a virtual appliance experiences an outage.

Scale set traffic flow

The image below shows an example of the traffic flow for this deployment using Gateway Load Balancer.

IMPORTANT: Internet connectivity notice

During the Deploy the Network Security virtual appliance step, the Network Security virtual appliance is configured behind a standard internal load balancer. The placement of this load balancer blocks the outbound internet connectivity by default unless internet connectivity has been explicitly declared. For this deployment, we recommend that you add a NAT gateway to the management subnet to allow outbound connectivity. This option is configured before the Network Security virtual appliance is deployed.

Set up network environment

To set up your environment you will complete these tasks:

Before you begin

Set up Azure Monitor before you begin this deployment. Write down the Log Monitor Workspace ID and Log Monitor Primary Key.

Generate a Trend Micro Cloud One appliance deployment token and review Azure's naming conventions.

Deploy the virtual network and the Network Security virtual appliance

The Network Security virtual appliance is available from the Azure Marketplace as a public offer. To deploy the Network Security virtual appliance, navigate to Azure Portal → Marketplace → Trend Micro Cloud One™ – Network Security.

Manually add virtual appliances if the Azure Marketplace deployment does not properly register the virtual appliance(s) to Network Security.

Gather the following information before you begin the deployment:

Trend Micro Cloud One appliance deployment token
Log Analytics workspace ID and Primary Key - Register your Log Analytics workspace during the deployment process so that your logs will be sent to the Network Security management interface.
Log into Azure and select Create a resource (this will direct you to the Marketplace).
Search for Trend Micro Network Security.
Next to Select a plan, choose Scale Set VM with Gateway Load Balancer in the dropdown menu.
Click Create.
Enter the following information in the Basics tab:
- Enter the Trend Micro Cloud One appliance deployment token
- If selected, create a public user key (SSH key)
Select the following information in the Networking tab:
- Select New Inspection VNet
- Select the subnets for the new Inspection VNet
- For NAT Gateway, choose Create new to automatically create a new NAT gateway when you deploy the virtual appliance, choose Select existing if you already manually created a NAT gateway, or choose Ignore if your Management subnet already has internet connectivity.
Enter or select the following information in the Advanced tab:
- (Suggested) Keep the Boot diagnostics setting enabled
- Select your boot diagnostic account, or create a new one
- Enter the Log Analytics workspace ID and Primary Key in order to upload your logs to the Network Security management portal
Click Review + Create → Deploy.

Connect the Gateway Load Balancer to the public load balancer

Use the following steps to connect your existing public load balancer to the Gateway Load Balancer that was created when you deployed the Network Security virtual appliance from the Marketplace.

NOTE

Your public load balancer must have a Standard SKU to connect to the GWLB. Learn more.

From the Azure portal, navigate to the Load balancers resource page.
Select the public load balancer that you want to connect to your Gateway Load Balancer.
Under Settings in the left navigation, click Fronted IP configuration.
Select the Frontend load balancer, then select your Gateway Load Balancer from the dropdown menu.
Click Save after making your configuration changes.