Deploy a Network Security instance in Microsoft Azure

Network Security for Azure allows you to monitor and protect your network traffic by placing Network Security virtual appliances inline in your Azure virtual environment.

Depending on the deployment option you choose, high availability is ensured using Azure Function to monitor and reroute network traffic, manually rerouting traffic rules, or by load balancers. Manage your virtual appliances through the Network Security management interface. Use the Azure Monitor log analytics function and the command line interface to monitor the health of your web applications.

This user guide describes how to deploy and manage a Network Security instance in a compatible environment.

Virtual appliance size recommendations

The appliance sizes listed below are available options for each deployment. You will select an appliance size during the Deploy the Network Security virtual appliance procedure.

Standard_F8s_v2
Standard_F16s_v2
Standard_F8s
Standard_F16s

Permissions for Azure deployments

To deploy Network Security in Azure, you must first manually configure the appropriate permissions and roles.

Azure uses role-based access control/identity access management (RBAC/IAM) to authorize the users and groups who access Azure services and resources. The RBAC/IAM required for all Azure deployments includes two sets of permissions: one set for deployment and one set for operations.

Learn more about RBAC and Azure roles.

Note

High availability deployments required additional permission configuration. Learn more.

Each role you assign to an Azure service or resource consists of three elements:

security principal – user, group, service principal, or managed identity requesting access to Azure resources
role or role definition – indicates which permissions, such as read and write, can be performed by the security principal. Use a Contributor role for any role that does not require permission configuration.
scope – the set of resources being granted access. The levels of scope are management group, subscription, resource group, and resource. You assign roles to any of the scope levels you use.

Permissions for deployment

Ensure that any user performing the deployment is granted a Contributor role within the Resource Group of the Network Security virtual appliance.

Permissions for operations

You must configure the proper user-defined routes (UDRs) to enable your Network Security virtual appliance to inspect traffic. Follow the instructions below to set up a new custom role and assign the necessary permissions needed in order to manipulate the UDRs.

Navigate to your resource group in your Azure portal.
Select Access control (IAM) from the menu on the left.
Click Add → Add custom role.
Grant users the following permissions:
- Microsoft.Network/virtualNetworks/subnets/read
- Microsoft.Network/virtualNetworks/subnets/write
- Microsoft.Network/routeTables/read
- Microsoft.Network/routeTables/write
- Microsoft.Network/routeTables/routes/write
- Microsoft.Network/routeTables/join/action

Azure resources

Before deploying Network Security in your Azure environment, be sure you are familiar with these basic Azure concepts:

Always refer to Microsoft's Azure documentation to better understand your platform's capabilities.

Additional recommendations

Refer to Microsoft's regional product availability site to ensure an Azure datacenter is available in your region.
Review Azure’s subscription and services limitations to ensure your account has sufficient capability to deploy Network Security.
Troubleshoot outages or Azure service health by referring to the Microsoft’s Azure Status page.
Ensure virtual machine SKUs are available in your region. You can use the use the Azure virtual machine list-SKU command to determine this. Refer to Microsoft’s documentation for more information about the Azure CLI.
Ensure you have the proper permissions and Azure roles.
Use the Azure Resource Manager to troubleshoot common errors.

Topics on this page