High availability deployment

High availability (HA) prevents network service disruption after a failure stops your virtual appliance from inspecting traffic.

To configure fail-open HA through Azure Marketplace, you must first manually configure the appropriate permissions and roles, and then configure the Azure Function Application.

Azure uses role-based access control/identity access management (RBAC/IAM) to authorize the users and groups who access Azure services and resources. The RBAC/IAM required for HA functionality includes two sets of permissions: one set for deployment and one set for operations.

HA deployment permissions

Before you configure operational HA permissions, you must first configure the correct permissions and roles for an HA deployment. Each role you assign to an Azure service or resource consists of three elements:

  • Security principal – user, group, service principal, or managed identity requesting access to Azure resources
  • Role or role definition – indicates which permissions, such as read and write, can be performed by the security principal. Use a Contributor role for any role that does not require permission configuration.
  • Scope – the set of resources being granted access. The levels of scope are management group, subscription, resource group, and resource. You assign roles to any of the scope levels you use.

Learn more about RBAC and Azure roles.

Use the guidelines in the following table to set up your roles and permissions for an HA deployment:

Components / Actions        | Security principal | Role                      | Scope                               | Required for
----------------------------|--------------------|---------------------------|-------------------------------------|------------------
Register an App             | User               | Application Developer     | Azure Active Directory subscription | Steps 1 and 2
Add role and assign to App  | User               | User Access Administrator | Resource Group of Function App      | Steps 3, 4 and 5
Managed Identity            | User               | Contributor               | Resource Group of Function App      | Step 6
Assign role to Identity     | User               | Contributor               | Resource Group of Function App      | Step 7
Storage account             | User               | Contributor               | Resource Group of Function App      |
App service plan            | User               | Contributor               | Resource Group of Function App      |
Function App                | User               | Contributor               | Resource Group of Function App      |
App insights                | User               | Contributor               | Resource Group of Function App      |

HA operational permissions

Manually complete the following steps to configure the permissions and roles:

  1. Register a new application.
  2. Create a new secret.
  3. Create new custom roles.
  4. Assign the custom roles to the new application account.
  5. Assign a monitoring role to the new application account.
  6. Create a Managed Identity.
  7. Assign the Contributor role to the new managed identity.

Registering the application (Step 1) and creating its client secret (Step 2) provide the credentials the HA function uses for its day-to-day operation; the custom roles in Steps 3 to 5 limit what those credentials can do.

Step 1. Register a new application for the service principal

  1. From your Microsoft Azure portal, type Azure Active Directory in the search field to navigate to the Azure Active Directory.
  2. In the Azure Active Directory, click App Registrations from the left navigation panel.
  3. On the App Registrations page, click the New Registrations tab.
  4. In the Name field, type a name for the application, which you can change at any time.
  5. Click Register. Your application will now be listed on the App Registrations page.

Step 2. Create a new secret

  1. From your Microsoft Azure portal, type Azure Active Directory in the search field to navigate to the Azure Active Directory.
  2. Click App Registrations from the left navigation panel.
  3. From the list of applications, click your application.
  4. From the left navigation panel, click Certificates & secrets.
  5. Click New client secret.
  6. In the Add a client secret popup, add a description for the secret (for example, MySecret), select an expiration time that best fits your environment, and click Add.
  7. Under the Client secrets panel, you can verify the secret that you just generated. Click the copy icon to the right of the secret to copy the secret to your clipboard for pasting. Copy it now and store it in a secrets manager: Azure shows the secret value only at creation time, and you need it later when launching HA from the Marketplace.

Step 3. Create new custom roles

  1. From your Microsoft Azure portal, type Resource groups in the search field to navigate to the Resource groups page.

  2. In the Filter by name field, enter the name of your resource group, and then select that group.

  3. Click Access Control (IAM).

  4. Click Add > Add Custom Role.

  5. On the Create a Custom Role page, enter a name for the role and an optional description under the Basics tab.

  6. Under the Permissions tab, click Add Permissions to add the following permissions for scale set deployments.

    For Scale Set deployments without Gateway Load Balancer:

    For an appliance resource group, search for these operational permissions:

    • Microsoft.Network/loadBalancers/read
    • Microsoft.Insights/Metrics/Read
    • Microsoft.Compute/virtualMachineScaleSets/read
    • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
    • Microsoft.Compute/virtualMachineScaleSets/virtualmachines/restart/action

    For a connected VNet resource group, add these operational permissions:

    • Microsoft.Network/virtualNetworks/subnets/read
    • Microsoft.Network/virtualNetworks/subnets/write
    • Microsoft.Network/routeTables/read
    • Microsoft.Network/routeTables/write
    • Microsoft.Network/routeTables/routes/write
    • Microsoft.Network/routeTables/join/action

    For Gateway Load Balancer deployments:

    For an appliance resource group, search for these operational permissions:

    • Microsoft.Network/loadBalancers/read
    • Microsoft.Insights/Metrics/Read
    • Microsoft.Compute/virtualMachineScaleSets/read
    • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
    • Microsoft.Compute/virtualMachineScaleSets/virtualmachines/restart/action
    • Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action

    For a connected public load balancer group, add these operational permissions:

    • Microsoft.Network/loadBalancers/read
    • Microsoft.Network/loadBalancers/write
    • Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action
    • Microsoft.Network/publicIPAddresses/join/action
  7. Click Next. Under the Assignable scopes tab, click Add assignable scopes.

  8. From the Add assignable scopes page, search on and click the resource groups you want to add as assignable scopes. Click Add.

  9. Click Next. Under the Review + create tab, click Create.

Step 4. Assign the custom roles to the new application account

  1. From the Resource Groups page, select your resource group name, and click Access Control (IAM).
  2. Under the Roles tab, enter a name in the Name field and select CustomRole from the Type field.
  3. For each resource group, click Access Control (IAM), click Add, and then select Add role assignment.
  4. Select your role name and your APP name that you created in step 1.
  5. In the Assign access to field, select the user, group, or service principal, and then click Save.

Step 5. Assign a monitoring role to the new application account

  1. From the Resource Groups page, select your resource group name, and click Access Control (IAM).
  2. For each resource group, click Access Control (IAM), click Add, and then select Add role assignment.
  3. Select the Monitoring Metrics Publisher role and your APP name that you created in step 1.
  4. In the Assign access to field, select the user, group, or service principal, and then click Save.

Step 6. Create a managed identity

  1. From your Microsoft Azure portal, type Managed Identities in the search field to navigate to the Managed Identities page.
  2. Click Add.
  3. Select an existing resource group or click Create new under Subscription > Resource Group.
  4. Specify a name in the Name field and click Create.

Step 7. Assign a role to the new identity

  1. From the Microsoft Azure portal, type Resource groups in the search field to navigate to the Resource groups page.
  2. Select the resource group from which you want to deploy your Function App.
  3. Click Access Control (IAM).
  4. Click Add > Add role assignment.
  5. Select Contributor from the dropdown menu and then select your managed identity to which the role will be applied.
  6. Click Save.
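The portal steps in Steps 3 to 7 can also be expressed as Azure CLI input, which makes the permission set reviewable and repeatable. The following script is an added example, not the vendor's own tooling: it builds the custom-role definitions with exactly the actions listed in Step 3 (one role for the appliance resource group and one for the connected VNet or public load balancer group, so each scope receives only the actions it needs; the page itself does not say whether to use one role or two) and prints the `az` commands for the role assignments, the managed identity and its Contributor assignment. The role names, subscription and resource-group IDs are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page or the vendor: expresses Steps 3-7
# as Azure CLI input. Permission lists are copied from Step 3; role names and
# all subscription/resource-group IDs are placeholders to replace.

# Join the arguments into a JSON string array: a b -> ["a","b"]
json_array() {
    out=""
    for item in "$@"; do
        out="${out:+$out,}\"$item\""
    done
    printf '[%s]' "$out"
}

# role_definition NAME DESCRIPTION ASSIGNABLE_SCOPE ACTION...
# Prints a custom-role document in the format `az role definition create` reads.
role_definition() {
    name=$1; desc=$2; scope=$3; shift 3
    printf '{\n  "Name": "%s",\n  "IsCustom": true,\n  "Description": "%s",\n  "Actions": %s,\n  "NotActions": [],\n  "AssignableScopes": ["%s"]\n}\n' \
        "$name" "$desc" "$(json_array "$@")" "$scope"
}

# Operational permissions for the appliance resource group (Step 3).
APPLIANCE_ACTIONS="
Microsoft.Network/loadBalancers/read
Microsoft.Insights/Metrics/Read
Microsoft.Compute/virtualMachineScaleSets/read
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
Microsoft.Compute/virtualMachineScaleSets/virtualmachines/restart/action
"
# Gateway Load Balancer deployments need one more action on the appliance group.
GLB_APPLIANCE_EXTRA="Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action"

# Permissions for the connected VNet resource group (scale set without GLB).
VNET_ACTIONS="
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/write
Microsoft.Network/routeTables/read
Microsoft.Network/routeTables/write
Microsoft.Network/routeTables/routes/write
Microsoft.Network/routeTables/join/action
"
# Permissions for the connected public load balancer group (GLB deployments).
PUBLIC_LB_ACTIONS="
Microsoft.Network/loadBalancers/read
Microsoft.Network/loadBalancers/write
Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action
Microsoft.Network/publicIPAddresses/join/action
"

# appliance_role_json MODE RG_ID   (MODE is "glb" or "standard")
appliance_role_json() {
    actions=$APPLIANCE_ACTIONS
    if [ "$1" = glb ]; then actions="$actions $GLB_APPLIANCE_EXTRA"; fi
    role_definition "NetSec HA Appliance Operator" \
        "Read scale set and load balancer state, restart instances" "$2" $actions
}

# connected_role_json MODE RG_ID   (RG_ID is the VNet group or the public LB group)
connected_role_json() {
    if [ "$1" = glb ]; then actions=$PUBLIC_LB_ACTIONS; else actions=$VNET_ACTIONS; fi
    role_definition "NetSec HA Connected Operator" \
        "Update routes and subnets (standard) or public LB frontends (GLB) on failover" "$2" $actions
}

# print_az_commands APP_ID APPLIANCE_RG_ID CONNECTED_RG_ID FUNCTION_RG_ID IDENTITY_NAME
# Prints (does not run) the az commands for Steps 3-7, so the script works offline.
# APP_ID is the application (client) ID from Step 1.
print_az_commands() {
    app_id=$1; appliance_rg=$2; connected_rg=$3; func_rg=$4; identity=$5
    cat <<EOF
az role definition create --role-definition @appliance-role.json
az role definition create --role-definition @connected-role.json
az role assignment create --assignee "$app_id" --role "NetSec HA Appliance Operator" --scope "$appliance_rg"
az role assignment create --assignee "$app_id" --role "NetSec HA Connected Operator" --scope "$connected_rg"
az role assignment create --assignee "$app_id" --role "Monitoring Metrics Publisher" --scope "$appliance_rg"
az role assignment create --assignee "$app_id" --role "Monitoring Metrics Publisher" --scope "$connected_rg"
az identity create --resource-group "${func_rg##*/}" --name "$identity"
az role assignment create --assignee "\$(az identity show --resource-group "${func_rg##*/}" --name "$identity" --query principalId -o tsv)" --role Contributor --scope "$func_rg"
EOF
}

# Usage with placeholder IDs: write the two role files, then review the commands.
# SUB=/subscriptions/00000000-0000-0000-0000-000000000000
# appliance_role_json glb "$SUB/resourceGroups/rg-appliance" > appliance-role.json
# connected_role_json glb "$SUB/resourceGroups/rg-public-lb" > connected-role.json
# print_az_commands <app-client-id> "$SUB/resourceGroups/rg-appliance" \
#     "$SUB/resourceGroups/rg-public-lb" "$SUB/resourceGroups/rg-function" ha-function-identity
```

Keeping the role definitions as files under version control lets you diff the granted actions against the lists in Step 3 before every redeployment, which the portal's custom-role editor does not make easy.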

Launch HA from Azure Marketplace

If you launched the HA function before September 5th, 2023, we recommend that you delete your previously deployed function and relaunch a new HA function to update your Python runtime to version 3.10. Use the following steps to make this update:

To manually update Python runtime to 3.10 in Azure Marketplace:

  1. From the Microsoft Azure portal, type Resource groups in the search field to navigate to the Resource groups page.
  2. Select the resource group from which you want to deploy your Function App.
  3. From the list of resources for this function, delete the following resource types:

    • Application Insights
    • App Service plan
    • Function App
  4. Follow the steps below to launch the new HA function that includes the latest Python runtime version.

Launch HA

To complete HA configuration, use the steps below to deploy an ARM template with all the compiled parameters, and then combine this template with Azure UI components to launch it as a product.

  1. Open your account on Microsoft Azure Marketplace.

  2. Search for Trend Micro Cloud One – Network Security.

  3. Next to Select a plan, choose Network Security High Availability, and then click Create.

  4. Under the Basics tab:

  5. Under the Hosting and Monitoring tab:

    • Specify an existing storage account, or create a new one. Only general purpose accounts are supported. Zone-redundant replication is not supported. For more information, refer to Storage account requirements.
    • Specify an existing Consumption plan, or create a new one. This is useful if you have no other hosting plan deployed that can be shared. For more information, refer to Azure Function scale and hosting and Estimating Consumption plan costs.
    • Specify an existing Application Insights, or create a new one.
  6. Under the App parameters tab:

    • Specify the same application you created in Register a new application. If you decide to create a new application instead, you must again complete the other manual steps for configuring the permissions and roles.

    • You must specify a load balancer. If you are using an Azure Application Gateway for your deployment, you must specify an application gateway.

    If you select a Gateway Load Balancer, you do not need to select an Application Gateway or Firewall.

    • If you are using a firewall for your deployment, you must specify the firewall type. Select Azure Firewall, or select Third-party firewall if your deployment uses a third-party firewall instead of an Azure firewall.
  7. Under the Associate resources tab:

    For Scale Set deployments without Gateway Load Balancer:

    • Enter the resource ID of the route tables. Click on the Properties of the associated route table to find the route table resource ID.
    • Enter the resource ID of the subnets associated with that route table. Click on the Properties of the associated subnet to find the subnet resource ID.

    Resource IDs must be provided for all connected subnets, including Application Gateway and firewall subnets.

    For Gateway Load Balancer deployments:

    • Enter the resource ID for the public load balancer.
    • Enter the resource ID for the public load balancer frontends that are associated with the gateway load balancer. Steps to find the public load balancer frontend resource ID can be found here.
  8. Under the Review + create tab, verify that all the information you have configured is correct and click Create.


Manual Fallback

Manually place your virtual appliances in fallback mode by enabling this setting.

Verifying HA in Azure

Use these steps to verify that HA is functioning in Azure. These steps are optional during deployment but should be used to verify that HA is enabled and working before you upgrade any of your virtual appliances.

Scale Set Appliances

It is important to upgrade your appliances one at a time if you have Azure scale sets enabled in your environment. Follow the steps below to verify if your Azure deployment includes HA Fail Over functionality:

Verify the Resource Group, VM Name and Scale Set:

  1. Log in to Network Security.
  2. Navigate to Appliance > All Appliances > [Appliance name].
  3. In the General tab, check the Version in the Appliance section.
  4. On the same page, check the Resource Group, VM Name in the Instance section.

Verify the Load Balancer name:

  1. In the management console, navigate to the Resource Groups page, and click the resource group in which the VM Scale Set (or the VM Scale Set with Gateway Load Balancer) was created during deployment.
  2. Under Resources, enter Virtual Machine Scale Set for type to filter your search results and find your scale set.
  3. Click Instances on the left panel. Select the instance being used to locate the load balancer name.
  4. On the Scale Set instance page, click Networking on the left panel.
  5. Using the tabs at the top, navigate to dataport > Load Balancing to check the name of the Load Balancer.

Check the HA Function App:

  1. Navigate to the Resource Groups page on the management console, and click the Resource Group that needs HA verification.
  2. In this Resource Group, filter by the type Function App, find your HA function, and click the Azure function.
  3. Click Configuration from the Settings section on the left panel.
  4. Under Application settings, click LOAD_BALANCER_ID.
  5. Check the value. The end of the value should be .../Microsoft.Network/loadBalancers/[Load Balancer Name]. If the [Load Balancer Name] is the same as your appliance load balancer name, then HA is enabled.
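The check in the last step can be scripted so it runs after every upgrade rather than once by eye. The following is an added example (not vendor code): it takes the LOAD_BALANCER_ID value, confirms that it is a load balancer resource ID (rather than, say, an ID for one of the load balancer's frontend configurations), extracts the trailing [Load Balancer Name] segment and compares it with the appliance's load balancer name. The sample resource ID is constructed for the offline check; the `fetch_load_balancer_id` helper reads the real value with the Azure CLI when you are logged in.

```shell
#!/bin/sh
# Added example, not from the original page or the vendor: verifies the
# LOAD_BALANCER_ID application setting the way the verification step describes.

# lb_name_from_id RESOURCE_ID
# Prints the load balancer name, or fails if the ID is not of the form
# /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/loadBalancers/<name>
lb_name_from_id() {
    id=$1
    case "$id" in
        /subscriptions/*/resourceGroups/*/providers/Microsoft.Network/loadBalancers/*) ;;
        *) return 1 ;;
    esac
    name=${id##*/Microsoft.Network/loadBalancers/}
    # Reject an empty name or a child resource ID such as
    # .../loadBalancers/<name>/frontendIPConfigurations/<frontend>
    case "$name" in
        ''|*/*) return 1 ;;
    esac
    printf '%s\n' "$name"
}

# verify_ha_lb LOAD_BALANCER_ID APPLIANCE_LB_NAME
# Returns 0 when the setting points at the appliance load balancer (names are
# compared case-insensitively, as Azure resource names are), 1 on a mismatch,
# 2 when the ID is malformed.
verify_ha_lb() {
    name=$(lb_name_from_id "$1") || return 2
    a=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
    b=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ "$a" = "$b" ]
}

# fetch_load_balancer_id FUNCTION_APP RESOURCE_GROUP
# Reads the setting with the Azure CLI (needs `az login`; not used offline).
fetch_load_balancer_id() {
    az functionapp config appsettings list --name "$1" --resource-group "$2" \
        --query "[?name=='LOAD_BALANCER_ID'].value" -o tsv
}

# Constructed sample value (not from a real deployment) for an offline run.
SAMPLE_ID="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-appliance/providers/Microsoft.Network/loadBalancers/netsec-lb"

if verify_ha_lb "$SAMPLE_ID" "netsec-lb"; then
    echo "HA enabled: LOAD_BALANCER_ID points at netsec-lb"
else
    echo "HA check failed (status $?): LOAD_BALANCER_ID does not match the appliance load balancer"
fi
```

For a real deployment replace SAMPLE_ID with `$(fetch_load_balancer_id <function-app> <resource-group>)` and pass the load balancer name you read from the scale set instance's Networking page; a non-zero exit status then blocks an upgrade pipeline before any appliance is touched.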