High availability deployment

High availability (HA) prevents network service disruption after a failure stops your virtual appliance from inspecting traffic.

To configure fail-open HA through Azure Marketplace, you must first manually configure the appropriate permissions and roles, and then configure the Azure Function Application.

Azure uses role-based access control (Azure RBAC, managed through the Access control (IAM) blade of each resource) to authorize the users, groups, and service principals that access Azure services and resources. HA needs two sets of permissions: one for deployment, held by the person or pipeline performing the setup, and one for operations, held by the service principal and managed identity that the HA function runs as.

HA deployment permissions

Before you configure the operational HA permissions, you need the right deployment permissions yourself. Each role assignment in Azure consists of three elements:

  • Security principal – the user, group, service principal, or managed identity requesting access to Azure resources.
  • Role definition – the set of permissions (such as read, write, or restart) the security principal may perform. The built-in Contributor role is sufficient for the components that do not need a custom permission set; the operational permissions in Step 3 need custom roles.
  • Scope – the set of resources the assignment covers. From broadest to narrowest: management group, subscription, resource group, and resource. Assign roles at the narrowest scope that covers what the principal needs; for HA this is normally a resource group.

Learn more about RBAC and Azure roles.

Use the guidelines in the following table to set up your roles and permissions for an HA deployment. The step numbers refer to the procedure under HA operational permissions below.

  Component / action           Security principal   Role                        Scope                                Required for
  Register an App              User                 Application Developer       Azure Active Directory tenant        Steps 1 and 2
  Add role and assign to App   User                 User Access Administrator   Resource group of the Function App   Steps 3, 4 and 5
  Managed Identity             User                 Contributor                 Resource group of the Function App   Step 6
  Assign role to Identity      User                 User Access Administrator   Resource group of the Function App   Step 7
  Storage account              User                 Contributor                 Resource group of the Function App   Launch HA from Azure Marketplace
  App service plan             User                 Contributor                 Resource group of the Function App   Launch HA from Azure Marketplace
  Function App                 User                 Contributor                 Resource group of the Function App   Launch HA from Azure Marketplace
  App insights                 User                 Contributor                 Resource group of the Function App   Launch HA from Azure Marketplace

Contributor on its own cannot create role assignments (the built-in role excludes Microsoft.Authorization/*/write), so every step that assigns a role needs User Access Administrator or Owner at the scope where the assignment is made. Because the custom roles in Step 3 are created in and assigned at the appliance and connected VNet resource groups, the account doing the assignment needs that right on those groups too, not only on the Function App resource group.

HA operational permissions

Manually complete the following steps to configure the permissions and roles:

  1. Register a new application.
  2. Create a new secret.
  3. Create new custom roles.
  4. Assign the custom roles to the new application account.
  5. Assign a monitoring role to the new application account.
  6. Create a Managed Identity.
  7. Assign the Contributor role to the new managed identity.

Registering the application and creating a client secret (steps 1 and 2) give the HA function the service principal credential it authenticates with for its day-to-day operation; the custom roles (steps 3 to 5) define what that credential is allowed to do.

Step 1. Register a new application for the service principal

  1. From your Microsoft Azure portal, type Azure Active Directory in the search field to navigate to the Azure Active Directory.
  2. In the Azure Active Directory, click App registrations from the left navigation panel.
  3. On the App registrations page, click New registration.
  4. In the Name field, type a name for the application, which you can change at any time.
  5. Click Register. Your application is now listed on the App registrations page. Note its Application (client) ID; the Marketplace deployment asks for it later.

Step 2. Create a new secret

  1. From your Microsoft Azure portal, type Azure Active Directory in the search field to navigate to the Azure Active Directory.
  2. Click App registrations from the left navigation panel.
  3. From the list of applications, click your application.
  4. From the left navigation panel, click Certificates & secrets.
  5. Click New client secret.
  6. In the Add a client secret popup, add a description for the secret (for example, MySecret), select an expiration time that best fits your environment, and click Add. Record the expiry date: when the secret expires the HA function can no longer authenticate, and fail-open silently stops working until you rotate it.
  7. Under the Client secrets panel, you can verify the secret that you just generated. Click the copy icon to the right of the secret value to copy it to your clipboard for pasting. The value is shown only once; if you navigate away without copying it, create a new secret. Store it in a secrets manager rather than in a ticket or chat.

Step 3. Create new custom roles

  1. From your Microsoft Azure portal, type Resource groups in the search field to navigate to the Resource groups page.

  2. In the Filter by name field, enter the name of your resource group, and then select that group.

  3. Click Access Control (IAM).

  4. Click Add > Add Custom Role.

  5. On the Create a Custom Role page, enter a name for the role and an optional description under the Basics tab.

  6. Under the Permissions tab, click Add Permissions to add the following operational permissions for a single VM deployment. For an appliance resource group, search for these permissions:

    • Microsoft.Compute/virtualMachines/read
    • Microsoft.Insights/Metrics/Read
    • Microsoft.Compute/virtualMachines/restart/action

    For a connected VNet resource group, search for these operational permissions:

    • Microsoft.Network/virtualNetworks/subnets/read
    • Microsoft.Network/virtualNetworks/subnets/write
    • Microsoft.Network/routeTables/read
    • Microsoft.Network/routeTables/write
    • Microsoft.Network/routeTables/routes/write
    • Microsoft.Network/routeTables/join/action

    Make sure to check the checkbox next to each permission and click Add.

  7. Under the same tab, click Add Permissions to add the following permissions for scale set deployments. For an appliance resource group, search for these operational permissions:

    • Microsoft.Network/loadBalancers/read
    • Microsoft.Insights/Metrics/Read
    • Microsoft.Compute/virtualMachineScaleSets/read
    • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
    • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/restart/action

    For a connected VNet resource group, add these operational permissions:

    • Microsoft.Network/virtualNetworks/subnets/read
    • Microsoft.Network/virtualNetworks/subnets/write
    • Microsoft.Network/routeTables/read
    • Microsoft.Network/routeTables/write
    • Microsoft.Network/routeTables/routes/write
    • Microsoft.Network/routeTables/join/action

  8. Click Next. Under the Assignable scopes tab, click Add assignable scopes.

  9. From the Add assignable scopes page, search on and click the resource groups you want to add as assignable scopes. Click Add.

  10. Click Next. Under the Review + create tab, click Create.

Step 4. Assign the custom roles to the new application account

  1. From the Resource groups page, select the resource group the custom role was created for, and click Access control (IAM).
  2. Under the Roles tab, type the custom role name in the search field and set Type to CustomRole to confirm the role is available at this scope.
  3. Click Add > Add role assignment.
  4. Select the custom role, then select the application you created in step 1 as the member (it appears as a service principal; search by its display name).
  5. Click Review + assign (Save in older portal versions). Repeat for each resource group the custom role applies to.

Step 5. Assign a monitoring role to the new application account

  1. From the Resource groups page, select your resource group name, and click Access control (IAM).
  2. Click Add > Add role assignment.
  3. Select the built-in Monitoring Metrics Publisher role, then select the application you created in step 1 as the member.
  4. Click Review + assign (Save in older portal versions). Repeat for each resource group.

Step 6. Create a managed identity

  1. From your Microsoft Azure portal, type Managed Identities in the search field to navigate to the Managed Identities page.
  2. Click Create (Add in older portal versions).
  3. Under Subscription > Resource group, select an existing resource group or click Create new. Use the resource group you will deploy the Function App into.
  4. Specify a name in the Name field and click Create.

Step 7. Assign a role to the new identity

  1. From your Microsoft Azure portal, type Resource groups in the search field to navigate to the Resource groups page.
  2. Select the resource group from which you want to deploy your Function App.
  3. Click Access control (IAM).
  4. Click Add > Add role assignment.
  5. Select Contributor from the role list, then select the managed identity you created in step 6 as the member.
  6. Click Save. Contributor on the Function App resource group is what the deployment requires; keep the identity's scope to that group rather than the subscription.
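The seven manual steps above, scripted with the Azure CLI as an added example (this is not Trend Micro's code, and every name in it is a placeholder): it creates the app registration, its service principal and a client secret, builds custom role definitions from the permission lists in Step 3, assigns them together with the built-in monitoring role, and creates the managed identity with Contributor on the Function App resource group. Splitting the operational permissions into an appliance role and a network role, scoping each to its own resource group, picking the single-VM or scale-set action list with DEPLOY_TYPE, and putting the monitoring role on the appliance resource group are the example's choices, not requirements stated on this page. Nothing touches Azure unless HA_APPLY=1; otherwise the script prints the role definitions it would create.

```shell
#!/usr/bin/env bash
# Added example, not Trend Micro's code: steps 1-7 with the Azure CLI (az 2.37 or later).
# All names below are placeholders (assumptions); override them in the environment.
set -eu

APPLIANCE_RG="${APPLIANCE_RG:-ha-appliance-rg}"        # holds the appliance VM or scale set
VNET_RG="${VNET_RG:-ha-vnet-rg}"                        # connected VNet with the route tables
FUNCTION_RG="${FUNCTION_RG:-ha-function-rg}"            # where the HA Function App will be deployed
APP_NAME="${APP_NAME:-ha-failopen}"                     # app registration (step 1)
IDENTITY_NAME="${IDENTITY_NAME:-ha-function-identity}"  # managed identity (step 6)
DEPLOY_TYPE="${DEPLOY_TYPE:-single}"                    # single | scaleset

# Operational permissions from step 3, selected by deployment type so the role
# carries only the actions this deployment actually needs.
appliance_actions() {
  case "$1" in
    single) printf '%s\n' \
      Microsoft.Compute/virtualMachines/read \
      Microsoft.Insights/Metrics/Read \
      Microsoft.Compute/virtualMachines/restart/action ;;
    scaleset) printf '%s\n' \
      Microsoft.Network/loadBalancers/read \
      Microsoft.Insights/Metrics/Read \
      Microsoft.Compute/virtualMachineScaleSets/read \
      Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read \
      Microsoft.Compute/virtualMachineScaleSets/virtualMachines/restart/action ;;
    *) echo "unknown deployment type: $1" >&2; return 1 ;;
  esac
}

network_actions() {
  printf '%s\n' \
    Microsoft.Network/virtualNetworks/subnets/read \
    Microsoft.Network/virtualNetworks/subnets/write \
    Microsoft.Network/routeTables/read \
    Microsoft.Network/routeTables/write \
    Microsoft.Network/routeTables/routes/write \
    Microsoft.Network/routeTables/join/action
}

# Custom role definition in the JSON shape `az role definition create` accepts.
# $1 = role name, $2 = assignable scope (a resource group ID), remaining args = actions.
ha_role_definition() {
  name=$1; scope=$2; shift 2
  actions=""
  for a in "$@"; do actions="${actions:+$actions, }\"$a\""; done
  printf '{\n  "Name": "%s",\n  "IsCustom": true,\n  "Description": "Network Security HA fail-open operations",\n  "Actions": [%s],\n  "NotActions": [],\n  "AssignableScopes": ["%s"]\n}\n' \
    "$name" "$actions" "$scope"
}

# Assign a role by object ID: this skips the directory lookup that makes
# assignments to a just-created principal fail intermittently.
assign() { # $1 = object ID, $2 = role, $3 = scope
  az role assignment create --assignee-object-id "$1" --assignee-principal-type ServicePrincipal \
    --role "$2" --scope "$3" --output none
}

deploy_ha_permissions() {
  appliance_scope=$(az group show -n "$APPLIANCE_RG" --query id -o tsv)
  vnet_scope=$(az group show -n "$VNET_RG" --query id -o tsv)
  function_scope=$(az group show -n "$FUNCTION_RG" --query id -o tsv)

  # Steps 1-2: app registration, its service principal (the portal creates this
  # implicitly, the CLI does not), and a client secret.
  app_id=$(az ad app create --display-name "$APP_NAME" --query appId -o tsv)
  sp_id=$(az ad sp create --id "$app_id" --query id -o tsv)
  secret=$(az ad app credential reset --id "$app_id" --years 1 --query password -o tsv)

  # Step 3: one custom role per resource group kind, assignable only at that group.
  # The action lists contain no whitespace, so the unquoted substitutions split on purpose.
  ha_role_definition "HA Appliance Operator" "$appliance_scope" $(appliance_actions "$DEPLOY_TYPE") > ha-appliance-role.json
  ha_role_definition "HA Network Operator" "$vnet_scope" $(network_actions) > ha-network-role.json
  az role definition create --role-definition @ha-appliance-role.json --output none
  az role definition create --role-definition @ha-network-role.json --output none

  # Steps 4-5: bind the custom roles and the built-in monitoring role to the service principal.
  assign "$sp_id" "HA Appliance Operator" "$appliance_scope"
  assign "$sp_id" "HA Network Operator" "$vnet_scope"
  assign "$sp_id" "Monitoring Metrics Publisher" "$appliance_scope"   # scope is an assumption

  # Steps 6-7: managed identity for the Function App, Contributor on its resource group only.
  identity_id=$(az identity create -g "$FUNCTION_RG" -n "$IDENTITY_NAME" --query principalId -o tsv)
  assign "$identity_id" Contributor "$function_scope"

  # The secret is shown once; hand it to the Marketplace deployment and keep it out of logs.
  echo "appId=$app_id"
  echo "clientSecret=$secret"
}

if [ "${HA_APPLY:-0}" = 1 ]; then
  deploy_ha_permissions
else
  echo "Dry run (set HA_APPLY=1 to apply). Role definitions that would be created:"
  ha_role_definition "HA Appliance Operator" "/subscriptions/<subscription-id>/resourceGroups/$APPLIANCE_RG" $(appliance_actions "$DEPLOY_TYPE")
  ha_role_definition "HA Network Operator" "/subscriptions/<subscription-id>/resourceGroups/$VNET_RG" $(network_actions)
fi
```

Run it once without HA_APPLY to review the role JSON, then with HA_APPLY=1 DEPLOY_TYPE=scaleset (or single) after `az login` as an account that holds User Access Administrator on all three resource groups. The role definition files it writes are worth keeping under version control: they are the authoritative record of what the HA service principal may do.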

Launch HA from Azure Marketplace

To complete the HA configuration, you deploy the ARM template behind the Marketplace plan; the tabs described below collect the template's parameters and launch it.

  1. Open your account on Microsoft Azure Marketplace.

  2. Search for Trend Micro Cloud One – Network Security.

  3. Next to Select a plan, choose Network Security High Availability, and then click Create.

  4. Under the Basics tab:

  5. Under the Hosting and Monitoring tab:

    • Specify an existing storage account, or create a new one. Only general purpose accounts are supported. Zone-redundant replication is not supported. For more information, refer to Storage account requirements.
    • Specify an existing Consumption plan, or create a new one. This is useful if you have no other hosting plan deployed that can be shared. For more information, refer to Azure Function scale and hosting and Estimating Consumption plan costs.
    • Specify an existing Application Insights, or create a new one.
  6. Under the App parameters tab:

    • Specify the same application you created in Register a new application. If you decide to create a new application instead, you must again complete the other manual steps for configuring the permissions and roles.
    • Select the VM deployment type associated with your deployment. If your deployment is Single VM, you can provide an API key for the Trend Micro Cloud One API Key parameter so that Network Security reboots your virtual appliance when fail-open occurs. For the TSR URL parameter, specify a URL location where technical support reports can be sent.
    • If your deployment is Single VM, you must specify a virtual appliance. If your deployment is Scale Set VM, you must specify a load balancer. If you are using Edge protection deployment with Azure Application Gateway for your deployment, you must specify an application gateway.
    • If you are using the Edge protection deployment with Azure Firewall deployment model, you must specify the firewall type. Select Azure Firewall, or select Third-party firewall if your deployment uses a third-party firewall instead of an Azure firewall.
    • Specify whether your fallback threshold is triggered by every fallback or only by automatic fallback.
  7. Under the Associate subnets tab:

    • Enter the resource ID of the route tables. Click on the Properties of the associated route table to find the route table resource ID.

    • Enter the resource ID of the subnets associated with that route table. Click on the Properties of the associated subnet to find the subnet resource ID.


      NOTE

      Resource IDs must be provided for all connected subnets, including Application Gateway and firewall subnets.


  8. Under the Review + create tab, verify that all the information you have configured is correct and click Create.


Manual Fallback

Manually place your virtual appliances in fallback mode by enabling this setting.

Verifying HA in Azure

Use these steps to verify that HA is functioning in Azure. These steps are optional during deployment but should be used to verify that HA is enabled and working before you upgrade any of your virtual appliances.

Single Appliance

Follow the steps below to verify whether your Azure deployment includes HA fail-over functionality:

  1. Log in to Cloud One – Network Security.
  2. Navigate to Appliance > All Appliances > [Appliance name].
  3. In the General tab, check the Version in the Appliance section.
  4. On the same page, note the Resource Group and VM Name in the Instance section.
  5. Next, check the HA Function App in the Azure portal.
  6. Navigate to the Resource groups page in the Azure portal and click the Resource Group that needs HA verification.
  7. In this Resource Group, filter by type Function App, find your HA function, and click the Azure function.
  8. Click Configuration from the Settings section on the left panel.
  9. Under Application settings, click VIRTUAL_APPLIANCE_ID.
  10. Check the value. It should end in .../Microsoft.Compute/virtualMachines/[VM Name]. If [VM Name] matches the VM Name shown for your appliance, HA is enabled for that appliance. If it names a different VM (for example one left over from a redeployment), the HA function is watching the wrong resource; correct the setting before you upgrade.

Scale Set Appliances

It is important to upgrade your appliances one at a time if you have Azure scale sets enabled in your environment. Follow the steps below to verify whether your Azure deployment includes HA fail-over functionality:

Use the steps above to verify the Resource Group, VM Name and Scale Set in the Instance section.

Verify the Load Balancer name:

  1. In the Azure portal, navigate to Resource groups > Virtual Machine Scale Set > Scale Set.
  2. Click Instances on the left panel. Select the instance being used to locate the load balancer name.
  3. On the Scale Set instance page, click Networking on the left panel.
  4. On the top tab navigate to dataport > Load Balancing to check the name of the Load Balancer.

Check the HA Function App:

  1. Navigate to the Resource groups page in the Azure portal, and click the Resource Group that needs HA verification.
  2. In this Resource Group, select type as Function App, find your HA function, and click the Azure function.
  3. Click Configuration from the Settings section on the left panel.
  4. Under Application settings, click LOAD_BALANCER_ID.
  5. Check the value. The end of the value should be .../Microsoft.Network/loadBalancers/[Load Balancer Name]. If the [Load Balancer Name] is the same as your appliance load balancer name, then HA is enabled.
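The two portal walkthroughs above (single appliance and scale set), as an added Azure CLI check that is not part of the original page: it reads the HA Function App's VIRTUAL_APPLIANCE_ID or LOAD_BALANCER_ID setting, compares the trailing resource type and name the way the steps describe (case-insensitively, because Azure resource names are), and additionally confirms the ID still resolves, which catches an ID left over from a redeployed appliance. The function app, resource group and expected VM or load balancer names are arguments you supply; nothing on the page fixes them.

```shell
#!/usr/bin/env sh
# Added example, not Trend Micro's code: verifies the HA Function App settings with the Azure CLI.
# Resource group, function app and appliance names are placeholders passed on the command line.
set -eu

# Azure resource IDs and names compare case-insensitively, so normalise both sides.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Returns 0 when an app setting value ends in ".../<type path>/<name>", for example
# ha_setting_matches "$id" Microsoft.Compute/virtualMachines fw-vm-01
ha_setting_matches() {
  _value=$(lower "$1"); _type=$(lower "$2"); _name=$(lower "$3")
  case "$_value" in
    */"$_type"/"$_name") return 0 ;;
    *) return 1 ;;
  esac
}

# Which app setting and resource type the page tells you to check for each deployment type.
ha_setting_name() {
  case "$1" in
    single)   echo VIRTUAL_APPLIANCE_ID ;;
    scaleset) echo LOAD_BALANCER_ID ;;
    *) echo "unknown deployment type: $1" >&2; return 1 ;;
  esac
}
ha_resource_type() {
  case "$1" in
    single)   echo Microsoft.Compute/virtualMachines ;;
    scaleset) echo Microsoft.Network/loadBalancers ;;
    *) echo "unknown deployment type: $1" >&2; return 1 ;;
  esac
}

# Live check: verify_ha <single|scaleset> <function app RG> <function app name> <expected VM or LB name>
verify_ha() {
  _kind=$1; _rg=$2; _app=$3; _expected=$4
  _setting=$(ha_setting_name "$_kind")
  _rtype=$(ha_resource_type "$_kind")
  _id=$(az functionapp config appsettings list -g "$_rg" -n "$_app" \
          --query "[?name=='$_setting'].value | [0]" -o tsv)
  if [ -z "$_id" ]; then
    echo "FAIL: $_setting is not set on $_app" >&2; return 1
  fi
  if ! ha_setting_matches "$_id" "$_rtype" "$_expected"; then
    echo "FAIL: $_setting is $_id, expected .../$_rtype/$_expected" >&2; return 1
  fi
  # A stale ID looks right but the function cannot act on it, so make sure it still resolves.
  az resource show --ids "$_id" --query id -o tsv >/dev/null \
    || { echo "FAIL: $_id does not exist" >&2; return 1; }
  echo "OK: $_setting on $_app targets $_expected"
}

if [ "$#" -eq 4 ]; then
  verify_ha "$@"
fi
```

Usage, with placeholder names: `sh verify-ha.sh single ha-function-rg ha-failopen-func fw-vm-01` for a single appliance, or `sh verify-ha.sh scaleset ha-function-rg ha-failopen-func ha-lb` for a scale set, where the last argument is the VM Name or load balancer name you read from the console. Run it before every appliance upgrade; for scale sets, run it between instances so the function is confirmed healthy before the next one goes down.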