BLACKSHIELD

Public guide

Deploy Network Sensor on Azure

Capture traffic using Virtual Network TAP, deploy a sensor VM with Bicep, and bridge network telemetry into the security platform. Audience: Platform engineers, Azure administrators, security engineers. Typical setup time: 10 minutes.


Before you begin

  • You have an Azure subscription with production VMs running workloads.
  • You have created an ingestion API key in Settings → API Keys with Ingestion scope.
  • You have permissions to create VNet TAP resources and VMs in your resource group.

Quick path

Copy a working starter, run it in your environment, then come back here for the deeper rollout details.

Get the source bundle

Download the exact files used in this guide, or run the one-command installer to write them locally before deployment.

Azure network sensor Bicep source

Creates the Azure Bicep template under `deploy/azure-network-sensor/` with the current platform API URL prefilled for VNet TAP-based network telemetry ingestion.

deploy/azure-network-sensor/

```bash
BLACKSHIELD_NETWORK_SENSOR_IMAGE=public.ecr.aws/blackshield-security/network-sensor:1.0.0 \
BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/azure-network-sensor.sh)
cd deploy/azure-network-sensor
```

Run this

azure-vnet-tap.sh

```bash
#!/bin/bash
# Create Azure Virtual Network TAP for network sensor

RESOURCE_GROUP="myResourceGroup"
VNET_TAP_NAME="network-sensor-tap"

az network vnet tap create \
  --resource-group "$RESOURCE_GROUP" \
  --name "$VNET_TAP_NAME"
```

Understand and customize

Use the guided steps below when you want to tailor the rollout, validate ownership, or expand the deployment safely.

Step 1

Configure Virtual Network TAP

Set up an Azure VNet TAP to duplicate traffic from production VMs to the sensor.

  • Create a Network Tap resource pointing to the sensor VM's NIC.
  • Attach the tap to source VM network interfaces (those you want to monitor).
  • Verify VNet TAP status is 'Connected' in the Azure portal.
  • Confirm mirrored traffic is flowing to the sensor NIC.

What success looks like

Confirm mirrored traffic is flowing to the sensor NIC.

Step 2

Deploy sensor VM with Bicep

Use the source bundle on this page to download the Azure network sensor Bicep template and deploy it.

  • Use the source bundle on this page to download the Azure network sensor Bicep template into deploy/azure-network-sensor/ with `apiUrl` already prefilled for your deployed platform.
  • Copy `parameters.json.example` to `parameters.json` and customize: resource group, VNet, subnet, SSH key, and existing Key Vault details.
  • Run `az deployment group create --resource-group [rg] --template-file main.bicep --parameters parameters.json`. This deploys the VM with a managed identity and Key Vault integration.
  • The VM automatically retrieves the API key from Key Vault and starts the sensor container.

What success looks like

The VM automatically retrieves the API key from Key Vault and starts the sensor container.

Step 3

Validate findings ingestion

Confirm network telemetry is flowing into the platform.

  • Connect to the VM: `az vm run-command invoke --resource-group [rg] --name [vm-name] --command-id RunShellScript --scripts 'docker logs --tail 100 $(docker ps -q)'`
  • Look for 'VNet TAP capture active' or similar in the logs.
  • Check the platform Findings view for network-based security alerts.
  • Verify flow to the platform within 5 minutes of traffic on the mirrored interfaces.

What success looks like

Verify flow to the platform within 5 minutes of traffic on the mirrored interfaces.

What success looks like

  • Findings appear in the platform Findings view with scanner=network (Azure).
  • VNet TAP status shows as 'Connected' for all monitored interfaces.
  • No authentication or connectivity errors in the sensor logs.
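
The log checks from Step 3 and the checklist above can be scripted so that a rollout fails closed when the sensor is not capturing or cannot authenticate. The script below is an added example, not BlackShield's code: only the 'VNet TAP capture active' marker comes from this guide, while the error patterns, function names and sample log lines are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not BlackShield code): evaluate captured sensor logs against
# the Step 3 marker and the "no authentication or connectivity errors" check.

# Marker text quoted from this guide, which says "or similar": adjust as needed.
CAPTURE_MARKER='VNet TAP capture active'
# ASSUMPTION: generic failure strings, not a documented sensor log format.
ERROR_PATTERN='401|403|unauthorized|forbidden|connection refused|timed out|no route to host|tls handshake'

# check_sensor_log FILE -> 0 healthy, 1 marker missing, 2 errors, 3 empty log
check_sensor_log() {
  local log="$1" hits
  if [ ! -s "$log" ]; then
    echo "FAIL: no log output in $log (is the sensor container running?)"
    return 3
  fi
  # -w keeps 401/403 from matching inside longer numbers such as byte counts.
  hits=$(grep -Eiwn -- "$ERROR_PATTERN" "$log" | head -n 5) || true
  if [ -n "$hits" ]; then
    echo "FAIL: authentication or connectivity errors:"
    echo "$hits"
    return 2
  fi
  if ! grep -Fiq -- "$CAPTURE_MARKER" "$log"; then
    echo "FAIL: '$CAPTURE_MARKER' not found; check the TAP attachment"
    return 1
  fi
  echo "OK: capture active, no authentication or connectivity errors"
  return 0
}

# Constructed sample logs (not real sensor output) so the example runs offline.
make_samples() {
  local dir="$1"
  printf '%s\n' 'sensor starting' 'VNet TAP capture active on eth0' \
    'batch uploaded: 4013 bytes' > "$dir/healthy.log"
  printf '%s\n' 'sensor starting' 'VNet TAP capture active on eth0' \
    'upload failed: HTTP 401 Unauthorized' > "$dir/bad_key.log"
  printf '%s\n' 'sensor starting' 'waiting for packets' > "$dir/no_tap.log"
  : > "$dir/empty.log"
}

# Check a real captured log when a path is given, e.g. ./check.sh sensor.log
[ "$#" -eq 0 ] || check_sensor_log "$1"
```

Capture the log on the VM without following it, for example `docker logs --tail 200 $(docker ps -q) > sensor.log 2>&1`, and pass the file to `check_sensor_log`. Error lines are evaluated before the capture marker, so a sensor that is capturing but failing to authenticate is still reported as failing.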