Use it if
Capture traffic using Virtual Network TAP, deploy sensor VM with Bicep, and bridge network telemetry into the security platform.
- Audience: Platform engineers, Azure administrators, security engineers
- Typical time: 15 minutes
Public guide
Copy a working starter, run it in your environment, then come back here for the deeper rollout details.
Demo only
This configuration is designed for ease of use. To deploy scanning clients at scale, plan your deployment architecture accordingly or contact us for enterprise best practices.
Download the exact files used in this guide, or run the single-command installer to write them locally before deployment.
Creates the Azure Bicep template under `deploy/azure-network-sensor/` with the current platform API URL prefilled for VNet TAP-based network telemetry ingestion.
```bash
BLACKSHIELD_NETWORK_SENSOR_IMAGE=public.ecr.aws/blackshield-security/network-sensor:1.0.6 \
BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/azure-network-sensor.sh)
cd deploy/azure-network-sensor
```

```bash
#!/bin/bash
# Complete Azure Virtual Network TAP setup script
# Stop on the first failed command so "Success!" is never printed after an error
set -euo pipefail

RESOURCE_GROUP="my-prod-rg"
LOCATION="eastus"
TAP_NAME="network-sensor-tap"
SENSOR_NIC_IPCONFIG_ID="/subscriptions/.../resourceGroups/my-prod-rg/providers/Microsoft.Network/networkInterfaces/sensor-nic/ipConfigurations/ipconfig1"
SOURCE_NIC="prod-workload-nic"

echo "1. Creating Virtual Network TAP..."
az network vnet tap create \
  --resource-group "$RESOURCE_GROUP" \
  --name "$TAP_NAME" \
  --location "$LOCATION" \
  --destination "$SENSOR_NIC_IPCONFIG_ID" \
  --port 4789

echo "2. Retrieving TAP ID..."
TAP_ID=$(az network vnet tap show \
  --resource-group "$RESOURCE_GROUP" \
  --name "$TAP_NAME" \
  --query id -o tsv)

echo "3. Attaching TAP to the Source VM NIC..."
az network nic vtap-config create \
  --resource-group "$RESOURCE_GROUP" \
  --nic-name "$SOURCE_NIC" \
  --name "Mirror-To-Sensor" \
  --vnet-tap "$TAP_ID"

echo "Success! VNet TAP attached to $SOURCE_NIC."
```

```bash
# 1. Set variables
RESOURCE_GROUP="my-prod-rg"
SUBNET_ID="/subscriptions/.../resourceGroups/.../providers/Microsoft.Network/virtualNetworks/.../subnets/default"

# 2. Deploy Infrastructure
cd deploy/azure-network-sensor
az deployment group create \
  --resource-group "$RESOURCE_GROUP" \
  --template-file main.bicep \
  --parameters subnetId="$SUBNET_ID" apiKey="sp_your_ingestion_key"
```

```bicep
// Azure Bicep snippet for Network Sensor Deployment
param location string = resourceGroup().location
param subnetId string

@secure()
param apiKey string

resource sensorNic 'Microsoft.Network/networkInterfaces@2023-04-01' = {
  name: 'network-sensor-nic'
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: { id: subnetId }
          privateIPAllocationMethod: 'Dynamic'
        }
      }
    ]
  }
}

resource sensorVm 'Microsoft.Compute/virtualMachines@2023-03-01' = {
  name: 'blackshield-network-sensor'
  location: location
  properties: {
    hardwareProfile: { vmSize: 'Standard_D2s_v5' }
    osProfile: {
      computerName: 'networksensor'
      adminUsername: 'azureuser'
      linuxConfiguration: { disablePasswordAuthentication: true }
    }
    storageProfile: {
      imageReference: {
        publisher: 'Canonical'
        offer: '0001-com-ubuntu-server-jammy'
        sku: '22_04-lts-gen2'
        version: 'latest'
      }
    }
    networkProfile: {
      networkInterfaces: [ { id: sensorNic.id } ]
    }
  }
}

// Extension to run the sensor container
resource vmExtension 'Microsoft.Compute/virtualMachines/extensions@2023-03-01' = {
  parent: sensorVm
  name: 'install-sensor'
  location: location
  properties: {
    publisher: 'Microsoft.Azure.Extensions'
    type: 'CustomScript'
    typeHandlerVersion: '2.1'
    autoUpgradeMinorVersion: true
    // The command embeds the secure apiKey parameter, so it goes in protectedSettings
    // (encrypted) rather than settings, which is stored and returned in plain text.
    protectedSettings: {
      commandToExecute: 'apt-get update && apt-get install -y docker.io && docker run -d --net host -e BLACKSHIELD_API_KEY=${apiKey} -e BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com public.ecr.aws/blackshield-security/network-sensor:1.0.6'
    }
  }
}
```

Use the guided steps below when you want to tailor the rollout, validate ownership, or expand the deployment safely.
Step 1
Use the provided Bicep template to deploy the sensor VM. This acts as the destination for your mirrored traffic. The template configures the required Network Security Group (NSG) rules for VXLAN.
What success looks like
Note the generated VM's Network Interface (NIC) ID from the deployment output — you'll need this to set up the VNet TAP destination.
Step 2
Set up an Azure VNet TAP to duplicate traffic from your production VMs and route it to the sensor instance.
What success looks like
Verify the VNet TAP status is 'Connected' in the Azure portal or via CLI.
Step 3
Confirm the sensor container is running properly on your VM and receiving the mirrored VXLAN traffic.
What success looks like
Check the platform Findings view to see network-based alerts within 5 minutes of traffic flowing on the mirrored interfaces.
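To make the Step 3 check concrete, the following added example (not part of the original guide or of the sensor's own code) decodes what a mirrored packet looks like when it arrives on UDP port 4789: an 8-byte VXLAN header (RFC 7348) followed by the original Ethernet frame. The sample frame, its VNI and its addresses are constructed for illustration.

```python
import struct

VXLAN_PORT = 4789             # UDP port set as the TAP destination port in this guide
VXLAN_FLAG_VNI_VALID = 0x08   # RFC 7348 "I" flag: must be set on a valid VXLAN header


def parse_vxlan(udp_payload: bytes) -> dict:
    """Decode one VXLAN-encapsulated frame (the UDP payload seen on port 4789)."""
    if len(udp_payload) < 8 + 14:
        raise ValueError("too short for VXLAN header plus inner Ethernet header")
    if not udp_payload[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set: payload is not VXLAN")
    vni = int.from_bytes(udp_payload[4:7], "big")      # 24-bit network identifier
    inner = udp_payload[8:]                            # original mirrored frame
    ethertype = struct.unpack("!H", inner[12:14])[0]
    info = {"vni": vni, "ethertype": ethertype, "src": None, "dst": None, "proto": None}
    if ethertype == 0x0800 and len(inner) >= 14 + 20:  # inner IPv4 header present
        ip = inner[14:34]
        info["proto"] = ip[9]
        info["src"] = ".".join(map(str, ip[12:16]))
        info["dst"] = ".".join(map(str, ip[16:20]))
    return info


def build_sample(vni: int, src: str, dst: str) -> bytes:
    """Constructed test input: VXLAN header + Ethernet header + minimal IPv4/TCP header."""
    vxlan = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return vxlan + eth + ip


if __name__ == "__main__":
    sample = build_sample(vni=4096, src="10.0.1.4", dst="10.0.2.8")
    print(parse_vxlan(sample))
    try:
        # Same bytes with the flags cleared: traffic on 4789 that is not VXLAN
        parse_vxlan(b"\x00" * 8 + sample[8:])
    except ValueError as exc:
        print("rejected:", exc)
```

If the inner source and destination addresses belong to the production workloads rather than to the sensor VM, the TAP is mirroring the intended traffic.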
Keep your rollout moving with the next recommended step.
Review and prioritize findings