BLACKSHIELD

Guia público

Deploy Network Sensor on Azure

Capture traffic using Virtual Network TAP, deploy sensor VM with Bicep, and bridge network telemetry into the security platform. Público: Platform engineers, Azure administrators, security engineers. Tempo típico de configuração: 10 minutes.

quickstart

Use isto se

Capture traffic using Virtual Network TAP, deploy sensor VM with Bicep, and bridge network telemetry into the security platform.

Audience
Platform engineers, Azure administrators, security engineers
Typical time
10 minutes

Antes de começar

  • You have an Azure subscription with production VMs running workloads.
  • You have created an ingestion API key in Settings → API Keys with Ingestion scope.
  • You have permissions to create VNet TAP resources and VMs in your resource group.

Caminho rápido

Copy a working starter, run it in your environment, then come back here for the deeper rollout details.

Obtém o bundle de código fonte

Descarrega os ficheiros exatos usados neste guia ou executa o instalador de um só comando para os escrever localmente antes do deploy.

Azure network sensor Bicep source

Creates the Azure Bicep template under `deploy/azure-network-sensor/` with the current platform API URL prefilled for VNet TAP-based network telemetry ingestion.

deploy/azure-network-sensor/
bash
BLACKSHIELD_NETWORK_SENSOR_IMAGE=public.ecr.aws/blackshield-security/network-sensor:1.0.0 \
BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/azure-network-sensor.sh)
cd deploy/azure-network-sensor
Descarregar fonte

Executar isto

azure-vnet-tap.sh

bash
#!/bin/bash
# Create Azure Virtual Network TAP for network sensor

RESOURCE_GROUP="myResourceGroup"
VNET_TAP_NAME="network-sensor-tap"

az network vnet tap create \
  --resource-group "$RESOURCE_GROUP" \
  --name "$VNET_TAP_NAME"

Entender e personalizar

Use the guided steps below when you want to tailor the rollout, validate ownership, or expand the deployment safely.

Passo 1

Configure Virtual Network TAP

Set up an Azure VNet TAP to duplicate traffic from production VMs to the sensor.

  • Create a Network Tap resource pointing to the sensor VM's NIC.
  • Attach the tap to source VM network interfaces (those you want to monitor).
  • Verify VNet TAP status is 'Connected' in the Azure portal.
  • Confirm mirrored traffic is flowing to the sensor NIC.

Como é o sucesso

Confirm mirrored traffic is flowing to the sensor NIC.

Open Azure network sensor prep

Passo 2

Deploy sensor VM with Bicep

Use the source bundle on this page to download the Azure network sensor Bicep template and deploy it.

  • Use the source bundle on this page to download the Azure network sensor Bicep template into deploy/azure-network-sensor/ with `apiUrl` already prefilled for your deployed platform.
  • Copy parameters.json.example to parameters.json and customize: resource group, VNet, subnet, SSH key, and existing Key Vault details.
  • Run: az deployment group create --resource-group [rg] --template-file main.bicep --parameters parameters.json — deploys VM with managed identity and Key Vault integration.
  • The VM automatically retrieves the API key from Key Vault and starts the sensor container.

Como é o sucesso

The VM automatically retrieves the API key from Key Vault and starts the sensor container.

Azure Deployment Guide

Passo 3

Validate findings ingestion

Confirm network telemetry is flowing into the platform.

  • Connect to the VM: az vm run-command invoke --resource-group [rg] --name [vm-name] --command-id RunShellScript --scripts 'docker logs $(docker ps -q) -f'
  • Look for 'VNet TAP capture active' or similar in the logs.
  • Check the platform Findings view for network-based security alerts.
  • Verify flow to the platform within 5 minutes of traffic on the mirrored interfaces.

Como é o sucesso

Verify flow to the platform within 5 minutes of traffic on the mirrored interfaces.

View Findings · Requer login

Como é o sucesso

  • Findings appear in the platform Findings view with scanner=network (Azure).
  • VNet TAP status shows as 'Connected' for all monitored interfaces.
  • No authentication or connectivity errors in the sensor logs.
Deploy Network Sensor on Azure | Documentação BlackShield