Use this if
Capture traffic using Virtual Network TAP, deploy sensor VM with Bicep, and bridge network telemetry into the security platform.
- Audience: Platform engineers, Azure administrators, security engineers
- Typical time: 15 minutes
Public guide
Copy a working starter, run it in your environment, then come back here for the deeper rollout details.
For demonstration only
This configuration is designed for ease of use. To deploy scanner clients at scale, plan your deployment architecture accordingly or contact us for enterprise best practices.
Download the exact files used in this guide, or run the one-command installer to write them locally before deploying.
Creates the Azure Bicep template under `deploy/azure-network-sensor/` with the current platform API URL prefilled for VNet TAP-based network telemetry ingestion.
```bash
BLACKSHIELD_NETWORK_SENSOR_IMAGE=public.ecr.aws/blackshield-security/network-sensor:1.0.6 \
BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/azure-network-sensor.sh)
cd deploy/azure-network-sensor
```

```bash
#!/bin/bash
# Complete Azure Virtual Network TAP setup script
set -euo pipefail  # stop at the first failed az call instead of printing "Success!"

RESOURCE_GROUP="my-prod-rg"
LOCATION="eastus"
TAP_NAME="network-sensor-tap"
# IP configuration of the sensor VM's NIC: the destination for mirrored traffic
SENSOR_NIC_IPCONFIG_ID="/subscriptions/.../resourceGroups/my-prod-rg/providers/Microsoft.Network/networkInterfaces/sensor-nic/ipConfigurations/ipconfig1"
# NIC of the workload VM whose traffic is mirrored
SOURCE_NIC="prod-workload-nic"

echo "1. Creating Virtual Network TAP..."
az network vnet tap create \
  --resource-group "$RESOURCE_GROUP" \
  --name "$TAP_NAME" \
  --location "$LOCATION" \
  --destination "$SENSOR_NIC_IPCONFIG_ID" \
  --port 4789

echo "2. Retrieving TAP ID..."
TAP_ID=$(az network vnet tap show \
  --resource-group "$RESOURCE_GROUP" \
  --name "$TAP_NAME" \
  --query id -o tsv)

echo "3. Attaching TAP to the Source VM NIC..."
az network nic vtap-config create \
  --resource-group "$RESOURCE_GROUP" \
  --nic-name "$SOURCE_NIC" \
  --name "Mirror-To-Sensor" \
  --vnet-tap "$TAP_ID"

echo "Success! VNet TAP attached to $SOURCE_NIC."
```

```bash
# 1. Set variables
RESOURCE_GROUP="my-prod-rg"
SUBNET_ID="/subscriptions/.../resourceGroups/.../providers/Microsoft.Network/virtualNetworks/.../subnets/default"

# 2. Deploy Infrastructure
cd deploy/azure-network-sensor
az deployment group create \
  --resource-group "$RESOURCE_GROUP" \
  --template-file main.bicep \
  --parameters subnetId="$SUBNET_ID" apiKey="sp_your_ingestion_key"
```

```bicep
// Azure Bicep snippet for Network Sensor Deployment
param location string = resourceGroup().location
param subnetId string
@secure()
param apiKey string

// NIC that receives the mirrored (VXLAN-encapsulated) traffic
resource sensorNic 'Microsoft.Network/networkInterfaces@2023-04-01' = {
  name: 'network-sensor-nic'
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: { id: subnetId }
          privateIPAllocationMethod: 'Dynamic'
        }
      }
    ]
  }
}

resource sensorVm 'Microsoft.Compute/virtualMachines@2023-03-01' = {
  name: 'blackshield-network-sensor'
  location: location
  properties: {
    hardwareProfile: { vmSize: 'Standard_D2s_v5' }
    osProfile: {
      computerName: 'networksensor'
      adminUsername: 'azureuser'
      linuxConfiguration: { disablePasswordAuthentication: true }
    }
    storageProfile: {
      imageReference: {
        publisher: 'Canonical'
        offer: '0001-com-ubuntu-server-jammy'
        sku: '22_04-lts-gen2'
        version: 'latest'
      }
    }
    networkProfile: {
      networkInterfaces: [ { id: sensorNic.id } ]
    }
  }
}

// Extension to run the sensor container
resource vmExtension 'Microsoft.Compute/virtualMachines/extensions@2023-03-01' = {
  parent: sensorVm
  name: 'install-sensor'
  location: location
  properties: {
    publisher: 'Microsoft.Azure.Extensions'
    type: 'CustomScript'
    typeHandlerVersion: '2.1'
    autoUpgradeMinorVersion: true
    // The command embeds the @secure() apiKey, so it goes in protectedSettings
    // (encrypted, not returned by ARM) rather than settings (stored in plain text).
    protectedSettings: {
      commandToExecute: 'apt-get update && apt-get install -y docker.io && docker run -d --net host -e BLACKSHIELD_API_KEY=${apiKey} -e BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com public.ecr.aws/blackshield-security/network-sensor:1.0.6'
    }
  }
}
```

Use the guided steps below when you want to tailor the rollout, validate ownership, or expand the deployment safely.
Step 1
Use the provided Bicep template to deploy the sensor VM. This acts as the destination for your mirrored traffic. The template configures the required Network Security Group (NSG) rules for VXLAN.
What success looks like
Note the generated VM's Network Interface (NIC) ID from the deployment output — you'll need this to set up the VNet TAP destination.
Step 2
Set up an Azure VNet TAP to duplicate traffic from your production VMs and route it to the sensor instance.
What success looks like
Verify the VNet TAP status is 'Connected' in the Azure portal or via CLI.
Step 3
Confirm the sensor container is running properly on your VM and receiving the mirrored VXLAN traffic.
What success looks like
Check the platform Findings view to see network-based alerts within 5 minutes of traffic flowing on the mirrored interfaces.
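To make the Step 3 check concrete, the following added example (not part of the original guide or of the Blackshield sensor) decapsulates one UDP datagram as it would arrive on the sensor NIC on port 4789 and reports the inner flow, using the VXLAN header layout from RFC 7348. The function names, the VNI, and the sample datagram are constructed for illustration.

```python
import ipaddress
import struct

VXLAN_PORT = 4789      # UDP port passed to `az network vnet tap create --port`
VXLAN_FLAG_VNI = 0x08  # RFC 7348 "I" flag: the VNI field is valid

def build_sample_datagram():
    """Constructed sample: UDP header + VXLAN header + inner Ethernet/IPv4 header."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                           ipaddress.IPv4Address("10.0.1.4").packed,
                           ipaddress.IPv4Address("10.0.2.9").packed)
    # Inner Ethernet: destination MAC, source MAC, EtherType IPv4
    inner_eth = bytes.fromhex("000d3a000002") + bytes.fromhex("000d3a000001") + b"\x08\x00"
    vxlan = struct.pack("!B3xI", VXLAN_FLAG_VNI, 4242 << 8)  # 24-bit VNI + reserved byte
    payload = vxlan + inner_eth + inner_ip
    udp = struct.pack("!HHHH", 50000, VXLAN_PORT, 8 + len(payload), 0)
    return udp + payload

def decapsulate(datagram):
    """Validate the outer UDP/VXLAN headers and return facts about the inner frame."""
    if len(datagram) < 8 + 8 + 14:
        raise ValueError("too short for UDP + VXLAN + Ethernet")
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", datagram[:8])
    if dport != VXLAN_PORT:
        raise ValueError(f"not VXLAN: UDP destination port {dport}")
    if ulen != len(datagram):
        raise ValueError("UDP length field does not match captured bytes")
    flags, vni_field = struct.unpack("!B3xI", datagram[8:16])
    if not flags & VXLAN_FLAG_VNI:
        raise ValueError("VXLAN I flag clear: VNI not valid")
    eth = datagram[16:30]
    result = {"vni": vni_field >> 8,
              "inner_dst_mac": eth[0:6].hex(":"),
              "inner_src_mac": eth[6:12].hex(":"),
              "ethertype": int.from_bytes(eth[12:14], "big")}
    if result["ethertype"] == 0x0800 and len(datagram) >= 50:
        ip = datagram[30:50]  # fixed 20-byte IPv4 header of the mirrored packet
        result["ip_proto"] = ip[9]
        result["inner_src_ip"] = str(ipaddress.IPv4Address(ip[12:16]))
        result["inner_dst_ip"] = str(ipaddress.IPv4Address(ip[16:20]))
    return result

if __name__ == "__main__":
    print(decapsulate(build_sample_datagram()))
```

If datagrams on the sensor NIC fail these checks, or none arrive on UDP 4789 at all, the TAP destination, port, or NSG rules from Steps 1 and 2 are the first things to recheck.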
Keep your rollout moving with the next recommended step.
Review and prioritize findings