BLACKSHIELD

Public guide

Deploy Network Sensor on Azure

Capture traffic using Virtual Network TAP, deploy a sensor VM with Bicep, and bridge network telemetry into the security platform. Audience: Platform engineers, Azure administrators, security engineers. Typical setup time: 15 minutes.

quickstart


Before you begin

  • You have an Azure subscription with production VMs running workloads.
  • You have created an ingestion API key in Settings → API Keys with Ingestion scope.
  • You have permissions to create VNet TAP resources and VMs in your resource group.

Fast path

Copy a working starter, run it in your environment, then come back here for the deeper rollout details.

Demonstration only

This configuration is designed for ease of use. To deploy scanner clients at scale, please plan your deployment architecture accordingly or contact us for enterprise best practices.

Get the source bundle

Download the exact source files referenced on this page, or run the one-command installer to write them locally before following the deployment steps.

Azure network sensor Bicep source

Creates the Azure Bicep template under `deploy/azure-network-sensor/` with the current platform API URL prefilled for VNet TAP-based network telemetry ingestion.

deploy/azure-network-sensor/
```bash
BLACKSHIELD_NETWORK_SENSOR_IMAGE=public.ecr.aws/blackshield-security/network-sensor:1.0.6 \
BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/azure-network-sensor.sh)
cd deploy/azure-network-sensor
```

Run the commands

azure-vnet-tap.sh

```bash
#!/bin/bash
# Complete Azure Virtual Network TAP setup script

# Stop at the first failed az call so "Success!" is never printed after an error.
set -euo pipefail

RESOURCE_GROUP="my-prod-rg"
LOCATION="eastus"
TAP_NAME="network-sensor-tap"
# IP configuration ID of the sensor VM's NIC (the TAP destination)
SENSOR_NIC_IPCONFIG_ID="/subscriptions/.../resourceGroups/my-prod-rg/providers/Microsoft.Network/networkInterfaces/sensor-nic/ipConfigurations/ipconfig1"
# NIC of the production VM whose traffic is mirrored
SOURCE_NIC="prod-workload-nic"

echo "1. Creating Virtual Network TAP..."
az network vnet tap create \
  --resource-group "$RESOURCE_GROUP" \
  --name "$TAP_NAME" \
  --location "$LOCATION" \
  --destination "$SENSOR_NIC_IPCONFIG_ID" \
  --port 4789

echo "2. Retrieving TAP ID..."
TAP_ID=$(az network vnet tap show \
  --resource-group "$RESOURCE_GROUP" \
  --name "$TAP_NAME" \
  --query id -o tsv)

echo "3. Attaching TAP to the Source VM NIC..."
az network nic vtap-config create \
  --resource-group "$RESOURCE_GROUP" \
  --nic-name "$SOURCE_NIC" \
  --name "Mirror-To-Sensor" \
  --vnet-tap "$TAP_ID"

echo "Success! VNet TAP attached to $SOURCE_NIC."
```

azure-bicep-deploy.sh

```bash
# 1. Set variables
RESOURCE_GROUP="my-prod-rg"
SUBNET_ID="/subscriptions/.../resourceGroups/.../providers/Microsoft.Network/virtualNetworks/.../subnets/default"

# 2. Deploy Infrastructure
cd deploy/azure-network-sensor
az deployment group create \
  --resource-group "$RESOURCE_GROUP" \
  --template-file main.bicep \
  --parameters subnetId="$SUBNET_ID" apiKey="sp_your_ingestion_key"
```

network-sensor.bicep

```bicep
// Azure Bicep snippet for Network Sensor Deployment

param location string = resourceGroup().location
param subnetId string
@secure()
param apiKey string

// NIC that receives the mirrored VXLAN traffic (the VNet TAP destination)
resource sensorNic 'Microsoft.Network/networkInterfaces@2023-04-01' = {
  name: 'network-sensor-nic'
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: { id: subnetId }
          privateIPAllocationMethod: 'Dynamic'
        }
      }
    ]
  }
}

resource sensorVm 'Microsoft.Compute/virtualMachines@2023-03-01' = {
  name: 'blackshield-network-sensor'
  location: location
  properties: {
    hardwareProfile: { vmSize: 'Standard_D2s_v5' }
    osProfile: {
      computerName: 'networksensor'
      adminUsername: 'azureuser'
      // With password authentication disabled, Azure requires an SSH public key
      // (linuxConfiguration.ssh.publicKeys); this snippet omits it.
      linuxConfiguration: { disablePasswordAuthentication: true }
    }
    storageProfile: {
      imageReference: {
        publisher: 'Canonical'
        offer: '0001-com-ubuntu-server-jammy'
        sku: '22_04-lts-gen2'
        version: 'latest'
      }
    }
    networkProfile: {
      networkInterfaces: [ { id: sensorNic.id } ]
    }
  }
}

// Extension to run the sensor container
resource vmExtension 'Microsoft.Compute/virtualMachines/extensions@2023-03-01' = {
  parent: sensorVm
  name: 'install-sensor'
  location: location
  properties: {
    publisher: 'Microsoft.Azure.Extensions'
    type: 'CustomScript'
    typeHandlerVersion: '2.1'
    autoUpgradeMinorVersion: true
    // The command embeds the @secure() apiKey, so it goes in protectedSettings;
    // plain settings would leave the key readable in the extension's properties.
    protectedSettings: {
      commandToExecute: 'apt-get update && apt-get install -y docker.io && docker run -d --net host -e BLACKSHIELD_API_KEY=${apiKey} -e BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com public.ecr.aws/blackshield-security/network-sensor:1.0.6'
    }
  }
}
```

Understand and customize

Use the guided steps below when you want to tailor the rollout, validate ownership, or expand the deployment safely.

Step 1

Deploy Sensor VM with Bicep

Use the provided Bicep template to deploy the sensor VM. This acts as the destination for your mirrored traffic. The template configures the required Network Security Group (NSG) rules for VXLAN.

  • Use the source bundle above to download the Azure network sensor Bicep project into `deploy/azure-network-sensor/`.
  • Identify your Target Subnet ID and Resource Group.
  • Run `az deployment group create` passing your subnet ID and the ingestion API key as parameters.
  • Note the generated VM's Network Interface (NIC) ID from the deployment output — you'll need this to set up the VNet TAP destination.


Step 2

Configure Virtual Network TAP

Set up an Azure VNet TAP to duplicate traffic from your production VMs and route it to the sensor instance.

  • Create a Network Tap resource pointing to the sensor VM's NIC IP Configuration.
  • Attach the TAP configuration to the source VM network interfaces (the production VMs you want to monitor).
  • Ensure the sensor's NSG allows inbound UDP on port 4789 for VXLAN traffic.
  • Verify the VNet TAP status is 'Connected' in the Azure portal or via CLI.
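
Checking the NSG requirement above from the CLI, as an added example that is not part of the BlackShield bundle: the function takes `az network nsg rule list` output and reports which custom rule decides inbound UDP 4789, since a higher-priority deny can shadow an allow rule. `NSG_NAME` and the sample rules are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example; not part of the BlackShield source bundle.
# Reads NSG rules (tab-separated: priority, direction, access, protocol,
# destinationPortRange) on stdin and reports the first custom rule that
# decides inbound UDP/4789, following Azure's ascending-priority order.
# Live input (NSG_NAME is a placeholder; the guide does not name the NSG):
#   az network nsg rule list -g "$RESOURCE_GROUP" --nsg-name "$NSG_NAME" \
#     --query "[].[priority,direction,access,protocol,destinationPortRange]" -o tsv
# Limitation: rules that use the plural destinationPortRanges list are not parsed.

vxlan_inbound_verdict() {
  sort -n -k1,1 | awk -F'\t' -v port=4789 '
    function port_match(range,   parts) {
      if (range == "*") return 1
      if (split(range, parts, "-") == 2)
        return (port >= parts[1] + 0 && port <= parts[2] + 0)
      return (range + 0 == port)
    }
    tolower($2) != "inbound"           { next }
    tolower($4) != "udp" && $4 != "*"  { next }
    !port_match($5)                    { next }
    { print tolower($3) " (priority " $1 ")"; found = 1; exit }
    END { if (!found) print "no-match" }
  '
}

# Constructed sample: the allow at 250 is shadowed by a broader deny at 200.
SAMPLE_RULES=$(printf '%s\t%s\t%s\t%s\t%s\n' \
  300 Inbound Allow Tcp 22 \
  200 Inbound Deny '*' 4000-5000 \
  250 Inbound Allow Udp 4789)

printf '%s\n' "$SAMPLE_RULES" | vxlan_inbound_verdict   # deny (priority 200)
```

A result of `no-match` means no custom rule decides the flow, so the NSG's default rules apply.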


Step 3

Validate Findings Ingestion

Confirm the sensor container is running properly on your VM and receiving the mirrored VXLAN traffic.

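  • Read the sensor container logs through the VM: `az vm run-command invoke --resource-group [rg] --name [vm-name] --command-id RunShellScript --scripts 'docker logs --tail 100 $(docker ps -q)'`. Use `--tail` rather than `-f` here, because a followed log stream never returns and the run-command call would block until it times out.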
  • Look for 'capture interface ready' or 'findings sent' in the output logs.
  • Check the platform Findings view to see network-based alerts within 5 minutes of traffic flowing on the mirrored interfaces.


What success looks like

  • Findings appear in the platform Findings view with scanner=network (Azure).
  • VNet TAP status shows as 'Connected' for all monitored source interfaces.
  • No authentication or connectivity errors are present in the sensor logs.