Deploy ASMS on the cloud
This topic describes how you can deploy ASMS on Amazon AWS or Microsoft Azure to manage your devices from the cloud.
Note: Each installation package includes software for the full AlgoSec Security Management Suite. Functionality for each ASMS product is enabled via license, and not by installation.
Deploy ASMS on AWS
Deploy ASMS on an AWS instance using an ASMS AMI available from the AlgoSec Portal.
Refer to Hardware minimum requirements.
For AWS deployments, we also recommend:
-
Using machines from the Amazon EC2 General Purpose M5 family, compatible with CentOS 7.
-
Ensuring that your AWS instance includes high-performance storage. Use Amazon gp3 volumes (SSD-based).
-
When deploying your first AWS AMI, you need to accept the CentOS 7 image (CentOS 7 (x86_64) with updates HVM by CentOS org) in your AWS console. You only need to do this once and not for every VM.
-
Note: AWS recommends using the CentOS image available on the AWS Marketplace (free of charge).
For more details, see the AWS Documentation.
Do the following:
-
Deploy your AWS AMI.
-
On the Download AlgoSec Security Management Suite > AMI page, select an AWS Region and enter your AWS Account ID. The AlgoSec AMI is shared with your account. For details, see Download ASMS software packages.
- During the Add Storage phase of the setup process, increase disk space on your AWS instance. See Increase disk space of a new AWS instance.
- When the setup process is complete, you are notified and provided with the details required to access your new instance with ASMS.
-
-
After launching your instance from AMI, run the following command in order to get better disk performance:
sudo dd if=/dev/nvme0n1 of=/dev/null bs=1M
Note: this step may take several minutes up to several hours, depending on your EC2 instance bandwidth, the IOPS provisioned for the volume and the size of the volume.
-
If you are deploying clusters or distributed architectures, continue with Deploy clusters and distributed architectures.
Otherwise, continue with deploying ASMS products, including populating your environment with devices and users. For details, see ASMS deployment checklist.
Deploy ASMS on Microsoft Azure
The following instructions explain how to deploy ASMS over an Azure VM.
Note: Currently, the following Microsoft Azure regions are supported:
-
North Europe
-
West Europe
-
East US
-
South Central US
-
Central US
-
US West 3
-
Australia East
-
UAE North
If your region is not currently supported, contact your AlgoSec Account Manager.
Deploy ASMS on Microsoft Azure by converting a VHD file available from the AlgoSec portal to an Azure image.
Refer to Hardware minimum requirements.
For Azure deployments:
-
Ensure that your machine is compatible with CentOS 7. We recommend machines from D-series.
-
Ensure that your Azure instance includes high performance storage, specifically Premium SSD P-20 and above.
-
It is highly advised that you disable hyper-threading on Azure VMs running ASMS prior to deploying the machine. AlgoSec has observed improved performance under heavy workloads. See Disable Hyper-threading on Azure Instance.
Note: ASMS supports deployment of the AlgoSec VHD into Azure on any General Purpose VM-Type. Many customers choose the VM-Type to deploy based on the resource requirements set forth for ideal performance & scalability in their specific AlgoSec Architecture Recommendation, received from AlgoSec. Since ASMS does not make use of Hyper-threading at this time, ensure that the VM-Type selected for an Azure based deployment provides sufficient logical CPU cores, as outlined in your AlgoSec Architecture Recommendation.
For more details, see the Azure Documentation.
Do the following:
-
Download the ASMS Azure files.
Click Download on the Download AlgoSecSecurity Management Suite > New Installation page. A VHD file is downloaded to your local machine.
For more details, see Download ASMS software packages.
-
Convert the VHD file to an Azure image.
The following steps describe how to convert your ASMS VHD file to an Azure image, and refer to areas of the Azure portal. For more details, see the Microsoft Azure documentation.
Note: Converting a VHD file to an Azure image has a variety of options and methods.
Use the steps described below when deploying your ASMS installation to prevent unexpected errors.
Do the following:
-
Create a new Azure storage account.
Define your settings as follows:
Resource Group Under the Resource Group field, click Create new to create a new resource group.
Enter a meaningful name for your new resource group, such as ASMS-Deployment.
Storage account name Enter a meaningful name for your storage account, such as asmsdeployment. Account kind Select Storage (general purpose v1). Replication Select LRS (Locally-redundant storage). For example:
Continue in the wizard to create the new storage account and wait while it's deployed.
-
Once the new storage account is deployed, navigate to the Storage accounts area, and click the new storage account to view details.
-
In your new storage account, click Containers, and then to add a new container.
Define your new container with a meaningful name and a Public access level of Private (no anonymous access).
For example:
-
Switch to the Azure CLI on the local desktop.
To install the Azure CLI on the local desktop download the installation file from HERE.
-
Run local Power Shell as Administrator.
-
Ensure that the PowerShell Az module is installed. If it's not installed, run the following:
Install-Module -Name Az -AllowClobber -Scope AllUsers
-
To configure the Set-ExecutionPolicy cmdlet, run the following:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine
then run:
Import-Module Az.Accounts
For more details, see Set-ExecutionPolicy and Install the Azure PowerShell module in the Microsoft documentation.
-
Connect to the Azure subscription from the CLI on the local desktop. Run:
Connect-AzAccount
When prompted, enter your credentials to log in.
-
Copy the VHD file downloaded from the AlgoSec portal to your Azure resource group.
From the CLI on the local desktop, run:
Add-AzVhd -ResourceGroupName "ASMS-Deployment" -Destination "https://asmsdeployment.blob.core.windows.net/asmsvhd/<VHD_NAME>.vhd" -LocalFilePath "<VHD_NAME>.vhd"
In this command, replace <VHD_NAME>.vhd with the exact name of the file you downloaded.
For example: AlgoSec-app-3000.10.100-asms-75-co6.vhd
Note: While the VHD that AlgoSec provides is dynamic, and the Azure requires a fixed hard disk, the upload process converts the dynamic file to a fixed file format.
Additionally, while you can convert this dynamic file to a fixed file manually, this requires a very large upload, and also runs the risk of errors. We recommend using the commands provided here to perform this upload.
-
Return to the Azure portal to create your image. Navigate to Images, and click .
In the Create image pane, enter the following details:
Name Enter a meaningful name. For example, ASMS_image. Resource group Select the new resource group you created for ASMS. OS type Select Linux. VM generation Select Gen1 Storage blob Click Browse, and navigate to the VHD you uploaded via the CLI. Account type Select Premium SSD. For example:
-
Navigate to the Azure Virtual machines area, and click to create a new virtual machine.
On the Create a virtual machine page, enter the following details:
Resource group Select the resource group you created earlier. Virtual machine name Enter a meaningful name for your virtual machine. Image Navigate to and select the image you created earlier. Size Click Change size, and select a minimum of B4ms. Authentication type Select Password. Username / Password Enter credentials to access the new virtual machine.
Note: Although you must set these credentials now, you'll need to log in to the machine as user root in order to deploy ASMS.
Select inbound ports Select HTTPS (443) and SSH (22). For example:
-
Click Next: Disks > to continue, and then select Standard SSD.
-
Continue through the wizard to create your virtual machine with ASMS installed.
-
-
When the Azure VM is available, unlock the root user as follows:
-
Log in to the virtual machine via CLI using the Azure VM user credentials.
-
Run the command:
echo "<Azure VM user password>" | sudo -S echo;echo "<new root password>" | sudo passwd --stdin root
The root user is now unlocked and you can log into it using the password you gave in the command.
-
-
Disable hyper-threading (best practice). See Disable Hyper-threading on Azure Instance.
If you are deploying clusters or distributed architectures, continue with Deploy clusters and distributed architectures.
Otherwise, continue with deploying ASMS products, including populating your environment with devices and users. For details, see ASMS deployment checklist.
â See also: