Get Started With Hyperglance & The Azure Marketplace

Find out the optimal way to set up Hyperglance when deploying via the Azure Marketplace.

About The Hyperglance VM

A Hyperglance VM can be deployed into an Azure virtual network (vNet) with or without a public IP address assigned to it. For security, the recommended option is to deploy without a public IP. In these instructions only a private IP address is used, so the VM can be reached only over a point-to-site VPN, a site-to-site VPN, ExpressRoute, or a jump box virtual machine that has a public IP address.

The Hyperglance virtual machine needs to be able to reach various public Azure API endpoints such as https://azure.management.com, so you should allow outbound traffic from the virtual machine to those addresses. We will achieve this below using Azure service tags.

 

There is a service tag called AzureCloud that covers public Azure IP addresses. You need to add a rule to your NSG to allow outbound traffic to these addresses:

You could also use the 'Internet' service tag:

In this example, the private IP assigned to the Hyperglance VM is 10.0.0.5. You'll need to change this to reflect your deployment.

The examples above show a network security group in a restricted Azure environment. The network security group is associated with a vNet IP subnet, and outbound traffic to the Internet (service tag) is blocked by a rule that overrides the default AllowInternetOutBound rule.

The Hyperglance virtual machine must be able to connect to https://azure.management.com and other public Azure API endpoints. The network security group rule AllowHyperglanceOutBound has been created for this connection in the example picture above. Its destination is the Internet service tag; the destination could instead be the IP addresses of the specific public Azure API endpoints.

Internet traffic can also be routed via on-premises, an Azure Firewall, or a virtual appliance firewall in Azure. By default, outbound Internet traffic leaves via Azure's public IP address space, or via the VM's own public IP address if one is assigned.

If a third-party firewall is used (virtual appliances in Azure, on-premises firewalls, etc.), the Azure API endpoint URLs can be whitelisted in advanced firewalls that have URL or FQDN filtering.

Note that blocking outbound Internet traffic in a network security group does not block UDP port 53 traffic to the Azure DNS resolver IP address 168.63.129.16 (good to know if custom DNS servers are not used). The address 168.63.129.16 is also used for some other purposes in Azure.
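The outbound rule set described above for a VM without a public IP, written as an added Terraform example against the azurerm provider (this is not the page's own configuration and is not shipped with the marketplace image). The resource group, region, the VM private IP 10.0.0.5 and the subnet_id variable are assumed values; the provider block is assumed to be declared elsewhere in the configuration.

```hcl
# Added example, not from the Hyperglance documentation: an NSG for a Hyperglance VM
# without a public IP. Assumed values: resource group "rg-hyperglance", region
# "westeurope", VM private IP 10.0.0.5, and a var.subnet_id for the VM's subnet.
variable "subnet_id" {
  type = string
}

resource "azurerm_network_security_group" "hyperglance" {
  name                = "nsg-hyperglance"
  location            = "westeurope"
  resource_group_name = "rg-hyperglance"

  # Block general Internet egress. Priority 4000 is evaluated before the default
  # AllowInternetOutBound rule (65001), so this overrides it. Traffic to the
  # Azure DNS resolver 168.63.129.16 is still permitted, as noted above.
  security_rule {
    name                       = "DenyInternetOutBound"
    priority                   = 4000
    direction                  = "Outbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "Internet"
  }

  # Only the Hyperglance VM may reach public Azure API endpoints, over HTTPS only.
  # Priority 100 wins over the deny rule. Use the "Internet" tag instead of
  # "AzureCloud" if the VM must also reach non-Azure endpoints (e.g. for updates).
  security_rule {
    name                       = "AllowHyperglanceOutBound"
    priority                   = 100
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "10.0.0.5"
    destination_address_prefix = "AzureCloud"
  }
}

# Attach the NSG to the VM's subnet rather than to the NIC, as described above.
resource "azurerm_subnet_network_security_group_association" "hyperglance" {
  subnet_id                 = var.subnet_id
  network_security_group_id = azurerm_network_security_group.hyperglance.id
}
```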


 

Get Started in Azure Marketplace

1. Go to the Azure Marketplace: in the Azure portal, select 'Create a resource' and search for 'hyperglance'.

2. You will be presented with the initial Hyperglance overview. Select 'Plans + Pricing'.

3. Choose the resource limit that best fits your environment. Any nodes over the limit will not be shown in Hyperglance, and you will be shown a message telling you how many resources Hyperglance has found. If you find you have underestimated the number of resources, you just need to delete the virtual machine and provision a virtual machine with a higher resource count.

Once you've chosen your plan, select 'Create'.

5. Go to 'Basics'. A minimum of 2x vCPU and 4GB RAM is recommended.



6. Go to 'Disks'. We recommend leaving the default values.

7. Go to 'Networking'. In this case, a public IP address is not created. Select an existing VNet and subnet, or create new ones if needed.

8. Go to 'Management' and choose your options.

9. Go to 'Advanced'. Extensions can be installed later if needed.

10. Go to 'Tags' and add any that you are using.

 

11. Go to 'Review + create', then select 'Create'.

12. We recommend changing the IP assignment to static, then saving this setting.

13. This deployment has associated a new network security group with the VM's network interface, containing two custom inbound security rules (allow TCP ports 22 and 443 from any source). When the virtual machine has a public IP address, these two rules should be tightened (restrict the source IP ranges and/or use custom ports). When not using a public IP address, or if you do not want to keep a network security group on the network interface, this new network security group can be dissociated from the network interface and deleted.

14. Make sure you use these instructions to update Hyperglance to the latest version. All user data is retained through an update, including authentication credentials, rules, and tag-view keys.

15. Once the VM has finished deploying, open a browser and enter the URL https://[ReplaceWithHyperglanceVMIP], e.g. https://10.0.0.5

Depending on your network setup, you may need to configure Hyperglance to use a proxy.

16. Accept your browser's security warning, so you can continue to the Hyperglance console.

17. Log in with a username of 'admin'. The password will be the computer name of the VM.

The first time you log in you will be asked to enter some Azure account credentials for Hyperglance. Use these instructions if you'd like to change the Hyperglance password.

18. Hyperglance will automatically update to the latest version, assuming you are connected to the internet. If you weren't connected during your setup, make sure you use these instructions to update Hyperglance to the latest version. All user data is retained through an update, including authentication credentials, rules, and tag-view keys.


Azure Collection Setup

Hyperglance needs to authenticate to the Azure APIs in order to collect the data it requires. For that to happen, you need to follow some steps that first create an app registration, then assign that app 'Reader' access for each subscription you want to bring into Hyperglance.

In this guide, we will walk you through the setup process which consists of the following steps:

  • Step 1: Register the Hyperglance app with Azure Active Directory
  • Step 2: Find the Application ID
  • Step 3: Create a Secret
  • Step 4: Find your Subscription ID
  • Step 5: Grant roles
  • Step 6: Configure Hyperglance

    You will need to have the Global Administrator, Application Administrator or Application Developer role in your Azure Active Directory in order to complete these steps if 'Users can register applications' is set to 'No'.

    You must also be a Service Administrator, Co-Administrator, Owner or User Access Administrator in your subscription in order to complete these steps (in the grant roles step, the minimum role is User Access Administrator).

    Step 1: Register the Hyperglance app with Azure Active Directory

    a) Log in to your Azure Account through the Azure portal

    b) Select 'Azure Active Directory' from the left-hand panel

    c) Select 'App registrations'

    d) Select 'New registration'

    e) Give the application a name, e.g. Hyperglance, then select 'Register'

    Step 2: Find the Application ID

    a) Select 'App registrations' and you'll be shown the application ID. The same ID can also be found under Enterprise applications.

    b) Make a note of the Application ID - you'll need it later

    Step 3: Create a Secret

    a) Select 'Certificates & secrets'

    b) Select 'New client secret'

    c) Add a description (optional), select an expiration, then 'Add'

    d) Make a note of the new secret value - you'll need it later, and you can't go back and retrieve it afterwards

    Step 4: Find your Subscription ID

    a) In your Azure portal dashboard, select 'All Services' then 'Subscriptions'

    b) Make a note of the subscription ID - you'll need this later, too

    Step 5: Grant roles

    Here we grant the Hyperglance application access to monitor your Azure environment.

    To complete these steps, you need to be a Service Administrator, Co-Administrator, Owner, or User Access Administrator.

    a) To assign a role at the subscription scope, select 'All Services' and 'Subscriptions' again. Select your subscription, then 'Access control', and click 'Add' (Add a role assignment).

    b) Select the role. You should grant either the 'Reader' or the 'Contributor' role.

    • Reader is read-only, so you will not be able to use Hyperglance's management actions such as "Add Tag".
    • Contributor allows Hyperglance Actions to work.

    c) Click Save to finish assigning the role.

    d) If you granted Reader (rather than Contributor), and want Hyperglance to ingest your billing data, then there are additional read-only roles you should add: "Billing Reader" and "Reader and Data Access".  [Learn more about required roles for billing ingestion].
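    Steps 1 to 5 as a single Terraform configuration, added here as an example rather than taken from the Hyperglance documentation. It assumes the azuread provider at 2.x (the attribute names changed in 3.x), azurerm 3.x with its provider block declared elsewhere, and a caller holding the directory and subscription roles listed at the start of this section.

```hcl
# Added example, not from the Hyperglance documentation: steps 1-5 as Terraform.
# Assumes azuread provider 2.x (attribute names differ in 3.x) and azurerm 3.x,
# with the provider blocks declared elsewhere in the configuration.
data "azurerm_subscription" "current" {}

# Step 1: the app registration. Hyperglance only needs an identity, no redirect URIs.
resource "azuread_application" "hyperglance" {
  display_name = "Hyperglance"
}

# The service principal is the object the role assignments bind to.
resource "azuread_service_principal" "hyperglance" {
  application_id = azuread_application.hyperglance.application_id
}

# Step 3: client secret with a bounded lifetime (90 days); rotate before it expires.
resource "azuread_application_password" "hyperglance" {
  application_object_id = azuread_application.hyperglance.object_id
  display_name          = "hyperglance-collector"
  end_date_relative     = "2160h"
}

# Step 5: Reader at subscription scope is the least-privilege choice; switch to
# "Contributor" only if you need Hyperglance actions such as "Add Tag".
resource "azurerm_role_assignment" "reader" {
  scope                = data.azurerm_subscription.current.id
  role_definition_name = "Reader"
  principal_id         = azuread_service_principal.hyperglance.object_id
}

# Step 5d: extra read-only roles for billing ingestion; delete if not needed.
resource "azurerm_role_assignment" "billing" {
  for_each             = toset(["Billing Reader", "Reader and Data Access"])
  scope                = data.azurerm_subscription.current.id
  role_definition_name = each.value
  principal_id         = azuread_service_principal.hyperglance.object_id
}

# Step 6 inputs. The secret is marked sensitive so apply output does not echo it.
output "subscription_id" { value = data.azurerm_subscription.current.subscription_id }
output "application_id" { value = azuread_application.hyperglance.application_id }
output "client_secret" {
  value     = azuread_application_password.hyperglance.value
  sensitive = true
}
```

    Read the secret with terraform output -raw client_secret when filling in the Key field at step 6; it also lives in the state file, so protect that file like any other credential.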

    Step 6: Configure Hyperglance

    Depending on your network setup, you may need to configure Hyperglance to use a proxy.

    a) In your browser, visit the Hyperglance Settings page at https://[ReplaceWithHyperglanceIP]

    b) Select the 'Azure collector' and click on the 'Add Record' button (if the record window did not appear automatically).

    c) Enter these details:

    i. Account Alias: This can be anything you want but must be unique and should be informative.

    ii. Subscription ID: Enter the 'Subscription ID' you made a note of in step 4

    iii. Application ID: Enter the 'Application ID' you made a note of in step 2

    iv. Key: Enter the 'Secret' you made a note of in step 3

    d) Select 'Submit'

    Deploy Hyperglance Automations for Azure

    Enable Hyperglance to automate, fix and optimize your cloud.

    This repository contains Terraform configurations that deploy an Azure Storage Account and an Azure Function, which you connect to your Hyperglance VM. This gives you the power to automate your cloud and fix configuration issues quickly and easily.

    Pre-Requisites

    Before you can deploy automations you will need:

    1. Terraform CLI - Install instructions
    2. Azure CLI - Install instructions
    3. Func CLI - Install instructions

    Azure role assignments

    This deployment utilizes system assigned managed identities to limit the scope of the Azure function to the subscription it is deployed in.

    To assign Azure roles to a managed identity, you must have:

    • Microsoft.Authorization/roleAssignments/write permissions

    Storage account permissions

    The account under which Hyperglance runs needs to be able to write to the Storage Account used by the automations. This may be achieved by granting Hyperglance the Storage Account Contributor built-in role.

    Quick Start

    If you are deploying to Azure Government, a couple of extra steps must be taken.

    Before logging in, issue the following Azure CLI command:

      az cloud set --name AzureUSGovernment

    Then set an appropriate Government region location in:

      <azure-automations-dir>/deployment/terraform/automations/main.tf

    For example, the contents of the file may look like this:

      module "hyperglance-automations" {
        region                        = "usgovvirginia"
        source                        = "../modules/hyperglance-automations"
        utilised-subscriptions-script = "../../metadata/parse_subscriptions.py"
      }

    1. Follow the pre-requisite steps above.

    2. Connect the Azure CLI to the Azure account that you wish to deploy the function in and set the subscription to use: az login

       Note: Guidance on authenticating to Azure can be found here

       Example:

         az login
         az account set --subscription <subscription name>

    3. Clone our repo or download the zip

         git clone https://github.com/hyperglance/azure-rule-automations.git

    4. Navigate to the terraform deployment directory

         cd azure-rule-automations/deployment/terraform/automations

       Create a file subscriptions.csv listing the subscriptions you want to act on, separated by commas:

         MySubscription, AnotherSubscriptionOfMine, ...

    5. Deploy the stack:

       Terraform will prompt for the region you wish to deploy to and for final confirmation.

         terraform init
         terraform apply

    6. Once complete, the storage account ID and the func command will be returned:

         Apply complete! Resources: 11 added, 0 changed, 0 destroyed.

         Outputs:

         func_command = "func azure functionapp publish hyperglance-automations-legible-buffalo"
         storage_account_resource_id = "/subscriptions/<subscription ID>/resourceGroups/hyperglance-automations-legible-buffalo/providers/Microsoft.Storage/storageAccounts/rii5it09y343"

       The storage account ID is required to configure automations in Hyperglance. The func command is required to deploy the function code to the Azure Function.

       Copy the storage account ID into the Hyperglance UI: Settings ➔ Automations ➔ Azure ➔ Storage Account Resource ID, or visit this URL: https://your-hyperglance-ip/#/admin/automations

    7. Deploy the function code to the function

       Change directory to the root of the repo and execute the func command generated by Terraform:

         cd azure-rule-automations
         func azure functionapp publish <The unique name generated by terraform>

    8. That's it - Automations are now enabled against this subscription!

       • Within Hyperglance click on any rule or visit the Advanced Search page to start exploring automations features.

    Congratulations! You have successfully finished setting up Azure in Hyperglance!


    Having Problems?

    If you run into any issues setting up Hyperglance, please log a support ticket and one of the team will be in touch to give you a hand.