Find out the optimal way to set up Hyperglance, when deploying via the Azure Marketplace
In this article, you'll learn:
About The Hyperglance VM
Deploying to an Azure virtual network (vNet) can be implemented with or without a public IP address assigned to the VM. For security, the recommended deployment option is to deploy without a public IP. In these instructions, only a private IP address is used, and connection to the VM is possible only with a point-to-site VPN, site-to-site VPN, ExpressRoute or a jump box virtual machine which has a public IP address.
This hyperglance virtual machine needs to be able to access various public Azure API endpoints such as https://azure.management.com. Because of that, you should allow outbound traffic from the virtual machine to those addresses. We will achieve this below using azure service tags.
There is a service tag called AzureCloud that allows access to Public Azure IP addresses. You need to add a line in your NSG to allow these IP addresses:
You could also use the 'Internet' service tag:
In this example, the private IP assigned to the Hyperglance VM is 10.0.0.5. You'll need to change this to reflect your deployment.
You'll see some examples above of a network security group in restricted Azure environments. The network security group is associated with a vNet IP subnet and the outbound traffic to the Internet (service tag) is blocked overriding the default AllowInternetOutBound rule.
The Hyperglance virtual machine must be able to connect to https://azure.management.com and other public Azure API service points. The network security group rule AllowHyperglanceOutBound has been created for this connection in the example picture above. Destination is a service tag Internet, the destination could still be several public Azure API service points IP addresses.
Internet traffic can also be routed via on-premises, an Azure Firewall or a virtual appliance firewall on Azure. By default, the Internet outbound traffic is routed via a public Azure IP address space or via a public IP address if this exists in a virtual machine.
If a third-party firewall is used (virtual appliances on Azure, on-premises firewalls, etc.), Azure API endpoints URLs can be whitelisted in advanced firewalls which have URL or FQDN filtering.
Note that blocking the Internet outbound traffic in a network security group does not block UDP port 53 traffic to the Azure DNS resolver IP address 220.127.116.11 (this is good to know if custom DNS servers are not used). This address 18.104.22.168 is used also for some other purposes in Azure.
Get Started in Azure Marketplace
1. Go to the Azure Marketplace go to the Azure portal, select ‘Create a resource’ and search for 'hyperglance'
2. You will be presented with the initial Hyperglance overview. Select 'Plans + Pricing'
3. Choose the resource limit that best fits your environment. Any nodes over the limit will not be shown in Hyperglance and you will be shown a message telling you how many resources Hyperglance has found. If you find you have underestimated the number of resources, you just need to delete the Virtual Machine and provision a higher resource count Virtual Machine.
Once you've chosen your plan, select 'Create'.
5. Go to 'Basics'. A minimum of 2x vCPU and 4GB RAM is recommended.
6. Go to 'Disks'. We recommend leaving the default values.
7. Go to 'Networking'. In this case, a public IP address is not created. Select an existing VNet and subnet or create new ones if needed.
8. Go to 'Management' and choose your options.
9. Go to 'Advanced'. Extensions can be installed later if needed.
10. Go to 'Tags' and any that you are using.
11. Go to 'Review + create', selecting to 'Create'.
12. We recommend changing to a static IP, then saving this setting.
13. This deployment has now associated a new network security group with a network interface with two custom inbound security rules (allow TCP ports 22 and 443 from any). When using a public IP address in a virtual machine, these two custom security rules should be re-configured (source IP restrictions and/or custom ports). When not using a public IP address or not wanting to keep a network security group in a network interface, this new network security group can be dissociated from the network interface and deleted.
14. Make sure you use these instructions to update Hyperglance to the latest version. All user data is retained through an update, including authentication credentials, rules, and tag-view keys.
15. Once the VM has finished deploying, open a browser and enter a URL of https://[ReplaceWithHyperglanceVMIP], e.g. https://10.0.0.5
Depending on your network setup, you may need to configure Hyperglance to use a proxy
16. Accept your browser's security warning, so you can continue to the Hyperglance console.
17. Log in with a username of ‘admin‘. The password will be the computer name of the VM.
The first time you log in you will be asked to enter some Azure account credentials for Hyperglance. Use these instructions if you'd like to change the Hyperglance password.
18. Hyperglance will automatically update to the latest version, assuming you are connected to the internet. If you weren't connected during your setup, make sure you use these instructions to update Hyperglance to the latest version. All user data is retained through an update, including authentication credentials, rules, and tag-view keys.
Azure Collection Setup
In order for Hyperglance to be able to authenticate to the Azure APIs to collect the data it requires. For that to happen, you need to follow some steps that will first create an app, then will assign that app ‘Reader’ access for each subscription you want to bring into Hyperglance.
In this guide, we will walk you through the setup process which consists of the following steps:
- Step 1: Register the Hyperglance app with Azure Active Directory
- Step 2: Find the Application ID
- Step 3: Create a Secret
- Step 4: Find your Subscription ID
- Step 5: Grant roles
- Step 6: Configure Hyperglance
You will need to have a role Global Administrator, Application Administrator or Application Developer in your Azure Active Directory in order to complete these steps if 'Users can register applications' is set to 'No'
You also must be a Service Administrator, Co-Administrator, Owner or User Access Administrator in your subscription in order to complete these steps (in the grant roles step, the minimum role is User Access Administrator).
Step 1: Register the Hyperglance app with Azure Active Directory
a) Log in to your Azure Account through the Azure portal
b) Select 'Azure Active Directory' from the left-hand panel
c) Select 'App registrations'
d) Select 'New registration'
e) Give the application a name, e.g. Hyperglance, then select 'Register'
Step 2: Find the Application ID
a) Select 'App registrations' and you'll be shown the application ID. The same ID can be found also under Enterprise applications.
b) Make a note of the Application ID - you'll need it later
Step 3: Create a Secret
a) Select 'Certificates & secrets'
b) Select 'New client secret'
c) Add a description (optional), select an expiration, then 'Add'
d) Make a note of the new secret value - you'll need it later, and can't go back and retrieve it after
Step 4: Find your Subscription ID
a) In your Azure portal dashboard, select 'All Services' then 'Subscriptions'
b) Make a note of the subscription ID - you'll need this later, too
Step 5: Grant roles
Here we grant the Hyperglance application access to monitor your Azure environment.
To complete these steps, you need to be a Service Administrator, Co-Administrator, Owner, or User Access Administrator
a) To assign a role at the subscription scope, select All Services and Subscriptions again.
And there select your subscription, Access control and click Add (Add a role assignment).
b) Select the role. You should grant either 'Reader' or 'Contributor' role.
- Reader is read-only so you will not be able to use Hyperglance’s management actions such as "Add Tag".
- Contributor allows Hyperglance Actions to work.
c) Click Save to finish assigning the role.
d) If you granted Reader (rather than Contributor), and want Hyperglance to ingest your billing data, then there are additional read-only roles you should add: "Billing Reader" and "Reader and Data Access". [Learn more about required roles for billing ingestion].
Step 6: Configure Hyperglance
Depending on your network setup, you may need to configure Hyperglance to use a proxy
a) In your browser, visit the Hyperglance Settings https://[ReplaceWithHyperglanceIP]
b) Select the 'Azure collector' and click on the 'Add Record' button (if this window below did not automatically appear).
c) Enter these details:
i. Account Alias: This can be anything you want but must be unique and should be informative.
ii. Subscription ID: Enter the 'Subscription ID' you made a note of in step 4
iii. Application ID: Enter the 'Application ID' you made a note of in step 2
iv. Key: Enter the 'Secret' you made a note of in step 3
d) Select 'Submit'
Congratulations! You have successfully finished setting up Azure in Hyperglance!