Hyperglance has options on the Azure Marketplace for 100, 250, 500, 1000, 2000 and 5000 resources. 


First, some basics about the Hyperglance virtual machine. It can be deployed to an Azure virtual network (vNet) with or without a public IP address assigned to the VM. For security, the recommended option is to deploy without a public IP. In these instructions only a private IP address is used, and connection to the VM is possible only with a point-to-site VPN, site-to-site VPN, ExpressRoute or a jump box virtual machine which has a public IP address.


The Hyperglance virtual machine needs to be able to access various public Azure API endpoints such as https://azure.management.com, so you should allow outbound traffic from the virtual machine to those addresses. We will achieve this below using Azure service tags.


There is a service tag called AzureCloud that allows access to Public Azure IP addresses. You need to add a line in your NSG to allow these IP addresses:




Alternatively, you could use the 'Internet' service tag.





See above for typical examples of a network security group in some restricted Azure environments. The network security group is associated with a vNet IP subnet, and outbound traffic to the Internet (service tag) is blocked, overriding the default AllowInternetOutBound rule.


The Hyperglance virtual machine must be able to connect to https://azure.management.com and other public Azure API service points. The network security group rule AllowHyperglanceOutBound has been created for this connection in the example picture above. In that rule the destination is the service tag Internet, although the destination could instead be the IP addresses of several public Azure API service points.

Note: In this example the private IP assigned to the Hyperglance VM is 10.0.0.5; you need to change this to reflect your deployment.

Internet traffic can also be routed via on-premises, an Azure Firewall or a virtual appliance firewall on Azure. By default the Internet outbound traffic is routed via a public Azure IP address space or via a public IP address if this exists in a virtual machine.


If a third-party firewall is used (virtual appliances on Azure, on-premises firewalls, etc.), Azure API endpoint URLs can be whitelisted in advanced firewalls which have URL or FQDN filtering.

Note that blocking the Internet outbound traffic in a network security group does not block UDP port 53 traffic to the Azure DNS resolver IP address 168.63.129.16 (this is good to know if custom DNS servers are not used). This address 168.63.129.16 is used also for some other purposes in Azure.



To start, go to the Azure portal, select ‘Create a resource’ and search for 'hyperglance'.




You will be presented with the initial Hyperglance overview. Select 'Plans + Pricing'



There are currently 6 Hyperglance software plan options, 100, 250, 500, 1000, 2000 and 5000 resources.  A list of what Hyperglance considers a resource can be found here.


Choose the option that best describes your environment. Any nodes over the limit will not be shown in Hyperglance and you will be shown a message telling you how many resources Hyperglance has found. If you find you have underestimated the number of resources, you just need to delete the Virtual Machine and provision a higher resource count Virtual Machine.


Select a software plan and click Create.






Next select the basics of the VM. A minimum of 2x vCPU and 4GB RAM is recommended.





Next Disks, defaults recommended.



Next Networking. In this case a public IP address is not created. Select an existing VNet and subnet or create new ones if needed.




Next Management. Select your options.





Next Advanced. Extensions can be installed later if needed.



Next Tags. Add tags if you are using them.



Next Review + Create. When validation has passed, click ‘Create’.




It is recommended to change to a static IP and save this setting.



This deployment has now associated a new network security group with a network interface with two custom inbound security rules (allow TCP ports 22 and 443 from any). When using a public IP address in a virtual machine, these two custom security rules should be re-configured (source IP restrictions and/or custom ports). When not using a public IP address or not wanting to keep a network security group in a network interface, this new network security group can be dissociated from the network interface and deleted.
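The outbound rule ordering described earlier and the two inbound rules mentioned above can be checked offline before the NSG is changed. This is an added example, not Hyperglance or Microsoft code: the rule list is constructed, the name DenyInternetOutBound and all priorities are assumptions, and each rule is simplified to one address prefix and one port.

```python
import ipaddress

# Constructed sample rules (not copied from the page's screenshot); property
# names follow the NSG securityRules schema, one prefix and one port per rule.
def rule(name, direction, access, priority, src, dst, port):
    return {"name": name, "direction": direction, "access": access,
            "priority": priority, "sourceAddressPrefix": src,
            "destinationAddressPrefix": dst, "destinationPortRange": port}

SAMPLE = [
    rule("SSH", "Inbound", "Allow", 1010, "*", "*", "22"),
    rule("HTTPS", "Inbound", "Allow", 1020, "*", "*", "443"),
    rule("AllowHyperglanceOutBound", "Outbound", "Allow", 100,
         "10.0.0.5", "AzureCloud", "443"),
    rule("DenyInternetOutBound", "Outbound", "Deny", 200, "*", "Internet", "*"),
]

def source_matches(prefix, ip):
    """True if ip falls in prefix ('*', a single address or a CIDR block)."""
    if prefix == "*":
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)
    except ValueError:  # a service tag used as source: not modelled here
        return False

def outbound_verdict(rules, src_ip, dest_tags, port):
    """NSG evaluation: lowest priority number first, first matching rule wins.
    dest_tags is the set of service tags the destination belongs to."""
    outbound = [r for r in rules if r["direction"] == "Outbound"]
    for r in sorted(outbound, key=lambda r: r["priority"]):
        if (source_matches(r["sourceAddressPrefix"], src_ip)
                and r["destinationAddressPrefix"] in dest_tags | {"*"}
                and r["destinationPortRange"] in ("*", str(port))):
            return r["access"], r["name"]
    # No custom rule matched: platform default for Internet destinations.
    return "Allow", "AllowInternetOutBound"

def inbound_open_to_any(rules, ports=("22", "443")):
    """Inbound Allow rules that expose the given ports to every source."""
    return [r["name"] for r in rules
            if r["direction"] == "Inbound" and r["access"] == "Allow"
            and r["sourceAddressPrefix"] in ("*", "Internet", "0.0.0.0/0")
            and r["destinationPortRange"] in ports + ("*",)]

AZURE_API = {"AzureCloud", "Internet"}  # an Azure public endpoint carries both tags
if __name__ == "__main__":
    print(outbound_verdict(SAMPLE, "10.0.0.5", AZURE_API, 443))
    print(outbound_verdict(SAMPLE, "10.0.0.9", AZURE_API, 443))
    print(inbound_open_to_any(SAMPLE))
```

If the allow rule is given a higher priority number than the deny rule, the same check reports the Hyperglance VM as denied, which is the ordering mistake to look for first when collection fails.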






Once the VM has finished deploying, open a browser and enter a URL of https://ip_address_of_Hyperglance_VM. Make sure you use HTTPS as the protocol (not HTTP).


NOTE: Depending on your network setup you may need to configure Hyperglance to use a proxy. See here for instructions


Accept the security warning to go to Hyperglance.



Log in using the username ‘admin’; the password will be the computer name of the VM.


The first time you log in you will be asked to enter some Azure account credentials for Hyperglance.


Note: to change the login password use these instructions.


























Azure Collection Setup


For Hyperglance to authenticate to the Azure APIs and collect the data it needs, follow the steps below, which first create an app and then assign that app ‘Reader’ access for each subscription you want to bring into Hyperglance.


NOTE: If the "Users can register applications" setting is set to No, you will need the Global Administrator, Application Administrator or Application Developer role in your Azure Active Directory to complete these steps. See below:




You also must be a Service Administrator, Co-Administrator, Owner or User Access Administrator in your subscription in order to complete these steps (in the grant roles step, the minimum role is User Access Administrator).


Once this is done you will have the identifiers required for your Azure environment:

  i.  Account Alias (user-defined alias to the given combination of credentials)

  ii.  Subscription ID

  iii.  Application ID

  iv.  Client Secret


We will find these identifiers through the course of this tutorial which consists of the following steps:


Step 1: Register the Hyperglance app with Azure Active Directory

Step 2: Find the Application ID

Step 3: Create a Secret

Step 4: Find your Subscription ID

Step 5: Grant roles

Step 6: Configure Hyperglance


Step 1: Register the Hyperglance app with Azure Active Directory

a. Log in to your Azure Account through the Azure portal.
b. Select Azure Active Directory from the left panel.




c. Select App registrations.



d. Select New registration.





e. Give it a name and click Register.





Step 2: Find the Application ID


Click App registrations and you can then see the application ID.  The same ID can be found also under Enterprise applications.


Copy the Application ID, it will be needed later.


Step 3: Create a Secret


a. Select Certificates & secrets and click New client secret.



b. Add description (not mandatory), select the expiration and click add.



c. Copy the displayed client secret value, it will be needed later. You won't be able to retrieve it after you leave this page.


Step 4: Find your Subscription ID


a. In your Azure portal dashboard select All Services and Subscriptions.



b. Copy the relevant Subscription ID, it will be needed later.


Step 5: Grant roles


Here we grant the Hyperglance application access to monitor your Azure environment.


Note: You can only do this if you are a Service Administrator, Co-Administrator, Owner or User Access Administrator.


a. To assign a role at the subscription scope, select All Services and Subscriptions again. Then select your subscription, select Access control and click Add (Add a role assignment).





b. Select the role.  You should grant either 'Reader' or 'Contributor' role. 

  • Reader is read-only so you will not be able to use Hyperglance’s management actions such as "Add Tag". 
  • Contributor allows Hyperglance Actions to work.


                   



c. Click Save to finish assigning the role.



Step 6: Configure Hyperglance


a. In your browser visit the Hyperglance Admin Panel at https://IP_address. Make sure you use https as the protocol (not http).


b. Select the Azure collector and click on the Add Record button (if this window below did not automatically appear).


c. Fill in the following details:

i. Account Alias – This can be anything you want but must be unique and should be informative.

ii. Subscription ID – See “Step 4: Find Your Subscription ID”

iii. Application ID – See “Step 2: Find the Application ID”

iv. Key – See “Step 3: Create a Secret”


d. Click submit.


NOTE: Depending on your network setup you may need to configure Hyperglance to use a proxy. See here for instructions



Congratulations! You have successfully finished setting up Azure in Hyperglance.