Views:
High availability (HA) prevents network service disruption after a failure stops your virtual appliance from inspecting traffic.
To configure fail-open HA through Azure Marketplace, you must first manually configure the appropriate permissions and roles, and then configure the Azure Function Application.
Azure uses role-based access control/identity access management (RBAC/IAM) to authorize the users and groups who access Azure services and resources. The RBAC/IAM required for HA functionality includes two sets of permissions: one set for deployment and one set for operations.

HA deployment permissions Parent topic

Before you configure operational HA permissions, you must first configure the correct permissions and roles for an HA deployment. Each role you assign to an Azure service or resource consists of three elements:
  • Security principal – user, group, service principal, or managed identity requesting access to Azure resources
  • Role or role definition – indicates which permissions, such as read and write, can be performed by the security principal. Use a Contributor role for any role that does not require permission configuration.
  • Scope – the set of resources being granted access. The levels of scope are management group, subscription, resource group, and resource. You assign roles to any of the scope levels you use.
Learn more about RBAC and Azure roles.
Use the guidelines in the following table to set up your roles and permissions for an HA deployment:
Components / Actions
Security principal
Role
Scope
Required for
Register an App
User
Application Developer
Azure Active Directory subscription
Step 1
Step 2
Add role and assign to App
User
User Access Administrator
Resource Group of Function App
Step 3
Step 4
Step 5
Managed Identity
User
Contributor
Resource Group of Function App
Step 6
Assign role to Identity
User
Contributor
Resource Group of Function App
Step 7
Storage account
User
Contributor
Resource Group of Function App
App service plan
User
Contributor
Resource Group of Function App
Function App
User
Contributor
Resource Group of Function App
App insights
User
Contributor
Resource Group of Function App

HA operational permissions Parent topic

Manually complete the following steps to configure the permissions and roles:

Procedure

  1. Register a new application.
  2. Create a new secret.
  3. Create new custom roles.
  4. Assign the custom roles to the new application account.
  5. Assign a monitoring role to the new application account
  6. Create a Managed Identity.
  7. Assign the Contributor role to the new managed identity.

What to do next

The application registration step and the create a new secret step authorize the HA function to perform its daily operation.

Step 1. Register a new application for the service principal Parent topic

Procedure

  1. From you Microsoft Azure portal, type Azure Active Directory in the search field to navigate to the Azure Active Directory.
  2. In the Azure Active Directory, click App Registrations from the left navigation panel.
  3. On the App Registrations page, click the New Registrations tab.
  4. In the Name field, type a name for the application, which you can change at any time.
  5. Click Register. Your application will now be listed on the App Registrations page.

Step 2. Create a new secret Parent topic

Procedure

  1. From you Microsoft Azure portal, type Azure Active Directory in the search field to navigate to the Azure Active Directory.
  2. Click App Registrations from the left navigation panel.
  3. From the list of applications, click your application.
  4. From the left navigation panel, click Certificates & secrets.
  5. Click New client secret.
  6. In the Add a client secret popup, add a description for the secret (for example, MySecret), select an expiration time that best fits your environment, and click Add.
  7. Under the Client secrets panel, you can verify the secret that you just generated. Click the copy icon to the right of the secret to copy the secret to your clipboard for pasting.

Step 3. Create new custom roles Parent topic

Procedure

  1. From you Microsoft Azure portal, type Resource groups in the search field to navigate to the Resource groups page.
  2. In the Filter by name field, enter the name of your resource group, and then select that group.
  3. Click Access Control (IAM).
  4. Click Add Add Custom Role.
  5. On the Create a Custom Role page, enter a name for the role and an optional description under the Basics tab.
  6. Under the Permissions tab, click Add Permissions to add the following permissions for scale set deployments.
    For Scale Set deployments without Gateway Load Balancer:
    • For an appliance resource group, search for these operational permissions:
      • Microsoft.Network/loadBalancers/read
      • Microsoft.Insights/Metrics/Read
      • Microsoft.Compute/virtualMachineScaleSets/read
      • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
      • Microsoft.Compute/virtualMachineScaleSets/virtualmachines/restart/action
    • For a connected VNet resource group, add these operational permissions:
      • Microsoft.Network/virtualNetworks/subnets/read
      • Microsoft.Network/virtualNetworks/subnets/write
      • Microsoft.Network/routeTables/read
      • Microsoft.Network/routeTables/write
      • Microsoft.Network/routeTables/routes/write
      • Microsoft.Network/routeTables/join/action
    For Gateway Load Balancer deployments:
    • For an appliance resource group, search for these operational permissions:
      • Microsoft.Network/loadBalancers/read
      • Microsoft.Insights/Metrics/Read
      • Microsoft.Compute/virtualMachineScaleSets/read
      • Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
      • Microsoft.Compute/virtualMachineScaleSets/virtualmachines/restart/action
      • Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action
    For a connected public load balancer group, add these operational permissions:
    • Microsoft.Network/loadBalancers/read
    • Microsoft.Network/loadBalancers/write
    • Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action
    • Microsoft.Network/publicIPAddresses/join/action
  7. Click Next. Under the Assignable scopes tab, click Add assignable scopes.
  8. From the Add assignable scopes page, search on and click the resource groups you want to add as assignable scopes. Click Add.
  9. Click Next. Under the Review + create tab, click Create.

Step 4. Assign the custom roles to the new application account Parent topic

Procedure

  1. From the **Resource Groups ** page, select your resource group name, and click Access Control (IAM).
  2. Under the Roles tab, enter a name in the Name field and select CustomRole from the Type field.
  3. For each resource group, click Access Control (IAM), click Add, and then select Add role assignment.
  4. Select your role name and your APP name that you created in step 1.
  5. In the Assign access to field, select the user, group, or service principal, and then click Save.

Step 5. Assign a monitoring role to the new application account Parent topic

Procedure

  1. From the Resource Groups page, select your resource group name, and click Access Control (IAM).
  2. For each resource group, click Access Control (IAM), click Add, and then select Add role assignment.
  3. Select the Monitoring Metric Publisher role and your APP name that you created in step 1.
  4. In the Assign access to field, select the user, group, or service principal, and then click Save.

Step 6. Create a managed identity Parent topic

Procedure

  1. From you Microsoft Azure portal, type Managed Identities in the search field to navigate to the Azure Active Directory.
  2. Click Add.
  3. Select an existing resource group or click Create new under Subscription Resource Group.
  4. Specify a name in the Name field and click Create.

Step 7. Assign a role to the new identity Parent topic

Procedure

  1. From the Microsoft Azure portal, type Resource groups in the search field to navigate to the Resource groups page.
  2. Select the resource group from which you want to deploy your Function App.
  3. Click Access Control (IAM).
  4. Click Add Add role assignment.
  5. Select Contributor from the dropdown menu and then select your managed identity to which the role will be applied.
  6. Click Save.

Launch HA from Azure Marketplace Parent topic

Note
Note
If you launched the HA function before September 5th, 2023, we recommend that you delete your previously deployed function and relaunch a new HA function to update your Python runtime to version 3.10. Use the following steps to make this update:
To manually update Python runtime to 3.10 in Azure Marketplace:

Procedure

  1. From the Microsoft Azure portal, type Resource groups in the search field to navigate to the Resource groups page.
  2. Select the resource group from which you want to deploy your Function App.
  3. From the list of resouces for this function, delete the following resource types:
    • Application Insights
    • App Service plan
    • Function App
  4. Follow the steps below to launch the new HA function that includes the latest Python runtime version.

Launch HA Parent topic

To complete HA configuration, use the steps below to deploy an ARM template with all the compiled parameters, and then combine this template with Azure UI components to launch it as a product.

Procedure

  1. Open your account on Microsoft Azure Marketplace.
  2. Search for Trend Micro Cloud One – Network Security.
  3. Next to Select a plan, choose Network Security High Availability, and then click Create.
  4. Under the Basics tab:
    1. Select the resource group from which you want to deploy your Function App (the same group you specified in Assign the Contributor role to the new managed identity).
    2. Under Instance details, select a region, provide a name for the Function App, specify the URL for the App source code (or use the default), and select the identity you created in Create a Managed Identity.
  5. Under the Hosting and Monitoring tab:
    1. Specify an existing storage account, or create a new one. Only general purpose accounts are supported. Zone-redundant replication is not supported. For more information, refer to Storage account requirements.
    2. Specify an existing Consumption plan, or create a new one. This is useful if you have no other hosting plan deployed that can be shared. For more information, refer to Azure Function scale and hosting and Estimating Consumption plan costs.
    3. Specify an existing Application Insights, or create a new one.
  6. Under the App parameters tab:
    1. Specify the same application you created in Register a new application. If you decide to create a new application instead, you must again complete the other manual steps for configuring the permissions and roles.
    2. You must specify a load balancer. If you are using an Azure Application Gateway for your deployment, you must specify an application gateway.
      Note
      Note
      If you select a Gateway Load Balancer, you do not need to select an Application Gateway or Firewall.
    3. If you are using a firewall for your deployment, you must specify the firewall type. Select Azure Firewall, or select Third-party firewall if your deployment uses a third-party firewall instead of an Azure firewall.
  7. Under the Associate resources tab:
    • For Scale Set deployments without Gateway Load Balancer:
      • Enter the resource ID of the route tables. Click on the Properties of the associated route table to find the route table resource ID.
      • Enter the resource ID of the subnets associated with that route table. Click on the Properties of the associated subnet to find the subnet resource ID.
        Note
        Note
        Resource IDs must be provided for all connected subnets, including Application Gateway and firewall subnets.
    • For Gateway Load Balancer deployments:
      • Enter the resource ID for the public load balancer.
      • Enter the resource ID for the public load balancer frontends that are associated with the gateway load balancer. Steps to find the public load balancer fronted resource ID can be found here.
  8. Under the Review + create tab, verify that all the information you have configures is correct and click Create.

Manual Fallback Parent topic

Manually place your virtual appliances in fallback mode by enabling this setting.

Verifying HA in Azure Parent topic

Use these steps to verify that HA is functioning in Azure. These steps are optional during deployment but should be used to verify that HA is enabled and working before you upgrade any of your virtual appliances.

Scale Set Appliances Parent topic

It is important to upgrade your appliances one at a time if you have Azure scale sets enabled in your environment. Follow the steps below to verify if your Azure deployment includes HA Fail Over functionality:

Verify the Resource Group, VM Name and Scale Set: Parent topic

Procedure

  1. Log in to Network Security.
  2. Navigate to ApplianceAll Appliances[Appliance name].
  3. In the General tab, check the Version in the Appliance section**.**
  4. On the same page, check the Resource Group, VM Name in the Instance section.

Verify the Load Balancer name: Parent topic

Procedure

  1. In the management console, navigate to Resource Groups page, and click the resource group that the VM Scale Set or the VM Scale Set with Gateway Load Balancer created during deployment.
  2. Under Resources, enter Virtual Machine Scale Set for type to filter your search results and find your scale set.
  3. Click Instances on the left panel. Select the instance being used to locate the load balancer name.
  4. On the Scale Set instance page, click Networking on the left panel.
  5. Using the tabs at the top, navigate to dataport > Load Balancing to check the name of the Load Balancer.

Check the HA Function App: Parent topic

Procedure

  1. Navigate to the Resource Groups page on the management console, and click the Resource Group that needs HA verification.
  2. In this Resource Group, select type as Function App, find your HA function, and click the Azure function.
  3. Click Configuration from the Settings section on the left panel.
  4. Under Application settings, click LOAD_BALANCER_ID.
  5. Check the value. The end of the value should be .undefined.Network/loadBalancers/[Load Balancer Name]. If the [Load Balancer Name] is the same as your appliance load balancer name, then HA is enabled.