Requirements for Managed Detection and Response for Microsoft Azure
Virtual IDS appliance requirements
The following information provides requirement information to install an Alert Logic IDS virtual appliance in an Azure environment.
Virtual IDS appliance
Use the following information to determine your virtual machine size requirements.
Throughput calculation
Use the following calculation to get the virtual appliance throughput requirements. The result of this calculation will provide you with the information you need to determine the correct instance type size to select during the installation procedure.
To calculate throughput requirements:
- Identify each virtual server that Alert Logic will protect.
- For the first virtual server to protect:
- Log in to the Azure portal.
- Select Virtual Machines from the left navigation panel.
- Click the virtual server name in the list.
- Click Monitor.
- Identify the Total utilization for Network In and Network Out.
- Add these numbers together. This is the networking utilization for the first virtual server.
- Complete these steps for each virtual server you want Alert Logic to protect.
- When you have the total networking utilization calculated for each virtual server, add these numbers together. This is the estimated throughput requirement for your virtual appliance. Select your instance type size based on this calculation.
Instance type sizes
The following table shows the select compute instance types that Alert Logic runs in Azure.
| Instance type | Cores | Memory (GB) |
IDS Performance |
|---|---|---|---|
| Small (A1) | 1 | 1.75 | ~ 22 Mbps |
| Medium (A2) | 2 | 3.5 | ~ 47 Mbps |
| Large (A3) | 4 | 7 | ~ 94 Mbps |
| Extra Large (A4) | 8 | 14 | ~172 Mbps |
The actual performance for your deployment depends on factors such as request size, complexity, and the ratio of inbound to outbound traffic. The Small (A1) instance type provides about 22 Mbps and is primarily used for test deployments and low-traffic web applications.
Microsoft Azure endpoints
All virtual machines you create in Azure use a private network channel to automatically communicate with other virtual machines in the same cloud service or virtual network. However, to allow inbound network traffic from Alert Logic, you must add endpoints and Access Control List (ACL) entries to your virtual machine.
For more information, see Microsoft's documentation about endpoints.
Alert Logic supports HTTP and HTTPS traffic on alternate ports. For simplicity, these instructions assume the default ports 80 and 443 for HTTP and HTTPS traffic.
Create the following endpoints and ACL entries for Alert Logic in Azure.
| Endpoint | ACL entry | Protocol | Description |
|---|---|---|---|
| 22 | 204.110.219.96/27 | SSH | Secure shell (Alert Logic primary data center) |
| 22 | 204.110.218.96/27 | SSH | Secure shell (Alert Logic DR data center) |
| 4849 | 204.110.219.96/27 | HTTPS | Appliance management (Alert Logic primary data center) |
| 4849 | 204.110.218.96/27 | HTTPS | Appliance management (Alert Logic DR data center) |
| 443 | 0.0.0.0/0 | HTTPS | HTTPS traffic |
| 80 | 0.0.0.0/0 | HTTP | HTTP traffic |
Azure virtual networks
Alert Logic appliances and Azure web servers must be located in the same virtual network. Since each virtual network is run as an overlay, only virtual machines and services that are part of the same network can access each other. Services outside the virtual network have no way to identify or connect to services hosted within virtual networks, unless specific ACL entries are added for external Internet sources.
Geo-redundant replication
Enable Geo-redundant replication when you set up your Azure environment. With this option enabled, Azure replicates your data to a secondary location within the same region. When you create, update, or delete data in your storage account, the transaction is fully replicated to the secondary location. In the event of a major disaster that affects the primary storage account location, Azure first attempts to restore the primary location. If this is not possible, Azure updates the storage account DNS name to point to the secondary location.
Traffic encryption (Managed WAF)
Alert Logic supports Secure Sockets Layer (SSL) end-to-end encryption (required for HIPAA compliance). If SSL encryption is required all the way to the backend server, configure the appliance to re-encrypt traffic before forwarding it to the server. This is easily done by selecting SSL both for inbound and outbound traffic when configuring the website in the Alert Logic console.
HTTPS support (Managed WAF)
To support multiple HTTPS websites on one instance, the Server Name Indication (SNI) option must be used, or you must use a wild-card certificate that covers all websites. Some older unsupported browsers such as Internet Explorer on Windows XP do not support SNI.