Installing DSG on Azure
This section provides information on launching a Data Security Gateway (DSG) virtual machine (VM) on the Microsoft Azure platform.
The Microsoft Azure platform is a set of cloud-based computing services, which include computing services, virtual machines, data storage, analytics, networking services, and so on.
Prerequisites
This section describes the prerequisites for launching the DSG on Azure. It also includes the details for the network prerequisites and hardware requirements for the DSG.
Ensure that the following prerequisites are met before launching the DSG on Azure:
Ensure that an ESA 10.1.0 is installed.
For more information about installing the ESA 10.1.0, refer to the sections Installing Appliance On-Premise and Installing Appliances on Cloud Platforms.
Ensure that Policy Management (PIM) has been initialized on the ESA. The initialization of PIM ensures that cryptographic keys for protecting data and the policy repository have been created.
For more information about initializing the PIM, refer to section Initializing the Policy Management.Ensure that the FIPS mode is disabled on the ESA.
Ensure that Analytics component is initialized on the ESA. The initialization of Analytics component is required for displaying the Audit Store information on Audit Store Dashboards.
For more information about initializing Analytics, refer Initializing Analytics on the ESA.An Azure account is available with the following information:
- Sign in URL for the Azure account
- Authentication credentials for the Azure account
Ensure that the DSG BLOB is available in the storage account that will be selected to create the disk and the VM.
Audience
This section contains information for stakeholders who are interested in understanding how to create, launch, and install a DSG instance on Azure.
It is recommended that you possess working knowledge of the Azure Platform and knowledge of related concepts.
For more information about Azure concepts, refer to the Azure documentation at: https://docs.microsoft.com/en-us/azure/
Hardware Requirements
This section describes the hardware and software requirements for the DSG.
As the DSG is hosted and run on Azure, the hardware requirements are dependent on the configurations provided by Azure.
For reference, the following list describes the minimum hardware requirements for the DSG:
- CPU: 4 Cores
- RAM: 16 GB
- Disk Size: 64 GB
- Network Interfaces: 2
The hardware configuration required might vary based on the actual usage or amount of data and logs expected.
Network Requirements
This section explains the network requirements for the DSG in Azure.
It is recommended that the DSG on Azure is provided with the Azure Virtual Network environment.
For more information about the Azure Virtual Network, refer to the Azure documentation at https://docs.microsoft.com/en-us/azure.
Ensure that two Network Interface Cards (NICs) are added during the DSG instance creation on Azure.
For more information about the network interface requirements, refer to the section Network Planning.
The Data Security Gateway must be configured with the following two network interfaces:
- Management Interface - This interface is used for communication between the ESA and the DSG, and accessing the DSG Web UI.
- Service Interface - This interface is used for handling the network traffic traversing through the DSG.
Backing Up and Restoring the DSG Instance Snapshot on AWS
This section provides information on backing up the DSG instance on Azure. It is recommended that a snapshot of the DSG instance is taken such that it can be restored in the event of a failure.
You can create a backup for a virtual machine by using either of the following two Linux VM Agent methods:
- Creating snapshots of the disk
- Using Recovery Services Vaults
For more information about enabling backup using the Linux VM Agent methods, refer to the section Working with Linux VM Agent.
For more information about creating a backup for a virtual machine, refer to the Azure documentation at https://docs.microsoft.com/en-us/azure.
Note: If you are using the Create a new VM restore option provided by Microsoft Azure to restore a DSG VM instance, then the Service IP of the restored DSG VM instance must be updated. The Service IP of the DSG VM can be updated by using the steps provided in the section Configuring the Second Network Interface.
Installing the DSG on Azure
This section provides information for the steps required to launch and install the Data Security Gateway (DSG) instance from a BLOB provided by Protegrity.
Ensure that the installation order provided in the table is followed.
| Order of installation | Description | Affected Appliance | Reference |
|---|---|---|---|
| 1 | Create a Disk from a BLOB. | DSG | Creating Image from the DSG BLOB |
| 2 | Create a VM from a Disk. | DSG | Create a VM from the Image |
| 3 | Adding the Second Network Interface. | DSG | Adding the Second Network Interface |
| 4 | Finalize the DSG Installation. | DSG | Finalize the DSG Installation |
| 5 | Configuring the Second Network Interface. | DSG | Configuring the Second Network Interface |
| 6 | Configure the Default Gateway for the Management NIC using the DSG CLI Manager. | DSG | Configuring Default Gateway for Management NIC (ethMNG) using the DSG CLI Manager |
| 7 | Configure the Default Gateway for the Service NIC using the DSG CLI Manager. | DSG | Configuring Default Gateway for Service NIC (ethSRV0) using the DSG CLI Manager |
| 8 | Create a Trusted Appliance Cluster (TAC) on the DSG | DSG | Create a TAC on DSG |
| 9 | Update the host details of ESA on DSG. If the DNS and name server is properply configured then this step is optional. | DSG | Updating the host details |
| 10 | Create a Trusted Appliance Cluster (TAC) on the ESA | ESA | Create a TAC on ESA |
| 11 | Update the host details of DSG on ESA. If the DNS and name server is properply configured then this step is optional. | ESA | Updating the host details |
| 12 | Note the FQDN or the IP address of the ESA node. | ESA | Ascertaining the host address in the ESA server certificate |
| 13 | Set ESA communication between the DSGs and ESA. | DSG | Set communication |
| 14 | Note the FQDN or the IP address of the DSG node. | DSG | Ascertaining the host address in the DSG server certificate |
| 15 | Apply the DSG v3.3.0.0 patch (ESA_PAP-ALL-64_x86-64_10.1.0.xxxx-DSGUP.pty) on the ESA v10.1.0. Before applying a patch on the ESA, it is recommended to take a full OS backup from the ESA Web UI. For more information about taking a full OS backup from the ESA Web UI, refer Backing up the Appliance OS. | ESA | Extending ESA with DSG Web UI |
| 16 | Optional: Add the other DSG nodes to the existing Trusted Appliance Cluster from the Cluster tab. | DSG | Adding a DSG node |
| 17 | Optional: Add the other ESA nodes to the existing Trusted Appliance Cluster from the TAC screen. | ESA | Adding a ESA node |
| 18 | Perform the post-installation steps. | ESA | Post Installation Steps |
| 19 | Enable Scheduled Tasks on Insight | ESA | Enabling Scheduled Tasks on Insight |
| 20 | Configure the DSG to forward the logs to Insight on the ESA. | DSG | Forwarding Logs to Insight |