Two virtual appliances (VAs) are required per Umbrella site. It is critical that these VAs are not cloned or copied in any way. Each VA must be set up and configured manually.
- If you are using the VA on Azure as a DNS server for your on-premise endpoints, then DNS traffic from these endpoints should not traverse through a Network Address Translation (NAT) device en route to the VA. The VA should receive DNS packets with the source IP as the internal IP of the endpoints. An ExpressRoute or dedicated MPLS or site-to-site VPN connection from your on-premise environment to Azure will meet this requirement.
- A system running Windows 10 with the Hyper-V role enabled to convert VHD images to an Azure-acceptable format.
- Only VAs running version 2.4 or above can be deployed in Microsoft Azure.
- Prepare the virtual appliance image on Azure. This is a one time task.
- Launch the virtual appliance on Azure. Perform this task for each VA after you have performed the one-time task of preparing the VA image.
This is a one-time task to create an image in Azure that can be used to launch multiple VAs.
Note: Generation 2 VMs are not supported for VA deployments.
Before you begin, perform the following:
- Add internal.cloudapp.net to their internal domains list for VAs.
- Unless you are using your own DNS server in Azure, you should configure 184.108.40.206 as the local DNS server in the VA settings. This is the virtual IP used by Azure for recursive and local DNS queries.
a. Navigate to Deployments > Configuration > Sites and Active Directory and click Download.
b. Click Download for VA for Hyper-V.
Umbrella generates and downloads to your computer a .tar file unique to your deployment.
This tar file includes:
- a .zip file containing the virtual hard disks that need to be deployed on Azure
- a signature file
- a Cisco public certificate to validate the signature
- a readme file
c. Extract the contents of the tar file using the command
tar –xvf <tar filename> -C <Destination folder>.
To verify the integrity of the downloaded file, validate the signature by following the instructions provided in the readme file. On successful signature validation, you should see a message saying “Verified OK."
d. Extract the downloaded zip file. You'll find two folders—Virtual Hard Disks and Virtual Machines—and a config file.
e. Open Windows PowerShell as Administrator, navigate to the Virtual Hard Disks folder and convert the vhd files in this folder to a fixed type format acceptable by Azure:
- Convert-VHD -Path .\forwarder-va.vhd -DestinationPath forwarder-fixed.vhd -VHDType fixed
- Resize-VHD .\forwarder-fixed.vhd -SizeBytes 8GB
Conversion free disk space requirements
Conversion requires at least 9GB of free disk space to create the modified disks. The new forwarder-fixed.vhd will consume approximately 8GB of space. Machines with less than 9GB of space will fail to convert with a red error message.
f. Upload the forwarder-fixed.vhd and dynamic.vhd to a blob in your Azure storage account using the Azure portal or the AZ CLI.
Note: This is a one-time upload.
g. Create an image in Azure from these virtual hard disks using the Azure portal.
Use the forwarder-fixed.vhd as the OS disk (OS type: Linux) and the dynamic.vhd as the data disk.
Note: Ensure that Host caching for both the OS disk and data disk is set to ‘Read/write’. Generation 2 VMs are not supported for VA deployments, so ensure that the VM Generation is set to ‘Gen 1’.
h. Once the VA image is created in Azure, use this image to launch multiple VAs. For more information, see Step 2. Launch the Virtual Appliance on Azure.
Note: Before performing this task, you must complete the one-time task of preparing the VA image on Azure.
a. Use the Azure portal to launch Umbrella VAs in Azure using the VA image you created in Step 1. Prepare the Virtual Appliance Image on Azure:
- Choose a VM size with at least one VCPU and 1024 MB RAM.
Note: VM sizes above eight VCPUs are not supported.
- For the Administrator account, set the Authentication type to Password.
Note: It is a security risk to specify a public IP address for the VA, and is not recommended except in case of SNAT port exhaustion issues. If you need to configure a public IP for the VA on Azure for these issues, ensure that inbound access from the Internet is not permitted. For more information, see Troubleshoot Intermittent DNS Resolution Failures on a VA Deployed in Azure.
- Provide the username as vmadmin and enter a password that meets complexity requirements.
Note: The admin-password you create here is not actually set on the VA.
b. You may also use the Azure Cloud Shell to launch VAs in Azure using the VA images you created in Step 1. Prepare the Virtual Appliance Image on Azure. Note that VM sizes above eight VCPUs are not supported.
You may specify the static IP as part of the command. For example:
az vm create --resource-group MyResourceGroup --size Standard_B2s --name UmbrellaVA
--image VAImage --authentication-type password --admin-username vmadmin
--admin-password <password> --vnet-name MyVnet --subnet MySubnet
c. In Umbrella, navigate to Deployments > Configuration > Sites and Active Directory.
You should see the VA listed here.
d. Use the same image to launch multiple VAs as required. Provide a different name and different static IP for each VA.
Note: If you do not specify the private IP address, the VA will automatically pull a DHCP IP and register to Umbrella with this IP address. This IP address will be listed as the VA name on Umbrella's Sites and Active Directory page.
It is not recommended to turn on Diagnostic Settings (Guest-level monitoring) or install any extension for a VA on Azure. Enabling diagnostics results in huge log files being generated on the VA, which causes the VA to run out of disk space.
If your VA on Azure is reporting disk space issues, navigate to the Settings > Extensions page against your VA on the Azure portal and remove any extensions. Also, navigate to the Monitoring > Diagnostic Settings page against your VA on the Azure portal and verify that Guest-level monitoring is turned off.
Updated 4 months ago