Whether you are new to both InsightVM and Azure or an old hand at both, this post will walk you through everything needed to scan your assets in Microsoft's cloud.
Keeping up with changes in your environment is hard. Getting visibility into risk in your modern infrastructure should be easier. Recently, we gave InsightVM the ability to discover assets, import Azure tags, and automatically clean up decommissioned assets with Azure Asset Discovery. You might have also considered deploying Insight Agents as part of VMs in Azure for effortless visibility. And, if you’ve been scanning in Azure for some time, you are likely familiar with the pre-built Scan Engine in the Azure Marketplace.
We’re pleased to share the availability of a Security Console image in the Azure Marketplace, ready-to-deploy to make it easier to keep up with your dynamic environment.
If you are new to Azure, we recommend starting with Part 0 below, which includes resources to get started. Otherwise, skip to Part 1 for product-specific instructions.
Part 0: Introduction to Azure
If you need a refresher on some aspects of Azure management, these links should provide a bit of extra context:
Additionally, we recently added easy Azure asset discovery to InsightVM, detailed here.
Part 1: Provisioning an InsightVM Console
To begin, you will need a license for InsightVM or Nexpose to be able to fully deploy the Console. While you can create your own Linux machine and manually install InsightVM, we recommend deploying from the Marketplace, found here (link coming soon). To configure the Console, you must:
- Create a new InsightVM Console, either manually installed or provisioned from the Marketplace.
- Apply your license to the Console before attempting to pair a Scan Engine.
- Find the resource group into which you deployed the Console, and then select the network security group.
- Lock down the network security group so that inbound traffic to ports 22 and 3780 is allowed only from the IPs that need to reach the Console; otherwise the Console will be open to the world.
- If pairing from Engine to Console, open inbound port 40814 as well.
Part 2: Provisioning an InsightVM Scan Engine
As mentioned in Part 1, we recommend using the Marketplace listing for the Scan Engine. When creating a Scan Engine instance, you will want to ensure that it is in the same virtual network as the assets you wish to scan, or that the network security groups allow the Engine to scan into that network. Additionally, be sure that:
- Port 40814 is open in the direction of pairing, either Console to Scan Engine or vice versa.
- You have SSH access to the Scan Engine (port 22 is open inbound to the Scan Engine network security group).
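The network security group guidance in Parts 1 and 2 is easy to get wrong on the source side of a rule, so here is an added check (not from the original post) that flags any of the three ports named above that an NSG leaves reachable from anywhere. The rule shape is modelled on the securityRules array printed by `az network nsg show -o json` (an assumption), and the sample NSG is constructed for illustration.

```python
# Added example (not from the post): flag Console/Engine ports an Azure NSG
# leaves open to the world. Rule shape follows the securityRules array of
# `az network nsg show -o json` (an assumption); the sample NSG is constructed.
WORLD = {"*", "internet", "0.0.0.0/0"}
# Ports the post has you open: SSH, Console web UI, Scan Engine pairing.
SENSITIVE_PORTS = {22: "SSH", 3780: "Console UI", 40814: "Engine pairing"}

def _ports(rule):
    """Yield sensitive ports covered by destinationPortRange(s): '22', '1-65535', '*'."""
    for r in rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]:
        if r == "*":
            yield from SENSITIVE_PORTS
            continue
        lo, _, hi = r.partition("-")
        yield from (p for p in SENSITIVE_PORTS if int(lo) <= p <= int(hi or lo))

def _from_world(rule):
    srcs = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    return any(s.lower() in WORLD for s in srcs)

def find_world_open_ports(nsg):
    """Return {port: [rule names]} for inbound Allow rules reachable from anywhere."""
    # Walk rules by ascending priority so an earlier any-source Deny shadows a later Allow.
    findings, denied = {}, set()
    for rule in sorted(nsg["securityRules"], key=lambda r: r["priority"]):
        if rule["direction"].lower() != "inbound" or not _from_world(rule):
            continue
        for port in set(_ports(rule)):
            if rule["access"].lower() == "deny":
                denied.add(port)
            elif port not in denied:
                findings.setdefault(port, []).append(rule["name"])
    return findings

# Constructed sample: an admin rule left at source "*", a correctly scoped
# pairing rule, and Azure's default DenyAllInBound at the lowest priority.
SAMPLE_NSG = {"securityRules": [
    {"name": "console-admin", "priority": 100, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRanges": ["22", "3780"]},
    {"name": "engine-pairing", "priority": 110, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "10.10.1.0/24", "destinationPortRange": "40814"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]}

if __name__ == "__main__":
    for port, rules in sorted(find_world_open_ports(SAMPLE_NSG).items()):
        print(f"port {port} ({SENSITIVE_PORTS[port]}) is open to the world via {rules}")
```

Running it against the sample reports ports 22 and 3780 via the console-admin rule, while the /24-scoped pairing rule on 40814 passes.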
Part 3: Pairing the Scan Engine with the Console
Now that you've opened the ports mentioned above, you should be able to follow the steps here to pair the Scan Engine to the Console.
Part 4: Setting up an Azure Discovery Connection
Asset discovery and inventory management are easy with the Azure Discovery Connection. It automatically discovers Azure instances and keeps them in sync between Azure and the Security Console. You can also keep Azure tags in sync.
Have questions? Feel free to comment here or reach out to support! Want to give InsightVM a test run? Take advantage of our free trial here.