Deploy a VHD on Azure

You can deploy a Privileged Access Manager instance in the cloud on Azure.
Prerequisites
  • Procure a subscription to Azure.
  • Download the Privileged Access Manager Azure VHD from the Broadcom Support site to your local environment. If the VHD is compressed, such as a .gz file, uncompress it to VHD before you upload it.
  • Before you can configure Azure settings in PAM, a Privileged Access Manager license file is required. CA Technologies provides customers with instructions for obtaining license files with the VHD download. You have to deploy the Azure virtual machine to get the Hardware ID necessary to create the license file. After you access the VM, you can request the license.
Create a Resource Group
In Azure, a Resource Group is a logical folder for all the resources you create, including Disks, Storage Accounts, VMs, and Network Security Groups. If your organization limits the ability to manage Resource Groups, reach out to your Azure Administration Team for assistance.
To create a Resource Group, follow these steps:
  1. Log in to Azure with an account with permission to create a Resource Group.
  2. In the Azure UI, select Resource Groups from the Azure services menu at the top of the screen (highlighted in the following screen capture):
  3. Select the + Add button in the top left of the Resource Groups screen.
  4. Complete the fields on the Create a resource group screen that opens.
  5. Select Review and create.
  6. Verify that the resource group information is correct and select Create.
Create a Storage Account
To create a Storage Account, follow these steps:
  1. Return to the Azure home screen and select Storage Accounts from the Azure services menu at the top of the screen.
  2. Select the + Add button in the top left of the Storage accounts screen that opens.
  3. On the Create Storage Account screen, provide the following information:
    • For Resource group, select the drop-down menu and select the resource group that you created in the previous procedure. If you do not see your resource group, you can search for it by typing in the Select existing field at the top of the list of existing resource groups.
    • The Storage account name, which must be 3 to 24 characters long and contain only lowercase letters and numbers.
    • (Optional) Specify the Location of the storage account, which can be different from the location of the resource group.
  4. Select Review and create.
  5. Verify that the storage information is correct and select Create.
  6. The storage account is deployed and added to the list on the Home, Storage Accounts screen.
  7. Select your new storage account from the list. You must select the Refresh button.
  8. Select Containers from the Blobs section in the left rail. The Containers pane opens.
  9. Select + Container to create a storage container in the storage account. A New Container panel opens on the right of the screen.
  10. In the New Container panel, enter a Name for the new container and select Create. The container name can only contain lowercase letters, numbers, and hyphens, and must begin with a letter or a number. Each hyphen must be preceded and followed by a non-hyphen character. The name must also be from 3 through 63 characters long.
  11. On the Containers screen, select the name of your new container (not the checkbox to its left). A screen showing the container properties opens.
  12. Select Upload and select the Privileged Access Manager VHD image and upload it to Azure.
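The naming rules that this procedure states for the Storage account name and the container name can be checked before you type them into the portal. The following is an added example, not part of the product documentation; the function names and the sample names are hypothetical, and only the rules written in the steps above are enforced.

```python
# Pre-flight check of the naming rules stated in the Storage Account procedure.
# Function names and sample values are hypothetical (constructed for this example).
import re


def check_storage_account_name(name: str) -> list:
    """Return the violated rules for a Storage account name (empty list = valid)."""
    problems = []
    if not 3 <= len(name) <= 24:
        problems.append("length must be 3 to 24 characters")
    if not re.fullmatch(r"[a-z0-9]*", name):
        problems.append("only lowercase letters and numbers are allowed")
    return problems


def check_container_name(name: str) -> list:
    """Return the violated rules for a container name (empty list = valid)."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("length must be 3 through 63 characters")
    if not re.fullmatch(r"[a-z0-9-]*", name):
        problems.append("only lowercase letters, numbers, and hyphens are allowed")
    if name and not name[0].isalnum():
        problems.append("must begin with a letter or a number")
    # A hyphen at either end, or two in a row, lacks a non-hyphen neighbour.
    if name.startswith("-") or name.endswith("-") or "--" in name:
        problems.append("each hyphen must be preceded and followed by a non-hyphen character")
    return problems


if __name__ == "__main__":
    # Constructed sample names, not values from any real subscription.
    samples = [
        ("storage account", check_storage_account_name, "pamvhdstore01"),
        ("storage account", check_storage_account_name, "PAM-vhd-store"),
        ("container", check_container_name, "pam-vhd"),
        ("container", check_container_name, "pam--vhd-"),
    ]
    for kind, check, name in samples:
        problems = check(name)
        status = "OK" if not problems else "; ".join(problems)
        print(f"{kind} name {name!r}: {status}")
```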
Create a Network Security Group
Next, create a Network Security Group in Azure.
Follow these steps:
  1. Enter “Network Security Group” in the search field at the top of the Azure portal.
  2. Select Network Security Group.
  3. On the Network Security Group page that opens, select the +Add button to add a new Network Security Group.
  4. For Resource Group, select a Resource Group.
  5. Provide a Name for the Network Security Group.
  6. For Region, select the same location as your storage account.
  7. Select Review + create.
  8. Select Create.
  9. Once the deployment is complete, select Go to resource.
  10. Select Inbound security rules on the left panel.
  11. Select the +Add button.
  12. On the Add inbound security rule page that opens, add rules for ports that you want to open. See Default Ports for Credential Manager for more information about which ports to open.
  13. Select the Add button to commit the changes and create the Network Security Group.
Create a Virtual Network
Next, create a virtual network in Azure.
Follow these steps:
  1. Enter Virtual Network in the search field at the top of the Azure portal.
  2. Select Virtual Network.
  3. On the Virtual Network page that opens, select the +New button to add a new Virtual Network.
  4. For Resource Group, select a Resource Group.
  5. Provide a Name for the Virtual Network.
  6. For Region, select the same location as your Storage Account.
  7. Select Review + create.
  8. Select Create.
  9. Once the deployment is complete, select Go to resource.
  10. Select Subnets on the left panel.
  11. Select the subnet "default" to show its properties.
  12. In the Network security group drop-down, find and select the new Network Security Group that you just created. Do not use the default value "None."
  13. Select Save to commit the change.
Create a Managed Disk
Next, create a disk in Azure.
Follow these steps:
  1. Enter “disks” in the search field at the top of the Azure portal.
  2. Select Disks from the search results.
  3. On the Disks page, select the + Add button to add a new Disk.
  4. Under Project Details, select an existing Resource Group from the drop-down menu.
  5. Under Disk Details, provide the following information:
    • The Disk Name.
    • For Region, select the same location as your Storage Account. You must create a disk in the same location as the storage account where you uploaded your VHD.
    • To specify the disk source type and properties, follow these steps:
      1. Select "Storage blob" from the Source Type drop-down menu. More context-sensitive controls appear.
      2. In the Storage Blob field, use the Browse button to select the VHD. Select the Storage Account, then the Container, then the VHD, and finally select Select.
      3. For OS type, select "Linux."
      4. Verify that the value of the VM generation control (which appeared when you selected Linux in the previous step) is "Gen 1."
    • To change the default Size (1024 GiB) of the disk, do the following steps:
      1. Select the Change Size link. The Select a disk size page opens.
      2. Verify that the value that is specified in the Disk SKU drop-down menu is "Premium SSD".
      3. Select a listed disk size or specify a Custom disk size of at least 80 GiB.
      4. Select OK.
  6. Select Review and Create.
  7. Verify that your settings are correct and, if so, select Create. Otherwise, select the Previous button to go back and make any necessary changes.
Create the Virtual Machine
To create a Privileged Access Manager VM in Azure, follow these steps:
  1. Return to the Disks page and select your disk. A new pane appears with +Create VM.
  2. Select +Create VM. The Create Virtual Machine panel appears.
  3. In the Basics tab, enter a Name for your VM.
  4. For Resource Group, select "Use Existing" and select your Resource Group.
  5. Location is disabled because it is determined by the disk Storage Account location.
  6. Select OK. The Size tab activates.
  7. Select a size. See Installation Requirements for more information. Select the size and then the Select button at the bottom. The Settings tab activates.
  8. Select the Networking setting and do the following steps:
    1. Select the Virtual Network that was created earlier. The "default" subnet is selected.
    2. On the Public IP drop-down list, select Create New.
    3. On the Create public IP address page that opens, set the SKU option to "Standard."
    4. On the NIC network security group, select Advanced.
    5. On the Configure network security group, select the name of the Network Security Group that you created earlier.
  9. Select Review + create.
  10. Verify the settings on the Summary page, then select Create to commit your changes. Deployment begins. To monitor its progress, select the Notifications bell icon in the upper right.
Access the Azure Instance
To access the Azure Privileged Access Manager instance, follow these steps:
  1. Once the VM deployment is complete, select Virtual Machines on the left menu.
  2. Select the VM you created. The Public IP Address is listed in the right column of the Overview tab. Use this IP to access Privileged Access Manager.
  3. Before you can configure Azure settings, a Privileged Access Manager license file is required. CA Technologies provides customers instructions for obtaining license files with the VHD download. Now that you have deployed the Azure VM, you can get the Hardware ID necessary to request the license file. For more information, see Licensing and Product Usage.
The Azure LinuxDiagnostic extension is not available for Privileged Access Manager.
Set up CIFS Storage in Azure
You can set up Azure to store your session recordings and database backups on an Azure CIFS share. Alternatively, you can use an on-premises CIFS or NFS share, or create a separate Linux device with an NFS share in Azure. Azure does not support mounting an Azure file share in a different region than your Azure Privileged Access Manager VM. Once you have a share, follow the instructions in Schedule a Backup of the Database.
To create a CIFS share in Azure, follow these steps:
  1. In Azure, select the Storage Accounts menu on the left.
  2. Select your Storage Account.
  3. Under Services in the right pane, select Files. The File Service window appears.
  4. Select the +File Share button on the top left of the File Service panel.
  5. Enter a Name in lowercase characters and numbers. Hyphens are allowed.
  6. Enter a Quota (size limit) in GB.
  7. Select the new File Share. In the resulting right pane, select Connect from the top menu.
  8. Scroll down to the Connecting from Linux section.
  9. Copy the command from the text box. We are only interested in the share path, user name, and password. The following example highlights those three elements:
    sudo mount -t cifs //mystorage.file.core.windows.net/myshare [mount point] -o vers=3.0,username=mystorage,password=7QX+bNjogEd7wvvJERIKzcqVVqzOV3CLuqqNE6FacZCtiK1F7ZAA4BT1lI48EfbBmaMnNWQCz8XYizuNvjtRIQ4=,dir_mode=0777,file_mode=0777,sec=ntlmssp
    This share uses the CIFS Protocol, and SMB version 3.0.
  10. Use this information to set up:
    1. Session Recording: See Set up Session Recording.