Learn how to create a Microsoft Azure image file of your Cortex XDR Broker virtual machine (VM).
After you download your Cortex XDR Broker VHD (Azure) image, you need to upload it to Azure as a storage blob.
Danger
Download a Cortex XDR Broker VM VHD (Azure) image. For more information, see the virtual machine compatibility requirements in Configure the Broker VM.
Perform the following procedures in the order listed below.
Make sure you extract the zipped hard disk file on a server that has more than 512 GB of free space.
Note
Extraction can take up to a few hours.
Upload from Microsoft Windows or Ubuntu.
Verify you have:
Windows PowerShell version 5.1 or later.
.NET Framework 4.7.2 or later.
Open PowerShell and run:
Set-ExecutionPolicy Unrestricted
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Install the Azure cmdlets:
Install-Module -Name Az -AllowClobber
Connect to your Azure account.
Connect-AzAccount
Start the upload.
az storage blob upload -f <vhd to upload> -n <vhd name> -c <container name> --account-name <account name>
Note
Upload can take up to a few hours.
Install the Azure CLI utility.
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
Connect to Azure.
az login
Start the upload.
az storage blob upload -f <vhd to upload> -n <vhd name> -c <container name> --account-name <account name>
In the Azure home page, navigate to Azure services → Disks and Add a new disk.
Navigate to the Create a managed disk → Basics page, and define the following information:
Project details
Resource group: Select your resource group.
Disk details
Disk name: Enter a name for the disk object.
Region: Select your preferred region.
Source type: Select Storage Blob. Additional fields are displayed, which you can define as follows:
Source blob: Select Browse. You are directed to the Storage accounts page. From the navigation panel, select the storage account and then the container to which you uploaded the Cortex XDR VHD image. In the Container page, select your VHD image.
OS type: Select Linux.
VM generation: Select Gen 1.
Check your settings by clicking Review + create.
Create your Broker VM disk, and after deployment is complete, click Go to resource.
In your created Disks page, click Create VM.
In the Create a virtual machine page, define the following:
Instance details
(Optional) Virtual machine name: Enter the same name as the disk name you defined.
Size: Select the size according to your company guidelines.
Select Next to navigate to the Networking tab.
Network interface
NIC network security group: Select Advanced.
Configure network security group: Select HTTPS to be able to access the Broker VM Web UI, and SSH to allow remote access when troubleshooting. Make sure to allow these connections to the Broker VM from secure networks only.
To check your settings, click Review + create.
Create your VM.
After deployment is complete, click Go to resource. You are directed to your VM page.
Note
Creating the VM can take up to 15 minutes. The Broker VM Web UI is not accessible during this time.
Ensure that the VM you created contains an outbound port rule that allows the broker to reach the Azure Instance Metadata Service at IP address 169.254.169.254 on port 80. For more information about the Azure Instance Metadata Service, see the Azure Documentation.
To configure an outbound rule on your VM, select Networking → Network settings, and under the Rules → Outbound port rules section, you can either:
Note
For more information on creating a rule in an Azure VM, see Create a Security Rule in the Azure Documentation.
Configure a new outbound port rule by selecting Create port rule → Outbound port rule and setting the following in the Add outbound security rule dialog box:
Destination: Select IP Addresses.
Destination IP addresses/CIDR ranges: Enter 169.254.169.254.
Destination port ranges: Enter 80.
Protocol: Select TCP.
Name: Enter a unique name for this new outbound port rule, such as AzureInstanceMetadataService.
Click Add to create the new outbound port rule.
Edit an existing outbound port rule and ensure that the settings provided above for creating a new outbound port rule match what is already configured in the rule.
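The same network security group settings applied above (HTTPS and SSH inbound from secure networks only, plus the outbound rule to the Instance Metadata Service), done with the Az PowerShell module instead of the portal, followed by a check for inbound rules left open to the Internet. This is an added example, not code from the Cortex XDR documentation; the resource group, NSG name and the admin network CIDR are placeholders you must replace.

```powershell
# Added example (not from the Cortex XDR documentation). Requires the Az module
# from the upload step and an active Connect-AzAccount session.
$rg        = "<resource group>"       # placeholder: resource group of the Broker VM
$nsgName   = "<nsg name>"             # placeholder: NSG attached to the Broker VM NIC
$adminCidr = "203.0.113.0/24"         # constructed example of a "secure network"; replace

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName

# Inbound HTTPS (Web UI) and SSH (troubleshooting) only from the admin network.
# Add-AzNetworkSecurityRuleConfig fails if a rule with the same name already exists.
$nsg | Add-AzNetworkSecurityRuleConfig -Name "AllowBrokerWebUI" -Direction Inbound `
    -Access Allow -Protocol Tcp -Priority 100 -SourceAddressPrefix $adminCidr `
    -SourcePortRange "*" -DestinationAddressPrefix "*" -DestinationPortRange 443 | Out-Null
$nsg | Add-AzNetworkSecurityRuleConfig -Name "AllowBrokerSSH" -Direction Inbound `
    -Access Allow -Protocol Tcp -Priority 110 -SourceAddressPrefix $adminCidr `
    -SourcePortRange "*" -DestinationAddressPrefix "*" -DestinationPortRange 22 | Out-Null

# Outbound rule to the Azure Instance Metadata Service (169.254.169.254:80, TCP),
# matching the settings listed in the procedure above.
$nsg | Add-AzNetworkSecurityRuleConfig -Name "AzureInstanceMetadataService" -Direction Outbound `
    -Access Allow -Protocol Tcp -Priority 100 -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationAddressPrefix "169.254.169.254" -DestinationPortRange 80 | Out-Null

# Write the rules back to Azure.
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Check: re-read the NSG and flag any inbound Allow rule that exposes the Web UI
# or SSH (or every port) to any source, which violates "secure networks only".
$nsg  = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName
$open = $nsg.SecurityRules | Where-Object {
    $_.Direction -eq "Inbound" -and $_.Access -eq "Allow" -and
    ($_.SourceAddressPrefix -contains "*" -or $_.SourceAddressPrefix -contains "Internet") -and
    ($_.DestinationPortRange -contains "443" -or $_.DestinationPortRange -contains "22" -or
     $_.DestinationPortRange -contains "*")
}
if ($open) {
    Write-Warning "Inbound rules open to any source on the Broker VM NSG:"
    $open | Select-Object Name, Priority, SourceAddressPrefix, DestinationPortRange | Format-Table
} else {
    Write-Host "No inbound rule exposes HTTPS or SSH to the Internet."
}
```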