Deploying a Cryptographic Security Platform Compliance Manager Node in Azure

To deploy a Cryptographic Security Platform Compliance Manager node in Microsoft Azure, you need to create a virtual machine (VM) resource that has a Public IP address and SSH access. After Azure has started the new VM, you can configure it either as the first node in a Cryptographic Security Platform Compliance Manager cluster or as an additional node joined to an existing cluster.

The following procedure describes how to create the VM resource. For configuration details, see Configuring Additional Cryptographic Security Platform Compliance Manager Nodes.

Note: If your version of Azure Resource Manager (ARM) is different from what is described below, see your Azure documentation.

Before You Begin 

Make sure you have access to an SSH key pair that you can use for this instance. You will be required to paste the public portion of the key pair into the Create Virtual Machine wizard, and you will need the private portion of the key pair when you configure the new VM.

Important: The private part of the SSH key file cannot be reset or recovered once the VM is configured, even if you use the Azure "Reset Password" method. Please ensure that you keep it in a safe place.

Procedure 

  1. Log in to your Microsoft Azure account.
  2. In the left-hand pane, click Create a resource.
  3. In the Search bar, enter "Entrust".
  4. Select Entrust Cryptographic Security Platform Compliance Manager.
  5. On the Entrust Cryptographic Security Platform Compliance Manager page, click Create.
  6. On the Basics page, specify the options you want to use:

    Project Details

    • Subscription: Select the Azure subscription that you want to use.
    • Resource group: If this is the first Cryptographic Security Platform Compliance Manager node you are deploying, you can create a new resource group or use an existing group as desired. If you want to connect this Cryptographic Security Platform Compliance Manager node with an existing node, make sure you select the same resource group as the existing Cryptographic Security Platform Compliance Manager node.

    Instance Details

    • Virtual machine name: The name of the VM that will host the Cryptographic Security Platform Compliance Manager node.
    • Region: Select the region in which this Cryptographic Security Platform Compliance Manager node should be deployed. If you want to connect this node to an existing Azure Cryptographic Security Platform Compliance Manager node, select the same region as the existing node or make sure a communication channel exists between the two regions.
    • Availability options: Select the desired availability option. Cryptographic Security Platform Compliance Manager does not require any special infrastructure redundancy.
    • Image: Make sure this is set to Entrust Cryptographic Security Platform Compliance Manager.
    • Size: Select the size of the VM that you want to use for Cryptographic Security Platform Compliance Manager. Entrust recommends the following for standard and large deployments:

        • vCPUs: 4 for standard, 8 for large.
        • RAM: 16 GB for standard, 32-64 GB for large.

      Important: You must select an instance that matches the recommended configuration. For example, the D-Series v3 (D4s_v3) has 4 vCPU and 16 GB memory, and would work for the standard size. The D8s_v3 or D16s_v3 would work for the large size.

    Administrator Account

    • Authentication type: Select SSH public key.
    • Username: Enter htadmin as the username. The username must be in lower case.
    • SSH public key: Paste in the public portion of the SSH key pair you want to use for this node.

  7. When you are done, click Next: Disks.
  8. On the Disks tab, specify the options you want to use. For optimum performance, we recommend you select an SSD disk type. Cryptographic Security Platform Vault does not require additional data disks.

  9. When you are done, click Next: Networking.
  10. On the Networking page, specify the options you want to use based on your corporate standards. Cryptographic Security Platform Compliance Manager only requires the following:

    • The Public IP address must be static, which it is not by default. To use a static IP address, click Create New under the Public IP field. On the Create public IP address page, enter a name for the IP address and select the Static radio button under Assignment. When you are done, click OK.
    • If you create a new Network Security Group in this step (which is the Azure default action), Cryptographic Security Platform Compliance Manager automatically creates the correct port settings. If you select an existing Network Security Group, you need to make sure the security group allows network communication with Cryptographic Security Platform Compliance Manager over the following ports and protocols:

      Type      Protocol   Port Range
      SSH       TCP        22
      HTTPS     TCP        443
      Custom    TCP        5432
      Custom    TCP        8443
      Custom    UDP        123

      If you plan to connect this node with an existing Cryptographic Security Platform Compliance Manager cluster, you may need to open additional ports if the nodes are running in different Azure regions or in different environments.

  11. If you want to set any other options for the VM, do so. When you are done, click Review + Create.
  12. Review the settings for the resource and click Create. Wait for the success message from Azure confirming that the new resource is running and ready to use.

  13. After Azure has created the virtual machine, determine the public IP address. To do so:

    1. In the left-hand pane, select Resource groups.
    2. Click the name of the resource group you specified on the Basics page.
    3. Click the virtual machine name in the table.

      Tip: If you do this before Azure has deployed the new VM, it may take a few minutes for the VM name to appear in this table.

    Azure displays the public IP address in the Public IP address field in the VM Details area.

  14. Configure the node as the first Cryptographic Security Platform Vault node in the cluster or add it to an existing Cryptographic Security Platform Compliance Manager cluster. For details, see:
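
For step 10, when an existing Network Security Group is reused, the port table can be checked against the group's rules before the VM is created. The following is an added example, not Entrust or Azure code: it evaluates inbound rules in priority order, as Azure does, and reports which required ports end up allowed and from which source. The rule names and addresses in the sample are constructed, and the sample assumes the field names that `az network nsg rule list -o json` emits.

```python
# Added example: required inbound ports from the table in step 10.
REQUIRED = [("tcp", 22), ("tcp", 443), ("tcp", 5432), ("tcp", 8443), ("udp", 123)]

def port_specs(rule):
    """Destination port specs of a rule, e.g. '22', '5000-9000' or '*'."""
    specs = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    return specs

def covers(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def audit(rules):
    """Map (protocol, port) -> (access, rule name, source prefix) of the first
    matching inbound rule; NSG rules are evaluated lowest priority number first.
    Simplification: address prefixes are reported, not used for matching."""
    inbound = sorted((r for r in rules if r["direction"].lower() == "inbound"),
                     key=lambda r: r["priority"])
    verdicts = {}
    for proto, port in REQUIRED:
        verdicts[(proto, port)] = ("NoMatch", None, None)
        for r in inbound:
            if r["protocol"].lower() in (proto, "*") and any(
                    covers(s, port) for s in port_specs(r)):
                verdicts[(proto, port)] = (r["access"], r["name"],
                                           r.get("sourceAddressPrefix"))
                break
    return verdicts

def missing(rules):
    """Required ports that no inbound rule ends up allowing."""
    return [k for k, v in audit(rules).items() if v[0] != "Allow"]

# Constructed sample using the field names of `az network nsg rule list -o json`.
SAMPLE = [
    {"name": "allow-mgmt", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRanges": ["22", "443"],
     "sourceAddressPrefix": "203.0.113.0/24"},
    {"name": "deny-db", "priority": 200, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "destinationPortRange": "5432", "sourceAddressPrefix": "*"},
    {"name": "allow-app", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "5000-9000",
     "sourceAddressPrefix": "VirtualNetwork"},
]

if __name__ == "__main__":
    for (proto, port), (access, name, src) in audit(SAMPLE).items():
        print(f"{proto}/{port}: {access} (rule={name}, source={src})")
```

In the sample, TCP 5432 falls inside the 5000-9000 allow range but is still blocked because the deny rule has the lower priority number, and UDP 123 has no matching rule at all. The reported source prefix shows whether a port such as SSH is limited to a management range or open to any address.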