Deploying a KeyControl Vault Node in Azure

To deploy a KeyControl Vault node in Microsoft Azure, you need to create a virtual machine (VM) resource that has a Public IP address and SSH access. After Azure has started the new VM, you can configure it to either become the first node in a KeyControl Vault cluster or you can join the new node with an existing cluster.

The following procedure describes how to create the VM resource. For configuration details, see Configuring Additional KeyControl Vault Nodes.

Note: The following procedure is based on the November 2018 Microsoft Azure Resource Manager (ARM) interface. If your version of ARM is different from what is described below, please see your Azure documentation.

Before You Begin

Make sure you have access to a public SSH key pair that you can use for this instance. You will be required to paste the public portion of the key pair into the Create Virtual Machine wizard and you will need the private portion of the key pair when you configure the new VM.

Procedure

  1. Log into your Microsoft Azure account.
  2. In the left-hand pane, click Create a resource.
  3. In the Search bar, enter "HyTrust".
  4. Select Entrust KeyControl for Azure BYOK.
  5. Review the information and then click Create at the bottom of the right-hand pane.
  6. On the Basics page, specify the options you want to use:

    Field                      Description

    Project Details section

    Subscription               Select the Azure subscription that you want to use.

    Resource group             If this is the first KeyControl Vault node you are
                               deploying, you can create a new resource group or
                               use an existing group as desired.

                               If you want to connect this KeyControl Vault node
                               with an existing node, make sure you select the
                               same resource group as the existing KeyControl
                               Vault node.

    Instance Details section

    Virtual machine name       The name of the VM that will host the KeyControl
                               Vault node.

    Region                     Select the region in which this KeyControl Vault
                               node should be deployed.

                               If you want to connect this node to an existing
                               Azure KeyControl Vault node, select the same region
                               as the existing node or make sure a communication
                               channel exists between the two regions.

    Availability options       Select the desired availability option. KeyControl
                               Vault does not require any special infrastructure
                               redundancy.

    Image                      Make sure this is set to Entrust KeyControl for
                               Azure BYOK.

    Size                       Select the size of the VM that you want to use for
                               KeyControl Vault. Entrust recommends the following
                               for standard and large deployments:
                               • VCPUs: 2 for standard, 4 for large.
                               • RAM: 8 GB for standard, 16 GB for large.

    Administrator Account section

    Authentication type        Select SSH public key.

    Username                   Enter htadmin as the username. The username must
                               be in lower case.

    SSH public key             Paste in the public portion of the SSH key pair
                               you want to use for this node.

  7. When you are done, click Next: Disks.
  8. On the Disks tab, specify the options you want to use. For optimum performance, we recommend you select an SSD disk type. KeyControl Vault does not require additional data disks.

  9. When you are done, click Next: Networking.
  10. On the Networking page, specify the options you want to use based on your corporate standards. KeyControl Vault only requires the following:

    • The Public IP address must be static, which it is not by default. To use a static IP address, click Create New under the Public IP field. On the Create public IP address page, enter a name for the IP address and select the Static radio button under Assignment. When you are done, click OK.
    • If you create a new Network Security Group in this step (which is the Azure default action), KeyControl Vault automatically creates the correct port settings. If you select an existing Network Security Group, you need to make sure the security group allows network communication with KeyControl Vault over the following ports and protocols:

      Type      Protocol   Port Range

      SSH       TCP        22
      HTTPS     TCP        443
      Custom    TCP        5432
      Custom    TCP        8443
      Custom    UDP        123

      If you plan to connect this node with an existing KeyControl Vault cluster, you may need to open additional ports if the nodes are running in different Azure regions or in different environments.
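The following is an added example and is not part of the Entrust documentation: a POSIX shell script that compares an existing Network Security Group's inbound allow rules with the ports listed above and prints the az CLI commands that would add any that are missing. The sample rule list, the function names and the `<rg>`, `<nsg>` and `<prio>` placeholders are assumptions; in practice the input comes from the `az network nsg rule list` query shown in the comments.

```shell
#!/bin/sh
# Added example, not part of the Entrust documentation. Audits an Azure Network
# Security Group's inbound allow rules against the ports KeyControl Vault needs
# and prints (but does not run) the az CLI commands that would add missing ones.
# Assumption: the input is "protocol<TAB>port" lines as produced by
#   az network nsg rule list -g <rg> --nsg-name <nsg> -o tsv \
#     --query "[?direction=='Inbound' && access=='Allow'].[protocol,destinationPortRange]"
# Port ranges such as 8000-9000 are not expanded; only exact ports or "*" match.

# Ports and protocols required by KeyControl Vault (from the table above).
REQUIRED="tcp 22
tcp 443
tcp 5432
tcp 8443
udp 123"

# Lower-case the protocol column and drop lines that are not "proto port" pairs.
normalise() {
  tr '[:upper:]' '[:lower:]' | awk 'NF == 2 { print $1, $2 }'
}

# Print each required "proto port" pair that the given rule list does not allow.
# A rule with protocol "*" covers the port for either TCP or UDP.
missing_rules() {
  existing=$(printf '%s\n' "$1" | normalise)
  printf '%s\n' "$REQUIRED" | while read -r proto port; do
    if ! printf '%s\n' "$existing" | grep -qx -e "$proto $port" -e "\* $port"; then
      echo "$proto $port"
    fi
  done
}

# Emit the az command for one missing rule. <rg>, <nsg> and <prio> are
# placeholders the operator replaces; az lists the protocol as Tcp/Udp.
rule_cmd() {
  proto=$(printf '%s' "$1" | awk '{ print toupper(substr($0, 1, 1)) substr($0, 2) }')
  printf 'az network nsg rule create -g <rg> --nsg-name <nsg> --name allow-%s-%s --priority <prio> --direction Inbound --access Allow --protocol %s --destination-port-ranges %s\n' \
    "$1" "$2" "$proto" "$2"
}

# Constructed sample: an existing NSG that allows SSH, HTTPS and 8443 only.
SAMPLE=$(printf 'Tcp\t22\nTcp\t443\nTcp\t8443\n')

missing_rules "$SAMPLE" | while read -r proto port; do rule_cmd "$proto" "$port"; done
```

Review the printed commands and choose priorities that do not collide with rules already in the group before running them.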

  11. If you want to set any other options for the VM, do so. When you are done, click Review + Create.
  12. Review the settings for the resource and click Create. Wait for the success message from Azure confirming that the new resource is running and ready to use.

  13. After Azure has created the virtual machine, determine the public IP address. To do so:

    1. In the left-hand pane, select Resource groups.
    2. Click the name of the resource group you specified on the Basics page.
    3. Click the virtual machine name in the table.

      Tip: If you do this before Azure has deployed the new VM, it may take a few minutes for the VM name to appear in this table.

    Azure displays the public IP address in the Public IP address field in the VM Details area.

  14. Configure the node as the first KeyControl Vault node in the cluster or add it to an existing KeyControl Vault cluster. For details, see: