Installing an All-In-One Data Processor in Azure
You can deploy an all-in-one (AIO) Stellar Cyber Platform as a Virtual-50 on Azure.
To install a cluster, contact Stellar Cyber technical support.
To install you must:
- Complete the prerequisites.
- Install and configure the software image.
- Configure a modular sensor VM.
- Configure the DP.
- Tune the MTU of the DP.
Prerequisites
Stellar Cyber recommends the following minimum configuration for an AIO deployment in Azure:
- Instance: Standard_E16s_v3
- CPUs: 16
- Memory: 128 GB
- Disks: Disks must all be SSD
Stellar Cyber only supports full-SSD deployments. Spinning-disk-based storage (HDD) and hybrid drives (SSHD) are not supported. All deployments must adhere to this SSD-only policy in order to qualify for performance guarantees and technical support.
Refer to Stellar Cyber Requires Full SSD Disks for further details.
To install on Azure you must:
The internal network of the DP uses the 172.17.0.0/16 and 10.244.x.0/24 subnets. If you use these subnets elsewhere in your network, change them to avoid conflicts. If you cannot change them, contact Stellar Cyber technical support.
Firewall Ports to Open
You must open ports on your firewall for communication.
One Time Password
Contact Stellar Cyber support (support@stellarcyber.ai) for login credentials and a one-time password (also known as a License Key).
You will need to provide:
- The Azure region for the DP and sensors
Do this at least a day before installing, so we have enough time to deploy the images to your region.
After license activation, you can find the OTP for your installation in the Licensing page.
Installing and Configuring the Software Image
To install and configure the software image:
- Install the Stellar Cyber Software Packages.
- Create a resource group for the VM.
- Add a Microsoft.Network subscription.
- Create the VM.
Use our example as a guideline, as you might be using a different software version.
Installing the Stellar Cyber Software Packages
To install the Stellar Cyber Software Packages:
- Log in to portal.azure.com.
- Click the hamburger menu at the upper left and select the entry for Microsoft Entra ID. Your Microsoft Entra Overview page appears.
- Scroll down and click Properties. The Properties page appears.
- Copy the value shown for Tenant ID. You need this for the next step and also when creating the VM, so keep it handy.
- Copy this URL, replacing <TenantID> with yours:
  https://login.microsoftonline.com/<TenantID>/oauth2/authorize?client_id=58238038-43b4-4446-8260-0fa97ace1085&response_type=code&redirect_uri=https%3A%2F%2Fwww.microsoft.com%2F
- Paste that URL in a new browser tab (or window). Log in if necessary. A Permissions requested message appears.
- Click the Consent on behalf of your organization check-box.
- Click Accept. The Stellar Cyber Software Packages are released to your Azure account.
- To verify, go back to the Azure portal home page.
- In the search bar, type enterprise. Azure suggests several choices as you type.
- Choose Enterprise applications. A list of enterprise applications appears.
- Find Stellar Cyber Software Packages.
If you don't see Stellar Cyber Software Packages, contact Stellar Cyber technical support.
Creating a Resource Group for the VM
To create a new resource group for the VM:
- Go back to the Azure portal home page.
- Click Resource groups. The Resource groups page appears.
- Click Create resource group to create a new group.
- Name the resource group Stellar.
- Choose the region.
- Click Next : Tags.
- Add optional tags.
- Click Next : Review + create.
- Review your selections.
- Click Create. The Resource groups page appears, with your new Stellar group displayed.
- Select the Stellar resource group. The details appear.
- Click Access control (IAM). The Access control (IAM) page appears.
- Click Add role assignments to display the Add role assignment controls.
- Click on Privileged administrator roles and choose the Contributor option.
- Leave the default selection of User, group, or service principal in the Assign access to drop-down.
- In the Members section, click + Select members to display the Select members panel.
- Start typing Stellar in the Select field of the Select members panel.
- When the Stellar Cyber Software Packages entry appears, click its entry and then the Select button.
- Click Review + Assign in the Add role assignment panel.
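The following is an added example, not part of the Stellar Cyber documentation: a PowerShell audit that lists every role assignment held by the Stellar Cyber Software Packages service principal in the current subscription and flags anything other than Contributor on the Stellar resource group. It assumes you run it in Cloud Shell as your own user with read access to role assignments, and it uses the client_id from the consent URL and the resource group name Stellar from the steps above.

```powershell
# Added example: confirm the third-party service principal is scoped to the
# resource group only. Run as your own user, not as the service principal.
$appId  = '58238038-43b4-4446-8260-0fa97ace1085'  # client_id from the consent URL on this page
$rgName = 'Stellar'                                # resource group created in the steps above

$sp = Get-AzADServicePrincipal -ApplicationId $appId
if (-not $sp) { throw "No service principal for $appId; the consent step has not completed." }

$rg = Get-AzResourceGroup -Name $rgName -ErrorAction Stop
$expectedScope = $rg.ResourceId   # /subscriptions/<id>/resourceGroups/Stellar

# Every assignment the principal holds in the current subscription context
$assignments = Get-AzRoleAssignment -ObjectId $sp.Id

$report = foreach ($a in $assignments) {
    $insideRg = $a.Scope.StartsWith("$expectedScope/", [System.StringComparison]::OrdinalIgnoreCase)
    if ($a.Scope -ieq $expectedScope -and $a.RoleDefinitionName -eq 'Contributor') {
        $status = 'expected'
    } elseif ($a.Scope -ieq $expectedScope -or $insideRg) {
        $status = 'review: extra role inside the resource group'
    } else {
        $status = 'REVIEW: scope outside the resource group'
    }
    [pscustomobject]@{ Role = $a.RoleDefinitionName; Scope = $a.Scope; Status = $status }
}

$report | Format-Table -AutoSize -Wrap
if (-not ($report | Where-Object Status -eq 'expected')) {
    Write-Warning "Contributor on '$rgName' was not found for this service principal."
}
```

Repeat the check in each subscription of the tenant, because Get-AzRoleAssignment only reports the subscription of the current context.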
Adding a Microsoft.Network Subscription
To add a Microsoft.Network subscription:
- Go back to the Azure portal home page.
- Click Subscriptions. The Subscriptions page appears.
- Choose your subscription.
- Click Resource Providers.
- In the search bar, start typing microsoft.network. Azure suggests auto-completions.
- Choose Microsoft.Network.
- Click Register. The registration process begins, which can take several minutes.
The VM is now running in the Azure cloud.
Creating the VM
You use PowerShell to create the VMs:
- Click the Cloud Shell button to bring up a PowerShell window.
- You use a customized version of the script shown in Azure Installation Script to install both the Modular Sensor and the DP in Azure. Before you use the script, you must customize it with variable definitions that match your Azure subscription and networking environment, as well as the Stellar Cyber component you are installing.
- Start by pasting the contents of the Azure Installation Script into a text editor.
- Customize the script with variable definitions that match your Azure subscription and networking environment for the items listed in Variables for the Azure Installation Script.
- Use the $stellarInstanceType variable to specify whether you are installing a Modular Sensor or a DP:
  - Modular Sensor – Uncomment the line with $stellarInstanceType set to "Stellar-ModularSensor" and comment out the line with $stellarInstanceType set to "Stellar-DataProcessor". For example:
    ```powershell
    $stellarInstanceType = "Stellar-ModularSensor"
    #$stellarInstanceType = "Stellar-DataProcessor"
    ```
  - DP – Uncomment the line with $stellarInstanceType set to "Stellar-DataProcessor" and comment out the line with $stellarInstanceType set to "Stellar-ModularSensor". For example:
    ```powershell
    #$stellarInstanceType = "Stellar-ModularSensor"
    $stellarInstanceType = "Stellar-DataProcessor"
    ```
- Copy and paste the customized script into the Azure Cloud Shell with $stellarInstanceType set to "Stellar-ModularSensor" to create the Modular Sensor.
- Copy and paste the customized script into the Azure Cloud Shell with $stellarInstanceType set to "Stellar-DataProcessor" to create the DP.
  Refer to this article for more information on the New-AzVM cmdlet used by the script to install a Modular Sensor VM.
Azure Installation Script
Paste the contents of this script into a text editor and supply your own values for the variables shown in angle brackets ("<variable>"). The necessary variables are listed and described in Variables for the Azure Installation Script.
```powershell
# Drop any cached Az PowerShell logins before signing in as the service principal
Clear-AzContext -Force

# Supply your own values for the variables below:
$resourceGroup = "<resource group name>"
$location = "<Azure region>"
$vmNamePrefix = "StellarVM-Sensor"
$vnetName = "<virtual network name>"
$subnetName = "<subnet name>"
$nsg_name = "<network security group name>"
$tenant_customer = "<Azure tenant_id>"
$subscription_customer = "<Azure subscription_id>"

# Change stellarInstanceType to install Modular Sensor or DP
$stellarInstanceType = "Stellar-ModularSensor"
#$stellarInstanceType = "Stellar-DataProcessor"

# Install the specified version below
$imageVersion = "5.4.0"

############################################################################
# Stellar Cyber parameters, do not change
$applicationId = '58238038-43b4-4446-8260-0fa97ace1085'
$secret = 'mdb8Q~2-lm0jpEF_lm24K52udUCKZDrD05e_wdmk' | ConvertTo-SecureString -AsPlainText -Force
$tenant_stellar = "2f580e30-1cc1-4c08-9e80-704999508e1a"
############################################################################

# Size the VM and OS disk for the selected component
if ($stellarInstanceType -eq "Stellar-DataProcessor") {
    $osDiskSize = 512
    $osVMSize = "Standard_E16s_v3"
} else {
    $osDiskSize = 128
    $osVMSize = "Standard_B12ms"
}

# Sign in as the Stellar Cyber service principal, first in the Stellar Cyber
# tenant (image gallery) and then in your own tenant (deployment target)
$cred = New-Object -TypeName PSCredential -ArgumentList $applicationId, $secret
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $tenant_stellar
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $tenant_customer
az account set --subscription $subscription_customer

# Get the specific subnet object
$vnet = Get-AzVirtualNetwork -ResourceGroupName $resourceGroup -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet

# Get subnet ID
$subnetId = $subnet.Id

# Name the VM with the configured prefix followed by a random string
$randomString = [guid]::NewGuid().ToString("N").Substring(0, 8)
$vmName = "$vmNamePrefix-$randomString"
$image = "/subscriptions/0e28f851-f477-4f2d-94bc-35c00d3d5fd8/resourceGroups/Stellar/providers/Microsoft.Compute/galleries/StellarCyberSoftwares/images/$stellarInstanceType/versions/$imageVersion"

# Networking pieces
$pip = New-AzPublicIpAddress -ResourceGroupName $resourceGroup -Location $location -Name "mypublicdns$(Get-Random)" -AllocationMethod Static -IdleTimeoutInMinutes 4
$nsg = Get-AzNetworkSecurityGroup -Name $nsg_name -ResourceGroupName $resourceGroup
$nic_name = "Stellar-nic-$randomString"
$nic = New-AzNetworkInterface -Name $nic_name -ResourceGroupName $resourceGroup -Location $location -SubnetId $subnetId -PublicIpAddressId $pip.Id -NetworkSecurityGroupId $nsg.Id

# Create a virtual machine configuration using the $image variable to specify the image
#$vmConfig = New-AzVMConfig -VMName $vmName -VMSize $osVMSize | Set-AzVMOperatingSystem -Linux -ComputerName $vmName -Credential $cred | Set-AzVMSourceImage -Id $image | Add-AzVMNetworkInterface -Id $nic.Id
$vmConfig = New-AzVMConfig -VMName $vmName -VMSize $osVMSize |
    Set-AzVMOperatingSystem -Linux -ComputerName $vmName -Credential $cred |
    Set-AzVMSourceImage -Id $image |
    Set-AzVMOSDisk -CreateOption FromImage `
        -DiskSizeInGB $osDiskSize `
        -Caching ReadWrite `
        -Name "$vmName-OSDisk" `
        -StorageAccountType "StandardSSD_LRS" |
    Add-AzVMNetworkInterface -Id $nic.Id

# Create a virtual machine
New-AzVM -ResourceGroupName $resourceGroup -Location $location -VM $vmConfig
```
Variables for the Azure Installation Script
You will need to supply values for the variables in the table below in the Azure Installation Script before you use it in the Azure Cloud Shell. Keep in mind the following rules for variables:
- The specified resourceGroup must already exist.
- The values you supply for the vnetName, subnetName, and nsg_name arguments must exist in the specified resource group.

Installation Script Variable | Definition |
---|---|
$resourceGroup | The name of the Azure Resource Group where the Stellar Cyber component will be installed. |
$location | The Azure Region where the Stellar Cyber component will be installed. |
$vmNamePrefix | Optional. The Stellar Cyber VM is named with this prefix followed by a random string. You can rename the VM within Azure after it is deployed. However, if you would prefer a different default prefix, you can change it here. |
$vnetName | The name of the virtual network for the Stellar Cyber component. You can use the az network vnet list command to see available virtual networks. |
$subnetName | The name of the subnet for the Stellar Cyber component. You can use the az network vnet subnet list command to see the subnets in a virtual network. |
$nsg_name | The name of the Network Security Group for the Stellar Cyber component. You can use the |
$tenant_customer | The Azure tenant ID for the deployment. You can use the az account list --output table command to see the subscription and tenant IDs available for your account. |
$subscription_customer | The Azure subscription for the deployment. You can use the az account list --output table command to see the subscription and tenant IDs available for your account. |
$stellarInstanceType | Specifies the Stellar Cyber component you are installing. Can be either Stellar-ModularSensor or Stellar-DataProcessor. Comment out one line and leave the other intact, depending on which component you are installing. |
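The following pre-flight check is an added example, not part of the Stellar Cyber script: it verifies the two rules above (the resource group exists, and the virtual network, subnet and NSG exist inside it) and also flags address prefixes that overlap the DP-internal subnets named in the prerequisites. The function names are hypothetical, and 10.244.x.0/24 is checked as the whole 10.244.0.0/16 block, which is an assumption.

```powershell
# Added example, not Stellar Cyber's code. Run as your own user, before the
# installation script (which starts with Clear-AzContext).
$resourceGroup = "<resource group name>"
$vnetName      = "<virtual network name>"
$subnetName    = "<subnet name>"
$nsg_name      = "<network security group name>"
# DP-internal ranges from the prerequisites. Assumption: 10.244.x.0/24 is
# checked as the whole 10.244.0.0/16 block.
$reserved = '172.17.0.0/16', '10.244.0.0/16'

function ConvertTo-CidrRange([string]$Cidr) {
    $ip, $len = $Cidr.Split('/')
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($bytes)                      # network order to little-endian
    $addr  = [int64][BitConverter]::ToUInt32($bytes, 0)
    $size  = [int64]1 -shl (32 - [int]$len)       # number of addresses in the block
    $start = $addr - ($addr % $size)              # align to the network address
    [pscustomobject]@{ Start = $start; End = $start + $size - 1 }
}
function Test-CidrOverlap([string]$A, [string]$B) {
    $x = ConvertTo-CidrRange $A
    $y = ConvertTo-CidrRange $B
    ($x.Start -le $y.End) -and ($y.Start -le $x.End)
}

$problems = @()
if (-not (Get-AzResourceGroup -Name $resourceGroup -ErrorAction SilentlyContinue)) {
    $problems += "Resource group '$resourceGroup' does not exist."
}
$vnet = Get-AzVirtualNetwork -ResourceGroupName $resourceGroup -Name $vnetName -ErrorAction SilentlyContinue
if (-not $vnet) { $problems += "Virtual network '$vnetName' is not in '$resourceGroup'." }
$subnet = $vnet.Subnets | Where-Object Name -eq $subnetName
if (-not $subnet) { $problems += "Subnet '$subnetName' is not in '$vnetName'." }
$nsg = Get-AzNetworkSecurityGroup -Name $nsg_name -ResourceGroupName $resourceGroup -ErrorAction SilentlyContinue
if (-not $nsg) { $problems += "NSG '$nsg_name' is not in '$resourceGroup'." }

# Compare every IPv4 prefix of the vnet and the subnet with the DP-internal ranges
$prefixes = @($vnet.AddressSpace.AddressPrefixes) + @($subnet.AddressPrefix)
foreach ($prefix in $prefixes) {
    if ($prefix -notmatch '^\d+(\.\d+){3}/\d+$') { continue }   # skip empty and IPv6 entries
    foreach ($r in $reserved) {
        if (Test-CidrOverlap $prefix $r) { $problems += "$prefix overlaps DP-internal range $r." }
    }
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { "Pre-flight checks passed." }
```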
Configuring the Sensor VM
To configure the sensor VM you created:
- Access the console of the VM.
- Log in. The default user/password is aella/changeme. You are immediately prompted to change the password.
- Change the password.
Your sensor installation is complete.
Enabling SSSE3 for the Sensor VM
The host VM must have SSSE3 enabled for its processors in order for the Modular Sensor to operate correctly. In most cases, SSSE3 will already be enabled. However, if you encounter issues with packet collection or Interflow data generation, you can use the instructions below to ensure that SSSE3 is enabled.

Sensors installed on Linux hosts must have SSSE3 enabled for their processors in order to operate correctly. This is true for Modular Sensors and Linux Server Sensors, as well as legacy Network and Security Sensors.
SSSE3 is typically supported/enabled for most vCPUs, but may not be for certain legacy AMD vCPUs. See below for instructions on enabling SSSE3.
To enable SSSE3 for a virtual machine:
- Start the virtual shell (virsh).
- Type the following command to edit the virtual machine's settings:
  ```
  edit <virtual_machine_name>
  ```
- Locate the <cpu> section. It should appear similar to the following:
  ```xml
  <cpu mode='custom' match='exact' check='partial'>
    <model fallback='allow'>SandyBridge</model>
    ......
  </cpu>
  ```
- Add the following line to the <cpu> section:
  ```xml
  <feature policy='require' name='ssse3'/>
  ```
  When you are done, the <cpu> section should appear similar to the following:
  ```xml
  <cpu mode='custom' match='exact' check='partial'>
    <model fallback='allow'>SandyBridge</model>
    <feature policy='require' name='ssse3'/>
    ...........
  </cpu>
  ```
- Save changes to the virtual machine and exit virsh.
- Run the following command:
  ```
  virsh define /etc/libvirt/qemu/<virtual_machine_name>.xml
  ```
  Each virtual machine has a configuration .xml file. Typically, these files are stored under /etc/libvirt/qemu, but the location may be different for your system.
- Stop and start the virtual machine in virsh.
Configuring the DP as an AIO
When the VM is up and running you can configure the DP as an AIO:
- Access the console of the VM.
- Log in. The default user/password is aella/changeme. You are immediately prompted to change the password.
- Change the password.
- On the DP, enter these commands. Note that in an AIO deployment, you specify the same IP address for the set interface management ip and set cm commands shown below.
  ```
  set interface management ip [IP address/netmask for your DP; for example, 192.168.14.100/255.255.255.0]
  set interface management gateway [IP address of your gateway]
  set interface management dns [IP address of your DNS, or 8.8.8.8]
  set role AIO
  set cluster_name AIO
  set cluster_size 1
  set cm [IP address of DP Data Lake]
  set otp [OTP/License Key you received from Stellar Cyber]
  reset
  ```
- Confirm the reset. The image is downloaded (which can take a while, depending on your network) and installed.
- Verify that everything is installed, ready, and running with the show status command. A status screen appears while it is installing. When it finishes, make sure of the following in the show status output:
  - 80-90 images are installed on the host
  - All pods are running
  - All status messages have changed from red to white

The installation is complete and the DP is now functional.
Tune the MTU of the DP
Azure does not support jumbo frames. If you installed an AIO, this is not an issue. Otherwise, contact Stellar Cyber technical support to have us tune the MTU of the DP.