Deploying PrivX to Azure: architecture blueprint
This document describes how to deploy PrivX to Microsoft Azure cloud infrastructure.
Reference architecture components
- PrivX virtual machine is the host the PrivX service runs on. A suitable starting point is an Azure B2s virtual machine (2 vCPUs, 4 GB RAM) running Rocky Linux or RHEL. A minimum of two PrivX hosts is required for high availability; scale out by deploying additional PrivX instances.
- PrivX virtual network is the virtual network PrivX hosts will run in.
- Azure Application Gateway distributes HTTP/HTTPS traffic to the PrivX virtual machines. Cookie-based affinity must be enabled.
- Azure Database for PostgreSQL is used for persistence. A suitable starting point is a General Purpose 4 vCPU database server with 100 GB of storage.
- Azure Files is used for audit trail storage; standard performance with zone redundancy is recommended, and the size depends on usage.
- Azure API: if configured to do so, PrivX indexes all compute resources from Azure and presents them as connectable targets.
- PrivX Extender can be deployed to a private network; it establishes a secure websocket control connection back to PrivX and routes traffic from PrivX to target hosts within the private network.
- Target virtual network contains target hosts that have no publicly accessible addresses.
- Publicly accessible target hosts can be connected to directly via SSH/RDP if they have an address the PrivX instance can reach.
Connections
A. Administrators, end users and API clients always access PrivX via HTTPS:443. HTTP:80 is required for Windows CRL checks and redirects to HTTPS.
B. All PrivX internal communication, including connections from the Application Gateway to the application nodes, is over HTTPS:443.
C. The PrivX Extenders establish secure websocket connections back to PrivX instances; subsequent connections from the Extender to target hosts use SSH/RDP.
D. PrivX can access target hosts directly via SSH/RDP.
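The component list and the connection list A to D together fix which network flows this deployment needs. The following Python module is an added example, not part of the SSH.COM blueprint: it encodes those flows as a default-deny matrix, checks candidate flows against it, and renders the rules touching a VM subnet as Azure CLI `az network nsg rule create` calls. Tier names, subnet prefixes, the resource group name, rule priorities and the PaaS ports (PostgreSQL 5432, SMB 445 for Azure Files) are assumptions to adapt; the CLI flags are those of `az network nsg rule create`.

```python
"""Default-deny flow matrix for connections A-D of the blueprint.
Added example, not part of the SSH.COM blueprint. Tier names, prefixes,
resource group, priorities and PaaS ports are assumptions to adapt."""
from dataclasses import dataclass
from typing import Dict, List

# Tiers of the reference architecture (assumed names) and the address
# prefix or Azure service tag each maps to in an NSG rule.
INTERNET, APPGW, PRIVX, EXTENDER = "Internet", "appgw", "privx", "extender"
TARGET_PRIVATE, TARGET_PUBLIC = "target-private", "target-public"
DB, FILES = "Sql", "Storage"  # PaaS endpoints, addressed by service tag
PREFIX: Dict[str, str] = {
    INTERNET: "Internet",           # service tag
    APPGW: "10.0.1.0/24",           # assumed Application Gateway subnet
    PRIVX: "10.0.2.0/24",           # assumed PrivX node subnet
    EXTENDER: "10.1.1.0/24",        # assumed Extender subnet in the target VNet
    TARGET_PRIVATE: "10.1.2.0/24",  # assumed private target subnet
    TARGET_PUBLIC: "Internet",      # tighten to the real target addresses
    DB: "Sql",
    FILES: "Storage",
}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    ports: str  # one port or "lo-hi" in Azure NSG syntax
    proto: str = "Tcp"

ALLOWED: List[Rule] = [
    # A: administrators, end users and API clients only ever reach the gateway
    Rule("users-https", INTERNET, APPGW, "443"),
    Rule("users-http-crl-redirect", INTERNET, APPGW, "80"),
    # B: gateway to node and node to node is HTTPS only
    Rule("appgw-to-privx", APPGW, PRIVX, "443"),
    Rule("privx-to-privx", PRIVX, PRIVX, "443"),
    # persistence and audit-trail storage (PaaS; their own firewalls are separate)
    Rule("privx-to-postgres", PRIVX, DB, "5432"),
    Rule("privx-to-files", PRIVX, FILES, "445"),
    # C: the Extender dials out to PrivX, then reaches private targets itself
    Rule("extender-to-privx", EXTENDER, PRIVX, "443"),
    Rule("extender-to-targets-ssh", EXTENDER, TARGET_PRIVATE, "22"),
    Rule("extender-to-targets-rdp", EXTENDER, TARGET_PRIVATE, "3389"),
    # D: PrivX reaches publicly addressable targets directly
    Rule("privx-to-public-ssh", PRIVX, TARGET_PUBLIC, "22"),
    Rule("privx-to-public-rdp", PRIVX, TARGET_PUBLIC, "3389"),
]

def port_in(ports: str, port: int) -> bool:
    """True when `port` falls in an NSG port expression ("443", "65200-65535", "*")."""
    if ports == "*":
        return True
    lo, _, hi = ports.partition("-")
    return int(lo) <= port <= int(hi or lo)

def is_allowed(src: str, dst: str, port: int, proto: str = "Tcp") -> bool:
    """Default deny: a flow is permitted only when an explicit rule matches."""
    return any(r.src == src and r.dst == dst and r.proto == proto and port_in(r.ports, port)
               for r in ALLOWED)

def nsg_commands(tier: str = PRIVX, rg: str = "rg-privx") -> List[str]:
    """Render the rules touching a VM subnet as `az network nsg rule create` calls.
    Each direction ends with an explicit Deny at priority 4000, because Azure's default
    AllowVnetInBound/AllowVnetOutBound rules (priority 65000) would otherwise permit every
    intra-VNet flow that ALLOWED does not list. Use for subnets you fully control."""
    nsg = f"nsg-{tier}"
    cmds: List[str] = []
    for direction, mine, peer_side, flag in (
        ("Inbound", "dst", "src", "--source-address-prefixes"),
        ("Outbound", "src", "dst", "--destination-address-prefixes"),
    ):
        prio = 100
        for r in ALLOWED:
            if getattr(r, mine) != tier:
                continue
            cmds.append(
                f"az network nsg rule create -g {rg} --nsg-name {nsg} "
                f"-n {direction.lower()}-{r.name} --priority {prio} --direction {direction} "
                f"--access Allow --protocol {r.proto} {flag} {PREFIX[getattr(r, peer_side)]} "
                f"--destination-port-ranges {r.ports}"
            )
            prio += 10
        cmds.append(
            f"az network nsg rule create -g {rg} --nsg-name {nsg} -n deny-all-{direction.lower()} "
            f"--priority 4000 --direction {direction} --access Deny --protocol '*' "
            f"--destination-port-ranges '*'"
        )
    return cmds

if __name__ == "__main__":
    for cmd in nsg_commands():
        print(cmd)
```

Running the module prints the rule set for the PrivX node subnet. Two caveats the matrix makes visible: without the trailing Deny at a numerically lower priority (Azure evaluates lower numbers first), the default AllowVnet rules mean nothing above actually restricts node-to-node or node-to-target traffic inside a VNet; and the Application Gateway subnet and the PaaS resources carry Azure-mandated rules that the example deliberately does not render (for the v2 gateway SKU, inbound from the GatewayManager service tag on ports 65200-65535 and from AzureLoadBalancer), so render NSGs only for subnets you control, and restrict the PostgreSQL server and the storage account to the PrivX subnet on their own firewalls or service endpoints.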
Disclaimers
This document includes instructions regarding third-party products by Microsoft. This blueprint is provided for general guidance only.
The architecture in this blueprint was verified against the Microsoft Azure products current in April 2019. These instructions will need to be adapted when using other versions of Microsoft Azure products.
SSH Communications Security Corporation does not make any warranties as to the accuracy, reliability, or usefulness of these instructions, or guarantee that the content related to third-party products is up to date.
SSH Communications Security Corporation does not provide any warranties regarding third-party products, such as Microsoft Azure, nor provide any support or other services for third-party products.
For instructions about setting up and operating Microsoft Azure products, we always recommend that you consult the official Microsoft Azure documentation intended for the specific version(s) of Microsoft Azure products in your use, and/or directly contact Microsoft Azure representatives or support.