Sizing for Azure Marketplace

Sizing guidelines for Deep Security in Azure Marketplace depend on the type of environment and other factors such as network, hardware, and software.

The recommendations have been classified into Small (1-10 000), Medium (10 000-20 000) and Large (20 000+) deployments.

Deep Security Manager

| Number of agents | Instance type | Number of Deep Security Manager nodes |
|---|---|---|
| 1 - 10 000 | Standard D2 v2 | 1 - 2 |
| 10 000 - 20 000 | Standard D3 v2 | 2 |
| 20 000 + | Standard D12 v2 | 3 |

Database

The default Azure SQL database is Standard S3 with a storage size of 20 GB. If you have more than 10 000 agents, we recommend changing the database scale to Premium P1 to improve performance, with the following recommended sizes:

| Number of agents | Hard drive size |
|---|---|
| 1 - 10 000 | 10 - 20 GB |
| 10 000 - 20 000 | 20 - 30 GB |
| 20 000 + | 30 - 40 GB |

The table above helps determine the initial database size to set for the Deep Security Database. These estimates are based on these assumptions:

  • Log inspection and web reputation service (WRS) are not enabled.
  • Intrusion prevention (IPS) is enabled efficiently with very few false positive events.
  • Anti-malware (AM) events are insignificant in terms of size and are not part of the calculation. Anti-malware only logs events occasionally, unless there is an outbreak occurring.
  • Log retention period is 30 days.
  • Firewall events are around 50 per day.

See Scale single database resources in Azure SQL Database for information about scaling the storage of an Azure SQL database.

Notes

  1. Other factors, such as the modules in use, the number of security updates held, and the number of policies, also affect database size. In general, centrally collected firewall and intrusion prevention event logs form the bulk of the database volume. Event retention (Administration > System Settings > Storage) is relevant to maintaining a reasonably sized database. Review these settings, as they help determine how much space is needed.
  2. For environments in which a significant number of firewall events are anticipated, consider disabling "Out of allowed policy" events. This can be configured for each agent or applied at the Base policy level (open the Computer or Policy details page and go to Firewall > Advanced).
  3. Environments with large retention requirements should consider a SIEM or Syslog server for log storage. When logs are stored in a SIEM or Syslog server, less storage is required in the Deep Security database (see Forward events to an external Syslog or SIEM server).
  4. Imported Deep Security software in the Deep Security Manager can affect database size. Always review the number of software versions you plan to keep in the database and remove unnecessary versions.