Add a Microsoft Azure cloud account to Deep Security

If you want to protect your Microsoft Azure Virtual Machines with Deep Security, you can connect your Microsoft Azure account to Deep Security. Once the connection is established, your Virtual Machines appear on the Computers page in Deep Security Manager, where you can manage them like any other computer.

(Optional) Configure proxy settings for cloud accounts

Does not apply to Deep Security as a Service

You can configure Deep Security Manager to use a proxy server specifically for connecting to instances being protected in cloud accounts. Go to Administration > System Settings > Proxies. In the Proxy Server Use section, select Deep Security Manager (Cloud Accounts - HTTP Protocol Only).

Add Virtual Machines from a Microsoft Azure cloud account to Deep Security

The procedure for adding your virtual machines to Deep Security depends on which version of Deep Security you are running. To figure out which procedure you should use, go to the Computers page in your Deep Security Manager. If you see an Add button, follow the instructions for recent versions, below. If you see a New button, follow the instructions for older versions.

If you are running a recent version of Deep Security (including Deep Security as a Service)

If you have already added Azure VMs that are part of this Azure account, they will be moved in the tree structure to appear under this account.

  1. On the Computers page, click Add > Add Azure Account.
  2. Enter the account credentials used to log in to the Azure portal and click Sign in.

    The account must be the owner of the Azure subscription and must have the Global Admin role in your Azure Active Directory. These privileges are required so that Deep Security can automate the provisioning of a Service Principal object in your Azure Active Directory. Deep Security uses that Service Principal object to authenticate itself to your Azure subscription so that it can invoke the necessary Azure APIs to synchronize your Azure VMs in the Deep Security Manager console. For instructions on creating a user with global administrator rights, see Microsoft's Add new users or users with Microsoft accounts to Azure Active Directory article.

  3. Click Accept on the Deep Security Connector permissions page.
  4. Select the Azure Active Directory and Subscription Name and click Next.
  5. Review the summary information and click Finish.

The Azure virtual machines now appear in the Deep Security Manager under their own branch on the Computers page.
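A check worth running once the account is connected, given as an added example (not Trend Micro's code): it reads JSON shaped like the output of `az role assignment list --all --output json` and reports any role held by the connector's Service Principal that goes beyond the read-only access this page says Deep Security Manager requires. The object ID, subscription ID and sample assignments are constructed placeholders, and treating the built-in Reader role as the read-only baseline is an assumption.

```python
import json

# Assumption: the built-in "Reader" role is the read-only baseline.
READ_ONLY_ROLES = {"Reader"}

# Constructed sample shaped like `az role assignment list --all --output json`.
# All IDs are placeholders, not values from a real tenant.
SUB = "11111111-1111-1111-1111-111111111111"
CONNECTOR_OBJECT_ID = "22222222-2222-2222-2222-222222222222"
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalId": CONNECTOR_OBJECT_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB}"},
    {"principalId": CONNECTOR_OBJECT_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB}/resourceGroups/rg-example"},
    {"principalId": CONNECTOR_OBJECT_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": "/"},
    {"principalId": "33333333-3333-3333-3333-333333333333",
     "principalType": "User",
     "roleDefinitionName": "Owner", "scope": f"/subscriptions/{SUB}"},
])


def audit_connector_roles(assignments_json, principal_id, subscription_id):
    """Return (role, scope, reason) for each assignment beyond read-only."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    findings = []
    for item in json.loads(assignments_json):
        if item.get("principalId", "").lower() != principal_id.lower():
            continue  # assignment belongs to a different identity
        role = item.get("roleDefinitionName", "")
        scope = item.get("scope", "")
        inside = (scope.lower() == sub_scope
                  or scope.lower().startswith(sub_scope + "/"))
        if role not in READ_ONLY_ROLES:
            findings.append((role, scope, "more than read-only"))
        elif not inside:
            findings.append((role, scope, "scope outside the subscription"))
    return findings


if __name__ == "__main__":
    for role, scope, reason in audit_connector_roles(
            SAMPLE_ASSIGNMENTS, CONNECTOR_OBJECT_ID, SUB):
        print(f"REVIEW {role} at {scope}: {reason}")
```

Matching is done on `principalId` (the directory object ID) because it is present for every assignment regardless of how the principal's display name is rendered.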

If you are running an older version of Deep Security

To import cloud resources into Deep Security Manager, Deep Security users must first have an account with which to access the cloud provider service resources. For each Deep Security user who will import a cloud account into the Deep Security Manager, Trend Micro recommends creating a dedicated account for that Deep Security Manager to access the cloud resources. That is, users should have one account to access and control the virtual machines themselves, and a separate account for their Deep Security Manager to connect to those resources.

Having a dedicated account for Deep Security ensures that you can refine the rights and revoke this account at any time. It is recommended to give Deep Security an Access/Secret key with read-only rights at all times. The Deep Security Manager only requires read-only access to import the cloud resources and manage their security.

If you have already added Azure VMs that are part of this Azure account, they will be moved in the tree structure to appear under this account.

  1. On the Computers page, click New > Add Cloud Account.

    The cloud account wizard will start.

  2. Select Azure from the Provider Type list.
  3. Enter your Subscription ID, Key Pair and Key Pair Password, and click Next.

The Azure virtual machines now appear in the Deep Security Manager under their own branch on the Computers page.

Upgrade from the Azure classic connector to the Azure Resource Manager connector

If Deep Security Manager currently manages virtual machines that used to be classic VMs but were later migrated to the Azure Resource Manager, you can also upgrade them to the Azure Resource Manager interface in Deep Security Manager.

For more information, see Why should I upgrade to the new Azure Resource Manager connection functionality?

  1. On the Computers page, in the Computers tree, right-click the Azure classic portal and click Properties.
  2. Click Enable Resource Manager connection.
  3. Sign in to your Azure account.

    The account must be the global administrator of the default Azure Active Directory. For instructions on creating a user with global administrator rights, see Microsoft's Add new users or users with Microsoft accounts to Azure Active Directory article.

  4. Click Accept on the Deep Security Azure Connector permissions page.
  5. You will see a message saying that the connection to Resource Manager was enabled successfully. Click Close.

Remove a Microsoft Azure account

Removing a Microsoft Azure account from Deep Security Manager permanently removes the account from the Deep Security database. Your account with your cloud provider is unaffected, and any Deep Security Agents that were installed on the instances will still be installed, running, and providing protection (although they will no longer receive security updates). If you decide to re-import computers from the Microsoft Azure account, the Deep Security Agents will download the latest Security Updates at the next scheduled opportunity.

  1. Go to the Computers page, right-click on the Microsoft Azure account in the navigation panel, and select Remove Cloud Account.
  2. Confirm that you want to remove the account.
  3. The account is removed from the Deep Security Manager.