Buy Deep Security as a Service from the Microsoft Azure Marketplace
This article provides step-by step directions for purchasing Deep Security on the Microsoft Azure marketplace. It also illustrates how to log into your Deep Security as a Service account and start protecting your Azure Virtual Machines using the Deep Security VM Extension.
Purchase Deep Security on the Azure marketplace
- Log in to your Azure portal.
- On the Azure Startboard, click the Marketplace tile.
- In the Marketplace blade, click Security + Identity
- In the Security + Identity blade, search for "Trend Micro Deep Security" and click Trend Micro Deep Security.
- In the Trend Micro Deep Security blade, click Create at the bottom of the blade.
- In the Trend Micro Deep Security Create blade, type a name that you will use to invoke the Deep Security blade after it is created.
- Click Pricing Tier, browse the available price plans, and select the one that best suits your Azure workloads. For details, see About the plans, below.
- Review the plan details and click OK.
- Click Select to finalized the price plan selection.
- Back in the Trend Micro Deep Security Create blade, click Legal Terms and accept the terms.
- Pick a Resource Group and Subscription that are appropriate for your environment.
- Select the Pin to Startboard checkbox so that it will be easy to locate the Deep Security blade after purchase.
- Click Create to start the purchasing and provisioning process of your Deep Security as a Service account.
On successful creation, the Deep Security blade will launch automatically.
At this point, you have only provisioned your Deep Security as a Service account and attached it to your Azure subscription, but you have not yet enabled Deep Security protection for any of your VMs in Azure. You will not incur any charges for Deep Security on your Azure bill unless you deploy Deep Security protection using the Deep Security VM Extension for one or more VMs in your Azure subscription. The steps for deploying the VM Extension are described in the sections below.
The “0.00” prices on the “Choose your pricing tier” blade can be confusing. The 0.00 reflects the fact that Deep Security price plans do not have any flat monthly fee for use. Our price plans are entirely consumption-based and you only pay for what you use. We are looking to improve this part of the user interface so that the presentation is more intuitive.
Deep Security is only available in the U.S. region as of this writing. If your Azure subscription is attached to a non-U.S. billing address, then you will not see the price plans described here. Stay tuned since we will soon be launching Deep Security in other geographies.
Click a plan to display details in the Plan details blade. For example, when you click the Starter plan, it displays a full description of the Starter plan, which highlights that our consumption-based pricing model is based on a pricing meter named “Hours of VM Protection” and you only pay $0.01 for each hour of Deep Security protection for your Azure VMs (as of this writing). Note that the sizes of the VMs matter – the Starter plan is a great way to get started with protection for your 1 core VMs including the A0, A1 and D1 sizes of Azure VMs. We also offer a free 30-day trial period for all our price plans.
Here is an example: Assume your Azure subscription has seven small-sized VMs, and Deep Security is protecting three of them in your Azure subscription. Also assume that each of the three VMs with Deep Security is active for only 5 days in a particular month. The total protection hours for the three VMs would be 360 hours (3 * 5 * 24) for that month, and your total cost of Deep Security protection for these three small-sized VMs would be $3.60 (0.01 * 360) for that month. Note that the Deep Security charges are over and above your Azure consumption charges for the seven VMs in your subscription, which will be calculated and billed separately by Azure.
You are encouraged to review the Standard and Performance price plans if your Azure subscription contains VMs of different sizes. Choose the Standard plan if you use Deep Security to protect 1 and 2-core VMs that include the A0, A1, A2, D1, D2, D11 and G1 sizes of VMs in Azure. The Standard plan costs $0.03 per hour of protection (as of this writing) and is calculated in the same way as explained in the previous example.
If you use high performance VMs (4 or more cores) in your Azure subscription and decide to use Deep Security to protect them, then the Performance plan would be appropriate for you. This plan covers the full range of VM sizes available in Azure, and the cost of using Deep Security is $0.06 per hour of protection as of this writing. The consumption-based pricing is calculated the same way as shown above by multiplying the hourly cost with the total number of hours of Deep Security protection, and the Performance plan covers VMs of all sizes under your Azure subscription.
- Locate the Deep Security tile on your Azure Startboard and click it to launch the Deep Security blade.
- Click the “Key” icon to launch the Key Management blade for Deep Security (item 1 in the screenshot below).
- The Key Management blade displays the parameters that are required to manage protection for your Azure virtual machines. This information is unique to your Deep Security account and represents shared secrets and sensitive data, so please exercise discretion when sharing these details with others.
The blue "Regenerate" buttons shown in the screenshot below cannot be used and will be removed in a future release.
- Copy the URL of the Deep Security management console (item 2 in the screenshot below) to the clipboard.
- Open a new tab on your web browser and navigate to the URL that you copied. This displays the login page for the Deep Security as a Service management console. Enter the Account Name, Username, and Password that match those in the Key Management blade (A, B, and C in the screenshot above). and click Sign In.
- Create a security policy that you can use to protect your Azure virtual machines. Note that it is recommended you define a policy (and not leave that field blank) when adding Deep Security protection to your virtual machines since no protection is enabled by default. For details, see Create a policy or change settings for a specific computer.
We highly recommend you configure the Deep Security connector for Azure for your Azure subscription. This will allow Deep Security as a Service to query and maintain an up-to-date list of all the virtual machines in your Azure subscription so that you get a complete view of the security posture of your Azure virtual machines. The steps for configuring the Azure connector are available in Add a Microsoft Azure cloud account to Deep Security.
Protect your Virtual Machines using the Deep Security VM Extension
This section guides you through the steps to enable protection by deploying the Deep Security VM Extension for new virtual machines that you spin up in Azure, and uses the policy you created as the default policy for the new virtual machine. This ensures the new virtual machine is protected from malware immediately from the time it starts its life in Microsoft Azure.
All VMs in Azure that require Deep Security protection need to have the Deep Security VM Extension (or the Deep Security Agent) installed in each VM. The Deep Security VM Extension (or Agent) needs to be wired up to your Deep Security as a Service account for the protection to become active. Installing the VM Extension (or Agent) is a one-time activity for each VM that you need to protect using Deep Security in Azure, after which all security controls are controlled via the Deep Security as a Service management console.
Refer to the screenshot below, which illustrates the steps in the Microsoft Azure portal that are required to launch the Deep Security VM Extension blade for protecting a new virtual machine being created in Azure. Follow the steps labeled “1” through “10” in the green circles, which will result in the “Add Extension” blade being displayed on the right side.
Open a second tab on your web browser and navigate to the Startboard of the Azure management portal. Locate the Deep Security tile on your Startboard and click it to invoke the Deep Security blade. When the Deep Security blade launches, click the “Key” icon (the number “1” in the green circle in Figure 12) to launch the Key Management blade for Deep Security.
The screenshot above shows the two shared secrets, your Deep Security Tenant ID and the Tenant Password, that are unique to your Deep Security as a Service account and will be required to enable Deep Security protection for any virtual machine in your Azure subscription. The Tenant ID is called out by the letter “A” in orange and the Tenant Password is shown using the letter “B” in orange in the screenshot above.
Switch back to the browser tab that has the blades open for creating a new virtual machine. Now copy and paste the Tenant ID and Tenant Password strings from the fields labeled “A” and “B” in the screenshot above to the corresponding fields “A” and “B” in the “Add Extension” blade shown in the screenshot below.
The last step is to select an appropriate security policy for the virtual machine being protected by Deep Security. The Security Policy field, labeled with the letter “C” in orange in the screenshot above, accepts a string or a numeric ID that identifies the security policy used to protect this virtual machine. Finally, click OK (letter “D” in orange in the screenshot above) and you’re now done configuring Deep Security protection for the new virtual machine. Provide any other inputs for the other blades and kick off the creation of your new virtual machine in Azure.
Upon successful creation of your new virtual machine in Azure, you will have Deep Security protecting it from the instant your VM starts providing service. The screenshot below shows the Deep Security VM Extension successfully installed and configured using the above mentioned steps. The numbers in the green circles in the screenshot correspond to the numbered list below it.
- Click the All settings link on the blade of the VM containing the Deep Security VM Extension.
- Click the Extensions menu item.
- The Extensions blade lists all the VM Extensions installed for this VM. Click the TrendMicroDSA item that represents the Deep Security VM Extension.
- The TrendMicroDSA blade will launch. The Message area should indicate “Deep Security Agent is installed and activated successfully”.
You can view additional details about the protection status of this virtual machine by logging into your Deep Security as a Service account (see Log in to your new Deep Security as a Service account, above).
To see the virtual machine you created using the policy above, log in to the Deep Security as a Service console and go to the Computers page. Locate and click the VM that has Deep Security protection enabled. Deep Security displays the protection status for that VM.