Microsoft Azure

This article describes how to import an Airlock Gateway cloud image and deploy it as a VM on Microsoft Azure.

Cloud image import

Before starting, download the Airlock Gateway cloud image in VHD format from the Airlock Gateway download page on Techzone. This image file will be uploaded to Azure Storage and then registered as a VM image.

Preparing the required Azure resources

If not already available, create a resource group and an Azure Storage account:

Terminal box
RESOURCE_GROUP="myResourceGroup"
AZURE_STORAGE_ACCOUNT="mystorage"

# create resource group if it does not exist yet
az group create -l westeurope -n "${RESOURCE_GROUP}"

# create storage account inside resource group if it does not exist yet
az storage account create --resource-group "${RESOURCE_GROUP}" \
    --name "${AZURE_STORAGE_ACCOUNT}"

Uploading and creating an Azure VM image

Upload the Airlock Gateway cloud image to an Azure Storage container, from where the VM image can be created:

Terminal box
RESOURCE_GROUP="myResourceGroup"
export AZURE_STORAGE_ACCOUNT="mystorage"
# the storage account key is read from the account; the --query argument is
# quoted so the shell does not treat the brackets as a glob pattern
export AZURE_STORAGE_KEY="$(az storage account keys list \
    -g "${RESOURCE_GROUP}" -n "${AZURE_STORAGE_ACCOUNT}" \
    --query '[0].value' -o tsv)"

FILE="airlock_IMG_x64_<version>.vhd"
FILE_NAME="$(basename "${FILE}")"
CONTAINER="airlock-waf-disk-images"

# create container if it does not exist
az storage container create --name "${CONTAINER}"

# upload disk image to Azure
az storage blob upload --container "${CONTAINER}" --name "${FILE_NAME}" \
    --file "${FILE}"

IMG_SRC="https://${AZURE_STORAGE_ACCOUNT}.blob.core.windows.net/${CONTAINER}/${FILE_NAME}"
IMG_NAME="${FILE_NAME%.*}"

# create the VM image from the uploaded VHD blob
az image create --resource-group "${RESOURCE_GROUP}" \
    --name "${IMG_NAME}" --os-type Linux --source "${IMG_SRC}"

Instance creation

Functional limitation
  • Microsoft Azure does not provide hostnames via DHCP. Therefore, the hostname of Airlock Gateway instances is not set dynamically. Instead, Azure uses its Instance Metadata Service together with the Azure Linux Agent to configure hostnames. This mechanism is not supported by the current Airlock Gateway cloud image.
  • The Airlock Gateway cloud image does not support creating a VM with the authentication type password. Only the authentication type ssh is supported.

VM creation options

SSH key configuration

To connect via SSH to an Airlock Gateway instance, an SSH public key must be specified during instance creation by using the --ssh-key-value option.

Note: The provided SSH public key is always assigned to the root user, regardless of the value specified for the --admin-username option.

Cloud-init user-data usage

Cloud-init user-data can be used to customize an instance during provisioning. We recommend configuring at least the following options:

  • Swap space: The Airlock Gateway cloud image does not include preconfigured swap. Configure swap space via the user-data script as explained under Swap configuration.
  • Administrator user: Define a default administrator for the Airlock Gateway Configuration Center via the user-data script, as described under Administrative access configuration.

The user-data script can be provided with the --custom-data option.

Machine type specification

For instance sizing, refer to the Disk image properties table.

To select an appropriate Azure VM size, refer to the Azure documentation on VM sizes.

Serial console diagnostics enablement

The Airlock Gateway cloud image is configured to support the Azure serial console, which can be useful for debugging. To enable this feature, specify the --boot-diagnostics-storage option when creating the VM. Ensure that the required storage account exists beforehand. If necessary, create it with the following command:

Terminal box
RESOURCE_GROUP="myResourceGroup"
BOOT_DIAG_STORAGE="diagstorage"

# optional: create storage account inside resource group for
# diagnostics output if needed
az storage account create --resource-group "${RESOURCE_GROUP}" \
    --name "${BOOT_DIAG_STORAGE}"

Example of a full az vm create command

Terminal box
RESOURCE_GROUP="myResourceGroup"
BOOT_DIAG_STORAGE="diagstorage"

VM="airlock-waf-instance"
IMG="airlock_IMG_x64_<version>"
CUSTOM_DATA="./cloud-init-user-data.txt"
ADMIN="airlock"
SSH_KEY="${HOME}/.ssh/id_rsa.pub"
VM_SIZE="Standard_B2ms"
OS_DISK_SIZE_GB=20

# create the vm and start it
az vm create --resource-group "${RESOURCE_GROUP}" --name "${VM}" \
    --image "${IMG}" --custom-data "${CUSTOM_DATA}" \
    --admin-username "${ADMIN}" --ssh-key-value "${SSH_KEY}" \
    --boot-diagnostics-storage "${BOOT_DIAG_STORAGE}" \
    --size "${VM_SIZE}" --os-disk-size-gb "${OS_DISK_SIZE_GB}"

To create an additional Airlock Gateway VM, reuse the command above with the same image but specify a different VM name.

Opening the required ports

In Azure, inbound and outbound traffic is controlled through network security groups (NSGs). By default, a newly created VM is only accessible via SSH on port 22. To make Airlock Gateway fully usable, additional inbound security rules covering the following ports must be added to the NSG assigned to the VM or its subnet:

  • 8443 for the Airlock Gateway Configuration Center
  • 80 and/or 443 for virtual hosts (HTTP/HTTPS)

These required inbound ports correspond to the port assignment recommended for the Airlock network setup.

The inbound security rules can be added either to the VM's existing NSG or to an NSG associated with the subnet. For step-by-step instructions, refer to the Azure NSG quickstart guide.
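As an added example (not from the Airlock documentation), the following script creates the inbound rules described above with the Azure CLI. It goes slightly beyond the list: SSH (22) and the Configuration Center (8443) are limited to an administrative network, only 80/443 are exposed to the Internet, and an explicit deny overrides the permissive default SSH rule. The NSG name, the admin network (ADMIN_CIDR) and the rule priorities are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Airlock documentation or product.
# Creates the inbound NSG rules an Airlock Gateway VM needs while keeping the
# administrative ports (22, 8443) reachable only from ADMIN_CIDR.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-myResourceGroup}"
NSG_NAME="${NSG_NAME:-airlock-waf-instanceNSG}"   # hypothetical NSG name
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"        # constructed admin network
AZ_BIN="${AZ_BIN:-az}"                            # set AZ_BIN=echo for a dry run

# nsg_rule NAME PRIORITY ACCESS SOURCE PORT...
# Azure evaluates lower priority numbers first, so an explicit Deny placed
# below the default SSH allow rule (priority 1000) takes precedence over it.
nsg_rule() {
    _name="$1"; _prio="$2"; _access="$3"; _src="$4"; shift 4
    "$AZ_BIN" network nsg rule create \
        --resource-group "$RESOURCE_GROUP" --nsg-name "$NSG_NAME" \
        --name "$_name" --priority "$_prio" --direction Inbound \
        --access "$_access" --protocol Tcp \
        --source-address-prefixes "$_src" \
        --destination-port-ranges "$@"
}

# The full rule set for an Airlock Gateway VM: admin-only 22 and 8443,
# public 80/443, and a deny that closes SSH for every other source.
apply_airlock_nsg_rules() {
    nsg_rule allow-ssh-admin          300 Allow "$ADMIN_CIDR" 22
    nsg_rule allow-configcenter-admin 310 Allow "$ADMIN_CIDR" 8443
    nsg_rule allow-virtual-hosts      320 Allow Internet      80 443
    nsg_rule deny-ssh-any             330 Deny  '*'           22
}

# Print the az commands that would be issued, without executing them.
dry_run() {
    ( AZ_BIN=echo; apply_airlock_nsg_rules )
}

# Run with "apply" to create the rules; without arguments nothing is changed.
if [ "${1:-}" = "apply" ]; then
    apply_airlock_nsg_rules
fi
```

Run `sh nsg-rules.sh` to review the generated commands via dry_run first, then `sh nsg-rules.sh apply` once NSG_NAME and ADMIN_CIDR match your environment.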