Before proceeding with deploying the Barracuda Web Application Firewall VMSS, do the following:
- Step 1. Create a Resource Group
- Step 2. Create a Storage Account
- Step 3. Create and upload license file
Step 1. Create a Resource Group
To create a resource group, perform the following steps:
- Log into the Microsoft Azure Portal.
- Click Resource groups in the left panel.
- In the Resource groups page, click Add and specify values for the following:
- Resource group name: Enter a name for the resource group.
- Subscription: Select the subscription in which you want to create the resource group.
- Resource group location: Select a location for the resource group.
- Click Create.
Step 2. Create a Storage Account
Perform the following steps to create a storage account:
- Log into the Microsoft Azure Portal.
- Click New in the left panel, and type Storage Account in the Search field.
- In the search results, select Microsoft Storage account.
- In the Storage account – blob, file, table, queue page, click Create.
- In the Create storage account page:
- Name: Enter a name for the storage account.
- Deployment model: Ensure the deployment model is set to Resource Manager.
- Account kind: Select the type of storage account that needs to be created. Default: General purpose
- Performance: Select the performance tier as required.
- Replication: Select the replication option for the storage account.
- Secure transfer required: Select Enabled to require secure transfer of data into or out of the storage account. Default: Disabled.
- Subscription: Select the subscription in which you want to create the storage account. Note: Ensure that the subscription for the storage account and the resource group is the same.
- Resource group: Select the resource group created in Step 1. Create a Resource Group.
- Location: Select the location for the storage account. Note: Ensure that the location for the storage account and the resource group is the same.
- Click Create.
Step 3. Create and upload license file
Perform the following steps to create and upload a license file:
Create a container
- Click the storage account that you have created.
- Click Blobs.
- Click +Container under Blob service.
- Name: Enter a name for the container.
- Public access level: Set the level of public access to the container. The default level is Private (no anonymous access) and it is recommended to use the default level.
- Click OK to create the container.
Create a License file
A license file contains the licenses that can be used. This file must be valid JSON and must be saved with the name "barracuda-byol-license-list.json".
- Open Notepad or any text editor. Type the licenses in the format illustrated below.
- Save the license file. Make sure you save the file with the name "barracuda-byol-license-list.json" as mentioned earlier.
Upload the license file
- To upload a license file, select the container you created.
- Click Upload.
- In the right pane, click the browse button and then select the license file you created.
- Click Upload to upload the license file to the container.
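The checks below cover the prerequisites from Steps 1 to 3 before you deploy: same subscription, resource group and location, secure transfer, a private container, the required file name and valid JSON. This is an added example, not Barracuda's code; the dictionaries are constructed samples assumed to follow the output of `az group show`, `az storage account show` and `az storage container show`, and the license content is a placeholder rather than the real license layout.

```python
import json
from pathlib import PurePosixPath

LICENSE_FILE_NAME = "barracuda-byol-license-list.json"  # name this page requires
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder

# Constructed samples, shaped like `az group show`, `az storage account show`
# and `az storage container show` output (field names are an assumption).
SAMPLE_GROUP = {"id": SUB + "/resourceGroups/waf-rg", "name": "waf-rg",
                "location": "westeurope"}
SAMPLE_ACCOUNT = {"id": SUB + "/resourceGroups/waf-rg/providers/Microsoft.Storage"
                        "/storageAccounts/waflicenses",
                  "resourceGroup": "waf-rg", "location": "westeurope",
                  "enableHttpsTrafficOnly": True}
SAMPLE_CONTAINER = {"name": "licenses", "properties": {"publicAccess": None}}
SAMPLE_LICENSE = '{"placeholder": []}'  # constructed; not the real license layout


def subscription_of(resource_id):
    """Return the subscription GUID from an Azure resource ID."""
    parts = resource_id.strip("/").split("/")
    return parts[1].lower() if len(parts) > 1 else ""


def preflight(group, account, container, blob_path, license_text):
    """Return a list of findings; an empty list means the prerequisites hold."""
    findings = []
    if subscription_of(account["id"]) != subscription_of(group["id"]):
        findings.append("storage account and resource group are in different subscriptions")
    if account["resourceGroup"].lower() != group["name"].lower():
        findings.append("storage account is not in the resource group from Step 1")
    if account["location"] != group["location"]:
        findings.append("storage account and resource group are in different locations")
    if not account.get("enableHttpsTrafficOnly"):
        findings.append("secure transfer is not required on the storage account")
    public = (container.get("properties") or {}).get("publicAccess")
    if public and public != "off":
        findings.append(f"container allows anonymous access ({public})")
    if PurePosixPath(blob_path).name != LICENSE_FILE_NAME:
        findings.append(f"license blob must be named {LICENSE_FILE_NAME}")
    try:
        json.loads(license_text)
    except json.JSONDecodeError as exc:
        findings.append(f"license file is not valid JSON (line {exc.lineno})")
    return findings


if __name__ == "__main__":
    print(preflight(SAMPLE_GROUP, SAMPLE_ACCOUNT, SAMPLE_CONTAINER,
                    "licenses/" + LICENSE_FILE_NAME, SAMPLE_LICENSE) or "all checks passed")
```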
Deploying the Barracuda Web Application Firewall VMSS
Perform the following steps to deploy the Barracuda Web Application Firewall VMSS instance:
- Log into the Microsoft Azure Portal.
- Click Marketplace at the bottom of the screen.
- In the Everything page, type Barracuda WAF VMSS Template in the Search text field.
- In the search results, select Barracuda WAF VMSS Template - BYOL.
- In the Barracuda WAF VMSS Template - BYOL page:
- Read the product overview.
- Click Create.
- In the Create Barracuda WAF VMSS Template - BYOL > 1 Basics page:
- Barracuda Web Application Firewall Virtual Machine Scale Set Name: Enter a name for the Barracuda Web Application Firewall VMSS.
- Password: Enter a password for authentication. This will be your password to access the Barracuda Web Application Firewall web interface.
- Confirm Password: Re-enter the password for confirmation.
- Billing Method: Select Bring your own License (BYOL) from the drop-down list as your billing method.
- Firmware Version: From the drop-down list, select the firmware version on which your instance is deployed.
- Subscription: Select the subscription from the drop-down list.
- Resource group: Create a new resource group or select a resource group that is empty from the existing Resource group list.
- Location: Select a location for the Barracuda Web Application Firewall VMSS.
- Click OK.
- In the Create Barracuda WAF VMSS Template - BYOL > 2 Deployment Options page:
- Barracuda Web Application Firewall Instance Size: Select a size for the instance.
- Storage Account: Create a new storage account or select a storage account from the existing Storage account list.
- Virtual network: Create a new virtual network, or select a virtual network from the existing Virtual network list in which you want to deploy the Barracuda Web Application Firewall VMSS.
- Subnets: Review the subnet configuration and modify if required.
- New Public IP address name: Enter a name for the public IP address associated with the Barracuda Web Application Firewall VMSS.
- Domain name for accessing the Barracuda Web Application Firewall: Enter the domain for the Barracuda Web Application Firewall VMSS.
- Boot diagnostics: When Enabled, the boot-up debug logs are saved in the specified storage account.
- Specify storage account where license file is stored: Enter the name of the storage account where your license file is stored.
- License Storage Account Key: Enter the account key for your storage account. The key is available under "Storage account" > Access keys > Key1, Key2. You are provided with two access keys so that you can maintain connections using one key while regenerating the other.
- License Storage Blob Name: Enter the path of the storage Blob where the license file is stored.
- Click OK.
- In the Create Barracuda WAF VMSS Template - BYOL > 3 Azure Auto Scaling Configuration page:
- Instance Count
- Initial Instances: Enter the number of instances to be deployed initially to serve the traffic. Default: 2
- Maximum Instances: Enter the maximum number of instances to be scaled up to handle the traffic when required. Default: 5
- Minimum Instances: Enter the minimum number of instances to scale down to when traffic is low. Default: 2
- Overprovisioning: When set to Enable, the VMSS spins up more virtual machines than are required to handle the traffic.
- Scale Up Thresholds
- CPU%: Enter the scale up threshold for CPU utilization. Default: 85%
- Network In: Enter the scale up threshold for NetworkIn throughput. Default: 9175040
- Network Out: Enter the scale up threshold for NetworkOut throughput. Default: 9175040
- Scale Down Thresholds
- CPU%: Enter the scale down threshold for CPU utilization. Default: 60%
- Network In: Enter the scale down threshold for NetworkIn throughput. Default: 5242880
- Network Out: Enter the scale down threshold for NetworkOut throughput. Default: 5242880
- Notification Email ID(s) in CSV Format: Enter the email address(es) to which the auto scaling event notification emails need to be sent.
- Click OK.
- In the Create Barracuda WAF VMSS Template - BYOL > 4 Azure API Configuration page:
- Authentication Method: Select the authentication method to authenticate to Azure Active Directory (AAD).
- Azure AD Credentials
- Azure User ID: Enter the user name to authenticate to the AAD.
- Azure User Password: Enter the password associated with user.
- Confirm Password: Re-enter the password to confirm.
- Azure Service Principal
- Client ID: Enter the ID of the application in AAD.
- Tenant ID: Enter the ID of the Active Directory tenant.
- Azure Secret Key: Enter the secret key generated.
- Click OK.
- In the Create Barracuda WAF VMSS Template - BYOL > 5 Barracuda Web Application Firewall Bootstrap Settings page:
- Cluster Shared Secret: Enter a password to be used by the Barracuda Web Application Firewall instances in the VMSS group.
- Confirm Shared Secret: Re-type the shared secret password.
- Bootstrap Method: Select the method (NONE, BASIC or BACKUP) for bootstrapping.
- Basic Bootstrap Configuration
- WAF Service Name: Enter a name for the service that needs to be created on the Barracuda Web Application Firewall instances.
- WAF Service Port: Enter the port number on which the service listens.
- Backend Servers (IP:PORT): Enter the IP address of the server followed by the port that needs to be protected by the Barracuda Web Application Firewall. Use comma (,) as a separator to specify multiple server IP addresses.
- Backup Bootstrap Configuration
- Azure Storage Account Name: Enter the name of the storage account.
- Azure Storage Account Key: Enter the key of the storage account.
- Azure Storage Blob Name: Enter the name of the blob configured in the storage account.
- Type of Backup file: Select the type of the backup file that you want to use for bootstrapping the instances.
- Barracuda Web Application Firewall Backup file Name: Enter the name of the backup file.
- OMS Workspace Details
- OMS Workspace Primary Key: Enter the primary key of the OMS server.
- Click OK.
- In the Create Barracuda WAF VMSS Template - BYOL > 6 Azure Load Balancer Configuration page:
- Health Probe Settings
- Protocol: Select TCP or HTTP. It is recommended to use the TCP protocol.
- Port: Enter the port to be used when probing the instance.
- Interval: Enter the interval time to probe the instance.
- Unhealthy threshold: Enter how many attempts can fail before the backend instance is marked as unhealthy.
- Load Balancer Rule Settings
- Port: Enter the port on which the load balancer is listening.
- Backend Port: Enter the port on which the Barracuda Web Application Firewall is listening.
- Session Persistence: Select the persistence type.
- EULA Acceptance Details
- User Name: Enter your user name.
- Email ID: Enter your Email address.
- Company Name: Enter your company name.
- Domain Name: Enter the domain name.
- Click OK.
- In the Create Barracuda WAF VMSS Template - BYOL > 7 Summary page, verify the values you entered and click OK.
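Before confirming the summary, the auto scaling values and the Backend Servers (IP:PORT) field can be checked with a short script. This is an added example, not part of the Barracuda template; the defaults are the ones listed on this page, and the consistency rules are general autoscale sanity checks assumed here, not constraints the template is documented to enforce.

```python
import ipaddress

# Defaults listed on the "3 Azure Auto Scaling Configuration" page.
DEFAULTS = {
    "initial": 2, "maximum": 5, "minimum": 2,
    "cpu_up": 85, "cpu_down": 60,
    "net_in_up": 9175040, "net_in_down": 5242880,
    "net_out_up": 9175040, "net_out_down": 5242880,
}


def check_autoscale(cfg):
    """Return problems with instance counts and thresholds (empty list = consistent)."""
    problems = []
    if not 1 <= cfg["minimum"] <= cfg["initial"] <= cfg["maximum"]:
        problems.append("need 1 <= minimum <= initial <= maximum instances")
    if not 0 < cfg["cpu_up"] <= 100:
        problems.append("CPU scale-up threshold must be a percentage in (0, 100]")
    for metric in ("cpu", "net_in", "net_out"):
        up, down = cfg[metric + "_up"], cfg[metric + "_down"]
        if not 0 <= down < up:
            # Equal or inverted thresholds make the scale set flap between sizes.
            problems.append(f"{metric}: scale-down {down} must be below scale-up {up}")
    return problems


def parse_backend_servers(value):
    """Parse the 'Backend Servers (IP:PORT)' field into (ip, port) tuples.

    Raises ValueError naming the first entry that is not IP:PORT.
    """
    servers = []
    for entry in value.split(","):
        host, sep, port = entry.strip().rpartition(":")
        if not sep or not port.isdecimal() or not 1 <= int(port) <= 65535:
            raise ValueError(f"not IP:PORT with a port in 1-65535: {entry.strip()!r}")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            raise ValueError(f"not an IP address: {host!r}") from None
        servers.append((str(ip), int(port)))
    return servers


if __name__ == "__main__":
    print(check_autoscale(DEFAULTS) or "autoscale settings are consistent")
    print(parse_backend_servers("10.0.1.4:80, 10.0.1.5:8080"))  # constructed addresses
```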
Recommendations
- If the license file "barracuda-byol-license-process.dat" which was generated by the previous stack is present in blob storage, then free licenses may not be available. This can lead to provisioning failures.
- It is advised not to delete or modify the "barracuda-byol-license-process.dat" license file when the VMSS stack is in Running state. It can lead to provisioning/clustering failures.
- When you deploy an additional VMSS stack, it is recommended to use a different blob path for storing the "barracuda-byol-license-list.json" license file.