Kaspersky Security Center 13.1

Working in Microsoft Azure cloud environment

This section provides information about Kaspersky Security Center deployment and maintenance in a cloud environment provided by Microsoft Azure, as well as details of protection deployment on virtual machines in this cloud environment.

In a Kaspersky Security Center that has been deployed from a Usage-based monthly billed SKU, Vulnerability and Patch Management is automatically activated, and Mobile Device Management cannot be activated.

In this section

About work in Microsoft Azure

Creating a subscription, Application ID, and password

Assigning a role to the Azure Application ID

Deploying Administration Server in Microsoft Azure and selecting database

Working with Azure SQL

See also:

Hardware and software requirements

Scenario: Deployment for cloud environment


About work in Microsoft Azure

To work with the Microsoft Azure platform and, in particular, to purchase apps at the Azure Marketplace and create virtual machines, you will need an Azure subscription. Before you deploy the Administration Server, create an Azure Application ID with permissions required for installation of applications on virtual machines.

If you purchase a Kaspersky Security Center image at the Azure Marketplace, you can deploy a virtual machine with your ready-to-use Kaspersky Security Center Administration Server. You must select settings of the virtual machine, but you do not have to install the application yourself. After deployment, you can start Administration Console and connect to the Administration Server to begin working with Kaspersky Security Center.

You can also use an Azure virtual machine with Kaspersky Security Center Administration Server deployed on it to protect on-premises devices (for example, if a cloud server turns out to be easier to service and maintain than a physical one). If this is the case, you work with the Administration Server the same as you would if the Administration Server were installed on a physical device. If you do not plan to use Azure API tools, you do not need an Azure Application ID. In this case, an Azure subscription is enough.

See also:

About work in a cloud environment

Scenario: Deployment for cloud environment


Creating a subscription, Application ID, and password

To work with Kaspersky Security Center in the Microsoft Azure environment, you need an Azure subscription, Azure Application ID, and Azure Application password. You can use an existing subscription, if you already have one.

An Azure subscription grants its owner access to the Microsoft Azure Platform Management Portal and to Microsoft Azure services. The owner can use the Microsoft Azure Platform to manage services such as Azure SQL and Azure Storage.

To create a Microsoft Azure subscription,

Go to https://account.windowsazure.com/Subscriptions and follow the instructions there.

More information about creating a subscription is available on the Microsoft website. You will get a subscription ID, which you will later provide to Kaspersky Security Center together with Application ID and password.

To create and save Azure Application ID and password:

  1. Go to https://portal.azure.com and make sure that you are logged in.
  2. Following the instructions on the reference page, create your Application ID.
  3. Go to the Keys section of the application settings.
  4. In the Keys section, fill in the Description and Expires fields and leave the Value field empty.
  5. Click Save.

    When you click Save, the system automatically fills the Value field with a long sequence of characters. This sequence is your Azure Application password (for example, yXyPOy6Tre9PYgP/j4XVyJCvepPHk2M/UYJ+QlfFvdU=). The description is displayed as you entered it.

  6. Copy the password and save it, so that you can later provide the Application ID and password to Kaspersky Security Center.

    You can copy the password only when it has been created. Later, the password will no longer be displayed and you cannot restore it.

The addresses of web pages cited in this document are correct as of the Kaspersky Security Center release date.


Assigning a role to the Azure Application ID

If you only want to detect virtual machines using device discovery, your Azure Application ID must have the Reader role. If you want not only to detect virtual machines, but also to deploy protection on the virtual machines, your Azure Application ID must have the Virtual Machine Contributor role.

Follow the instructions on the Microsoft website to assign a role to your Azure Application ID.
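
The following added example (not part of the Kaspersky or Microsoft documentation) checks exported role assignments against the two roles named above and reports any role that the chosen use of the Application ID does not require. The record shape follows `az role assignment list` JSON output; the sample records, the placeholder IDs, and the assumption that `principalName` carries the Application ID are constructed for illustration.

```python
import json

# Role the page requires for each use of the Azure Application ID.
REQUIRED_ROLE = {
    "discovery": "Reader",                         # detect virtual machines only
    "deployment": "Virtual Machine Contributor",   # detect and deploy protection
}

# Constructed sample, shaped like `az role assignment list --all -o json` output.
# Assumption: principalName holds the Application ID; IDs and scopes are placeholders.
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"principalName": "app-id-placeholder-1", "roleDefinitionName": "Reader",
   "scope": "/subscriptions/sub-placeholder"},
  {"principalName": "app-id-placeholder-1", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/sub-placeholder"},
  {"principalName": "app-id-placeholder-2", "roleDefinitionName": "Virtual Machine Contributor",
   "scope": "/subscriptions/sub-placeholder/resourceGroups/rg-placeholder"}
]
""")


def audit_app_roles(assignments, app_id, mode):
    """Return findings for one Application ID; an empty list means it matches the page."""
    required = REQUIRED_ROLE[mode]
    held = [a for a in assignments if a.get("principalName") == app_id]
    findings = []
    if not any(a["roleDefinitionName"] == required for a in held):
        findings.append(f"missing required role: {required}")
    for a in held:
        if a["roleDefinitionName"] != required:
            findings.append(
                f"role not required for {mode}: {a['roleDefinitionName']} at {a['scope']}"
            )
    return findings


if __name__ == "__main__":
    for app_id, mode in [("app-id-placeholder-1", "discovery"),
                         ("app-id-placeholder-2", "deployment")]:
        result = audit_app_roles(SAMPLE_ASSIGNMENTS, app_id, mode)
        print(app_id, mode, result or "OK")
```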


Deploying Administration Server in Microsoft Azure and selecting database

To deploy Administration Server in the Microsoft Azure environment:

  1. Sign in to Microsoft Azure using your account.
  2. Go to the Azure portal.
  3. In the left pane, click the green plus sign.
  4. Type "Kaspersky Hybrid Cloud Security" in the search field in the menu.

    Kaspersky Hybrid Cloud Security is a combination of Kaspersky Security Center and two security applications for protection of instances: Kaspersky Endpoint Security for Linux and Kaspersky Security for Windows Server.

  5. In the list of results, select Kaspersky Hybrid Cloud Security or Kaspersky Hybrid Cloud Security (BYOL).

    In the right part of the screen, an information window appears.

  6. Read the information and click the Create button at the end of the information window.
  7. Fill in all the necessary fields. Use the tooltips to get information and assistance.
  8. When selecting the size, select one of the three starred options.

    In most cases, 8 gigabytes (GB) of RAM is enough. However, in Azure, you can increase the size of RAM and other resources of the virtual machine at any time.

  9. When selecting a database, select one of the following, according to your plan:
    • Local—If you want a database on the same virtual machine where the Administration Server will be deployed. Kaspersky Security Center comes with an SQL Server Express database. Choose this option if SQL Server Express is enough for your needs.
    • New—If you want a new RDS database in the Azure environment. Choose this option if you want a DBMS other than SQL Server Express. Your data will be transferred to the cloud environment, where it will remain, and you will not have any extra expenses.
    • Existing—If you want to use an existing database server. In this case, you will have to specify its location. If this server is outside the Azure environment, your data will be transferred over the internet, which might result in extra expenses.
  10. When entering the subscription ID, use the subscription that you created earlier.

After deployment, you can connect to the Administration Server using RDP. You can use the Administration Console to work with the Administration Server.


Working with Azure SQL

This section describes which actions must be taken to prepare a Microsoft Azure database for Kaspersky Security Center, prepare an Azure storage account, and migrate an existing database to Azure SQL.

SQL Database is a general-purpose relational database managed service in Microsoft Azure.


In this section

Creating Azure storage account

Creating Azure SQL database and SQL Server

Migrating the database to Azure SQL


Creating Azure storage account

You have to create a storage account in Microsoft Azure for working with Azure SQL database and for deployment scripts.

To create a storage account:

  1. Sign in to the Azure portal.
  2. In the left pane, select Storage accounts to proceed to the Storage accounts window.
  3. In the Storage accounts window, click the Add button to proceed to the Create storage account window.
  4. Fill in all the necessary fields to create a storage account:
    • Location: must be the same as the location of the Administration Server.
    • Other fields: you may leave the default values.

    Use the tooltips to get information about each field.

    After the storage account is created, the list of your storage accounts is displayed.

  5. In the list of your storage accounts, click the name of the newly created account to see information about this account.
  6. Make sure you know the account name, the resource group, and access keys for this storage account. You will need this information for working with Kaspersky Security Center.

You can refer to the Azure website for help.

If you already have a storage account, you can use it for working with Kaspersky Security Center.


Creating Azure SQL database and SQL Server

You need an SQL database and SQL Server in the Azure environment.

To create an Azure SQL database and SQL Server:

  1. Follow the instructions on the Azure website.

    You can create a new server when Microsoft Azure prompts you to do so; if you already have an Azure SQL Server, you can use it for Kaspersky Security Center rather than creating a new one.

  2. After creating the SQL database and SQL Server, make sure that you know its resource name and resource group:
    1. Go to https://portal.azure.com and make sure that you are logged in.
    2. In the left pane, select SQL databases.
    3. Click the name of a database from the list of your databases.

      The properties window opens.

    4. The name of the database is the resource name. The name of the resource group is displayed in the Overview section of the properties window.

You need the resource name and resource group of the database for migrating the database to Azure SQL.


Migrating the database to Azure SQL


After Administration Server is deployed in the Azure environment, you can migrate your Kaspersky Security Center database from an on-premises device to Azure SQL. You need an Azure storage account for an Azure SQL database. You also must have Microsoft SQL Server Data-Tier Application Framework (DacFx) and SQLSysCLRTypes on your Administration Server.

To perform the migration of the database:

  1. Make sure that you have created an Azure storage account.
  2. Make sure that you have SQLSysCLRTypes and DacFx on your Administration Server.

    You can download Microsoft SQL Server Data-Tier Application Framework (17.0.1 DacFx) and SQLSysCLRTypes (choose the version corresponding to the version of your SQL Server) from the official Microsoft website.

  3. On your physical Administration Server (on-premises), run the Kaspersky Backup utility to back up Administration Server data with the Migrate to Azure format option enabled.
  4. Copy the backup file to the Azure Administration Server.

    Make sure that you have enough disk space on the Azure virtual machine where the Administration Server is installed. In the Azure environment, you can add disk space to your virtual machines to accommodate the process of database migration.

  5. On the Administration Server located in the Microsoft Azure environment, start the Kaspersky Backup utility again in interactive mode.

    The Backup and Restore Wizard starts.

  6. At the Select action step, select Restore Administration Server data and click Next.
  7. At the Restore settings step, click the Browse button next to the Folder for storage of backup copies.
  8. In the Sign In to Online Storage window that opens, fill in the following fields and then click OK:
  9. Select the Migrate from local backup option.

    The Browse button becomes available.

  10. Click the Browse button to choose the folder on the Azure Administration Server where you copied the backup file.
  11. Click Next and complete the procedure.

Your data will be restored to the Azure SQL database by using your Azure storage. You can use this database for further work with Kaspersky Security Center in the Azure environment.
