Requirements for Alert Logic Threat Manager for Microsoft Azure

United States firewall rules

Use the following rules to communicate with the US Data Center.

Appliance inbound

Source                                              | Destination | Protocol | Port | Description
----------------------------------------------------|-------------|----------|------|--------------------------------------------------------------------------
0.0.0.0/0                                           | Appliance   | TCP      | 80   | Appliance claim
Agent(s) CIDR (network subnet range for the agents) | Appliance   | TCP      | 443  | Agent updates, agent routing, log collection
Agent(s) CIDR (network subnet range for the agents) | Appliance   | TCP      | 7777 | Agent data transport (between agent and appliance on the local network)
208.71.209.32/27                                    | Appliance   | TCP      | 22   | Optional and temporary: required for troubleshooting during provisioning only
204.110.218.96/27                                   | Appliance   | TCP      | 22   | Optional and temporary: required for troubleshooting during provisioning only
204.110.219.96/27                                   | Appliance   | TCP      | 22   | Optional and temporary: required for troubleshooting during provisioning only

Port 22 is required for troubleshooting during the provisioning process only. After provisioning is complete, you may close the port.

Appliance outbound

Source    | Destination       | Protocol | Port | Description
----------|-------------------|----------|------|-------------------
Appliance | 8.8.4.4           | TCP/UDP  | 53   | DNS
Appliance | 8.8.8.8           | TCP/UDP  | 53   | DNS
Appliance | 0.0.0.0/0         | TCP      | 80   | Appliance updates
Appliance | 204.110.218.96/27 | TCP      | 443  | Updates
Appliance | 204.110.219.96/27 | TCP      | 443  | Updates
Appliance | 208.71.209.32/27  | TCP      | 443  | Updates
Appliance | 208.71.209.32/27  | TCP      | 4138 | Event transport
Appliance | 204.110.218.96/27 | TCP      | 4138 | Event transport
Appliance | 204.110.219.96/27 | TCP      | 4138 | Event transport
Appliance | 204.110.219.96/27 | UDP      | 123  | NTP, time sync
Appliance | 208.71.209.32/27  | UDP      | 123  | NTP, time sync

Agent outbound

Source         | Destination       | Protocol | Port | Description
---------------|-------------------|----------|------|--------------------------------------------------------------------------
Protected host | 208.71.209.32/27  | TCP      | 443  | Agent updates (direct)
Protected host | 204.110.218.96/27 | TCP      | 443  | Agent updates (direct)
Protected host | 204.110.219.96/27 | TCP      | 443  | Agent updates (direct)
Protected host | Appliance         | TCP      | 443  | Agent updates (single point of egress)
Protected host | Appliance         | TCP      | 7777 | Agent data transport (between agent and appliance on the local network)

European Union firewall rules

Use the following rules to communicate with the EU Data Center.

Appliance inbound

Source                                              | Destination | Protocol | Port | Description
----------------------------------------------------|-------------|----------|------|--------------------------------------------------------------------------
Agent(s) CIDR (network subnet range for the agents) | Appliance   | TCP      | 443  | Agent updates
Agent(s) CIDR (network subnet range for the agents) | Appliance   | TCP      | 7777 | Agent data transport (between agent and appliance on the local network)
0.0.0.0/0                                           | Appliance   | TCP      | 80   | Appliance claim
185.54.124.0/24                                     | Appliance   | TCP      | 22   | Optional and temporary: required for troubleshooting during provisioning only

Port 22 is required for troubleshooting during the provisioning process only. After provisioning is complete, you may close the port.

Appliance outbound

Source    | Destination     | Protocol | Port | Description
----------|-----------------|----------|------|-------------------
Appliance | 185.54.124.0/24 | TCP      | 443  | Updates
Appliance | 185.54.124.0/24 | TCP      | 4138 | Event transport
Appliance | 8.8.8.8         | TCP/UDP  | 53   | DNS
Appliance | 8.8.4.4         | TCP/UDP  | 53   | DNS
Appliance | 0.0.0.0/0       | TCP      | 80   | Appliance updates
Appliance | 185.54.124.0/24 | UDP      | 123  | NTP, time sync

Agent outbound

Source         | Destination     | Protocol | Port | Description
---------------|-----------------|----------|------|--------------------------------------------------------------------------
Protected host | Appliance       | TCP      | 7777 | Agent data transport (between agent and appliance on the local network)
Protected host | 185.54.124.0/24 | TCP      | 443  | Agent updates (direct)
Protected host | Appliance       | TCP      | 443  | Agent updates (single point of egress)
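The US and EU appliance inbound tables above can be turned into a check that an exported rule set actually matches them, and that the provisioning-only rules (TCP 22 from the Alert Logic ranges, TCP 80 for the appliance claim) were closed afterwards. This is an added example, not Alert Logic code; it assumes inbound allow rules have been flattened to dicts with name, protocol, port and source (as from an Azure network security group export), and the rule set itself is constructed.

```python
"""Audit an appliance's inbound allow rules (as exported from an Azure NSG) against the
inbound tables above and flag provisioning-only rules (added example, not Alert Logic code)."""
import ipaddress

# Alert Logic source ranges permitted on TCP 22 during provisioning, per data center.
SSH_SOURCES = {
    "US": ["208.71.209.32/27", "204.110.218.96/27", "204.110.219.96/27"],
    "EU": ["185.54.124.0/24"],
}
AGENT_PORTS = {443, 7777}  # steady-state agent -> appliance flows the page requires


def within(source_cidr, allowed_cidrs):
    """True if source_cidr lies entirely inside one of the allowed ranges."""
    src = ipaddress.ip_network(source_cidr, strict=False)
    return any(src.subnet_of(ipaddress.ip_network(a)) for a in allowed_cidrs)


def audit_inbound(rules, region, provisioned):
    """Return (rule name, finding) pairs. Each rule is a dict with name, protocol,
    port and source; provisioned is True once the appliance has been claimed."""
    findings = []
    for r in rules:
        proto, port, src = r["protocol"].upper(), int(r["port"]), r["source"]
        if proto == "TCP" and port == 22:
            if not within(src, SSH_SOURCES[region]):
                findings.append((r["name"], "SSH source is wider than the Alert Logic range"))
            elif provisioned:
                findings.append((r["name"], "SSH is provisioning-only; close it now"))
        elif proto == "TCP" and port == 80 and provisioned:
            findings.append((r["name"], "appliance claim on 80 is temporary; remove it"))
    return findings


def missing_agent_rules(rules, agent_cidr):
    """Ports in AGENT_PORTS with no TCP allow rule from the agents' subnet."""
    present = {int(r["port"]) for r in rules
               if r["protocol"].upper() == "TCP" and r["source"] == agent_cidr}
    return sorted(AGENT_PORTS - present)


# Constructed rule set: agents live in 10.1.0.0/24; the last SSH rule is far too broad.
SAMPLE_RULES = [
    {"name": "agents-443", "protocol": "Tcp", "port": 443, "source": "10.1.0.0/24"},
    {"name": "agents-7777", "protocol": "Tcp", "port": 7777, "source": "10.1.0.0/24"},
    {"name": "claim-80", "protocol": "Tcp", "port": 80, "source": "0.0.0.0/0"},
    {"name": "ssh-alertlogic", "protocol": "Tcp", "port": 22, "source": "204.110.219.96/27"},
    {"name": "ssh-anywhere", "protocol": "Tcp", "port": 22, "source": "0.0.0.0/0"},
]
```

Running `audit_inbound(SAMPLE_RULES, "US", provisioned=True)` reports all three leftover or over-broad rules, while the same set before provisioning only trips on the any-source SSH rule.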

Virtual appliance requirements

Virtual appliance sizing

Use the following information to determine your virtual machine size requirements.

Throughput calculation

Use the following calculation to determine the throughput requirement of the Threat Manager virtual appliance. The result tells you which instance type size to select during the installation procedure.

To calculate throughput requirements:

  1. Identify each virtual server that Threat Manager will protect.
  2. For the first virtual server to protect:
    1. Log in to the Microsoft Azure portal.
    2. Select Virtual Machines from the left navigation area.
    3. Click the virtual server name in the list.
    4. Click Monitor.
  3. Identify the Total utilization for Network In and Network Out.
  4. Add these numbers together. This is the networking utilization for the first virtual server.
  5. Complete these steps for each virtual server you want protected by Threat Manager.
  6. Once you have the total networking utilization calculated for each virtual server, add these numbers together. This is the estimated throughput requirement for your Threat Manager virtual appliance. Select your instance type size based on this calculation.

Instance type sizes

Threat Manager runs on select compute instance types in the Microsoft Azure environment ranging from A1 (1 core, 1.75 GB memory) to A4 (8 cores, 14 GB memory).

Instance type | Cores | Memory (GB) | Throughput without scanning | Throughput with scanning
--------------|-------|-------------|-----------------------------|------------------------------------------------------------
A1            | 1     | 1.75        | 30 Mbps                     | Not supported (this instance type does not support scanning)
A2            | 2     | 3.5         | 150 Mbps                    | Not supported (this instance type does not support scanning)
A3            | 4     | 7           | 300 Mbps                    | 150 Mbps
A4            | 8     | 14          | 1 Gbps                      | 825 Mbps
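The throughput procedure above and the instance table, carried through in code as an added example (not part of the original page or Alert Logic's tooling). It assumes the portal's Network In/Out totals are byte counts over the chart's time window, hence the Mbps conversion, and the per-server figures are constructed.

```python
"""Carry the page's throughput calculation through and pick the smallest instance
type from the page's table that covers it (added example, not Alert Logic code)."""

# Instance table from the page: name, cores, memory (GB), Mbps without scanning,
# Mbps with scanning (None where the page says scanning is not supported).
INSTANCE_TYPES = [
    ("A1", 1, 1.75, 30, None),
    ("A2", 2, 3.5, 150, None),
    ("A3", 4, 7, 300, 150),
    ("A4", 8, 14, 1000, 825),
]


def bytes_to_mbps(total_bytes, window_seconds):
    """Assumption: the portal's Network In/Out totals are bytes over the chart
    window; convert them to average megabits per second for the table."""
    return total_bytes * 8 / window_seconds / 1_000_000


def vm_utilisation_mbps(network_in_mbps, network_out_mbps):
    """Steps 3-4: one server's utilisation is Network In plus Network Out."""
    return network_in_mbps + network_out_mbps


def total_throughput_mbps(vms):
    """Steps 5-6: add up every protected server. vms maps name -> (in, out)."""
    return sum(vm_utilisation_mbps(i, o) for i, o in vms.values())


def select_instance(required_mbps, scanning=False):
    """Smallest instance type whose rated throughput covers the requirement, or
    None when even A4 is too small. With scanning on, A1 and A2 are skipped."""
    for name, _cores, _mem, no_scan, with_scan in INSTANCE_TYPES:
        capacity = with_scan if scanning else no_scan
        if capacity is not None and required_mbps <= capacity:
            return name
    return None


# Constructed sample: three protected servers, utilisation already in Mbps.
SAMPLE_VMS = {"web-01": (20, 15), "app-01": (60, 40), "db-01": (100, 50)}

if __name__ == "__main__":
    total = total_throughput_mbps(SAMPLE_VMS)
    print(f"Estimated requirement: {total} Mbps")
    print("Without scanning:", select_instance(total))
    print("With scanning:", select_instance(total, scanning=True))
```

Note that the same 285 Mbps requirement fits an A3 without scanning but needs an A4 once scanning is enabled, since the with-scanning column is what applies then.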

Microsoft Azure endpoints

All virtual machines you create in Microsoft Azure use a private network channel to automatically communicate with other virtual machines in the same virtual network. However, to allow inbound network traffic from Alert Logic, you must add endpoints and Access Control List (ACL) entries to your virtual machine.

For more information, see Microsoft's documentation about endpoints.

Create the following endpoints and ACL entries for Threat Manager in Microsoft Azure.

Endpoint | ACL entry         | Protocol | Description
---------|-------------------|----------|-----------------------------------------------
22       | 204.110.219.96/27 | SSH      | Secure shell (Alert Logic primary data center)
22       | 204.110.218.96/27 | SSH      | Secure shell (Alert Logic DR data center)
80       | n/a               | HTTP     | Appliance claim (temporary)

Microsoft Azure virtual networks

Threat Manager appliances and agents must be located in the same virtual network. Since each virtual network is run as an overlay, only virtual machines and services that are part of the same network can access each other. Services outside the virtual network have no way to identify or connect to services hosted within virtual networks, unless specific endpoints are added for external Internet sources.

Virtual appliance

The following table describes the basic system requirements to install a Threat Manager virtual appliance:

Components                    | System requirements
------------------------------|----------------------------------------------------------------------------------
CPU                           | 4 virtual CPUs
RAM                           | 8 GB
Disk space                    | 40 GB minimum
Supported virtual environment | VMware only
Log collection support        | N/A
Encryption                    | TLS Standard (SSL): 1024- to 2048-bit key encryption, 256-bit AES bulk encryption

This is the recommended basic configuration for the Threat Manager product when deployed on a virtual appliance. Bandwidth volume directly impacts the ability of the appliance to inspect traffic. Therefore, high traffic environments may require a virtual machine with additional processor and memory resources.

If you want to run scans, consider 8 virtual CPUs (cores) and 16 GB of memory.

Alert Logic agent

The following table describes the basic requirements to install the agent:

Components                 | System requirements
---------------------------|-------------------------------------------------------------------------------------
Operating systems          | Windows and Linux; the supported versions are listed below this table
Memory                     | 96 MB of available memory
Disk space for agent       | 30 MB of available disk space
Disk space for local cache | 500 MB of available disk space
Packet access              | WinPcap 4.1.2
CPU utilization            | 1-10% depending on log volume
RAM                        | 15 MB minimum
Disk space                 | 30 MB minimum
Log collection support     | Windows, Flat File
Supported environments     | Agent-only deployments with virtual and physical appliances, VPC, and Public Clouds
Encryption                 | TLS Standard (SSL): 2048-bit key encryption, 256-bit AES bulk encryption
Log collection frequency   | Logs are collected and sent to the Alert Logic Cloud at least every five minutes
Host permissions           | The LocalSystem account has all the necessary permissions by default

Supported operating systems

For Windows users:
  • Windows Server 2016
  • Windows 10
  • Windows Server 2003, SP1
  • Windows Server 2008
  • Windows Server 2012
  • Windows Vista
  • Windows 7
  • Windows 8
  • Windows XP SP1

For Linux users:

Debian (.deb)
  • 5.x (lenny)
  • 6.x (squeeze)
  • 7.x (wheezy)
  • 8.x (jessie)

Ubuntu (.deb)
  • 10.x
  • 12.x
  • 14.x
  • 16.x

CentOS (.rpm)
  • 5.x
  • 6.x
  • 7.x

Red Hat Enterprise Linux (.rpm)
  • 5.x
  • 6.x
  • 7.x

SUSE
  • 12.1
  • 12.0
  • 11.4
  • 11.3

Amazon Linux

The Alert Logic agent can be used in AWS Workspaces in conjunction with a supported operating system.

Operating systems and browser support

The Alert Logic console supports the current version and the previous major version of the following operating systems and browsers:

Operating system support | Browser support
-------------------------|-------------------------------------------------------
Mac, Linux, and Windows  | Chrome, Safari, Firefox, Opera, and Internet Explorer

Alert Logic cannot guarantee that other browsers and versions will work with its products.
