Deploy G4 Appliances on Azure
The sections below describe how to deploy Imprivata G4 (fourth generation) virtual appliances on Microsoft Azure infrastructure services through the Azure Marketplace.
The release history and supported migration paths for G4 and G3 (third generation) virtual appliances and enterprises on Azure are:
- Imprivata OneSign 23.2 supported larger scale and higher performance deployments of G4 on Azure by adding service appliances and the new migrations described in the next bullet.
- Imprivata OneSign 23.2 added support for the following enterprise migrations involving Azure:
  - G3 on premises to G4 on Azure
  - G3 on Azure to G4 on Azure
  - G4 on premises to G4 on Azure
  - Hybrid G3 to hybrid G4. A hybrid G3 enterprise has some G3 appliances on premises and some on Azure, and usually supports a Disaster Recovery configuration. A hybrid G3 enterprise can be migrated to a hybrid G4 enterprise with G4 appliances on premises and on Azure.
  NOTE: For the procedure for all migrations to a G4 enterprise, see "Migrating to a G4 Enterprise" in the Imprivata Upgrade Portal. When you migrate to G4 on Azure or perform a hybrid G3 to G4 migration, the topic you are reading becomes part of that G4 migration procedure, at the section "Stage a G4 Appliance on Microsoft Azure" in the G4 migration topic.
- Beginning with 23.2, Imprivata adopted a new numbering scheme for Imprivata Confirm ID intended to reflect the yearly release cadence. The final release in the 7.x numbering scheme was Imprivata Confirm ID 7.12.
- OneSign 7.10 through 7.12 supported G4 enterprises on Azure only for new enterprises of two database appliances; new enterprises of one database appliance can be used only for testing, including Proof of Concept testing. Scaling G4 appliances on Azure beyond two appliances by adding service appliances is supported only with OneSign 23.2 and later.
- OneSign 7.10 supported either G3 or G4 appliances on Azure, but not both G3 and G4 appliances in the same enterprise.
- OneSign 7.4 through 7.10 supported G3 appliances on Azure.
You establish a G4 or G3 enterprise on Azure using different private products in the Azure Marketplace, so be sure to select the private product for the enterprise that you want.
Both G4 and G3 products were moved in the Azure Marketplace from their previous location in "Private offers" to a new location in a "Private product" category.

This documentation was written applying the following assumptions:
- You are familiar with Microsoft Azure Portal and Marketplace use and terminology.
- You are familiar with Microsoft Azure IaaS (Infrastructure as a Service) services.
- You have an active Azure tenant and subscription.
  NOTE: The Imprivata appliance on Azure is available as a private product in the Azure Marketplace. Microsoft blocks access to private products for Azure subscriptions owned by Azure Cloud Solutions Providers (CSPs). Therefore, customers using a CSP subscription must get their own Azure pay-as-you-go tenant and subscription to access and use the Imprivata appliance on Azure.
- You adopt Microsoft's networking best practices.
- You are actively engaging with Imprivata service engineers (or other appropriate Imprivata personnel or partners) to ensure deployed resources are successfully connected to existing infrastructure.

Before deploying an appliance on Azure, familiarize yourself with information associated with Microsoft Azure and the Imprivata G4 appliance. Review the following documentation:
- Microsoft Azure documentation. Many deployment tasks in this topic are performed in the Azure Portal and Marketplace. For more information, see the Azure documentation.

You can deploy Imprivata appliances into a variety of Azure hub-and-spoke network topologies. Your Azure network topology may depend on how much of your organization's infrastructure has been migrated from being solely on premises to being a hybrid mix of on premises and in the cloud. Four common Azure network topologies into which you can deploy appliances are:
- Deploy appliances into one spoke virtual network in a single region. The Microsoft Active Directory (AD) is on premises.
- Deploy appliances into one spoke virtual network in a single region. The AD is in the hub virtual network in Azure.
- Deploy appliances into more than one spoke virtual network in different regions for enhanced local service, geographic redundancy, or because of latency or volume. The AD is in the hub virtual network.
- Deploy appliances into the hub virtual network to provide shared services to multiple spoke networks. The AD is in the hub virtual network.
For more information on the hub-and-spoke architecture, see the Azure documentation on Hub-and-Spoke.
An Active Directory Domain Controller can be located on premises or on Azure IaaS. If a Domain Controller is located on premises, then before deploying an appliance on Azure, consider the following:
- An Active Directory Domain Controller should be deployed into the Shared Services subnet in the hub virtual network. This reduces network traffic from the Azure data center to your on-premises network and the associated network latency and data egress costs.
- The appliances are deployed as a spoke off this central hub network and depend on the gateway solution for any communication to on-premises resources.
- The appliance deployment should be targeted to the same geographic region as the hub virtual network to reduce inter-regional latency and data egress costs.

Imprivata G4 appliances deployed on Azure are based on the same software stack as Imprivata G4 appliances on premises. The appliance is deployed on your choice of the following two options:
- Azure F4s_v2 virtual machine (VM) having four vCPUs, 8 GB RAM, and 300 GB of storage.
- Azure F8s_v2 virtual machine having eight vCPUs, 16 GB RAM, and 300 GB of storage.
For both options, the Azure VM manages swap space in an external resource disk.

Number of G4 Appliances to Deploy on Azure
Imprivata supports automated deployment of G4 appliances on Azure, including both database appliances and service appliances. The database appliances and service appliances can be various mixes of Azure F4s_v2 VMs and F8s_v2 VMs, with one important recommendation: in an enterprise, database appliances should have the same or greater processing power and capacity as service appliances. You must specify appliances with enough RAM and disk resources to handle the load expected for them as database or service appliances.
For an enterprise of only two database appliances, Azure F4s_v2s may be sufficient. For higher performance needs, you can optionally scale up to two F8s_v2s. For a larger enterprise of four or more appliances, the database appliances must be F8s_v2s to provide sufficient performance.
The number and type of appliances appropriate for an enterprise depends on numerous factors, including user counts, authentication methods, network topology, site configuration, and failover requirements. The table below shows baseline combinations of database appliances and service appliances in an Azure G4 enterprise for best performance and cost, assuming all appliances in the enterprise are actively servicing endpoint requests. Alternatively, you can deploy enterprises with an odd number of appliances, but performance will vary. Larger enterprises on Azure are supported, but may yield only marginal performance improvements.
Recommended Options | 2 Appliance Enterprise | 2 Appliance Enterprise | 4 Appliance Enterprise | 6 Appliance Enterprise | 6 Appliance Enterprise |
---|---|---|---|---|---|
Database Appliance Azure VM Type | F4s_v2 (4 vCPUs, 8 GB) | F8s_v2 (8 vCPUs, 16 GB) | F8s_v2 (8 vCPUs, 16 GB) | F8s_v2 (8 vCPUs, 16 GB) | F8s_v2 (8 vCPUs, 16 GB) |
Number | 2 | 2 | 2 | 2 | 2 |
Service Appliance Azure VM Type | None | None | F4s_v2 (4 vCPUs, 8 GB) | F4s_v2 (4 vCPUs, 8 GB) | F8s_v2 (8 vCPUs, 16 GB) |
Number | 0 | 0 | 2 | 4 | 4 |
Max Performance in Authentications per Minute | 7,250 | 11,200 | 13,000 | 14,700 | 16,000 |
Estimate the maximum number of user authentications per minute needed for your enterprise at peak usage. You can then use the last row in the table above to determine the baseline enterprise that best matches your organization's needs.
To estimate the maximum number of user authentications per minute needed for your enterprise at peak usage, use the sample information in the graphic below as a general guide. Peak usage typically occurs at or near the start of a major work shift. Your Imprivata sales engineer or support person can help you with this estimation.
Imprivata's G4 private product in the Azure Marketplace allows you to deploy up to 10 G4 appliances on 10 virtual machines (one appliance per VM) in one Azure resource group. This allows you to deploy some G4 appliances for a production enterprise, some for a staging enterprise, and some for a testing enterprise, all in the same Azure resource group. If you add more G4 appliances at a later time, you must add them to a different Azure resource group, and you cannot move them into the first Azure resource group. Therefore, if possible, deploy extra appliances, and if you don't need them, remove them later.
So, you should plan how many enterprises you will create, how many database and service appliances you will create in each enterprise, and which appliances will be Azure F4s_v2s or F8s_v2s. You can deploy up to 10 G4 appliances in one deployment process, specifying F4s_v2 or F8s_v2 per appliance, and then, during the wizard-driven configuration process for each appliance, you assign that appliance to an enterprise. The first two appliances assigned to an enterprise are always database appliances, and any further appliances assigned to that enterprise are always service appliances. Therefore, the order in which you assign appliances to an enterprise determines their type.
Also consider Imprivata G4 site recommendations, including “active/active” setups and using no more than two sites per G4 enterprise, as described in
For specific questions about enterprise configuration or additional guidance, contact Imprivata Services or Support.
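The assignment-order rule and the sizing rules in this section can be checked on paper before anything is deployed. The following Python script is an added example written for this guide, not Imprivata's or Microsoft's code: it derives each appliance's type from its position in the enterprise, applies the rules stated above (F8s_v2 database appliances for enterprises of four or more appliances, database appliances at least as large as service appliances, at most 10 appliances per deployment in one resource group, a single database appliance for testing only, odd counts allowed but with varying performance), and picks the smallest baseline from the table that covers an estimated peak. The function names, the rule messages, and the sample plan are this example's own choices; the VM specifications, limits, and throughput figures are the ones given on this page.

```python
# Added example (not Imprivata's or Microsoft's code): an offline planning check for a
# G4 enterprise on Azure. Rule thresholds come from this page; function and field names
# are this example's own choices.

# vCPUs and GB of RAM for the two Azure VM sizes the G4 product offers (from the page).
VM_SIZES = {"F4s_v2": (4, 8), "F8s_v2": (8, 16)}

# One Marketplace deployment places at most this many G4 appliances in a resource group.
MAX_APPLIANCES_PER_RESOURCE_GROUP = 10

# Baseline enterprises from the page's table:
# (database VM size, database count, service VM size, service count, max authentications/min)
BASELINES = [
    ("F4s_v2", 2, None, 0, 7250),
    ("F8s_v2", 2, None, 0, 11200),
    ("F8s_v2", 2, "F4s_v2", 2, 13000),
    ("F8s_v2", 2, "F4s_v2", 4, 14700),
    ("F8s_v2", 2, "F8s_v2", 4, 16000),
]


def assign_types(sizes):
    """Return [(type, size), ...]: the first two appliances assigned to an enterprise
    are database appliances; every appliance assigned after them is a service appliance."""
    return [("database" if i < 2 else "service", size) for i, size in enumerate(sizes)]


def check_enterprise(name, sizes):
    """Return a list of plan problems for one enterprise (an empty list means the plan is fine).
    sizes is the ordered list of VM sizes, in the order the appliances will be assigned."""
    unknown = sorted({s for s in sizes if s not in VM_SIZES})
    if unknown:
        return [f"{name}: unsupported VM size(s) {unknown}; use F4s_v2 or F8s_v2"]
    issues = []
    typed = assign_types(sizes)
    databases = [s for t, s in typed if t == "database"]
    services = [s for t, s in typed if t == "service"]
    if not databases:
        issues.append(f"{name}: an enterprise needs at least one database appliance")
    # A single database appliance is for testing / Proof of Concept only.
    if len(databases) == 1:
        issues.append(f"{name}: one database appliance is only for testing or Proof of Concept")
    # Enterprises of four or more appliances need F8s_v2 database appliances.
    if len(sizes) >= 4 and any(s != "F8s_v2" for s in databases):
        issues.append(f"{name}: enterprises of four or more appliances need F8s_v2 database appliances")
    # Database appliances should be at least as powerful as service appliances.
    if databases and services:
        weakest_db = min(VM_SIZES[s] for s in databases)
        strongest_svc = max(VM_SIZES[s] for s in services)
        if weakest_db < strongest_svc:
            issues.append(f"{name}: database appliances should match or exceed service appliances in size")
    # An odd appliance count is allowed, but the page says performance will vary.
    if len(sizes) > 1 and len(sizes) % 2 == 1:
        issues.append(f"{name}: odd number of appliances ({len(sizes)}); performance will vary from the baselines")
    return issues


def check_resource_group(plan):
    """plan maps enterprise name -> ordered list of VM sizes. Checks the per-deployment
    limit first, then every enterprise."""
    issues = []
    total = sum(len(sizes) for sizes in plan.values())
    if total > MAX_APPLIANCES_PER_RESOURCE_GROUP:
        issues.append(f"resource group: {total} appliances exceeds the limit of "
                      f"{MAX_APPLIANCES_PER_RESOURCE_GROUP} per deployment")
    for name, sizes in plan.items():
        issues.extend(check_enterprise(name, sizes))
    return issues


def smallest_baseline(peak_auth_per_min):
    """Return the first baseline whose stated maximum covers the estimated peak,
    or None if no baseline on the page does."""
    for baseline in BASELINES:
        if baseline[4] >= peak_auth_per_min:
            return baseline
    return None


if __name__ == "__main__":
    # Constructed sample plan: production, staging and test enterprises in one resource group.
    sample = {
        "production": ["F8s_v2", "F8s_v2", "F4s_v2", "F4s_v2"],
        "staging": ["F4s_v2", "F4s_v2"],
        "test": ["F4s_v2"],
    }
    for issue in check_resource_group(sample):
        print(issue)
    print(smallest_baseline(12000))
```

Run it with a plan written in assignment order; the only finding for the sample plan is that the single-appliance test enterprise is suitable for testing only, and the 12,000 authentications/min estimate maps to the two F8s_v2 database plus two F4s_v2 service baseline.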

Network Services Configuration
When you deploy an appliance to Microsoft Azure, the Azure DHCP service assigns a networking configuration to the appliance.
CAUTION: Do not change the networking configuration for the appliance (except as specified in the Note below, if it applies). If you change network configuration values for the appliance, it may affect your ability to contact and control the virtual machine on which the appliance runs.
Azure DHCP sets the following networking configuration values for the appliance, which you should not change:
- Host name
- Domain name
- IP address
- Subnet mask
- Default gateway
- DNS servers
- NTP servers
NOTE: If your Azure subscription uses a "Custom DNS," meaning it uses your existing DNS infrastructure instead of the Azure DNS, then you must replace the domain name for the appliance after deployment and initialization, during configuration with the setup wizard, as described in Appliance Initialization and Setup.

Gather the required data, consider the additional issues, and perform the tasks described in sections below to locate the Imprivata G4 appliance solution in the Azure Marketplace and perform the deployments.

Gathering the Azure and G4 Appliance Data Needed for Deployment
Collect and record the following Azure and G4 appliance resource data to use in the steps in Deploying the G4 Appliances from the Azure Marketplace:
- Your Azure subscription ID.
- An Azure resource group where the Imprivata appliance resources will live. You can use an existing resource group only if it is empty, that is, no Azure resources are defined in it. Otherwise, you must create a resource group during the deployment.
- The Azure region (effectively the Azure data center) to which the appliance(s) will be deployed, such as East US, Central US, North Central US, or West Coast US. Appliance region placement is important because it affects the performance of access to the Imprivata Appliance Console. Follow Microsoft's recommendations regarding region selection with regard to proximity to your end users and latencies.
- The virtual network for the appliance(s), including whether you want to use an existing virtual network or create a new one.
- The subnet for the appliance(s) on that virtual network, including whether you want to use an existing subnet or manage your existing subnet configuration.
- The diagnostic storage account for the appliance(s). You can choose an existing account (if one exists) or create a new one. If you will create a new diagnostic storage account, decide on a name for it. The name must be between 3 and 24 characters long, inclusive, and include only lower-case letters and numbers with no spaces.
- How many G4 database and service appliances you will create for production, test, and staging enterprises, and in total. Also decide which appliances will be F4s_v2s and which F8s_v2s. For guidance, see Number of G4 Appliances to Deploy on Azure above. For an individual enterprise, most customers deploy two database appliances for redundancy, plus optional service appliances if needed for performance. For a Proof of Concept (POC) deployment, deploy one database appliance. (You can also add an appliance later to a virtual network and subnet in which an existing appliance resides, but the new appliance must be placed in a different Azure resource group.)
- One or more virtual machine (VM) names, one for each VM that will host an appliance. Each name can be at most 28 characters long. The default values are imp-vm-01, imp-vm-02, and so on, which you can change. Consider creating a naming convention for your VM names. The VM name is applied as a prefix to the other resources deployed, for example, the NIC, private IP address, Network Security Group (NSG), and so on.
  NOTE: If you are deploying G4 appliances on Azure as part of migrating an enterprise to G4 on Azure, or as part of migrating a hybrid G3 enterprise to G4, then host names for appliances change during the migration. However, the host names of your original appliances must match the VM names you specify when creating the new G4 appliances on Azure, because an appliance's host name must always match its VM name. Therefore, note the original appliances' host names, or copy those host names from your enterprise export file, so you can specify them as the VM names for the new G4 appliances on Azure. In the export file, a host name appears as the first part of the FQDN (Fully Qualified Domain Name) for an appliance.
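The naming rules collected above are easy to get wrong at the wizard, and for a migration a VM name that does not match an original host name is only discovered later. The following Python script is an added example written for this guide, not Imprivata's or Microsoft's code: it checks a diagnostic storage account name (3 to 24 lower-case letters and digits), checks planned VM names (at most 28 characters, no duplicates) and, for a migration, compares them with host names taken as the first label of each appliance FQDN. The limits are the ones stated on this page; the function names and the sample FQDN lines are constructed for the example, and the enterprise export is assumed here to be readable as a list of FQDN strings, which is not a description of the real export file format.

```python
# Added example (not Imprivata's or Microsoft's code): offline checks of deployment inputs
# against the limits given on this page. Function names and sample data are constructed.
import re

# Storage account name: 3 to 24 characters, lower-case letters and numbers only (from the page).
STORAGE_ACCOUNT_NAME_RE = re.compile(r"^[a-z0-9]{3,24}$")
# VM names can have at most 28 characters (from the page).
MAX_VM_NAME_LEN = 28


def valid_storage_account_name(name):
    """True if the diagnostic storage account name satisfies the page's length and character rule."""
    return STORAGE_ACCOUNT_NAME_RE.fullmatch(name) is not None


def default_vm_names(count):
    """The wizard's default VM names: imp-vm-01, imp-vm-02, and so on."""
    return [f"imp-vm-{n:02d}" for n in range(1, count + 1)]


def hostnames_from_export(fqdns):
    """Host name = first label of each appliance FQDN (blank lines are skipped).
    Assumes the export has been reduced to a list of FQDN strings beforehand."""
    return [fqdn.strip().split(".")[0] for fqdn in fqdns if fqdn.strip()]


def check_vm_names(vm_names, original_hostnames=None):
    """Return a list of problems with the planned VM names (an empty list means all good).
    Pass original_hostnames only for a migration, where every new VM name must equal an
    original appliance host name and every original host name must get a VM."""
    issues = []
    for name in vm_names:
        if len(name) > MAX_VM_NAME_LEN:
            issues.append(f"{name!r}: longer than {MAX_VM_NAME_LEN} characters")
    seen = set()
    for name in vm_names:
        if name in seen:
            issues.append(f"{name!r}: duplicate VM name")
        seen.add(name)
    if original_hostnames is not None:
        missing = sorted(set(original_hostnames) - set(vm_names))
        extra = sorted(set(vm_names) - set(original_hostnames))
        if missing:
            issues.append(f"original host names without a matching VM name: {missing}")
        if extra:
            issues.append(f"VM names that are not original host names: {extra}")
    return issues


if __name__ == "__main__":
    # Constructed sample: the FQDN column of an enterprise export (not a real export file).
    SAMPLE_EXPORT_FQDNS = [
        "onesign-db-01.corp.example.com",
        "onesign-db-02.corp.example.com",
    ]
    print(valid_storage_account_name("impdiag01"), valid_storage_account_name("Imp-Diag"))
    # Keeping the wizard defaults during a migration is caught here, before deployment.
    print(check_vm_names(default_vm_names(2), hostnames_from_export(SAMPLE_EXPORT_FQDNS)))
```

For a fresh (non-migration) deployment call check_vm_names with only the planned names; for a migration pass the host names from the export as well, and do not deploy until the returned list is empty.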

Consider these additional issues before you begin deploying the appliance(s):
- Establish required predefined resources for backups and archiving, such as file shares and file transfer systems (FTS).
- Assess Disaster Recovery (DR) region requirements and related network connectivity.
- An Azure availability set is automatically created for an appliance during the deployment. The availability set effectively splits a hosting virtual machine across server racks for increased reliability. If you plan to deploy multiple appliances, a different availability set is created for each appliance.
- Consider deploying your appliance(s) in an Azure availability zone in the Azure region where you will deploy the appliances.
- You can apply a network security group for an appliance on the hosting virtual machine's NIC or on its subnet.

Deploying the G4 Appliances from the Azure Marketplace
To locate and deploy the Imprivata G4 appliances from the Azure Marketplace:
- In the Azure Portal, search for and select Marketplace.
- Select View Private Products.
- Select the Imprivata G4 product.
  NOTE: If you do not see this product, either contact your Imprivata representative or enter your contact information in the Contact Me for Product window and submit that request so that Imprivata can contact you. Imprivata must make the private product visible to you before you can proceed.
  Do not select the Imprivata OneSign/Confirm ID Solution (Preview) product. That is the G3 appliance on Azure product.
  A page displays describing the product.
- Select Create. The Create page for the Imprivata G4 product opens to the Basics tab.
  NOTE: Moving quickly through the screens of the Azure deployment wizard may result in a verification error. To resolve the error, return to the previous screen and wait a short time before proceeding.
- Under Project details, specify or select values for these fields:
  - Subscription: Select your Azure subscription type, such as Pay-As-You-Go.
  - Resource group: Either specify an existing, empty resource group that has no Azure resources defined in it, or select Create new and, in the pop-up, specify a new resource group.
- Under Instance details:
  - Region: Select the Azure region for your appliances, which is often the region in which you are located.
- Under Configure virtual networks:
  - Virtual network: Select an existing virtual network or click Create new to create a new one.
  - Subnet: Select an existing subnet or click Manage subnet configuration to manage your existing subnet configuration.
  For instructions on creating a new virtual network on Azure or managing your existing subnet configuration on Azure, see Microsoft's Azure documentation.
  NOTE: If you are deploying G4 appliances on Azure as part of any enterprise migration to G4 on Azure (or to a hybrid G4 enterprise on Azure and on premises), then you must specify virtual network and subnet values here, because any network values that you later import from your original enterprise export file will not be used.
- Under Storage account configuration:
  - Diagnostic storage account: Either select a value offered, if any, or click Create New; a frame then appears on the right side of the interface. In that frame, specify a storage account name between 3 and 24 characters long, inclusive, using only lower-case letters and numbers with no spaces. For the other three fields in the Create storage frame (Account kind, Performance, and Replication), use the default values.
- Select Next: Virtual Machine Settings.
- On the Virtual Machine Settings tab, specify or select values for the fields listed below. For guidance, see Number of G4 Appliances to Deploy on Azure above.
  NOTE: If you are deploying G4 appliances as part of migrating an enterprise to a new G4 enterprise on Azure, or as part of migrating a hybrid G3 enterprise to G4, then you must specify the host names of your original appliances in these fields as the virtual machine (VM) names for the new G4 appliances on Azure. This requirement is explained above in Gathering the Azure and G4 Appliance Data Needed for Deployment.
  - First Virtual Machine name: Either leave the default value imp-vm-01 unchanged or optionally change it. Each VM name can have at most 28 characters.
  - First Virtual Machine size: Specify whether to use a Standard_F4s_v2 Azure VM or a Standard_F8s_v2 Azure VM.
  - Second Virtual Machine name: Either leave the default value imp-vm-02 unchanged or optionally change it.
  - Second Virtual Machine size: Select one of these options:
    - create an appliance using a Standard_F4s_v2 Azure VM
    - create an appliance using a Standard_F8s_v2 Azure VM
    - leave the default value selected to not deploy this appliance
  - For each of the third through tenth VMs, either leave the default VM name unchanged or optionally change it. For each VM, select from among the same three options as offered for the Second Virtual Machine size field.
- Click Next: Review + create. Azure reviews the configuration.
  If the validation passes, review your displayed selections and your displayed name, email address, and phone number. If any of your contact information is missing, enter it. Then click Create to deploy the solution.
  If the validation fails, view any error messages, resolve any issues, and click Create again.
  The deployment starts and may take 5 to 10 minutes to complete.
  As deployment progresses, the system displays status information. You can also confirm that deployment is in progress by clicking the notification (bell) icon in the upper right corner of the Azure window. You can also select Resource groups in the Azure left frame and see your new resource group listed.
When the deployment is done, you can view the results in any of these ways:
- Click the notification icon in the Azure window to view the Deployment Succeeded notification.
- From the Notifications drop-down, select Go to resource group to see your deployment with virtual machines, network interfaces (NICs), and disks, plus a network security group, a virtual network, a storage account, and an availability set.
- From that Resource Group display, select the virtual network to see your network settings and IP addresses.
- In the Resource Group left frame, select Diagram to see a diagram view of the network with a subnet, NICs, virtual machines, and a shared network security group.
- In that network diagram, select the network security group to see inbound and outbound ports with allow/deny settings and so on.

Appliance Initialization and Setup
After deployment, the appliance(s) power up automatically and initialization scripts run in the background without displaying progress. Initialization takes approximately 15 minutes for an appliance.
After that time, in a web browser, enter https://<appliance_IP_address>:81 to complete the setup of the first appliance using the appliance configuration wizard. During this configuration you specify the production, staging, or test enterprise to which to assign the appliance. Remember that the first two G4 appliances assigned to any G4 enterprise must be database appliances, and thereafter all G4 appliances added to that same enterprise must be service appliances. Therefore, the order in which you assign appliances to an enterprise determines their type.
If your Azure subscription uses a "Custom DNS," meaning it uses your existing DNS infrastructure instead of the Azure DNS, then you must replace the domain name for the appliance during configuration with the wizard. In this case Azure DHCP supplies the placeholder domain name reddog.microsoft.com during deployment, and you must replace it with your existing domain name. You do this using the Imprivata Appliance Console during the networking step of the configuration setup.
If you deployed two or more G4 appliances, repeat the processes in this section for each additional G4 appliance.
If your G4 appliance deployments are part of an enterprise migration to G4 on Azure, or part of a hybrid G3 enterprise migration to G4, then after you have completed setup of all the new G4 appliances on Azure, return to the topic "Migrating to a G4 Enterprise", section "Export the Current Enterprise", on the Imprivata Upgrade Portal to continue your migration procedures.

To access the Imprivata appliance functions menu:
- In the Azure Portal, on the Virtual Machines window, in the Support + Troubleshooting section, access the Serial Console.
- Open the console for the virtual machine hosting the Imprivata appliance.
- At the system prompt, enter menu and press Enter. The Imprivata appliance functions menu opens.
The menu options are:
- Configure Network — Lets you change the default gateway for the appliance. Do not change this value for an appliance on Azure (see the Caution and Note in Network Services Configuration).
- Reset SSL — Clears all SSL information.
- Reset Administrator password for Imprivata Appliance Console — Resets the Administrator password to admin. You cannot reset the Super Administrator password.
- Modify Password for this menu — Lets you set or clear the password for this menu.
- Restage — Resets the appliance to factory settings. Contact Imprivata Customer Support for assistance with restaging an appliance.
- Restart — Restarts the appliance. It is best to restart the appliance by using the Imprivata Appliance Console System page > Operations tab > Reboot/shutdown options > Reboot this appliance, unless the Imprivata Appliance Console is unreachable.
- Shutdown — Shuts down the appliance. The virtual machine is still deployed on the Azure host.
- Quit