Scanning in Microsoft Azure using Resource Manager (ARM)

Document created by George Akimov on Jul 1, 2016. Last modified by Qualys Documentation on May 29, 2020. Version 25.

This document describes briefly how to deploy the Qualys Virtual Scanner Appliance using Microsoft Azure Resource Manager (ARM). This scanner, once deployed, will function as a standard Virtual Scanner and can scan based on IP address or CIDR block. Want to learn more about Microsoft Azure? Check out the Azure Support page.



About Managing Instances

Instance Snapshots/Cloning Not Allowed

Using a snapshot or clone of a virtual scanner instance to create a new instance is strictly prohibited. The new instance will not function as a scanner. All configuration settings and platform registration information will be lost. This could also lead to scans failing and errors for the original scanner.

Moving/Exporting Instance Not Allowed

Moving or exporting a registered scanner instance from a virtualization platform (HyperV, VMware, XenServer) in any file format to Microsoft Azure cloud platform is strictly prohibited. This will break scanner functionality and the scanner will permanently lose all of its settings.

Some things to consider... 

The following features are not supported and are disabled in all cloud (private and public) platforms:

  • WAN/Split network SETTINGS - “WAN Interface” option for split network settings is not available from Scanner UI/console. Only LAN/single network settings from Cloud UI, used for both scanning and connecting to Qualys servers, are supported 
  • NATIVE VLAN - “VLAN on LAN” option for configuring Native VLAN is not available from scanner UI/console
  • STATIC VLAN (IPV4 AND IPV6) - "VLANs" option for configuring static VLANs is not available from Qualys UI
  • STATIC ROUTES (IPV4 AND IPV6) - Option to configure “Static Routes” is not available from Qualys UI
  • IPV6 ON LAN - Option to configure “IPv6 on LAN” is not available from Qualys UI



Create Resource Group

We recommend you create one resource group per location for your Qualys virtual scanners. Give your resource group a name that will be easy to recognize and represents the group location. Once created, the name cannot be changed.



Create Storage Account

If you don't already have a storage account for your Qualys virtual scanners you'll need to create one at this time.

1) Give the storage account a name following Microsoft Azure guidelines. The name cannot be changed later.

2) The default deployment model is Resource Manager.

3) Select the resource group created in the previous step.

Other recommended settings are shown in the image below.



Create Virtual Network

You may already have a virtual network set up for your Qualys virtual scanners. If not, create a new virtual network.

1) Give your network a name.

2) Select the resource group created in the first step.



Create Your Qualys Virtual Scanner

Prior to deploying the Qualys Virtual Scanner in Azure, you must first create a virtual scanner in the Qualys Cloud Platform, assign it a distinct scanner name and record the exact personalization code.


Go to Virtual machines and Create a virtual machine.


Make these settings

1) Give the virtual machine a name. This is the name that will appear in the Virtual machines list in Microsoft Azure. Tip - Use the scanner name assigned to the virtual scanner in Qualys for easy identification.

2) Choose the "Qualys Virtual Scanner Appliance" image.

3) The Username is your personalization code, retrieved from the Qualys platform, with a 'u' prepended: “u2009XXXXXXXXXX”.

4) Choose a size for your virtual scanner - up to 16 cores and no more than 16 GB. We recommend a ratio of 3-4 GB of memory per core. Other storage settings like number of data disks, max IOPS, load balancing, etc. can be ignored and should not factor into your decision. For instance, the disk options will not have a significant impact on the performance of your scanner.



Since Qualys Virtual Scanner is a locked-down Linux appliance, managed completely from the Qualys Cloud Platform, Azure username, password and SSH public key are not used for any kind of authentication but rather as a mechanism to pass configuration information from Azure Cloud to the appliance.


Proxy server configuration
You can configure the Qualys Scanner to use an SSL proxy for all outbound communication with the Qualys Cloud Platform. We support both IP and FQDN for the proxy server configuration. You'll specify the proxy server URL in the Password field using this format: proxy://username:password@proxyhost:port

If you have a domain user, the format is proxy://domain\username:password@proxyhost:port
If authentication is not used, the format is proxy://proxyhost:port
where proxyhost is the IPv4 address or the FQDN of the proxy server, and port is the port the proxy server is running on.
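
A pre-deployment check for the three Password-field formats above. This is an added example, not Qualys code: parse_proxy_field is a hypothetical helper, and rejecting credentials that contain '@', ':' or '/' is an assumption made here because the page gives no escaping rule for those characters.

```python
import ipaddress
import re

# Hostname labels: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Assumption: the page gives no escaping rule, so credentials containing
# these delimiters are treated as ambiguous and rejected.
_AMBIGUOUS = set("@:/")


def _check_host(host):
    """Accept an IPv4 address or a hostname/FQDN; raise ValueError otherwise."""
    try:
        ipaddress.IPv4Address(host)
        return
    except ValueError:
        labels = host.split(".")
    # An all-numeric last label means a malformed IPv4 address such as 300.1.1.1.
    if len(host) > 253 or labels[-1].isdigit() or not all(map(_LABEL.match, labels)):
        raise ValueError(f"proxyhost is not an IPv4 address or FQDN: {host!r}")


def parse_proxy_field(value):
    """Return (domain, username, password, host, port); errors never echo the secret."""
    if not value.startswith("proxy://"):
        raise ValueError("value must start with proxy://")
    rest = value[len("proxy://"):]
    domain = username = password = None
    if "@" in rest:
        creds, _, hostport = rest.rpartition("@")
        user, sep, password = creds.partition(":")
        if not sep or not user or not password:
            raise ValueError("credentials must be username:password")
        if _AMBIGUOUS & set(user + password):
            raise ValueError("credentials contain '@', ':' or '/'")
        domain, sep, username = user.rpartition("\\")
        if sep and not (domain and username):
            raise ValueError("domain user must be domain\\username")
        domain = domain or None
    else:
        hostport = rest
    host, sep, port = hostport.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("port must be a number from 1 to 65535")
    _check_host(host)
    return domain, username, password, host, int(port)


if __name__ == "__main__":
    print(parse_proxy_field("proxy://CORP\\svc:Constructed-Pw1@10.0.0.5:8080"))
```
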





Create a virtual machine > Basics



Create a virtual machine > Disks



Create a virtual machine > Networking

Be sure to choose the virtual network that you created in a previous step. 



Create a virtual machine > Management

Be sure to choose the storage account that you created in a previous step.



Create a virtual machine > Advanced

Note - we do not use Azure extensions or cloud init.



Create a virtual machine > Review + create

Review the Product Details and click Create. Your virtual scanner will appear on the Virtual machines list in Microsoft Azure.



Your Qualys Virtual Scanner Appliance appears on your Microsoft Azure Dashboard.



Your scanner will update and connect to the Qualys Cloud Platform.  This process may take some time, depending on location. Once connected, you'll be able to use your Azure scanner from the Qualys Cloud Platform as you would any virtual scanner appliance.


How do I know my scanner is ready to use?

Check your virtual scanner status in the Qualys UI. Go to Scans > Appliances, and find your scanner in the list. Tip - It can take several minutes for the Qualys user interface to get updated after you add a new appliance. Please refresh your browser periodically to ensure that you are seeing the most up to date details.




The connected icon tells you your virtual scanner is ready. Now you can start internal scans! (Next to this, you'll see the busy icon is greyed out until you launch a scan using this scanner.)



Enable boot diagnostics to troubleshoot issues with your scanner. Diagnostics will include log output from the scanner. It's easy to do. Set Status to On and select the storage account created for your Qualys scanners. Hit Save (appears above the settings).



Check out these sample diagnostics.



For Customers on Private Cloud Platforms

It could take hours to download the latest qVSA image from Qualys cloud storage account to your machine and then upload it to your Azure storage account using the Azure GUI. Save time by copying the image directly from Qualys cloud storage to your Azure account with Azure CLI tools.


Here are the steps:

1) Qualys Operations will provide you with a link to the qVSA image.

2) Set up Azure CLI tools and log in to your Azure subscription using the Azure CLI "azure login" command.

3) Copy the qVSA image from Qualys to your Azure subscription using this format:


azure storage blob copy start [sourceUri] [options] [destContainer]


[sourceUri] is the qVSA image link provided by Qualys Operations

[options] are:
-a, --account-name <accountName> the storage account name
-k, --account-key <accountKey> the storage account key

[destContainer] is the destination container in the "storage" specified with option "-a"


azure storage blob copy start "" -a "storagevirginia"  -k "AbcdEfgh9piNUT1ZtVg8qEGp7KTlrlht3syhO8FjCNcaoqWkAqlZ3Sp+YXrJ4rBAuJ6+QflCwfhzXsz0yNBr99==" images


Looking for more help?

Check out our Help Center
