This Wiz Security article will explain how to deploy a Wiz outpost to Microsoft Azure cloud infrastructure.
Before we discuss how to deploy an outpost, it is important to understand why many companies do so.
A Wiz outpost is the deployment of the Wiz security scanner \ infrastructure into a customer Azure tenant. By default, when you sign up for Wiz, Wiz scans your infrastructure from their datacenters.
A Wiz outpost runs the scanning and keeps the data from the scanning in the customer’s data centre (Azure). The only thing that is sent back to Wiz is metadata regarding the results, which is available from the Wiz management portal.
Some companies choose to use an outpost for regulatory and compliance reasons, as a third-party organisation like Wiz cannot handle the scanning data.
As we explained before, running a Wiz outpost in your Azure tenant is costly.
Requirements for a Wiz Outpost in Azure
To deploy and run a Wiz outpost in Azure, you must set up a new, paid (not free) and dedicated Azure subscription just for Wiz. The subscription must be empty from any resources besides the Wiz outpost resources.
In order to run the Wiz deployment, you will need to assign the Wiz account permissions sufficient to deploy resources; however, the Wiz account does not need Global Administrator permissions.
Outpost Architecture
A Wiz outpost is made of the following Azure resources:
- Azure Kubernetes Services (AKS) cluster in every region contains Azure VMs that must be scanned for vulnerabilities.
- Azure Key Vault to save security credentials
- Azure Service Bus
A very important detail is that the Wiz outpost will deploy an AKS cluster to every Azure region with virtual machines running. This is the part that makes an outpost a costly operation. If you have 5 regions with VMs, you must run 5 AKS clusters. The average cost of an AKS cluster is around $200 a month.
Wiz Outpost Deployment
Once you have all the requirements, you deploy an Azure outpost from the Wiz management portal by clicking Connect an Environment. When you start connecting an environment, Wiz will give you a choice to deploy the outpost using Bash commands (Azure CLI) or Terraform.
Once you make a selection, Wiz will generate the code for the commands you need to run. Then, you can connect to Azure Cloud Shell (or Terraform) and run the commands.
Summary
As a Wiz integrator, we help companies deploy and integrate Wiz into their environments. Using a Wiz outpost requires special consideration and understanding of the long-term requirements of managing and operating an outpost.
If you need assistance integrating Wiz security into your infrastructure, please contact us using the form below.
Trackbacks/Pingbacks