Azure VM Gateways

Last modified on October 4, 2023

This installation guide describes how to create and configure a Microsoft Azure virtual machine (VM) to host a StrongDM Gateway, as well as how to create and install the Gateway.

Prerequisites

Ensure that you are an account administrator in StrongDM.

Steps

Create an Azure VM

If you already have an Azure VM up and running, check that its properties match those described in this section and in Configure Networking settings. Then proceed to Add a Gateway in StrongDM.

  1. In Azure, go to Home > Virtual Machines, click Create, and then click Virtual Machine.
  2. On the Virtual Machine page, underneath Ubuntu Server, click Create.
  3. On the Create a virtual machine page that opens, set the following properties on the Basics tab:
    1. Subscription: Select your subscription type.
    2. Resource group: Select the appropriate resource group for your account.
    3. Virtual machine name: Give the VM a memorable name (e.g., “strongdm-gw01”).
    4. Region: Select the appropriate region for the VM.
    5. Availability options: Choose your availability.
    6. Security type: Set as per your organization standard.
    7. Image: Make sure the selected image is still Ubuntu and the latest Gen available (e.g., “Ubuntu Server 20.04 LTS”).
    8. Azure Spot instance: Optional
    9. Size: Choose the appropriate size for your needs.
    10. Authentication type:
      1. If you select Password, as we did for this example, also set the Username and Password for the VM.
      2. If you select SSH public key, also set the SSH public key source and Key pair name.
    11. Public inbound ports: Select Allow selected ports.
    12. Select inbound ports: Select SSH (22) to allow port 22.
  4. Click Next to set the remaining properties on the Disks tab, Networking tab, Management tab, Advanced tab, and Tags tab. You can set all the standard options or whatever works for your organization.
  5. On the Review + create tab, check that the VM’s properties are correct, take care of business, and click Create.

Configure Networking settings

  1. Once your VM is deployed, click into its resource name to view its Networking area.
  2. Go to Inbound Port Rules, click Add inbound port rule, and set the following:
    1. Source: Select Any.
    2. Source port ranges: Set *.
    3. Destination: Set IP Addresses.
    4. Destination IP addresses/CIDR ranges: Enter the public IP of the VM you just deployed, followed by /32 so that the rule applies only to that machine (e.g., 10.0.0.021/32). You can find the public IP address under Networking, where it is displayed at the top of the page.
    5. Service: Set Custom.
    6. Destination port ranges: Set 5000.
    7. Protocol: Set TCP.
    8. Action: Set Allow.
    9. Priority: Enter 100 so it has the highest priority.
    10. Name: Change the name to StrongDM.
  3. Click Add to save your changes.

Connect to the VM

Once your Azure VM is up and running, you should be able to connect to it.

  1. Click into the name of your VM to get to its Overview blade.
  2. Click Connect and then select your connection method. In this example, we selected SSH and went through the setup process to connect via SSH with client.

Add a Gateway in StrongDM

The following instructions are for creating a Gateway and generating a token in the Admin UI. If you want to do the same via the CLI instead of the Admin UI, see sdm admin relay create-gateway.

  1. In the Admin UI, go to Network > Gateways and click add gateway.

  2. Set the following properties:

    1. Name: Enter a memorable name (e.g., “azure-vm”). This name will be displayed in the Admin UI. You can edit the name later.
    2. Advertised host: Enter the public IP address of your Azure VM (e.g., “10.0.0.021”). The Gateway will be listening on this address.
    3. Port: Set the TCP port for the service to listen on (default: 5000).
  3. Click create to generate a token that you’ll need later in the installation process. The token is only shown to you one time.

  4. Carefully copy the token and save it somewhere safe for later use.

Gateway Installation

  1. Log in to the Azure VM you created to host your Gateway.

  2. Download the StrongDM binary:

    curl -J -O -L https://app.strongdm.com/releases/cli/linux
    
  3. Unzip it (if this is a new server, you may need to install a package to unzip archives, such as with sudo apt-get install unzip on Ubuntu distributions):

    unzip sdmcli_VERSION_NUMBER_linux_amd64.zip
    
  4. Install the Gateway:

    sudo ./sdm install --relay
    

    You will be prompted for the token you generated when creating a Gateway; paste it in and hit Enter. Note that the token won’t show in the terminal for security purposes, similar to the masking of a password.

  5. Log in to the StrongDM Admin UI. In Infrastructure > Gateways, the Gateway you created should appear to be online and have a heartbeat. If it doesn’t appear online, perform a hard refresh of your browser. Within a couple of minutes, if it is still not online, verify that the StrongDM daemon is running by running ps aux|grep sdm on the server and looking for a line that says sdm relay.
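
The process check from step 5, extended to also confirm that something is listening on the Gateway port, as an added example (not StrongDM's code). It assumes ss is available on the VM and the default port 5000; the function names, the script name and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: post-install checks for a Gateway host (not StrongDM's code).
# Parsers read command output on stdin, so they also work on captured text.

# Succeeds if `ps aux` output has an "sdm relay" process line (not the grep itself).
relay_running() {
    awk '/sdm relay/ && !/grep/ { found = 1 } END { exit !found }'
}

# Prints the local addresses from `ss -ltn` output that listen on TCP port $1.
# Field 4 is Local Address:Port, e.g. 0.0.0.0:5000, *:5000 or [::]:5000.
listen_addrs() {
    awk -v port="$1" '$1 == "LISTEN" {
        n = split($4, a, ":")
        if (a[n] == port) print substr($4, 1, length($4) - length(a[n]) - 1)
    }'
}

# Prints one status word for the given ps text, ss text and port (default 5000).
gateway_status() {
    printf '%s\n' "$1" | relay_running || { echo "relay-not-running"; return 0; }
    addrs=$(printf '%s\n' "$2" | listen_addrs "${3:-5000}")
    [ -n "$addrs" ] || { echo "port-not-listening"; return 0; }
    # A listener bound only to loopback cannot be reached by clients.
    printf '%s\n' "$addrs" |
        awk '!/^127\./ && $0 != "[::1]" { ok = 1 } END { exit !ok }' ||
        { echo "loopback-only"; return 0; }
    echo "listening"
}

# Constructed sample output (PIDs, user and binary path are illustrative).
SAMPLE_PS='root  1432  0.4  1.9 1263220 78012 ?  Ssl 10:02 0:07 /usr/local/bin/sdm relay
azureuser 2210 0.0 0.0 6432 720 pts/0 S+ 10:15 0:00 grep sdm'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096   *:5000             *:*'

# Live use on the VM: sh check_gateway.sh --live [port]
if [ "${1:-}" = "--live" ]; then
    gateway_status "$(ps aux)" "$(ss -ltn)" "${2:-5000}"
fi
```

A result of listening only shows the daemon is bound on the VM; if the Admin UI still reports the Gateway offline, recheck the inbound port rule for the same port.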