Deploying PO Box in Azure

Zilla PO Box is a container that simplifies integration with on-prem applications by extending into customer environments and making outbound API calls to push user and account information to Zilla.

This playbook outlines instructions for setting up an Azure deployment for the PO Box. It includes creating an App Registration, setting up a storage account and file share, and deploying an Azure Container Instance (ACI) with necessary configurations.

Prerequisites

Azure Subscription

  • Azure subscription and resource group inside the subscription

Azure Permissions

  • Necessary admin permissions in the Azure subscription to create resources (for example, an owner role)

Azure CLI

Zilla Support Ticket

  • You need to submit a support ticket to request a Zilla token, Azure container registry login server, and image name

  • The ticket should contain:

    • The request for the Zilla token

    • The request for the Azure container registry login server and image name

    • Your Zilla tenant name

  • Click Submit a request in the upper right corner of the Help Center to begin creating the ticket

Deployment Options

We provide the following mechanisms for you to deploy PO Box to your Azure environment.

Option 1: Using Azure portal

The steps below provide a guide for using the Azure Portal to set up the resources required to deploy PO Box to your environment.

Create App Registration

  1. Login to the Azure portal as an admin user and click Create a resource. Search for App Registration and create a New registration.

  2. Type a Name for the app registration, choose the Supported account types, add a Redirect URI (optional), and click Register.

  3. Copy the Application (client) ID and store it for use in a later step. Securely share the Application (client) ID with the Support team. This allows the Support team to pull the image automatically in a later step.

Add Client Secret

  1. Expand the Manage option on the left side of the page, click Certificates & secrets, and click + New client secret.

  2. Add a Description, set a time when the secret Expires, and click Add.

  3. Keep the client secret value secure so that it can be used to authenticate the application in a future step. You will not be able to retrieve this secret again after this step.

Create Storage Account

  1. Create an Azure Storage Account to store the Zilla token provided by the Support team in the prerequisite activities. Click Create a resource, search for Storage accounts and click + Create.

  2. Fill in the required details including Subscription, Resource group, Storage account name, Region, Performance, and Redundancy. Click Review + create.

  3. Once you have validated that the storage account details are correct, click Create. After the deployment is complete, click Go to resource.

Create File Share

  1. Expand the Data storage option in the navigation menu, click File shares, and click + File share to add a new file share.

  2. Fill in the required details including Name and Access tier and click Review + create.

Add Client Credentials or Zilla_API_Key

Client Credentials Flow (Preferred): Add ZILLA_CLIENT_ID and ZILLA_CLIENT_SECRET provided by Customer Success as environment variables when creating the container in next step.

Zilla_API_Key Flow: Store the Zilla_API_Key provided by Customer Success in the folder zilla → pobox-config.

  • Open the file share that was just created and click Browse. Click Add directory and name the directory Zilla.

  • Create two directories named pobox-config and pobox-output under the Zilla directory and upload the Zilla API key provided by the Support team into the pobox-config folder.

Create Azure Container Instance

The previously created app registration should be authenticated and given AcrPull access to the repository by the Support team.

  1. Deploy an Azure Container Instance by executing the commands below and mount the file share created earlier. The PO Box container needs a dedicated VNET, a dedicated SUBNET, and networking rules that allow it to reach the server VNETs.
    For example, create the network and subnet with the variables listed below.

VNET_NAME=pobox-vnet
SUBNET_NAME=pobox-container-subnet
LOCATION=eastus            # or the region you're using
ADDRESS_PREFIX=10.0.0.0/16 # replace with the address space you're using
SUBNET_PREFIX=10.0.0.0/24  # replace with the subnet you're using

Create the VNET and SUBNET with delegation to Microsoft.ContainerInstance.

az network vnet create \
  --resource-group pobox-rg \
  --name $VNET_NAME \
  --location $LOCATION \
  --address-prefix $ADDRESS_PREFIX \
  --subnet-name $SUBNET_NAME \
  --subnet-prefix $SUBNET_PREFIX

az network vnet subnet update \
  --resource-group pobox-rg \
  --vnet-name $VNET_NAME \
  --name $SUBNET_NAME \
  --delegations Microsoft.ContainerInstance/containerGroups

Then, run the main script.

az container create \
  --resource-group <resource group name> \
  --name <Azure container instance name> \
  --image 'zillapobox.azurecr.io/zinc:latest' \
  --os-type Linux \
  --restart-policy OnFailure \
  --cpu 1 \
  --memory 1.5 \
  --vnet pobox-vnet \
  --subnet pobox-container-subnet \
  --environment-variables \
    ZILLA_URL='https://app.zillasecurity.com' \
    TENANT_DOMAIN='<your Zilla tenant domain>' \
    POLLING_INTERVAL='30' \
    SEND_LOGS_TO_BACKEND='true' \
    USE_FILE_SYSTEM='true' \
    SECRETS_DIRECTORY_PATH='/mnt/Zilla/pobox-config' \
    STORAGE_DIRECTORY_PATH='/mnt/Zilla/pobox-output' \
    ZILLA_CLIENT_ID='<Client id provided by CS team>' \
    ZILLA_CLIENT_SECRET='<Client secret provided by CS team>' \
  --registry-login-server <registry login server> \
  --registry-username <registry user name> \
  --registry-password '<registry password>' \
  --azure-file-volume-share-name zilla-pobox-volume \
  --azure-file-volume-account-name <Azure storage account name> \
  --azure-file-volume-account-key '<Azure storage account access key>' \
  --azure-file-volume-mount-path /mnt

Image: zillapobox.azurecr.io/zinc:latest

registry login server: zillapobox.azurecr.io

registry user name: Application (client) ID copied after registering the new app

registry password: Client secret created previously

Azure storage account name: Storage account name created previously

Azure storage account access key: Can be obtained from Storage Account | Security + Networking | Access Keys

Create Logic App to Restart the Container

Next, create a logic app to restart the container every 24 hours and pull the latest ZINC image.

  1. Click on Create a resource, search for Logic Apps, and click Add. Choose a hosting option and click Select.

  2. Fill in the required details including Subscription, Resource Group, Logic App name, Region and Enable log analytics. Click Review + create.

  3. Once deployed, click Go to resource. Expand the Development Tools option, click Logic app designer, and click Add a trigger.

  4. Search for Recurrence and click Trigger.

  5. Fill in the required details for the daily ACI restart time.

  6. Click Add an action below the recurrence trigger.

  7. Search for Container instance and select Start containers in a container group.

  8. Sign in and fill in the details of the container instance including Subscription Id, Resource Group, and Container Group Name.

  9. Click Save to save the trigger and action. Run history can be monitored, allowing you to check the logs.

Option 2: Execute CLI commands

This option requires you to execute the following commands in order; together they set up the resources required to deploy PO Box to your environment.

Create App Registration

  1. Execute the command below, replacing <tenant name> with your actual tenant name or domain, to create a new App Registration in your Azure Active Directory. This will enable authentication for your application. This app will be given the AcrPull role to pull the latest ZINC image.

# Capture the Application (client) ID in $appId; the client secret step below uses it
appId=$(az ad app create --display-name "zilla-pobox-<tenant name>" \
  --sign-in-audience "AzureADMultipleOrgs" \
  --web-redirect-uris "https://app.zillasecurity.com" \
  --query "appId" --output tsv)
echo "Application (client) ID: $appId"

  2. Copy the Application (client) ID and store it for use in a later step. Securely share the Application (client) ID with the Support team. This allows the Support team to pull the image automatically in a later step.

Add Client Secret

  1. Execute the command below to generate a client secret (password) for the app registration. This secret will be used for authentication.

# Generate a client secret for the app registration created above ($appId)
clientSecret=$(az ad app credential reset --id "$appId" \
  --append --display-name "password" \
  --query "password" --output tsv)
echo "Client Secret: $clientSecret"

  2. Keep the clientSecret value secure so that it can be used to authenticate the application in a future step. You will not be able to retrieve this secret again after this step.

Create Storage Account

  1. Execute the command below to create an Azure Storage Account to store the Zilla token provided by the Support team in the prerequisite activities. Replace <resource group name> with your resource group name. If necessary, create a resource group for this step.

az storage account create \
  --name zillapoboxstorage \
  --resource-group <resource group name> \
  --location eastus \
  --sku Standard_GRS \
  --kind StorageV2 \
  --default-action Allow

Create File Share

  1. Execute the command below to create a file share within the storage account to store the Zilla token. The file share name will be used to mount the file share later.

az storage share create \
  --name zilla-pobox-volume \
  --account-name zillapoboxstorage

Add Client Credentials or Zilla_API_Key

Client Credentials Flow (Preferred): Add ZILLA_CLIENT_ID and ZILLA_CLIENT_SECRET provided by the Support team as environment variables when creating the container in the next step.

Zilla_API_Key Flow: Store the Zilla_API_Key provided by the Support team in the folder zilla → pobox-config.

  • Execute the commands below to create the directories in the file share, then upload the Zilla token into Zilla/pobox-config.

# Create the Zilla directory
az storage directory create \
  --name "Zilla" \
  --share-name "zilla-pobox-volume" \
  --account-name "zillapoboxstorage"

# Create the pobox-config directory inside Zilla
az storage directory create \
  --name "Zilla/pobox-config" \
  --share-name "zilla-pobox-volume" \
  --account-name "zillapoboxstorage"

# Create the pobox-output directory inside Zilla
az storage directory create \
  --name "Zilla/pobox-output" \
  --share-name "zilla-pobox-volume" \
  --account-name "zillapoboxstorage"

Create Azure Container Instance

  1. The previously created app registration should be authenticated and given AcrPull access to repository by the Support team.

  2. Execute the commands below to deploy an Azure Container Instance and mount the file share created earlier. Use the App registration Id for registry-username and the App registration password for registry-password.
    For example, create the network and subnet with the variables listed below.

VNET_NAME=pobox-vnet
SUBNET_NAME=pobox-container-subnet
LOCATION=eastus            # or the region you're using
ADDRESS_PREFIX=10.0.0.0/16 # replace with the address space you're using
SUBNET_PREFIX=10.0.0.0/24  # replace with the subnet you're using

Create the VNET and SUBNET with delegation to Microsoft.ContainerInstance.

az network vnet create \
  --resource-group pobox-rg \
  --name $VNET_NAME \
  --location $LOCATION \
  --address-prefix $ADDRESS_PREFIX \
  --subnet-name $SUBNET_NAME \
  --subnet-prefix $SUBNET_PREFIX

az network vnet subnet update \
  --resource-group pobox-rg \
  --vnet-name $VNET_NAME \
  --name $SUBNET_NAME \
  --delegations Microsoft.ContainerInstance/containerGroups

Then, run the main script.

az container create \
  --resource-group <resource group name> \
  --name <Azure container instance name> \
  --image 'zillapobox.azurecr.io/zinc:latest' \
  --os-type Linux \
  --restart-policy OnFailure \
  --cpu 1 \
  --memory 1.5 \
  --vnet pobox-vnet \
  --subnet pobox-container-subnet \
  --environment-variables \
    ZILLA_URL='https://app.zillasecurity.com' \
    TENANT_DOMAIN='<your Zilla tenant domain>' \
    POLLING_INTERVAL='30' \
    SEND_LOGS_TO_BACKEND='true' \
    USE_FILE_SYSTEM='true' \
    SECRETS_DIRECTORY_PATH='/mnt/Zilla/pobox-config' \
    STORAGE_DIRECTORY_PATH='/mnt/Zilla/pobox-output' \
    ZILLA_CLIENT_ID='<Client id provided by CS team>' \
    ZILLA_CLIENT_SECRET='<Client secret provided by CS team>' \
  --registry-login-server <registry login server> \
  --registry-username <registry user name> \
  --registry-password '<registry password>' \
  --azure-file-volume-share-name zilla-pobox-volume \
  --azure-file-volume-account-name <Azure storage account name> \
  --azure-file-volume-account-key '<Azure storage account access key>' \
  --azure-file-volume-mount-path /mnt
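
The az container create command in Option 1 and Option 2 takes a dozen values that are easy to leave half-filled or mutually inconsistent. The pre-flight check below is an added example, not part of this article or of Zilla's tooling; it assumes the values are collected into a Python dict under the key names shown, and it also separates ZILLA_CLIENT_SECRET from the plain environment variables so it can be passed with the Azure CLI's --secure-environment-variables option instead.

```python
import ipaddress
import re

# Constructed sample of the values the az container create command takes.
# The two angle-bracket placeholders are left in on purpose so the checks
# below can flag them; the other values mirror the article's command.
SAMPLE = {
    "ADDRESS_PREFIX": "10.0.0.0/16",
    "SUBNET_PREFIX": "10.0.0.0/24",
    "image": "zillapobox.azurecr.io/zinc:latest",
    "registry_login_server": "zillapobox.azurecr.io",
    "mount_path": "/mnt",
    "SECRETS_DIRECTORY_PATH": "/mnt/Zilla/pobox-config",
    "STORAGE_DIRECTORY_PATH": "/mnt/Zilla/pobox-output",
    "ZILLA_CLIENT_ID": "<Client id provided by CS team>",
    "ZILLA_CLIENT_SECRET": "<Client secret provided by CS team>",
}

PLACEHOLDER = re.compile(r"<[^<>]*>")  # an unreplaced <...> token
ENV_KEYS = ("SECRETS_DIRECTORY_PATH", "STORAGE_DIRECTORY_PATH",
            "ZILLA_CLIENT_ID", "ZILLA_CLIENT_SECRET")
SECRET_KEYS = ("ZILLA_CLIENT_SECRET",)  # belongs in --secure-environment-variables

def preflight(cfg):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    # 1. A placeholder that reaches az is stored verbatim on the container group.
    for key, value in cfg.items():
        if PLACEHOLDER.search(str(value)):
            problems.append(f"{key}: placeholder not replaced")
    # 2. The delegated subnet must lie inside the VNET address space.
    vnet = ipaddress.ip_network(cfg["ADDRESS_PREFIX"], strict=False)
    subnet = ipaddress.ip_network(cfg["SUBNET_PREFIX"], strict=False)
    if not subnet.subnet_of(vnet):
        problems.append("SUBNET_PREFIX is not inside ADDRESS_PREFIX")
    # 3. The image must be pulled from the registry the app registration has AcrPull on.
    if not cfg["image"].startswith(cfg["registry_login_server"] + "/"):
        problems.append("image is not hosted on registry_login_server")
    # 4. Both PO Box directories must resolve under the Azure Files mount.
    root = cfg["mount_path"].rstrip("/") + "/"
    for key in ("SECRETS_DIRECTORY_PATH", "STORAGE_DIRECTORY_PATH"):
        if not cfg[key].startswith(root):
            problems.append(f"{key} is outside the mount path")
    # 5. The client-credentials flow needs both halves of the credential.
    if not (cfg.get("ZILLA_CLIENT_ID") and cfg.get("ZILLA_CLIENT_SECRET")):
        problems.append("ZILLA_CLIENT_ID and ZILLA_CLIENT_SECRET must both be set")
    return problems

def split_env(cfg):
    """Split the env vars so the secret goes to --secure-environment-variables
    and is not exposed in the container group's properties."""
    plain = {k: cfg[k] for k in ENV_KEYS if k not in SECRET_KEYS}
    secure = {k: cfg[k] for k in ENV_KEYS if k in SECRET_KEYS}
    return plain, secure
```

Run preflight() on your filled-in values before invoking az; the registry password and storage account key are still passed as command-line arguments by the article's command, so run it from a session that does not persist shell history.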

Create a Logic App to Restart the Container

Next, create a logic app to restart the container every 24 hours and pull the latest ZINC image.

  1. Log in to the Azure portal as an admin user, click Create a resource, search for Logic Apps, and click Add. Choose a hosting option and click Select.

  2. Fill in the required details including Subscription, Resource Group, Logic App name, Region and Enable log analytics. Click Review + create.

  3. Once deployed, click Go to resource. Expand the Development Tools option, click Logic app designer, and click Add a trigger.

  4. Search for Recurrence and click Trigger.

  5. Fill in the required details for the daily ACI restart time.

  6. Click Add an action below the recurrence trigger.

  7. Search for Container instance and select Start containers in a container group.

  8. Sign in and fill in the details of the container instance including Subscription Id, Resource Group, and Container Group Name.

  9. Click Save to save the trigger and action. Run history can be monitored, allowing you to check the logs.

Option 3: Execute PowerShell Script

This option allows you to use the PowerShell scripts supplied by Zilla to quickly set up the resources required to deploy PO Box to your environment.

Prerequisite

  • PowerShell must be installed on the machine from which you run the scripts. You can download it from the official Microsoft site.

Log In to Azure

  1. Log in to Azure using the command az login.

Select the Subscription

  1. Select the subscription in which you want to create resources.

Run createAppRegistration.ps1 (see attachment document linked at the bottom of this article)

  1. Before running the createAppRegistration.ps1 script, ensure the config_createAppRegistration.json (see attachment document linked at the bottom of this article) file is set up with the necessary values. This file should include any parameters required for the App Registration process.

{
  "resourceGroupName": "<Resource group name>",
  "storageAccountName": "zillapoboxstorage",
  "fileShareName": "zilla-pobox-volume",
  "appRegistrationName": "zillapobox-<Tenant name>",
  "location": "<Location>"
}

  2. Open PowerShell and navigate to the directory where the createAppRegistration.ps1 script is located.

  3. Execute the script by running the following command: .\createAppRegistration.ps1.

The script creates an App Registration in Azure and mounts the necessary storage.

  4. Once the createAppRegistration.ps1 script has completed, update the config_aci.json file (see attachment document linked at the bottom of this article) to include the App Registration ID and secret generated in the previous step.

The Support team also needs to authorize the application so that it can access Zilla’s Azure Container Registry. The App Registration ID is necessary for this.

  5. Refer to the readme.txt file under the azure folder shared by the Support team and execute the PowerShell script as instructed.

Run createACI.ps1 (see attachment document linked at the bottom of this article)

  1. Before running the createACI.ps1 script, ensure the config_createACI.json (see attachment document linked at the bottom of this article) file is set up with the necessary values.

{
  "tenantName": "<Tenant name>",
  "resourceGroupName": "<Resource group name>",
  "storageAccountName": "zillapoboxstorage",
  "fileShareName": "zilla-pobox-volume",
  "containerInstanceName": "zillapobox",
  "imageName": "<Registry name provided by CS team>/zinc",
  "registryLoginServer": "<Registry name provided by CS team>",
  "appRegistrationName": "zillapobox-<Tenant name>",
  "appId": "<App Id from above step>",
  "clientSecret": "<secret from above step>",
  "location": "<Location>",
  "subscriptionId": "<Subscription Id>"
}

  2. Open PowerShell, navigate to the directory where the createACI.ps1 script is located, and execute the script by running the following command: .\createACI.ps1.

An Azure App Registration and an Azure Container Instance have now been created.

  3. Check the Azure portal to confirm that the resources above were created.

Create a Logic App to Restart the Container

Next, create a logic app to restart the container every 24 hours and pull the latest ZINC image.

  1. Log in to the Azure portal as an admin user, click Create a resource, search for Logic Apps, and click Add. Choose a hosting option and click Select.

  2. Fill in the required details including Subscription, Resource Group, Logic App name, Region and Enable log analytics. Click Review + create.

  3. Once deployed, click Go to resource. Expand the Development Tools option, click Logic app designer, and click Add a trigger.

  4. Search for Recurrence and click Trigger.

  5. Fill in the required details for the daily ACI restart time.

  6. Click Add an action below the recurrence trigger.

  7. Search for Container instance and select Start containers in a container group.

  8. Sign in and fill in the details of the container instance including Subscription Id, Resource Group, and Container Group Name.

  9. Click Save to save the trigger and action. Run history can be monitored, allowing you to check the logs.

Attachments