Azure App Gateway (Advanced)

Deploy Keeper Automator to Azure Container Instances using the Azure App Gateway Service

Overview

This guide provides step-by-step instructions to publish Keeper Automator in a secure VNet with Azure Application Gateway. This method is more advanced than the Azure Container App configuration. If you don't require the use of Azure App Gateway or encrypted SAML requests, it would be best to use the Azure Container App method.

For this method, make sure you already have your SSL Certificate. If not, please follow the steps in the Custom SSL Certificate page.

Instructions

(1) Open the Azure Cloud Shell

Log in to portal.azure.com and click on the Cloud Shell icon.

(2) Create a resource group in your preferred region

If the resource group in Azure does not exist yet, create it. The example here uses the eastus region, but make sure to use your region.

az group create --name keeper_automator_rg --location eastus

(3) Create a Storage Account

If the storage account does not exist yet, create it, making sure to use the correct region (eastus) and the resource group created above. Note: the name you choose (to replace keeperautomatorstorage) needs to be globally unique in Azure.

az storage account create -n keeperautomatorstorage -g keeper_automator_rg -l eastus --sku Standard_LRS

(4) Create a File Share

If the file share does not exist yet, create it.

az storage share create --account-name keeperautomatorstorage --name keeperautomatorfileshare

List the current shares:

az storage share list --account-name keeperautomatorstorage

(5) Create a Virtual Network (VNet) and one Subnet for the container

az network vnet create --address-prefixes 10.100.0.0/16 --name keeper_automator_vnet --resource-group keeper_automator_rg --subnet-name keeper_automator_subnet --subnet-prefixes 10.100.2.0/24

(6) Update the Virtual Network with the Service Endpoints

az network vnet subnet update -g keeper_automator_rg -n keeper_automator_subnet --vnet-name keeper_automator_vnet --service-endpoints Microsoft.Storage --delegations Microsoft.ContainerInstance/containerGroups

(7) Retrieve Storage Key

To find a storage key for the account, use the command below. Replace the storage account name with the one you chose in Step 3.

az storage account keys list --resource-group keeper_automator_rg --account-name keeperautomatorstorage

Copy the key1 value, which will look like this:

"value": "zuVgm9xnQNnxCQzY=5n4Ec6kxhDn2xMZSfpwZnTeqsyGaHd5Abn584mpAP3xamg3rGns4=Fd7FeFsaR6AgtnqW=="

(8) Retrieve Subnet ID

Run the below command to find the Subnet ID:

az network vnet subnet list --resource-group keeper_automator_rg --vnet-name keeper_automator_vnet | grep "id"

Copy the full subnet ID path that ends with keeper_automator_subnet (the container subnet created in Step 5). It will look like this:

"id": "/subscriptions/abc123-abc123-abc-123/resourceGroups/keeper_automator_rg/providers/Microsoft.Network/virtualNetworks/keeper_automator_vnet/subnets/keeper_automator_subnet"

(9) Create YAML Container File

In your local filesystem, create a folder such as automator.

In that folder, use your favorite editor to create a file called automator.yml with the contents below.

automator.yml
apiVersion: '2021-07-01'
location: eastus
name: keeperautomatorcontainer
properties:
  containers:
  - name: keeperautomatorcontainer
    properties:
      image: keeper/automator:latest
      ports:
      - port: 443
        protocol: TCP
      resources:
        requests:
          cpu: 1.0
          memoryInGB: 1.5
      volumeMounts:
        - name: automatorvolume
          mountPath: /usr/mybin/config
  osType: Linux
  restartPolicy: Always
  sku: Standard
  volumes:
  - name: automatorvolume
    azureFile:
      shareName: keeperautomatorfileshare
      readOnly: false
      storageAccountName: keeperautomatorstorage   # the storage account name from Step 3
      storageAccountKey:                           # the key1 value from Step 7
  subnetids:
    - id: /subscriptions//path/to/subnets/keeper_automator_subnet
      name: keeper_automator_subnet
tags: null
type: Microsoft.ContainerInstance/containerGroups

Note that several values need to be changed to match your configuration from the prior steps:

  • subnet ID needs to match the full path of the ID retrieved from step 8

  • storageAccountName needs to match the value from Step 3

  • storageAccountKey needs to match the value from Step 7

(10) Upload the SSL Certificate and SSL Password Files

From the Azure portal, navigate to the Resource Group > Storage Account > File Share and open the Automator file share created earlier. From here, upload the automator.yml file, the SSL certificate file and the SSL certificate password file.

Make sure your files are named automator.yml, ssl-certificate.pfx and ssl-certificate-password.txt.

(11) Copy the 3 files to your local CLI workspace

az storage copy -s https://keeperautomatorstorage.file.core.windows.net/keeperautomatorfileshare/automator.yml -d .

az storage copy -s https://keeperautomatorstorage.file.core.windows.net/keeperautomatorfileshare/ssl-certificate.pfx -d .

az storage copy -s https://keeperautomatorstorage.file.core.windows.net/keeperautomatorfileshare/ssl-certificate-password.txt -d .

(12) Create the Container Instance

Create the container using the configuration in automator.yml.

az container create -g keeper_automator_rg -f automator.yml

Obtain the internal (private) IP of the container from the response, or query it directly:

az container show --name keeperautomatorcontainer --resource-group keeper_automator_rg --query ipAddress.ip --output tsv

For later use, store this IP in a shell variable (the example below uses 10.100.2.4):

aciPrivateIp=10.100.2.4

(13) Create Application Gateway Subnet

az network vnet subnet create --name keeperautomator_appgw_subnet --resource-group keeper_automator_rg --vnet-name keeper_automator_vnet --address-prefix 10.100.1.0/24

(14) Create an Application Gateway

az network application-gateway create --name KeeperAutomatorAppGateway --location eastus --resource-group keeper_automator_rg --sku Standard_v2 --public-ip-address AGPublicIPAddress --cert-file ssl-certificate.pfx --cert-password XXXXXX --vnet-name keeper_automator_vnet --subnet keeperautomator_appgw_subnet --frontend-port 443 --http-settings-port 443 --http-settings-protocol Https --servers 10.100.2.4 --priority 100

Ensure that XXXXXX is replaced with the SSL certificate password, and that the --servers value is the container's private IP from Step 12.

(15) Locate the Public IP

In the Azure portal interface, navigate to the Resource Group > App Gateway and make note of the public IP address.

(16) Route DNS

Ensure that the DNS for your Automator service (e.g. automator.company.com) points to the public IP address of the Application Gateway noted in Step 15.

The DNS name must match the SSL certificate subject name or else requests will fail.

(17) Create a Health Probe

A health probe will inform the App Gateway that the Automator service is running. From the Azure portal interface, open the Automator App Gateway and then click on "Health probes" from the left menu.

Now create a new Health Probe with the settings as seen in the below screenshot. Make sure to replace the Host with the FQDN set up in Step 16.

Click on "Test" and then add the probe. The test succeeds if the host name is correctly routed to the container IP.

(18) Configure the Web Application Firewall

From the Azure portal interface, open the Automator App Gateway and then click on "Web application firewall" on the left side. Enable the WAF V2 and configure the screen exactly as seen below.

Click on the "Rules" tab, set the Rule set to "OWASP 3.2", then click "Enabled" and "Save". This is a critical step.

🎉 Your installation in Azure is complete.

The final step is to configure Automator using Keeper Commander.

(19) Install Keeper Commander

At this point, the service is running but it is not able to communicate with Keeper yet.

On your workstation, server or any computer, install the Keeper Commander CLI. This is only used for the initial setup. The installation instructions, including binary installers, are here: Installing Keeper Commander.

After Commander is opened, log in using the login command. In order to set up Automator, you must log in as a Keeper Administrator, or as an Admin with the ability to manage the SSO node.

My Vault> login admin@company.com

(20) Initialize with Commander

Log in to Keeper Commander and activate the Automator using a series of commands, starting with automator create:

automator create --name="My Automator" --node="Azure Cloud"

The Node Name (in this case "Azure Cloud") comes from the Admin Console UI as seen below.

The output of the command will display the Automator settings, including metadata from the identity provider.

                    Automator ID: 1477468749950
                            Name: My Automator
                             URL: 
                         Enabled: No
                     Initialized: No
                          Skills: Device Approval

Note that the "URL" is not populated yet. Edit the URL with the FQDN you selected.

automator edit --url=https://automator.lurey.com --skill=team --skill=team_for_user --skill=device "My Automator"

Next, exchange keys: the enterprise private key, encrypted with the Automator public key, is provided to Automator:

automator setup "My Automator"

Initialize the Automator with the new configuration

automator init "My Automator"

Enable the service

automator enable "My Automator"

At this point, the configuration is complete.

For automated health checks, you can use the below URL:

https://<server>/health

Example curl command:

$ curl https://automator.lurey.com/health
OK

Note that this URL will not open in a web browser.

(21) For environments using AD FS ...

When activating Keeper Automator with AD FS as the identity provider, users will not be able to log in until you update the Keeper certificate using the instructions below:

  • Login to the Keeper Admin Console

  • Go to Admin > SSO Node > Provisioning and then view the SSO Cloud configuration.

  • Click on "Export SP Cert".

  • In the AD FS Management Console select the Keeper Cloud SSO Relying Party Trust properties.

  • On the "Encryption" tab, replace the old certificate with this new cert.

  • On the "Signature" tab, Add/Replace the new SP certificate with this new cert.

Setup Complete!

That's it, your Automator service should now be running.

Azure Portal

In the Azure Portal in the "Container Instances" system, you can see the container running. You can also connect to the container (using /bin/sh) and view running logs.

Updating the IP on Container Restart

With this configuration, restarting the container may assign it a new IP address from the /24 subnet. To quickly locate the new IP and update the Application Gateway backend pool with it, the script below can be run from the Azure CLI.

# change these 3 variables according to your setup
RESOURCE_GROUP="keeper_automator_rg"
GATEWAY_NAME="KeeperAutomatorAppGateway"
CONTAINER_NAME="keeperautomatorcontainer"

# backend pool name (the default pool created by "az network application-gateway create")
BACKEND_POOL_NAME="appGatewayBackendPool"

# look up the container's current private IP
CONTAINER_IP=$(az container show --resource-group "$RESOURCE_GROUP" --name "$CONTAINER_NAME" --query 'ipAddress.ip' --output tsv)

# point the gateway's backend pool at that IP
az network application-gateway address-pool update --resource-group "$RESOURCE_GROUP" --gateway-name "$GATEWAY_NAME" --name "$BACKEND_POOL_NAME" --servers "$CONTAINER_IP"
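A safer variant of the re-pointing script, added here as an example and not part of Keeper's documentation or product: it checks that the address az returns is really a usable host in the 10.100.2.0/24 container subnet before touching the backend pool, then polls the /health endpoint through the gateway until it answers OK. The FQDN automator.company.com and the pool name appGatewayBackendPool are assumptions; pass apply as the first argument to make changes.

```shell
#!/bin/sh
# Added example, not Keeper's own script: re-point the App Gateway backend pool at the
# container's current private IP only after sanity-checking it, then wait for /health.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-keeper_automator_rg}"
GATEWAY_NAME="${GATEWAY_NAME:-KeeperAutomatorAppGateway}"
CONTAINER_NAME="${CONTAINER_NAME:-keeperautomatorcontainer}"
BACKEND_POOL_NAME="${BACKEND_POOL_NAME:-appGatewayBackendPool}"   # assumed default pool
CONTAINER_SUBNET="10.100.2"                       # the /24 from Step 5, without host octet
AUTOMATOR_FQDN="${AUTOMATOR_FQDN:-automator.company.com}"   # assumed: DNS name from Step 16
HEALTH_RETRY_SECONDS="${HEALTH_RETRY_SECONDS:-5}"

# Succeeds only for a dotted quad inside the container subnet with a usable host octet.
# Azure reserves .0-.3 and .255 of every subnet, so 4..254 are the only addresses a
# container can receive. Rejects "", "None" (stopped container) and malformed input.
ip_in_container_subnet() {
    prefix="$CONTAINER_SUBNET."
    case "$1" in "$prefix"*) ;; *) return 1 ;; esac
    host="${1#$prefix}"
    case "$host" in ''|*[!0-9]*|0?*|????*) return 1 ;; esac
    [ "$host" -ge 4 ] && [ "$host" -le 254 ]
}

# Poll https://<fqdn>/health (the endpoint from the automated health check note) up to
# $2 times; succeeds only when the body is exactly "OK", as the page's curl output shows.
wait_for_health() {
    tries="${2:-12}"
    while [ "$tries" -gt 0 ]; do
        body=$(curl -fsS --max-time 10 "https://$1/health" 2>/dev/null || true)
        [ "$body" = "OK" ] && return 0
        tries=$((tries - 1)); sleep "$HEALTH_RETRY_SECONDS"
    done
    return 1
}

main() {
    ip=$(az container show --resource-group "$RESOURCE_GROUP" --name "$CONTAINER_NAME" \
         --query 'ipAddress.ip' --output tsv)
    if ! ip_in_container_subnet "$ip"; then
        echo "refusing to update backend pool: container IP is '$ip'" >&2; exit 1
    fi
    az network application-gateway address-pool update --resource-group "$RESOURCE_GROUP" \
        --gateway-name "$GATEWAY_NAME" --name "$BACKEND_POOL_NAME" --servers "$ip"
    wait_for_health "$AUTOMATOR_FQDN" || { echo "Automator not healthy at $AUTOMATOR_FQDN" >&2; exit 1; }
    echo "backend pool now points at $ip and /health returns OK"
}

# Only touch Azure when explicitly asked: ./update-backend.sh apply
if [ "${1:-}" = "apply" ]; then main; fi
```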

Testing the Automator Service

Now that Keeper Automator is deployed, you can test the end-user experience. No prompts for approval will be required after the user authenticates with the SSO identity provider.

The easiest way to test is to open an incognito or guest mode window, go to the Keeper Web Vault and log in with SSO Cloud. If you are not prompted for device approval, the Automator is functioning properly.
