Scanning in Microsoft Azure using Resource Manager (ARM)

Document created by George Akimov Employee on Jul 1, 2016Last modified by Qualys Documentation on Mar 16, 2018
Version 11Show Document
  • View in full screen mode

This document describes briefly how to deploy the Qualys Virtual Scanner Appliance using Microsoft Azure Resource Manager (ARM). This scanner, once deployed, will function as a standard Virtual Scanner and can scan based on IP address or CIDR block. Want to learn more about Microsoft Azure? Check out the Azure Support page.


We'll help you with these steps:

Create Resource Group

Create Storage Account

Create Virtual Network

Create Your Qualys Virtual Scanner

How do I know my scanner is ready to use?


On a Private Cloud Platform? See time saving tip for copying the image


About Managing Instances

Instance Snapshots/Cloning Not Allowed

Using a snapshot or clone of a virtual scanner instance to create a new instance is strictly prohibited. The new instance will not function as a scanner. All configuration settings and platform registration information will be lost. This could also lead to scans failing and errors for the original scanner.

Moving/Exporting Instance Not Allowed

Moving or exporting a registered scanner instance from a virtualization platform (HyperV, VMware, XenServer) in any file format to Microsoft Azure cloud platform is strictly prohibited. This will break scanner functionality and the scanner will permanently lose all of its settings.



Create Resource Group

We recommend you create one resource group per location for your Qualys virtual scanners. Give your resource group a name that will be easy to recognize and represents the group location. Once created, the name cannot be changed.




Create Storage Account

If you don't already have a storage account for your Qualys virtual scanners you'll need to create one at this time. 1) Give the storage account a name following Microsoft Azure guidelines. The name cannot be changed later. 2) Choose the deployment model "Resource manager". 3) Choose "Use existing" for the resource group, and select the group created in the previous step. Other recommended settings are shown in the image below.




Create Virtual Network

You may already have a virtual network set up for your Qualys virtual scanners. If not, create a new virtual network. 1) Give your network a name. We recommend including the location in the name so you know where the network is. 2) Choose "Use existing" for the resource group, and select the group created in the first step.




Create Your Qualys Virtual Scanner

Prior to deploying the Qualys Virtual Scanner in Azure, you must first create a virtual scanner in the Qualys Cloud Platform, assign it a distinct scanner name and record the exact personalization code.


Find and select Qualys Virtual Scanner Appliance in the Marketplace.




Review the requirements on the screen. When you're ready to proceed, click Create to set up your virtual scanner.




Make these settings: 1) Give the virtual scanner a name. This is the name that will appear in the Virtual machines list in Microsoft Azure. Tip - Use the scanner name assigned to the virtual scanner in Qualys for easy identification. 2) The User name is your personalization code, retrieved from the Qualys platform, with a 'u' prepended: “u2009XXXXXXXXXX”. 3) Choose "Use existing" for the resource group, and select the group created in the first step.



- Since Qualys Virtual Scanner is a locked-down Linux appliance, managed completely from the Qualys Cloud Platform, Azure username, password and SSH public key are not used for any kind of authentication but rather as a mechanism to pass configuration information from Azure Cloud to the appliance.

- Azure passwords should not contain these special characters:  : @ & < > - "  ' \

- Passwords that look like "proxy://[user:password@]IP[:port]" URLs could be used to configure Qualys Scanner to use SSL proxy for all outbound communication with the Qualys Cloud Platform.




Choose a size for your virtual scanner - up to 16 cores and no more than 16 GB. We recommend a ratio of 3-4 GB of memory per core. Other storage settings like number of data disks, max IOPS, load balancing, etc can be ignored and should not factor into your decision. For instance, the disk options will not have a significant impact on the performance of your scanner.




Be careful to choose the correct storage account and the network created in the previous steps for your Qualys virtual scanners. We do not use Azure extensions or availability sets.




Confirm your virtual scanner settings and hit OK.




Review the Offer details and hit Purchase. Your virtual scanner will appear on the Virtual machines list in Microsoft Azure.




The Qualys Virtual Scanner Appliance will appear on your Microsoft Azure Dashboard.




Your scanner will update and connect to the Qualys Cloud Platform.  This process may take some time, depending on location. Once connected, you'll be able to use your Azure scanner from the Qualys Cloud Platform as you would any virtual scanner appliance.


How do I know my scanner is ready to use?

Check your virtual scanner status in Qualys. Go to Scans > Appliances, and find your scanner in the list. Tip - It can take several minutes for the Qualys user interface to get updated after you add a new appliance. Please refresh your browser periodically to ensure that you are seeing the most up to date details.




ico_connected.jpgtells you your virtual scanner is ready. Now you can start internal scans! (Next to this, you’ll see the busy icon is greyed out until you launch a scan using this scanner).



Enable boot diagnostics to troubleshoot issues with your scanner. Diagnostics will include log output from the scanner. It's easy to do. Set Status to On, select the storage account created for your Qualys scanners, select the Boot diagnostics check box, and hit Save (appears above the settings).




Check out these sample diagnostics.




For Customers on Private Cloud Platforms

It could take hours to download the latest qVSA image from Qualys cloud storage account to your machine and then upload it to your Azure storage account using the Azure GUI. Save time by copying the image directly from Qualys cloud storage to your Azure account with Azure CLI tools.


Here are the steps: 1) Qualys Operations will provide you with a link to the qVSA image. 2) Set up Azure CLI tools and log in to your Azure subscription using the Azure CLI "azure login" command. 3) Copy the qVSA image from Qualys to your Azure subscription using this format:


azure storage blob copy start [sourceUri] [options] [destContainer]


[sourceUri] is the qVSA image link provided by Qualys Operations

[options] are:
-a, --account-name <accountName> the storage account name
-k, --account-key <accountKey> the storage account key

[destContainer] is the destination container in the "storage" specified with option "-a"


azure storage blob copy start "" -a "storagevirginia"  -k "AbcdEfgh9piNUT1ZtVg8qEGp7KTlrlht3syhO8FjCNcaoqWkAqlZ3Sp+YXrJ4rBAuJ6+QflCwfhzXsz0yNBr99==" images


Looking for more help?

Check out our Help Center

1 person found this helpful