Enigma Azure Cloud Install

Azure Network Monitoring Setup for Enigma

This guide provides detailed instructions for setting up Enigma’s traffic analysis solution in your Microsoft Azure environment. We present three implementation options to accommodate different security requirements, budgets, and monitoring needs.

Diagram of the basic Azure environment to test Network traffic Tap in

Overview

Enigma’s traffic analysis solution for Azure can be implemented using one of the following approaches:

  1. Virtual Network TAP (vTAP): Full packet capture with complete visibility
  2. Packet Watcher: Targeted packet capture for specific workloads
  3. NSG Flow Logs: Metadata-only monitoring with lower costs

Each approach offers different levels of visibility, cost implications, and deployment complexity. This guide will help you choose and implement the best option for your organization.

Prerequisites

  • Azure subscription with administrative permissions
  • Existing Virtual Network with running VMs
  • Network Security Groups (NSGs) associated with the VMs you want to monitor
  • Basic familiarity with Azure Portal and Azure CLI

Option 1: Virtual Network TAP (vTAP)

This approach provides comprehensive packet capture capabilities with the highest level of visibility.

vTAP Deployment Scenarios

The vTAP option offers three deployment scenarios based on your Azure subscription structure:

1.A Single Subscription Deployment

In this scenario, both the workload VMs and Enigma collector VM are deployed in the same Azure subscription.

1.B Separate Security Subscription

In this scenario, the workload VMs remain in their existing subscription while the Enigma collector VM is deployed in a separate, dedicated security subscription.

1.C Multi-Subscription Monitoring

In this scenario, a central Enigma deployment monitors workloads across multiple Azure subscriptions.

1A: Single Subscription Deployment

In this scenario, both the workload VMs and Enigma collector VM are deployed in the same Azure subscription, providing a streamlined setup with simplified management.

1A.1 Create Collector VM

  1. Navigate to Virtual Machines in the Azure Portal
  2. Click + Add > + Virtual machine
  3. Configure the VM:
    • Resource Group: Create new or use existing
    • Virtual machine name: enigma-collector-vm (or your preferred name)
    • Region: Same as your monitored VMs
    • Image: Ubuntu Server 20.04 LTS
    • Size: B2s (minimum recommendation)
    • Authentication: Password or SSH key
    • Inbound ports: Allow SSH (port 22)
  4. Click Next: Disks
    • Default disk configuration is sufficient
  5. Click Next: Networking
    • Virtual network: Select your existing VNet containing workload VMs
    • Subnet: Create or select a subnet for the collector
    • Public IP: Required for initial setup (can be removed later)
    • NIC network security group: Basic or Advanced as needed
  6. Complete the VM creation process

1A.2 Configure Azure Virtual Network TAP

  1. Navigate to Virtual Networks in the Azure Portal
  2. Select the virtual network containing your target VMs
  3. Click on Network TAP in the left sidebar
  4. Click + Add TAP Configuration
  5. Configure the TAP:
    • Name: enigma-vtap
    • Source: Select the target VM’s network interface
    • Destination: Select the collector VM’s network interface
    • Mirroring direction: Select Both to capture inbound and outbound traffic
  6. Click Create
  7. Repeat for each VM interface you wish to monitor

1A.3 Install the Enigma Agent

1B: Separate Security Subscription

In this scenario, the workload VMs remain in their existing subscription while the Enigma collector VM is deployed in a separate, dedicated security subscription. This provides enhanced isolation for security monitoring resources.

1B.1 Prepare Hub-and-Spoke Network Architecture

  1. In your security subscription, create a hub VNet:
    • Navigate to Virtual Networks
    • Click + Add
    • Configure:
      • Name: security-hub-vnet
      • Address space: 10.0.0.0/16 (or appropriate range)
      • Resource Group: Create new security-focused resource group
      • Location: Same region as workload VMs
  2. In your workload subscription, ensure your workload VNet is ready:
    • Note the address space to avoid overlaps
    • Ensure NSGs allow the necessary traffic flows

1B.2 Configure VNet Peering

  1. From the security subscription:
    • Navigate to the security-hub-vnet
    • Select Peerings from the left menu
    • Click + Add
    • Configure:
      • Name: hub-to-spoke-peering
      • Virtual network: Select the subscription containing workload VMs
      • Virtual network name: Select your workload VNet
      • Allow virtual network access: Enabled
      • Allow forwarded traffic: Enabled
      • Allow gateway transit: Enabled
  2. From the workload subscription:
    • Navigate to your workload VNet
    • Select Peerings from the left menu
    • Click + Add
    • Configure:
      • Name: spoke-to-hub-peering
      • Virtual network: Select your security subscription
      • Virtual network name: security-hub-vnet
      • Allow virtual network access: Enabled
      • Allow forwarded traffic: Enabled
      • Use remote gateways: Enabled

1B.3 Create Collector VM in Security Subscription

  1. In your security subscription, create the collector VM:
    • Navigate to Virtual Machines
    • Click + Add > + Virtual machine
    • Configure the VM:
      • Resource Group: Your security resource group
      • Virtual machine name: enigma-collector-vm
      • Region: Same as your hub VNet
      • Image: Ubuntu Server 20.04 LTS
      • Size: B2s (minimum recommendation)
      • Authentication: Password or SSH key
      • Inbound ports: Allow SSH (port 22)
    • Select security-hub-vnet for networking
    • Complete the VM creation process

1B.4 Configure Azure Virtual Network TAP

  1. In the workload subscription:
    • Navigate to Virtual Networks in the Azure Portal
    • Select the virtual network containing your target VMs
    • Click on Network TAP in the left sidebar
    • Click + Add TAP Configuration
    • Configure the TAP:
      • Name: enigma-vtap
      • Source: Select the target VM’s network interface
      • Destination: Select the collector VM’s network interface (cross-subscription)
      • Mirroring direction: Select Both to capture inbound and outbound traffic
    • Click Create
    • Repeat for each VM interface you wish to monitor

1B.5 Install the Enigma Agent

1C: Multi-Subscription Monitoring

In this scenario, a central Enigma deployment monitors workloads across multiple Azure subscriptions, providing centralized visibility across your entire Azure environment.

1C.1 Create Central Hub VNet in Security Subscription

  1. In your security subscription, create a central hub VNet:
    • Navigate to Virtual Networks
    • Click + Add
    • Configure:
      • Name: enigma-central-hub
      • Address space: 10.0.0.0/16 (or appropriate range)
      • Resource Group: Create new or use existing security-focused resource group
      • Location: Central to your Azure regions

1C.2 Configure Azure Virtual WAN (Optional for Large Deployments)

For large-scale deployments with many subscriptions:

  1. Navigate to Virtual WANs in the Azure Portal
  2. Click + Add
  3. Configure:
    • Name: enigma-monitoring-wan
    • Resource Group: Your security resource group
    • Location: Same as your hub VNet
  4. Click Create
  5. Once created, add a hub:
    • Navigate to your Virtual WAN
    • Under Connectivity, select Hubs
    • Click + New Hub
    • Configure:
      • Region: Same as central hub VNet
      • Name: enigma-central-hub
      • Hub private address space: 10.1.0.0/24 (or appropriate range)
    • Click Next: Site to site > Next: Point to site > Next: ExpressRoute > Review + create > Create

1C.3 Establish Connectivity to Each Workload Subscription

For each workload subscription:

  1. Configure VNet peering from the central hub to each workload VNet:
    • From the security subscription:
      • Navigate to the enigma-central-hub VNet
      • Select Peerings from the left menu
      • Click + Add
      • Configure:
        • Name: hub-to-subscription-X (replace X with subscription identifier)
        • Virtual network: Select the target subscription
        • Virtual network name: Select workload VNet
        • Allow virtual network access: Enabled
        • Allow forwarded traffic: Enabled
        • Allow gateway transit: Enabled
    • From each workload subscription:
      • Navigate to the workload VNet
      • Select Peerings from the left menu
      • Click + Add
      • Configure:
        • Name: workload-to-central-hub
        • Virtual network: Select your security subscription
        • Virtual network name: enigma-central-hub
        • Allow virtual network access: Enabled
        • Allow forwarded traffic: Enabled
        • Use remote gateways: Enabled
  2. If using Virtual WAN, connect each VNet to the Virtual WAN:
    • Navigate to your Virtual WAN
    • Under Connectivity, select Virtual network connections
    • Click + Add connection
    • Select your subscription and VNet
    • Click Create
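The peering steps in 1B.2 and 1C.3 fail or silently misbehave for two common reasons: the hub and spoke address spaces overlap (Azure rejects the peering), or the two sides of a peering are configured asymmetrically (gateway transit on the hub without "Use remote gateways" on the spoke, or forwarded traffic disabled on one side). The following script is an added example, not Enigma's code, that checks both conditions offline before you click + Add. The VNet names come from 1B.1/1B.2; the subscription identifiers and address spaces are constructed placeholders, and nothing is read from Azure.

```python
"""Offline pre-flight check for the hub-and-spoke peerings in 1B.2 and 1C.3.
Added example, not Enigma's code. VNet and peering values below are constructed
to mirror the portal fields; nothing is read from Azure."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VNet:
    name: str
    subscription: str
    address_spaces: tuple[str, ...]   # CIDR prefixes as entered under "Address space"


@dataclass(frozen=True)
class Peering:
    name: str
    local: VNet
    remote: VNet
    allow_vnet_access: bool = True
    allow_forwarded_traffic: bool = True
    allow_gateway_transit: bool = False   # set on the hub side
    use_remote_gateways: bool = False     # set on the spoke side


def overlapping_prefixes(hub: VNet, spoke: VNet) -> list[tuple[str, str]]:
    """Every (hub_prefix, spoke_prefix) pair that overlaps; peering rejects such pairs."""
    return [(h, s)
            for h in hub.address_spaces
            for s in spoke.address_spaces
            if ipaddress.ip_network(h).overlaps(ipaddress.ip_network(s))]


def peering_problems(hub_side: Peering, spoke_side: Peering) -> list[str]:
    """Findings for one hub/spoke pair; an empty list means the two peerings agree."""
    problems: list[str] = []
    # Both peerings must describe the same link, seen from opposite ends.
    if (hub_side.local, hub_side.remote) != (spoke_side.remote, spoke_side.local):
        problems.append("peerings do not reference the same hub/spoke pair")
    for p in (hub_side, spoke_side):
        if not p.allow_vnet_access:
            problems.append(f"{p.name}: allow virtual network access is disabled")
        if not p.allow_forwarded_traffic:
            problems.append(f"{p.name}: allow forwarded traffic is disabled")
    if not hub_side.allow_gateway_transit:
        problems.append(f"{hub_side.name}: hub side should enable gateway transit")
    if not spoke_side.use_remote_gateways:
        problems.append(f"{spoke_side.name}: spoke side should use remote gateways")
    for h, s in overlapping_prefixes(hub_side.local, spoke_side.local):
        problems.append(f"address space overlap: hub {h} vs spoke {s}")
    return problems


# Constructed sample values (names from 1B.1/1B.2; subscriptions are placeholders).
HUB = VNet("security-hub-vnet", "<security-subscription>", ("10.0.0.0/16",))
SPOKE_OK = VNet("workload-vnet", "<workload-subscription-1>", ("10.1.0.0/16",))
SPOKE_OVERLAP = VNet("workload-vnet", "<workload-subscription-2>", ("10.0.5.0/24",))


def check_spoke(spoke: VNet, hub: VNet = HUB) -> list[str]:
    """Build the two peerings exactly as 1B.2 configures them and validate the pair."""
    hub_to_spoke = Peering("hub-to-spoke-peering", hub, spoke, allow_gateway_transit=True)
    spoke_to_hub = Peering("spoke-to-hub-peering", spoke, hub, use_remote_gateways=True)
    return peering_problems(hub_to_spoke, spoke_to_hub)


if __name__ == "__main__":
    # For 1C.3 run the same check once per workload VNet peered to the central hub.
    for spoke in (SPOKE_OK, SPOKE_OVERLAP):
        print(f"{spoke.subscription} {spoke.address_spaces}: "
              f"{check_spoke(spoke) or 'OK'}")
```

For the multi-subscription layout in 1C.3, run check_spoke once per workload VNet against enigma-central-hub; every spoke must be free of overlap with the hub, and each hub-to-subscription-X / workload-to-central-hub pair must agree on the gateway settings.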

1C.4 Create Collector VM in Central Hub

  1. In your security subscription, create the collector VM:
    • Navigate to Virtual Machines
    • Click + Add > + Virtual machine
    • Configure the VM:
      • Resource Group: Your security resource group
      • Virtual machine name: enigma-central-collector
      • Region: Same as your central hub VNet
      • Image: Ubuntu Server 20.04 LTS
      • Size: B4ms or higher (for multi-subscription monitoring)
      • Authentication: Password or SSH key
      • Inbound ports: Allow SSH (port 22)
    • Select enigma-central-hub for networking
    • Complete the VM creation process

1C.5 Configure Azure Virtual Network TAP for Each Workload

For each VM in each workload subscription:

  1. Navigate to Virtual Networks in the workload subscription
  2. Select the virtual network containing the target VMs
  3. Click on Network TAP in the left sidebar
  4. Click + Add TAP Configuration
  5. Configure the TAP:
    • Name: enigma-vtap-subscription-X-vm-Y (replace X and Y appropriately)
    • Source: Select the target VM’s network interface
    • Destination: Select the central collector VM’s network interface (cross-subscription)
    • Mirroring direction: Select Both to capture inbound and outbound traffic
  6. Click Create
  7. Repeat for each VM interface you wish to monitor

1C.6 Install the Enigma Agent

Option 3: NSG Flow Logs

This approach provides metadata-level visibility with the lowest cost.

3.1 Create Storage Account

  1. Navigate to Storage accounts in the Azure Portal
  2. Click + Add
  3. Configure the storage account:
    • Resource Group: Create new or use existing
    • Storage account name: Unique, lowercase name
    • Location: Same region as your NSGs
    • Performance: Standard
    • Redundancy: Locally-redundant storage (LRS)
  4. Click Review + create, then Create

3.2 Enable NSG Flow Logs

  1. Navigate to Network Security Groups in the Azure Portal
  2. Select the NSG associated with the VMs you want to monitor
  3. Click on Flow logs in the left sidebar
  4. Click + Create
  5. Configure flow logs:
    • Status: Enabled
    • Flow logs version: Version 2
    • Storage account: Select the storage account created earlier
    • Retention (days): 1
    • Traffic Analytics: Enabled
    • Processing interval: 10 minutes
  6. Click Save
  7. Repeat for all NSGs you want to monitor
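Once flow logs are enabled, the storage account fills with JSON blobs in which each record lists, per NSG rule, the flows that rule allowed or denied. Version 2 records carry a comma-separated tuple per flow (time, source IP, destination IP, source port, destination port, protocol T/U, direction I/O, decision A/D, flow state B/C/E, then packet and byte counters that are empty on a B tuple). The parser below is an added example, not Enigma's collector, and assumes that version 2 layout; it goes one step beyond the portal steps by turning a blob into the two summaries a defender checks first, denied inbound attempts per source and bytes moved per rule. SAMPLE_BLOB is constructed to resemble a real blob, with placeholder addresses, MAC and resource ID.

```python
"""Parse NSG flow log (version 2) blobs and summarise them. Added example, not
Enigma's code; SAMPLE_BLOB is constructed and its IPs, MAC, rule names and
resource ID are placeholders."""
import json
from collections import Counter
from dataclasses import dataclass

SAMPLE_BLOB = json.dumps({
    "records": [{
        "time": "2024-01-01T00:00:00.0000000Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": "/SUBSCRIPTIONS/<SUB-ID>/RESOURCEGROUPS/RG/PROVIDERS/"
                      "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WORKLOAD-NSG",
        "properties": {
            "Version": 2,
            "flows": [
                {"rule": "DefaultRule_DenyAllInBound",
                 "flows": [{"mac": "000D3A000000", "flowTuples": [
                     "1704067200,203.0.113.7,10.0.1.4,51515,22,T,I,D,B,,,,",
                     "1704067201,203.0.113.7,10.0.1.4,51516,3389,T,I,D,B,,,,",
                     "1704067202,203.0.113.9,10.0.1.4,40000,445,T,I,D,B,,,,",
                 ]}]},
                {"rule": "UserRule_allow-ssh",
                 "flows": [{"mac": "000D3A000000", "flowTuples": [
                     "1704067210,198.51.100.5,10.0.1.4,50001,22,T,I,A,B,,,,",
                     "1704067240,198.51.100.5,10.0.1.4,50001,22,T,I,A,E,30,4200,28,9800",
                 ]}]},
                {"rule": "DefaultRule_AllowInternetOutBound",
                 "flows": [{"mac": "000D3A000000", "flowTuples": [
                     "1704067250,10.0.1.4,203.0.113.50,44382,443,T,O,A,E,12,1800,14,25000",
                 ]}]},
            ],
        },
    }]
})


@dataclass(frozen=True)
class Flow:
    time: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str    # "T" (TCP) or "U" (UDP)
    direction: str   # "I" inbound, "O" outbound
    decision: str    # "A" allowed, "D" denied
    state: str       # "B" begin, "C" continuing, "E" end
    bytes_total: int
    rule: str
    nsg: str


def parse_flow_logs(blob_text: str) -> list[Flow]:
    """Flatten every version-2 flow tuple in a blob into Flow objects."""
    flows: list[Flow] = []
    for record in json.loads(blob_text)["records"]:
        props = record["properties"]
        if props.get("Version") != 2:
            raise ValueError(f"unsupported flow log version: {props.get('Version')}")
        nsg = record["resourceId"].rsplit("/", 1)[-1]
        for rule_entry in props["flows"]:
            for nic_entry in rule_entry["flows"]:
                for tup in nic_entry["flowTuples"]:
                    f = tup.split(",")
                    # Byte counters (fields 10 and 12) are empty on 'B' tuples.
                    bytes_total = sum(int(x) for x in (f[10], f[12]) if x)
                    flows.append(Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]),
                                      f[5], f[6], f[7], f[8], bytes_total,
                                      rule_entry["rule"], nsg))
    return flows


def denied_inbound_by_source(flows: list[Flow]) -> Counter:
    """Count denied inbound flow starts per source IP; noisy sources surface first."""
    return Counter(f.src_ip for f in flows
                   if f.direction == "I" and f.decision == "D" and f.state == "B")


def bytes_by_rule(flows: list[Flow]) -> dict[str, int]:
    """Sum transferred bytes per NSG rule, using only tuples that carry counters."""
    totals: dict[str, int] = {}
    for f in flows:
        if f.state in ("C", "E"):
            totals[f.rule] = totals.get(f.rule, 0) + f.bytes_total
    return totals


if __name__ == "__main__":
    parsed = parse_flow_logs(SAMPLE_BLOB)
    print(f"{len(parsed)} flow tuples parsed from {parsed[0].nsg}")
    print("denied inbound by source:", denied_inbound_by_source(parsed).most_common())
    print("bytes by rule:", bytes_by_rule(parsed))
```

Against a real deployment, feed parse_flow_logs the text of each blob downloaded from the storage account created in 3.1; an empty result for an NSG that should be busy is the quickest sign that the flow log is attached to the wrong NSG or that the NSG is not associated with the VM's network interface.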

3.3 Deploy Collector VM

  1. Navigate to Virtual Machines in the Azure Portal
  2. Click + Add > + Virtual machine
  3. Configure the VM:
    • Resource Group: Same as storage account
    • Virtual machine name: enigma-flow-collector
    • Region: Same as your monitored VMs
    • Image: Ubuntu Server 20.04 LTS
    • Size: B2s (minimum)
  4. Complete the VM creation with default options for remaining steps

3.4 Install Enigma Flow Collector

Based on the VM's OS, use one of the following docs to install the Enigma Agent on the VM:

Access the Enigma AI Dashboard

After installation is complete, you’ll need to set up access to the Enigma AI dashboard:

  1. Contact your Enigma account representative to provide email addresses for users who need dashboard access
  2. Users will receive account setup instructions via email
  3. Follow the instructions to set up multi-factor authentication (MFA)
  4. Log in to the Enigma AI dashboard at https://enigmaai.net/

Verification

After completing the installation, your Enigma solution will begin collecting and analyzing network traffic. Meaningful data typically appears in the dashboard about 1 hour later.

To verify proper operation:

  1. Log in to the Enigma AI dashboard
  2. Navigate to the Traffic Analysis section
  3. Confirm that data is being received from your environment

Troubleshooting

Virtual Network TAP Issues

  • Verify that the VM interfaces are correctly configured for TAP
  • Check that the collector VM’s network interface allows promiscuous mode
  • Ensure the collector VM has sufficient disk space for packet capture

Packet Watcher Issues

  • Verify that Network Watcher is enabled in your region
  • Check permissions on the storage account
  • Ensure the packet capture configuration is correctly targeting your VMs

NSG Flow Logs Issues

  • Verify that the NSG is associated with the network interfaces
  • Check that flow logs are correctly configured
  • Ensure the storage account has sufficient permissions

Comparing the Options

Feature                 Virtual Network TAP   Packet Watcher   NSG Flow Logs
Data Captured           Full packets          Full packets     Metadata only
Visibility              Complete              High             Medium
Cost                    Medium                High             Low
Deployment Complexity   Medium                High             Low
Resource Impact         Low                   Medium           Very Low
Storage Requirements    Medium                High             Low

Choose the option that best aligns with your visibility requirements, budget constraints, and operational capabilities.