Clean Install of TOS Aurora on Azure

Overview

This procedure is for the clean installation of TOS Aurora on the Azure platform, including setting up the AzureVM . To add a node to an existing cluster, start with multi-node cluster.For all other installation and upgrade options, see Installing and Upgrading.

Tufin Orchestration Suite (TOS Aurora) includes SecureTrack, SecureChange and SecureApp. You will specify the applications you want to enable, when you run the install command.

Tufin Orchestration Suite should be treated as high-risk security resource, similar to how you would treat any LDAP product (for example, Active Directory). Therefore, you should only install Tufin Orchestration Suite in an appropriately secured network and physical location, and only authorized users should be granted access to TOS products and the operating system on the server.

After the installation you will have created a single data node TOS cluster to which you can add additional worker nodes. There is no need to install TOS on any additional nodes. Worker nodes require an operating system only.

High Availability (HA)

High availability is not supported in this release.

Remote Collectors (RCs)

Remote collectors can be deployed on Azure.

Prerequisites

  • You must allow access to required Ports and Services.
  • You must know the resources you will need - CPU cores, RAM, disk space and the load-model parameter for the tos install command, all of which can be obtained from your account team, based on the procedure Calculate resources - clean install.
  • To ensure optimal performance and reliability, the required resources need to be allocated exclusively to TOS. If resources become unavailable, this will affect TOS performance.
  • Do not install any software on your server before or after the deployment of TOS Aurora that is not specified in the current procedure.

  • There are some load limitations for deploying on cloud. Check with your account team that deployment on this platform is supported for your load model before going ahead.
  • Large deployments are not supported on Azure.

  • Select a storage type of SSD. Take into consideration that TOS requires 7,500 IOPS and the throughput expected will average 250MB/s with bursts of up to 700MB/s.

  • Allocate a 24-bit CIDR subnet for the Kubernetes service network and a16-bit CIDR subnet for the Kubernetes pods network (10.244.0.0/16 is used by default).

    The pods and services networks must be inside the following private networks: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. In addition, ensure that the dedicated CIDR for the service network and pods network don't overlap with:

    • Each other

    • The physical addresses of your TOS Aurora servers (see below)

    • Your external load balancer IP(s)

    • Any other subnets communicating with TOS or with TOS nodes

  • Once TOS Aurora has been installed, changing the host name or IP address will require reinstalling - see Changing IP Address/Host Names. If you want to change the host name of the node, do so before running the tos install command.

  • The system will use a reverse DNS lookup (PTR record) to resolve the DNS IP addresses with the domain name during the TOS installation. Therefore you have to add these PTR records to the DNS server. If you do not, the TOS installation will fail.
  • You need to configure a separate partition for /opt, a separate disk for etcd, and the OS disk needs at least 300 GB of available storage. The /opt partition will contain your data, which will increase over time. Most of your available disk space should be allocated to this partition and the minimum is determined by the load model parameter (small, medium, large) provided by your account team.

    Minimum sizes for all partitions:

    • OS disk: 300 GB

    • /opt/ (small): 80 GB

    • /opt/ (medium): 170 GB

    • /opt/ (Large): 370 GB

    • etcd: 128 GB

    *Small, medium and large refer to the load model parameter provided by your account team.

    We recommend allocating /opt partition all remaining disk space after you have partitioned the OS disk and moved etcd to a separate disk.

  • For PGA, if you are using NFS your backup server needs to be running NFS 4.

    From PHF1.0.0 and later, if you are running NFS 3 on your backup server it will not work because of a security vulnerability. If you want to ignore the security vulnerability to enable NFS 3, you need to run the following commands on all TOS servers that are using TufinOS 4.20 and later:

    systemctl unmask rpcbind.socket rpcbind.service
    systemctl unmask rpcbind.socket rpcbind.service
    systemctl start rpcbind.socket rpcbind.service
    systemctl start rpcbind.socket rpcbind.service
    systemctl enable rpcbind.socket rpcbind.service
    systemctl enable rpcbind.socket rpcbind.service

     

  • The TOS installation removes all TOS files, directories and backups left on the machine from old deployments. If you have any files you want to keep, move them to a safe external location before starting this procedure.

Downloads

  • Download the TOS R24-2 PHF1.1.0 installation package from the Download Center.

  • The downloaded files are in .tgz format <FILENAME>.tgz.

Procedure

Read and understand Prerequisites before you start.

Download and extract the installation package (see Downloads section above).

Follow the steps below in sequence.