Microsoft Azure¶
Deploy the Sophos Remote Testing Appliance (RTA) as a virtual machine in your own Microsoft Azure subscription. We publish the appliance as a managed VHD and share it with you through a time-limited, read-only SAS URL; you copy it into your subscription and build a VM from it.
How delivery works on Azure¶
You receive two things from your engagement lead:
| Item | What it is |
|---|---|
| VHD read SAS URL | A blob SAS for azcopy / the CLI. Time-limited — request a fresh one if it has expired. |
| Container read+list SAS URL | For Azure Storage Explorer / the portal flow. Same expiry. |
The published image is a fixed-size, MB-aligned, Gen2 / UEFI Linux VHD. It is
a generic image with no engagement identity baked in — cloud-init provisions
the admin user, SSH key, hostname, and networking on first boot, so you do not
supply any seed/cidata disk.
First boot: activation
Because the VHD is generic, the appliance comes up in activation mode: its console (the Azure boot diagnostics screenshot) shows an Appliance Registration screen with a one-time activation code. Give the code to your Sophos engagement lead to activate the appliance. Once activated, it provisions itself, brings up the outbound VPN tunnel, and the console switches to the live status dashboard. (Azure downscales the console screenshot, so the text can look blurry — that's cosmetic.)
Get these two things right¶
Gen2 only, one disk only
- Gen2 / UEFI — the disk and the VM must both be Gen2. The legacy
Add-AzVhdpath creates a Gen1 disk that boots to a black screen. Use the upload-to-managed-disk flow in the guides below. - One OS disk only — do not attach a
cidata/seed disk. The generic image configures its OS (user, SSH key, hostname, networking) on first boot via the Azure datasource, then shows the activation screen.
What you'll need¶
- An Azure subscription with permission to create disks, images, and VMs
- Azure CLI or
Azure PowerShell (
Az) azcopy- Your SSH public key
Requirements¶
| Resource | Minimum | Recommended |
|---|---|---|
| VM size | Gen2-capable, 2 vCPU / 4 GB | Standard_D2s_v3 (2 vCPU / 8 GB) or larger |
| Boot disk | 40 GB | 40 GB |
| Networking | Outbound internet; no public IP / no inbound rules | Existing VNet/subnet with VPN reach to targets |
Choose a deployment method¶
-
Point-and-click: copy the VHD with Storage Explorer, then create the disk, image, and VM in the portal.
-
azend-to-end. The fastest path — a server-side copy straight into a managed disk, no storage account of your own required. -
The same flow using the
Azmodule, for Windows-centric workflows.