Microsoft Azure — PowerShell (Az)¶
Deploy the RTA with the Azure PowerShell Az module. This mirrors the
Azure CLI flow — a server-side azcopy into a managed disk, then a
generalized Gen2 image and a VM — for Windows-centric workflows.
Before you start
Review the Microsoft Azure overview. You'll need the VHD read SAS URL
from your engagement lead, the Az module, azcopy, and your SSH public key.
Deploy directly to a managed disk¶

```powershell
$RG = "rg-rta"; $LOC = "eastus"
$VNet = "your-vnet"; $Subnet = "your-subnet"   # existing VNet/subnet for the appliance
$VNetRG = $RG                                   # resource group that holds that VNet; change it if the VNet is not in rg-rta
$SAS = "<SAS_URL>"                              # VHD read SAS URL from your engagement lead
New-AzResourceGroup -Name $RG -Location $LOC

# 1. Empty Gen2 upload disk. The size must equal the VHD's exact byte length:
#    42949673472 = 40 GiB of disk + the 512-byte VHD footer.
$diskConfig = New-AzDiskConfig -Location $LOC -OsType Linux -HyperVGeneration V2 `
    -CreateOption Upload -UploadSizeInBytes 42949673472 -SkuName Standard_LRS
New-AzDisk -ResourceGroupName $RG -DiskName rta-disk -Disk $diskConfig

# 2-4. Grant a write SAS on the disk, copy server-side, then revoke the SAS as soon as the copy returns
$grant = Grant-AzDiskAccess -ResourceGroupName $RG -DiskName rta-disk `
    -Access Write -DurationInSecond 86400
azcopy copy "$SAS" "$($grant.AccessSAS)" --blob-type PageBlob
Revoke-AzDiskAccess -ResourceGroupName $RG -DiskName rta-disk

# 5. Generalized Gen2 image from the disk
$disk = Get-AzDisk -ResourceGroupName $RG -DiskName rta-disk
$img = New-AzImageConfig -Location $LOC -HyperVGeneration V2
Set-AzImageOsDisk -Image $img -OsType Linux -OsState Generalized -ManagedDiskId $disk.Id
New-AzImage -ResourceGroupName $RG -ImageName rta-image -Image $img

# 6. VM with SSH public key only. The password is a never-used placeholder: password auth is disabled below.
$cred = New-Object System.Management.Automation.PSCredential( `
    "swag", (ConvertTo-SecureString "PlaceholderNotUsed!1" -AsPlainText -Force))
$vm = New-AzVMConfig -VMName rta-vm -VMSize Standard_D2s_v3
$vm = Set-AzVMOperatingSystem -VM $vm -Linux -ComputerName rta-vm `
    -Credential $cred -DisablePasswordAuthentication
$vm = Set-AzVMSourceImage -VM $vm -Id (Get-AzImage -ResourceGroupName $RG -ImageName rta-image).Id
$vm = Add-AzVMSshPublicKey -VM $vm `
    -KeyData (Get-Content ~/.ssh/your_key.pub -Raw) `
    -Path "/home/swag/.ssh/authorized_keys"
# Boot diagnostics (managed storage) must be on: the activation code is read from the boot screenshot
$vm = Set-AzVMBootDiagnostic -VM $vm -Enable

# Attach to your existing subnet: no public IP, no inbound rule
$subnetId = (Get-AzVirtualNetwork -ResourceGroupName $VNetRG -Name $VNet | `
    Get-AzVirtualNetworkSubnetConfig -Name $Subnet).Id
$nic = New-AzNetworkInterface -ResourceGroupName $RG -Name "rta-vm-nic" `
    -Location $LOC -SubnetId $subnetId
$vm = Add-AzVMNetworkInterface -VM $vm -Id $nic.Id
New-AzVM -ResourceGroupName $RG -Location $LOC -VM $vm
```
Gen2 / UEFI throughout — Secure Boot off — never Add-AzVhd
The disk (New-AzDiskConfig -HyperVGeneration V2) and the image (New-AzImageConfig -HyperVGeneration V2) must both be Gen2 / UEFI; a Gen1 disk, which is what Add-AzVhd gives you, boots to a black screen. Leave the VM's security type at its default: do not enable Trusted Launch or Secure Boot. The password in the credential object is only a placeholder that Set-AzVMOperatingSystem requires; password authentication is disabled and only the SSH key is usable.
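The -UploadSizeInBytes value in step 1 has to match the VHD exactly, or the server-side copy fails partway through. The following is an added example, not part of the original runbook: it reads the blob's length and its 512-byte VHD footer through the read SAS, refuses anything that is not a fixed VHD, and feeds the measured size into the same New-AzDiskConfig call. It assumes $SAS and $LOC from the deploy step, a fixed-size .vhd page blob behind the SAS, and PowerShell 7 (Range headers passed via -Headers are awkward in Windows PowerShell 5.1).

```powershell
# Added example, not part of the original runbook. Assumes $SAS (read SAS for a fixed .vhd
# page blob) and $LOC from the deploy step, and PowerShell 7.

function Read-BigEndian([byte[]]$Bytes, [int]$Offset, [int]$Count) {
    # VHD footer fields are big-endian; BitConverter is little-endian on x86, so assemble by hand.
    [uint64]$v = 0
    for ($i = 0; $i -lt $Count; $i++) { $v = ($v -shl 8) -bor [uint64]$Bytes[$Offset + $i] }
    return $v
}

function Get-VhdUploadSize {
    param([Parameter(Mandatory)][string]$SasUrl)

    # HEAD returns the blob length without downloading it.
    $head = Invoke-WebRequest -Uri $SasUrl -Method Head
    $len  = [int64]($head.Headers['Content-Length'] | Select-Object -First 1)
    if ($len -le 512) { throw "Blob is only $len bytes; not a VHD" }

    # A fixed VHD is raw disk bytes followed by a 512-byte footer; fetch just the footer.
    $tmp = [IO.Path]::GetTempFileName()
    try {
        Invoke-WebRequest -Uri $SasUrl -OutFile $tmp `
            -Headers @{ Range = "bytes=$($len - 512)-$($len - 1)" }
        $footer = [IO.File]::ReadAllBytes($tmp)
    } finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
    if ($footer.Length -ne 512) { throw "Expected a 512-byte footer, got $($footer.Length) bytes" }

    # Footer layout: cookie at 0 (8 bytes), CurrentSize at 48 (8 bytes), DiskType at 60 (4 bytes); 2 = fixed.
    $cookie   = [Text.Encoding]::ASCII.GetString($footer, 0, 8)
    $current  = Read-BigEndian $footer 48 8
    $diskType = Read-BigEndian $footer 60 4

    if ($cookie -ne 'conectix')  { throw "Not a VHD: footer cookie is '$cookie'" }
    if ($diskType -ne 2)         { throw "VHD type $diskType is not fixed (2); Azure needs a fixed VHD" }
    if ($current + 512 -ne $len) { throw "Footer CurrentSize ($current) + 512 != blob length ($len)" }
    if ($current % 1MB -ne 0)    { throw "Virtual size $current is not MiB-aligned" }
    return $len
}

$uploadSize = Get-VhdUploadSize -SasUrl $SAS
'{0} bytes: {1} GiB of disk plus the 512-byte footer' -f $uploadSize, (($uploadSize - 512) / 1GB)

# Same disk as step 1 of the runbook, sized from the blob instead of a hard-coded constant
$diskConfig = New-AzDiskConfig -Location $LOC -OsType Linux -HyperVGeneration V2 `
    -CreateOption Upload -UploadSizeInBytes $uploadSize -SkuName Standard_LRS
```

For the VHD this runbook ships, the function returns 42949673472 (40 GiB plus the footer), the same constant used in step 1; the point is that a new build of the appliance with a different disk size cannot silently break the copy.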
Verify¶
```powershell
(Get-AzVM -ResourceGroupName $RG -Name rta-vm -Status).Statuses
# SSH from inside your network to the VM's private IP
```

The VHD is generic, so on first boot the appliance comes up in activation mode and shows an Appliance Registration screen with a one-time activation code. Read it from the boot-diagnostics screenshot and give it to your Sophos engagement lead to activate the appliance. See the overview troubleshooting for the benign cloud-init warning.
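A fuller verification, added here as an example rather than taken from the original page: it waits for the VM to reach the running state, checks the properties the runbook relies on (Gen2 OS disk, password authentication off, an SSH key present, Secure Boot not enabled, no public IP on any NIC), prints the private IP to SSH to, and downloads the boot-diagnostics screenshot that carries the activation code. It assumes $RG from the deploy step, the VM name rta-vm, PowerShell 7 with Az.Compute and Az.Network loaded; the output folder name is my choice.

```powershell
# Added example, not from the original page. Assumes $RG from the deploy step, VM rta-vm,
# PowerShell 7, Az.Compute and Az.Network.

function Wait-RtaRunning {
    param([string]$ResourceGroup, [string]$Name, [int]$TimeoutSec = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $power = (Get-AzVM -ResourceGroupName $ResourceGroup -Name $Name -Status).Statuses |
            Where-Object Code -like 'PowerState/*' | Select-Object -First 1 -ExpandProperty Code
        if ($power -eq 'PowerState/running') { return }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    throw "$Name is '$power' after $TimeoutSec s; expected PowerState/running"
}

function Test-RtaDeployment {
    param([string]$ResourceGroup, [string]$Name)
    $vm   = Get-AzVM -ResourceGroupName $ResourceGroup -Name $Name
    $disk = Get-AzDisk -ResourceGroupName $ResourceGroup -DiskName $vm.StorageProfile.OsDisk.Name
    $nics = $vm.NetworkProfile.NetworkInterfaces | ForEach-Object { Get-AzNetworkInterface -ResourceId $_.Id }
    $lx   = $vm.OSProfile.LinuxConfiguration

    # Each check mirrors a requirement stated in the runbook; SecurityProfile is null for the default type.
    $checks = [ordered]@{
        'OS disk is Gen2 (UEFI)'  = $disk.HyperVGeneration -eq 'V2'
        'Password auth disabled'  = $lx.DisablePasswordAuthentication -eq $true
        'SSH public key present'  = @($lx.Ssh.PublicKeys).Count -ge 1
        'Secure Boot not enabled' = $vm.SecurityProfile.UefiSettings.SecureBootEnabled -ne $true
        'No public IP on any NIC' = -not ($nics.IpConfigurations | Where-Object { $_.PublicIpAddress })
    }
    foreach ($k in $checks.Keys) { '{0,-4} {1}' -f $(if ($checks[$k]) { 'OK' } else { 'FAIL' }), $k }
    $failed = @($checks.Values | Where-Object { -not $_ }).Count
    if ($failed) { throw "$failed check(s) failed; fix before handing over the activation code" }
    return $nics.IpConfigurations.PrivateIpAddress
}

Wait-RtaRunning -ResourceGroup $RG -Name 'rta-vm'
$privateIp = Test-RtaDeployment -ResourceGroup $RG -Name 'rta-vm'
"SSH from inside the VNet: ssh swag@$privateIp"

# Screenshot (.bmp) and serial log; the Appliance Registration screen with the one-time code is in the screenshot
$out = Join-Path $PWD 'rta-bootdiag'
New-Item -ItemType Directory -Path $out -Force | Out-Null
Get-AzVMBootDiagnosticsData -ResourceGroupName $RG -Name 'rta-vm' -Linux -LocalPath $out
Get-ChildItem $out
```

If the screenshot still shows the firmware or a black screen after the VM reports running, re-check the Gen2 requirement above before anything else; the serial log downloaded alongside it is the quickest way to see where boot stopped.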
Network access¶
The appliance makes one connection to do its job: an outbound tunnel to the Sophos headend. Nothing inbound is ever required — you never open or forward any ports to the appliance.
Allow this outbound destination

| Setting | Value |
|---|---|
| Destination | connect.remotetesting.secureworks.com |
| IP addresses | 3.33.194.251 and 15.197.255.2 (static; these do not change) |
| Port / protocol | TCP 443, carrying OpenVPN (not HTTPS) |
| Direction | Outbound only |
Allow egress on TCP/443 to that destination from the appliance's network. On a next-generation firewall or NAC-controlled network, an L3 "allow 443" rule is often not enough — Layer-7 application control, TLS/SSL decryption, or NAC can still drop the tunnel even when the port is open. See Connectivity Troubleshooting for the exact firewall and NAC exceptions to request.
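On the Azure side, the rule above can be enforced at the NIC with a network security group. The following is an added example, not part of the original page: it allows TCP/443 only to the two headend IPs, denies every other Internet-bound flow, adds no inbound allow rule (the default rules already deny unsolicited inbound traffic), and attaches the NSG to the NIC created in the deploy step. It assumes $RG and $LOC from above and the NIC name rta-vm-nic; the explicit DNS rule to the Azure-provided resolver is my addition so name resolution of the headend keeps working under the deny rule, and the rule and NSG names are my choice. An NSG is Layer 3/4 only: if the subnet routes through Azure Firewall or another appliance doing TLS inspection, that is where the OpenVPN tunnel gets dropped, and it needs its own exception.

```powershell
# Added example, not part of the original page. Assumes $RG, $LOC and the NIC rta-vm-nic
# from the deploy step. Rule names, priorities and the NSG name are my choice.
$headendIps = @('3.33.194.251', '15.197.255.2')

$allowTunnel = New-AzNetworkSecurityRuleConfig -Name 'allow-rta-headend-443' `
    -Description 'OpenVPN over TCP/443 to connect.remotetesting.secureworks.com' `
    -Direction Outbound -Access Allow -Priority 100 -Protocol Tcp `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix $headendIps -DestinationPortRange 443

# Assumption: the appliance resolves the headend name via the Azure-provided resolver (168.63.129.16).
# Allowing it explicitly keeps DNS working even with the deny rule below.
$allowDns = New-AzNetworkSecurityRuleConfig -Name 'allow-azure-dns' `
    -Direction Outbound -Access Allow -Priority 110 -Protocol '*' `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '168.63.129.16' -DestinationPortRange 53

# Everything else bound for the Internet is denied; VNet-internal traffic is untouched.
$denyInternet = New-AzNetworkSecurityRuleConfig -Name 'deny-other-internet' `
    -Direction Outbound -Access Deny -Priority 4000 -Protocol '*' `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix 'Internet' -DestinationPortRange '*'

# No inbound rules are added: the default DenyAllInBound already blocks unsolicited inbound traffic.
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $RG -Location $LOC -Name 'rta-vm-nsg' `
    -SecurityRules $allowTunnel, $allowDns, $denyInternet

$nic = Get-AzNetworkInterface -ResourceGroupName $RG -Name 'rta-vm-nic'
$nic.NetworkSecurityGroup = $nsg
$nic | Set-AzNetworkInterface | Out-Null

# Review the effective outbound rule set in priority order before handing the appliance over
Get-AzNetworkSecurityGroup -ResourceGroupName $RG -Name 'rta-vm-nsg' |
    Get-AzNetworkSecurityRuleConfig |
    Where-Object Direction -eq 'Outbound' | Sort-Object Priority |
    Format-Table Name, Priority, Access, Protocol, DestinationAddressPrefix, DestinationPortRange
```

With this in place the only Internet-bound flow the NIC can originate is TCP/443 to the two headend addresses, which is the one connection the appliance needs; if the tunnel still does not come up with the NSG showing the expected rules, look at whatever sits in the path after the NIC (firewall, NVA, NAC), as the Connectivity Troubleshooting page describes.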
Troubleshooting¶
Deployed but something isn't right?
See Microsoft Azure troubleshooting for the most common issues on this platform and how to fix them.