Azure Deployment with CLI

This guide provides the necessary technical steps to install the Microsoft Azure CLI, configure your project environment, and deploy BlueRock-hardened instances on Microsoft Azure.

Prerequisites

Microsoft Azure CLI tools (az), for installation refer to the official Microsoft Azure CLI installation guide.
BlueRock images: BlueRock provides pre-packaged images of BlueRock Ubuntu 2404 Linux Distribution - (Free or Full version), contact

Version

Kernel Version

Image Name

Description

Free

Ubuntu 24.04

6.12.63

bluerock-release-26-08-0-ubuntu2404-6.12.63-free

Loads default policy in observe mode and policy changes are not allowed.

Full

Ubuntu 24.04

6.12.63

bluerock-release-26-08-0-ubuntu2404-6.12.63

Provides full policy configuration control. Allow switching policy action from observe to enforce mode.

Procedure

To deploy the BlueRock-hardened instances on Microsoft Azure with CLI following is the procedure:

Instance Deployment

To deploy a BlueRock VM in a Customer (Target) Azure Account using the Golden Image hosted in the BlueRock Production Account, cross-tenant authentication must be established. A Service Principal authorized in both the source and target tenants is required to facilitate this deployment.

Execute the following Azure CLI script to authenticate the Service Principal across both tenants, generate the User Assigned Managed Identity, and provision the virtual machine. Modify the variables at the top of the script to match the target environment details:

# Define environment variables
$ tenant1="<Tenant-ID-of-BlueRock-Prod>"
$ tenant2="<Tenant-ID-of-Customer>"
$ appid="<BlueRock-Image-Share-AppID>"
$ secret="<BlueRock-Image-Share-App-Secret>"
$ image_id="<BlueRock-Ubuntu-Golden-Image-ID>"
$ rg_name="<Customer-Resource-Group-Name>"
$ uami_name="<Managed-Identity-Name>"
$ location="<Azure-Region-e.g.-eastus>"
$ ssh_pubkey_path="<path-to-ssh-pubkey>"

# Authenticate against the BlueRock Production tenant
$ az login --service-principal -u "${appid}" -p "${secret}" --tenant "${tenant1}"
$ az account get-access-token

# Authenticate against the Customer target tenant
$ az login --service-principal -u "${appid}" -p "${secret}" --tenant "${tenant2}"
$ az account get-access-token 

# Create Managed Identity
$ az identity create --resource-group "${rg_name}" --name "${uami_name}" --location "${location}"
$ uami_id=$(az identity show --resource-group "${rg_name}" --name "${uami_name}" --query id -o tsv)

# Provision the BlueRock VM in the target environment
$ az vm create \
  --resource-group "${rg_name}" \
  --name bluerock-ubuntu-vm \
  --image "${image_id}" \
  --admin-username ubuntu \
  --ssh-key-values @"${ssh_pubkey_path}" \
  --size Standard_D2s_v3 \
  --assign-identity "${uami_id}"

az vm create parameters table:

Parameter

Description

Value in Your Command

--resource-group

The logical container in Azure where the VM and its associated resources (disk, network, etc.) will be stored.

<resource-group-name>

--name

The unique name assigned to your virtual machine within the resource group.

bluerock-ubuntu-vm

--image

The Operating System image to install. In this case, you're using a variable ($image_id) which likely points to the BlueRock Node AMI.

$image_id

--admin-username

The name of the primary administrator account created on the VM.

ubuntu

--ssh-key-values

The path to your SSH public key for secure, passwordless authentication. The @ symbol tells the CLI to read the content of the file at that path.

@<path-to-ssh-pubkey>

--size

The hardware profile (SKU) of the VM. Standard_D2s_v3 provides a balanced 2 vCPUs and 8 GiB of memory.

Standard_D2s_v3

--location

The Azure region (datacenter) where the VM will be physically hosted.

eastus

--assign-identity

Associates a Managed Identity (such as a User-Assigned Managed Identity) with the virtual machine to allow secure, credential-free access to other Azure resources.

$uami_id

The required variable values are sourced from a combination of the BlueRock administrative team and the target Customer's Azure environment.

Below is a breakdown of where each specific value is retrieved:

Variable

Description & Source

tenant1

BlueRock Production Tenant ID: Provided directly by BlueRock support.

tenant2

Customer Tenant ID: Retrieved from the Customer's Azure environment. In the Azure Portal, navigate to Microsoft Entra ID > Overview. The value is listed as the Tenant ID.

appid

Service Principal App ID: Provided by BlueRock support. This is the Application (client) ID of the Service Principal explicitly authorized to access the shared Golden Image.

secret

Service Principal Secret: Provided securely by BlueRock support. This acts as the authentication password for the Service Principal.

image_id

Golden Image Resource ID: Provided by BlueRock support. This is the full Azure Resource Manager (ARM) path to the specific BlueRock Ubuntu image (e.g., /subscriptions/.../resourceGroups/.../providers/Microsoft.Compute/images/...).

rg_name

Customer Resource Group Name: The existing resource group in the Customer's Azure environment where the VM and Managed Identity will be provisioned.

uami_name

Managed Identity Name: The desired name for the User Assigned Managed Identity (UAMI) created during the deployment.

location

Azure Region: The specific Azure data center location where the resources will be deployed (e.g., eastus, westeurope).

ssh_pubkey_path

SSH Public Key Path: The local file path to the SSH public key used for authenticating into the deployed VM (e.g., ~/.ssh/id_ed25519.pub).

To validate the instance status:

$ az vm show --resource-group <your-resource-group> --name <instance-name> --show-details --query "powerState" --output tsv

To connect with instance using SSH:

$ ssh -i <path-to-priv-key> ubuntu@<ssh-ip-address>

Note: SSH may give some warnings and prompts to generate an SSH key for the first time. While generating an SSH key leave the passphrase as empty by pressing Enter. It will automatically create the key and add the key permanently to the host.

Create a Storage Container

Ensure to create an Azure Storage Container to save the Configuration file and Policy files as the BlueRock Instance picks these files from a separate container using config.source file that contains this Blob's URL/URI.

Create Storage Account:

$ az storage account create \
  --name <storageaccountname> \
  --resource-group <your-resource-group> \
  --location eastus \
  --sku Standard_LRS

Create Storage Container:

$ az storage container create \
  --name <your-container-name> \
  --account-name <storageaccountname> \
  --auth-mode login

Identify the Managed Identity

Authentication for a BlueRock instance without managed keys requires a Managed Identity, either System-assigned or User-defined. The following command retrieves the Principal ID (Object ID) of the managed identity used while creating the VM instance.

Get the Object ID (Principal ID):

$ az identity show \
  --resource-group "my_resource_group" \
  --name "managed_identity_name" \
  --query principalId -o tsv

Authorize the BlueRock Instance (RBAC)

Granting the Storage Blob Data Contributor role to the identified Object ID ensures the instance possesses authority to download policy and configuration artifacts during the startup verification process. UC performs policy signature verification during startup before loading the configuration.

Create the Role Assignment:

$ az role assignment create \
  --assignee-object-id "object_id_from_previous_step" \
  --assignee-principal-type ServicePrincipal \
  --role "Storage Blob Data Contributor" \
  --scope "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account>"

BlueRock Instance Configuration

BlueRock instances require a configuration file (config.toml or config.yaml) to define telemetry and policy settings. Create config.toml or config.yaml either one of them.

config.yaml

event_format: "OTEL"
event_url: "http://<your-internal-ip>:4318"
ucpcm:

config.toml

event_format = "OTEL"
event_url = "http://<your-internal-ip>:4318"
[ucpcm]

config.yaml

event_format: "OTEL"
event_url: "http://<your-internal-ip>:4318"
ucpcm:
  policy_url: "az://<storageaccountname>/<container-name>/"
  policy: "policy.json"
  policy_sig: "policy.json.sig"
  public_key: "az://<storageaccountname>/<container-name>/<public-key>.pem"
  transport:
    transport_type: "azure" # Indicates Azure Blob Storage
    region: "eastus"

config.toml

event_yformat = "OTEL"
event_url = "http://<your-internal-ip>:4318"

[ucpcm]
policy_url = "az://<storageaccountname>/<container-name>/"
policy = "policy.json"
policy_sig = "policy.json.sig"
public_key = "az://<storageaccountname>/<container-name>/<public-key>.pem"

[ucpcm.transport]
transport_type = "azure" # Indicates Azure Blob Storage
region = "eastus"

Parameter

Type

Description

hostid

String

A unique identifier for this specific machine or agent (e.g., bluerock). This flag is optional.

event_format

String

The data schema used for logging/events. OTEL stands for OpenTelemetry.

event_url

URL

The endpoint where the agent sends its telemetry data (usually an OTEL Collector).

ucpcm.policy_url

Blob URI

The Azure Blob Storage path where the master policy file is stored.

ucpcm.policy

File Name

The specific JSON file name that contains the configuration rules.

ucpcm.policy_sig

File Name

The digital signature file used to verify that the policy.json hasn't been tampered with.

ucpcm.public_key

Blob URI

The location of the public key used to validate the policy_sig.

ucpcm.transport_type

String

The protocol used to fetch files. azure indicates Azure Blob Storage.

ucpcm.auth_method

String

Authentication type. default uses the VM's attached Managed Identity.

ucpcm.region

String

The Azure region where the storage resources are located.

Note:

BlueRock Secure MCP Server enforces runtime security controls through configurable MCP Protection Policies. Refer to Policy Configuration guide to learn more about these policies.

Upload Configuration Files

Important:

To securely copy and upload configuration files, the VM's Managed Identity must have the Storage Blob Data Contributor role assigned. If the active Azure account lacks the administrative privileges required to assign IAM roles, please request an Azure Cloud Administrator to grant this access to the instance.

Upload or copy files to the Azure VM:

To enable az copy:

Retrieve Client ID for Authentication: Query the Azure Instance Metadata Service (IMDS) from inside the VM to fetch the Managed Identity's token and Client ID:

$ curl 'http://169.254.169.254/metadata/identity/oauth2/token?resource=https://management.core.windows.net&api-version=2018-02-01' -H "Metadata: true" | jq .

Expected output:

 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2286  100  2286    0     0   5720      0 --:--:-- --:--:-- --:--:--  5715
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IlUxc1g4WUZIUzdaNlZsN1ZITEl6VGVqYnZqMCIsImtpZCI6IlUxc1g4WUZIUzdaNlZsN1ZITEl6VGVqYnZqMCJ9.eyJhdWQiOiJodHRwczovL21hbmFnZW1lbnQuY29yZS53aW5kb3dzLm5ldCIsImlzcyI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0L2ZhMTVlMGRlLTU2MTItNDM1Ni04N2MzLWE4ZDE2NTZiODM5My8iLCJpYXQiOjE3NzcyOTUwMjUsIm5iZiI6MTc3NzI5NTAyNSwiZXhwIjoxNzc3MzgxNzI1LCJhaW8iOiJBV1FBbS84YkFBQUFLdjRoOTFaYnYybWgycmltVm9yWURDZkxPL0thQWtRRXhjazM1RHgvZGJETDVVMFN6ZUNRa2JlOE1OaEJCQkY5eXp3RnFjL3Z1OTN4a29WSE1mV3poeU5KTnR5Q3hmbDMwQ0dZS0pnTW52SFhldC95U1RPWUpoS09mcHhXZ3BNUyIsImFwcGlkIjoiNDBlZTZkMTctMjI3Yi00ODQ5LWEwZWYtOGIxMzFjODQwOWViIiwiYXBwaWRhY3IiOiIyIiwiaWRwIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvZmExNWUwZGUtNTYxMi00MzU2LTg3YzMtYThkMTY1NmI4MzkzLyIsImlkdHlwIjoiYXBwIiwib2lkIjoiNzJhZTU1NWEtYzFlMi00OTM3LTgyNDYtMDVhMmE2YzhhNmZmIiwicmgiOiIxLkFXOEEzdUFWLWhKV1ZrT0h3NmpSWld1RGswWklmM2tBdXRkUHVrUGF3ZmoyTUJNQUFBQnZBQS4iLCJzdWIiOiI3MmFlNTU1YS1jMWUyLTQ5MzctODI0Ni0wNWEyYTZjOGE2ZmYiLCJ0aWQiOiJmYTE1ZTBkZS01NjEyLTQzNTYtODdjMy1hOGQxNjU2YjgzOTMiLCJ1dGkiOiJlbFE0NWV5Y19VQy1mOE9ZV1J2WUFBIiwidmVyIjoiMS4wIiwid2lkcyI6WyIwOTk3YTFkMC0wZDFkLTRhY2ItYjQwOC1kNWNhNzMxMjFlOTAiXSwieG1zX2FjdF9mY3QiOiI5IDMiLCJ4bXNfZnRkIjoiQi0tblNPTXJHREIxNE5YY3lCczJmQ0pKdEl2cjFHalVrUDFVQ0w2enJNOEJkWE5sWVhOMExXUnpiWE0iLCJ4bXNfaWRyZWwiOiIyNiA3IiwieG1zX21pcmlkIjoiL3N1YnNjcmlwdGlvbnMvMzkyZjAxODctMTBhNi00YTAwLWE0N2MtMjY4NmM0MTcxZTNjL3Jlc291cmNlZ3JvdXBzL3FhLWJsdWVyb2NrL3Byb3ZpZGVycy9NaWNyb3NvZnQuQ29tcHV0ZS92aXJ0dWFsTWFjaGluZXMvcm0taW5zdGFuY2UtbmV3IiwieG1zX3JkIjoiMC5BVWtBdHY4S0JRZ0NFZ0Z2RWhRSUNSSVExWXRJWDExenFVU2FnY05QOUVraVV4SVVDQWdTRUVaSWYza0F1dGRQdWtQYXdmajJNQk1TRkFnTEVoQmptLV9BWGNRazM4RlZXWWpiSDRNciIsInhtc19zdWJfZmN0IjoiMyA5IiwieG1zX3RjZHQiOiIxNTk5NTkxNDgwIn0.lZYegQlxD-HLZ2yUHCJKOGrTgQABxWLff-jplWGX_PHVS742B5CTc2rssv2iZ3KYcELQlJ5CfIlNaALoKHiYZxrD6_7K81L1MA532R7ROHVD5oqx9tKmN46bT3sby9M9R4vfsAlLTeb615ArnfnhI327hj6d43gvl1_geCWUXiBD1RwcIl-trmnEiK6bnj4VGyp273eOJF_4tdLz7Bql4Gon-b7lgfCNeoCyHDgHDJkliebwNHJ_PKdfAKu_mWDXW_9dgDIc0zcQ-ihGb3cMJNOfrqHSOtAFb9Jce16MZEh0tY-atFNiByQ8f4DdYBFPFRKMhvhR-jrVEfwsYtaxFg",
  "client_id": "40ee6d17-227b-4849-a0ef-XXXXXXX",
  "expires_in": "86400",
  "expires_on": "1777381725",
  "ext_expires_in": "86399",
  "not_before": "1777295025",
  "resource": "https://management.core.windows.net",
  "token_type": "Bearer"
}

Example client_id :

"client_id": "40ee6d17-227b-4849-a0ef-XXXXXXX",

Login to Azure Storage Blob: Export the Managed Identity parameters as environment variables to authenticate the azcopy session (replace the <client-id> placeholder with the Client ID retrieved from the previous step):
```
$ export AZCOPY_AUTO_LOGIN_TYPE=MSI
$ export AZCOPY_MSI_CLIENT_ID=<client-id>
```
For example:
```
$ export AZCOPY_AUTO_LOGIN_TYPE=MSI
$ export AZCOPY_MSI_CLIENT_ID=40ee6d17-227b-4849-a0ef-XXXXXXX
```

BlueRock Free Edition: Default Policy Configuration

The Free Edition utilizes default security policies. Configuration requires uploading the BlueRock configuration file to the specified Azure Storage container.

Upload BlueRock configuration file config.toml:

$ azcopy copy "config.toml" "https://<storageaccountname>.blob.core.windows.net/<container-name>/config.toml"

BlueRock Full Edition: Custom Policy Configuration

The Full Edition facilitates custom policy enforcement via the TREX tool. This workflow includes environment activation, template generation, cryptographic signing, and artifact upload.

Activate TREX Environment Activation of the pre-created Python virtual environment on the BlueRock node is required:
```
$ source /opt/bluerock/trex/py312/bin/activate
```
Generate Policy Template Generation of a policy model file provides a template with default values:
```
$ python trex/models/customerpolicymodel.py -d > bru_policy.json
```
Manual editing of the JSON file allows for the definition of specific rules, such as enabling or disabling MCP remediation.
Generate Signed Policy Blob The TREX tool processes the JSON file to generate a signed policy package in .tar format:
```
$ python trex.py bru_policy.json
```
Extract Policy Artifacts Extraction of the signed blob archive yields the specific files necessary for UC verification:
```
$ tar xvf bru_policy.tar
```

Upload BlueRock configuration Successful deployment requires uploading the configuration file, the extracted policy blob, and the public key to the cloud storage bucket:

# 1. Upload the BlueRock configuration file
$ azcopy copy "config.toml" "https://<storageaccountname>.blob.core.windows.net/<container-name>/config.toml"

# 2. Upload the extracted policy blob
$ azcopy copy "policy.json" "https://<storageaccountname>.blob.core.windows.net/<container-name>/policy.json"

# 3. Upload the public key for verification
$ azcopy copy "public_key.pem" "https://<storageaccountname>.blob.core.windows.net/<container-name>/public_key.pem"

Note:

Upload only the public key for the digital signature so that the signed policy blob (policy.json) can be verified by the system using that key.

Updating Configuration Source

To ensure BlueRock agent stays synchronized with the latest policies, link your local environment to the cloud-hosted configuration. This is done by updating the config.source file's parameter with the Azure Blob URI.

To save the Azure URI in the config.source file:

Locate your file: Ensure your config.toml or config.yaml is uploaded to your Azure Container.
Get the URI: The address must use the az:// prefix. Use either the short storage account name or the full FQDN (Fully Qualified Domain Name) format:
1. Short format:
  az://<storageaccountname>/<container-name>/config.toml
2. FQDN format:
  az://<storageaccountname>.blob.core.windows.net/<container-name>/config.toml
Navigate to config.source file at:
```
$ cd /opt/bluerock/etc
```

Save the config.source file with the URI from the Azure Blob Storage.

config.source

az://<storageaccountname>.blob.core.windows.net/<your-container-name>/config.toml

# Bluerock Configuration
#
# config.source tells where to fetch the configuration file.

OTEL Event Collection Setup

To forward OpenTelemetry (OTEL) events and agent telemetry, an Azure Log Analytics Workspace and an Application Insights component must be created and linked.

Create Azure Monitoring Resources Use the Azure CLI to provision the workspace, create the Application Insights component, and retrieve the required connection string:

# Create the Log Analytics Workspace with a 30-day retention policy
$ az monitor log-analytics workspace create \
  --resource-group <rg-name> \
  --workspace-name <workspace-name> \
  --retention-time 30

# Create the workspace-based Application Insights component
$ az monitor app-insights component create \
  --app <app-name> \
  --location <region-name> \
  --resource-group <rg-name> \
  --workspace <workspace-resource-id>

# Retrieve the connection string required for the OTEL collector
$ az monitor app-insights component show \
  --app <app-name> \
  --resource-group <rg-name> \
  --query connectionString -o tsv

Configure the OTEL Collector Connect to the BlueRock VM and update the OTEL configuration file otel-config.yaml to include the retrieved connection string.
Edit the Configuration File Navigate to the OTEL directory and edit the otel-config.yaml file:
```
$ cd /opt/bluerock/otel
$ sudo nano otel-config.yaml
```
Update the azuremonitor exporter section with your specific connection string:
otel-config.yaml
```
exporters:
  azuremonitor:
    connection_string: "<insert-connection-string-here>"
```
Restart and Verify the Collector Restart the OTEL Collector container to apply the updated configuration, and then verify that the container is actively running:
```
$ sudo docker restart otel-collector
$ sudo docker ps
```
Check the Startup Logs Inspect the OTEL Collector container logs to ensure it started up cleanly without any configuration errors:
```
$ sudo docker logs otel-collector
```

Service Startup & Policy Verification

Once the configuration files are securely stored in Azure Blob Storage and telemetry routing is established, the core BlueRock agent services can be started.

Enable and Start the Service: Enable the BlueRock control plane to start automatically on boot, then initiate the service:

$ sudo systemctl enable uc-docker.service
$ sudo systemctl start uc-docker.service
$ sudo systemctl status uc-docker.service

Verify Startup and Download Logs: Inspect the logs to confirm the agent successfully authenticated with the Managed Identity, downloaded the policy files from Azure Blob Storage, and validated the digital signature:

# Check the primary service startup logs
$ /opt/bluerock/bin/uc-docker.sh logs

# Enter the Docker container to check the detailed policy download logs
$ docker exec -it uc bash
$ cd /var/log/uc
$ cat bluerockd_rCURRENT.log

View Logs in Azure

Events generated by the BlueRock instance are forwarded to the Azure Log Analytics Workspace and can be queried using Kusto Query Language (KQL).

Navigate to Azure Log Analytics Workspace > select an instance name > Logs. In the logs workspace change the Simple mode to KQL mode run the required query to view application traces.

Following is a sample KQL query:

// Retrieve the 50 most recent application traces from the last 10 minutes
AppTraces
| where TimeGenerated > ago(10m)
| project TimeGenerated, Message, SeverityLevel, Properties
| order by TimeGenerated desc
| take 50

Configuring Remote Project Workspace in Claude Desktop IDE

To allow AI-assisted development while maintaining BlueRock's telemetry tracking, a dedicated user session must be established for the Claude Desktop IDE.

Create the User Account and Configure SSH: Connect to the BlueRock Azure VM and execute the following commands in order to create a dedicated user and configure key-based SSH authentication:
1. Create the dedicated account First, create the new user account intended for the Claude Desktop IDE:
  $ sudo adduser claude_code_user
2. Switch to the new user profile Change your current session to operate as the newly created user:
  $ sudo su - claude_code_user
3. Generate an SSH keypair Run the ssh-keygen command. This will automatically create the .ssh directory with the correct permissions.
  $ ssh-keygen -t ed25519 -C "[email protected]"
  Note:
  When prompted, press Enter to accept the default file location, and press Enter again to leave the passphrase empty
4. Authorize the public key Finally, append the designated public key to the authorized_keys file to grant inbound access, and lock down the file's permissions:
  $ echo "<insert-public-key-here>" >> ~/.ssh/authorized_keys $ chmod 600 ~/.ssh/authorized_keys
Configure the Claude Desktop IDE: In the Claude Desktop IDE interface, click the environment selector menu (typically labeled Local in the bottom corner) and select + Add SSH host... from the dropdown list. In the Add SSH connection dialog box, populate the fields with the following parameters:
1. SSH Connection Name: <custom-name>
2. SSH Host: claude_code_user@<azure_vm_ip>
3. SSH Port: 22 (default)
4. Identity file: <path-to-private-key>
Initialize the Remote Workspace:
1. Upon successful SSH connection to the remote VM, select the project folder. Either the default home directory (/home/claude_code_user) or a newly created subfolder (e.g., project) can be used.
2. The Claude code session initializes in the background on the remote VM. Code generation occurs directly within the remote workspace based on instructions provided in the IDE chat interface.
Telemetry and Event Tracking: The BlueRock agent actively monitors this remote workspace and generates OpenTelemetry (OTEL) events for all Claude code actions, including file operations and forked/executed processes. These events are automatically forwarded to the configured Azure Log Analytics workspace for security monitoring.

Note:

When prompted, press Enter to accept the default file location, and press Enter again to leave the passphrase empty

PreviousAzure Deployments NextAzure Deployment with Terraform

Last updated 1 month ago