Azure Deployment with Terraform

This guide describes how the BlueRock Secure MCP Server is deployed on Microsoft Azure using Terraform.

Terraform scripts are executed from a local machine or CI/CD environment with the Microsoft Azure CLI (az) initialized. The scripts utilize the Azure Resource Manager APIs to provision the necessary Compute, Networking, Storage, and Monitor resources.

Prerequisites

Microsoft Azure CLI tools (az), for installation refer to the official Microsoft Azure CLI installation guide.
Terraform: Version 1.0 or higher installed.
BlueRock images: BlueRock provides pre-packaged images of BlueRock Ubuntu 2404 Linux Distribution - (Free or Full version), contact BlueRock Support.

Version

Kernel Version

Image Name

Description

Free

Ubuntu 24.04

6.12.63

bluerock-release-26-08-2-ubuntu2404-6.12.63-free

Loads default policy in observe mode and policy changes are not allowed.

Full

Ubuntu 24.04

6.12.63

bluerock-release-26-08-2-ubuntu2404-6.12.63

Provides full policy configuration control. Allow switching policy action from observe to enforce mode.

Prerequisite Steps

Execute the following steps prior to initiating a Terraform deployment to provision the BlueRock "Golden Image" within the customer's Azure Compute Gallery.

Set Environment Variables: Update the variables below with target environment details and execute the block in the terminal. Refer to the provided table for parameter definitions:
```
CUSTOMER_SUBSCRIPTION_ID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
CUSTOMER_RG="rg-customer-sec"
CUSTOMER_GALLERY="gal_customer_bluerock"
IMAGE_DEF="bluerock-golden-linux"
IMAGE_VER="1.0.4"
LOCATION="eastus"
SOURCE_IMAGE_VERSION_RESOURCE_ID="/subscriptions/<source-sub>/resourceGroups/<source-rg>/providers/Microsoft.Compute/galleries/<source-gallery>/images/<source-image-def>/versions/<source-version>"
```
Text
Text
Parameter
Description
CUSTOMER_SUBSCRIPTION_ID
Azure subscription where the customer deploys Terraform resources.
CUSTOMER_RG
Customer resource group for Compute Gallery resources.
CUSTOMER_GALLERY
Customer Azure Compute Gallery name (customizable).
IMAGE_DEF
Image definition name inside the customer gallery (e.g., bluerock-golden-linux).
IMAGE_VER
Image version to publish/use (e.g., 1.0.4).
LOCATION
Azure region for gallery resources (e.g., eastus).
SOURCE_IMAGE_VERSION_RESOURCE_ID
Full Azure resource ID of the source image version to copy/publish from.

Run Provisioning Commands: Execute the following Azure CLI commands to configure the gallery and import the image version.

# Set target subscription
$ az account set --subscription "$CUSTOMER_SUBSCRIPTION_ID"

# Create Resource Group and Compute Gallery
$ az group create --name "$CUSTOMER_RG" --location "$LOCATION"
$ az sig create --resource-group "$CUSTOMER_RG" --gallery-name "$CUSTOMER_GALLERY" --location "$LOCATION"

# Create Image Definition
$ az sig image-definition create \
  --resource-group "$CUSTOMER_RG" --gallery-name "$CUSTOMER_GALLERY" \
  --gallery-image-definition "$IMAGE_DEF" --publisher "bluerock" \
  --offer "bluerock-golden-linux" --sku "stable" --os-type "Linux" \
  --hyper-v-generation "V2" --location "$LOCATION"

# Create Image Version from Source
$ az sig image-version create \
  --resource-group "$CUSTOMER_RG" --gallery-name "$CUSTOMER_GALLERY" \
  --gallery-image-definition "$IMAGE_DEF" --gallery-image-version "$IMAGE_VER" \
  --managed-image "$SOURCE_IMAGE_VERSION_RESOURCE_ID" --target-regions "$LOCATION" \
  --replica-count 1 --location "$LOCATION" \
  --query "{name:name,state:provisioningState}" -o table

Note:

The image-definition create step is skippable if the definition already exists.

Terraform Mapping: Upon successful image provisioning, set the boot_image variable in the terraform.tfvars file to the new gallery image version ID:

boot_image = "/subscriptions/<CUSTOMER_SUBSCRIPTION_ID>/resourceGroups/<CUSTOMER_RG>/providers/Microsoft.Compute/galleries/<CUSTOMER_GALLERY>/images/<IMAGE_DEF>/versions/<IMAGE_VER>"

BlueRock Azure Architecture Components

A typical Premium Public Deployment on Azure provisions the following resources:

Azure Resource / Service

Description

Virtual Network (VNet) & Subnet

Provides an isolated virtual network environment. Can be newly created or linked to an existing network.

Network Security Group (NSG)

Controls network traffic. Default rules allow inbound SSH access (Port 22) from a specified IP CIDR.

Linux Virtual Machine

Runs the BlueRock MCP Server using the specified hardened Ubuntu image.

User-Assigned Managed Identity

Grants the VM minimal role-based access control (RBAC) permissions to interact with Blob Storage and Azure Monitor.

Storage Account & Blob Container

Stores runtime configuration files and cryptographic certificates for the BlueRock node.

Log Analytics & App Insights

Optional external telemetry stack for collecting and monitoring system events, application logs, and OpenTelemetry (OTEL) data.

Deployment Package Overview

Directory Structure

The Azure Terraform scripts follow a structured hierarchy containing the necessary definition files:

azure/compute/terraform/ubuntu/PublicDeployment/
├── main.tf                  # Core Azure resource definitions
├── outputs.tf               # Exported deployment variables
├── terraform.tfvars         # Active variable values (created by user)
├── terraform.tfvars.example # Template for variable configuration
├── user_data.sh.tpl         # Bootstrap script for the VM runtime
├── variables.tf             # Variable declarations and validation rules
└── README.md                # Deployment documentation

`terraform.tfvars` Parameter Reference

The following parameters are defined in the variables.tf file. These values must be updated in the local terraform.tfvars file to match the target Azure project environment before executing the deployment scripts.

Parameter

Description

Required

Example / Default Value

subscription_id

The unique Azure subscription ID used for deployment.

Yes

11111111-2222-3333-4444-555555555555

location

Azure region where resources are provisioned.

Yes

eastus

prefix

A string prefix applied to naming deployed resources.

bluerock-premium

allow_ip

Ingress CIDR IP range permitted to access the network.

Yes

0.0.0.0/0

vnet_cidr

CIDR block defined for the Virtual Network.

Yes

10.20.0.0/16

subnet_cidr

CIDR block defined for the subnet.

Yes

10.20.1.0/24

existing_vnet_name

Optional: Name of a pre-existing Virtual Network to use instead of creating a new one.

vnet-shared-prod

existing_subnet_name

Optional: Name of a pre-existing subnet to use.

snet-shared-prod

existing_network_resource_group_name

Optional: Resource group name of the existing network.

rg-network-shared

vm_size

Hardware profile/size for the virtual machine.

Yes

Standard_D4s_v5

os_disk_type

Storage tier for the operating system disk.

Yes

Premium_LRS

admin_username

Primary administrator username for the instance.

Yes

ubuntu

existing_ssh_public_key_name

Name of an existing SSH public key resource.

Yes

my-ssh-key

existing_ssh_public_key_resource_group_name

Resource group containing the existing SSH key.

Yes

shared-keys-rg

boot_image

Required: Azure custom image resource ID.

Yes

/subscriptions/.../images/<image-name>

policy_storage_account_name

Globally unique storage account name for policy artifacts. Must be 3-24 lowercase letters/numbers.

Yes

bluerockpremiumpolicy01

existing_storage_account_name

Optional: Name of a pre-existing storage account for policy files.

stsharedpolicy01

existing_storage_container_name

Optional: Name of a pre-existing storage container for policy files.

policies

existing_storage_resource_group_name

Optional: Resource group of the existing storage account.

rg-storage-shared

sample_host_name

Hostname assigned to the runtime node.

Yes

bluerock-premium-node-01

enable_external_otel

Flag to enable external OpenTelemetry integration.

Yes

true

monitor_resource_group_name

Optional: Resource group name for monitoring integration.

rg-bluerock-sentinel

create_monitor_resource_group

Optional: Flag indicating whether to create a new monitor resource group.

false

log_analytics_workspace_name

Name of the Log Analytics Workspace.

Yes

law-bluerock

log_analytics_retention_days

Data retention period for Log Analytics in days.

Yes

90

app_insights_name

Name of the Application Insights component.

Yes

ai-bluerock

existing_log_analytics_workspace_name

Optional: Name of an existing Log Analytics Workspace to reuse.

law-shared

existing_app_insights_name

Optional: Name of an existing Application Insights component to reuse.

ai-shared

Note:

Ensure the specified vm_size (e.g., Standard_D2s_v3) is available in the target location and meets Azure quota limits. Since Azure enforces VM deployments based on regional vCPU counts, verify sufficient capacity using:

$ az vm list-usage --location eastus --query "[?contains(localName, 'vCPU')].{Name:localName, Current:currentValue, Limit:limit}" -o table

Configuration Steps

To prepare the environment for deployment, follow these steps to initialize the variables:

Navigate to the deployment directory:

$ cd azure/compute/terraform/ubuntu/PublicDeployment/

Copy the example variables file to create a live configuration file:
```
$ cp terraform.tfvars.example terraform.tfvars
```
Edit the terraform.tfvars file and populate the mandatory fields, including the subscription_id, boot_image, and networking variables.

Note:

If deploying into an existing network or storage account, ensure the respective existing_* variables (e.g., existing_vnet_name, existing_subnet_name, existing_storage_account_name) are explicitly defined. Otherwise, Terraform will provision entirely new network and storage resources .

Running the Deployment

Execute the standard Terraform workflow to provision the Azure infrastructure:

Initialize the working directory:
```
$ terraform init
```
Review the execution plan:
```
$ terraform plan
```
Apply the configuration:
```
$ terraform apply
```

Post-Deployment Validation

Check BlueRock Instance: Verify the VM status and retrieve the Public IP address using the Azure CLI:

$ az vm list -d --query "[?name=='<prefix>-node'].{Name:name, Status:powerState, PublicIP:publicIps}" -o table

For example:

$ az vm list -d --query "[?name=='bluerock-test-node'].{Name:name, Status:powerState, PublicIP:publicIps}" -o table

Expected output:

Name                Status      PublicIP
------------------  ----------  ----------
bluerock-test-node  VM running  <public-ip-address>

Verify Services: Establish an SSH connection to the instance and verify the BlueRock control plane status:

Connect to the instance:

$ ssh -i <path-to-priv-key> ubuntu@<ssh-ip-address>

Check the service status

$ sudo systemctl status uc-docker.service

Expected Output:

● uc-docker.service - Manage the Ultracontrol Docker Service
     Loaded: loaded (/etc/systemd/system/uc-docker.service; enabled; preset: enabled)
     Active: active (running) since Tue 2026-04-28 15:31:22 UTC; 12h ago
   Main PID: 2430 (uc-docker.sh)
      Tasks: 2 (limit: 4614)
     Memory: 648.0K (peak: 9.0M)
        CPU: 18.644s
     CGroup: /system.slice/uc-docker.service
             ├─ 2430 /usr/bin/bash /opt/bluerock/bin/uc-docker.sh start
             └─21732 sleep 5

Apr 28 15:31:22 bluerock-test-node systemd[1]: uc-docker.service: Scheduled restart job, restart counter is at 1.
Apr 28 15:31:22 bluerock-test-node systemd[1]: Started uc-docker.service - Manage the Ultracontrol Docker Service.

Verify running containers

$ sudo docker ps

Expected output:

CONTAINER ID   IMAGE                                         COMMAND                  CREATED        STATUS        PORTS                                                                              NAMES
27c41fd6d422   ultracontrol:latest                           "/opt/bluerock/sbin/…"   13 hours ago   Up 13 hours                                                                                      uc
3f7fd76c0526   otel/opentelemetry-collector-contrib:0.95.0   "/otelcol-contrib --…"   13 hours ago   Up 13 hours   0.0.0.0:4317-4318->4317-4318/tcp, [::]:4317-4318->4317-4318/tcp, 55678-55679/tcp   otel-collector

Verify telemetry flow (optional)

$ sudo docker logs otel-collector

Expected output:

2026-04-28T15:31:21.786Z	info	[email protected]/telemetry.go:55	Setting up own telemetry...
2026-04-28T15:31:21.787Z	info	[email protected]/telemetry.go:97	Serving metrics	{"address": ":8888", "level": "Basic"}
2026-04-28T15:31:21.791Z	info	[email protected]/service.go:143	Starting otelcol-contrib...	{"Version": "0.95.0", "NumCPU": 2}
2026-04-28T15:31:21.791Z	info	extensions/extensions.go:34	Starting extensions...

Cleanup of Deployed Resource

To remove or delete the deployed BlueRock instances or all resources, run the following command.

$ terraform destroy --auto-approve

Note:

Azure Monitor generates hidden Smart Detector Alert Rules that block the terraform destroy command. Clear these rules beforehand by executing:

$ az resource list -g "<MONITOR_RG>" --resource-type "microsoft.alertsmanagement/smartDetectorAlertRules" --query "[].id" -o tsv | xargs -I {} az resource delete --ids "{}"

View Logs in Azure

For detailed instructions on how to view logs and OTEL events from the instance, please refer to the View Logs in Azure section.

Configuring Remote Project Workspace in Claude Desktop IDE

For detailed instructions on how to set up and connect your remote environment, refer to the Configuring Claude Desktop IDE section.

PreviousAzure Deployment with CLI NextBlueRock 26.08.0

Last updated 1 month ago

Prerequisites

Prerequisite Steps

BlueRock Azure Architecture Components

Deployment Package Overview

terraform.tfvars Parameter Reference

Configuration Steps

Running the Deployment

Post-Deployment Validation

Cleanup of Deployed Resource

View Logs in Azure

Configuring Remote Project Workspace in Claude Desktop IDE

`terraform.tfvars` Parameter Reference