Create an Azure Virtual Machine Snapshot

Tenable Cloud Security Agentless Assessment performs scans on Azure Virtual Machines through the assessment of virtual hard disk snapshots. Snapshots can be created manually or automatically through the use of Azure Backup Vault. Tenable recommends that you automate this process.

Create Azure Virtual Machine Snapshot Manually

To create a snapshot manually:

  1. In the Azure portal, select Create a resource.

  2. Search for and select Snapshot.

    The Snapshot window appears.

  3. Click Create.

    The Create snapshot window appears.

  4. In the Basics tab, do the following:

    1. For Resource group, select an existing resource group or enter the name of a new one.

    2. In the Instance details section, provide the following information:

      • Name — Name of the snapshot.

      • Region — The Azure region into which the resource should be deployed. For the list of supported regions, see Agentless Assessment Requirements for Azure.

      • Snapshot type — The type of snapshot determines its pricing and functionality.

        • Full: Make a complete read-only copy of the selected disk.

        • Incremental: Save on storage costs by making a partial copy of the disk that contains only the changes since the last snapshot.

      • Source subscription — The subscription that contains the managed disk to be backed up.

      • Source disk — The disk to use as the source of this new snapshot.

      • Storage type — Select Standard HDD, unless you require zone-redundant storage or high-performance storage (Premium HDD) for your snapshot.

  5. Click the Encryption tab and ensure that Key management is set to Platform-managed key.

    Platform-managed keys (PMKs) are key encryption keys that are generated, stored, and managed entirely by Azure.

  6. Click the Networking tab and ensure that Network access is set to Enable public access from all networks.

  7. Click the Advanced tab and ensure that the Enable data access authentication mode is disabled.

  8. (Optional) Configure the Tags tab by providing name/value pairs for your resources.

  9. Click Review + create.

    Azure validates the snapshot and shows a summary of the snapshot.

  10. Click Create to create the snapshot.
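
The following check is an added example, not Tenable's or Microsoft's code: it confirms that existing snapshots carry the settings from steps 5 to 7. It assumes the input is the JSON printed by `az snapshot list -o json`; the function names are hypothetical and the sample data is constructed.

```python
import json

# Settings the manual procedure above asks for, expressed as the property
# names Azure returns for a Microsoft.Compute/snapshots resource.
REQUIRED = {
    "encryption.type": "EncryptionAtRestWithPlatformKey",  # step 5: Platform-managed key
    "networkAccessPolicy": "AllowAll",                     # step 6: public access, all networks
    "publicNetworkAccess": "Enabled",                      # step 6
}

def _get(obj, dotted):
    """Walk a dotted path through nested dicts; return None if any part is missing."""
    for part in dotted.split("."):
        if not isinstance(obj, dict):
            return None
        obj = obj.get(part)
    return obj

def check_snapshot(snap):
    """Return a list of findings for one snapshot; an empty list means it matches."""
    findings = []
    for path, want in REQUIRED.items():
        got = _get(snap, path)
        if got != want:
            findings.append(f"{path}: expected {want}, found {got}")
    # Step 7: data access authentication mode must be disabled (absent or "None").
    if snap.get("dataAccessAuthMode") not in (None, "None"):
        findings.append(f"dataAccessAuthMode: expected None, found {snap['dataAccessAuthMode']}")
    return findings

def check_all(raw_json):
    """Map snapshot name -> findings for every snapshot that deviates."""
    return {s.get("name", "<unnamed>"): f
            for s in json.loads(raw_json) if (f := check_snapshot(s))}

# Constructed sample input (not real resources), shaped like `az snapshot list -o json`.
SAMPLE = json.dumps([
    {"name": "vm1-os-snap", "incremental": True, "sku": {"name": "Standard_LRS"},
     "encryption": {"type": "EncryptionAtRestWithPlatformKey"},
     "networkAccessPolicy": "AllowAll", "publicNetworkAccess": "Enabled",
     "dataAccessAuthMode": "None"},
    {"name": "vm2-os-snap", "incremental": False, "sku": {"name": "Standard_LRS"},
     "encryption": {"type": "EncryptionAtRestWithCustomerKey"},
     "networkAccessPolicy": "DenyAll", "publicNetworkAccess": "Disabled",
     "dataAccessAuthMode": "AzureActiveDirectory"},
])

if __name__ == "__main__":
    for name, findings in check_all(SAMPLE).items():
        print(name)
        for f in findings:
            print("  -", f)
```

To run it against real resources, pass the output of `az snapshot list -o json` to `check_all` in place of `SAMPLE`.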

Automate Snapshot Creation with Azure Backup Vault

Azure provides automated Virtual Machine disk backup through Backup Vault. Tenable recommends creating a backup vault and policy to take regular snapshots of your Virtual Machines for Agentless Assessment. Create a vault in each subscription and each region.

Note: Recovery Service Vaults are not supported.

To automate snapshot creation:

  1. Create a Backup Vault in your subscription for a region.

  2. Create a backup policy and configure the Virtual Machine backup.

    Note: At a minimum, Tenable recommends scheduling snapshots to be created daily and in line with your Agentless Assessment scan schedule. The retention duration of Azure disk snapshots can be set to a minimum of one week, as the most recently created snapshot is always scanned.

See this Terraform Configuration File as an example of automating deployment of these resources.