Sizing Guide
Hardware specifications are listed below, grouped by the number of assets to be secured.
Note: The customer is expected to provision the AKS cluster, storage account, database and other Azure infrastructure before deployment. ColorTokens will share the necessary files before the deployment date; these files must be copied to the Bastion Host before installation.
Securing up to 100 assets
Hardware Requirements for Non HA setup
Non HA Kubernetes Cluster
Layer | No of VMs | Specification | Resource |
---|---|---|---|
Platform Tier | Node pool of min=5 nodes, max=10 nodes | 4 vCPU, 16 GB RAM, Ubuntu 22.04 / RHEL 9.4 | Azure Kubernetes Service (v1.29.5 or higher). The node pool should preferably be multi-zone for better availability. |
Bastion Host | 1 | 4 vCPU, 8 GB RAM, 220 GB OS disk, Ubuntu 22.04 / RHEL 9.4 | The Bastion Host serves the ColorTokens platform Docker images and binaries required for Xshield application setup during deployment. |
Non HA DB
Layer | No of DBs | Specification | Resource |
---|---|---|---|
Data Tier | 1 | 4 vCPU, 16 GB RAM, 256 GB disk | Azure Database for PostgreSQL flexible server |
Hardware Requirements for HA setup
HA Kubernetes Cluster
The configuration below provides full HA for the platform and data tiers across DC and DR.
Layer | Site | No of VMs | Specification | Resource |
---|---|---|---|---|
Platform Tier | DC | Node pool of min=5 nodes, max=10 nodes | 4 vCPU, 16 GB RAM, Ubuntu 22.04 / RHEL 9.4 | Azure Kubernetes Service (v1.29.5 or higher). The node pool should preferably be multi-zone for better availability. |
Platform Tier | DR | Node pool of min=5 nodes, max=10 nodes | 4 vCPU, 16 GB RAM, Ubuntu 22.04 / RHEL 9.4 | Azure Kubernetes Service (v1.29.5 or higher). The node pool should preferably be multi-zone for better availability. |
Bastion Host | DC | 1 | 4 vCPU, 8 GB RAM, 220 GB OS disk, Ubuntu 22.04 / RHEL 9.4 | The Bastion Host serves the ColorTokens platform Docker images and binaries required for Xshield application setup during deployment. |
Bastion Host | DR | 1 | 4 vCPU, 8 GB RAM, 220 GB OS disk, Ubuntu 22.04 / RHEL 9.4 | The Bastion Host serves the ColorTokens platform Docker images and binaries required for Xshield application setup during deployment. |
HA DB
Layer | Site | No of DBs | Specification | Resource |
---|---|---|---|---|
Data Tier | DC | 1 | 4 vCPU, 16 GB RAM, 256 GB disk | Azure Database for PostgreSQL flexible server |
Data Tier | DR | 1 | 4 vCPU, 16 GB RAM, 256 GB disk | Azure Database for PostgreSQL flexible server |
The Disaster Recovery (DR) database should be set up as a replica of the Data Center (DC) database. A private endpoint must be established for the HA database so that the platform reaches PostgreSQL over the virtual network rather than through a public address. Managing HA of the database (failover and replica promotion) within the managed service is the customer's responsibility.
HA Storage account
The storage account should use Geo-redundant storage (GRS) or Read-access geo-redundant storage (RA-GRS) so that data is replicated to the paired Azure region for durability and disaster recovery. Geo-replication is asynchronous, and only RA-GRS allows the secondary region to be read before a failover.
Configuring high availability (HA) for the storage account is the customer's responsibility. See:
https://learn.microsoft.com/en-us/azure/storage/common/storage-redundancy
https://learn.microsoft.com/en-us/azure/reliability/regions-list#azure-regions-list-1
Disk space allocation per node type for RHEL 9.4 (sizes in GB)
Bastion Host
/home | /opt | /var | / | Total (primary disk) |
---|---|---|---|---|
128 | 40 | 20 | 32 | 220 |
Securing up to 1000 assets
Hardware Requirements for Non HA setup
Non HA Kubernetes Cluster
Layer | No of VMs | Specification | Resource |
---|---|---|---|
Platform Tier | Node pool of min=5 nodes, max=10 nodes | 4 vCPU, 16 GB RAM, Ubuntu 22.04 / RHEL 9.4 | Azure Kubernetes Service (v1.29.5 or higher). The node pool should preferably be multi-zone for better availability. |
Bastion Host | 1 | 4 vCPU, 8 GB RAM, 220 GB OS disk, Ubuntu 22.04 / RHEL 9.4 | The Bastion Host serves the ColorTokens platform Docker images and binaries required for Xshield application setup during deployment. |
Non HA DB
Layer | No of DBs | Specification | Resource |
---|---|---|---|
Data Tier | 1 | 8 vCPU, 64 GB RAM, 256 GB disk | Azure Database for PostgreSQL flexible server |
Hardware Requirements for HA setup
HA Kubernetes Cluster
The configuration below provides full HA for the platform and data tiers across DC and DR.
Layer | Site | No of VMs | Specification | Resource |
---|---|---|---|---|
Platform Tier | DC | Node pool of min=5 nodes, max=10 nodes | 4 vCPU, 16 GB RAM, Ubuntu 22.04 / RHEL 9.4 | Azure Kubernetes Service (v1.29.5 or higher). The node pool should preferably be multi-zone for better availability. |
Platform Tier | DR | Node pool of min=5 nodes, max=10 nodes | 4 vCPU, 16 GB RAM, Ubuntu 22.04 / RHEL 9.4 | Azure Kubernetes Service (v1.29.5 or higher). The node pool should preferably be multi-zone for better availability. |
Bastion Host | DC | 1 | 4 vCPU, 8 GB RAM, 220 GB OS disk, Ubuntu 22.04 / RHEL 9.4 | The Bastion Host serves the ColorTokens platform Docker images and binaries required for Xshield application setup during deployment. |
Bastion Host | DR | 1 | 4 vCPU, 8 GB RAM, 220 GB OS disk, Ubuntu 22.04 / RHEL 9.4 | The Bastion Host serves the ColorTokens platform Docker images and binaries required for Xshield application setup during deployment. |
HA DB
Layer | Site | No of DBs | Specification | Resource |
---|---|---|---|---|
Data Tier | DC | 1 | 8 vCPU, 64 GB RAM, 256 GB disk | Azure Database for PostgreSQL flexible server |
Data Tier | DR | 1 | 8 vCPU, 64 GB RAM, 256 GB disk | Azure Database for PostgreSQL flexible server |
The Disaster Recovery (DR) database should be set up as a replica of the Data Center (DC) database. A private endpoint must be established for the HA database so that the platform reaches PostgreSQL over the virtual network rather than through a public address. Managing HA of the database (failover and replica promotion) within the managed service is the customer's responsibility.
HA Storage account
The storage account should use Geo-redundant storage (GRS) or Read-access geo-redundant storage (RA-GRS) so that data is replicated to the paired Azure region for durability and disaster recovery. Geo-replication is asynchronous, and only RA-GRS allows the secondary region to be read before a failover.
Configuring high availability (HA) for the storage account is the customer's responsibility. See:
https://learn.microsoft.com/en-us/azure/storage/common/storage-redundancy
https://learn.microsoft.com/en-us/azure/reliability/regions-list#azure-regions-list-1
Disk space allocation per node type for RHEL 9.4 (sizes in GB)
Bastion Host
/home | /opt | /var | / | Total (primary disk) |
---|---|---|---|---|
128 | 40 | 20 | 32 | 220 |
Securing up to 4000 assets
Hardware Requirements for Non HA setup
Non HA Kubernetes Cluster
Layer | No of VMs | Specification | Resource |
---|---|---|---|
Platform Tier | Node pool of min=5 nodes, max=10 nodes | 8 vCPU, 32 GB RAM, Ubuntu 22.04 / RHEL 9.4 | Azure Kubernetes Service (v1.29.5 or higher). The node pool should preferably be multi-zone for better availability. |
Bastion Host | 1 | 4 vCPU, 8 GB RAM, 220 GB OS disk, Ubuntu 22.04 / RHEL 9.4 | The Bastion Host serves the ColorTokens platform Docker images and binaries required for Xshield application setup during deployment. |
Non HA DB
Layer | No of DBs | Specification | Resource |
---|---|---|---|
Data Tier | 1 | 8 vCPU, 64 GB RAM, 500 GB disk | Azure Database for PostgreSQL flexible server |
Hardware Requirements for HA setup
HA Kubernetes Cluster
The configuration below provides full HA for the platform and data tiers across DC and DR.
Layer | Site | No of VMs | Specification | Resource |
---|---|---|---|---|
Platform Tier | DC | Node pool of min=5 nodes, max=10 nodes | 8 vCPU, 32 GB RAM, Ubuntu 22.04 / RHEL 9.4 | Azure Kubernetes Service (v1.29.5 or higher). The node pool should preferably be multi-zone for better availability. |
Platform Tier | DR | Node pool of min=5 nodes, max=10 nodes | 8 vCPU, 32 GB RAM, Ubuntu 22.04 / RHEL 9.4 | Azure Kubernetes Service (v1.29.5 or higher). The node pool should preferably be multi-zone for better availability. |
Bastion Host | DC | 1 | 4 vCPU, 8 GB RAM, 220 GB OS disk, Ubuntu 22.04 / RHEL 9.4 | The Bastion Host serves the ColorTokens platform Docker images and binaries required for Xshield application setup during deployment. |
Bastion Host | DR | 1 | 4 vCPU, 8 GB RAM, 220 GB OS disk, Ubuntu 22.04 / RHEL 9.4 | The Bastion Host serves the ColorTokens platform Docker images and binaries required for Xshield application setup during deployment. |
HA DB
Layer | Site | No of DBs | Specification | Resource |
---|---|---|---|---|
Data Tier | DC | 1 | 8 vCPU, 64 GB RAM, 500 GB disk | Azure Database for PostgreSQL flexible server |
Data Tier | DR | 1 | 8 vCPU, 64 GB RAM, 500 GB disk | Azure Database for PostgreSQL flexible server |
The Disaster Recovery (DR) database should be set up as a replica of the Data Center (DC) database. A private endpoint must be established for the HA database so that the platform reaches PostgreSQL over the virtual network rather than through a public address. Managing HA of the database (failover and replica promotion) within the managed service is the customer's responsibility.
HA Storage account
The storage account should use Geo-redundant storage (GRS) or Read-access geo-redundant storage (RA-GRS) so that data is replicated to the paired Azure region for durability and disaster recovery. Geo-replication is asynchronous, and only RA-GRS allows the secondary region to be read before a failover.
Configuring high availability (HA) for the storage account is the customer's responsibility. See:
https://learn.microsoft.com/en-us/azure/storage/common/storage-redundancy
https://learn.microsoft.com/en-us/azure/reliability/regions-list#azure-regions-list-1
Disk space allocation per node type for RHEL 9.4 (sizes in GB)
Bastion Host
/home | /opt | /var | / | Total (primary disk) |
---|---|---|---|---|
128 | 40 | 20 | 32 | 220 |
Securing up to 10000 assets
Hardware Requirements for Non HA setup
Non HA Kubernetes Cluster
Layer | No of VMs | Specification | Resource |
---|---|---|---|
Platform Tier | Node pool of min=6 nodes, max=12 nodes | 8 vCPU, 32 GB RAM, Ubuntu 22.04 / RHEL 9.4 | Azure Kubernetes Service (v1.29.5 or higher). The node pool should preferably be multi-zone for better availability. |
Bastion Host | 1 | 4 vCPU, 8 GB RAM, 220 GB OS disk, Ubuntu 22.04 / RHEL 9.4 | The Bastion Host serves the ColorTokens platform Docker images and binaries required for Xshield application setup during deployment. |
Non HA DB
Layer | No of DBs | Specification | Resource |
---|---|---|---|
Data Tier | 1 | 32 vCPU, 128 GB RAM, 1024 GB disk | Azure Database for PostgreSQL flexible server |
Hardware Requirements for HA setup
HA Kubernetes Cluster
The configuration below provides full HA for the platform and data tiers across DC and DR.
Layer | Site | No of VMs | Specification | Resource |
---|---|---|---|---|
Platform Tier | DC | Node pool of min=6 nodes, max=12 nodes | 8 vCPU, 32 GB RAM, Ubuntu 22.04 / RHEL 9.4 | Azure Kubernetes Service (v1.29.5 or higher). The node pool should preferably be multi-zone for better availability. |
Platform Tier | DR | Node pool of min=6 nodes, max=12 nodes | 8 vCPU, 32 GB RAM, Ubuntu 22.04 / RHEL 9.4 | Azure Kubernetes Service (v1.29.5 or higher). The node pool should preferably be multi-zone for better availability. |
Bastion Host | DC | 1 | 4 vCPU, 8 GB RAM, 220 GB OS disk, Ubuntu 22.04 / RHEL 9.4 | The Bastion Host serves the ColorTokens platform Docker images and binaries required for Xshield application setup during deployment. |
Bastion Host | DR | 1 | 4 vCPU, 8 GB RAM, 220 GB OS disk, Ubuntu 22.04 / RHEL 9.4 | The Bastion Host serves the ColorTokens platform Docker images and binaries required for Xshield application setup during deployment. |
HA DB
Layer | Site | No of DBs | Specification | Resource |
---|---|---|---|---|
Data Tier | DC | 1 | 32 vCPU, 128 GB RAM, 1024 GB disk | Azure Database for PostgreSQL flexible server |
Data Tier | DR | 1 | 32 vCPU, 128 GB RAM, 1024 GB disk | Azure Database for PostgreSQL flexible server |
The Disaster Recovery (DR) database should be set up as a replica of the Data Center (DC) database. A private endpoint must be established for the HA database so that the platform reaches PostgreSQL over the virtual network rather than through a public address. Managing HA of the database (failover and replica promotion) within the managed service is the customer's responsibility.
HA Storage account
The storage account should use Geo-redundant storage (GRS) or Read-access geo-redundant storage (RA-GRS) so that data is replicated to the paired Azure region for durability and disaster recovery. Geo-replication is asynchronous, and only RA-GRS allows the secondary region to be read before a failover.
Configuring high availability (HA) for the storage account is the customer's responsibility. See:
https://learn.microsoft.com/en-us/azure/storage/common/storage-redundancy
https://learn.microsoft.com/en-us/azure/reliability/regions-list#azure-regions-list-1
Disk space allocation per node type for RHEL 9.4 (sizes in GB)
Bastion Host
/home | /opt | /var | / | Total (primary disk) |
---|---|---|---|---|
128 | 40 | 20 | 32 | 220 |
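The Bastion Host disk table is the same for all four sizing tiers, so a single preflight check covers it. The script below is an added example, not ColorTokens tooling: it assumes /home, /opt and /var are separate mount points on the 220 GB primary disk, as the table lays them out, and compares what `df -BG --output=target,size` reports against the required sizes, failing on any mount point that is missing or undersized. The `df` output embedded in `sample_df_ok` is constructed for the demonstration, not captured from a real host.

```shell
#!/usr/bin/env bash
# Added preflight for the Bastion Host disk table; not ColorTokens tooling.
# Assumes /home, /opt and /var are separate mount points on the 220 GB
# primary disk. Live usage on the Bastion Host:
#   df -BG --output=target,size | tail -n +2 | check_bastion_disks

# Required minimum size in GB per mount point, taken from the table.
BASTION_LAYOUT='/home 128
/opt 40
/var 20
/ 32'

# Sum of the per-mount sizes; this must equal the primary disk size (220 GB).
layout_total_gb() {
  printf '%s\n' "$BASTION_LAYOUT" | awk '{ sum += $2 } END { print sum }'
}

# Read "mountpoint sizeG" lines on stdin (the shape of `df -BG
# --output=target,size` without its header) and report mount points that are
# missing or smaller than required. Returns 0 only if every requirement holds.
check_bastion_disks() {
  local actual rc=0 mnt need have
  actual="$(cat)"
  while read -r mnt need; do
    # First field is the mount point, second the size with a trailing "G".
    have="$(printf '%s\n' "$actual" | awk -v m="$mnt" '$1 == m { sub(/G$/, "", $2); print int($2) }')"
    if [ -z "$have" ]; then
      echo "missing mount point: $mnt (need ${need} GB)" >&2; rc=1
    elif [ "$have" -lt "$need" ]; then
      echo "undersized: $mnt is ${have} GB, need ${need} GB" >&2; rc=1
    fi
  done <<EOF
$BASTION_LAYOUT
EOF
  return $rc
}

# Constructed sample of `df -BG --output=target,size | tail -n +2` on a host
# that matches the table (not captured from a real system). An extra /boot
# line shows that unrelated mount points are ignored.
sample_df_ok() {
  printf '%s\n' '/ 32G' '/boot 1G' '/home 128G' '/opt 40G' '/var 20G'
}

# Stand-alone usage: bastion_disks.sh --live  (runs against the local host)
if [ "${1:-}" = "--live" ]; then
  df -BG --output=target,size | tail -n +2 | check_bastion_disks \
    && echo "ok: Bastion Host disk layout meets the sizing table"
fi
```

Run it on the freshly provisioned Bastion Host before copying the deployment files over; a /home that was left on the root filesystem shows up as "missing mount point" rather than silently passing because / happens to be large.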
Additional Requirements
- The Kubernetes cluster must have read and write access to the Azure Storage Account (Blob Storage) and Azure Container Registry (ACR).
- The Bastion Host must also have read and write access to the Azure Storage Account (Blob Storage) and ACR.
- Access keys for the storage account and ACR need to be shared at deployment time. Treat them as secrets: hand them over out of band rather than in a ticket or e-mail, and rotate them once the deployment is complete.
- Two unused static IPs are required for the platform ingress components. Additionally, the AKS cluster identity (the managed identity or service principal the cluster runs as, `<principal_id>` below) must hold both the Reader and Contributor roles on the subnet from which the Load Balancer obtains its private IP. Commands:
  az role assignment create --assignee <principal_id> --role Reader --scope <resource-id-of-subnet>
  az role assignment create --assignee <principal_id> --role Contributor --scope <resource-id-of-subnet>
  Contributor already includes every read action that Reader grants, so the second assignment does not widen access. If you want a narrower grant, Azure's AKS documentation lists Network Contributor on the subnet as sufficient for an internal load balancer; confirm with ColorTokens before deviating from the roles above.
- Permissions are required in the AKS subscription to provision the persistent volumes that back Persistent Volume Claims (PVCs), which the platform's stateful components depend on.
- FQDN and TLS:
  a. FQDN(s) of your choice will be required to host the ColorTokens Xshield platform and related components (e.g., Blob Store, Monitoring). For example:
     <colortokens>.<your-domain-name>.com (Xshield Platform UI) (IP1)
     artifacts-<colortokens>.<your-domain-name>.com (Blob Storage) (IP1)
     telemetry-<colortokens>.<your-domain-name>.com (Agent flow logs) (IP1)
     logs-<colortokens>.<your-domain-name>.com (Agent logs) (IP1)
     docs-<colortokens>.<your-domain-name>.com (Knowledge base) (IP1)
     monitoring-<colortokens>.<your-domain-name>.com (Monitoring platform - Grafana) (IP2)
     IP1 and IP2 are the two static ingress IPs from the previous requirement.
  b. The FQDN(s) must be resolvable from all managed assets.
  c. TLS certificates must be issued by a well-known certificate authority for the FQDN(s):
     - CN=<colortokens>.<your-domain-name>.com
     - SAN entries must cover all of the above FQDNs.
  d. The customer must configure valid DNS and NTP servers to ensure FQDN resolution and time synchronization across servers.
  e. The Bastion Host must run RHEL 9.4 or Ubuntu 22.04 and must have the following access:
     - Port 5432 (PostgreSQL) to the database, with read/write access to it
     - SSH (port 22)
     - Storage account (read/write)
     - ACR or similar registry (read/write)
     - Cluster (read/write), including permission to deploy CRDs on the cluster
     - All of the above FQDNs
     - Network connectivity to all Kubernetes nodes
     - Sudo access on the Bastion Host
     - The full TLS certificate chain and private key copied to the Bastion Host
  f. Port 3000 on the Bastion Host must be reachable from another Windows machine.
  g. The kubeconfig file of the cluster must be present on the Bastion Host. It is a cluster credential, so restrict its file permissions to the deployment user.
  h. For RHEL 9.4 and Ubuntu 22.04, offline installation files will be provided and must be copied to the Bastion Host before deployment:
     File Type | Location to Copy To | Delivery Mode |
     ---|---|---|
     Platform deployment tar | Bastion Host | Provided by CT |
     TLS certificate bundle | Bastion Host | Customer-provided |
     OS package bundle | Bastion Host | Provided by CT |
  i. A public SFTP server should be available for ColorTokens to upload the tar files; these files must then be made accessible on the Bastion Host. Restrict the SFTP server to the account ColorTokens uses for the upload, and confirm the delivered files' integrity with ColorTokens before installing them.
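The subnet role requirement in the Additional Requirements list can be verified rather than assumed. The script below is an added example, not ColorTokens tooling: it consumes the TSV that `az role assignment list --all --assignee <principal_id> --query "[].[roleDefinitionName,scope]" -o tsv` prints and decides whether Reader and Contributor are effective on the subnet. The point it makes is that Azure RBAC is inherited down the resource hierarchy, so a Contributor assignment on the VNet, resource group or subscription already satisfies the requirement, while an assignment on a sibling subnet does not, and that resource IDs compare case-insensitively. The subscription ID, resource group, VNet and subnet names in `sample_assignments` are constructed placeholders, not from a real tenant.

```shell
#!/usr/bin/env bash
# Added preflight for the subnet role requirement; not ColorTokens tooling.
# Azure RBAC assignments are inherited down the resource hierarchy, so a role
# granted on the VNet, resource group or subscription is already effective on
# the subnet, while one granted on a sibling subnet is not. Feed this script
# the output of
#   az role assignment list --all --assignee <principal_id> \
#     --query "[].[roleDefinitionName,scope]" -o tsv
# and it reports which required roles are missing on the subnet.
# Stand-alone usage: subnet_roles.sh <subnet_resource_id> < assignments.tsv

# Azure resource IDs compare case-insensitively, so normalise before comparing.
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# scope_covers <resource_id> <assignment_scope>: 0 when the assignment applies,
# i.e. the IDs are equal or the resource lies beneath the scope. The "/"
# boundary matters: ".../subnets/a" must not cover ".../subnets/ab".
scope_covers() {
  local resource scope
  resource="$(lc "$1")"; scope="$(lc "$2")"
  case "$resource" in
    "$scope"|"$scope"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# has_effective_role <resource_id> <role>: reads "role<TAB>scope" lines on
# stdin and returns 0 if some assignment of <role> covers the resource.
has_effective_role() {
  local resource="$1" role="$2" name scope
  while IFS="$(printf '\t')" read -r name scope; do
    [ "$name" = "$role" ] || continue
    if scope_covers "$resource" "$scope"; then return 0; fi
  done
  return 1
}

# check_required_roles <resource_id> <role>...: 0 only if every role is
# effective on the resource; names the missing ones on stderr otherwise.
check_required_roles() {
  local resource="$1" tsv rc=0 role
  shift
  tsv="$(cat)"
  for role in "$@"; do
    if ! printf '%s\n' "$tsv" | has_effective_role "$resource" "$role"; then
      echo "missing: $role is not effective on $resource" >&2; rc=1
    fi
  done
  return $rc
}

# Constructed sample in the shape of the az query output (placeholder
# subscription and names, not from a real tenant): Reader directly on the
# ingress subnet, Contributor inherited from its VNet, and only Reader on a
# subnet in a second VNet.
SUB="/subscriptions/00000000-0000-0000-0000-000000000000"
VNET="$SUB/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet-xshield"
VNET2="$SUB/resourceGroups/rg-dr/providers/Microsoft.Network/virtualNetworks/vnet-xshield-dr"
SUBNET_INGRESS="$VNET/subnets/snet-ingress"
SUBNET_DR="$VNET2/subnets/snet-ingress"
sample_assignments() {
  printf '%s\t%s\n' \
    Reader "$SUBNET_INGRESS" \
    Contributor "$VNET" \
    Reader "$SUBNET_DR" \
    AcrPull "$SUB/resourceGroups/rg-xshield/providers/Microsoft.ContainerRegistry/registries/acrxshield"
}

if [ $# -eq 1 ]; then
  check_required_roles "$1" Reader Contributor \
    && echo "ok: Reader and Contributor are effective on $1"
fi
```

Because inheritance is honoured, the check passes when Contributor was granted higher up and only Reader was added on the subnet, which is the usual outcome of running the two `az role assignment create` commands after the cluster identity already had rights on the VNet.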
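The FQDN and TLS items above (a, c and e) can be checked before the certificate bundle is copied to the Bastion Host. The following script is an added example, not ColorTokens tooling: it derives the six FQDNs from the `<colortokens>` label and your domain, checks that the certificate's CN is the platform FQDN and that its SAN entries cover every FQDN, that the private key belongs to the certificate, and that the certificate verifies against the supplied chain. It needs only openssl (1.1.1 or newer for the `-addext` option used by the helper). `make_test_cert` builds a throwaway self-signed certificate as constructed input for trying the checks; a real deployment runs them against the CA-issued bundle instead.

```shell
#!/usr/bin/env bash
# Added preflight for the FQDN and TLS requirements; not ColorTokens tooling.
# Verifies, with nothing but openssl, that a certificate bundle is fit for the
# Bastion Host before it is copied there:
#   - CN equals the platform FQDN (<colortokens>.<your-domain-name>.com)
#   - SAN entries cover every Xshield FQDN
#   - the private key belongs to the certificate
#   - the certificate verifies against the supplied chain
# Stand-alone usage: tls_preflight.sh <cert.pem> <key.pem> <chain.pem> <label> <domain>

# Print the six FQDNs the platform needs for a label ("<colortokens>") and domain.
xshield_fqdns() {
  local label="$1" domain="$2"
  printf '%s\n' \
    "${label}.${domain}" \
    "artifacts-${label}.${domain}" \
    "telemetry-${label}.${domain}" \
    "logs-${label}.${domain}" \
    "docs-${label}.${domain}" \
    "monitoring-${label}.${domain}"
}

# DNS names from the certificate's subjectAltName extension, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Subject CN of the certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# check_cert_covers <cert> <platform_fqdn> <fqdn>...: 0 if the CN matches and
# every FQDN is in the SAN list; otherwise print what is wrong and return 1.
check_cert_covers() {
  local cert="$1" platform_fqdn="$2" rc=0 sans cn fqdn
  shift 2
  sans="$(cert_sans "$cert")"
  cn="$(cert_cn "$cert")"
  if [ "$cn" != "$platform_fqdn" ]; then
    echo "CN mismatch: certificate has '$cn', expected '$platform_fqdn'" >&2; rc=1
  fi
  for fqdn in "$@"; do
    if ! printf '%s\n' "$sans" | grep -qxF "$fqdn"; then
      echo "missing SAN entry: $fqdn" >&2; rc=1
    fi
  done
  return $rc
}

# 0 if the public key inside <cert> equals the one derived from <key>.
check_key_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# 0 if <cert> verifies against <chain> (the CA bundle the Bastion Host receives).
check_chain() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# make_test_cert <dir> <label> <domain> <san_fqdn>...: writes a throwaway
# self-signed cert.pem/key.pem as constructed input for trying the checks.
# A real deployment uses the CA-issued bundle instead.
make_test_cert() {
  local dir="$1" label="$2" domain="$3" san="" f
  shift 3
  for f in "$@"; do san="${san:+$san,}DNS:$f"; done
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -subj "/CN=${label}.${domain}" -addext "subjectAltName=${san}" 2>/dev/null
}

if [ $# -eq 5 ]; then
  check_cert_covers "$1" "$4.$5" $(xshield_fqdns "$4" "$5") \
    && check_key_matches "$1" "$2" \
    && check_chain "$1" "$3" \
    && echo "ok: bundle covers all Xshield FQDNs, key matches, chain verifies"
fi
```

The SAN check is exact-match on each name, so a wildcard certificate for `*.<your-domain-name>.com` is reported as missing the platform names; if the CA issued a wildcard instead of the listed SANs, settle that with ColorTokens before deployment rather than loosening the check.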
Identity Management:
- The ColorTokens console can be configured to work with any OAuth 2.0 / OpenID Connect compatible Identity Provider, such as Active Directory, ADFS, Okta, Auth0 or Keycloak.