Agentless solution
Plerion’s workload security solution is fully agentless, eliminating the need to install software on Azure workloads. Instead, Plerion deploys ephemeral scanning appliances within your Azure subscription. These appliances automatically assess workloads and provide comprehensive visibility into their security posture. Each appliance is a short-lived Azure Virtual Machine (VM) deployed in a dedicated, Plerion-managed resource group. Appliances run in the same Azure region as the workloads being scanned to ensure efficiency, data locality, and compliance with regional requirements.
Onboarding process

Before onboarding CWPP for an Azure subscription, make sure an Azure Active Directory (AD) integration is already configured in Plerion. CWPP uses the same App Registration created during that integration. For setup instructions, see Getting started with Microsoft Azure Active Directory.
Steps to onboard an Azure subscription
1. Create a dedicated resource group
| Resource Type | Resource Name | Description |
|---|---|---|
| Resource Group | plerion-cwpp-appliance-<plerionTenantId>-rg | Dedicated resource group for launching Plerion appliances. |
<plerionTenantId> is the tenant ID of your Plerion tenant, available on the Plerion platform.
2. Create a user-managed identity
| Resource Type | Resource Name | Description |
|---|---|---|
| User Managed Identity | plerion-cwpp-appliance-<plerionTenantId>-mi | Managed identity attached to appliances for scanning workloads. |
3. Assign required permissions
| Identity | Role Name | Scope | Description |
|---|---|---|---|
| plerion-cwpp-appliance-<plerionTenantId>-mi | Reader | Azure Subscription | Read-only access to all resources in the subscription. |
| plerion-cwpp-appliance-<plerionTenantId>-mi | Disk Snapshot Contributor | Azure Subscription | Create, manage, and copy disk snapshots to the resource group for scanning. |
| plerion-cwpp-appliance-<plerionTenantId>-mi | Contributor | Resource Group (plerion-cwpp-appliance-<plerionTenantId>-rg) | Full access to all resources in the appliance resource group. |
| Plerion App Registration (Service Principal) | Contributor | Resource Group (plerion-cwpp-appliance-<plerionTenantId>-rg) | Full access to manage appliance resources, networks, and perform cleanup operations. Used by the Plerion Control Plane to manage CWPP. |
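A check for step 3, as an added example that is not Plerion's own tooling: it compares the role assignments actually held by the appliance managed identity with the three rows of the table above and reports anything missing or broader than documented. The subscription ID, tenant ID and principal ID are placeholders, and the sample list is constructed in the shape of `az role assignment list --all -o json` output.

```python
def expected_mi_roles(subscription_id, plerion_tenant_id):
    """(role, scope) pairs the onboarding table grants the managed identity."""
    sub = f"/subscriptions/{subscription_id}"
    rg = f"{sub}/resourceGroups/plerion-cwpp-appliance-{plerion_tenant_id}-rg"
    return {
        ("Reader", sub),
        ("Disk Snapshot Contributor", sub),
        ("Contributor", rg),
    }


def _norm(role, scope):
    # Azure resource IDs are case-insensitive; ignore case and a trailing slash.
    return (role, scope.lower().rstrip("/"))


def audit_roles(assignments, principal_id, expected):
    """Report expected grants that are absent and grants the table does not list."""
    actual = {_norm(a["roleDefinitionName"], a["scope"])
              for a in assignments if a["principalId"] == principal_id}
    wanted = {_norm(role, scope) for role, scope in expected}
    return {"missing": sorted(wanted - actual),
            "unexpected": sorted(actual - wanted)}


# Constructed sample; every ID below is a placeholder, not a real tenant value.
SUB = "00000000-0000-0000-0000-000000000000"
TENANT = "example-tenant"
MI = "11111111-1111-1111-1111-111111111111"
SAMPLE = [
    {"principalId": MI, "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SUB}"},
    {"principalId": MI, "roleDefinitionName": "Disk Snapshot Contributor",
     "scope": f"/subscriptions/{SUB}"},
    # Drift: Contributor on the whole subscription instead of the appliance RG.
    {"principalId": MI, "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB}"},
    # A different principal; ignored by the audit.
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionName": "Owner", "scope": f"/subscriptions/{SUB}"},
]

if __name__ == "__main__":
    report = audit_roles(SAMPLE, MI, expected_mi_roles(SUB, TENANT))
    for kind, items in report.items():
        for role, scope in items:
            print(f"{kind}: {role} @ {scope}")
```

The App Registration is left out of the comparison because it is shared with the Azure AD integration and may legitimately hold other roles.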
Plerion control plane

- Creates virtual networks in Azure for appliance communication
- Launches appliances in the subscription
- Assigns workloads to appliances for scanning
- Manages appliance lifecycle operations
- Collects and processes scan results
1. Network configuration
The Plerion Control Plane creates a virtual network (VNet) in the Azure subscription for appliances to securely communicate with the Plerion platform.

Virtual network configuration
| Specification | Details |
|---|---|
| Name | plerion-cwpp-appliance-<plerionTenantId>-vnet |
| Address space | 10.0.0.0/16 |

Subnet configuration
| Specification | Details |
|---|---|
| Name | plerion-cwpp-appliance-<plerionTenantId>-subnet |
| Address space | 10.0.0.0/24 |

Network security group configuration
| Specification | Details |
|---|---|
| Name | plerion-cwpp-appliance-<plerionTenantId>-nsg |
| Inbound traffic | Block all inbound traffic |
| Outbound traffic | Allow outbound HTTPS (port 443) to the Plerion platform and to download appliance dependencies |
Custom network configurations are not currently supported. Support for custom networks will be added in future releases.
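To confirm that the deployed network security group still matches the policy in the table (no inbound allow rules, outbound allowed only on port 443), the following added example audits the NSG's custom rules. It is not Plerion's code; the rule names and sample rules are constructed, and the field names follow the JSON that `az network nsg rule list -o json` returns.

```python
def port_ranges(rule):
    """Collect destination ports from both the single and the list field."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    return ranges


def audit_nsg(rules):
    """Return (rule name, reason) for every rule that departs from the
    documented policy: block all inbound, allow outbound on 443 only."""
    findings = []
    for rule in rules:
        if rule["access"].lower() != "allow":
            continue  # deny rules cannot widen exposure
        direction = rule["direction"].lower()
        if direction == "inbound":
            findings.append((rule["name"], "inbound allow rule"))
        elif direction == "outbound":
            ports = port_ranges(rule)
            # "*", "80-443" or a multi-port list all exceed the documented 443.
            if ports != ["443"]:
                findings.append(
                    (rule["name"], f"outbound ports {ports} not limited to 443"))
    return findings


# Constructed sample of custom NSG rules (names are hypothetical).
RULES = [
    {"name": "deny-all-inbound", "direction": "Inbound", "access": "Deny",
     "destinationPortRange": "*", "destinationPortRanges": []},
    {"name": "allow-https-out", "direction": "Outbound", "access": "Allow",
     "destinationPortRange": "443", "destinationPortRanges": []},
    {"name": "allow-ssh-in", "direction": "Inbound", "access": "Allow",
     "destinationPortRange": "22", "destinationPortRanges": []},
    {"name": "allow-web-out", "direction": "Outbound", "access": "Allow",
     "destinationPortRange": None, "destinationPortRanges": ["80", "443"]},
]

if __name__ == "__main__":
    for name, reason in audit_nsg(RULES):
        print(f"{name}: {reason}")
```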
2. Launching appliances
The Control Plane launches appliances in the dedicated resource group created during onboarding. Appliances are deployed in the same region as the workloads being scanned, using the following configuration:
| Specification | Details |
|---|---|
| Instance type | Standard D2s v3 |
| CPU | 2 vCPUs |
| Memory | 8 GiB |
| Storage | 30 GiB |
| Operating system | Linux (Ubuntu 22.04) |
| Networking | Public IP address for secure communication with the Plerion platform (aligned with Azure security best practices) |
3. Assigning workloads to appliances
The following workloads are currently supported for scanning: Azure Virtual Machines. Plerion deploys appliances at a ratio of 1 appliance per 2 Azure Virtual Machines. For each region, up to 10 appliances can be launched concurrently, depending on the number of workloads to be scanned.
4. Managing appliance lifecycle
The Plerion Control Plane manages the full lifecycle of appliances, including:
- Starting appliances
- Deleting appliances
5. Collecting scan results
After completing the scan, appliances send their results to the Plerion Control Plane. The Control Plane stores and processes these results in the Plerion platform, making them available for review. Plerion Workload Scanner collects only security-related metadata from workloads. When combined with telemetry from CSPM and CIEM capabilities, this data provides rich context to help prioritize and remediate security issues.
The Plerion Workload Scanner does not collect raw data, PII/PHI, or sensitive business information.
Monitoring resources created by Plerion
All resources required for CWPP are deployed within the dedicated resource group (plerion-cwpp-appliance-<plerionTenantId>-rg) created during onboarding. Resources are prefixed with plerion-cwpp-* and tagged with Owner=Plerion.
Benefits of a dedicated resource group:
- Simplifies monitoring and identification of Plerion-created resources
- Enables easy cleanup of Plerion resources
- Provides clear visibility into resource costs and supports budget tracking
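Because both the managed identity and the App Registration hold Contributor on this resource group, anything in it that does not follow the plerion-cwpp-* prefix and Owner=Plerion tag convention deserves a look. The added example below (not Plerion's code) flags such resources in an inventory shaped like `az resource list -g <resource group> -o json`; the resource names in the sample are constructed.

```python
from fnmatch import fnmatchcase


def nonconforming(resources, name_glob="plerion-cwpp-*",
                  tag_name="Owner", tag_value="Plerion"):
    """Return (name, reasons) for resources that break the naming or
    tagging convention documented for the appliance resource group."""
    findings = []
    for res in resources:
        reasons = []
        # Azure resource names are compared case-insensitively.
        if not fnmatchcase(res["name"].lower(), name_glob):
            reasons.append(f"name does not match {name_glob}")
        # Tag names are case-insensitive, tag values are case-sensitive;
        # untagged resources come back with "tags": null.
        tags = {k.lower(): v for k, v in (res.get("tags") or {}).items()}
        if tags.get(tag_name.lower()) != tag_value:
            reasons.append(f"missing tag {tag_name}={tag_value}")
        if reasons:
            findings.append((res["name"], reasons))
    return findings


# Constructed inventory; names and types are illustrative only.
INVENTORY = [
    {"name": "plerion-cwpp-appliance-example-tenant-vm-1",
     "type": "Microsoft.Compute/virtualMachines",
     "tags": {"owner": "Plerion"}},
    {"name": "plerion-cwpp-appliance-example-tenant-nsg",
     "type": "Microsoft.Network/networkSecurityGroups",
     "tags": {"Owner": "someone-else"}},
    {"name": "debug-disk",
     "type": "Microsoft.Compute/disks",
     "tags": None},
]

if __name__ == "__main__":
    for name, reasons in nonconforming(INVENTORY):
        print(f"{name}: {'; '.join(reasons)}")
```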