HailBytes SAT Tutorial

Deploy on Azure via the CLI

Programmatic, reproducible HailBytes SAT deployment using the Azure CLI. Designed for CI pipelines, agents, and infrastructure-as-code workflows.

Overview

HailBytes SAT publishes a hardened VM image to the Azure Compute Gallery (built nightly via Packer on Ubuntu 24.04). This tutorial shows how to accept the marketplace terms and launch a VM entirely from the Azure CLI, with no portal clicks. If you'd rather use the portal, see the marketplace UI tutorial.

Prerequisites

  • Azure CLI 2.50+ signed in to the target subscription (az login)
  • Contributor on the target resource group (or the right to create one)
  • An SSH public key (~/.ssh/id_rsa.pub) to inject into the VM

Step 1: Set Variables

RG=hailbytes-sat-rg
LOCATION=eastus
VM_NAME=hailbytes-sat
VM_SIZE=Standard_D2s_v5            # 2 vCPU / 8 GiB — production: D4s_v5
ADMIN_USER=hailbytes
SSH_KEY=$(cat ~/.ssh/id_rsa.pub)
PUBLISHER=hailbytes
OFFER=hailbytes-sat
PLAN=hailbytes-sat
IMAGE_VERSION=latest               # or pin a specific build, e.g. 1.1511

Step 2: Accept Marketplace Terms

Required once per subscription before az vm create from a marketplace image succeeds:

az vm image terms accept \
  --publisher "$PUBLISHER" \
  --offer "$OFFER" \
  --plan "$PLAN"

Step 3: Find the Image URN

# List all available image versions
az vm image list \
  --publisher "$PUBLISHER" \
  --offer    "$OFFER" \
  --sku      "$PLAN" \
  --all -o table

# Pick the latest URN for the create command
IMAGE_URN="$PUBLISHER:$OFFER:$PLAN:$IMAGE_VERSION"
echo "Using $IMAGE_URN"

Step 4: Create the Resource Group

az group create --name "$RG" --location "$LOCATION"

Step 5: Create the VM

az vm create provisions the VM, NIC, public IP, NSG, and OS disk in one call. Cloud-init bootstraps the admin user and emails the first-boot password.

cat > cloud-init.yaml <<'EOF'
#cloud-config
hailbytes_sat:
  admin_email: admin@your-domain.com
  hostname:    sat.your-domain.com
EOF

az vm create \
  --resource-group "$RG" \
  --name           "$VM_NAME" \
  --image          "$IMAGE_URN" \
  --size           "$VM_SIZE" \
  --admin-username "$ADMIN_USER" \
  --ssh-key-values "$SSH_KEY" \
  --plan-name      "$PLAN" \
  --plan-product   "$OFFER" \
  --plan-publisher "$PUBLISHER" \
  --os-disk-size-gb 64 \
  --storage-sku    Premium_LRS \
  --custom-data    cloud-init.yaml \
  --public-ip-sku  Standard \
  --tags Product=HailBytes-SAT

Step 6: Open Inbound Ports

The VM provisioned with the default NSG. Open ports 80, 443, and 3333 explicitly, then restrict admin and SSH to your IP.

MY_IP=$(curl -s https://ifconfig.me)/32

# Phishing landing pages: open
az vm open-port --resource-group "$RG" --name "$VM_NAME" \
  --port 80  --priority 1010
az vm open-port --resource-group "$RG" --name "$VM_NAME" \
  --port 443 --priority 1020

# Admin UI: locked to your IP
NSG=$(az vm show --resource-group "$RG" --name "$VM_NAME" \
  --query 'networkProfile.networkInterfaces[0].id' -o tsv \
  | xargs -I{} az network nic show --ids {} \
  --query 'networkSecurityGroup.id' -o tsv \
  | xargs -I{} basename {})

az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
  --name allow-admin --priority 1030 \
  --source-address-prefixes "$MY_IP" \
  --destination-port-ranges 3333 --protocol Tcp --access Allow
az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
  --name allow-ssh --priority 1040 \
  --source-address-prefixes "$MY_IP" \
  --destination-port-ranges 22 --protocol Tcp --access Allow

Step 7: First-Boot Output

First boot takes 2–3 minutes. Bootstrap admin password is written to /var/log/hailbytes-sat-first-boot.log.

PUBLIC_IP=$(az vm show --show-details \
  --resource-group "$RG" --name "$VM_NAME" \
  --query publicIps -o tsv)

# Pull the bootstrap password
ssh -o StrictHostKeyChecking=accept-new "$ADMIN_USER@$PUBLIC_IP" \
    'sudo cat /var/log/hailbytes-sat-first-boot.log'

echo "Open https://$PUBLIC_IP:3333/"

Step 8: Verify

curl -k https://$PUBLIC_IP:3333/api/health
curl -k https://$PUBLIC_IP:3333/api/ready

Pinning a Specific Image Version

For change-controlled production deployments, pin to a specific gallery version (e.g. 1.1511) instead of latest. HailBytes SAT versions follow v1.<build-number>, where the build number increments with each release pushed to the gallery.

IMAGE_URN="hailbytes:hailbytes-sat:hailbytes-sat:1.1511"

Azure Government Notes

For Azure Government, switch the cloud (az cloud set --name AzureUSGovernment) and re-run az login. Use a Government region such as usgovvirginia. The HailBytes SAT image is published to the Azure Government Marketplace under the same publisher / offer / plan triplet.

Teardown

az group delete --name "$RG" --yes --no-wait

Next Steps

Quickstart

Now that the VM is up, log in and run your first campaign in 10 minutes.

View Tutorial →

Connect an AI Assistant

Wire Claude or Cursor to the built-in MCP server.

View Reference →

Related Tutorials

Get the Free HailBytes SAT Getting Started Guide

A 7-part email series covering everything from your first deployment to advanced configuration and real-world workflows. One email per day, no spam.