# Deploy with Virtual Appliance You can run an [Insight Point](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/integrations/connectivity/insight-point) on the virtual machine service of your choice with a Veza-provided OVA image. The file includes a full Linux environment within a single file that can run on VMWare vSphere, Oracle Virtualbox, or another VM manager. ### Compatibility * The virtual appliance supports VMware vSphere 6.5+, and as Oracle VM Virtualbox 6.0+. * The virtual appliance runs Alpine Linux. ### Deploying the Virtual Appliance Download the current Insight Point build from **Note**: The virtual appliance is preconfigured to meet the [Insight Point system requirements](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/integrations/connectivity/insight-point/..#system-requirements) with minimum CPU (2 cores), RAM (4 GB), and storage values. It is compatible with amd64 (x86\_64) systems. Unless instructed otherwise by Veza support, do not adjust the default values. #### VMware From the **VMware Host Client Inventory** screen, follow these steps to import the virtual appliance: 1. Right-click **Host** in the VMware Host client inventory and select **Create/Register VM** 2. In the **New Virtual Machine** window that appears, on the **Select creation type** page, select **Deploy a virtual machine from an OVF or OVA** and click **Next** 3. On the **Select OVF and VMDK files** page, provide a unique name for the virtual machine (ex: `veza_insight_point`) 4. Click the blue pane to begin browsing to the location of the `veza_insight_point_v2.ova` file on your local system storage 5. Browse to and select the `veza_insight_point_v2.ova` file, then click **Open** 6. The file appears in the blue pane in the **New Virtual Machine** wizard; click **Next** 7. On the **Select storage** page, select the storage type (Standard) and choose a datastore for the virtual machine, then click **Next** 8. On the **Deployment options** page, select network mappings, disk provisioning, and power-on settings, then click **Next** 9. On the **Ready to complete** page, review the virtual machine details and click **Finish** #### Oracle VM Virtualbox In the Oracle VM VirtualBox Manager, follow these steps to import the virtual appliance: 1. In the **File** menu, click **Import Appliance** 2. In the **Appliance Import Wizard** window that appears, click **Choose** to select the location of the `veza_insight_point_v2.ova` file 3. Browse to the location of the `veza_insight_point_v2.ova` file and click **Open** 4. Review the **Appliance Import Settings** displayed in the window and click **Import** ### Generate an Insight Point Registration Key The Insight Point requires a registration key to authenticate with the Veza platform. To generate an Insight Point registration key, follow these steps: 1. Browse to your Veza Instance and log in as an administrative user. 2. In the left navigation pane, locate **Configuration**, then click **Insight Point** in the subpane. 3. Click **Generate New Key** in the upper-right corner of the main pane. 4. Provide a name for the new Insight Point and set an expiration date and time. 5. Click **Generate Key** 6. Make note of the key value that is returned; this will be required for configuring the Insight Point below ### High Availability Deployments When deploying multiple Insight Point OVA instances for High Availability, each instance must be configured with a unique instance ID. This allows the Veza control plane to distinguish between different instances and track their individual status. **Important**: Instance ID is required in **High Availability deployments** where multiple OVA instances are being deployed. Each instance ID must be unique for each Insight Point instance. ### Configuring the Virtual Appliance Once the virtual appliance is deployed and powered on, complete the initial configuration from the hypervisor console or using SSH. #### Default Credentials Log in to the virtual appliance with the `root` account. This account has no password when initially deployed. #### Configuration From the shell prompt, run `setup-veza` to configure the system. The Message of the Day banner refers to this command when logging in. After invoking the `setup-veza` command, follow the prompts: 1. Set the timezone for the virtual machine **Note**: Communication between the Insight Point and the Veza SaaS platform is sensitive to time drift. Ensure that the virtual machine's clock matches the local time. 2. Set an appropriate hostname for the virtual appliance 3. Configure the eth0 interface to use DHCP or static values 4. If using static interface values, configure DNS settings 5. Set a password for the `root` account 6. Enter the Insight Point Registration Key **Note**: This value is a long base64-encoded string; copy it from the Veza platform and paste the value here 7. Configure an Instance ID (for High Availability deployments) **Note**: For High Availability deployments with multiple OVA instances, provide a unique instance ID for each instance (e.g., "ova-instance-1", "ova-instance-2"). If deploying a single instance, you can use the default value "default" or leave it empty. 8. The docker daemon will pull the most recent Insight Point image; this might take several seconds to initialize without screen output 9. The command will return to the shell prompt after the Insight Point deploys. ### Operation and Troubleshooting After the Insight Point deploys, verify that it has successfully connected to the Veza platform. Log in to the Veza platform and follow these steps: 1. On the left navigation pane, under **Configuration**, click **Insight Point** 2. Verify that a new Insight Point has registered with the platform. **Note**: One Insight Point will be named "Veza Insight Point" by default. Ensure at least two are present. #### Verifying Time Synchronization After deployment, verify that time synchronization is working properly: ```bash # Check time synchronization status timedatectl status # Verify system time is accurate date ``` #### Verifying Container Status If the newly deployed Insight Point does not appear on the Veza platform, verify the status of the container on the virtual machine: 1. Log into the virtual machine console or use SSH 2. List running Docker processes with the command: `docker ps -a --filter="name=veza-insight-point"` 3. Examine the output The Insight Point's container ID should include a **Status** column showing `Running`. #### Accessing Insight Point Logs If the Insight Point does not appear to be running, or if requested by Veza support, follow these steps to access the Insight Point logs: 1. Log into the virtual machine console or use SSH 2. Run the following command to output the Insight Point logs: `docker logs veza-insight-point` 3. The logs are in JSON format and can be output to a file or copied from the terminal for debugging #### Removing abandoned Insight Point instances When you deploy an Insight Point OVA, it registers itself with the Veza control plane using the provided registration key and instance ID ("default" if not specified). This allows the control plane to track the instance's status and connectivity. You can list all instances for each configured Insight Point in the Veza **Integrations** > **Insight Point** page. **Important**: If an Insight Point OVA instance is abandoned (no longer in use and the VM is deleted), you should manually remove it from the Insight Point in the Veza **Integrations** > **Insight Point** page. This ensures the control plane stops tracking the instance's status and prevents it from affecting the Insight Point's overall status in your monitoring dashboard. ### Tags Configuration Tags are custom key-value labels that help organize and categorize your Insight Point instances. For an overview of tags, their use cases, and requirements, see [Tags](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/integrations/connectivity/insight-point/..#tags) in the main Insight Point documentation. **Note**: Tags are not available during the OVA deployment wizard. You must configure them after the VM starts. #### Configuring Tags To configure tags on an Insight Point OVA: 1. Log into the virtual machine console or connect via SSH 2. Edit the configuration file: ```bash vi /etc/veza-insight-point/config.env ``` 3. Add the following line with your desired tags: ```bash INSIGHT_POINT_TAGS="environment:production,datacenter:us-west-1,team:platform-engineering" ``` 4. Save the file and restart the Insight Point: ```bash rc-service veza-insight-point restart ``` #### Verifying Tags Configuration To verify tags are configured correctly: 1. Log into the virtual machine console or connect via SSH 2. Check the configuration file: ```bash cat /etc/veza-insight-point/config.env | grep INSIGHT_POINT_TAGS ``` 3. Inspect the container environment variables: ```bash docker inspect veza-insight-point --format='{{.Config.Env}}' ``` ### Custom Certificate Configuration The Insight Point runs as a Docker container on the OVA's Alpine Linux host. The container is isolated from the host operating system, so certificates your organization trusts (such as an internal CA used by in-house systems) are invisible to the container by default. This affects any Veza feature that makes outbound HTTPS calls to internal systems, including **Lifecycle Management REST API Actions**. If you see a `tls: failed to verify certificate: x509: certificate signed by unknown authority` error, a custom CA certificate needs to be added. The OVA handles this by updating the Alpine host's certificate truststore. The Insight Point container mounts the host's certificate bundle at startup, so adding a certificate to the Alpine truststore and restarting the service is all that's required. #### Adding a custom CA certificate 1. Access the virtual machine console or connect via SSH. 2. Copy your CA certificate (PEM or CRT format) to the Alpine certificate directory. Use `vi` or paste the content directly: ```bash vi /usr/local/share/ca-certificates/company-root-ca.crt # Paste your certificate content (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) and save ``` You can also use `scp` to copy the file from another machine: ```bash scp your-ca.crt root@:/usr/local/share/ca-certificates/company-root-ca.crt ``` 3. Update the system certificate bundle. This regenerates `/etc/ssl/certs/ca-certificates.crt` with your new certificate included: ```bash update-ca-certificates ``` Confirm the operation. The output should include `1 added`: ```txt Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done. ``` 4. Restart the Insight Point service to apply the updated certificate bundle: ```bash rc-service veza-insight-point restart ``` #### Verifying the certificate is trusted After restarting, check the Insight Point logs to confirm the updated bundle is being used: ```bash docker logs veza-insight-point 2>&1 | grep "CA bundle" ``` You should see a line like: ```txt [Insight Point Configuration] Using CA bundle from /etc/ssl/certs/ca-certificates.crt ``` To verify your certificate is included in the bundle: ```bash grep "your-org-name" /etc/ssl/certs/ca-certificates.crt ``` #### Removing a certificate To remove a certificate, delete the file from `/usr/local/share/ca-certificates/` and re-run `update-ca-certificates`: ```bash rm /usr/local/share/ca-certificates/company-root-ca.crt update-ca-certificates rc-service veza-insight-point restart ``` ### Webhook Relay Configuration The webhook relay service allows the Insight Point to forward webhook requests to destinations in your private network. For an overview of webhook relay, when to use it, security considerations, and supported host formats, see [Webhook Relay](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/integrations/connectivity/insight-point/..#webhook-relay) in the main Insight Point documentation. #### Configuration Methods **VMware vSphere (OVF Template)** When deploying via VMware vSphere, you can configure webhook relay during the OVF deployment: 1. During the **Customize template** step of OVF deployment: * **Webhook Relay Enabled**: Check the box to enable (unchecked by default) * **Webhook Relay Allowed Hosts**: Enter comma-separated allowed destinations 2. Complete the OVF deployment as normal 3. The Insight Point will start with webhook relay configured **Manual Configuration (VirtualBox and Other Hypervisors)** For VirtualBox or other hypervisors, configure webhook relay during initial setup: 1. Run the `setup-veza` command 2. When prompted "Enable webhook relay? (y/N):", enter: * `y` or `Y` to enable * `N` or press Enter to disable (default) 3. If enabled, enter the allowed hosts when prompted 4. Complete the rest of the setup normally #### Reconfiguring Webhook Relay To reconfigure webhook relay on an existing Insight Point: 1. Log into the virtual machine console or connect via SSH 2. Edit the configuration file: ```bash vi /etc/veza-insight-point/config.env ``` 3. Update or add the following lines: ```bash WEBHOOK_RELAY_ENABLED=true WEBHOOK_RELAY_ALLOWED_HOSTS=webhook.site,*.example.com,172.17.0.0/24 ``` To disable webhook relay: ```bash WEBHOOK_RELAY_ENABLED=false ``` 4. Save the file and restart the Insight Point: ```bash rc-service veza-insight-point restart ``` #### Verifying Webhook Relay Configuration To verify webhook relay is configured correctly: 1. Log into the virtual machine console or connect via SSH 2. Check the configuration file: ```bash cat /etc/veza-insight-point/config.env | grep WEBHOOK_RELAY ``` 3. Inspect the container environment variables: ```bash docker inspect veza-insight-point --format='{{.Config.Env}}' ``` If webhook relay is enabled but not working: * Verify the allowed hosts are in the correct format * Check that the destination is included in the allowed hosts list * Review the Insight Point logs for validation or connection errors * Ensure the destination is actually reachable from the Insight Point's network