Onboard an Azure Cloud Subscription

This topic explains how to onboard an Azure subscription.

Prerequisites

  • In Azure, copy the subscription ID and its parent management group ID for the subscription you want to onboard. You must provide them in the first step of the onboarding wizard.
  • The custom role must be set up properly before you run the onboarding PowerShell script mentioned in Onboard a Subscription below.
  • For simplicity, the user who onboards Azure with CloudSecure must have Owner permissions or User Access Administrator privileges in Azure for that subscription. These permissions are required for CloudSecure to create a custom role in Azure named “Illumio Network Security Administrator.” CloudSecure needs this custom role so that it has read/write permissions to the subscription resources.
  • If the user who onboards Azure with CloudSecure does not have the above permissions, submit a request to the group in your organization that has them so that they can create a custom role, using the recommended name “Illumio Network Security Administrator” and containing the NSG write permissions defined in Azure Requirements. The custom role is created when you run the onboarding script.

Onboard a Subscription

  1. If this is the first time you are logging in, click + Azure on the Onboarding page to onboard your first account.

    If you've already onboarded other accounts, choose Onboarding from the left navigation. The Onboarding page appears. Click +Add Azure at the top of the page.

    The Add Azure Cloud Account wizard starts and displays the first step: Connect to Azure.

  2. Provide the following information about your Azure account:
    • Name: You specify a name for the account; this name is what will appear in CloudSecure. The name should be descriptive so that you can easily identify it in CloudSecure.
    • Tenant ID: Paste the parent management group ID that you copied from Azure.
    • Subscription ID: Paste the subscription ID that you copied from Azure.
    NOTE:

    The page contains a toggle below the Subscription ID field to specify the type of access CloudSecure will have to your Azure subscription. Choosing Yes grants the Illumio Cross Account Role permission to view your Azure subscription resources and to apply policy to them. Choosing No provides the Illumio Cross Account Role read-only access. To view the permissions you are granting CloudSecure to your Azure subscription, click Download Permissions.

  3. When done completing these settings, click Next.
  4. Select a service account that you want to use or create a new one. Make sure to download the credentials, as they will be needed for the PowerShell script to return the Azure AD app credentials back to CloudSecure.

  5. Enter the ServiceAccountToken in the appropriate field.

The wizard advances to step two: Set up Access.

  1. The Set up Access step includes a field containing a PowerShell command to run the illumio-init.ps1 script in Azure. Illumio securely hosts the script so that it can run during the onboarding process. The PowerShell command automatically appends the subscription ID you entered in the first step of the wizard.
  2. To the left of the PowerShell command field, click the copy icon. The icon refreshes with a check mark on a green field indicating you successfully copied the command.
  3. In a new browser window, open your Azure portal.
  4. From the top taskbar, click the Cloud Shell icon to open a console; select the PowerShell option.
  5. After Azure finishes building your Azure drive, paste the copied PowerShell command.

    When you run the script in Azure, it creates an AD app registration named “Illumio-CloudSecure-Access.” The script also creates a custom role named “Illumio Network Security Administrator.” Additionally, the app registration includes Reader roles.

    Creation of the AD app registration and the roles allows CloudSecure access to the subscription resources. CloudSecure will be able to discover subscription resources and write policies for them.

    For the complete list of permissions granted to CloudSecure for your account, see Azure Requirements.

    The script sends the Client ID and Client Secret to CloudSecure. CloudSecure accesses your Azure subscription so that you don't have to repeatedly provide your Azure credentials.

  6. Leave your Azure portal and return to CloudSecure. The Set up Access step in the onboarding wizard should still be displayed.
  7. Select the check box indicating that the “deployment” script has finished running in Azure, and click Next.

  8. The final step of the wizard appears. This step displays a summary of the subscription information you just specified for onboarding.

  9. Review the subscription information and if everything looks correct, click Save and Confirm. If you see issues you need to correct, click Back and return to that wizard step.

NOTE: CloudSecure can read flow logs from several NSGs going to the same storage account. With Azure, you can configure NSG flow logs in the same region, despite being from multiple VNets residing in different subscriptions, to be sent to a single storage account in the same region residing in a single subscription. By providing access to that specific storage account, CloudSecure can obtain and analyze flow logs for all the NSGs residing in different subscriptions. For more information on flow logs, see Grant Flow Log Access.
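Before clicking Save and Confirm, it is worth checking in Cloud Shell what the onboarding script actually left behind: that the app registration and custom role named above exist, that the custom role is assignable only at this subscription, and that the service principal holds only the expected role assignments. The following check is an added example, not Illumio's illumio-init.ps1; it assumes the Az PowerShell module (present in Cloud Shell) and that you onboarded with the access toggle set to Yes (with No, the custom role assignment is expected to be absent).

```powershell
# Added verification example; not part of the Illumio onboarding script.
# Assumes the Az module is loaded and you are signed in with at least Reader rights.
param(
    [Parameter(Mandatory = $true)][string]$SubscriptionId
)

$AppName  = 'Illumio-CloudSecure-Access'              # app registration created by the script
$RoleName = 'Illumio Network Security Administrator'  # custom role created by the script
$Scope    = "/subscriptions/$SubscriptionId"

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. The service principal behind the app registration should exist exactly once.
$sp = @(Get-AzADServicePrincipal -DisplayName $AppName)
if ($sp.Count -eq 0) { throw "Service principal '$AppName' not found; the script did not complete." }
if ($sp.Count -gt 1)  { Write-Warning "Multiple service principals named '$AppName'; look for stale registrations." }
$sp = $sp[0]

# 2. The custom role should exist and be assignable only at this subscription.
$role = Get-AzRoleDefinition -Name $RoleName
if (-not $role) { throw "Custom role '$RoleName' not found." }
$extraScopes = $role.AssignableScopes | Where-Object { $_ -ne $Scope }
if ($extraScopes) { Write-Warning "Role is assignable outside this subscription: $($extraScopes -join ', ')" }
'Custom role actions (compare against Azure Requirements):'
$role.Actions

# 3. Role assignments for the service principal: expect Reader plus the custom role at subscription scope.
$assignments = @(Get-AzRoleAssignment -ObjectId $sp.Id)
$expected = @('Reader', $RoleName)
foreach ($a in $assignments) {
    # Flag anything outside the expected set or granted above/below subscription scope.
    $flag = if (($a.RoleDefinitionName -in $expected) -and ($a.Scope -eq $Scope)) { 'OK ' } else { '?? ' }
    '{0}{1} @ {2}' -f $flag, $a.RoleDefinitionName, $a.Scope
}
$missing = $expected | Where-Object { $_ -notin $assignments.RoleDefinitionName }
if ($missing) { Write-Warning "Expected assignment(s) missing: $($missing -join ', ')" }
```

Any assignment marked `??` deserves a look before you confirm onboarding, since the script is only meant to grant Reader and the custom role on this one subscription.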

What's Next?

When finished, the Onboarding page opens and displays a new row for that account.

For the next steps after onboarding an account, see After Onboarding Cloud Accounts and What to Do Next.