Azure Requirements
Azure Permissions
The following items are Azure permissions that need to be granted to the Illumio App that is registered in Azure Active Directory. Check this page for updates, as new permissions may be included in the future.
READ Permission
Reader role
NSG Write Permission
Use these permissions to create custom roles. Any custom roles with elevated permissions need to be defined as part of the PowerShell script that is run when you onboard an Azure subscription. See Onboard an Azure Cloud Subscription for information.
For example, if the user onboarding Azure does not have owner permissions, the "Illumio Network Security Administrator" custom role needs to be created with these NSG write permissions before the onboarding PowerShell script is run.
If the user onboarding Azure does have owner permissions, these permissions will be automatically assigned to the "Illumio Network Security Administrator" custom role that is created when the onboarding PowerShell script is run.
"Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action"
"Microsoft.Network/networkSecurityGroups/read"
"Microsoft.Network/networkSecurityGroups/write"
"Microsoft.Network/networkSecurityGroups/delete"
"Microsoft.Network/networkSecurityGroups/join/action"
"Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read"
"Microsoft.Network/networkSecurityGroups/securityRules/write"
"Microsoft.Network/networkSecurityGroups/securityRules/delete"
"Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/read"
"Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/write"
"Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/logDefinitions/read"
"Microsoft.Network/networkWatchers/securityGroupView/action"
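The following PowerShell is an added example of the pre-onboarding step described above for a user without owner permissions; it is not Illumio's onboarding script. It creates the "Illumio Network Security Administrator" custom role with exactly the NSG write permissions listed on this page, verifies the role has not drifted from that list, and assigns it together with the built-in Reader role to the Illumio app's service principal. The subscription ID, the app registration display name, and the flow-log storage account resource ID are placeholders you must replace; the session is assumed to be already signed in with Connect-AzAccount (Az.Resources module) by a user who can create role definitions and assignments.

```powershell
# Added example, not Illumio's onboarding script.
# Assumptions: replace the three placeholder values below with your own.
$SubscriptionId        = "00000000-0000-0000-0000-000000000000"   # placeholder subscription ID
$IllumioAppDisplayName = "Illumio CloudSecure"                     # assumed display name of the Illumio app registration
$FlowLogStorageAccountId = "/subscriptions/$SubscriptionId/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account>"  # placeholder

$RoleName = "Illumio Network Security Administrator"
$Scope    = "/subscriptions/$SubscriptionId"

# NSG write permissions exactly as listed on this page.
$NsgWriteActions = @(
    "Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/networkSecurityGroups/delete",
    "Microsoft.Network/networkSecurityGroups/join/action",
    "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
    "Microsoft.Network/networkSecurityGroups/securityRules/delete",
    "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/read",
    "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/write",
    "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/logDefinitions/read",
    "Microsoft.Network/networkWatchers/securityGroupView/action"
)

Select-AzSubscription -SubscriptionId $SubscriptionId | Out-Null

# 1. Create the custom role only if it does not exist yet. AssignableScopes is
#    limited to this subscription so the role cannot be assigned elsewhere.
$role = Get-AzRoleDefinition -Name $RoleName -ErrorAction SilentlyContinue
if ($null -eq $role) {
    $roleJson = @{
        Name             = $RoleName
        IsCustom         = $true
        Description      = "NSG write permissions required by Illumio CloudSecure"
        Actions          = $NsgWriteActions
        NotActions       = @()
        AssignableScopes = @($Scope)
    } | ConvertTo-Json -Depth 4

    $roleFile = Join-Path ([System.IO.Path]::GetTempPath()) "illumio-nsg-admin-role.json"
    Set-Content -Path $roleFile -Value $roleJson -Encoding UTF8
    $role = New-AzRoleDefinition -InputFile $roleFile
    Remove-Item -Path $roleFile
}

# 2. Verify the role carries every documented permission and nothing more.
$missing = $NsgWriteActions | Where-Object { $role.Actions -notcontains $_ }
$extra   = $role.Actions    | Where-Object { $NsgWriteActions -notcontains $_ }
if ($missing -or $extra) {
    throw "Role '$RoleName' differs from the documented permission set. Missing: $($missing -join ', ') Extra: $($extra -join ', ')"
}

# 3. Assign Reader (the READ permission) and the custom role to the Illumio
#    app's service principal at subscription scope, skipping existing assignments.
$sp = Get-AzADServicePrincipal -DisplayName $IllumioAppDisplayName
if ($null -eq $sp) {
    throw "No service principal named '$IllumioAppDisplayName' found; register the Illumio app first."
}

foreach ($assignedRole in @("Reader", $RoleName)) {
    $already = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $assignedRole -Scope $Scope
    if (-not $already) {
        New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $assignedRole -Scope $Scope | Out-Null
    }
}

# 4. Storage Blob Data Reader (the FLOW permission) is granted only on the
#    storage account that holds the flow logs, not on the whole subscription.
#    Assumption: the scope choice is this example's, not stated on the page.
$blobReader = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName "Storage Blob Data Reader" -Scope $FlowLogStorageAccountId
if (-not $blobReader) {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName "Storage Blob Data Reader" -Scope $FlowLogStorageAccountId | Out-Null
}

Get-AzRoleAssignment -ObjectId $sp.Id | Format-Table RoleDefinitionName, Scope
```

After this script completes, the onboarding PowerShell script finds the custom role already in place. Step 2 is worth keeping as a periodic check: if someone later edits the role in the portal, the comparison surfaces any action added beyond the documented set.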
FLOW
Storage Blob Data Reader role
Flow Log Support
Illumio CloudSecure supports NSG Flow logs version 2 (includes flow state and byte counts), but does not support version 1. CloudSecure also supports VNet flow logs.
There is no support for other "flow" logs, e.g., Firewall logs.
For instructions on setting up flow logs, see Set up Flow Logs in AWS and Azure.
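The difference between the two NSG flow log versions is concrete in the records themselves: a version 1 flow tuple has 8 comma-separated fields, while a version 2 tuple has 13, adding the flow state (B/C/E) and the packet and byte counters in each direction. The following parser is an added example, not Illumio code, that reads NSG flow log records, rejects any record whose properties.Version is not 2, and exposes the extra version 2 fields. The JSON record is constructed for this example; VNet flow logs use a different record layout and are not handled here.

```powershell
# Added example, not Illumio code: parse NSG flow log version 2 records.
# Constructed sample: one version-2 record with a "begin" tuple (counters
# empty) and an "end" tuple (counters filled) for the same TCP/443 flow.
$SampleNsgFlowLogJson = @'
{
  "records": [
    {
      "time": "2024-01-01T00:00:00.0000000Z",
      "category": "NetworkSecurityGroupFlowEvent",
      "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-EXAMPLE/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-EXAMPLE",
      "properties": {
        "Version": 2,
        "flows": [
          {
            "rule": "DefaultRule_AllowInternetOutBound",
            "flows": [
              {
                "mac": "000D3AF87856",
                "flowTuples": [
                  "1704067200,10.0.0.4,203.0.113.10,49152,443,T,O,A,B,,,,",
                  "1704067230,10.0.0.4,203.0.113.10,49152,443,T,O,A,E,12,3456,10,9876"
                ]
              }
            ]
          }
        ]
      }
    }
  ]
}
'@

# Version-2 tuple layout:
# timestamp,srcIp,dstIp,srcPort,dstPort,protocol(T/U),direction(I/O),
# decision(A/D),flowState(B/C/E),packetsSrcToDst,bytesSrcToDst,packetsDstToSrc,bytesDstToSrc
$ProtocolNames  = @{ T = 'TCP'; U = 'UDP' }
$DirectionNames = @{ I = 'Inbound'; O = 'Outbound' }
$DecisionNames  = @{ A = 'Allow'; D = 'Deny' }
$FlowStateNames = @{ B = 'Begin'; C = 'Continuing'; E = 'End' }

function ConvertTo-Counter {
    # Counters are blank on "begin" tuples; return $null rather than 0 so an
    # absent value is not mistaken for zero traffic.
    param([string]$Value)
    if ([string]::IsNullOrEmpty($Value)) { return $null }
    return [long]$Value
}

function ConvertFrom-NsgFlowLog {
    param([Parameter(Mandatory)][string]$Json)

    $doc = $Json | ConvertFrom-Json
    foreach ($record in $doc.records) {
        $version = [int]$record.properties.Version
        if ($version -ne 2) {
            throw "Unsupported NSG flow log format version $version in $($record.resourceId); only version 2 is supported."
        }
        foreach ($ruleFlows in $record.properties.flows) {
            foreach ($nicFlows in $ruleFlows.flows) {
                foreach ($tuple in $nicFlows.flowTuples) {
                    $f = $tuple -split ','
                    if ($f.Count -ne 13) {
                        throw "Malformed version-2 flow tuple '$tuple': expected 13 fields, found $($f.Count)."
                    }
                    [pscustomobject]@{
                        Time            = [DateTimeOffset]::FromUnixTimeSeconds([long]$f[0]).UtcDateTime
                        Nsg             = $record.resourceId
                        Rule            = $ruleFlows.rule
                        Mac             = $nicFlows.mac
                        SourceIp        = $f[1]
                        DestinationIp   = $f[2]
                        SourcePort      = [int]$f[3]
                        DestinationPort = [int]$f[4]
                        Protocol        = $ProtocolNames[$f[5]]
                        Direction       = $DirectionNames[$f[6]]
                        Decision        = $DecisionNames[$f[7]]
                        FlowState       = $FlowStateNames[$f[8]]
                        PacketsSrcToDst = ConvertTo-Counter $f[9]
                        BytesSrcToDst   = ConvertTo-Counter $f[10]
                        PacketsDstToSrc = ConvertTo-Counter $f[11]
                        BytesDstToSrc   = ConvertTo-Counter $f[12]
                    }
                }
            }
        }
    }
}

$flows = ConvertFrom-NsgFlowLog -Json $SampleNsgFlowLogJson
$flows | Format-Table Time, SourceIp, DestinationIp, DestinationPort, Protocol, Direction, Decision, FlowState, BytesSrcToDst, BytesDstToSrc
```

Running the same function over a version 1 export throws at the version check rather than silently producing rows with no state or counters, which is the quickest way to confirm that the flow logs feeding CloudSecure are in the supported format.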
CloudSecure Port and IP Addresses for Flow Log Access
CloudSecure uses TCP port 443 to access your flow logs, so open that port for the IP addresses listed in this section.
CloudSecure Control Plane (For All Azure Regions)
The CloudSecure control and data plane uses the following public IP addresses to reach customer networks, so add them to your firewall inbound/outbound allowed list:
- 35.167.22.34
- 52.88.124.247
- 52.88.88.252
CloudSecure US East Data Plane for Azure
The CloudSecure US East data plane uses the following public IP addresses to reach customer networks, so add them to your firewall inbound allowed list for the Azure regions listed below:
- 13.68.238.145
- 13.68.232.36
- 13.68.236.178
Azure Regions Requiring above IPs for US East Data Plane
- southeastasia
- centralus
- southafricanorth
- centralindia
- eastasia
- japaneast
- koreacentral
- canadacentral
- uaenorth
- brazilsouth
- centraluseuap
- eastus2euap
- qatarcentral
- centralusstage
- eastusstage
- eastus2stage
- northcentralusstage
- southcentralusstage
- westusstage
- westus2stage
- asia
- asiapacific
- australia
- brazil
- canada
- global
- india
- japan
- korea
- singapore
- southafrica
- uae
- unitedstates
- unitedstateseuap
- eastasiastage
- southeastasiastage
- brazilus
- eastusstg
- northcentralus
- westus
- jioindiawest
- devfabric
- westcentralus
- southafricawest
- australiacentral
- australiacentral2
- australiasoutheast
- japanwest
- jioindiacentral
- koreasouth
- southindia
- westindia
- canadaeast
- uaecentral
- brazilsoutheast
- chinaeast
- chinaeast2
- chinaeast3
- chinanorth
- chinanorth2
- chinanorth3
CloudSecure EU West (Germany) Data Plane for Azure
The CloudSecure EU West (Germany) data plane uses the following public IP addresses to reach customer networks, so add them to your firewall inbound allowed list for the Azure regions listed below:
- 4.185.170.43
- 4.185.170.168
- 4.185.170.165
Azure Regions Requiring above IPs for EU West (Germany) Data Plane
- germanynortheast
- polandcentral
- swedensouth
- eastus
- northeurope
- swedencentral
- uksouth
- westeurope
- francecentral
- germanywestcentral
- norwayeast
- switzerlandnorth
- europe
- france
- germany
- norway
- switzerland
- uk
- francesouth
- germanynorth
- norwaywest
- switzerlandwest
- ukwest
- italynorth
- germanycentral
CloudSecure US West Data Plane for Azure
The CloudSecure US West data plane uses the following public IP addresses to reach customer networks, so add them to your firewall inbound allowed list for the Azure regions listed below:
- 35.163.224.94
- 44.226.137.227
- 54.190.103.0
DoD/Gov/Sec Azure Regions Requiring above IPs for US West Data Plane
- usdodcentral
- usdodeast
- usgovarizona
- usgovtexas
- usgovvirginia
- usseceast
- ussecwest
- ussecwestcentral
Background
The Reader Role
This role gives CloudSecure the permissions to read data or resources from your subscription. According to Microsoft, the role is defined as follows: "View all resources, but does not allow you to make any changes."