Azure Requirements

Azure Permissions

The following Azure permissions need to be granted to the Illumio app that is registered in Azure Active Directory (Microsoft Entra ID). Check this page for updates, as new permissions may be added in the future.

READ Permission

Reader - role

NSG Write Permission

Use these permissions to create a custom role. Any custom role with elevated permissions must be defined as part of the PowerShell script that runs when you onboard an Azure subscription. See Onboard an Azure Cloud Subscription for information.

For example, if the user onboarding Azure does not have Owner permissions on the subscription, the "Illumio Network Security Administrator" custom role must be created with the NSG write permissions listed below before the onboarding PowerShell script is run.

If the user onboarding Azure does have Owner permissions, the onboarding PowerShell script creates the "Illumio Network Security Administrator" custom role and assigns these permissions to it automatically.

  • "Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action"
  • "Microsoft.Network/networkSecurityGroups/read"
  • "Microsoft.Network/networkSecurityGroups/write"
  • "Microsoft.Network/networkSecurityGroups/delete"
  • "Microsoft.Network/networkSecurityGroups/join/action"
  • "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read"
  • "Microsoft.Network/networkSecurityGroups/securityRules/write"
  • "Microsoft.Network/networkSecurityGroups/securityRules/delete"
  • "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/read"
  • "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/write"
  • "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/logDefinitions/read"
  • "Microsoft.Network/networkWatchers/securityGroupView/action"
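The following PowerShell is an added example, not Illumio's onboarding script, for the case where the onboarding user lacks Owner rights and an administrator has to create the custom role up front. It creates the "Illumio Network Security Administrator" role with exactly the twelve actions listed above, scoped to the current subscription, and assigns it together with the built-in Reader role to the Illumio app's service principal. The app display name and the role description are assumptions; replace them with the values from your tenant.

```powershell
# Added example, not Illumio's onboarding script: create the
# "Illumio Network Security Administrator" custom role with exactly the NSG
# write actions listed above, scoped to the current subscription, then assign it
# and the built-in Reader role to the registered Illumio app.
# Requires Az.Accounts and Az.Resources and an identity allowed to write role
# definitions and assignments (Owner or User Access Administrator on the scope).
param(
    # Display name of the Illumio app registration: placeholder, replace with yours.
    [string]$IllumioAppDisplayName = "Illumio CloudSecure",
    [string]$RoleName = "Illumio Network Security Administrator"
)

if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }
$subscriptionId = (Get-AzContext).Subscription.Id
$scope          = "/subscriptions/$subscriptionId"

# Exact action list from the documentation. No wildcards: a "Microsoft.Network/*"
# grant would let the app rewrite every network resource, not just NSGs.
$nsgWriteActions = @(
    "Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/networkSecurityGroups/delete",
    "Microsoft.Network/networkSecurityGroups/join/action",
    "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
    "Microsoft.Network/networkSecurityGroups/securityRules/delete",
    "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/read",
    "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/write",
    "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/logDefinitions/read",
    "Microsoft.Network/networkWatchers/securityGroupView/action"
)

# Create the custom role only if it does not already exist, so the script is safe to re-run.
$role = Get-AzRoleDefinition -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    $definition = [ordered]@{
        Name             = $RoleName
        IsCustom         = $true
        Description      = "Illumio CloudSecure: manage NSGs and NSG rules, read NSG diagnostics and security group view."  # assumed wording
        Actions          = $nsgWriteActions
        NotActions       = @()
        DataActions      = @()
        NotDataActions   = @()
        AssignableScopes = @($scope)
    }
    $file = Join-Path ([IO.Path]::GetTempPath()) "illumio-nsg-role.json"
    $definition | ConvertTo-Json -Depth 5 | Set-Content -Path $file -Encoding utf8
    $role = New-AzRoleDefinition -InputFile $file
    Remove-Item $file
}

# Resolve the service principal behind the app registration; refuse to guess if the name is ambiguous.
$sp = @(Get-AzADServicePrincipal -DisplayName $IllumioAppDisplayName)
if ($sp.Count -ne 1) { throw "Expected exactly one service principal named '$IllumioAppDisplayName', found $($sp.Count)." }
$sp = $sp[0]

# Assign Reader (the READ permission above) and the custom role at subscription scope.
foreach ($name in @("Reader", $RoleName)) {
    $existing = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $name -Scope $scope
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $name -Scope $scope | Out-Null
        Write-Host "Assigned '$name' to $($sp.DisplayName) at $scope"
    }
}

# Verify: the app should hold exactly Reader plus the custom role at subscription scope.
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope |
    Select-Object RoleDefinitionName, Scope
```

A freshly created custom role can take a few minutes to propagate before `New-AzRoleAssignment` accepts it; if the assignment step fails with a "role definition not found" style error immediately after creation, re-run the script. The final `Get-AzRoleAssignment` output is the check worth keeping: anything beyond Reader and the custom role at this scope is excess privilege that the onboarding does not need.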

Flow Log Read Permission

Storage Blob Data Reader - role

Flow Log Support

Illumio CloudSecure supports NSG flow logs version 2 (which adds per-flow state and byte and packet counts) but does not support version 1. CloudSecure also supports VNet flow logs.

No other "flow" logs are supported, e.g., Azure Firewall logs.

For instructions on setting up flow logs, see Set up Flow Logs in AWS and Azure.

CloudSecure Port and IP Addresses for Flow Log Access

CloudSecure reads your flow logs over TCP port 443 (HTTPS to the storage account), so allow that port from the IP addresses listed in this section.

The CloudSecure control and data plane use the following public IP addresses to reach customer networks. If a storage account firewall or another firewall is preventing CloudSecure from reading your flow logs, add them to its inbound allow list:

  • 35.163.224.94
  • 54.190.103.0
  • 44.226.137.227
  • 35.167.22.3
  • 52.88.124.247
  • 52.88.88.252

The CloudSecure UK data plane uses the following public IP addresses to reach customer networks, so add them to your firewall inbound allow list:

  • 18.169.5.9
  • 13.41.233.77
  • 18.169.6.17

The CloudSecure APAC (Sydney, Australia) data plane uses the following public IP addresses to reach customer networks, so add them to your firewall inbound allow list:

  • 52.64.120.98
  • 52.63.108.169
  • 13.54.140.138
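The following PowerShell is an added example, not Illumio's code, that applies the two flow-log requirements above to one storage account: it adds the CloudSecure public IPs for all three regions to the storage account's firewall rules and grants the Illumio app Storage Blob Data Reader on that storage account only, rather than on the whole subscription. The resource group, storage account and app display name are placeholders.

```powershell
# Added example, not Illumio's code: allow the CloudSecure public IPs listed
# above through the flow-log storage account's firewall and grant the Illumio
# app Storage Blob Data Reader on that one storage account only.
# Requires Az.Accounts, Az.Storage and Az.Resources. Resource names are placeholders.
param(
    [string]$ResourceGroupName     = "rg-flowlogs",          # placeholder
    [string]$StorageAccountName    = "stflowlogs001",        # placeholder
    [string]$IllumioAppDisplayName = "Illumio CloudSecure"   # placeholder
)

# Source addresses from the documentation, grouped by CloudSecure region.
# Storage IP rules reject /31 and /32 prefixes, so each address is listed bare.
$cloudSecureIps = [ordered]@{
    "US control and data plane" = @("35.163.224.94", "54.190.103.0", "44.226.137.227",
                                    "35.167.22.3", "52.88.124.247", "52.88.88.252")
    "UK data plane"             = @("18.169.5.9", "13.41.233.77", "18.169.6.17")
    "APAC (Sydney) data plane"  = @("52.64.120.98", "52.63.108.169", "13.54.140.138")
}

if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }
$account = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName

# Add only the addresses that are not already present, so the script is idempotent.
$ruleSet = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$present = @($ruleSet.IpRules | ForEach-Object { $_.IPAddressOrRange })
foreach ($region in $cloudSecureIps.Keys) {
    $missing = @($cloudSecureIps[$region] | Where-Object { $present -notcontains $_ })
    if ($missing.Count -gt 0) {
        Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroupName -Name $StorageAccountName `
            -IPAddressOrRange $missing | Out-Null
        Write-Host ("Allowed {0}: {1}" -f $region, ($missing -join ", "))
    }
}

# IP rules are only enforced when the default action is Deny. The script reports
# the current setting instead of flipping it: before switching to Deny, confirm
# that whatever writes the flow logs (Network Watcher) can still reach the
# account, then check that new flow-log blobs keep arriving.
Write-Host "Storage firewall default action: $($ruleSet.DefaultAction)"

# Least privilege for reading flow logs: Storage Blob Data Reader scoped to this
# storage account, not to the subscription.
$sp = @(Get-AzADServicePrincipal -DisplayName $IllumioAppDisplayName)
if ($sp.Count -ne 1) { throw "Expected exactly one service principal named '$IllumioAppDisplayName', found $($sp.Count)." }
$sp = $sp[0]
$assigned = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName "Storage Blob Data Reader" -Scope $account.Id
if (-not $assigned) {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName "Storage Blob Data Reader" -Scope $account.Id | Out-Null
    Write-Host "Assigned Storage Blob Data Reader to $($sp.DisplayName) on $($account.Id)"
}
```

Scoping the data-plane role to the storage account that actually holds the flow logs keeps the app from reading any other blob data in the subscription; if CloudSecure later stops ingesting flow logs, the first things to check are that this assignment still exists and that the storage firewall's default action and IP rules still admit the addresses above.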

Background

The Reader Role

This role gives CloudSecure the permissions to read data or resources from your subscription. According to Microsoft, the role is defined as follows: "View all resources, but does not allow you to make any changes."