Onboard Your Microsoft Azure Cloud Account

After subscribing to Aviatrix Cloud Network Security Platform-as-a-Service (Aviatrix PaaS), you need to connect your cloud accounts with the Aviatrix Platform. When your cloud account is onboarded, Aviatrix Platform can discover, monitor, and manage the assets in your Azure network.

There are two methods for onboarding your Azure cloud account. Select one of the following methods and complete the related tasks:

Use the CLI to Onboard Azure

The CLI method automates creating and connecting to an application (service principal) in Azure, so it is easy and quick. This is the recommended onboarding method.

The Aviatrix PaaS onboarding script performs the following tasks:
  • Creates a service principal/application

    Requires Application Administrator, Cloud Application Administrator, or Global Administrator role.

  • Assigns the Contributor role at the subscription level

    Requires User Access Administrator or Owner role at subscription level.

  • Generates a client secret

    Requires Application Administrator, Cloud Application Administrator, or Global Administrator role.

The script includes a validator that does the following:
  • Confirms you are logged in to Azure

  • Retrieves your user ID and subscription details

  • Verifies that Azure CLI and jq are installed

  • Verifies you have the permissions required to perform the onboarding tasks

    The validator does not make any actual changes to your Azure environment. If required permissions are not available, you must manually set the missing permissions before onboarding your account.

Prerequisite

The Azure CLI and the jq command-line processor must be installed on your system before running the script.

Perform the following steps to onboard Azure.

  1. Do one of the following:

    • At first-time login, click Begin in the Welcome page and then click Onboard Cloud Account.

    • To onboard after first-time login, go to Cloud Resources > Cloud Accounts, click + Cloud Account, and enter a unique Account Name.

  2. Click Azure and select Azure CLI.

  3. In a terminal window, log in to the Azure CLI.

    Example: az login

  4. Copy the command provided in the Onboard dialog, paste it into the terminal, and press Enter to run the script.

    If using Cloud Shell, you might need to use this alternative command:

    curl -fsSL --compressed https://console.avx-cloud-staging.com/assets/scripts/onboarding_azure/azure-cloud-account-onboarding.sh | bash
  5. When prompted, enter unique names for the custom role and for the Aviatrix Service Principal.

    If the custom role already exists, the script uses the existing role.

  6. Copy and save the client secret from the decoded JSON output.

    The client secret is not saved in Azure or Aviatrix, so this is the only opportunity to save it. Keep it in a safe place for future reference.

    Example of the command and the command output:

    $ /bin/bash -c "$(curl -fsSL --compressed https://console.avx-cloud.com/assets/scripts/onboarding_azure/azure-cloud-account-onboarding.sh)"             (1)
    
    ###################################################################################
    🚀 Starting Aviatrix PaaS Onboarding Configuration
    ###################################################################################
    
    ###################################################################################
    ⏳ Checking for system pre-requisites
    ###################################################################################
    
    ⏳ Checking for Azure CLI...
    ⏳ Checking for jq...
    ⏳ Checking for Azure CLI login...
    ✅ System pre-requisites checks completed.
    
    
    ###################################################################################
    ⏳ Checking for azure account pre-requisites
    ###################################################################################
    
    Permissions check passed.
    ✅ Azure account pre-requisites checks completed.
    
    
    ###################################################################################
    ⏳ Setting up Azure Aviatrix Service Principal with Contributor Role
    ###################################################################################
    
    ⏳ Subscription ID detected: a1b2c3d4                                                        (2)
    Creating custom role for Aviatrix Paas
    Enter the name for the custom role (e.g., Aviatrix PaaS Role): Aviatrix PaaS Role            (3)
    ⚠️ Custom role 'Aviatrix PaaS Role' already exists. Will use existing role.
    
    Enter a user-friendly name for the Aviatrix Service Principal: Aviatrix PaaS SP              (4)
    
    📝 You entered: Aviatrix PaaS SP
    ℹ️  This name will appear in the Azure Portal under:
    Home > Your Subscription > Access control (IAM) > Check Access > Aviatrix PaaS SP
    
    ⏳ Creating Azure Service Principal
    WARNING: Creating 'contributor' role assignment under scope '/subscriptions/a1b2c3d4-ef56-78gh-i901-23456j7kl89m'               (5)
    WARNING: The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli
    ✅ Azure Service Principal created successfully.
    ℹ️  Service Principal details saved to: aviatrix_sp_11111111111111.json                    (6)
    ⚠️  IMPORTANT: Keep the file (aviatrix_sp_11111111111111.json) safe!
    
    ⏳ Assigning custom role 'Aviatrix PaaS Role' to Service Principal '11aa22bb-33cc-4455-dd66-ee77ff88gg99'            (7)
    ✅ Role assigned successfully.
    
    ℹ️  The following is the decoded JSON output (pre-base64 encoding):
    {
      "subscription_id": "<your-unique-subscription-id>",
      "tenant_id": "<your-tenant-id>",
      "client_id": "<your-client-id>",
      "client_secret": "<your-client-secret>"                           (8)
    }
    
    ###################################################################################
    🎉 Paste the following base64-encoded value into the PaaS console to onboard your Azure account:              (9)
    abCdeFGhI1JklMNop23qrSTu4vWx5YZaGcDeFg6hIjK7...
    ###################################################################################

    (1) Use this command to run the script to onboard your Azure cloud account.
    (2) Verify your Azure subscription ID, which the script detects.
    (3) Enter a name for the custom role. If the custom role already exists, the script uses the existing role.
    (4) Provide a user-friendly name for the Aviatrix Service Principal.
    (5) The script creates a 'contributor' role assignment under the specified subscription scope with your unique ID. Note the associated warning about protecting credentials.
    (6) The Service Principal details are saved to a JSON file for future reference, with a unique file name.
    (7) The script assigns the custom role to the Service Principal, displaying the principal’s unique ID. Note the important warning about keeping the JSON file safe.
    (8) Copy and save the client secret.
    (9) Copy the value and paste it into the Aviatrix PaaS console.
  7. Copy the base64-encoded value from the terminal output and paste it into the Command Output field in the Onboard dialog box.

  8. Click Next.

    You will see a Discovering Cloud Resources message that changes to a success message after resources are discovered.

  9. Click Close.

  10. Verify that the new cloud account displays in the list on Cloud Accounts > Overview.

It can take a couple of minutes before your VNets display under Cloud Resources > Cloud Assets. These resources need to be onboarded to Aviatrix Platform.
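
The following is an added example, not part of the Aviatrix onboarding script: it checks that the base64 value from step 6 decodes to JSON containing the four fields shown in the sample output, without printing the secret, and restricts the saved aviatrix_sp_*.json file to its owner. The function names are hypothetical, and the check falls back to pattern matching if jq is not installed.

```bash
#!/usr/bin/env bash
# Added example, not Aviatrix code. Field names are taken from the decoded
# JSON shown in step 6; function names here are hypothetical.

REQUIRED_KEYS="subscription_id tenant_id client_id client_secret"

# True when key $2 in JSON text $1 is a non-empty string.
has_field() {
  if command -v jq >/dev/null 2>&1; then
    printf '%s' "$1" | jq -e --arg k "$2" \
      '.[$k] | type == "string" and length > 0' >/dev/null 2>&1
  else
    # Fallback without jq: flatten newlines, then pattern-match the pair.
    printf '%s' "$1" | tr '\n' ' ' |
      grep -Eq "\"$2\"[[:space:]]*:[[:space:]]*\"[^\"]+\""
  fi
}

# Decode the base64 value and check every expected field.
# Prints field names only, never the secret.
# Returns 0 if ok, 1 on a missing or empty field, 2 on undecodable input.
check_onboarding_blob() {
  local blob="$1" json key
  json=$(printf '%s' "$blob" | base64 -d 2>/dev/null) || {
    echo "not valid base64"; return 2; }
  for key in $REQUIRED_KEYS; do
    has_field "$json" "$key" || { echo "missing or empty: $key"; return 1; }
  done
  echo "ok: $REQUIRED_KEYS"
}

# Restrict aviatrix_sp_*.json files in directory $1 to owner read/write.
# Prints the number of files changed.
lock_down_sp_files() {
  local dir="${1:-.}" f count=0
  for f in "$dir"/aviatrix_sp_*.json; do
    [ -f "$f" ] || continue
    chmod 600 "$f" && count=$((count + 1))
  done
  echo "$count"
}
```

Run check_onboarding_blob on the value before pasting it in step 7, and run lock_down_sp_files in the directory where the script was executed.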

Next Step:

Use the Console to Onboard Azure

The Aviatrix console method requires manually collecting several IDs from Azure Portal and entering the IDs in Aviatrix Platform to create the connection.

Prerequisite

The account onboarding process requires you to copy some information from your Azure account to the Aviatrix Platform.

Have the following information available for the Azure application you will associate with Aviatrix PaaS:

  • Subscription ID

  • Directory ID

  • Application ID

  • Client Secret

If you are uncertain how to collect this information, see Gather Information for Azure Onboarding.

Perform the following steps to onboard Azure.

  1. In Aviatrix PaaS, go to Cloud Resources > Cloud Accounts and click + Cloud Account.

  2. Enter a unique Account Name and click Azure.

  3. Enter the following required IDs from your Azure account.

    If you are uncertain how to collect this information, see Gather Information for Azure Onboarding.
    • Subscription ID

    • Directory ID

    • Application ID

    • Client Secret

  4. Click Next.

    You will see a Discovering Cloud Resources message that changes to a success message after resources are discovered.

  5. Click Close.

  6. Verify that the new cloud account displays in the list on Cloud Accounts > Overview.

It can take a couple of minutes before your VNets display under Cloud Resources > Cloud Assets. These resources need to be onboarded to Aviatrix Platform.

Next Step: