Onboard an Azure Subscription
This topic describes how to onboard a Microsoft Azure subscription to your Dome9 account.
Operational Modes for Azure subscriptions
There are two ways to manage your Azure account in Dome9.
- Read-Only - in this mode, you can view details for your Azure subscription in Dome9, run compliance tests on them, and receive alerts, notifications and reports of activities and changes to cloud entities, but you cannot actively manage them from Dome9.
- Manage - in this mode you have all the capabilities of Read-Only mode but, in addition, you can use Dome9 to actively manage your Network Security Groups.
The onboarding procedure is run from the Dome9 UI, which presents step-by-step instructions on screen for both Read-Only and Manage modes. During the procedure you will perform some actions in the Azure Management Portal and some in the Dome9 UI, and enter some information. When all of this is done, click FINISH to start the onboarding process, which can take a few minutes depending on the number of resources in the account.
- In the Dome9 UI, navigate to the Onboarding page in the Asset Management menu, and then select Get started with Azure.
- Select the operation mode, Read-Only or Manage, and the cloud platform hosting the account, Azure or Azure Gov.
- Register an App for Dome9 on Azure and obtain a secret and key for it.
- Configure roles for the App.
- Enter a name for the account in Dome9.
- Optionally, select the Organizational Units in Dome9 with which the onboarded cloud account will be associated. These associations can always be modified later, from the Organizational Units page in the Cloud Inventory menu.
- Click FINISH. The onboarding process begins. It may take a few minutes, depending on the number of entities in your cloud account.
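Once onboarding has finished, it is worth confirming that the App registered for Dome9 holds only the Azure roles the chosen mode needs. The following is an added check, not part of the Dome9 onboarding flow or of Dome9's own tooling. It assumes an AzureRM session opened with Add-AzureRmAccount, the AzureRM.Resources module, and that the enterprise application is named Dome9-Connect as this page states; the list of roles treated as "broad" is an assumption for illustration.

```powershell
# Added check: list the RBAC role assignments held by the service principal of
# the app registered for Dome9, and warn about unexpectedly broad roles.
# Assumes: Add-AzureRmAccount has been run, AzureRM.Resources is loaded, and the
# enterprise application is called Dome9-Connect.

$appDisplayName = "Dome9-Connect"

# Roles considered broader than either Dome9 operational mode requires (assumption).
$broadRoles = "Owner", "Contributor"

function Get-Dome9RoleAssignments {
    param([string]$DisplayName)

    $sp = Get-AzureRmADServicePrincipal -DisplayName $DisplayName
    if (-not $sp) {
        throw "No service principal named '$DisplayName' was found in this tenant."
    }
    if (@($sp).Count -gt 1) {
        # Two apps with the same display name means the wrong one could be audited.
        throw "More than one service principal is named '$DisplayName'; audit by object ID instead."
    }

    # Every role assignment for this principal, at any scope (subscription, RG, resource).
    Get-AzureRmRoleAssignment -ObjectId $sp.Id |
        Select-Object RoleDefinitionName, Scope
}

$assignments = Get-Dome9RoleAssignments -DisplayName $appDisplayName
$assignments | Format-Table -AutoSize

$broad = @($assignments | Where-Object { $_.RoleDefinitionName -in $broadRoles })
if ($broad.Count -gt 0) {
    Write-Warning ("{0} broad role assignment(s) found for {1}; compare against the selected mode (Read-Only or Manage)." -f $broad.Count, $appDisplayName)
}
```

Run this once per onboarded subscription. Read-Only mode only needs to read resources, and Manage mode adds Network Security Group management on top of that, so any assignment in the warning list should be traceable to a deliberate decision.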
Configure Policies for Azure Key Vault Entities
Azure Key Vaults have entities that are not accessible using the policy that is set up when the Azure account is onboarded to Dome9 (described above). This is because by default Azure does not grant access rights to vaults, secrets, certificates, and keys. In addition, new entities may be created from time to time. The Dome9 Compliance Engine, for example, needs to access these entities when evaluating the compliance of your Azure environments.
Follow the steps below to set up an Automation account and runbook in your Azure account that periodically grants Dome9 the rights to access these new entities. You must set up such an account and runbook for each Azure subscription.
In this step, you will create an Automation account and runbook with access to the subscriptions containing the Key Vaults.
- Create an Azure Automation account with the Owner role for the subscription containing the Key Vaults whose entities need to be updated in the Dome9 policies. See https://docs.microsoft.com/en-us/azure/automation/automation-intro for details about creating an Automation account.
- In the Automation Account pane on the left, select the account you created, select Access control (IAM), and then click +Add at the top of the pane on the right.
- In the Add Permissions dialog, grant Owner permission to the Automation account, and then click Save.
- Repeat the above steps for each Azure subscription that has a Key Vault that needs to be updated (each subscription must have its own Automation Account and Runbook).
- Select Modules (in Shared Resources), update the list of modules, and then check that the modules AzureRM.KeyVault and AzureRM.Profile are in the list. If either is missing, click Browse gallery, search for it in the Azure gallery, and import it.
- Select Runbooks (in Process Automation), and then click Add a runbook.
- In the Add Runbook dialog, select Create a new runbook. Enter a name for the runbook (for example, KeyVault), and select the type PowerShell. Optionally, add a description, and then click Create.
In this step, you will prepare a script that grants the Dome9 application permission to access the entities in the Key Vaults. The script is then scheduled as a job that runs periodically. The script used in this step is an example; you can modify it, or replace it with your own, if you are experienced in writing automation scripts.
- Download the file Key-Vault-Runbook-Script.ps1.
- In the Runbook page, open the runbook created in Step 1, and then click Edit.
- Copy the script from the file into the edit pane.
- Search for the variable $excludedKeyVaults, and set its value to exclude specific Key Vaults (if there are no exclusions, leave it blank):
  $excludedKeyVaults = "DBKeyvault", "VMKeyvault"
- Save the changes, and close the edit pane.
- From the Azure dashboard, select Enterprise applications, and then select Dome9-Connect (the application that was created as part of the onboarding process).
- Copy the ObjectID value.
- Return to the Runbook page, select the runbook again, and open the edit pane.
- Search for the variable $objectIds, and paste the value copied above:
  $objectIds = "f81cf819-f710-4c99-abd0-2af561dba51e"
- Save the runbook script.
- Optionally, click Test to open the Test pane and test the script.
- Click Start to start the test. When it completes, the dialog should indicate that the access policies were updated for the vaults.
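The following runbook is an added example of what the scheduled script does; it is not the Key-Vault-Runbook-Script.ps1 file that this page links to, and Dome9's own script may differ. It uses the two variables named above, and additionally assumes that the Automation account has the default Run As connection named AzureRunAsConnection, that the AzureRM.Profile and AzureRM.KeyVault modules are imported as described in the previous step, and that the object ID shown is a placeholder for your Dome9-Connect value. It goes a little beyond the steps above by re-reading each vault after the change and reporting a verification result, which is what you want to see in the Test pane and later in the job output.

```powershell
# Added example runbook (not the page's Key-Vault-Runbook-Script.ps1).
# Grants the Dome9-Connect service principal read-only access to every Key Vault
# in the current subscription, skipping excluded vaults, then verifies the result.
# Assumes: Run As connection "AzureRunAsConnection", AzureRM.Profile and
# AzureRM.KeyVault imported, and the placeholder object ID replaced with yours.

# Key Vaults that must not be touched (leave empty if there are none).
$excludedKeyVaults = "DBKeyvault", "VMKeyvault"

# Object ID(s) of the Dome9-Connect enterprise application (placeholder value).
$objectIds = "00000000-0000-0000-0000-000000000000"

# Compliance evaluation only needs to enumerate and read; no set/delete/purge.
$keyPerms    = @("get", "list")
$secretPerms = @("get", "list")
$certPerms   = @("get", "list")

# Authenticate as the Automation account's Run As service principal.
$conn = Get-AutomationConnection -Name "AzureRunAsConnection"
Add-AzureRmAccount -ServicePrincipal `
    -TenantId $conn.TenantId `
    -ApplicationId $conn.ApplicationId `
    -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

# True when the vault already lists the object ID with every wanted permission.
# Used both to skip vaults that need no change and to verify after a change.
function Test-PolicyPresent {
    param($Vault, [string]$ObjectId)
    $policy = $Vault.AccessPolicies | Where-Object { $_.ObjectId -eq $ObjectId }
    if (-not $policy) { return $false }
    foreach ($p in $keyPerms)    { if ($policy.PermissionsToKeys         -notcontains $p) { return $false } }
    foreach ($p in $secretPerms) { if ($policy.PermissionsToSecrets      -notcontains $p) { return $false } }
    foreach ($p in $certPerms)   { if ($policy.PermissionsToCertificates -notcontains $p) { return $false } }
    return $true
}

$updated = 0
$skipped = 0

# Get-AzureRmKeyVault with no arguments lists the vaults in the current subscription.
foreach ($item in Get-AzureRmKeyVault) {
    $name = $item.VaultName
    if ($excludedKeyVaults -contains $name) {
        Write-Output "Excluded by configuration: $name"
        $skipped++
        continue
    }

    # The list entry has no access policies; fetch the full vault object.
    $vault = Get-AzureRmKeyVault -VaultName $name -ResourceGroupName $item.ResourceGroupName

    foreach ($id in $objectIds) {
        if (Test-PolicyPresent -Vault $vault -ObjectId $id) {
            Write-Output "Already granted, no change: $name"
            $skipped++
            continue
        }

        Set-AzureRmKeyVaultAccessPolicy -VaultName $name `
            -ResourceGroupName $vault.ResourceGroupName `
            -ObjectId $id `
            -PermissionsToKeys $keyPerms `
            -PermissionsToSecrets $secretPerms `
            -PermissionsToCertificates $certPerms

        # Verify by re-reading the vault rather than trusting the cmdlet's return value.
        $after = Get-AzureRmKeyVault -VaultName $name -ResourceGroupName $vault.ResourceGroupName
        if (Test-PolicyPresent -Vault $after -ObjectId $id) {
            Write-Output "Access policy updated and verified: $name"
            $updated++
        } else {
            Write-Error "Access policy for $id is not visible on $name after the update."
        }
    }
}

Write-Output "Done. Updated $updated vault(s); skipped $skipped."
```

Two points to keep in mind. Writing an access policy is a management-plane operation on the vault, so the Owner role this page assigns to the Automation account is more than the script itself needs; the script, for its part, grants only get and list. Second, Set-AzureRmKeyVaultAccessPolicy validates the object ID against the directory; if the Run As principal cannot read the directory the call fails, and the cmdlet's -BypassObjectIdValidation switch exists for that case, at the cost of losing the typo check on the ID you pasted.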
- In the Runbook page, select the runbook created in Step 2, and open the edit pane.
- Click Publish.
- In the Runbook page, select the runbook, select Schedules (in the Resources section), and then click Add a schedule.
- Select Link a schedule to your runbook, and then Create a new schedule.
- Enter a schedule (for example, hourly). The repetition period should reflect how often new values are added to the Key Vaults.
- Click Create to save the schedule. The runbook will run as a job according to the schedule you set.
- Repeat the above steps for each runbook (if there is more than one).
- In the Runbook page, select Jobs in the left pane to check the status of the jobs. A line is added each time the scheduled runbook completes.