CloudGuard Dome9 Help

Onboard an Azure Subscription


This topic describes how to onboard a Microsoft Azure subscription to your Dome9 Account.

Operational Modes for Azure subscriptions

There are two ways to manage your Azure account in Dome9.

  • Read-Only - in this mode, you can view details of your Azure subscription in Dome9, run compliance tests on it, and receive alerts, notifications and reports of activities and changes to cloud entities, but you cannot actively manage those entities from Dome9.
  • Managed - in this mode, you have all the capabilities of Read-Only mode but, in addition, you can use Dome9 to actively manage your Network Security Groups.

Configure Policies for Azure Key Vault Entities

Azure Key Vaults have entities that are not accessible using the policy that is set up when the Azure account is onboarded to Dome9 (described above). This is because by default Azure does not grant access rights to vaults, secrets, certificates, and keys. In addition, new entities may be created from time to time. The Dome9 Compliance Engine, for example, needs to access these entities when evaluating the compliance of your Azure environments.

Follow the steps below to set up an Automation account and runbook in your Azure account that will periodically grant Dome9 the rights to access these new entities. You must set up such an account and runbook for each Azure subscription.
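The following runbook body is an added example, not Dome9's own Key-Vault-Runbook-Script.ps1. It assumes the Automation account runs under a system-assigned managed identity that may read and update Key Vault access policies, that the object ID of the Dome9 service principal in your tenant is passed in as a parameter, and that a "list"-only permission set is sufficient for the compliance scan (an assumption, not Dome9's documented requirement).

```powershell
# Added example runbook (not Dome9's Key-Vault-Runbook-Script.ps1).
# Assumptions: the Automation account has a system-assigned managed identity
# with permission to read and update Key Vault access policies, and the
# object ID of the Dome9 service principal is supplied as a parameter.
param(
    [Parameter(Mandatory = $true)]
    [string] $Dome9ObjectId,          # assumed: object ID of the Dome9 principal in your tenant
    [string] $SubscriptionId           # optional: restrict the run to one subscription
)

# Read-only permission set for the scan (assumed; narrow it further if parts are unused).
$Permissions = @{
    Keys         = @('list')
    Secrets      = @('list')
    Certificates = @('list')
}

# Authenticate as the Automation account's managed identity.
Connect-AzAccount -Identity | Out-Null
if ($SubscriptionId) { Set-AzContext -SubscriptionId $SubscriptionId | Out-Null }

foreach ($item in Get-AzKeyVault) {
    # The list call returns summary items only; fetch the full vault object.
    $vault = Get-AzKeyVault -VaultName $item.VaultName -ResourceGroupName $item.ResourceGroupName

    # Vaults in Azure RBAC authorization mode do not use access policies;
    # a data-plane role assignment is needed there instead, so skip them here.
    if ($vault.EnableRbacAuthorization) {
        Write-Output "Skipping $($vault.VaultName): RBAC authorization mode"
        continue
    }

    # Idempotent: leave vaults alone where the Dome9 principal already has a policy.
    if ($vault.AccessPolicies | Where-Object { $_.ObjectId -eq $Dome9ObjectId }) {
        continue
    }

    Write-Output "Granting Dome9 list access on $($vault.VaultName)"
    Set-AzKeyVaultAccessPolicy -VaultName $vault.VaultName `
        -ResourceGroupName $vault.ResourceGroupName `
        -ObjectId $Dome9ObjectId `
        -PermissionsToKeys $Permissions.Keys `
        -PermissionsToSecrets $Permissions.Secrets `
        -PermissionsToCertificates $Permissions.Certificates
}
```

Schedule the runbook in the Automation account so that vaults created between runs pick up the policy on the next execution.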

See also

An introduction to Azure Automation

Automation Runbook Gallery

Key-Vault-Runbook-Script.ps1