CloudGuard Dome9 User Guide
Onboard an Azure Subscription to Dome9
This topic describes how to onboard a Microsoft Azure subscription to your Dome9 Account.
Operational Modes for Azure subscriptions
There are two ways to manage your Azure account in Dome9.
- Read-Only - in this mode, you can view details for your Azure subscription in Dome9, run compliance tests on them, and receive alerts, notifications and reports of activities and changes to cloud entities, but you cannot actively manage them from Dome9.
- Managed - in this mode you have all the capabilities of Read-Only mode but, in addition, you can use Dome9 to actively manage your Network Security Groups.
Onboard an Azure subscription
Follow these steps to onboard an Azure account to Dome9. Before starting, decide which Operation mode to use for your account, Manage or Read-Only.
In the Dome9 console, navigate to Cloud Inventory and select Add Azure Cloud Account:
Choose the Operation mode for your account, Read-Only or Manage. The Add Azure Account wizard will appear, directing you through the steps required to define Dome9 as an application.
Sign in to the Azure management portal in a separate browser window (keep the Dome9 console open in a browser tab as well).
Navigate to App Registrations (search for it under More services).
Click New registration.
Fill in details for the Dome9 application, and then click Create:
- Name - a name for the application (we recommend Dome9-Connect)
- Redirect URI - select Web, and enter the URL https://secure.dome9.com
Select Dome9-Connect in the list of App registrations.
Copy the Application ID and paste it in the Dome9 Azure Onboarding screen, in the Application ID field.
In the Azure App registration page, select the Dome9-Connect application, then select Certificates & Secrets in the menu on the left.
- Click New Client Secret.
Enter Dome9-Connect for the description, and select an expiry time, then click Add. The key will be revealed.
Copy the key value, and paste it in the Dome9 Azure Onboarding screen, in the Secret Key field.
Note: You will not be able to retrieve the key afterwards, so copy it now.
In the Dome9 console, click NEXT to move to the next section (the Connect tab) of the onboarding process.
- In the Azure portal, navigate to Azure Active Directory (you can search for it in More Services).
- Copy the Directory ID and paste it in the Active Directory ID field, in the Dome9 Azure Onboarding screen, Connect tab.
In the Azure portal, click Subscriptions, and then select your Azure subscription.
Copy the Subscription ID and paste it in the Subscription ID field, in the Connect tab of the Dome9 Azure Onboarding screen.
Select Access control (IAM) in the menu.
Click Add, and select the Reader Role.
If you are onboarding your Azure account in Manage mode, add also the Network Contributor Role.
Search for the application you created in the previous step (Dome9-Connect), select it, and click Save.
Your Azure subscription will be onboarded to Dome9 in Read-Only or Managed mode (according to your selection).
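A post-onboarding check, added here as an example and not part of the Dome9 documentation or product: it verifies that the Dome9-Connect service principal holds exactly the roles the chosen operation mode requires on the subscription (Reader, plus Network Contributor in Managed mode) and flags any extra role that exceeds that. It assumes the AzureRM modules and an existing Login-AzureRmAccount session; the parameter names are this script's own.

```powershell
# Added example (not Dome9 documentation code): confirm the Dome9-Connect
# service principal has only the roles its operation mode needs.
# Assumes AzureRM modules and an interactive Login-AzureRmAccount session.
param(
    [Parameter(Mandatory = $true)][string]$ApplicationId,   # Application ID copied in the wizard
    [Parameter(Mandatory = $true)][string]$SubscriptionId,  # Subscription ID copied in the wizard
    [ValidateSet('ReadOnly', 'Managed')][string]$Mode = 'ReadOnly'
)

# Roles documented for each mode
$expectedRoles = @('Reader')
if ($Mode -eq 'Managed') { $expectedRoles += 'Network Contributor' }

Select-AzureRmSubscription -SubscriptionId $SubscriptionId | Out-Null

# Resolve the service principal backing the Dome9-Connect app registration
$sp = Get-AzureRmADServicePrincipal -ApplicationId $ApplicationId
if (-not $sp) { throw "No service principal found for application $ApplicationId" }

# Role assignments that apply to this principal at subscription scope
$scope = "/subscriptions/$SubscriptionId"
$assignments = Get-AzureRmRoleAssignment -ObjectId $sp.Id -Scope $scope
$actualRoles = @($assignments | ForEach-Object { $_.RoleDefinitionName } | Sort-Object -Unique)

$missing = @($expectedRoles | Where-Object { $actualRoles -notcontains $_ })
$extra   = @($actualRoles   | Where-Object { $expectedRoles -notcontains $_ })

if ($missing.Count -gt 0) {
    Write-Warning ("Dome9-Connect is missing roles: " + ($missing -join ', '))
}
if ($extra.Count -gt 0) {
    # Anything beyond the documented roles widens Dome9's blast radius; review it
    Write-Warning ("Dome9-Connect has roles beyond the documented set: " + ($extra -join ', '))
}
if ($missing.Count -eq 0 -and $extra.Count -eq 0) {
    Write-Output "Dome9-Connect holds exactly: $($expectedRoles -join ', ') on $scope"
}
```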
Configure Policies for Azure Key Vault Entities
Azure Key Vaults have entities that are not accessible using the policy that is set up when the Azure account is onboarded to Dome9 (described above). This is because by default Azure does not grant access rights to vaults, secrets, certificates, and keys. In addition, new entities may be created from time to time. The Dome9 Compliance Engine, for example, needs to access these entities when evaluating the compliance of your Azure environments.
Follow the steps below to set up an Automation account and runbook in your Azure account, that will periodically grant rights to Dome9 to access these new entities. You must set up such an account and runbook for each Azure subscription.
Step 1 - create an automation account and runbook on Azure
In this step, you will create an Automation account and runbook, with access to the subscriptions containing the Key Vaults.
- Create an Azure Automation account, with the owner role for the subscription containing the Key Vaults with the entities that need to be updated in the Dome9 policies. See https://docs.microsoft.com/en-us/azure/automation/automation-intro for details about creating an Automation account.
- In the Automation Account pane on the left, select the account you created, select Access control (IAM), and then click +Add at the top of the pane on the right.
- In the Add Permissions dialog, grant Owner permission to the Automation account, as follows, and then click Save.
- Role - Owner
- Assign access to - Azure AD user, group, or application
- Select - enter the name of your Automation account, and then select the entry with "_...." appended.
- Repeat the above steps for each Azure subscription that has a Key Vault that needs to be updated (each subscription must have its own Automation Account and Runbook).
- Select Modules (in Shared Resources), update the list of modules, and then check that the modules AzureRM.KeyVault and AzureRM.Profile are in the list. If not, click Browse gallery to search for them in the Azure gallery, and then import them.
- Select Runbooks (in Process Automation), and then click Add a runbook.
- In the Add Runbook dialog, select Create a new runbook. Enter a name for the runbook (say, KeyVault), and select type PowerShell. Optionally, add a description, then click Create.
Step 2 - prepare the runbook script
In this step, you will prepare a script that will grant permissions to the Dome9 application to access the entities in the Key Vaults. This script will then be scheduled as a job that is run periodically. The script used in this step is an example of a script. You can modify it, or replace it with your own script, if you are skilled in preparing automation scripts.
- Download the Key-Vault-Runbook-Script.ps1 file attachment from this page.
- In the Runbook page, open the runbook created in Step 1, and then click Edit.
- Copy the script from the file into the edit pane.
- Search for the variable $excludedKeyVaults, and set its value to exclude specific Key Vaults (if there are no exclusions, leave it blank):
$excludedKeyVaults = "DBKeyvault", "VMKeyvault"
- Save the changes, and close the edit pane.
- In the left pane, select App registrations, and then select Dome9-Connect (the application that was created as part of the onboarding process).
- In the right pane, click on the name of the app (circled in the image above), then select Properties in the left pane. Copy the ObjectID value.
- Return to the Runbook page, select again the runbook, and open the edit pane.
- Search for the variable $objectIds, and paste the value you copied from the Dome9 App registration.
$objectIds = "f81cf819-f710-4c99-abd0-2af561dba51e"
- Save the runbook script.
- Optionally, click Test, to open the Test pane, to test the script.
- Click Start, to start the test. When it completes, the dialog should indicate that the access policies were updated for the vaults.
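To show what a runbook of the kind prepared in Step 2 does with the $excludedKeyVaults and $objectIds variables, here is an added example; it is not the Key-Vault-Runbook-Script.ps1 attachment and may differ from it. It assumes the Automation account's default Run As connection (AzureRunAsConnection) and the AzureRM.Profile and AzureRM.KeyVault modules imported in Step 1; the list-only permission set is an assumption and should be aligned with whatever the downloaded script grants.

```powershell
# Added example runbook (not the Key-Vault-Runbook-Script.ps1 attachment).
# Assumes the default "AzureRunAsConnection" and AzureRM.Profile / AzureRM.KeyVault.

# Vaults that must not be touched (leave empty if there are no exclusions)
$excludedKeyVaults = "DBKeyvault", "VMKeyvault"
# Object ID(s) of the Dome9-Connect app registration (placeholder value)
$objectIds = "00000000-0000-0000-0000-000000000000"
# Permissions granted to Dome9. Assumed here as list-only, the minimum needed
# to enumerate vault entities; align with the downloaded script.
$keyPerms = @('list'); $secretPerms = @('list'); $certPerms = @('list')

# Authenticate as the Automation Run As service principal
$conn = Get-AutomationConnection -Name "AzureRunAsConnection"
Add-AzureRmAccount -ServicePrincipal -TenantId $conn.TenantId `
    -ApplicationId $conn.ApplicationId `
    -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

$updated = 0
# Every vault in the subscription the Automation account belongs to
foreach ($vault in Get-AzureRmKeyVault) {
    if ($excludedKeyVaults -contains $vault.VaultName) {
        Write-Output "Skipping excluded vault $($vault.VaultName)"
        continue
    }
    foreach ($objectId in $objectIds) {
        try {
            # Adds or replaces the access policy entry for this principal only
            Set-AzureRmKeyVaultAccessPolicy -VaultName $vault.VaultName `
                -ResourceGroupName $vault.ResourceGroupName -ObjectId $objectId `
                -PermissionsToKeys $keyPerms -PermissionsToSecrets $secretPerms `
                -PermissionsToCertificates $certPerms -ErrorAction Stop
            Write-Output "Access policy updated for vault $($vault.VaultName)"
            $updated++
        } catch {
            # One failing vault must not abort the whole scheduled job
            Write-Error "Failed on vault $($vault.VaultName): $($_.Exception.Message)"
        }
    }
}
Write-Output "Access policies updated for $updated vault/principal pairs"
```

New vaults created between runs are picked up on the next scheduled execution, which is why the schedule period in Step 3 should track how often vaults and entities are added.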
Step 3 - publish & schedule the runbook as an Azure job
- In the Runbook page, select the runbook created in Step 2, and open the edit pane.
- Click Publish.
- In the Runbook, select the runbook, and then select Schedules (in the Resources section), and then click Add a Schedule.
- Select Link a schedule to your runbook, and then Create a new schedule.
- Enter a schedule (for example, hourly). The repetition period should reflect the frequency with which new values are added to the Key Vaults.
- Click Create to save the schedule. The runbook will be run as a job according to a schedule that you set up for it.
- Repeat the above steps for each runbook (if there are more than one).
- In the Runbook page, select Jobs in the left pane to check the status of the jobs. A line is added each time the scheduled runbook completes.