Onboarding Azure Organizations

Prerequisites

Before onboarding your AzureClosed Collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centers managed by Microsoft®. subscription, make sure:

  • You have permissions assigned through the Application Administrator or Owner role. For more information, see Permissions.

  • You allow sufficient time (about one hour) for Azure to synchronize all created resources. If you create the resources during the onboarding, the synchronization takes some time and impacts the onboarding process. For example, if you create a storage account immediately before the onboarding, Azure cannot export diagnostics logs to the storage because the storage or the subscription does not yet exist.

How it Works

When you onboard Azure organizations to CloudGuard, you select onboarding scope according to the Azure hierarchy:

  • Tenant - the highest node in the organization hierarchy, that is, a management group that contains all other management groups

  • Management Group - a unit to organize your subscriptions created under one tenant

In the onboarding scope, CloudGuard provides automatic onboarding for all subscriptions and nested management groups added to the selected management group.

CloudGuard allows onboarding for nested management groups with custom configurations. A subscription configuration in CloudGuard is defined by the configuration (Step 2 of the onboarding wizard) of its nearest Management Group:

  • CDR analyzes the selected types of logs for all subscriptions under the selected Management Group.

  • AWP scans all subscriptions under the selected Management Group with the selected scan mode.

However, after you onboard a nested management group, you cannot onboard management groups that precede and succeed it in the hierarchy. In other words, if you onboarded a management group, you cannot onboard its parent or its children.

Best Practice - Check Point does not recommend that you move nested management groups between management groups with different onboarding configurations. The resulting configuration is unpredictable and is not supported by CloudGuard.

All management groups under the same tenant must be onboarded to the same CloudGuard account. In other words, you cannot onboard a management group to a CloudGuard account, if this group's tenant contains a management groups which is already onboarded to another CloudGuard account.

CloudGuard automatically adds Key Vaults of each of the types:

The organizational credentials are automatically managed by the CloudGuard application.

After successful onboarding, CloudGuard gradually applies the selected configuration to all the subscriptions in the Management Group, and the process can take approximately one hour.

Onboarding in the Portal

  1. In the CloudGuard portal, open Assets > Environments.

  2. For first-time onboarding, click Azure and follow the setup instructions.

    Or, if you already onboarded environment(s), from the top menu, select Add > Azure Subscription.

  3. Select to onboard an Organization.

  4. Select the onboarding scope: Tenant or Management Group.

  5. Log in to the Azure management portal.

  1. Enter your Tenant ID.

  2. For onboarding management groups, enter the Management Group ID. For more information about this parameter, see the Azure documentation.

  3. Click Next.

  1. On the Configurations page, enter a name for the organization (optional) to identify it in the CloudGuard portal.

    Note - The CSPM option is always enabled.

  2. CDR - Account activity - enabled by default.

    1. Select the applicable log types. See on-screen instructions to enable each type of logs.

    2. Enter the Storage Account ID:

      • In the Azure portal, go to Storage Accounts and select the storage account, which subscription belongs to the onboarding scope (Management Group or Tenant).

      • On the right, click JSON View.

      • From the Resource JSON page, copy the ID value.

      You can use three storage accounts at most.

  3. AWP - Agentless Workload Posture - disabled by default.

    1. Click the toggle button to enable AWP.

    2. Select a scan mode. By default, the scan mode is In-Account Centralized.

    3. For In-Account Centralized mode, enter Centralized Subscription ID. Make sure the centralized subscription belongs to the onboarded management group.

      For more information about AWP, see AWP for Azure Environments.

  4. Click Next.

Caution - After successful onboarding, moving subscriptions or nested groups between management groups onboarded with different configurations can have unpredictable effects, so make sure to avoid these cases:

  • Moving a subscription from the onboarded organization to another organization which is not onboarded.

  • Moving a subscription from the onboarded organization to another organization onboarded without AWP/CDR.

  • Moving a subscription from the onboarded organization to another organization onboarded to AWP/CDR but with a different scan mode or a different log type.

Possible effects:

  • AWP/CDR can lose its permission and stop scanning the subscription or analyzing the logs.

  • Some resource groups that contain AWP/CDR resources can remain unmanaged.

  • If AWP/CDR still has the required permissions, it can continue to scan a subscription with the scan mode of the original management group or analyze the original type of logs.

If you select to onboard to CDR, and your Azure Storage account is private, CloudGuard requires access to the Storage account.

To allow connectivity to the Storage Account:

  1. In your Azure Storage account, navigate to Security + networking > Networking.

  2. On the Firewall and virtual networks page, Public network access is Disabled. Change it to the Enabled from selected virtual networks and IP address option.

  3. In the Firewall section, add an IP address to allow access to based on your Data Center location. For the list of allowed IP addresses, see FAQ.

  4. In the CloudGuard onboarding wizard, click the Check Now button to verify connectivity.

  1. On the Connect Management Group / Subscription page, click Onboarding script to review it. For additional script options, see Special Modes for Onboarding Script.

  2. Log in to the Azure Cloud Shell.

  3. Copy and run the command provided in the CloudGuard wizard. As the program runs it prints out its actions and shows resources created in your Azure account.

  4. In the CloudGuard wizard, select:

  5. Click Onboard. The onboarding starts.

    In a couple of minutes, you receive a notification that the management groups is successfully onboarded. Wait about 15 minutes (up to one hour in case of AWP In-Account Centralized mode) until the onboarded subscriptions appear on the Environments page.

The new organization appears on the Assets > Organizational Units page under the root OU as its child, like the manually created CloudGuard OUs. All actions available for regular OUs (creating sub-OU, renaming, moving, and deletion) are available for the onboarded Azure organization.

This procedure creates a default CSPM policy with two rulesets: Azure CloudGuard Checkup and Azure CIS Foundation v. 1.5.0.

Onboarding with API

To onboard Azure organizations with API:

  1. Make the first call: POST - https://api.dome9.com/v2/AzureCloudAccount/OnboardingExecutionCommand (Link). The output is the command string for execution from the Azure Cloud Shell.

  2. In the Azure Cloud Shell, run the command obtained from the response.

  3. Make the second call: POST - https://api.dome9.com/v2/azure-organization-management. Set the ActiveBlades parameter according to the enabled active blades.

Special Modes for Onboarding Script

  • To run the script in a quiet mode that skips all questions to the user, run it with the --quiet flag.

  • To remove the CloudGuard resources created in your Azure organization, run the onboarding script with the --clean flag. You can use the option for troubleshooting an unsuccessful onboarding. Make sure you use the same parameters as in the initial command.

Known Limitations

CloudGuard supports scanning of Function Apps in Azure Organizations only with AWP In-Account Centralized mode.

For more limitations related to AWP, see Known Limitations.

More Links