Connect to Azure

GigaVUE-FM connects to Azure using either an Application ID with the client secret or the MSI method of authentication. Once the connection is established, GigaVUE-FM launches the G-vTAP Controller, GigaVUE V Series Controller, and GigaVUE V Series node.

To connect to Azure using GigaVUE-FM:

1. Click Cloud in the top navigation link.
2. Under Azure, select Configuration > Connections, and then click the New drop-down menu. You can either create a new monitoring domain or a new connection.
   • If you select Monitoring Domain, then the Create Monitoring Domain dialog box is displayed. Enter the alias that is used to identify the monitoring domain.
   • If you select Connection, then the Azure Connection page is displayed. You can either create a new monitoring domain for the connection or select an existing monitoring domain that is already created.
3. Enter or select the appropriate information for the VNet and one or more Resource Groups.
   If the Authentication type of Application ID with Client Secret is used, have the Subscription ID, Tenant ID, Application ID and Application Secret information ready based on the Azure connectivity section mentioned above. Select the required Tapping Method.

   Note:  If you select Azure vTAP as tapping method, then you need not configure the G-vTAP controller as described in section Configure G-vTAP Controllers.

4. Click Save.
5. If the connection is established, the status is displayed as ‘Connected’ in the Connections page. GigaVUE-FM discovers the inventory of the VNet in the background. If the connection fails, a ‘Connection Failed’ error message is displayed when Save is clicked.

Once the configuration in the Connections tab is complete, the rest of the tabs under Cloud > Azure > Configuration can be configured so that GigaVUE-FM can deploy the rest of the solution components. As a final step, configure the monitoring session.

GigaVUE-FM Supports two types of authentication with Azure, which are described in the following sections:

• Managed Service Identity (MSI)
• Custom Roles
• Pre-defined Roles
• Accept EULA and Enable Programmatic Deployment in Azure

Managed Service Identity (MSI)

Note:  It may take up to 10 minutes or more for Azure to propagate the permissions. GigaVUE-FM will fail during this time to connect to Azure.

Managed Service Identity (MSI) is only available for GigaVUE-FMs launched inside Azure. You can run these commands in the Azure Portal in an cloud shell (icon in upper right of portal as seen here):

There are 2 steps to have MSI work:

1. Enable MSI on the VM running in GigaVUE-FM.
2. Assign permissions to this VM on all the resources where you need GigaVUE-FM to manage.

Enable MSI on the VM running GigaVUE-FM

Note:  If you are using an older CLI version, the command "az vm assign-identity" is replaced with the new command: "az vm identity assign"

1. Launch the GigaVUE-FM Virtual Machine in Azure.
2. Enable MSI and Assign roles to the VM. You can use the CLI or portal to enable MSI and assign roles to VMS.

Enable MSI using the CLI

1. Assign a custom role at resource group level where you will deploy the fabric:
   

   az vm identity assign -g xxx-fm-feb15 -n xxx-fm-feb15 --role "FM Custom Role RG Level" --scope /subscriptions/6447xxx11-1x11-111x-11xx-11x11xx11111/resourceGroups/xxxz-rg

2. If you need the private images, then you have to assign permissions to the resource group of the fabrics. Therefore run this:
   

   az vm identity assign -g xxx-fm-feb15 -n xxx-fm-feb15 --role "FM Custom Role RG Level"--scope /subscriptions/6447xxx11-1x11-111x-11xx-11x11xx11111/resourceGroups/vseries-rg

   az vm identity assign -g xxx-fm-feb15 -n xxx-fm-feb15 --role "FM Custom Role RG Level"--scope /subscriptions/6447xxx11-1x11-111x-11xx-11x11xx11111/resourceGroups/gvtap-rg

3. Assign a custom role at the subscription level to view the complete account details:
   

   az vm identity assign -g xxx-feb8-fm -n xxx-feb8-fm --role "FM Custom Role Subscription Level" --scope /subscriptions/6447xxx11-1x11-111x-11xx-11x11xx11111

For more information, refer to Configure managed identities on VMs topic in the Microsoft Azure Documentation.

Enable MSI Using the Portal

You can enable MSI at the time of launch or after the launch of GigaVUE-FM through the portal. For more information, refer to Configure managed identities on VMs topic in the Microsoft Azure Documentation.

Application ID with Client Secret

The GigaVUE-FM-to-Azure connection supports application id with client secret authentication. When using GigaVUE-FM to connect to Azure, it uses a service principal. A service principal is an account for a non-human such as an application to connect to Azure.

Note:  GigaVUE-FM must be able to resolve "login.microsoftonline.com" in order to connect to Azure. So GigaVUE-FM must be configured with a valid DNS server.

Perform the following steps to create the service principal and get the required information to create the Azure connection in GigaVUE-FM:

1.

Create a service principal using the Azure CLI: az ad sp create-for-rbac --name myRealName-app.

Note:  Azure generates the password automatically for the service principle.

This will return an output similar to:

{

"appId": "a487e0c1-82af-47d9-9a0b-af184eb87646d",

"displayName": "myRealName-app",

"name": "http://myRealName-app",

"password": "6266bc73-4b33-4651-8652-298c7180fffa",

"tenant": "tttttttt-tttt-tttt-tttt-tttttttttttt"

}

Note the appId and password from the output.

2.

Azure CLI: az account show -o json (you have to use the "-o json" option to display the full details)

This will return output similar to:

{

"environmentName": "AzureCloud",

"id": "6447xxx11-1x11-111x-11xx-11x11xx11111",

"isDefault": true,

"name": "XYZ Subscription",

"state": "Enabled",

"tenantId": "ad46cbb4-441b-4e7d-a40e-c08ff7dedaf0",

"user": {

"name": "name@yourcompany.com",

"type": "user"

}

}

Note the id and tenantId.

3.

The Azure connection POST should be populated with the following fields:

{

"alias": "<yourConnectionName>",

"authType": "clientSecret",

"regionName": "westus",

"subscriptionId": "<id from az account show>",

"tenantId": "<tenantId from az account show>",

"applicationClientId": "<appId from service principal creation>",

"applicationSecretKey": "<password from the service principal creation>",

"virtualNetworkName":"<virtual network name for connection domain>"

}

Custom Roles

The ‘built-in’ roles provided by Microsoft are open to all resources. You can create a custom role if required.

You can create a custom role in Azure as described in the following examples. The "assignableScopes" are the objects which this role is allowed to be assigned. In the example below, for the RG level role, you can assign permissions for GigaVUE-FM to access your resource group and also two other resource groups where the GigaVUE V series controller and G-vTAP controllers are placed. Without the GigaVUE V series controller and G-vTAP controllers you would only see images in the marketplace.

Using CLI:

az role definition create --role-definition FM-custom-role-azure-RG-level.json

This section provides examples of the JSON file above.The assignable scopes can be at the Resource Group level, or at the entire Subscription level. This is defined in that JSON file.

Example: Custom Role at Resource Group Level

The following is an example of what you need at RG level:

{

"Name": "FM Custom Role RG Level",

"IsCustom": true,

"Description": "Minimum permissions for FM to operate",

"Actions": [

"Microsoft.Compute/virtualMachines/read",

"Microsoft.Compute/virtualMachines/write",

"Microsoft.Compute/virtualMachines/delete",

"Microsoft.Compute/virtualMachines/start/action",

"Microsoft.Compute/virtualMachines/powerOff/action",

"Microsoft.Compute/virtualMachines/restart/action",

"Microsoft.Compute/virtualMachines/instanceView/read",

"Microsoft.Compute/locations/vmSizes/read",

"Microsoft.Compute/images/read",

"Microsoft.Compute/disks/read",

"Microsoft.Compute/disks/write",

"Microsoft.Compute/disks/delete",

"Microsoft.Network/networkInterfaces/read",

"Microsoft.Network/networkInterfaces/write",

"Microsoft.Network/virtualNetworks/subnets/join/action",

"Microsoft.Network/virtualNetworks/subnets/read",

"Microsoft.Network/networkInterfaces/join/action",

"Microsoft.Network/networkInterfaces/delete",

"Microsoft.Network/publicIPAddresses/read",

"Microsoft.Network/publicIPAddresses/write",

"Microsoft.Network/publicIPAddresses/delete",

"Microsoft.Network/publicIPAddresses/join/action",

"Microsoft.Network/virtualNetworks/read",

"Microsoft.Network/virtualNetworks/virtualMachines/read",

"Microsoft.Network/networkSecurityGroups/read",

"Microsoft.Network/networkSecurityGroups/join/action",

"Microsoft.Network/publicIPAddresses/read ",

"Microsoft.Network/publicIPAddresses/write",

"Microsoft.Network/publicIPAddresses/delete",

"Microsoft.Network/publicIPAddresses/join/action",

"Microsoft.Resources/subscriptions/locations/read",

"Microsoft.Resources/subscriptions/resourceGroups/read",

"Microsoft.Resources/subscriptions/resourcegroups/resources/read"

],

"NotActions": [

 

],

"AssignableScopes": [

"/subscriptions/6447xxx11-1x11-111x-11xx-11x11xx11111/resourceGroups/xxxz-rg",

"/subscriptions/6447xxx11-1x11-111x-11xx-11x11xx11111/resourceGroups/vseries-rg",

"/subscriptions/6447xxx11-1x11-111x-11xx-11x11xx11111/resourceGroups/gvtap-rg"

]

}

Example: Custom Role for Subscription Level

The following is an example of what you need at the Subscription level:

"Name": "FM Custom Role Subscription Level",

"IsCustom": true,

"Description": "Minimum permissions for FM to operate at a subscription level",

"Actions": [

"Microsoft.Compute/virtualMachines/read",

"Microsoft.Compute/virtualMachines/write",

"Microsoft.Compute/virtualMachines/delete",

"Microsoft.Compute/virtualMachines/start/action",

"Microsoft.Compute/virtualMachines/powerOff/action",

"Microsoft.Compute/virtualMachines/restart/action",

"Microsoft.Compute/virtualMachines/instanceView/read",

"Microsoft.Compute/locations/vmSizes/read",

"Microsoft.Compute/images/read",

"Microsoft.Compute/disks/read",

"Microsoft.Compute/disks/write",

"Microsoft.Compute/disks/delete",

"Microsoft.Network/networkInterfaces/read",

"Microsoft.Network/networkInterfaces/write",

"Microsoft.Network/virtualNetworks/subnets/join/action",

"Microsoft.Network/virtualNetworks/subnets/read",

"Microsoft.Network/networkInterfaces/join/action",

"Microsoft.Network/networkInterfaces/delete",

"Microsoft.Network/publicIPAddresses/read",

"Microsoft.Network/publicIPAddresses/write",

"Microsoft.Network/publicIPAddresses/delete",

"Microsoft.Network/publicIPAddresses/join/action",

"Microsoft.Network/virtualNetworks/read",

"Microsoft.Network/virtualNetworks/virtualMachines/read",

"Microsoft.Network/networkSecurityGroups/read",

"Microsoft.Network/networkSecurityGroups/join/action",

"Microsoft.Network/publicIPAddresses/read ",

"Microsoft.Network/publicIPAddresses/write",

"Microsoft.Network/publicIPAddresses/delete",

"Microsoft.Network/publicIPAddresses/join/action",

"Microsoft.Resources/subscriptions/locations/read",

"Microsoft.Resources/subscriptions/resourceGroups/read",

"Microsoft.Resources/subscriptions/resourceGroups/write",

"Microsoft.Resources/subscriptions/resourcegroups/resources/read"

],

"NotActions": [

 

],

"AssignableScopes": [

"/subscriptions/6447xxx11-1x11-111x-11xx-11x11xx11111"

]

}

Add Custom Role to Subscription or Resource Group

After creating the custom role, you can add the role to either the Resource Group, or at the Subscription level in the Azure console. In this example, the role is added to my Resource Group. As the GigaVUE-FM connection gets connected to the VNET in the resource Group "xxxz-rg", the following permissions/roles are added to the Resource Group. If you want to have GigaVUE-FM create a resource group to launch fabric into, you must add these permissions to the subscription level instead.

Note:  You are adding permissions for the GigaVUE-FM running in Azure (Virtual Machine).

In this example, GigaVUE-FM is running in another resource group "xxxz-fm-feb7". Select the VM and give the required permissions to access the other resource group "xxxz-rg":

You can also use the CLI to perform the same process. This adds the GigaVUE-FM instance in RG "xxx-feb8-fm" to have access to another RG called "xxxz-rg":

CLI to add role to Resource Group

az vm assign-identity -g xxx-feb8-fm -n xxx-feb8-fm --role "FM Custom Role RG Level" --scope /subscriptions/6447xxx11-1x11-111x-11xx-11x11xx11111/resourceGroups/xxxz-rg

 

CLI for Subscription Level

az vm assign-identity -g xxx-feb8-fm -n xxx-feb8-fm --role "FM Custom Role Subscriptions Level" --scope /subscriptions/6447xxx11-1x11-111x-11xx-11x11xx11111

If you want to update the Role, you can edit the JSON file, and then update the Role in Azure using the following CLI command:

update role

az role definition update --role-definition FM-custom-role-azure-RG-level.json

Pre-defined Roles

Resource groups pre-created (which the GigaVUE-FM monitors):

• Assign Reader
• Virtual Machine Contributor
• Network Contributor
• Storage Account Contributor

Resource groups created by GigaVUE-FM: Contributor on subscription level

Accept EULA and Enable Programmatic Deployment in Azure

For GigaVUE-FM to be able to launch the fabric images, you must accept the terms of the end user license agreements (EULAs) and enable programmatic access. This can be done in the Azure portal or through PowerShell.

1. Accept the Gigamon EULAs for each SKU. These examples show accepting the EULAs from a PowerShell terminal in the Azure Portal:
   1. HOURLY FM:
      

      Azure:/

      PS Azure:\> Get-AzureRmMarketplaceTerms -Publisher "gigamon-inc" -Product "gigamon-fm-5_4_00_hourly" -Name "GigaSECURE Cloud 5.4.00 Hourly (100 pack)" | Set-AzureRmMarketplaceTerms -Accept

   2. BYOL FM:
      

      Azure:/

      PS Azure:\> Get-AzureRmMarketplaceTerms -Publisher "gigamon-inc" -Product "gigamon-fm-5_4_00" -Name "GigaSECURE Cloud 5.4.00" | Set-AzureRmMarketplaceTerms -Accept

   3. Fabric Images (need to accept on all 3):
      

      Azure:/

      PS Azure:\> Get-AzureRmMarketplaceTerms -Publisher "gigamon-inc" -Product "gigamon-fm-5_4_00" -Name "gvtap-cntlr" | Set-AzureRmMarketplaceTerms -Accept

       

      Azure:/

      PS Azure:\> Get-AzureRmMarketplaceTerms -Publisher "gigamon-inc" -Product "gigamon-fm-5_4_00" -Name "vseries-cntlr" | Set-AzureRmMarketplaceTerms -Accept

       

      Azure:/

      PS Azure:\> Get-AzureRmMarketplaceTerms -Publisher "gigamon-inc" -Product "gigamon-fm-5_4_00" -Name "vseries-node" | Set-AzureRmMarketplaceTerms -Accept

2. Configure programmatic deployment through the Azure portal so that GigaVUE-FM can launch these images:
   1. Find the images in the Azure Marketplace.
   2. Click the "Want to deploy programmatically? Get started" link.
   3. Review the terms of service and the subscription name and then click Enable.

Disclaimer:
These are general guidelines for enabling a deployment in Azure. Since the Azure interface is subject to change and is outside Gigamon’s purview, please see Azure documentation for instructions on using Azure.