Connecting to Azure

GigaVUE-FM connects to Azure using either an Application ID with the client secret or the MSI method of authentication. Once the connection is established, GigaVUE-FM launches the G-vTAP Controller, GigaVUE V Series Controller, and GigaVUE V Series node.

To connect to Azure using GigaVUE-FM:

1.   Click Cloud in the top navigation link.
2. Under Azure, select Configuration > Connections, and then click the New drop-down menu. You can either create a new monitoring domain or a new connection.
If you select Monitoring Domain, then the Create Monitoring Domain dialog box is displayed. Enter the alias that is used to identify the monitoring domain.
If you select Connection, then the Azure Connection page is displayed. You can either create a new monitoring domain for the connection or select an existing monitoring domain that is already created.
3. Enter or select the appropriate information for the VNet and one or more Resource Groups.

If the Authentication type of Application ID with Client Secret is used, have the Subscription ID, Tenant ID, Application ID and Application Secret information ready based on the Azure connectivity section mentioned above. Select the required Tapping Method.

Note:  If you select Azure vTAP as tapping method, then you need not configure the G-vTAP controller as described in section Configuring the G-vTAP Controllers.

4. Click Save.
5. If the connection is established, the status is displayed as ‘Connected’ in the Connections page. GigaVUE-FM discovers the inventory of the VNet in the background. If the connection fails, a ‘Connection Failed’ error message is displayed when Save is clicked.

Once the configuration in the Connections tab is complete, the rest of the tabs under Cloud > Azure > Configuration can be configured so that GigaVUE-FM can deploy the rest of the solution components. As a final step, configure the monitoring session.

GigaVUE-FM Supports two types of authentication with Azure, which are described in the following sections:

1.   Managed Service Identity (MSI)
2. Application ID with Client Secret

Managed Service Identity (MSI)

Note:  It may take up to 10 minutes or more for Azure to propagate the permissions. GigaVUE-FM will fail during this time to connect to Azure.

Managed service identity is only available for GigaVUE-FMs launched inside Azure. You can run these commands in the Azure Portal in an cloud shell (icon in upper right of portal as seen here):

There are 2 steps to have MSI work:

1.   Enable MSI on the VM running GigaVUE-FM
2. Assign permissions to this VM on all the resources you need GigaVUE-FM to manage.
Enable MSI on the VM running GigaVUE-FM

Note:  If you are using an older CLI version, the command "az vm assign-identity" is replaced with the new command: "az vm identity assign"

1.   Launch the GigaVUE-FM Virtual Machine in Azure
2. Enable MSI and Assign roles to the VM. You can use the CLI or portal, each of which is described below.
Enable MSI using the CLI
a. Custom role at resource group level using CLI (recommended) where you will deploy fabric to:

az vm identity assign -g xxx-fm-feb15 -n xxx-fm-feb15 --role "FM Custom Role RG Level" --scope /subscriptions/6447xxx11-1x11-111x-11xx-11x11xx11111/resourceGroups/xxxz-rg

b. If you need the private images, (for fabric nodes, NOT the public images) then you have to assign permissions to the RG those live in as well. Therefore run this:

az vm identity assign -g xxx-fm-feb15 -n xxx-fm-feb15 --role "FM Custom Role RG Level"--scope /subscriptions/6447xxx11-1x11-111x-11xx-11x11xx11111/resourceGroups/vseries-rg

az vm identity assign -g xxx-fm-feb15 -n xxx-fm-feb15 --role "FM Custom Role RG Level"--scope /subscriptions/6447xxx11-1x11-111x-11xx-11x11xx11111/resourceGroups/gvtap-rg

c. Custom role at the subscription level using CLI. This will assign the role at the subscription level, you can see everything in the account:

az vm identity assign -g xxx-feb8-fm -n xxx-feb8-fm --role "FM Custom Role Subscription Level" --scope /subscriptions/6447xxx11-1x11-111x-11xx-11x11xx11111

d. Assign role using the Portal:
1.   Enable MSI for the GigaVUE-FM VM and use the portal to assign a role later:

az vm identity assign -g <your resource group> -n <your fm vm name>
2. If GigaVUE-FM needs to create resource groups, MSI permissions must be assigned at the subscription level
a. Subscriptions > Your subscription
b. Click Access Control (IAM)
c. Click Add (if Add button is not available, then you do not have the required permissions)
d. Select the GigaVUE-FM custom role Contributor role.
e. Select Virtual Machine for Assign access to
f. Select your subscription
g. Select the Resource Group of the VM you would like to add permissions for
h. Select the instance running GigaVUE-FM
3. If all resource groups are pre-created, permissions for GigaVUE-FM managed service identity can be assigned at the resource group level
a. Go to the resource group you would like to add permissions for the MSI in the Azure portal
b. Click Access Control (IAM)
c. Click Add (if Add button is not there you do not have proper permissions)
d. Select Reader/Virtual Machine Contributor/Network Contributor/Storage Account Contributor role or whatever Role you want
e. Select Virtual Machine for Assign access to
f. Select your subscription
g. Select the Resource Group of VM you would like to add permissions for
h. Select the instance running GigaVUE-FM
i. Fabric nodes can be deployed in different resource groups. Make sure you assign the proper permissions for each resource group.

Using the Portal to Enable MSI is now available.

Enable MSI Using the Portal

You can enable MSI at the time of launching GigaVUE-FM through the portal. In step 3 of VM creation, an option is available to enable MSI.

Click yes. You still need to add permissions for the Resource Groups in this VM (which you want GigaVUE-FM to see):

If you already launched your GigaVUE-FM in the portal and did not enable MSI, you can still enable MSI in the portal. Click on your VM, open the blade for “Configuration,” and then click Yes to Register the VM with AD:

Figure 1132: Enabling Managed Service Identity

 

Once that is done, you can select the required resource for which you want to give the GigaVUE-FM permissions (Subscription level, resource group level, etc). Click the object and then select the “Access Control IAM" blade:

Figure 1133: Selecting Resource Group

Search by Type "Virtual Machines". Your VM should not be there yet.

Click the Add button, and find your VM, select a Role, and Save. This will give the VM the required permissions the role has on the object you selected earlier. In the example above, a Resource Group.

Application ID with Client Secret

The GigaVUE-FM-to-Azure connection supports application id with client secret authentication. When using GigaVUE-FM to connect to Azure, it uses a service principal. A service principal is an account for a non-human such as an application to connect to Azure.

Note:  GigaVUE-FM must be able to resolve "login.microsoftonline.com" in order to connect to Azure. So GigaVUE-FM must be configured with a valid DNS server.

Perform the following steps to create the service principal and get the required information to create the Azure connection in GigaVUE-FM:

1.   Create a service principal using the Azure CLI: az ad sp create-for-rbac --name myRealName-app --password "mySecurePassword"

This will return an output similar to:

{

"appId": "a487e0c1-82af-47d9-9a0b-af184eb87646d",

"displayName": "myRealName-app",

"name": "http://myRealName-app",

"password": mySecurePassword,

"tenant": "tttttttt-tttt-tttt-tttt-tttttttttttt"

}

Note the appId and password from the output.

2. Azure CLI: az account show -o json (you have to use the "-o json" option to display the full details)

This will return output similar to:

{

"environmentName": "AzureCloud",

"id": "6447xxx11-1x11-111x-11xx-11x11xx11111",

"isDefault": true,

"name": "XYZ Subscription",

"state": "Enabled",

"tenantId": "ad46cbb4-441b-4e7d-a40e-c08ff7dedaf0",

"user": {

"name": "name@yourcompany.com",

"type": "user"

}

}

Note the id and tenantId.

3. The Azure connection POST should be populated with the following fields:

{

"alias": "<yourConnectionName>",

"authType": "clientSecret",

"regionName": "westus",

"subscriptionId": "<id from az account show>",

"tenantId": "<tenantId from az account show>",

"applicationClientId": "<appId from service principal creation>",

"applicationSecretKey": "<password from the service principal creation>",

"virtualNetworkName":"<virtual network name for connection domain>"

}

Example of the UI input:

Figure 1134: Azure Connection Example

Custom Roles

The ‘built-in’ roles provided by Microsoft are open to all resources. You can create a custom role if required.

You can create a custom role in Azure as described in the following examples. The "assignableScopes" are the objects which this role is allowed to be assigned. In the example below, for the RG level role, you can assign permissions for GigaVUE-FM to access your resource group and also two other resource groups where the GigaVUE V series controller and G-vTAP controllers are placed. Without the GigaVUE V series controller and G-vTAP controllers you would only see images in the marketplace.

Using CLI:

az role definition create --role-definition FM-custom-role-azure-RG-level.json

This section provides examples of the JSON file above.The assignable scopes can be at the Resource Group level, or at the entire Subscription level. This is defined in that JSON file.

Example: Custom Role at Resource Group Level

The following is an example of what you need at RG level:

{

"Name": "FM Custom Role RG Level",

"IsCustom": true,

"Description": "Minimum permissions for FM to operate",

"Actions": [

"Microsoft.Compute/virtualMachines/read",

"Microsoft.Compute/virtualMachines/write",

"Microsoft.Compute/virtualMachines/delete",

"Microsoft.Compute/virtualMachines/start/action",

"Microsoft.Compute/virtualMachines/powerOff/action",

"Microsoft.Compute/virtualMachines/restart/action",

"Microsoft.Compute/virtualMachines/instanceView/read",

"Microsoft.Compute/locations/vmSizes/read",

"Microsoft.Compute/images/read",

"Microsoft.Compute/disks/read",

"Microsoft.Compute/disks/write",

"Microsoft.Compute/disks/delete",

"Microsoft.Network/networkInterfaces/read",

"Microsoft.Network/networkInterfaces/write",

"Microsoft.Network/virtualNetworks/subnets/join/action",

"Microsoft.Network/virtualNetworks/subnets/read",

"Microsoft.Network/networkInterfaces/join/action",

"Microsoft.Network/networkInterfaces/delete",

"Microsoft.Network/publicIPAddresses/read",

"Microsoft.Network/publicIPAddresses/write",

"Microsoft.Network/publicIPAddresses/delete",

"Microsoft.Network/publicIPAddresses/join/action",

"Microsoft.Network/virtualNetworks/read",

"Microsoft.Network/virtualNetworks/virtualMachines/read",

"Microsoft.Network/networkSecurityGroups/read",

"Microsoft.Network/networkSecurityGroups/join/action",

"Microsoft.Network/publicIPAddresses/read ",

"Microsoft.Network/publicIPAddresses/write",

"Microsoft.Network/publicIPAddresses/delete",

"Microsoft.Network/publicIPAddresses/join/action",

"Microsoft.Resources/subscriptions/locations/read",

"Microsoft.Resources/subscriptions/resourceGroups/read",

"Microsoft.Resources/subscriptions/resourcegroups/resources/read"

],

"NotActions": [

 

],

"AssignableScopes": [

"/subscriptions/6447xxx11-1x11-111x-11xx-11x11xx11111/resourceGroups/xxxz-rg",

"/subscriptions/6447xxx11-1x11-111x-11xx-11x11xx11111/resourceGroups/vseries-rg",

"/subscriptions/6447xxx11-1x11-111x-11xx-11x11xx11111/resourceGroups/gvtap-rg"

]

}

Example: Custom Role for Subscription Level

The following is an example of what you need at the Subscription level:

"Name": "FM Custom Role Subscription Level",

"IsCustom": true,

"Description": "Minimum permissions for FM to operate at a subscription level",

"Actions": [

"Microsoft.Compute/virtualMachines/read",

"Microsoft.Compute/virtualMachines/write",

"Microsoft.Compute/virtualMachines/delete",

"Microsoft.Compute/virtualMachines/start/action",

"Microsoft.Compute/virtualMachines/powerOff/action",

"Microsoft.Compute/virtualMachines/restart/action",

"Microsoft.Compute/virtualMachines/instanceView/read",

"Microsoft.Compute/locations/vmSizes/read",

"Microsoft.Compute/images/read",

"Microsoft.Compute/disks/read",

"Microsoft.Compute/disks/write",

"Microsoft.Compute/disks/delete",

"Microsoft.Network/networkInterfaces/read",

"Microsoft.Network/networkInterfaces/write",

"Microsoft.Network/virtualNetworks/subnets/join/action",

"Microsoft.Network/virtualNetworks/subnets/read",

"Microsoft.Network/networkInterfaces/join/action",

"Microsoft.Network/networkInterfaces/delete",

"Microsoft.Network/publicIPAddresses/read",

"Microsoft.Network/publicIPAddresses/write",

"Microsoft.Network/publicIPAddresses/delete",

"Microsoft.Network/publicIPAddresses/join/action",

"Microsoft.Network/virtualNetworks/read",

"Microsoft.Network/virtualNetworks/virtualMachines/read",

"Microsoft.Network/networkSecurityGroups/read",

"Microsoft.Network/networkSecurityGroups/join/action",

"Microsoft.Network/publicIPAddresses/read ",

"Microsoft.Network/publicIPAddresses/write",

"Microsoft.Network/publicIPAddresses/delete",

"Microsoft.Network/publicIPAddresses/join/action",

"Microsoft.Resources/subscriptions/locations/read",

"Microsoft.Resources/subscriptions/resourceGroups/read",

"Microsoft.Resources/subscriptions/resourceGroups/write",

"Microsoft.Resources/subscriptions/resourcegroups/resources/read"

],

"NotActions": [

 

],

"AssignableScopes": [

"/subscriptions/6447xxx11-1x11-111x-11xx-11x11xx11111"

]

}

Add the Custom Role to Subscription or Resource Group

After creating the custom role, you can add the role to either the Resource Group, or at the Subscription level in the Azure console. In this example, the role is added to my Resource Group. As the GigaVUE-FM connection gets connected to the VNET in the resource Group "xxxz-rg", the following permissions/roles are added to the Resource Group. If you want to have GigaVUE-FM create a resource group to launch fabric into, you must add these permissions to the subscription level instead.

Note:  You are adding permissions for the GigaVUE-FM running in Azure (the Virtual Machine).

In this example, GigaVUE-FM is running in another resource group "xxxz-fm-feb7". Select the VM and give the required permissions to access the other resource group "xxxz-rg":

Figure 1135: Adding Permissions

You can also use the CLI to perform the same process. This adds the GigaVUE-FM instance in RG "xxx-feb8-fm" to have access to another RG called "xxxz-rg":

CLI to add role to Resource Group

az vm assign-identity -g xxx-feb8-fm -n xxx-feb8-fm --role "FM Custom Role RG Level" --scope /subscriptions/6447xxx11-1x11-111x-11xx-11x11xx11111/resourceGroups/xxxz-rg

 

CLI for Subscription Level

az vm assign-identity -g xxx-feb8-fm -n xxx-feb8-fm --role "FM Custom Role Subscriptions Level" --scope /subscriptions/6447xxx11-1x11-111x-11xx-11x11xx11111

If you want to update the Role, you can edit the JSON file, and then update the Role in Azure using the following CLI command:

update role

az role definition update --role-definition FM-custom-role-azure-RG-level.json

Pre-defined Roles

Resource groups pre-created (which the GigaVUE-FM monitors):
Assign Reader
Virtual Machine Contributor
Network Contributor
Storage Account Contributor
Resource groups created by GigaVUE-FM: Contributor on subscription level

Accept EULA and Enable Programmatic Deployment in Azure

For GigaVUE-FM to be able to launch the fabric images, you must accept the terms of the end user license agreements (EULAs) and enable programmatic access. This can be done in the Azure portal or through PowerShell.

1.   Accept the Gigamon EULAs for each SKU. These examples show accepting the EULAs from a PowerShell terminal in the Azure Portal:
a. HOURLY FM:

Azure:/

PS Azure:\> Get-AzureRmMarketplaceTerms -Publisher "gigamon-inc" -Product "gigamon-fm-5_4_00_hourly" -Name "GigaSECURE Cloud 5.4.00 Hourly (100 pack)" | Set-AzureRmMarketplaceTerms -Accept

b. BYOL FM:

Azure:/

PS Azure:\> Get-AzureRmMarketplaceTerms -Publisher "gigamon-inc" -Product "gigamon-fm-5_4_00" -Name "GigaSECURE Cloud 5.4.00" | Set-AzureRmMarketplaceTerms -Accept

c. Fabric Images (need to accept on all 3):

Azure:/

PS Azure:\> Get-AzureRmMarketplaceTerms -Publisher "gigamon-inc" -Product "gigamon-fm-5_4_00" -Name "gvtap-cntlr" | Set-AzureRmMarketplaceTerms -Accept

 

Azure:/

PS Azure:\> Get-AzureRmMarketplaceTerms -Publisher "gigamon-inc" -Product "gigamon-fm-5_4_00" -Name "vseries-cntlr" | Set-AzureRmMarketplaceTerms -Accept

 

Azure:/

PS Azure:\> Get-AzureRmMarketplaceTerms -Publisher "gigamon-inc" -Product "gigamon-fm-5_4_00" -Name "vseries-node" | Set-AzureRmMarketplaceTerms -Accept

2. Configure programmatic deployment through the Azure portal so that GigaVUE-FM can launch these images:
a. Find the images in the Azure Marketplace.
b. Click the "Want to deploy programmatically? Get started" link.
c. Review the terms of service and the subscription name and then click Enable.

Disclaimer: These are general guidelines for enabling a deployment in Azure. Since the Azure interface is subject to change and is outside Gigamon’s purview, please see Azure documentation for instructions on using Azure.