Permissions and Privileges

When you first connect GigaVUE-FM to Azure, you need the appropriate authentication for Azure to verify your identity and check that you have permission to access the resources you are requesting. This authentication lets GigaVUE-FM call the Azure APIs and automate fabric deployment and management.

Prerequisite

  • Pre-defined custom roles, or

  • Custom roles that you create and attach at the resource group level or the subscription level.

For details, refer to Custom Roles.

Custom Roles

Microsoft's built-in roles grant access across all resources, which is broader than GigaVUE-FM needs. Create a custom role to limit GigaVUE-FM to the permissions listed in the examples below. For more information, refer to Azure custom roles in the Azure Documentation.

You can use the following command to create custom roles in CLI:

az role definition create --role-definition <Custom Role>.json

The following examples provide the minimum permissions required for GigaVUE-FM to deploy the fabric components and/or inventory the UCT-V. You can apply the permissions at the resource group level or the subscription level.

The assignableScopes snippet in the example JSON files controls where the custom role can be assigned. Use one of the following forms, depending on whether you assign the role at the resource group level or the subscription level.

For Resource group level:

"assignableScopes": [
      "/subscriptions/<Subscription ID>/resourceGroups/<resourceGroup name>"
    ],

For Subscription level:

"assignableScopes": [
      "/subscriptions/<Subscription ID>/"
    ],

Example 1: Create Custom Role for GigaVUE‑FM to deploy visibility fabric components and inventory UCT-V

{
    "name": "GigaVue-FM-Service-Role",
    "roleName": "CustomRoleFabricDeploymentAndInventory",
    "description": "The minimum requirements for FM to deploy Fabric Components and inventory UCT-V",
    "assignableScopes": [
      "/subscriptions/<SubscriptionID>/resourceGroups/<resourceGroup name>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/virtualMachines/read",
          "Microsoft.Compute/virtualMachines/write",
          "Microsoft.Compute/virtualMachines/delete",
          "Microsoft.Compute/virtualMachines/start/action",
          "Microsoft.Compute/virtualMachines/powerOff/action",
          "Microsoft.Compute/virtualMachines/restart/action",
          "Microsoft.Compute/virtualMachines/instanceView/read",
          "Microsoft.Compute/locations/vmSizes/read",
          "Microsoft.Compute/images/read",
          "Microsoft.Compute/disks/read",
          "Microsoft.Compute/disks/write",
          "Microsoft.Compute/disks/delete",
          "Microsoft.Network/networkInterfaces/read",
          "Microsoft.Network/networkInterfaces/write",
          "Microsoft.Network/virtualNetworks/subnets/join/action",
          "Microsoft.Network/virtualNetworks/subnets/read",
          "Microsoft.Network/networkInterfaces/join/action",
          "Microsoft.Network/networkInterfaces/delete",
          "Microsoft.Network/publicIPAddresses/read",
          "Microsoft.Network/publicIPAddresses/write",
          "Microsoft.Network/publicIPAddresses/delete",
          "Microsoft.Network/publicIPAddresses/join/action",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/virtualNetworks/virtualMachines/read",
          "Microsoft.Network/networkSecurityGroups/read",
          "Microsoft.Network/networkSecurityGroups/join/action",
          "Microsoft.Resources/subscriptions/locations/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Resources/subscriptions/resourcegroups/resources/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
}

Example 2: Create Custom Role for GigaVUE‑FM to only inventory UCT-V

{
    "name": "GigaVue-FM-Service-Role",
    "roleName": "CustomRoleInventoryUCT-V",
    "description": "Minimum requirements for FM to inventory UCT-V",
    "assignableScopes": [
      "/subscriptions/<Subscription ID>/resourceGroups/<resourceGroup name>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/virtualMachines/read",
          "Microsoft.Compute/virtualMachines/instanceView/read",
          "Microsoft.Compute/images/read",
          "Microsoft.Compute/disks/read",
          "Microsoft.Network/networkInterfaces/read",
          "Microsoft.Network/virtualNetworks/subnets/read",
          "Microsoft.Network/publicIPAddresses/read",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/virtualNetworks/virtualMachines/read",
          "Microsoft.Network/networkSecurityGroups/read",
          "Microsoft.Resources/subscriptions/locations/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Resources/subscriptions/resourcegroups/resources/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
}

To add a role assignment, refer to Steps to assign an Azure role.

GigaVUE-FM supports two types of authentication with Azure. Refer to the following sections for more detailed information on how to enable each type of authentication for GigaVUE‑FM and how to assign the above-created custom roles for GigaVUE‑FM:

Managed Identity (recommended)

Managed Identity (MSI) is a feature of Azure Active Directory. When you enable MSI on an Azure service, Azure automatically creates an identity for the service VM in the Azure AD tenant used by your Azure subscription.

Managed Identity (MSI) is only available when you launch GigaVUE‑FM inside Azure. If the launch location of GigaVUE‑FM differs from the VNet where you deploy the Nodes, then you need to configure Virtual Network Peering. For details, refer to Virtual Network Peering.

There are two steps to have MSI work:

  1. Enable MSI on the VM that runs GigaVUE‑FM, using either the Azure portal or the CLI.
  2. Assign the custom role to this VM's identity on every resource group or subscription that GigaVUE‑FM needs to manage.

After enabling MSI, you can assign custom roles to GigaVUE‑FM at a resource group level or subscription level.

NOTE: Use a system-assigned managed identity in Azure when a single resource needs to authenticate to other services and you want the identity's lifecycle tied to the resource's. This means the identity is created and deleted along with the resource.

Assign a Custom Role using CLI

  1. Assign a custom role at the resource group level where you deploy the fabric:

    az vm identity assign -g <Resource group where FM is deployed> --role <Custom Role> -n <GigaVUE-FM name> --scope <resource group id>

  2. Assign a custom role at the subscription level to view the complete account details:

    az vm identity assign -g <Resource group where FM is deployed> --role <Custom Role> -n <GigaVUE-FM name> --scope <subscription id>

If you want to update the Role, you can edit the JSON file and then update the Role in Azure using the following CLI command:

az role definition update --role-definition <Custom Role>.json

You can run these commands in a Cloud Shell in the Azure Portal (the Cloud Shell icon is in the upper right of the portal).
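The role JSON listings above and the CLI steps in this section can be checked and scripted together. The following Python script is an added example, not Gigamon's or Microsoft's code: it lints a role definition (catching the typographic quotes and missing commas that make az role definition create reject a file, duplicate or wildcard actions, and scopes that are neither a subscription nor a resource group), lists the non-read actions that separate the deploy role from the inventory-only role, and builds the az role definition create and az vm identity assign calls with the long-form --role flag. The subscription GUID, the resource group fm-rg, the VM name gigavue-fm, the file deploy-role.json and the abridged action lists are constructed placeholders; without --apply nothing is sent to Azure.

```python
"""Lint a GigaVUE-FM custom-role definition and build the az CLI calls that
register it and attach it to the FM VM's system-assigned managed identity."""
import json
import re
import subprocess
import sys

# Constructed placeholder values; replace with your own subscription and resource group.
SUB = "00000000-0000-0000-0000-000000000000"
RG = "fm-rg"
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
# The two scope shapes the page shows: resource group level or subscription level.
SCOPE_RE = re.compile(rf"^/subscriptions/{GUID}(?:/resourceGroups/[^/]+|/?)$")
MUTATING_SUFFIXES = ("/write", "/delete", "/action")


def role_json(role_name, description, actions):
    """Build a role definition in the shape of the page's Example 1 and 2 listings."""
    return json.dumps({
        "roleName": role_name,
        "description": description,
        "assignableScopes": [f"/subscriptions/{SUB}/resourceGroups/{RG}"],
        "permissions": [{"actions": actions, "notActions": [],
                         "dataActions": [], "notDataActions": []}],
    }, indent=2)


# Constructed, abridged versions of the page's two roles (the real ones list more actions).
INVENTORY_ROLE = role_json("CustomRoleInventoryUCT-V", "Inventory UCT-V only", [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/instanceView/read",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
])
DEPLOY_ROLE = role_json("CustomRoleFabricDeploymentAndInventory", "Deploy fabric and inventory UCT-V", [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
])
# A listing with typographic quotes and a missing comma, the defects seen in copied JSON.
BROKEN_ROLE = '{ “name”: “GigaVue-FM-Service-Role” "roleName": "x", "assignableScopes": [], "permissions": [] }'


def lint_role_definition(text):
    """Return findings for a role definition; an empty list means it passes."""
    try:
        role = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    findings = [f"missing field: {k}" for k in ("roleName", "assignableScopes", "permissions") if k not in role]
    name = role.get("roleName", "")
    if name != name.strip():
        findings.append("roleName has surrounding whitespace")
    for scope in role.get("assignableScopes", []):
        if not SCOPE_RE.match(scope):
            findings.append(f"scope is neither subscription nor resource group: {scope}")
    for perm in role.get("permissions", []):
        actions = perm.get("actions", [])
        findings += [f"duplicate action: {a}" for a in sorted(set(actions)) if actions.count(a) > 1]
        findings += [f"wildcard action: {a}" for a in actions if "*" in a]
        if perm.get("dataActions"):
            findings.append("dataActions present; FM needs only management-plane actions")
    return findings


def non_read_actions(text):
    """Actions that create, change or delete resources: what a deploy role adds over inventory."""
    role = json.loads(text)
    actions = {a for p in role["permissions"] for a in p.get("actions", [])}
    return sorted(a for a in actions if a.endswith(MUTATING_SUFFIXES))


def build_commands(role_file, role_name, fm_rg, fm_vm, scope):
    """The page's CLI steps as argv lists: create the role, then assign it to the
    FM VM's system-assigned identity at the given scope (long-form --role flag)."""
    return [
        ["az", "role", "definition", "create", "--role-definition", role_file],
        ["az", "vm", "identity", "assign", "--resource-group", fm_rg, "--name", fm_vm,
         "--role", role_name, "--scope", scope],
    ]


if __name__ == "__main__":
    for label, text in (("inventory", INVENTORY_ROLE), ("deploy", DEPLOY_ROLE), ("broken", BROKEN_ROLE)):
        print(f"{label}: {lint_role_definition(text) or 'no findings'}")
    print("deploy role adds:", non_read_actions(DEPLOY_ROLE))
    # Pass --apply to run the az commands for real (needs an Azure CLI login and deploy-role.json on disk).
    for cmd in build_commands("deploy-role.json", "CustomRoleFabricDeploymentAndInventory",
                              RG, "gigavue-fm", f"/subscriptions/{SUB}/resourceGroups/{RG}"):
        print(" ".join(cmd))
        if "--apply" in sys.argv:
            subprocess.run(cmd, check=True)
```

Run the lint on both role files before registering them; a role that fails to parse is rejected by the CLI, and a role that passes but carries non-read actions should only be assigned to a GigaVUE-FM that actually deploys fabric components.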

Assign a Custom Role using Azure Portal

You can assign roles to GigaVUE-FM using Azure Portal for Resource Group Level or Subscription Level. For details, refer to Assign Azure roles topic in Azure Documentation.

Application ID with client secret

GigaVUE-FM supports application id with client secret authentication. When GigaVUE-FM connects to Azure, it authenticates using a service principal. A service principal is an account for a non-human such as an application to connect to Azure. If you launch GigaVUE-FM outside Azure, use the application ID with client secret for authentication.

To create a service principal in Azure, refer to the following topics in the Azure Documentation:

  • Create an Azure service principal with the Azure CLI
  • Create an Azure service principal with Azure PowerShell
  • Create an Azure service principal with Azure Portal

Ensure that GigaVUE‑FM is able to access the URLs listed in Allow the Azure portal URLs on your firewall or proxy server in order to connect to Azure.

The following endpoints are required for Azure GovCloud:

  • authentication_endpoint = https://login.microsoftonline.us/
  • azure_endpoint = https://management.usgovcloudapi.net/

After creating service principal in Azure, you can add custom roles. For details, refer to Assign a Custom Role using CLI or Assign a Custom Role using Azure Portal.

The key fields required for GigaVUE-FM to connect to Azure are Subscription ID, Tenant ID, Application ID, and Application Secret.

  • When you create the service principal using the Azure CLI, the command output displays the "appId" and "password" fields. These are the Application ID and Application Secret that GigaVUE-FM requires to connect to Azure. Copy them; the secret is shown only at creation time.
  • Then, using the Azure CLI again, run the az account show command and copy the Subscription ID ("id") and the Tenant ID ("tenantId") of your subscription.

You need to use the Subscription ID, Tenant ID, Application ID, and Application Secret when creating credentials in GigaVUE-FM. For instructions, refer to Create Azure Credentials.
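The two CLI outputs described above are easy to mix up or to paste into the wrong field. The following Python script is an added example, not Gigamon's or Microsoft's code: it takes constructed samples shaped like the output of az ad sp create-for-rbac and az account show, checks that the three identifiers are GUIDs, that the service principal was created in the same tenant as the subscription, and that the secret is present, then assembles the four GigaVUE-FM fields together with the endpoints for the account's cloud. The GovCloud endpoints are the ones listed on this page; the public-cloud pair for the AzureCloud environment is the standard Azure public endpoints and is assumed here, not taken from the page.

```python
"""Assemble the four values GigaVUE-FM needs for application-ID/client-secret
authentication from Azure CLI output, and check them before they are entered."""
import json
import re

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Endpoints by the az "environmentName" value. The GovCloud pair is from the page;
# the AzureCloud pair is the standard public-cloud endpoints (assumed, not on the page).
ENDPOINTS = {
    "AzureUSGovernment": {"authentication_endpoint": "https://login.microsoftonline.us/",
                          "azure_endpoint": "https://management.usgovcloudapi.net/"},
    "AzureCloud": {"authentication_endpoint": "https://login.microsoftonline.com/",
                   "azure_endpoint": "https://management.azure.com/"},
}

# Constructed sample outputs in the shape of `az ad sp create-for-rbac` and `az account show`.
SP_OUTPUT = json.dumps({
    "appId": "11111111-1111-1111-1111-111111111111",
    "displayName": "gigavue-fm-sp",
    "password": "constructed-secret-value",
    "tenant": "22222222-2222-2222-2222-222222222222",
})
ACCOUNT_OUTPUT = json.dumps({
    "environmentName": "AzureUSGovernment",
    "id": "33333333-3333-3333-3333-333333333333",
    "name": "Example subscription",
    "tenantId": "22222222-2222-2222-2222-222222222222",
})


def check_credentials(sp_json, account_json):
    """Return problems found in the two CLI outputs; an empty list means they are usable together."""
    sp, acct = json.loads(sp_json), json.loads(account_json)
    problems = []
    for label, value in (("Subscription ID", acct.get("id")),
                         ("Tenant ID", acct.get("tenantId")),
                         ("Application ID", sp.get("appId"))):
        if not value or not GUID_RE.match(value):
            problems.append(f"{label} is missing or not a GUID: {value!r}")
    if not sp.get("password"):
        problems.append("Application Secret is missing; it is only shown once, at creation")
    if sp.get("tenant") and sp["tenant"] != acct.get("tenantId"):
        problems.append("service principal tenant differs from the subscription tenant")
    if acct.get("environmentName") not in ENDPOINTS:
        problems.append(f"unknown environment: {acct.get('environmentName')!r}")
    return problems


def collect_fm_credentials(sp_json, account_json):
    """The GigaVUE-FM credential fields plus the endpoints for the account's cloud."""
    problems = check_credentials(sp_json, account_json)
    if problems:
        raise ValueError("; ".join(problems))
    sp, acct = json.loads(sp_json), json.loads(account_json)
    return {
        "subscription_id": acct["id"],
        "tenant_id": acct["tenantId"],
        "application_id": sp["appId"],
        "application_secret": sp["password"],
        **ENDPOINTS[acct["environmentName"]],
    }


def redacted(creds):
    """Copy that is safe for logs and tickets: the secret never appears in clear text."""
    return {k: ("<redacted>" if k == "application_secret" else v) for k, v in creds.items()}


if __name__ == "__main__":
    creds = collect_fm_credentials(SP_OUTPUT, ACCOUNT_OUTPUT)
    print(json.dumps(redacted(creds), indent=2))
```

In practice, feed the script the real command output (for example, az ad sp create-for-rbac ... -o json and az account show -o json) and enter only the values it returns; the tenant check catches a service principal created while logged into a different tenant than the subscription GigaVUE-FM will manage.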

Disclaimer: General guidelines are available for enabling a deployment in Azure. Since the Azure interface is subject to change and is outside Gigamon’s purview, refer to Azure documentation for instructions on using Azure.