Permissions and Privileges (Azure)

When you first connect GigaVUE-FM to Azure, you need the appropriate authentication so that Azure can verify your identity and check whether you have permission to access the resources you are requesting. GigaVUE-FM uses this authentication to integrate with the Azure APIs and to automate fabric deployment and management.

Prerequisite

Have pre-defined custom roles, or create new ones, that can be attached at the resource group or subscription level. Refer to the Custom Roles topic for details on how to create custom roles.

Custom Roles

The built-in roles provided by Microsoft apply to all resources. You can create a custom role if required. For more information, refer to the Azure custom roles topic in the Azure documentation.

You can use the following command to create custom roles in CLI:

az role definition create --role-definition <Custom Role>.json

The following examples provide the minimum permissions required for GigaVUE-FM to deploy the fabric components and/or inventory the UCT-V. The permissions can be applied at the resource group level or the subscription level:

Example 1: Create Custom Role for GigaVUE-FM to deploy visibility fabric components and inventory UCT-V

{
    "name": "GigaVue-FM-Service-Role",
    "roleName": "CustomRoleFabricDeploymentAndInventory",
    "description": "The minimum requirements for FM to deploy Fabric Components and inventory UCT-V",
    "assignableScopes": [
      "/subscriptions/<Subscription ID>/resourceGroups/<resourceGroup name>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/virtualMachines/read",
          "Microsoft.Compute/virtualMachines/write",
          "Microsoft.Compute/virtualMachines/delete",
          "Microsoft.Compute/virtualMachines/start/action",
          "Microsoft.Compute/virtualMachines/powerOff/action",
          "Microsoft.Compute/virtualMachines/restart/action",
          "Microsoft.Compute/virtualMachines/instanceView/read",
          "Microsoft.Compute/locations/vmSizes/read",
          "Microsoft.Compute/images/read",
          "Microsoft.Compute/disks/read",
          "Microsoft.Compute/disks/write",
          "Microsoft.Compute/disks/delete",
          "Microsoft.Network/networkInterfaces/read",
          "Microsoft.Network/networkInterfaces/write",
          "Microsoft.Network/virtualNetworks/subnets/join/action",
          "Microsoft.Network/virtualNetworks/subnets/read",
          "Microsoft.Network/networkInterfaces/join/action",
          "Microsoft.Network/networkInterfaces/delete",
          "Microsoft.Network/publicIPAddresses/read",
          "Microsoft.Network/publicIPAddresses/write",
          "Microsoft.Network/publicIPAddresses/delete",
          "Microsoft.Network/publicIPAddresses/join/action",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/virtualNetworks/virtualMachines/read",
          "Microsoft.Network/networkSecurityGroups/read",
          "Microsoft.Network/networkSecurityGroups/join/action",
          "Microsoft.Resources/subscriptions/locations/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Resources/subscriptions/resourcegroups/resources/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
}

Example 2: Create Custom Role for GigaVUE-FM to only inventory UCT-V

{
    "name": "GigaVue-FM-Service-Role",
    "roleName": "CustomRoleInventoryUCT-V",
    "description": "Minimum requirements for FM to inventory UCT-V",
    "assignableScopes": [
      "/subscriptions/<Subscription ID>/resourceGroups/<resourceGroup name>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/virtualMachines/read",
          "Microsoft.Compute/virtualMachines/instanceView/read",
          "Microsoft.Compute/images/read",
          "Microsoft.Compute/disks/read",
          "Microsoft.Network/networkInterfaces/read",
          "Microsoft.Network/virtualNetworks/subnets/read",
          "Microsoft.Network/publicIPAddresses/read",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/virtualNetworks/virtualMachines/read",
          "Microsoft.Network/networkSecurityGroups/read",
          "Microsoft.Resources/subscriptions/locations/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Resources/subscriptions/resourcegroups/resources/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
}

Use one of the following snippets for the "assignableScopes" field in the JSON file above, depending on whether the custom role is to be assigned at the resource group level or the subscription level.

For Resource group level:

"assignableScopes": [
      "/subscriptions/<Subscription ID>/resourceGroups/<resourceGroup name>"
    ],

For Subscription level:

"assignableScopes": [
      "/subscriptions/<Subscription ID>/"
    ],

To add a role assignment, refer to Steps to assign an Azure role.
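Before loading a role definition with az role definition create, it is worth checking it against the least-privilege intent described above. The following is an added example (not Gigamon's or Azure's code) that audits a role definition in the JSON shape used on this page: it flags wildcard actions, data-plane actions and subscription-wide scopes, separates mutating actions from plain reads, and confirms that the inventory-only role grants a strict subset of the deployment role. The two role dictionaries are constructed, abridged samples of the examples above.

```python
import re

# Constructed samples, abridged from the two role definitions on this page.
DEPLOY_ROLE = {
    "roleName": "CustomRoleFabricDeploymentAndInventory",
    "assignableScopes": ["/subscriptions/<Subscription ID>/resourceGroups/<resourceGroup name>"],
    "permissions": [{"actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Compute/virtualMachines/delete",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/networkInterfaces/read",
    ], "notActions": [], "dataActions": [], "notDataActions": []}],
}
INVENTORY_ROLE = {
    "roleName": "CustomRoleInventoryUCT-V",
    "assignableScopes": ["/subscriptions/<Subscription ID>/"],  # subscription-wide on purpose
    "permissions": [{"actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Network/networkInterfaces/read",
    ], "notActions": [], "dataActions": [], "notDataActions": []}],
}

# A scope of the form /subscriptions/<id> (optional trailing slash) covers the whole subscription.
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[^/]+/?$")

def actions_of(role):
    """Flatten every 'actions' list of a role definition into one set."""
    return {a for perm in role["permissions"] for a in perm["actions"]}

def mutating_actions(role):
    """Actions that can change state: anything that is not a plain */read."""
    return {a for a in actions_of(role) if not a.endswith("/read")}

def audit_role(role):
    """Return least-privilege findings; an empty list means nothing to flag."""
    findings = []
    for action in sorted(actions_of(role)):
        if "*" in action:
            findings.append(f"wildcard action: {action}")
    for perm in role["permissions"]:
        if perm.get("dataActions"):
            findings.append("dataActions granted; FM only needs control-plane actions")
    for scope in role["assignableScopes"]:
        if SUBSCRIPTION_SCOPE.match(scope):
            findings.append(f"subscription-wide scope: {scope}")
    return findings

def inventory_is_subset(inventory, deploy):
    """The inventory-only role must never grant more than the deployment role."""
    return actions_of(inventory) <= actions_of(deploy)
```

Run audit_role on your own definition after replacing the placeholders; a subscription-wide finding is expected only when you deliberately chose the subscription-level snippet above.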

GigaVUE-FM supports two types of authentication with Azure. Refer to the following sections for details on how to enable each type of authentication for GigaVUE-FM and how to assign the custom roles created above to GigaVUE-FM:

Managed Identity (recommended)

Managed Identity (MSI) is a feature of Azure Active Directory. When you enable MSI on an Azure service, Azure automatically creates an identity for the service VM in the Azure AD tenant used by your Azure subscription.

Managed Identity (MSI) is only available when GigaVUE-FM is launched inside Azure. If GigaVUE‑FM is launched in one VNet and the GigaVUE V Series Nodes are deployed in a different VNet, then Virtual Network Peering must be configured. Refer to the Virtual Network Peering for more details on how to configure Virtual Network Peering.

Note: When using Managed Identity (MSI), an IAM policy modified in the Azure Portal can take a long time to be reflected in GigaVUE-FM. Refer to the Limitation of using managed identities for authorization section in the Azure documentation for details.

There are two steps to make MSI work:

  1. Enable MSI on the VM running GigaVUE‑FM. This can be done using the Azure Portal or the Azure CLI.
    1. Azure Portal: Refer to Configure managed identities using the Azure portal in the Azure documentation for detailed instructions.
    2. Azure CLI:
      • For resource group level: az vm identity assign -g <Resource group where GigaVUE-FM is deployed> -n <GigaVUE-FM name> --scope <resource group id>
      • For subscription level: az vm identity assign -g <Resource group where GigaVUE-FM is deployed> -n <GigaVUE-FM name> --scope <subscription id>

        For more information, refer to the Configure managed identities for Azure resources using Azure CLI topic in the Azure documentation.

  2. Assign permissions to this VM on all the resources that GigaVUE‑FM needs to manage.

After enabling MSI, you can assign custom roles to GigaVUE-FM at a resource group level or subscription level:

Assign a Custom Role using CLI

  1. Assign a custom role at the resource group level where you will deploy the fabric:

    az vm identity assign -g <Resource group where GigaVUE-FM is deployed> --role <Custom Role> -n <GigaVUE-FM name> --scope <resource group id>

  2. Assign a custom role at the subscription level to view the complete account details:

    az vm identity assign -g <Resource group where GigaVUE-FM is deployed> --role <Custom Role> -n <GigaVUE-FM name> --scope <subscription id>

If you want to update the role, edit the JSON file and then update the role in Azure using the following CLI command:

az role definition update --role-definition <Custom Role>.json

You can run these commands in the Azure Portal using Cloud Shell (the Cloud Shell icon is in the upper right of the portal).

Assign a Custom Role using Azure Portal

You can assign roles to GigaVUE-FM using the Azure Portal at the resource group level or the subscription level. Refer to the Assign Azure roles topic in the Azure documentation for detailed information.

Application ID with client secret

GigaVUE-FM supports Application ID with client secret authentication. When GigaVUE-FM connects to Azure this way, it uses a service principal, which is an account for a non-human entity such as an application. When GigaVUE-FM is launched outside Azure, Application ID with client secret is the preferred method.

To create a service principal in Azure, refer to the following topics in the Azure Documentation:

■   Create an Azure service principal with the Azure CLI
■   Create an Azure service principal with Azure PowerShell
■   Create an Azure service principal with Azure Portal

GigaVUE‑FM must be able to access the URLs listed in the Allow the Azure portal URLs on your firewall or proxy server topic in order to connect to Azure.

The following endpoints are required for Azure GovCloud:
  • authentication_endpoint = https://login.microsoftonline.us/
  • azure_endpoint = https://management.usgovcloudapi.net/

After creating the service principal in Azure, you can assign the custom roles to it. Refer to Assign a Custom Role using CLI or Assign a Custom Role using Azure Portal for detailed information on how to assign roles.

The key fields required for GigaVUE-FM to connect to Azure are Subscription ID, Tenant ID, Application ID, and Application Secret.

  • When creating the service principal using the Azure CLI, the output of that command displays the "appId" and "password" fields. These are the Application ID and Application Secret that GigaVUE-FM requires to connect to Azure. Copy them.
  • Next, run az account show in the Azure CLI and copy the Subscription ID and the Tenant ID of your subscription.

The Subscription ID, Tenant ID, Application ID, and Application Secret will be used when creating credentials in GigaVUE-FM. Refer to Create Azure Credentials for step-by-step instructions.

Disclaimer: These are general guidelines for enabling a deployment in Azure. Since the Azure interface is subject to change and is outside Gigamon’s purview, please see Azure documentation for instructions on using Azure.