Onboard an Azure Cloud subscription - default setup
Learn how to onboard an Azure subscription. Before you begin:
Review the prerequisites. See Prerequisites for Onboarding Azure.
See Permissions for Onboarding Azure for the list of required permissions. Onboarding a subscription with the wizard automatically provides the required permissions.
If this is the first time logging in to Illumio Cloud, click + Azure on the Onboarding page to onboard your first account.
If you've already onboarded other accounts, choose Onboarding from the left navigation. The Onboarding page appears. Click +Add Azure at the top of the page.
The Add Azure Cloud Account wizard starts and displays the first step: Connect to Azure.
Provide the following information about your Azure account:
Name: You specify a name for the account; this name is what will appear in Illumio Cloud. The name should be descriptive so that you can easily identify it.
Tenant ID: Paste this ID that you copied from Azure. The tenant ID is also known as the parent management group ID.
Subscription ID: Paste the subscription ID that you copied from Azure.
Note
The page contains a toggle below the Subscription ID field to specify the type of access Illumio Cloud will have to your Azure subscription. Choosing Yes grants the Illumio Cross Account Role permission to view your Azure subscription resources and to apply policy to them. Choosing No provides the Illumio Cross Account Role read-only access. To view the permissions you are granting Illumio Cloud to your Azure subscription, click Download Permissions.
When done completing these settings, click Next.
Select a service account that you want to use or create a new one. Make sure to download the credentials, as they will be needed for the PowerShell script to return the Azure AD app credentials back to Illumio Cloud.
Enter the ServiceAccountToken in the appropriate field.
The wizard advances to step two: Set up Access.
The Set up Access step includes a field containing a PowerShell command to run the illumio-init.ps1 script in Azure. Illumio securely hosts the script so that it can run during the onboarding process. The PowerShell command automatically appends the subscription ID you entered in the first step of the wizard. To the left of the PowerShell command field, click the copy icon. The icon refreshes with a check mark on a green field, indicating you successfully copied the command.
In a new browser window, open your Azure portal.
From the top taskbar, click the Cloud Shell icon to open a console; select the PowerShell option.
After Azure finishes building your Azure drive, paste the copied PowerShell command.
When you run the script in Azure, it creates an AD app registration named "Illumio-CloudSecure-Access." The script also creates a custom role named "Illumio Network Security Administrator." Additionally, the app registration includes Reader roles.
Creation of the AD app registration and the roles allows Illumio Cloud access to the subscription resources. Illumio Cloud is able to discover subscription resources and write policies for them.
For the complete list of permissions granted to Illumio Cloud for your account, see Permissions for Onboarding Azure.
The script sends the Client ID and Client Secret to Illumio Cloud. It accesses your Azure subscription so that you don't have to repeatedly provide your Azure credentials.
Leave your Azure portal and return to Illumio Cloud. The Set up Access step in the onboarding wizard should still be displayed.
Select the check box indicating that the “deployment” script has finished running in Azure, and click Next.
The final step of the wizard appears. This step displays a summary of the subscription information you just specified for onboarding.
Review the subscription information and if everything looks correct, click Save and Confirm. If you see issues you need to correct, click Back and return to that wizard step.
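After the wizard completes, it is worth confirming in your own tenant exactly what the onboarding script left behind: the app registration, the service principal's role assignments and their scopes, the secret expiry dates, and the actions inside the custom role. The following is an added audit script for Azure Cloud Shell using the Az PowerShell module; it is not Illumio's illumio-init.ps1 and does not change anything. The app registration and custom role names are the ones this page states the script creates; the subscription ID is a placeholder you replace with your own.

```powershell
# Added audit example (not Illumio's onboarding script). Read-only: it only lists
# what the onboarding created so you can review the access you have granted.
$subscriptionId = '<your-subscription-id>'                  # placeholder, replace
$appName        = 'Illumio-CloudSecure-Access'              # name stated on this page
$roleName       = 'Illumio Network Security Administrator'  # name stated on this page

Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# 1. Confirm the app registration and its service principal exist, and flag duplicates
#    (a second copy can appear if the script was run more than once).
$app = Get-AzADApplication -DisplayName $appName
$sp  = Get-AzADServicePrincipal -DisplayName $appName
if (-not $app -or -not $sp) { throw "App registration or service principal '$appName' not found." }
if (@($app).Count -gt 1)    { Write-Warning "More than one app registration named '$appName' exists." }

# 2. Show each client secret's validity window so you can plan the rotation described
#    under 'Updating your Service Account Principals'.
"Client secrets on '$appName':"
Get-AzADAppCredential -ObjectId $app.Id | Select-Object KeyId, StartDateTime, EndDateTime | Format-Table -AutoSize

# 3. List every role assignment the service principal holds in this subscription, with its scope.
$assignments = Get-AzRoleAssignment -ObjectId $sp.Id
"Role assignments for '$appName':"
$assignments | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize

# 4. Inspect the custom role; its Actions list is what 'read and write' access means in practice.
$role = Get-AzRoleDefinition -Name $roleName
if ($role) {
    "Actions granted by '$roleName':"
    $role.Actions
    "Actions excluded by '$roleName':"
    $role.NotActions
} else {
    Write-Warning "Custom role '$roleName' was not found in this subscription."
}

# 5. Flag any assignment beyond the two roles this page says the script grants (Reader and the custom role).
$expected = @('Reader', $roleName)
$assignments | Where-Object { $_.RoleDefinitionName -notin $expected } |
    ForEach-Object { Write-Warning "Unexpected role assignment: $($_.RoleDefinitionName) at $($_.Scope)" }
```

Run it in the same Cloud Shell PowerShell session you used for onboarding; the account running it needs read access to Azure AD objects and to role assignments in the subscription. Keep the output with your onboarding records so a later review can compare the granted permissions against the list in Permissions for Onboarding Azure.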
Onboard a subscription with Illumio Cloud
Note
Illumio Cloud can read flow logs from several NSGs that send to the same storage account. Azure lets you configure NSG flow logs from multiple VNets, even when those VNets reside in different subscriptions, to be sent to a single storage account in the same region that resides in a single subscription. By granting access to that one storage account, you allow Illumio Cloud to obtain and analyze flow logs for all the NSGs across those subscriptions. For more information on flow logs, see Grant Flow Log Access.
What's next after onboarding your subscription?
When finished, the Onboarding page opens and displays a new row for that account.
For the next steps after onboarding a subscription, set up and enable flow logs. See Onboarding Azure. Once you set up and enable flow logs, see After onboarding your accounts.
If you originally set the permissions to read only, and wish to change them to read and write, see Change Azure permissions from read to read and write.
Updating your Service Account Principals
If you need to update your service account principals when they expire, see Update Service Principals for Onboarded Azure Subscriptions and Tenants.