• Spaces
  • People
  • Help
    • BMC Support Central BMC Community BMC.com
    ×
    Configipedia

    Page tree
    Skip to end of metadata
    Go to start of metadata

    Microsoft Azure is a cloud service provided by Microsoft. Microsoft Azure enables you to have virtualized computing platforms accessible through the internet. It is divided into a number of regulatory domains around the world, so that in countries with particular regulations regarding data, organizations can store and manage data in compliance with local laws. 

    Node changes in Technology Knowledge Update TKU 2019-Dec-1

    TKU December 2019 enhances the model for Cloud Regions and Cloud Services to be segregated by account. If you discover more than one AWS Account, more than one Azure Subscription or more than one GCP Project, all the data from Cloud Region through to individual nodes within services will be clearly separated, where before it was intermingled.

    As a result, the keys of all CloudRegion and CloudService nodes, and many contained nodes will change, even if you only discover a single account. If you synchronize to a CMDB, the identities of the corresponding CIs will also change.

    The existing nodes are not deleted automatically with the application of the TKU. To remove the old nodes from the BMC Discovery model, you can delete the patterns that were deactivated by the new patterns in the TKU. However, the old CIs in the CMDB will not be deleted automatically. The simplest way to remove them is to perform a resynchronization.

    Discovering Microsoft Azure

    This section describes the settings and procedures required to discover services running in Azure. It contains the following sections:

    Services and regulatory domains discovered

    You access and configure all of your services in the Azure Public cloud using the Microsoft Azure portal and in the other clouds using the appropriate portals.

    The following regulatory domains can be discovered with the latest product content update:

    BMC Discovery enables you to discover your cloud services running in Microsoft Azure. The following set of Microsoft Azure services can be discovered with the latest product content update:

    More detailed information on discovery of Microsoft Azure services is contained in the following Configipedia pages:


    BMC Discovery enables you to discover your cloud services running in these regions. To do so, you must provide application ID and authentication key (credential) with which BMC Discovery can access the cloud, you create the access key using the Microsoft Azure portal or the the Microsoft Azure Germany portal.

    Create a credential

    Creating a credential is a two stage process, in the Microsoft Azure Portal you obtain a Directory ID, Application ID, and authentication key. Then in BMC Discovery, you use this information to add the cloud discovery credential. These two steps are mandatory for setting the Microsoft Azure discovery. 

    Find the Directory ID, Application ID and Authentication Key in the Microsoft Azure Portal

    The procedure is outlined here, though the steps to do this are described fully on this Microsoft Azure web page.

    1. Use the Microsoft Azure Portal to find a Directory ID for your Microsoft Azure account.
      1. Directory ID–Find the Directory ID for your Microsoft Azure account under Azure Active Directory > Properties in the Microsoft Azure Portal.
        The Directory ID is a GUID, and is also known as the Tenant ID.
    2. Find the Application ID and Authentication Key.
      1. Continuing in the Microsoft Azure Portal, add an "App registration" for your BMC Discovery appliance in the in Azure Active Directory > App registrations section. You must provide a name, for example "BMC Discovery", an application type, "Web app / API", and a sign-on URL for the appliance. The URL is mandatory, but is not used. Once you have created the application registration for BMC Discovery, obtain the following information for the application.
      2. Application ID–It is shown in the Properties for the application in Azure Active Directory > App registrations in the Microsoft Azure Portal.  The Application ID is a GUID. Ensure that you select the Application ID and not the Object ID.

      3. Application Key–Create the Application Key (press +New client secret) in the Certificates & secrets for the application in Azure Active Directory > App registrations in the Microsoft Azure Portal. You can only copy the key when you first create it, so keep it safe.

        Note

        If you lose the Application Key, you cannot retrieve it from the Microsoft Azure Portal. You must create a new application key and use the new key in the BMC Discovery cloud credential. You should keep a note of the application key until you have successfully tested the cloud credential.

    Assign the required permissions for the BMC Discovery application registration in the Microsoft Azure Portal

    The built-in Reader role is sufficient to discover everything except size and encryption (D@RE) values for VHDs used by VMs. To discover size and encryption (D@RE) values for VHDs used by VMs, you need the Microsoft.Storage/storageAccounts/listKeys/action permission. If you only need to discover Managed Disks, the built-in Reader role is sufficient.

    Grant the application permissions (roles) to your subscriptions.

    1. Under More services > Subscriptions, select Access Control (IAM).
    2. In the Role Assignments, click +Add and select Add role assignments from the drop-down list.
    3. From the the Role drop-down list, select Reader.
    4. From the Select drop-down list, choose your newly created application.


    5. For each additional Subscription you want to be discovered, navigate to the More services > Subscriptions, chose needed subscription, and repeat steps 1-4.

    Note

    BMC Discovery will not be able to discover resources in the target subscriptions without permissions granted to your application.

    When the main configuration is done, you can set the optional settings.

    Discovery Microsoft Azure storage (Optional)

    If you need to discover Microsoft Azure storage, you also need to grant the Microsoft.Storage/storageAccounts/listKeys/action role for full discovery of Azure Storage. You do not need this permission if you are only using managed disks. A JSON file is provided in the BMC Discovery UI which is used with the Microsoft Azure command line tools to create a Discovery role which gives the correct permissions. Custom roles are described in the Microsoft Azure documentation.

      1. From the BMC Discovery UI, from the Manage > Discovery Tools page, download the Azure Discovery role JSON template.
      2. Edit the JSON file to set the subscription scope. Add your subscription id in the field <SUBSCRIPTION ID HERE>.
      3. Rename template file to azure_discovery_role.json.

      4. Run the following command, depending on your Azure cli version:

        az role definition create --role-definition <PATH>azure_discovery_role.json

        or
        az role create --config <PATH>azure_discovery_role.json
      5. Make sure that the role is created and appeared in the Azure Portal roles list.

      6. Assign recently created custom 'Discovery' role to the application registration which you used for BMC Discovery. (Step 1).

    Create an Azure cloud credential in BMC Discovery

    Create the Azure cloud credential in the same way as any other credential. The Azure cloud credential uses the Directory ID, Application ID, and Application Key as the equivalent of a username and password combination.

    1. From the BMC Discovery Device Credentials page, click Add.
      The Add Credential page is displayed.
    2. Click add more to add the cloud provider type. Select Microsoft Azure from the drop-down list.
    3. Add the usual credential information:
      • Label
      • Description
    4. Add the additional fields with the information that you copied from the Microsoft Azure Portal:
      1. Directory ID
      2. Application ID
      3. Application Key

      4. CyberArk–If the CyberArk integration is enabled, do not enter a key ID and secret, rather enter a CyberArk search string in this field to extract a CyberArk credential. An example search string is:
        Object=Cloud Service-Azure-keys-fc2636b7-426d-42df-a13f-f45b903bd40a
        See Integrating with CyberArk Enterprise Password Vault for more information on the integration.

        Note

        The Directory ID and Application ID are both GUIDs, 32 hex digits grouped 8-4-4-4-12. They are easy to transpose, and if you do so, your credential will never work, and the problem will be difficult to diagnose.

    5. Optionally specify a proxy to use to access. To use a proxy you must specify the following:
      • Hostname
      • Port
      • Username (only for authenticating proxies)
      • Password (only for authenticating proxies)
    6. Click Apply to save the credential.

    Test the credential 

    Once you have created the credential, you should test it to ensure that it works.

    1. From the credentials page, click Devices.

    2. Filter the list to show cloud credentials.
    3. Click Actions for the Microsoft Azure cloud credential you added, and then click Test.
    4. Select Microsoft Azure from the list.
    5. For the Regulatory Domain, select Azure Public or Azure Germany.
    6. Click Test.
      The screen below shows a successful test.

    If the credential test was unsuccessful, ensure that you copied the Directory ID and Application ID correctly.

    Note

    The BMC Discovery appliance must be able to access Microsoft Azure using https (port 443).

    Run a cloud scan

    To perform cloud discovery, from the Discovery Status page, use the Add New run control.

    1. Click Add New run.
      The Add a Cloud Run dialog is displayed.


    2. Enter a Label for the cloud discovery run.
    3. To add a scheduled cloud run, select Scheduled and fill in the scheduling information as with normal scheduled discovery runs.
    4. Select Cloud.
    5. Select the provider from the drop-down list. Select Microsoft Azure.
    6. Select the appropriate cloud credential. If none are available, you must add one.
    7. Select the regulatory domain to scan, for example, for the public cloud, select Azure Public, or for Azure Germany, select Azure Germany.
    8. Click OK.

    Scan the hosts running the VMs in the cloud

    Perform a normal scan on the hosts running the VMs discovered in the cloud scan. Use the Unscanned Cloud Hosts report on the Cloud Overview dashboard to find these.

    Scanning the hosts assumes that the appliance or proxy has network access to hosts running in the cloud, for example, using a VPN.

    Public IP addresses do not respond to ICMP pings. You must disable "Ping before scanning", otherwise all scans are dropped reporting no response.

    Examine results

    Once you have scanned, you can examine the results. The screen below shows a discovered VM running in Microsoft Azure.

    Database discovery

    Microsoft Azure supports Microsoft SQL Server. The Microsoft Azure API reports the database. If you only need to discover the database, these are reported as part of normal cloud discovery, and no further configuration is required.

    If you need deeper database discovery, for example, you need to report the tables, or run queries for application specific data, you need to configure database discovery using integration points.

    Database server and database firewalls

    Each database server has a firewall, and you can add a rule stating which IP addresses are permitted access.To do this:

    1. From the database server, configure the firewall to enable BMC Discovery to access it.
    2. Add the following information
      1. Rule name, for example Discovery Access.
      2. Start IP, for example, 77.168.1.100.
      3. End IP, for example, 77.168.1.100.
      You can now access the database server from BMC Discovery.

    You can also configure rules on a firewall on the database, in addition to the firewall on the server, configured earlier. The server firewall and the database firewall must both permit access to BMC Discovery.

    BMC Discovery database credential

    When you configure your database credential, you must specify a username and some additional JDBC parameters.

    Username

    The username is of a particular form. For example:

    • The server name is serverxyxyxy.database.windows.net
    • The Discovery username, that is, name of the database user that BMC Discovery connects with, is tideway.

    The JDBC username is tideway@serverxyxyxy

    Each server requires a different username. Consequently, each server requires a different credential for that username. In large deployments on Microsoft Azure, with many servers, you must create many database credentials. During discovery, each database credential is checked in turn, meaning a potential performance reduction, and administrative overhead in creating the database credentials.

    JDBC parameters

    The JDBC connection string, given in the Azure Portal, in the Database connection strings page for that database, is as follows. The italicized section shows the JDBC parameters:

    JDBC (SQL authentication)
    jdbc:sqlserver://serverxyxyxy.database.windows.net:1433;database=wordpressdb;user=tideway@serverxyxyxy;password=password;encrypt=true;trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;loginTimeout=30;

    The following additional JDBC parameters must be specified in the BMC Discovery database credential:

    • encrypt=true
    • trustServerCertificate=false
    • hostNameInCertificate=*.database.windows.net
    • loginTimeout=30

    Microsoft Azure discovery patterns

    The Microsoft Azure discovery patterns are available on the Manage > Knowledge page. They are located in the Pattern modules list, under Cloud > Microsoft Azure.

    Azure tags discovery

    Information about tags is described here

    Troubleshooting

    Problem: Tenant ID is not found.
    Solution:     Check Directory ID in Azure Active Directory > Properties.

    Problem: Application with the identifier is not found (ID is correct, but application ID is wrong or does not exist).
    Solution:     Check Application id or register the new one.

    Problem: Invalid client secret provided (application in Azure portal is created, application key in the ADDM credentials is not set, or key is expired).
    Solution:      Check the security key, or add the new one.

    Problem: Failed to get dynamic parameter 'subsribtionid: No values' (Directory ID, Application ID, and Security key are correct. No role is assigned to the application in Azure portal).
    Solution: Assign role in More services > Subscriptions, then select Access Control (IAM) - Role Assignments.

    Problem: Failed to get dynamic parameter subscriptionId: 'some request name': Authentication failure: AADSTS7000222: The provided client secret keys are expired.

    Description: Keys encryption bug.

    Solution: Please check if your keys contain / and + characters. Try to generate new key using manual above. Keys that will work 100% are keys exclusively with alphanumeric characters.


    Related topics

    Cloud providers

    Microsoft Azure Supported Cloud Regions




    • No labels
    © Copyright 2005-2021 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.