
Microsoft Azure is Microsoft's cloud service. It provides virtualized computing platforms that are accessible through the internet. It is divided into a number of regulatory domains around the world, so that in countries with particular regulations regarding data, organizations can store and manage data in compliance with local laws.

Node changes in Technology Knowledge Update TKU 2019-Dec-1

TKU December 2019 enhances the model for Cloud Regions and Cloud Services to be segregated by account. If you discover more than one AWS Account, more than one Azure Subscription or more than one GCP Project, all the data from Cloud Region through to individual nodes within services will be clearly separated, where before it was intermingled.

As a result, the keys of all CloudRegion and CloudService nodes, and many contained nodes will change, even if you only discover a single account. If you synchronize to a CMDB, the identities of the corresponding CIs will also change.

The existing nodes are not deleted automatically with the application of the TKU. To remove the old nodes from the BMC Discovery model, you can delete the patterns that were deactivated by the new patterns in the TKU. However, the old CIs in the CMDB will not be deleted automatically. The simplest way to remove them is to perform a resynchronization.

Discovering Microsoft Azure

This section describes the settings and procedures required to discover services running in Azure. It contains the following sections:

Services and regulatory domains discovered

You access and configure all of your services in the Azure Public cloud using the Microsoft Azure portal and in the other clouds using the appropriate portals.

The following regulatory domains can be discovered with the latest product content update:

BMC Discovery enables you to discover your cloud services running in Microsoft Azure. The following set of Microsoft Azure services can be discovered with the latest product content update:


More detailed information on discovery of Microsoft Azure services is contained in the following Configipedia pages:


BMC Discovery enables you to discover your cloud services running in these regions. To do so, you must provide an application ID and authentication key (the credential) with which BMC Discovery can access the cloud. You create the authentication key using the Microsoft Azure portal or the Microsoft Azure Germany portal.

Create a credential

Creating a credential is a two-stage process. In the Microsoft Azure Portal, you obtain a Directory ID, Application ID, and authentication key. Then, in BMC Discovery, you use this information to add the cloud discovery credential.

Find the Directory ID, Application ID and Authentication Key in the Microsoft Azure Portal

The procedure is outlined here, though the steps to do this are described fully on this Microsoft Azure web page.

  1. Use the Microsoft Azure Portal to find a Directory ID for your Microsoft Azure account.
    1. Directory ID–Find the Directory ID for your Microsoft Azure account under Azure Active Directory > Properties in the Microsoft Azure Portal.
      The Directory ID is a GUID, and is also known as the Tenant ID.
  2. Find the Application ID and Authentication Key.
    1. Continuing in the Microsoft Azure Portal, add an "App registration" for your BMC Discovery appliance in the Azure Active Directory > App registrations section. You must provide a name, for example "BMC Discovery", an application type, "Web app / API", and a sign-on URL for the appliance. The URL is mandatory but is not used. Once you have created the application registration for BMC Discovery, obtain the following information for the application.
    2. Application ID–Shown in the Properties for the application under Azure Active Directory > App registrations in the Microsoft Azure Portal. The Application ID is a GUID. Ensure that you select the Application ID and not the Object ID.
    3. Application Key–Create the Application Key (Client Secret) in the Certificates & secrets for the application in Azure Active Directory > App registrations in the Microsoft Azure Portal. You can only copy the key when you first create it, so keep it safe.

      Note

      If you lose the Application Key, you cannot retrieve it from the Microsoft Azure Portal. You must create a new application key and use the new key in the BMC Discovery cloud credential. You should keep a note of the application key until you have successfully tested the cloud credential.

Assign the required permissions for the BMC Discovery application registration

The built-in Reader role is sufficient to discover everything except size and encryption (D@RE) values for VHDs used by VMs. To discover size and encryption (D@RE) values for VHDs used by VMs, you need the Microsoft.Storage/storageAccounts/listKeys/action permission. If you only need to discover Managed Disks, the built-in Reader role is sufficient.

  1. Grant the application permissions (roles) to your subscriptions.
    1. Under More services > Subscriptions, select Access Control (IAM).
    2. Assign the built-in Reader role to the application registration you just created (BMC Discovery).
  2. If you need to discover Microsoft Azure storage, you also need to grant the Microsoft.Storage/storageAccounts/listKeys/action permission for full discovery of Azure Storage. You do not need this permission if you are only using managed disks. A JSON file provided in the BMC Discovery UI is used with the Microsoft Azure command line tools to create a Discovery custom role that grants the correct permissions. Custom roles are described in the Microsoft Azure documentation.
    1. From the BMC Discovery UI, from the Manage > Discovery Tools page, download the Azure Discovery role JSON template.
    2. Edit the JSON file to set the subscription scope.
    3. Run the following command:
      az role definition create --role-definition azure_discovery_role.json
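As an added example (not BMC's downloadable template, whose exact contents are not reproduced here), the following Python builds a custom role definition in the layout that az role definition create accepts, sets the subscription scope, and checks before creation that the role grants nothing beyond read access plus the listKeys action described above. The role name and subscription ID are placeholders.

```python
import json

# The only non-read permission discovery needs (from the page).
LIST_KEYS_ACTION = "Microsoft.Storage/storageAccounts/listKeys/action"
# The built-in Reader role is equivalent to this single action.
READER_ACTION = "*/read"

def build_discovery_role(subscription_id: str, name: str = "BMC Discovery Role") -> dict:
    """Return a custom role definition in the layout az role definition create expects.

    AssignableScopes is where the subscription scope is set; the ID is a
    placeholder supplied by the caller (assumed, not a real subscription).
    """
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Read-only discovery plus storage account listKeys (VHD size and D@RE).",
        "Actions": [READER_ACTION, LIST_KEYS_ACTION],
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }

def role_problems(role: dict) -> list[str]:
    """Flag deviations from least privilege before the role is created."""
    problems = []
    allowed = {READER_ACTION, LIST_KEYS_ACTION}
    for action in role.get("Actions", []):
        if action not in allowed:
            problems.append(f"unexpected action: {action}")
    if role.get("DataActions"):
        problems.append("data-plane actions are not needed for discovery")
    if not role.get("AssignableScopes"):
        problems.append("no assignable scope set")
    for scope in role.get("AssignableScopes", []):
        if not scope.startswith("/subscriptions/"):
            problems.append(f"scope is not subscription-scoped: {scope}")
    return problems

def role_json(subscription_id: str) -> str:
    """Serialise the role for writing to azure_discovery_role.json."""
    return json.dumps(build_discovery_role(subscription_id), indent=2)

if __name__ == "__main__":
    # Placeholder subscription ID, not a real one.
    print(role_json("00000000-0000-0000-0000-000000000000"))
```

Write the output to azure_discovery_role.json and pass that file to the az command shown above.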

Create an Azure cloud credential in BMC Discovery

Create the Azure cloud credential in the same way as any other credential. The Azure cloud credential uses the Directory ID, Application ID, and Application Key as the equivalent of a username and password combination.

  1. From the BMC Discovery Device Credentials page, click Add.
    The Add Credential page is displayed.
  2. Click add more to add the cloud provider type. Select Microsoft Azure from the drop-down list.
  3. Add the usual credential information:
    • Label
    • Description
  4. Add the additional fields with the information that you copied from the Microsoft Azure Portal:
    1. Directory ID
    2. Application ID
    3. Application Key
    4. CyberArk–If the CyberArk integration is enabled, do not enter a key ID and secret; instead, enter a CyberArk search string in this field to extract a CyberArk credential. An example search string is:
      Object=Cloud Service-Azure-keys-fc2636b7-426d-42df-a13f-f45b903bd40a
      See Integrating with CyberArk Enterprise Password Vault for more information on the integration.

      Note

      The Directory ID and Application ID are both GUIDs, 32 hex digits grouped 8-4-4-4-12. They are easy to transpose, and if you do so, your credential will never work, and the problem will be difficult to diagnose.

  5. Optionally specify a proxy to use to access Microsoft Azure. To use a proxy, you must specify the following:
    • Hostname
    • Port
    • Username (only for authenticating proxies)
    • Password (only for authenticating proxies)
  6. Click Apply to save the credential.

Test the credential 

Once you have created the credential, you should test it to ensure that it works.

  1. From the credentials page, click Devices.
  2. Filter the list to show cloud credentials.
  3. Click Actions for the Microsoft Azure cloud credential you added, and then click Test.
  4. Select Microsoft Azure from the list.
  5. For the Regulatory Domain, select Azure Public or Azure Germany.
  6. Click Test.
    The screen below shows a successful test.

If the credential test was unsuccessful, ensure that you copied the Directory ID and Application ID correctly.

Note

The BMC Discovery appliance must be able to access Microsoft Azure using https (port 443).


Run a cloud scan

To perform cloud discovery, from the Discovery Status page, use the Add New run control.

  1. Click Add New run.
    The Add a Cloud Run dialog is displayed.
  2. Enter a Label for the cloud discovery run.
  3. To add a scheduled cloud run, select Scheduled and fill in the scheduling information as with normal scheduled discovery runs.
  4. Select Cloud.
  5. Select the provider from the drop-down list. Select Microsoft Azure.
  6. Select the appropriate cloud credential. If none are available, you must add one.
  7. Select the regulatory domain to scan, for example, for the public cloud, select Azure Public, or for Azure Germany, select Azure Germany.
  8. Click OK.

Scan the hosts running the VMs in the cloud

Perform a normal scan on the hosts running the VMs discovered in the cloud scan. Use the Unscanned Cloud Hosts report on the Cloud Overview dashboard to find these.

Scanning the hosts assumes that the appliance or proxy has network access to hosts running in the cloud, for example, using a VPN.

Public IP addresses do not respond to ICMP pings. You must disable "Ping before scanning", otherwise all scans are dropped reporting no response.

Examine results

Once you have scanned, you can examine the results. The screen below shows a discovered VM running in Microsoft Azure.

Database discovery

Microsoft Azure supports Microsoft SQL Server, and the Microsoft Azure API reports the databases. If you only need to discover the databases, they are reported as part of normal cloud discovery and no further configuration is required.

If you need deeper database discovery, for example, you need to report the tables, or run queries for application specific data, you need to configure database discovery using integration points.

Database server and database firewalls

Each database server has a firewall, and you can add a rule stating which IP addresses are permitted access. To do this:

  1. From the database server, configure the firewall to enable BMC Discovery to access it.
  2. Add the following information
    1. Rule name, for example Discovery Access.
    2. Start IP, for example, 77.168.1.100.
    3. End IP, for example, 77.168.1.100.
    You can now access the database server from BMC Discovery.

You can also configure rules on a firewall on the database, in addition to the firewall on the server, configured earlier. The server firewall and the database firewall must both permit access to BMC Discovery.

BMC Discovery database credential

When you configure your database credential, you must specify a username and some additional JDBC parameters.

Username

The username is of a particular form. For example:

  • The server name is serverxyxyxy.database.windows.net
  • The Discovery username, that is, name of the database user that BMC Discovery connects with, is tideway.

The JDBC username is tideway@serverxyxyxy

Each server requires a different username. Consequently, each server requires a different credential for that username. In large deployments on Microsoft Azure, with many servers, you must create many database credentials. During discovery, each database credential is checked in turn, meaning a potential performance reduction, and administrative overhead in creating the database credentials.

JDBC parameters

The JDBC connection string, given in the Azure Portal on the Database connection strings page for that database, is as follows. The trailing parameters, from encrypt onward, are the JDBC parameters:

JDBC (SQL authentication)
jdbc:sqlserver://serverxyxyxy.database.windows.net:1433;database=wordpressdb;user=tideway@serverxyxyxy;password=password;encrypt=true;trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;loginTimeout=30;

The following additional JDBC parameters must be specified in the BMC Discovery database credential:

  • encrypt=true
  • trustServerCertificate=false
  • hostNameInCertificate=*.database.windows.net
  • loginTimeout=30
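To show the username form and the required parameters in practice, here is an added Python example (not part of the BMC documentation or product) that derives the JDBC username from a server name, parses a connection string of the form shown above into its parts, and reports any of the four required parameters that are missing or set to a weaker value. The sample connection string is constructed from the page's example, with a placeholder password.

```python
# The four parameters the BMC Discovery credential must carry, with the value
# each must have (None means "must be present, any value").
REQUIRED_PARAMS = {
    "encrypt": "true",
    "trustServerCertificate": "false",
    "hostNameInCertificate": None,
    "loginTimeout": None,
}

def jdbc_username(server_fqdn: str, db_user: str) -> str:
    """Azure SQL logins take the form user@<server short name>."""
    short_name = server_fqdn.split(".", 1)[0]
    return f"{db_user}@{short_name}"

def parse_sqlserver_url(url: str) -> tuple[str, int, dict]:
    """Split jdbc:sqlserver://host:port;k=v;... into host, port and parameters."""
    prefix = "jdbc:sqlserver://"
    if not url.startswith(prefix):
        raise ValueError("not a SQL Server JDBC URL")
    endpoint, _, rest = url[len(prefix):].partition(";")
    host, _, port = endpoint.partition(":")
    params = {}
    for item in rest.split(";"):
        if not item:
            continue  # tolerate the trailing ';'
        key, sep, value = item.partition("=")  # first '=' only, so '=' in a value survives
        if not sep:
            raise ValueError(f"malformed parameter: {item!r}")
        params[key] = value
    return host, int(port) if port else 1433, params

def param_problems(params: dict) -> list[str]:
    """Report required parameters that are absent or set to an insecure value."""
    problems = []
    for key, wanted in REQUIRED_PARAMS.items():
        if key not in params:
            problems.append(f"missing {key}")
        elif wanted is not None and params[key].lower() != wanted:
            problems.append(f"{key} must be {wanted}, got {params[key]}")
    return problems

# Constructed from the page's example; the password is a placeholder.
SAMPLE_URL = (
    "jdbc:sqlserver://serverxyxyxy.database.windows.net:1433;database=wordpressdb;"
    "user=tideway@serverxyxyxy;password=<password>;encrypt=true;"
    "trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;"
    "loginTimeout=30;"
)
```

A password containing ';' would need the driver's escaping and is not handled by this parser.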

Microsoft Azure discovery patterns

The Microsoft Azure discovery patterns are available on the Manage > Knowledge page. They are located in the Pattern modules list, under Cloud > Microsoft Azure.

Azure tags discovery

Information about tags is described here.

Related topics

Cloud providers

