
Connect an Azure subscription manually

Overview

This page is a step-by-step guide to manually connecting your Azure subscriptions to the Upwind platform. The process comprises the following steps:

  1. Create app registration.
  2. Create service principal.
  3. Create Role definition for the Upwind permissions in the Azure subscription.
  4. Create a Role assignment for the Upwind permissions in the Azure subscription.
  5. Enter the service principal credentials, subscription ID, tenant ID and app registration details in the Upwind console.
  6. Verify that the connection is successful.

Prerequisites

To connect your Azure subscription to Upwind, you need to have the following access:

  1. Owner permissions role assigned to the Azure subscription you want to connect.
  2. Permissions to create App Registration & Service Principal (if you have Azure AD administrator role, this will be sufficient).

Setup

Step 1: Create App Registration

  1. Log into the Azure Portal.
  2. In the search bar, type App Registration and click the App Registration item.
  3. Click + New registration and fill in the following fields:
    1. Name: upwindsecurity-<your-azure-subscription-name>
    2. Supported account types: Accounts in this organizational directory only (Default Directory only - Single tenant)
    3. Redirect URIs:
      1. Platform: Web
      2. URI: https://www.upwind.io
  4. Click Register.

Now you have successfully created an app registration.

Please copy the following parameters to the Upwind console:
  1. Application (client) ID field, and paste it into Application (client) ID
  2. Directory (tenant) ID field, and paste it into Tenant ID


Step 2: Create Service Principal

In this step, you will create the service principal and secret to allow Upwind a secure connection to your Azure subscription.

  1. In the App Registration page that you created, click Certificates & secrets.
  2. Click + New client secret and fill in the following fields:
    1. Description: Brief description of the client secret.
    2. Expires: Recommended value is 1 year.

Note

Copy the secret value now, as it will disappear, and you will need it to complete the subscription connection in the Upwind console.

Step 3: Grant Permissions to the App Registration

In this section, you grant the application permissions to the Azure subscription by adding a Role assignment. Attaching the Role definition to the app registration means that Upwind will be able to access the resources in the Azure subscription it is scoped to.

There are two types of permissions that you can grant to the application:

  1. Read Only: This grants Upwind permissions to read all resources in the Azure subscription.
  2. Enforce: This grants Upwind extended capabilities to perform operations such as creating, updating, and deleting resources in the Azure subscription.

Add Role Assignment

  1. From the Access control (IAM) page for the specific subscription, click Role assignments.
  2. Click + Add and select Add role assignment.
  3. Select the built-in role Reader.
  4. In the Members section, click + Select members and select the app registration you created in Step #1.
  5. Click Review + assign to finish the process.

You have successfully assigned the role to the App Registration.

Caution

A common issue in this step is that the App Registration you created in Step #1 is not listed in the Members section. If this happens, wait a few minutes and try again, or look up the App Registration from the Azure CLI:

  1. Open the Azure CLI.
  2. Run the following command:
az ad sp list --display-name "{your-upwind-app-registration-name}"
  3. Copy the appId value.
  4. Run the following command to create the Azure role assignment, passing the appId as the assignee:
az role assignment create --role "Reader" --assignee "{your-app-id}" --scope "/subscriptions/{your-subscription-id}"
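
A least-privilege check for what Steps 2 and 3 create, as an added example that is not part of the original Upwind guide: it flags any role other than Reader, any scope other than the one subscription, and any client secret that is expired or valid for longer than the recommended 1 year. It assumes the Read Only setup and JSON shaped like the output of `az role assignment list --assignee <appId> --all` and `az ad app credential list --id <appId>`; the field names used and all sample values are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_SECRET_LIFETIME = timedelta(days=366)  # guide recommends a 1-year expiry


def _parse_ts(value):
    # Timestamps such as 2025-01-10T09:00:00Z; any fractional seconds are dropped.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit_role_assignments(assignments, subscription_id, allowed_roles=("Reader",)):
    """Return findings for roles or scopes beyond Reader on the one subscription."""
    expected = f"/subscriptions/{subscription_id}".lower()
    findings = []
    for a in assignments:
        role, scope = a.get("roleDefinitionName"), a.get("scope") or ""
        if role not in allowed_roles:
            findings.append(f"unexpected role {role!r} at {scope}")
        if scope.rstrip("/").lower() != expected:
            findings.append(f"role {role!r} scoped to {scope}, not the target subscription")
    return findings


def audit_secrets(credentials, now):
    """Return findings for expired secrets and secrets valid for more than a year."""
    findings = []
    for c in credentials:
        name = c.get("displayName") or c.get("keyId")
        start, end = _parse_ts(c["startDateTime"]), _parse_ts(c["endDateTime"])
        if end <= now:
            findings.append(f"secret {name!r} expired on {end.date()}")
        elif end - start > MAX_SECRET_LIFETIME:
            findings.append(f"secret {name!r} lifetime exceeds 1 year")
    return findings


# Constructed sample data (field names assumed from the az CLI JSON output).
SAMPLE_SUB = "00000000-0000-0000-0000-000000000001"
SAMPLE_ASSIGNMENTS = json.loads("""[
 {"roleDefinitionName": "Reader", "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"roleDefinitionName": "Contributor", "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"roleDefinitionName": "Reader", "scope": "/providers/Microsoft.Management/managementGroups/constructed-mg"}
]""")
SAMPLE_SECRETS = json.loads("""[
 {"displayName": "upwind-1y", "startDateTime": "2024-01-10T09:00:00Z", "endDateTime": "2025-01-10T09:00:00Z"},
 {"displayName": "upwind-2y", "startDateTime": "2024-01-10T09:00:00.123Z", "endDateTime": "2026-01-10T09:00:00Z"}
]""")

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for f in audit_role_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_SUB) + audit_secrets(SAMPLE_SECRETS, now):
        print("FINDING:", f)
```

An empty findings list for both functions means the app registration holds only Reader on the intended subscription and its secrets are within the recommended lifetime.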

Step 4: Complete the subscription connection in the Upwind console

Now that all the prerequisites are done, you can complete the subscription connection in the Upwind console.

  1. In the Application id field, paste the Application (client) ID you copied in Step #1.
  2. In the Tenant id field, paste the Directory (tenant) ID you copied in Step #1.
  3. In the Secret field, paste the secret value you copied in Step #2.
  4. In the Subscription id field, paste the Subscription ID you copied in Step #1.
  5. Click Connect.


Step 5: Verify that the connection is successful

After connecting your Azure subscription to Upwind, verify that the connection is successful. If it is, the Upwind console displays a success message.

Troubleshooting

If you encounter any issues in the process of connecting your Azure subscriptions to Upwind, please contact our support team at support@upwind.io.

Next Steps

After establishing a connection to your Azure subscription(s), Upwind will populate an inventory of all compute resources and show which resources are Unprotected.

To connect a Kubernetes cluster with Upwind, follow the instructions provided in the console: Connect a Kubernetes cluster or review

To connect a Linux host with Upwind, follow the instructions provided in the console: Connect a host.