
Integration

Overview

This article outlines the steps to integrate your Azure tenant and its subscriptions with Upwind.

Prerequisites

1. Azure Admin Access

Make sure your account has the following permissions:

  • Azure Global Administrator – Required to grant tenant-level permissions.
  • Azure Owner Role – Required in each subscription you intend to onboard and monitor with Upwind.

2. Azure CLI Authentication

Verify that you're authenticated and have access to the correct subscriptions:

az login
az account list
# Ensure the listed subscriptions include those you plan to onboard

3. Check Spot VM Quota

Upwind Cloud Scanners use Spot VMs. Ensure you have a quota of at least 40 vCPUs available for Spot instances:

az vm list-usage --location <region> --query "[?name.value=='lowPriorityCores']" --output table

If your quota is insufficient:

  1. Go to Azure Portal → Subscriptions → [Your Subscription]
  2. Click Settings → Usage + quotas
  3. Locate Spot vCPUs and submit a request to increase the quota
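An added helper, not Upwind's code, for the quota check above: it reads the JSON form of `az vm list-usage --location <region> --output json`, looks for the `lowPriorityCores` line (the Spot vCPU quota) and reports whether the region still has at least 40 Spot vCPUs free, treating a quota line that is present but mostly consumed as a failure and a missing line as "no Spot quota reported". The usage data embedded below is constructed to show the shape, not real CLI output.

```python
# Upwind Cloud Scanners run on Spot VMs; the page asks for at least 40 Spot
# vCPUs available. Azure reports that quota under the name lowPriorityCores.
REQUIRED_SPOT_VCPUS = 40

def spot_vcpus(usage_json):
    """Return (limit, in_use) from the lowPriorityCores entry of the parsed
    output of `az vm list-usage --location <region> --output json`."""
    for entry in usage_json:
        if entry.get("name", {}).get("value") == "lowPriorityCores":
            return int(entry["limit"]), int(entry["currentValue"])
    raise KeyError("no lowPriorityCores quota reported for this location")

def spot_quota_ok(usage_json, required=REQUIRED_SPOT_VCPUS):
    """True when limit minus current usage leaves at least `required` vCPUs;
    a high limit alone is not enough if other Spot VMs already consume it."""
    limit, in_use = spot_vcpus(usage_json)
    return limit - in_use >= required

def regions_meeting_quota(usage_by_region, required=REQUIRED_SPOT_VCPUS):
    """Given {region: parsed list-usage output}, return the regions with enough
    Spot headroom. A region that reports no Spot quota line is skipped."""
    ok = []
    for region, usage in usage_by_region.items():
        try:
            if spot_quota_ok(usage, required):
                ok.append(region)
        except KeyError:
            continue
    return sorted(ok)

# Constructed sample in the shape az vm list-usage emits; not real output.
SAMPLE_USAGE = {
    "eastus": [  # limit 40 but 12 already in use: only 28 free, so it fails
        {"currentValue": 8, "limit": 100, "unit": "Count",
         "name": {"localizedValue": "Total Regional vCPUs", "value": "cores"}},
        {"currentValue": 12, "limit": 40, "unit": "Count",
         "name": {"localizedValue": "Low-priority vCPUs", "value": "lowPriorityCores"}},
    ],
    "westus2": [  # 64 free: passes
        {"currentValue": 0, "limit": 64, "unit": "Count",
         "name": {"localizedValue": "Low-priority vCPUs", "value": "lowPriorityCores"}},
    ],
    "northeurope": [  # no Spot quota line at all: skipped rather than failed
        {"currentValue": 0, "limit": 20, "unit": "Count",
         "name": {"localizedValue": "Total Regional vCPUs", "value": "cores"}},
    ],
}

if __name__ == "__main__":
    print("regions with >= 40 Spot vCPUs free:", regions_meeting_quota(SAMPLE_USAGE))
```

To check a real region, feed the function the parsed output of the az command from the page instead of SAMPLE_USAGE.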

Integration Steps

Summary

The integration of the Azure tenant consists of three steps:

  • Step 1: Selecting the Azure tenant and an Orchestrator subscription.
  • Step 2: Creating the required managed identities, role definitions and role assignments.
  • Step 3: Defining which subscriptions you want Upwind to scan.

To begin the integration:

  1. Log in to the Upwind Management Console.
  2. Select the + (plus) symbol at the top of the screen and select Connect cloud account.
  3. Choose Azure, and from there Connect Azure Tenant.

Step 1: Onboard your Azure Tenant and designate an Orchestrator Subscription

In this step, you will provide key identifiers from your Azure environment and register them in the Upwind Management Console.

Step 1.1: Provide the parameters to identify your Azure Tenant

  • Sign in to the Azure Portal
  • Navigate to Management Groups
  • Copy the Tenant Root Group ID (Tenant ID)
  • Paste the Tenant ID into the field labeled "Enter Tenant Root Group ID"

Step 1.2: Designate an Orchestrator Subscription

  • Enter the Subscription ID you want to designate as the Orchestrator Subscription. This subscription will be responsible for deploying and managing Cloud Scanner resources on behalf of your organization.

Step 1.3: Generate Credentials for Upwind

In this step, you will generate the client credentials that allow the Upwind Orchestrator Subscription to authenticate with the Upwind Authorization Service and interact with Upwind APIs.
These credentials are required to connect your Azure tenant to Upwind and enable secure reporting and scanning.

You will generate two sets of credentials:

  • AzureOrgConnectionCredentials - used to authenticate and identify subscriptions within your Azure tenant.
    These credentials are essential for allowing Upwind to discover, connect, and onboard your Azure subscriptions.

  • AzureScannersReportingCredentials - used to securely report scan results from your Azure subscriptions back to Upwind.
    They enable continuous visibility by allowing Upwind to receive findings, metadata, and status updates from your scanned resources.

Click "Generate new client credentials" to create both sets of credentials. Once generated, they will be used in later steps to complete the onboarding process.

Step 2: Create the Required Organizational Resources

In this step, you will create the necessary resources to enable Upwind to access and scan your Azure subscriptions.

By assigning these roles, you allow Upwind to automatically deploy the Cloud Scanner infrastructure – including required components like IAM roles and compute resources – ensuring full and continuous scanning coverage across your environment.

note

All required parameters have already been injected into the Terraform module for you – no manual input is needed.

Step 2.1: Assign the required Azure roles

  • Before proceeding, review all the settings and parameters to ensure the configuration settings are tailored to your environment.

  • Create a new directory for your Terraform project and navigate to it in your terminal.

  • Inside the project directory, create a new file named main.tf to hold the Terraform configuration.

  • Copy the code snippet from the Terraform setup section and paste it into main.tf.

    main.tf
    module "upwind_integration_azure_onboarding" {
      source = "http://get.upwind.io/terraform/modules/azure-new-onboarding/azure-new-onboarding-latest.tar.gz"

      # Upwind Credentials
      upwind_client_id     = "your-unique-upwind-client-id"
      upwind_client_secret = "your-unique-upwind-client-secret"

      # Cloud Scanner Credentials
      scanner_client_id     = "your-unique-upwind-scanner-id"
      scanner_client_secret = "your-unique-upwind-scanner-secret"

      # Upwind Details
      upwind_organization_id = "your-upwind-organization-id"

      # Azure Details
      azure_tenant_id = "your-azure-tenant-id"

      # Azure Subscription to act as the orchestrator
      azure_orchestrator_subscription = "your-azure-orchestrator-subscription-id"

      # (Optional) Define a custom resource suffix for the Upwind resources
      # This is limited to 10 characters and must be alphanumeric
      resource_suffix = "upwind"

      # (Optional) Define the location for the shared Cloud Scanner resources
      # This has no implications on resources deployed in other locations.
      azure_cloudscanner_location = "eastus"
    }

    Default Module Parameters

    azure_tenant_id - Ensure the parameter is set with the Azure Tenant ID used for provisioning. This is required in the provider block to target the correct Azure tenant.
    upwind_organization_id - Ensure the parameter is set with your Upwind Organization ID. This ID typically starts with org_ and uniquely identifies your organization in the Upwind platform.
    upwind_client_id - Ensure the parameter is set with the AzureOrgConnectionCredentials client ID generated in the previous step.
    upwind_client_secret - Ensure the parameter is set with the AzureOrgConnectionCredentials client secret generated in the previous step. Must be used in conjunction with Upwind Client ID.
    scanner_client_id - Ensure the parameter is set with the AzureScannersReportingCredentials client ID generated in the previous step.
    scanner_client_secret - Ensure the parameter is set with the AzureScannersReportingCredentials client secret generated in the previous step. Must be used in conjunction with Upwind Client ID.
    azure_orchestrator_subscription - Ensure the parameter is set with the Azure Subscription ID designated to act as the orchestrator. This subscription will host the Scanner managed identities and the key vault for secrets, and will coordinate scanning operations.
    resource_suffix (Optional) - Ensure the parameter is set with a short, alphanumeric string (max 10 characters) if you want to customize the suffix used in Upwind resource naming to prevent naming collisions.
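An added pre-flight check, not part of the Upwind module, that reads the key = "value" assignments from a main.tf like the one above and verifies the constraints the parameter list states (required values filled in, upwind_organization_id starting with org_, GUID-shaped tenant and subscription IDs, an alphanumeric suffix of at most 10 characters) plus the Cloud Scanner location not being one of the regions the page lists as unsupported. The embedded main.tf is a constructed sample with two deliberate mistakes; the IDs in it are placeholders.

```python
import re, uuid

# Regions the page lists as not yet supported for Cloud Scanner deployments.
UNSUPPORTED = {"westindia", "koreasouth", "israelcentral",
               "mexicocentral", "newzealandnorth", "qatarcentral"}
REQUIRED = ("upwind_client_id", "upwind_client_secret", "scanner_client_id",
            "scanner_client_secret", "upwind_organization_id",
            "azure_tenant_id", "azure_orchestrator_subscription")
# Matches the simple  key = "value"  assignments inside the module block.
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.MULTILINE)

def parse_module_args(hcl_text):
    """Collect key/value assignments from a main.tf like the one above."""
    return dict(ASSIGN_RE.findall(hcl_text))

def _is_guid(value):
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False

def validate_module_args(args):
    """Return the problems found; an empty list means the block looks sane."""
    problems = [f"{k} is missing or empty" for k in REQUIRED if not args.get(k)]
    org = args.get("upwind_organization_id", "")
    if org and not org.startswith("org_"):
        problems.append("upwind_organization_id should start with org_")
    for key in ("azure_tenant_id", "azure_orchestrator_subscription"):
        if args.get(key) and not _is_guid(args[key]):
            problems.append(f"{key} is not a GUID")
    suffix = args.get("resource_suffix", "")
    if suffix and not (suffix.isalnum() and len(suffix) <= 10):
        problems.append("resource_suffix must be alphanumeric, max 10 chars")
    loc = args.get("azure_cloudscanner_location", "")
    if loc in UNSUPPORTED:
        problems.append(f"{loc} is not supported for Cloud Scanner deployments")
    return problems

# Constructed sample with two deliberate mistakes (suffix and location).
SAMPLE_MAIN_TF = '''module "upwind_integration_azure_onboarding" {
  upwind_client_id       = "client-id-placeholder"
  upwind_client_secret   = "client-secret-placeholder"
  scanner_client_id      = "scanner-id-placeholder"
  scanner_client_secret  = "scanner-secret-placeholder"
  upwind_organization_id = "org_example123"
  azure_tenant_id        = "11111111-2222-3333-4444-555555555555"
  azure_orchestrator_subscription = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
  resource_suffix             = "upwind-cs-1"
  azure_cloudscanner_location = "koreasouth"
}'''
```

Run validate_module_args(parse_module_args(open("main.tf").read())) before terraform apply; an empty list means no obvious parameter mistake.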

Step 2.2: Terraform apply

The module can be run manually with terraform init && terraform apply. It was, however, designed to be integrated into an Infrastructure-as-Code (IaC) workflow such as Terragrunt or a CI/CD pipeline.

Once the terraform apply command has successfully executed, the connection should be established within a few moments. Detected subscriptions will be listed in the next section.

Step 3: Define Subscription Scope

The final step of the onboarding process allows you to define the scope for each Azure subscription you’ve just connected — as well as for any new subscriptions that may be created in the future.

  • This view displays your organization structure and connected subscriptions, allowing you to choose which subscriptions should be audited using Cloud APIs or scanned using Upwind Cloud Scanners.

    • Enable Cloud API to grant general access to the Upwind API.

    • Enable Cloud Scanner to deploy the Upwind Cloud Scanner in the selected subscription.

      Scope Dependency

      Cloud Scanner scopes are dependent on the Cloud API scope. If you enable the Cloud Scanner scope, the Cloud API scope must also be enabled.

  • Enable Auto-Connect for New Subscriptions - when enabled, all newly created subscriptions under the organization will be automatically connected to Upwind. These subscriptions will be granted Cloud API access and scanned by the Cloud Scanner by default, ensuring continuous visibility and protection without further setup.

  • Test Connectivity by clicking the Test & Save button. This will store the scope settings and check the connection between Upwind and the Azure organization. If successful, you will see a success message.

You're now fully connected to Upwind and protected across the selected Azure subscriptions.

Unsupported Regions

Some regions are not yet supported for Upwind Cloud Scanner deployments, as Azure Container Jobs are not available in those regions:

  • westindia
  • koreasouth
  • israelcentral
  • mexicocentral
  • newzealandnorth
  • qatarcentral

Troubleshooting

If you encounter issues during deployment or operation, consult the Troubleshooting guide for solutions and best practices.

Resources Created

Azure Resource Group

A resource group named upwind-cs-rg-{orgId} is created containing:

Azure Key Vault

  • Contains secrets for scanner authentication (client ID and client secret)

Managed Identities

Three managed identities are created:

  1. VMSS Identity (upwind-cs-vmss-identity-{orgId})

    • Assigned to virtual machine scale sets
    • Manages snapshots and disks
    • Has read and snapshot access across subscriptions
    • Has Key Vault Secrets User access
  2. Scaler Function Identity (upwind-cs-scaler-function-identity-{orgId})

    • Assigned to container app jobs
    • Manages VMSS scaling
    • Manages disks and snapshots cleanup
    • Has Key Vault Secrets User access
  3. Disk Encryption Identity (upwind-cs-disk-encryption-identity-{orgId})

    • Assigned to disk encryption sets
    • Has Key Vault Crypto Service Encryption User access

RBAC Configuration

Service Principal

Tenant-wide roles:

  • Reader
  • Key Vault Reader
  • Security Reader
  • Cosmos DB Account Reader Role
  • Backup Reader
  • Log Analytics Reader
  • Custom role: upwindsecurity-{random-hex}

VMSS Managed Identity

Tenant-wide roles:

  • Storage Blob Data Reader
  • Custom role: CloudScannerTargetRole-{suffix}-{managementGroup}

Scaler Managed Identity

Orchestrator subscription role:

  • Custom role: CloudScannerScalerRole-{suffix}

Disk Encryption Set Managed Identity

Role:

  • Key Vault Crypto Service Encryption User