Azure Cloud
Overview
Azure organizational onboarding enables customers to seamlessly connect their Azure subscriptions to Upwind, providing centralized visibility, control, and protection across all resources. By leveraging Azure's role-based access control (RBAC) and managed identities, this integration streamlines resource management while safeguarding your cloud environment against misconfigurations and threats.
Architecture
Azure organizational onboarding allows the integration of Azure subscriptions with Upwind by provisioning service principals, managed identities, and necessary resources for discovery and security auditing. It designates an orchestrator subscription for deploying scanning infrastructure and configuring cloud scanners. This architecture supports centralized security visibility and management across all Azure subscriptions.
Connecting an Azure subscription involves four key components:
| Component | Description | Purpose |
|---|---|---|
| Resource Group | Creates upwind-cs-rg-{orgId}, which holds the shared resources for the cloud scanners | Resource management |
| Managed Identities | Three user-assigned identities: one for the VMSS, one for the scaler function, and one for disk encryption | Access control |
| Service Principal | Application identity with tenant-wide permissions for deployment operations | Authentication |
| RBAC Assignments | Custom roles and permissions for cloud scanner operations | Authorization |
Prerequisites
- Owner privileges in the Azure tenant
- Terraform or OpenTofu installed locally
- Sufficient Spot VM quota (at least 40 spot vCPUs)
Integration
Azure is onboarded to Upwind through Terraform/OpenTofu infrastructure-as-code. The Azure CLI is also required, since the providers authenticate with your existing az login session.
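The following Terraform/OpenTofu configuration is an added illustration of the four components listed in the Architecture table and of the Terraform-based integration described above; it is not Upwind's own onboarding module. Resource names other than the resource group pattern, the custom role's action list, the org_id variable and the choice of provider versions are assumptions made for this example.

```hcl
# Added example (not Upwind's module): provisions the four onboarding components
# from the Architecture table. Names other than upwind-cs-rg-{orgId}, the action
# list of the custom role and the provider versions are assumptions.

terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
    azuread = { source = "hashicorp/azuread", version = "~> 3.0" }
  }
}

# Both providers authenticate with the current Azure CLI session (az login).
provider "azurerm" {
  features {}
}
provider "azuread" {}

variable "org_id" {
  description = "Upwind organization id embedded in resource names (value assumed)"
  type        = string
}

variable "location" {
  description = "Region for the shared scanner resources"
  type        = string
  default     = "eastus"
}

# The subscription the CLI is logged into acts as the orchestrator subscription.
data "azurerm_subscription" "orchestrator" {}

# 1. Resource group holding the shared cloud scanner resources.
resource "azurerm_resource_group" "upwind_cs" {
  name     = "upwind-cs-rg-${var.org_id}"
  location = var.location
}

# 2. Three user-assigned managed identities (VMSS, scaler function, disk
#    encryption). The identity names are assumptions for this example.
locals {
  identities = toset(["vmss", "scaler", "disk-encryption"])
}

resource "azurerm_user_assigned_identity" "scanner" {
  for_each            = local.identities
  name                = "upwind-cs-${each.key}-${var.org_id}"
  resource_group_name = azurerm_resource_group.upwind_cs.name
  location            = azurerm_resource_group.upwind_cs.location
}

# 3. Service principal used for deployment operations (display name assumed).
resource "azuread_application" "upwind_deploy" {
  display_name = "upwind-cs-deploy-${var.org_id}"
}

resource "azuread_service_principal" "upwind_deploy" {
  client_id = azuread_application.upwind_deploy.client_id
}

# 4. Custom role scoped to the orchestrator subscription. The action list is an
#    illustrative read-only set, not Upwind's published permissions; keeping
#    assignable_scopes to the single subscription limits where it can be granted.
resource "azurerm_role_definition" "scanner" {
  name        = "upwind-cs-scanner-${var.org_id}"
  scope       = data.azurerm_subscription.orchestrator.id
  description = "Read-only discovery for Upwind cloud scanners (example action list)"

  permissions {
    actions = [
      "Microsoft.Compute/virtualMachines/read",
      "Microsoft.Compute/disks/read",
      "Microsoft.Compute/snapshots/read",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
    ]
    not_actions = []
  }

  assignable_scopes = [data.azurerm_subscription.orchestrator.id]
}

# Bind the custom role to the VMSS identity only; the other identities get no
# subscription-wide rights in this example.
resource "azurerm_role_assignment" "vmss_scanner" {
  scope              = data.azurerm_subscription.orchestrator.id
  role_definition_id = azurerm_role_definition.scanner.role_definition_resource_id
  principal_id       = azurerm_user_assigned_identity.scanner["vmss"].principal_id
}

output "deploy_service_principal_object_id" {
  value = azuread_service_principal.upwind_deploy.object_id
}
```

To apply it, log in with the Azure CLI as an account holding Owner on the tenant, select the orchestrator subscription (az account set --subscription <id>), then run tofu init and tofu plan -var org_id=<your-org-id> (or the equivalent terraform commands) and review the plan before tofu apply. Reviewing the plan is where you confirm that the custom role's actions and assignable_scopes match what your organization is willing to grant.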