
Azure Cloud

Overview

Azure organizational onboarding enables customers to seamlessly connect their Azure subscriptions to Upwind, providing centralized visibility, control, and protection across all resources. By leveraging Azure's role-based access control (RBAC) and managed identities, this integration streamlines resource management while safeguarding your cloud environment against misconfigurations and threats.

Architecture

Azure organizational onboarding allows the integration of Azure subscriptions with Upwind by provisioning service principals, managed identities, and necessary resources for discovery and security auditing. It designates an orchestrator subscription for deploying scanning infrastructure and configuring cloud scanners. This architecture supports centralized security visibility and management across all Azure subscriptions.

Connecting an Azure subscription involves four key components:

Component          | Description                                                                   | Purpose
Resource Group     | Creates upwind-cs-rg-{orgId} containing shared resources for cloud scanners   | Resource Management
Managed Identities | Three identities for VMSS, scaler function, and disk encryption               | Access Control
Service Principal  | Application identity with tenant-wide permissions for deployment operations   | Authentication
RBAC Assignments   | Custom roles and permissions for cloud scanner operations                     | Authorization

Prerequisites

  • Owner privileges in the Azure tenant
  • Terraform/OpenTofu installed locally
  • Sufficient Spot VM quota (minimum 40 spot vCPUs)

Integration

Azure is onboarded to Upwind with Terraform/OpenTofu infrastructure-as-code. The Azure CLI is also required for authentication.
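As an added illustration (not Upwind's onboarding module), the following Terraform sketch shows how the resource group, the three managed identities, and the custom RBAC role from the components table map onto azurerm resources; the service principal is left out. The org id, the orchestrator subscription id, the region, and the role's action list are placeholders.

```hcl
# Added illustration, not the Upwind onboarding module. Assumes the azurerm
# provider is already configured and that var.org_id and
# var.orchestrator_subscription_id are supplied by the caller.
variable "org_id" { type = string }
variable "orchestrator_subscription_id" { type = string }

# Component 1: resource group holding the shared cloud-scanner resources
resource "azurerm_resource_group" "cs" {
  name     = "upwind-cs-rg-${var.org_id}"
  location = "eastus" # placeholder region
}

# Component 2: one user-assigned managed identity per scanner workload, so
# each workload carries only its own permissions (least privilege)
locals {
  identities = toset(["vmss", "scaler-function", "disk-encryption"])
}

resource "azurerm_user_assigned_identity" "scanner" {
  for_each            = local.identities
  name                = "upwind-cs-${each.key}-${var.org_id}"
  location            = azurerm_resource_group.cs.location
  resource_group_name = azurerm_resource_group.cs.name
}

# Component 4: a custom role scoped to the orchestrator subscription.
# The action list is a placeholder; the real role's permissions come from
# Upwind's onboarding module, not from this sketch.
resource "azurerm_role_definition" "scanner" {
  name  = "upwind-cloud-scanner-${var.org_id}"
  scope = "/subscriptions/${var.orchestrator_subscription_id}"

  permissions {
    actions = [
      "Microsoft.Compute/virtualMachines/read",
      "Microsoft.Compute/disks/read",
    ]
  }
  assignable_scopes = ["/subscriptions/${var.orchestrator_subscription_id}"]
}

# Bind the custom role to the VMSS identity only; the other identities
# would receive their own, narrower assignments in a full configuration.
resource "azurerm_role_assignment" "vmss" {
  scope              = "/subscriptions/${var.orchestrator_subscription_id}"
  role_definition_id = azurerm_role_definition.scanner.role_definition_resource_id
  principal_id       = azurerm_user_assigned_identity.scanner["vmss"].principal_id
}
```

Before applying such a configuration, confirm that the authenticated principal holds Owner on the tenant and that the orchestrator subscription has the Spot vCPU quota listed under Prerequisites, since both role creation and scanner deployment fail otherwise.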