Azure connector integration is a powerful tool that allows businesses to streamline their operations and improve efficiency. It enables seamless communication between different systems and applications, making it easier to manage data and workflows.
With Azure connector, you can integrate various services such as Salesforce, Dynamics, and NetSuite, to name a few. This integration enables real-time data synchronization, eliminating the need for manual data entry and reducing errors.
By integrating Azure connector, businesses can also automate workflows and processes, freeing up staff to focus on more strategic tasks. This can lead to significant productivity gains and cost savings.
Azure connector supports a wide range of protocols, including REST, SOAP, and OData, making it a versatile and adaptable solution.
Prerequisites
To get started with the Azure Connector, you'll need to meet some prerequisites. You'll need a fully functional Globus Connect Server 5 endpoint; the connector cannot be configured without one.
You'll also need a Microsoft account, as the registration will be stored under that account. Make sure this account is in the same organization as your Azure storage account.
To begin configuring the Connector, you'll need to create an Azure Application. This is a crucial step that will allow you to obtain the required parameters for the connector's configuration.
You'll also need to grant the Azure Application API permissions, which will enable the Connector to function properly.
Registration
To register your Azure connector, you'll need to follow these steps. First, go to Microsoft Azure App registrations.
You can find the App registrations page by searching for it in the Microsoft Azure portal. Select + New registration to add a new registration.
This will create a new app registration for your Azure connector. Next, select API permissions to configure the permissions required for Azure storage access. This step is not required for service principal authentication.
API permissions will allow you to specify what actions your Azure connector can perform on Azure storage. You can choose from a variety of permissions, such as reading or writing data.
Select Certificates & secrets to create a secret. A secret is a unique string of characters that your Azure connector will use to authenticate with Azure.
You can create a secret by clicking the "New client secret" button. If desired, select Branding to configure additional login screen details.
Branding will allow you to customize the login screen for your Azure connector. You can add a logo, change the background color, or add a custom message.
If desired, select Token configuration to add the optional upn claim to the ID token. This is usually not necessary; see credential mapping.
Token configuration will allow you to customize the claims that are included in the ID token. However, this is typically not needed for Azure storage access.
Finally, select Overview to review your app registration. App registration is complete.
Here's a quick summary of the steps:
- Go to Microsoft Azure App registrations
- Select + New registration
- Select API permissions (if needed)
- Select Certificates & secrets
- Select Branding (if desired)
- Select Token configuration (if desired)
- Select Overview
Configuration
To configure the Azure Connector, you'll need to log in to your Vulcan Cyber dashboard and navigate to the Connectors page. Click on Add a Connector, then select the Azure icon.
You'll need to set up the Connector by loading your Azure subscriptions and testing connectivity. This will ensure that Vulcan Cyber can connect to your Azure instance.
The connector's configuration requires four values from the Azure portal: the Application (client) ID, the Directory (tenant) ID, a client secret, and the Subscription ID.
Here are the required parameters:
- Application (client) ID
- Directory (tenant) ID
- Client Secret
- Subscription ID
Note that you can see the connector’s progress in the Log tab.
Configuration Encryption
Configuration Encryption is a crucial aspect of ensuring the security of your configuration information.
All configuration information is encrypted with a secret key on the node servicing the request before storing it locally.
This encryption key is only available locally to the node, making it a highly secure practice.
Only the node admin has access to the encryption key, which adds an extra layer of security to the configuration encryption process.
Azure Blob secrets and user credential information are also encrypted as part of this process, which further protects sensitive data.
The encrypted configuration information is then stored locally and uploaded to GCS cloud services for distribution to other nodes in the endpoint.
This ensures that configuration information is secure and protected from unauthorized access throughout the entire process.
Obtain Required Configuration Parameters
To configure your connector, you'll need to obtain some essential parameters. First, you'll need the Application (client) ID, which can be found on the Overview page of your new application. This ID is crucial for the connector's configuration.
The Directory (tenant) ID is also required and can be located on the left pane of your application under Certificates & secrets. You'll need to create a new client secret and obtain the client secret key.
You'll also need the Subscription ID, which can be found by searching for Subscriptions in the top search bar and copying the relevant ID.
Here are the parameters you should have by the end of these steps:
- Application (client) ID
- Directory (tenant) ID
- Client Secret
- Subscription ID
With these parameters in hand, you'll be ready to create your connector.
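As an added example (not code from the Globus, Vulcan Cyber or Harness documentation cited on this page), the Python below shows how these four parameters are used in a service-principal login: the client ID, tenant ID and secret form the OAuth2 client-credentials token request to Microsoft Entra ID, and the Subscription ID selects the Azure Resource Manager URL that a host-ingesting connector would query. The GUID sanity checks are my own, the `api-version` value is an assumption, and nothing is sent over the network.

```python
import re
from urllib.parse import urlencode

# Added example: wires the four connector parameters into an OAuth2
# client-credentials token request and an ARM host-listing URL, offline.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
ARM_SCOPE = "https://management.azure.com/.default"   # Azure Resource Manager audience
API_VERSION = "2023-03-01"   # assumed Microsoft.Compute api-version; use one your tenant supports


def validate_params(client_id, tenant_id, client_secret, subscription_id):
    """Return a list of problems; an empty list means the values look usable."""
    problems = []
    for name, value in (("Application (client) ID", client_id),
                        ("Directory (tenant) ID", tenant_id),
                        ("Subscription ID", subscription_id)):
        if not GUID_RE.match(value or ""):
            problems.append(f"{name} is not a GUID: {value!r}")
    # Frequent mistake: pasting the secret's ID (a GUID) instead of its value,
    # which the portal only displays once when the secret is created.
    if not client_secret:
        problems.append("Client Secret is empty")
    elif GUID_RE.match(client_secret):
        problems.append("Client Secret looks like the secret ID, not the secret value")
    return problems


def build_token_request(client_id, tenant_id, client_secret):
    """Token endpoint and form body for the v2.0 client-credentials grant."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,   # sent only in the POST body, never in a URL
        "scope": ARM_SCOPE,
    })
    return url, body


def build_vm_list_url(subscription_id):
    """ARM request the connector would make (with the bearer token) to ingest hosts."""
    return (f"https://management.azure.com/subscriptions/{subscription_id}"
            f"/providers/Microsoft.Compute/virtualMachines?api-version={API_VERSION}")
```

Run `validate_params` before saving the connector; a secret that passes the GUID check is the most common cause of a "test connectivity" failure that otherwise looks like a permissions problem.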
Configure Credentials
To configure credentials, you have two primary options: Specify credentials here or Use the credentials of a specific Harness Delegate.
Specify credentials here requires providing Microsoft Azure app registration details, including the Application (client) ID and Directory (tenant) ID. You can find these values in the App registration Overview or Managed Identity page in Azure.
You'll also need to input the Application (client) ID in the connector's Application Id field and the Directory (tenant) ID in the connector's Tenant Id field.
In addition, you'll need to provide an authentication key for your app, which can be a Secret or Certificate. You can create a secret key by going to App Registrations in Microsoft Entra ID, selecting the app, selecting Certificates & secrets, and then selecting New client secret.
Alternatively, if you have installed a Harness Delegate in your Azure subscription, you can select Use the credentials of a specific Harness Delegate to allow the connector to inherit authentication credentials from the delegate.
To do this, select System Assigned Managed Identity or User Assigned Managed Identity as the authentication method. If you select User Assigned Managed Identity, you'll need to input the Managed Identity's Client Id.
Using HARNESS_KUBE_CONFIG_PATH
HARNESS_KUBE_CONFIG_PATH resolves to the path of a Harness-generated kubeconfig file containing the credentials you provided to Harness.
kubectl, the command-line tool for managing Kubernetes clusters, can use this file directly. To do so, export its value in the KUBECONFIG environment variable.
You can do this in a Harness Run step using a shell script. For example, you could use the following shell script:
```bash
export KUBECONFIG=${HARNESS_KUBE_CONFIG_PATH}
```
However, there are some important considerations to keep in mind. If the Azure connector used in the stage's Infrastructure uses Azure Managed Identity for authentication, then the Shell Script step must use a Delegate Selector for a delegate running in AKS.
On the other hand, if the Azure connector used in the stage's Infrastructure uses Azure Service Principal for authentication, then the Shell Script step can use any delegate.
Details
Configuration details are essential to get right. Azure Connector is a supported product, specifically designed for Azure Virtual Machines.
To ensure seamless integration, it's crucial to understand the supported asset type. The Azure Connector ingests hosts, which is the type of asset it can work with.
The integration type is also important to note. The Azure Connector uses a uni-directional approach, where data is transferred from the Connector to the Vulcan Platform in one direction.
For the latest version and type, the Azure Connector supports SaaS (Software as a Service), which is the latest version available.
Action Result
The result of a configured action is what matters most. The get_groups action result is a JSON array with each record consisting of a single user group.
If you've set $count to true when configuring the action, the Results panel will show a count of imported groups. This can be a helpful way to gauge the success of your action.
The directory_id displayed in the results is the Azure tenant ID, which is something to keep in mind when interpreting your action results.
Setup
To get started with your Azure Connector, you'll need to set up Entra ID integration. This involves allowing outbound connections and granting permissions to Workflows.
Granting permissions to Workflows is a crucial step, as it enables the integration to function correctly.
Allowing outbound connections is also essential, as it allows the Azure Connector to communicate with Microsoft Azure.
Setup
To set up the integration, first allow outbound connections so that the Azure Connector can reach Microsoft Azure, then grant the necessary permissions to Workflows so they can perform tasks on your behalf.
For the outbound connection, set up Microsoft Azure for integration with Dynatrace, which involves authorizing a connection to Microsoft Azure.
Once the connection is authorized, Workflows can use it to automate tasks.
Validate Hosts
To validate hosts, you need to ensure that the same number of assets appear on the Vulcan Platform under Assets > Hosts, filtered by Azure connector. This is a crucial step in setting up your system.
You can do this by checking the Hosts field mapping, which describes how Azure fields are mapped to Vulcan fields. For example, the Azure field "properties.vmId" is mapped to the Vulcan field "Uniqueness criteria".
Here's a table showing the key mappings described on this page:

| Azure field | Vulcan field |
| --- | --- |
| properties.vmId | Uniqueness criteria |
| Time stamp of the 'ProvisioningState' status if it exists; otherwise the time stamp of 'instance_view.data.statuses' | Created date |

You can also use this mapping to troubleshoot discrepancies between the two platforms. For instance, if the "Created date" field is not populating correctly, check that the VM record actually carries a 'ProvisioningState' status with a time stamp, or, failing that, a time stamp under 'instance_view.data.statuses', since that is the source the "Created date" mapping reads from.
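As an added example (not Vulcan Cyber's or Azure's code), the Python below applies the two mappings just described to constructed VM records: `properties.vmId` is the uniqueness criterion, so a record seen twice yields one host, and "Created date" is taken from the ProvisioningState status time stamp with a fallback to the first time stamp under `instance_view.data.statuses`. The record shape and status codes are assumptions modelled on the field paths the page names.

```python
# Added example: applies the page's Hosts field mappings (vmId uniqueness,
# Created date with fallback) to constructed records and runs the
# Validate Hosts count check. Record layout is an assumption.

def created_date(vm):
    """ProvisioningState time stamp if present, else the first status time stamp."""
    statuses = vm.get("instance_view", {}).get("data", {}).get("statuses", [])
    for status in statuses:
        if status.get("code", "").startswith("ProvisioningState/") and status.get("time"):
            return status["time"]
    for status in statuses:            # fallback when no ProvisioningState status exists
        if status.get("time"):
            return status["time"]
    return None                        # surfaces as an empty Created date on the platform


def map_hosts(vms):
    """Map Azure VM records to host records keyed by vmId; report skipped duplicates."""
    hosts, duplicates = {}, []
    for vm in vms:
        vm_id = vm.get("properties", {}).get("vmId")
        if not vm_id:
            continue                   # no uniqueness key: cannot be ingested as a host
        if vm_id in hosts:
            duplicates.append(vm_id)   # same vmId seen twice: one host, not two
            continue
        hosts[vm_id] = {"uniqueness_criteria": vm_id,
                        "name": vm.get("name"),
                        "created_date": created_date(vm)}
    return hosts, duplicates


def hosts_match_platform(vms, platform_host_count):
    """The Validate Hosts check: ingested host count equals the Assets > Hosts count."""
    hosts, _ = map_hosts(vms)
    return len(hosts) == platform_host_count


# Constructed sample: two distinct VMs, one duplicate record, one record without a vmId.
SAMPLE_VMS = [
    {"name": "web-01", "properties": {"vmId": "vm-aaa"},
     "instance_view": {"data": {"statuses": [
         {"code": "ProvisioningState/succeeded", "time": "2024-01-10T08:00:00Z"},
         {"code": "PowerState/running"}]}}},
    {"name": "db-01", "properties": {"vmId": "vm-bbb"},
     "instance_view": {"data": {"statuses": [
         {"code": "PowerState/running", "time": "2024-02-01T12:30:00Z"}]}}},
    {"name": "web-01-dup", "properties": {"vmId": "vm-aaa"}},
    {"name": "no-id", "properties": {}},
]
```

When the platform count is lower than the number of VMs in the subscription, the `duplicates` list and the records skipped for a missing `vmId` are the first two places to look.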
Frequently Asked Questions
What is a connector in Azure?
A connector in Azure is a connection to an external service or system that enables authentication and access to user accounts. It's a crucial component in Azure Logic Apps, allowing you to integrate with various services and automate workflows.
What is the Azure AD connector?
Azure AD Connect is a tool that links on-premises identity systems to Azure Active Directory, enabling identity management across hybrid cloud and on-premises environments. It synchronizes identities between public cloud and on-premises resources for seamless access and management.
What is Azure activity connector?
Azure Activity Connector is a service that collects and analyzes audit logs from Azure resources, providing valuable insights into system activity. It helps organizations monitor and secure their Azure environment with real-time data analysis.
Sources
- https://docs.globus.org/premium-storage-connectors/v5.4/azure-blob/
- https://help.vulcancyber.com/en/articles/7878279-microsoft-azure-connector-new-revision
- https://developer.harness.io/docs/platform/connectors/cloud-providers/add-a-microsoft-azure-connector/
- https://help.vulcancyber.com/en/articles/3220465-microsoft-azure-connector-previous-revision
- https://docs.dynatrace.com/docs/platform-modules/automations/workflows/actions/microsoft-entra-id