Onboard Azure Subscriptions

This topic describes how to onboard Azure subscriptions to ACE.

Note: Seamless Azure Subscription Onboarding:

  • An early availability feature in ASMS A33.10 is the ability to onboard Azure Subscriptions to both ACE and ASMS simultaneously. This capability streamlines your onboarding process. Once accounts are added to ACE, they are automatically onboarded to ASMS. For more details, refer to our ASMS tech docs Simultaneously onboard Azure subscriptions into ACE and ASMS.

You can choose four onboarding methods to add new Azure subscriptions, management groups, and tenant root groups. The first involves using scripts, while the others do not. The onboarding method you select also determines whether changes made to account resources after onboarding are automatically synced from Azure to your environment.

Note: Depending on which onboarding method you choose, changes to onboarded account resources may be automatically synced every hour.

Onboarding Methods Azure subscriptions, management groups, and tenant root groups

*Automatically syncs changes to subscriptions, management groups, and tenant root groups from Azure to ACE after onboarding.
Onboarding Method Description Automatic sync*
With script (via wizard) Uses scripts to onboard Azure resources Yes
No script Onboard Azure resources without using scripts Yes
API (single account) Onboard a single subscription via API No
Terraform Leverage Terraform, the infrastructure-as-code solution, for onboarding your Azure subscriptions into ACE. Yes

Note: Any changes to Azure subscriptions, managed groups, or tenant root groups after onboarding will automatically sync with ACE once every hour.

Note: For more information about the Azure onboarding script, see Inside the Azure Onboarding Script.

Before you start

Onboarding Azure Subscription

Onboard Azure resources using your preferred method:

Do the following:

Access the onboarding wizard:

Do the following:

  1. In the ACESettings area, click ONBOARDING.

  1. On the Onboarding Management page that opens, click +Onboard Accounts. The Onboard Account wizards opens on the Cloud Provider selection step.

  1. Click the Microsoft Azure button and click Next.

    The Azure Access Permissions step appears.

  1. Enable permissions for policy change:

    Choose which level of permissions are required for the role in Azure.

    • Clear the checkbox to fully support your Azure security policy management, security analysis and recommendations without the ability to perform policy changes

    • Select the checkbox to grant all Read functionalities to fully support your Azure security policy management, security analysis and recommendations PLUS enable advanced policy change capabilities for Azure NSGs. This requires additional Write permissions beyond the base Read permissions.

  1. Select the Azure resource type: Subscription ID, Management Group, or Tenant Root Group.

    Important: To run the script, the user must possess the necessary permissions for creating a service principal on the selected resource.

  2. In the Resource ID field, enter the Subscription ID or Management Group Name of the Azure resource to onboard.

    Note: When Tenant Root Group is the Azure resource type, no additional information is required.

    The Cloud Shell command field is automatically populated based on the resource type and ID / Name.

  3. Complete the onboarding using one of the following methods:

    1. To open a Cloud Shell session directly from the ACE interface, click .

      Note: The Cloud Shell link is copied automatically to your clipboard.

      The Azure editor opens in a new browser tab.

      1. From the dropdown menu select Bash.

      2. Paste the Cloud Shell script from your clipboard and then press Enter.

        The subscription(s) is onboarded into ACE.

    2. (Alternative method) If you don't want to open a Cloud Shell session directly from the wizard, you can run bash locally using a proxy:

      1. Click Copy to copy the Cloud Shell command.

        Note: The command generates an unreadable script. Expand the example below to see the readable version of the script:

        Copy 
        #!/bin/bash

        #Algosec Cloud tenantId
        ALGOSEC_TENANT_ID='<ALGOSEC_TENANT_ID>'

        #Algosec Cloud multi-tenant application
        APP_ID='<ALGOSEC_ONBOARDING_APP_ID>'

        #Algosec Cloud onboarding URL
        ALGOSEC_CLOUD_HOST='https://<HOST>'
        ALGOSEC_CLOUD_ONBOARDING_URL="$ALGOSEC_CLOUD_HOST<ONBOARDING_PATH>"

        #Token
        TOKEN='<ONBOARDING_TOKEN>'
        ADDITIONALS='<ALGOSEC_ADDITIONALS>'

        #Target resource
        TARGET_RESOURCE='<AZURE_TARGET_RESOURCE>'
        TARGET_ID='<AZURE_TARGET_RESOURCE_ID>'

        out=$(az account show)
        az_tenant=$(echo "$out" | jq -r '.tenantId')

        echo "Preparing to onboard the target resource [$TARGET_RESOURCE] of [$az_tenant] tenant"

        echo "Check if service principal already exists for Algosec Cloud AZ-AD Application"
        sp=$(az ad sp list --filter "appId eq '$APP_ID'" | jq length)
        if [ $? -ne 0 ]; then
            echo "ERROR: User does not have permission to view service principals"
            echo "The onboarding process has failed — please ensure you have the required permissions"
            exit 1
        fi

        if [ $sp -eq 0 ];then
            echo "Service Principal not found"
            echo "Onboard Algosec Cloud AZ-AD Application"
            az ad sp create --id $APP_ID
            if [ $? -ne 0 ]; then
                echo "ERROR: Failed to create service principal for Algosec Cloud AZ-AD Application"
                echo "The onboarding process has failed — please ensure you have the required permissions"
                exit 1
            fi
            echo "Service Principal created successfully"
        else
            echo "Service Principal found for Algosec Cloud AZ-AD Application"
        fi

        #Roles
        roles=( <SERVICE_PRINCIPAL_ROLES> )

        for role in "${roles[@]}"; do
            echo "Assign a role to the [$TARGET_RESOURCE]: [$role]"
            az role assignment create --role "$role" --assignee $APP_ID --scope $TARGET_RESOURCE
            if [ $? -ne 0 ]; then
                echo "ERROR: The target resource [$TARGET_RESOURCE] wasn't found or the user has no permission to work with it"
                echo "The onboarding process has failed — please ensure you have the required permissions"
                exit 1
            fi
        done

        #----------------------------------------------------
        #Azure region
        REGION='<AZURE_REGION>'

        #Prevasio host
        PREVASIO_HOST='<PREVASIO_HOST>'

        #Prevasio source code location
        SOURCES_URL='<PREVASIO_SOURCES_URL>'

        declare CURRENT_PREVASIO_RESOURCES_MD5

        rollback_resources() {
            local prevasio_hash=$1
            local subscription_id=$2
            local deploy_group_name=$3
            local role_name=$4
            local assignee_id=$5

            echo "Rolling back resources in [$subscription_id]"

            if [ -n "$assignee_id" ] && [ -n "$role_name" ]; then
                echo "Removing role assignment..."
                az role assignment delete --assignee "$assignee_id" --role "$role_name" --scope "/subscriptions/$subscription_id"
            fi

            if [ -n "$role_name" ]; then
                echo "Deleting custom role definition..."
                delete_role_if_exists "$role_name"
            fi

            if [ -n "$deploy_group_name" ]; then
                echo "Deleting deployment group..."
                az deployment group delete --name "$deploy_group_name" --resource-group "prevasio-$prevasio_hash-resource-group"
            fi

            echo "Deleting resource group..."
            az group delete --name "prevasio-$prevasio_hash-resource-group" --yes --no-wait
        }


        delete_role_assignments(){
          local role_name="$1"
          az role assignment list --role "$role_name" --output json |
          jq -c '.[]' |
          while IFS= read -r role_assignment; do
            id=$(echo "$role_assignment" | jq -r '.id')
            echo "Deleting role assignment: $id"
            az role assignment delete --ids "$id"
          done
        }


        delete_role_if_exists() {
            local role_name="$1"
            get_role_scope() {
                az role definition list --query "[?roleName==\`${role_name}\`].[assignableScopes[0]] | [0]" -o tsv
            }
            role_scope=$(get_role_scope)
            if [ -n "$role_scope" ]; then
                delete_role_assignments "$role_name"
                az role definition delete --name "$role_name" --scope "$role_scope"
                echo "Waiting for role to be deleted..."
                local max_retries=5
                local retries=0
                while true; do
                    sleep 10
                    role_scope=$(get_role_scope)
                    if [ -z "$role_scope" ]; then
                        echo "Role '$role_name' deleted successfully."
                        break
                    else
                        retries=$((retries + 1))
                        echo "Role still exists. Retry $retries/$max_retries..."

                        if [ "$retries" -ge "$max_retries" ]; then
                            echo "Unable to delete role automatically after $max_retries attempts. Please delete manually:"
                            echo "   az role definition delete --name \"$role_name\" --scope \"$role_scope\""
                            break
                        fi
                    fi
                done
            else
                echo "Role '$role_name' does not exist. No deletion needed."
            fi
        }


        delete_kv_if_exists(){
            local kv_name="prevasio-$prevasio_hash-kv"

            if az keyvault show --name "$kv_name" --query "name" --output tsv 2>/dev/null | grep -q "$kv_name"; then
                echo "Purging key vault '$kv_name'..."
                az keyvault purge --name "$kv_name" --location "$REGION" --no-wait
            fi
            if az keyvault show-deleted --name "$kv_name" --query "name" --output tsv 2>/dev/null | grep -q "$kv_name"; then
                echo "Purging key vault '$kv_name'..."
                az keyvault purge --name "$kv_name" --location "$REGION" --no-wait
            fi

        }


        cleanup_existing_resources() {
            local subscription_id="$1"
            az account set --subscription "$subscription_id"

            local rg_name="prevasio-$prevasio_hash-resource-group"


            echo "Checking for existing resources to clean in [$subscription_id]..."

            # Delete resource group if it exists
            if az group exists --name "$rg_name" | grep -q true; then
                echo "Deleting resource group '$rg_name'..."
                az group delete --name "$rg_name" --yes --no-wait
            fi
              delete_kv_if_exists
        }


        check_az_failure() {
            local response="$1"
            local context_message="$2"
            local json_part
            json_part=$(echo "$response" | sed -n '/^{/,$p')
            if ! echo "$json_part" | jq -e . > /dev/null 2>&1; then
                echo "$context_message failed: $response"
                return 1
            fi

            if echo "$json_part" | jq -e 'has("error")' > /dev/null; then
                local error_message
                error_message=$(echo "$json_part" | jq -r '.error.message // "Unknown error"')
                echo "$context_message failed: $error_message"
                return 1
            fi
            return 0
        }


        deploy_code_to_subscription() {
            local subscription_id=$1
            local prevasio_hash="${ALGOSEC_TENANT_ID:0:4}${subscription_id:0:4}"
            az account set --subscription "$subscription_id"
            echo "Deploying resources to [$subscription_id] subscription"
            should_drop_resource_group=false
            local resource_group_name="prevasio-$prevasio_hash-resource-group"
            if [ "$(az group exists --name $resource_group_name)" == "true" ]; then
                resource_group_version=$(az group show --name $resource_group_name --query "tags.version" --output tsv)
                if [ -n "$resource_group_version" ] && [ "$resource_group_version" == "$CURRENT_PREVASIO_RESOURCES_MD5" ]; then
                    echo "The current onboarding in [$subscription_id] subscription is up to date. Skipping the resources creation."
                    return
                fi
                should_drop_resource_group=true
            fi

            if $should_drop_resource_group ; then
                echo "Deleting resource group prevasio-$prevasio_hash-resource-group in [$subscription_id] subscription"
                cleanup_existing_resources "$prevasio_hash" "$subscription_id"
            fi
            echo '{
                    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
                    "contentVersion": "1.0.0.0",
                    "parameters": {
                        "subscription-id": {
                            "value": "'$subscription_id'"
                        },
                        "tenant-id": {
                            "value": "'$az_tenant'"
                        },
                        "prevasio-hash": {
                            "value": "'$prevasio_hash'"
                        },
                        "prevasio-host": {
                            "value": "'$PREVASIO_HOST'"
                        },
                        "prevasio-additionals": {
                            "value": "'$ADDITIONALS'"
                        },
                        "algosec-cloud-host": {
                            "value": "'$ALGOSEC_CLOUD_HOST'"
                        }
                    }
                }' > parameters.json

            # Deleting Key Vault if it exists
            delete_kv_if_exists
            # Creating Resource Group
            echo "Creating resource group prevasio-$prevasio_hash-resource-group in [$subscription_id] subscription"
            group_response=$(az group create --name prevasio-$prevasio_hash-resource-group --location $REGION --tag version=$CURRENT_PREVASIO_RESOURCES_MD5 2>&1)
            if ! check_az_failure "$group_response" "Resource group creation"; then
              return
            fi

            # Creating Deployment Group and checking if the operation is success
            echo "Creating application resources in [$subscription_id] subscription"
            deploy_group_response=$(az deployment group create --resource-group prevasio-$prevasio_hash-resource-group --template-file template.json --parameters parameters.json 2>&1)
            if ! check_az_failure "$deploy_group_response" "Deployment group creation"; then
              rollback_resources "$prevasio_hash" "$subscription_id"
              return
            fi

            deploy_group_name=$(echo $deploy_group_response | jq -r '.name')

            # Creating and assigning role
            echo "Assigning roles to application in [$subscription_id] subscription"
            role_name="Prevasio Application Role ($prevasio_hash)"
            echo '{
                    "Name": "'"$role_name"'",
                    "IsCustom": true,
                    "Description": "Allows to create EventGrid subscriptions for ACR registries events.",
                    "Actions": [
                      "Microsoft.EventGrid/eventSubscriptions/read",
                      "Microsoft.ContainerRegistry/registries/read",
                      "Microsoft.EventGrid/eventSubscriptions/write",
                      "Microsoft.Web/sites/functions/write"
                    ],
                    "NotActions": [],
                    "DataActions": [],
                    "NotDataActions": [],
                    "AssignableScopes": [
                      "/subscriptions/'$subscription_id'"
                    ]
                  }' > ./role_def.json
            # Delete, if a role with same name already exists.
            delete_role_if_exists "$role_name"

            # Role creation
            role_creation_response=$(az role definition create --role-definition role_def.json 2>&1)
              exit_code=$?
            if [ $exit_code -ne 0 ]; then
              rollback_resources "$prevasio_hash" "$subscription_id" "$deploy_group_name"
              return
            fi
            generated_role_name=$(echo "$role_creation_response" | sed '/^{/,$!d' | jq -r '.name')

            # Role Assignment
            assignee_id=$(az ad sp list --display-name prevasio-$prevasio_hash-app --query [].id --output tsv)
            role_assignment_create_response=$(az role assignment create --assignee $assignee_id --role "$generated_role_name" --scope /subscriptions/$subscription_id 2>&1)
            if ! check_az_failure "$role_assignment_create_response" "Role assignment creation"; then
              rollback_resources "$prevasio_hash" "$subscription_id" "$deploy_group_name" "$generated_role_name"
              return
            fi

            # Creating and deploying function app.
            echo "Deploying application sources in [$subscription_id] subscription"
            functionapp_deploy_response=$(az functionapp deployment source config-zip -g prevasio-$prevasio_hash-resource-group -n prevasio-$prevasio_hash-app --src function.zip --build-remote true 2>&1)
            if ! check_az_failure "$functionapp_deploy_response" "Function app creation/deployment"; then
              rollback_resources "$prevasio_hash" "$subscription_id" "$deploy_group_name" "$generated_role_name" "$assignee_id"
              return
            fi

            echo "Application sources were deployed successfully"
        }

        mkdir -p prevasio-onboarding && rm -rf prevasio-onboarding/*
        cd prevasio-onboarding
        echo "Downloading Prevasio application resources"
        wget -O sources.zip "${SOURCES_URL}?tenant_id=${ALGOSEC_TENANT_ID}"
        if [[ -f "sources.zip" ]]; then
            CURRENT_PREVASIO_RESOURCES_MD5=$(md5sum "sources.zip" | awk '{print $1}')
        else
            CURRENT_PREVASIO_RESOURCES_MD5=0
            echo "Error: Failed to download sources.zip"
            return
        fi
        unzip sources.zip
        echo "Resources were downloaded successfully. Resources version: $CURRENT_PREVASIO_RESOURCES_MD5"

        if [[ $TARGET_RESOURCE == /subscriptions/* ]]; then
            deploy_code_to_subscription $TARGET_ID
        else
            if [[ $TARGET_RESOURCE == '/' ]]; then
                TARGET_ID="/"
            fi
            subscriptions_json=$(az account management-group subscription show-sub-under-mg --name $TARGET_ID)
            for subscription in $(echo "${subscriptions_json}" | jq -r '.[].name'); do
                deploy_code_to_subscription $subscription
            done
        fi

        cd ..
        rm -rf prevasio-onboarding

        #----------------------------------------------------

        response=$(curl -X POST "$ALGOSEC_CLOUD_ONBOARDING_URL" \
                      -H "Content-Type: application/json" \
                      -H "Accept: application/json" \
                      -H "Authorization: $TOKEN" \
                      --silent \
                      -d '{ "azure_tenant":"'"$az_tenant"'", "supportChanges": "<SUPPORT_CHANGES>", "event": { "RequestType": "Create" } }')
         
        status=$(echo $response | jq -r '.initialOnboardResult' | jq -r '.status')
        message=$(echo $response | jq -r '.initialOnboardResult' | jq -r '.message')
        if [ "$status" == 200 ]; then
            echo "The onboarding process is finished: $message"
            echo "Press CTRL+D to close the terminal session"
        else
            echo "ERROR: The onboarding process has failed: $message"
        fi

      2. Paste and run the script in your alternative shell to complete onboarding the subscription(s).

  4. In ACE, click Close to close the onboarding wizard.

Note: It may take up to an hour for Azure to sync with ACE.

You can onboard Azure subscriptions, managed groups, or tenant root groups without using a script if your system does not support using scripts.

Do the following:

  1. Make sure you can access the Azure console as a user with Application Administrator OR Application Developer role.

  2. From the Azure CLI, create an Azure service principal based on the ACE Azure multi-tenant application. You can do this with the following command:

    az ad sp create --id 'f1764d38-8bca-497f-94ae-2ccec598107d'

    The Azure service principal is created.

    The next steps explain how to grant access permission to the service principal to a subscription or management group.

  3. Navigate to the Azure console and select either the subscription or management group you want to assign role permissions.

  4. Click Access control (IAM) from the left menu, and then click +Add.

  5. From the dropdown, select Add role assignment.

    The Add role assignment page appears.

  6. Add the role (permission) you want to assign to the service principal for working with the subscription:

    1. For Cloud Network Security, choose either:

      • Reader: Enable read access only

      • Contributor: Enable read/write access

      • Custom Role – Create a custom role if needed.

        1. In the Azure Console, go to Access Control (IAM).

        2. Click + Add and select Add Custom Role.

        3. On the Create Custom Role screen, open the JSON tab.

        4. Click Edit and add with the following JSON:

          Replace <ASSIGNABLE SCOPE> using the following formats:

          • Management group scope has the format /providers/Microsoft.Management/managementGroups/{managementGroupName}.

          • Subscription scope has the format /subscriptions/{subscriptionId}.

          Copy 
          {
              "properties": {
                  "roleName": "AceCustomRole",
                  "description": "Custom role for Algosec Cloud",
                  "assignableScopes": [
                      "<ASSIGNABLE_SCOPE>"
                  ],
                  "permissions": [
                      {
                          "actions": [
                              "Microsoft.Compute/virtualMachines/read",
                              "Microsoft.Compute/virtualMachineScaleSets/read",
                              "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
                              "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read",
                              "Microsoft.Insights/diagnosticSettings/read",
                              "Microsoft.Network/applicationSecurityGroups/read",
                              "Microsoft.Network/azurefirewalls/read",
                              "Microsoft.Network/connections/read",
                              "Microsoft.Network/expressRouteCircuits/read",
                              "Microsoft.Network/expressRouteCircuits/peerings/read",
                              "Microsoft.Network/firewallPolicies/read",
                              "Microsoft.Network/firewallPolicies/ruleCollectionGroups/read",
                              "Microsoft.Network/ipGroups/read",
                              "Microsoft.Network/loadBalancers/read",
                              "Microsoft.Network/localnetworkgateways/read",
                              "Microsoft.Network/locations/serviceTags/read",
                              "Microsoft.Network/networkInterfaces/read",
                              "Microsoft.Network/networkSecurityGroups/read",
                              "Microsoft.Network/networkWatchers/flowLogs/read",
                              "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
                              "Microsoft.Network/networkWatchers/read",
                              "Microsoft.Network/publicIPAddresses/read",
                              "Microsoft.Network/routeTables/read",
                              "Microsoft.Network/virtualHubs/effectiveRoutes/action",
                              "Microsoft.Network/virtualHubs/hubRouteTables/read",
                              "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/read",
                              "Microsoft.Network/virtualHubs/read",
                              "Microsoft.Network/virtualNetworkGateways/read",
                              "Microsoft.Network/virtualNetworks/read",
                              "Microsoft.Network/virtualWans/read",
                              "Microsoft.Network/vpnGateways/read",
                              "Microsoft.Network/vpnsites/read",
                              "Microsoft.Resources/subscriptions/read",
                              "Microsoft.Storage/storageAccounts/read",
                              "Microsoft.Storage/storageAccounts/listkeys/action",
                              "Microsoft.Web/hostingEnvironments/read"
                          ],
                          "notActions": [],
                          "dataActions": [],
                          "notDataActions": []
                      }
                  ]
              }
          }

        5. Click Save.

        6. Click Review + Create.

        7. Click Create.

    2. For Cloud App Analyzer, add:

      • Log Analytics Reader

      • AcrPull

      • Key Vault Reader

    For details, see Permissions Required for Azure Subscriptions.

  7. For additional optional features:

    1. For Cloud Network Security, to allow ACE to collect NSG resource logs, grant the service principal the additional roles:

      • Network Contributor

      • Storage Account Contributor

    2. For Cloud App Analyzer:

      • Azure Kubernetes Service Cluster User Role

      • AcrPush

    For details, see Permissions Required for Azure Subscriptions.

  8. Click Next.

    The Member tab appears.

  9. Click Select members. From the Select members popup search for and select AlgoSec Cloud Enterprise.

    AlgoSec Cloud Enterprise will move to the Selected members section of the popup.

  10. Click Select.

    The Service Principal is assigned to the specific subscription and role.

  11. Click Review + assign once more to finalize the assignment and allow ACE to access the Azure subscription.

  12. Use this method to manually onboard a CD mitigation deployment using Azure resources and the unified onboarding bundle.

    Do the following:

    1. Download the Azure resources from the URL corresponding to your region.:

    2. Create a resource group with the name: prevasio-${ALGOSEC_TENANT_ID:0:4}${subscription_id:0:4}-resource-group

    3. Prepare the following parameters:

      Copy 
      {
          "parameters": {
              "subscription-id": {
                  "value": "$subscription_id"
              },
              "tenant-id": {
                  "value": "$azure_tenant_id"
              },
              "prevasio-hash": {
                  "value": "${ALGOSEC_TENANT_ID:0:4}${subscription_id:0:4}"
              },
              "prevasio-host": {
                  "value": "<*see values below>"
              },
              "prevasio-additionals": {
                  "value": See instructions below
              },
              "algosec-cloud-host": {
                  "value": "'$ALGOSEC_CLOUD_HOST'"
              }
      }

      * For the value of the prevasio-host, choose your region from the following:

    4. To generate prevasio-additionals:

      1. Create this JSON: {"tenantId":"ALGOSEC_TENANT_ID","clientId":"ALGOSEC_CLIENT_ID","clientSecret":"ALGOSEC_CLIENT_SECRET"}
      2. Convert it to a string
      3. Convert the string to UTF-8 bytes
      4. Base64-encode it using your preferred method
      5. Example (bash):
      Copy 
      tenantId="your-tenant-id"
      clientId="your-client-id"
      clientSecret="your-client-secret"
       
      json=$(printf '{"tenantId":"%s","clientId":"%s","clientSecret":"%s"}' "$tenantId" "$clientId" "$clientSecret")
      encoded=$(echo -n "$json" | base64)
       
      echo "$encoded"

    5. In the Azure Portal, go to "Deploy a custom template" in the search bar

    6. Choose "Build your own template in the editor"

    7. Use the template.json from the downloaded zip

    8. Add the parameters from step c and create the deployment

    9. Assign a custom role with the following permissions:

      Copy 
      {
        "properties": {
          "roleName": "Prevasio Application Role ('${ALGOSEC_TENANT_ID:0:4}${subscription_id:0:4}')",
          "description": "Allows to create EventGrid subscriptions for ACR registries events.",
          "type": "CustomRole",
          "permissions": [
            {
              "actions": [
                "Microsoft.EventGrid/eventSubscriptions/read",
                "Microsoft.ContainerRegistry/registries/read",
                "Microsoft.EventGrid/eventSubscriptions/write",
                "Microsoft.Web/sites/functions/write"
              ],
              "notActions": [],
              "dataActions": [],
              "notDataActions": []
            }
          ],
          "assignableScopes": [
            "/subscriptions/'$subscription_id'"
          ]
        }
      }

      Note: You can also add a custom role via the Azure Console. For example

    10. Assign the role to: prevasio-$ALGOSEC_TENANT_ID[:5]-application.

      You can use the following commands:

      Copy 
      # Get the app display name
      DISPLAY_NAME=$(az ad sp list --display-name prevasio-$ALGOSEC_TENANT_ID[:5]-application --query [].id --output tsv)

      # Assign the role
      az role assignment create --assignee $DISPLAY_NAME --role "$generated_role_name" --scope /subscriptions/$subscription_id

    11. Deploy the app resources using the function.zip from the sources.zip:

      The easiest way is to run the command:

      Copy 
      az functionapp deployment source config-zip -g prevasio-$ALGOSEC_TENANT_ID[:5]-resource-group -n prevasio-$PREVASIO_HASH-application --src function.zip --build-remote true

      Or manually configure WEBSITE_RUN_FROM_PACKAGE pointing to a function.zip with a Blob Storage SAS URL

      Results should look like this, for example:

    12. Before running Azure CLI commands, set the subscription:

      Copy 
      az account set --subscription "$subscription_id"

    13. If running locally, log in first:

      Copy 
      az login

  13. Navigate to Azure Active Directory > Properties > Tenant ID

  14. Click on the copy icon to copy the Tenant ID associated with the subscription or management group.

  1. Open the Onboard Azure Resources API page.

  2. Configure the request:

    • Set the azure_tenant parameter to your Azure Tenant ID.

    • Set the supportChanges parameter to define the permission level:

      • true: Read/Write permissions

      • false: Read-only permissions (default)

    For more information see Optional Feature Permissions for Cloud Network Security.

  3. Run the API call to complete the onboarding process.

You can use API calls to add a single Azure subscription to ACE.

Note: Any changes to a subscription after onboarding are not synced with ACE. To delete one or more subscriptions, see Offboard Azure subscriptions from ACE.

Do the following:

  1. Make sure you can access the Azure console as a user with Application Administrator OR Application Developer role.

  2. From the Azure CLI, create an Azure service principal based on the ACE Azure multi-tenant application. You can do this with the following command:

    az ad sp create --id 'f1764d38-8bca-497f-94ae-2ccec598107d'

    The Azure service principal is created.

    Note: Create your own application + application secret. If you create your own app, auto-discovery won't work.

    The next steps explain how to grant access permission to the service principal to a subscription or management group.

  3. Navigate to the Azure console and select either the subscription or management group you want to assign role permissions.

  4. Click Access control (IAM) from the left menu, and then click +Add.

  5. From the dropdown, select Add role assignment.

    The Add role assignment page appears.

  6. Add the role (permission) you want to assign to the service principal for working with the subscription:

    1. For Cloud Network Security, choose either:

      • Reader: Enable read access only

      • Contributor: Enable read/write access

      • Custom Role – Create a custom role if needed.

        1. In the Azure Console, go to Access Control (IAM).

        2. Click + Add and select Add Custom Role.

        3. On the Create Custom Role screen, open the JSON tab.

        4. Click Edit and add with the following JSON:

          Replace <ASSIGNABLE SCOPE> using the following formats:

          • Management group scope has the format /providers/Microsoft.Management/managementGroups/{managementGroupName}.

          • Subscription scope has the format /subscriptions/{subscriptionId}.

          Copy 
          {
              "properties": {
                  "roleName": "AceCustomRole",
                  "description": "Custom role for Algosec Cloud",
                  "assignableScopes": [
                      "<ASSIGNABLE_SCOPE>"
                  ],
                  "permissions": [
                      {
                          "actions": [
                              "Microsoft.Compute/virtualMachines/read",
                              "Microsoft.Compute/virtualMachineScaleSets/read",
                              "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
                              "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read",
                              "Microsoft.Insights/diagnosticSettings/read",
                              "Microsoft.Network/applicationSecurityGroups/read",
                              "Microsoft.Network/azurefirewalls/read",
                              "Microsoft.Network/connections/read",
                              "Microsoft.Network/expressRouteCircuits/read",
                              "Microsoft.Network/expressRouteCircuits/peerings/read",
                              "Microsoft.Network/firewallPolicies/read",
                              "Microsoft.Network/firewallPolicies/ruleCollectionGroups/read",
                              "Microsoft.Network/ipGroups/read",
                              "Microsoft.Network/loadBalancers/read",
                              "Microsoft.Network/localnetworkgateways/read",
                              "Microsoft.Network/locations/serviceTags/read",
                              "Microsoft.Network/networkInterfaces/read",
                              "Microsoft.Network/networkSecurityGroups/read",
                              "Microsoft.Network/networkWatchers/flowLogs/read",
                              "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
                              "Microsoft.Network/networkWatchers/read",
                              "Microsoft.Network/publicIPAddresses/read",
                              "Microsoft.Network/routeTables/read",
                              "Microsoft.Network/virtualHubs/effectiveRoutes/action",
                              "Microsoft.Network/virtualHubs/hubRouteTables/read",
                              "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/read",
                              "Microsoft.Network/virtualHubs/read",
                              "Microsoft.Network/virtualNetworkGateways/read",
                              "Microsoft.Network/virtualNetworks/read",
                              "Microsoft.Network/virtualWans/read",
                              "Microsoft.Network/vpnGateways/read",
                              "Microsoft.Network/vpnsites/read",
                              "Microsoft.Resources/subscriptions/read",
                              "Microsoft.Storage/storageAccounts/read",
                              "Microsoft.Storage/storageAccounts/listkeys/action",
                              "Microsoft.Web/hostingEnvironments/read"
                          ],
                          "notActions": [],
                          "dataActions": [],
                          "notDataActions": []
                      }
                  ]
              }
          }

        5. Click Save.

        6. Click Review + Create.

        7. Click Create.

    2. For Cloud App Analyzer, add:

      • Log Analytics Reader

      • AcrPull

      • Key Vault Reader

    For details, see Permissions Required for Azure Subscriptions.

  7. For additional optional features:

    1. For Cloud Network Security, to allow ACE to collect NSG resource logs, grant the service principal the additional roles:

      • Network Contributor

      • Storage Account Contributor

    2. For Cloud App Analyzer:

      • Azure Kubernetes Service Cluster User Role

      • AcrPush

    For details, see Permissions Required for Azure Subscriptions.

  8. Click Next.

    The Member tab appears.

  9. Click Select members. From the Select members popup search for and select AlgoSec Cloud Enterprise.

    AlgoSec Cloud Enterprise will move to the Selected members section of the popup.

  10. Click Select.

    The Service Principal is assigned to the specific subscription and role.

  11. Click Review + assign once more to finalize the assignment and allow ACE to access the Azure subscription.

  12. Use this method to manually onboard a CD mitigation deployment using Azure resources and the unified onboarding bundle.

    Do the following:

    1. Download the Azure resources from the URL corresponding to your region.:

    2. Create a resource group with the name: prevasio-${ALGOSEC_TENANT_ID:0:4}${subscription_id:0:4}-resource-group

    3. Prepare the following parameters:

      Copy 
      {
          "parameters": {
              "subscription-id": {
                  "value": "$subscription_id"
              },
              "tenant-id": {
                  "value": "$azure_tenant_id"
              },
              "prevasio-hash": {
                  "value": "${ALGOSEC_TENANT_ID:0:4}${subscription_id:0:4}"
              },
              "prevasio-host": {
                  "value": "<*see values below>"
              },
              "prevasio-additionals": {
                  "value": See instructions below
              },
              "algosec-cloud-host": {
                  "value": "'$ALGOSEC_CLOUD_HOST'"
              }
      }

      * For the value of the prevasio-host, choose your region from the following:

    4. To generate prevasio-additionals:

      1. Create this JSON: {"tenantId":"ALGOSEC_TENANT_ID","clientId":"ALGOSEC_CLIENT_ID","clientSecret":"ALGOSEC_CLIENT_SECRET"}
      2. Convert it to a string
      3. Convert the string to UTF-8 bytes
      4. Base64-encode it using your preferred method
      5. Example (bash):
      Copy 
      tenantId="your-tenant-id"
      clientId="your-client-id"
      clientSecret="your-client-secret"
       
      json=$(printf '{"tenantId":"%s","clientId":"%s","clientSecret":"%s"}' "$tenantId" "$clientId" "$clientSecret")
      encoded=$(echo -n "$json" | base64)
       
      echo "$encoded"

    5. In the Azure Portal, go to "Deploy a custom template" in the search bar

    6. Choose "Build your own template in the editor"

    7. Use the template.json from the downloaded zip

    8. Add the parameters from step c and create the deployment

    9. Assign a custom role with the following permissions:

      Copy 
      {
        "properties": {
          "roleName": "Prevasio Application Role ('${ALGOSEC_TENANT_ID:0:4}${subscription_id:0:4}')",
          "description": "Allows to create EventGrid subscriptions for ACR registries events.",
          "type": "CustomRole",
          "permissions": [
            {
              "actions": [
                "Microsoft.EventGrid/eventSubscriptions/read",
                "Microsoft.ContainerRegistry/registries/read",
                "Microsoft.EventGrid/eventSubscriptions/write",
                "Microsoft.Web/sites/functions/write"
              ],
              "notActions": [],
              "dataActions": [],
              "notDataActions": []
            }
          ],
          "assignableScopes": [
            "/subscriptions/'$subscription_id'"
          ]
        }
      }

      Note: You can also add a custom role via the Azure Console. For example

    10. Assign the role to: prevasio-$ALGOSEC_TENANT_ID[:5]-application.

      You can use the following commands:

      Copy 
      # Get the app display name
      DISPLAY_NAME=$(az ad sp list --display-name prevasio-$ALGOSEC_TENANT_ID[:5]-application --query [].id --output tsv)

      # Assign the role
      az role assignment create --assignee $DISPLAY_NAME --role "$generated_role_name" --scope /subscriptions/$subscription_id

    11. Deploy the app resources using the function.zip from the sources.zip:

      The easiest way is to run the command:

      Copy 
      az functionapp deployment source config-zip -g prevasio-$ALGOSEC_TENANT_ID[:5]-resource-group -n prevasio-$PREVASIO_HASH-application --src function.zip --build-remote true

      Or manually configure WEBSITE_RUN_FROM_PACKAGE pointing to a function.zip with a Blob Storage SAS URL

      Results should look like this, for example:

    12. Before running Azure CLI commands, set the subscription:

      Copy 
      az account set --subscription "$subscription_id"

    13. If running locally, log in first:

      Copy 
      az login

  13. Navigate to Azure Active Directory > Properties > Tenant ID

  14. Click on the copy icon to copy the Tenant ID associated with the subscription or management group.

  15. Go to the ACE API documentation and follow the instructions to onboard a new subscription.

    See Onboard a single Azure subscription API.

    If using your own app, provide the applicationId and applicationSecret parameters.

You can leverage Terraform, the infrastructure-as-code solution, as another option for onboarding your Azure subscriptions into ACE.

Do the following:

  1. Make sure you can access the Azure console as a user with Application Administrator OR Application Developer role.

  2. From the Azure CLI, create an Azure service principal based on the ACE Azure multi-tenant application. You can do this with the following command:

    az ad sp create --id 'f1764d38-8bca-497f-94ae-2ccec598107d'

    The Azure service principal is created.

    The next steps explain how to grant access permission to the service principal to a subscription or management group.

  3. Navigate to the Azure console and select either the subscription or management group you want to assign role permissions.

  4. Click Access control (IAM) from the left menu, and then click +Add.

  5. From the dropdown, select Add role assignment.

    The Add role assignment page appears.

  6. Add the role (permission) you want to assign to the service principal for working with the subscription:

    1. For Cloud Network Security, choose either:

      • Reader: Enable read access only

      • Contributor: Enable read/write access

      • Custom Role – Create a custom role if needed.

        1. In the Azure Console, go to Access Control (IAM).

        2. Click + Add and select Add Custom Role.

        3. On the Create Custom Role screen, open the JSON tab.

        4. Click Edit and add with the following JSON:

          Replace <ASSIGNABLE SCOPE> using the following formats:

          • Management group scope has the format /providers/Microsoft.Management/managementGroups/{managementGroupName}.

          • Subscription scope has the format /subscriptions/{subscriptionId}.

          Copy 
          {
              "properties": {
                  "roleName": "AceCustomRole",
                  "description": "Custom role for Algosec Cloud",
                  "assignableScopes": [
                      "<ASSIGNABLE_SCOPE>"
                  ],
                  "permissions": [
                      {
                          "actions": [
                              "Microsoft.Compute/virtualMachines/read",
                              "Microsoft.Compute/virtualMachineScaleSets/read",
                              "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
                              "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read",
                              "Microsoft.Insights/diagnosticSettings/read",
                              "Microsoft.Network/applicationSecurityGroups/read",
                              "Microsoft.Network/azurefirewalls/read",
                              "Microsoft.Network/connections/read",
                              "Microsoft.Network/expressRouteCircuits/read",
                              "Microsoft.Network/expressRouteCircuits/peerings/read",
                              "Microsoft.Network/firewallPolicies/read",
                              "Microsoft.Network/firewallPolicies/ruleCollectionGroups/read",
                              "Microsoft.Network/ipGroups/read",
                              "Microsoft.Network/loadBalancers/read",
                              "Microsoft.Network/localnetworkgateways/read",
                              "Microsoft.Network/locations/serviceTags/read",
                              "Microsoft.Network/networkInterfaces/read",
                              "Microsoft.Network/networkSecurityGroups/read",
                              "Microsoft.Network/networkWatchers/flowLogs/read",
                              "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
                              "Microsoft.Network/networkWatchers/read",
                              "Microsoft.Network/publicIPAddresses/read",
                              "Microsoft.Network/routeTables/read",
                              "Microsoft.Network/virtualHubs/effectiveRoutes/action",
                              "Microsoft.Network/virtualHubs/hubRouteTables/read",
                              "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/read",
                              "Microsoft.Network/virtualHubs/read",
                              "Microsoft.Network/virtualNetworkGateways/read",
                              "Microsoft.Network/virtualNetworks/read",
                              "Microsoft.Network/virtualWans/read",
                              "Microsoft.Network/vpnGateways/read",
                              "Microsoft.Network/vpnsites/read",
                              "Microsoft.Resources/subscriptions/read",
                              "Microsoft.Storage/storageAccounts/read",
                              "Microsoft.Storage/storageAccounts/listkeys/action",
                              "Microsoft.Web/hostingEnvironments/read"
                          ],
                          "notActions": [],
                          "dataActions": [],
                          "notDataActions": []
                      }
                  ]
              }
          }

        5. Click Save.

        6. Click Review + Create.

        7. Click Create.

    2. For Cloud App Analyzer, add:

      • Log Analytics Reader

      • AcrPull

      • Key Vault Reader

    For details, see Permissions Required for Azure Subscriptions.

  7. For additional optional features:

    1. For Cloud Network Security, to allow ACE to collect NSG resource logs, grant the service principal the additional roles:

      • Network Contributor

      • Storage Account Contributor

    2. For Cloud App Analyzer:

      • Azure Kubernetes Service Cluster User Role

      • AcrPush

    For details, see Permissions Required for Azure Subscriptions.

  8. Click Next.

    The Member tab appears.

  9. Click Select members. From the Select members popup search for and select AlgoSec Cloud Enterprise.

    AlgoSec Cloud Enterprise will move to the Selected members section of the popup.

  10. Click Select.

    The Service Principal is assigned to the specific subscription and role.

  11. Click Review + assign once more to finalize the assignment and allow ACE to access the Azure subscription.

  12. Use this method to manually onboard a CD mitigation deployment using Azure resources and the unified onboarding bundle.

    Do the following:

    1. Download the Azure resources from the URL corresponding to your region.:

    2. Create a resource group with the name: prevasio-${ALGOSEC_TENANT_ID:0:4}${subscription_id:0:4}-resource-group

    3. Prepare the following parameters:

      Copy 
      {
          "parameters": {
              "subscription-id": {
                  "value": "$subscription_id"
              },
              "tenant-id": {
                  "value": "$azure_tenant_id"
              },
              "prevasio-hash": {
                  "value": "${ALGOSEC_TENANT_ID:0:4}${subscription_id:0:4}"
              },
              "prevasio-host": {
                  "value": "<*see values below>"
              },
              "prevasio-additionals": {
                  "value": See instructions below
              },
              "algosec-cloud-host": {
                  "value": "'$ALGOSEC_CLOUD_HOST'"
              }
      }

      * For the value of the prevasio-host, choose your region from the following:

    4. To generate prevasio-additionals:

      1. Create this JSON: {"tenantId":"ALGOSEC_TENANT_ID","clientId":"ALGOSEC_CLIENT_ID","clientSecret":"ALGOSEC_CLIENT_SECRET"}
      2. Convert it to a string
      3. Convert the string to UTF-8 bytes
      4. Base64-encode it using your preferred method
      5. Example (bash):
      Copy 
      tenantId="your-tenant-id"
      clientId="your-client-id"
      clientSecret="your-client-secret"
       
      json=$(printf '{"tenantId":"%s","clientId":"%s","clientSecret":"%s"}' "$tenantId" "$clientId" "$clientSecret")
      encoded=$(echo -n "$json" | base64)
       
      echo "$encoded"

    5. In the Azure Portal, go to "Deploy a custom template" in the search bar

    6. Choose "Build your own template in the editor"

    7. Use the template.json from the downloaded zip

    8. Add the parameters from step c and create the deployment

    9. Assign a custom role with the following permissions:

      Copy 
      {
        "properties": {
          "roleName": "Prevasio Application Role ('${ALGOSEC_TENANT_ID:0:4}${subscription_id:0:4}')",
          "description": "Allows to create EventGrid subscriptions for ACR registries events.",
          "type": "CustomRole",
          "permissions": [
            {
              "actions": [
                "Microsoft.EventGrid/eventSubscriptions/read",
                "Microsoft.ContainerRegistry/registries/read",
                "Microsoft.EventGrid/eventSubscriptions/write",
                "Microsoft.Web/sites/functions/write"
              ],
              "notActions": [],
              "dataActions": [],
              "notDataActions": []
            }
          ],
          "assignableScopes": [
            "/subscriptions/'$subscription_id'"
          ]
        }
      }

      Note: You can also add a custom role via the Azure Console. For example

    10. Assign the role to: prevasio-$ALGOSEC_TENANT_ID[:5]-application.

      You can use the following commands:

      Copy 
      # Get the app display name
      DISPLAY_NAME=$(az ad sp list --display-name prevasio-$ALGOSEC_TENANT_ID[:5]-application --query [].id --output tsv)

      # Assign the role
      az role assignment create --assignee $DISPLAY_NAME --role "$generated_role_name" --scope /subscriptions/$subscription_id

    11. Deploy the app resources using the function.zip from the sources.zip:

      The easiest way is to run the command:

      Copy 
      az functionapp deployment source config-zip -g prevasio-$ALGOSEC_TENANT_ID[:5]-resource-group -n prevasio-$PREVASIO_HASH-application --src function.zip --build-remote true

      Or manually configure WEBSITE_RUN_FROM_PACKAGE pointing to a function.zip with a Blob Storage SAS URL

      Results should look like this, for example:

    12. Before running Azure CLI commands, set the subscription:

      Copy 
      az account set --subscription "$subscription_id"

    13. If running locally, log in first:

      Copy 
      az login

  13. Navigate to Azure Active Directory > Properties > Tenant ID

  14. Click on the copy icon to copy the Tenant ID associated with the subscription or management group.

  1. Integrate the code below into your Terraform toolkit. Make the following parameter value replacements in the Locals section:

Parameter Description Notes 
auth_url

URL to authorize ACE

  • For US use: 

    https://us.app.algosec.com/api/algosaas/auth/v1/access-keys/login

  • For EMEA use: 

    https://eu.app.algosec.com/api/algosaas/auth/v1/access-keys/login

  • For ANZ use: 

    https://anz.app.algosec.com/api/algosaas/auth/v1/access-keys/login

  • For ME use: 

    https://me.app.algosec.com/api/algosaas/auth/v1/access-keys/login

  • For UAE use: 

    https://uae.app.algosec.com/api/algosaas/auth/v1/access-keys/login

  • For IND use: 

    https://ind.app.algosec.com/api/algosaas/auth/v1/access-keys/login

  • For SGP use: 

  • https://sgp.app.algosec.com/api/algosaas/auth/v1/access-keys/login
 
url

URL to onboard Azure
  • For US use: 
    https://us.app.algosec.com/api/algosaas/onboarding/v1/azure

  • For EMEA use: 

    https://eu.app.algosec.com/api/algosaas/onboarding/v1/azure

  • For ANZ use: 

    https://anz.app.algosec.com/api/algosaas/onboarding/v1/azure

  • For ME use: 

    https://me.app.algosec.com/api/algosaas/onboarding/v1/azure

  • For UAE use: 

    https://uae.app.algosec.com/api/algosaas/onboarding/v1/azure

  • For IND use: 

    https://ind.app.algosec.com/api/algosaas/onboarding/v1/azure

  • For SGP use: 

  • https://sgp.app.algosec.com/api/algosaas/onboarding/v1/azure
 
tenantId

Your ACE Tenant ID

   
clientId

Client ID

 This is part of Access Key details. In ACE, go to Access Management > API ACCESS tab. Create a new API Access Key or use an existing one. See here. 
clientSecret

Client Secret of the API Access Key

 This is part of Access Key details. In ACE, go to Access Management > API ACCESS tab. Create a new API Access Key or use an existing one. See here.
subscriptionId Azure subscription to be onboarded  
supportChanges Defines the permission level granted to the subscription(s).

  • true: Read/Write permissions

  • false: Read-only permissions (default)
Copy 
locals {
  AuthUrl = "xxxxxxxxxxxxxxxxx"
  Url      = "xxxxxxxxxxxxxxxxx"
  tenantId        = "xxxxxxxxxxxxxxxxxxxxxxxxx"
  clientId          = "xxxxxxxxxxxxxxxxxxxxxxxxx"
  clientSecret    = "xxxxxxxxxxxxxxxxxxxxxxxxx"
  subscriptionId = "xxxxxxxxxxxxxxxxxxxxxxxxx"
  supportChanges = "xxxxxxxxxxxxxxxxxxxxxxxxx"
}

provider "azurerm" {
  subscription_id = local.subscriptionId
  features {}
}


data "azurerm_client_config" "current" {
}

resource "azuread_service_principal" "ace" {
  app_role_assignment_required = false
  client_id                    = "f1764d38-8bca-497f-94ae-2ccec598107d"
  owners                       = [data.azurerm_client_config.current.object_id]
}

resource "azuread_application" "ace" {  
  display_name= "AlgoSec Cloud Enterprise"
}

data "http" "auth" {
  url    = local.AuthUrl
  method = "POST"
  # Optional request headers
  request_headers = {
    Accept = "application/json"
  }
  request_body = jsonencode({ tenantId : local.tenantId, clientId : local.clientId, clientSecret : local.clientSecret })
  lifecycle {
    postcondition {
      condition     = contains([200, 201, 204], self.status_code)
      error_message = "Authorization failed"

    }
  }
}

locals {
  auth_response = jsondecode(data.http.auth.response_body)
  auth_token    = local.auth_response.access_token
}

data "http" "onboard_account" {
  url    = local.Url
  method = "POST"
  # Optional request headers
  request_headers = {
    Accept        = "application/json"
    Authorization = "Bearer ${local.auth_token}"
  }
  request_body = jsonencode({
    azure_tenant : data.azurerm_client_config.current.tenant_id,
    supportChanges: local.supportChanges
  })
  lifecycle {
    postcondition {
      condition     = contains([200, 201, 204], self.status_code)
      error_message = "Authorization failed"
    }
  }
}

######################################################################
# Print the created data to console

output "onboard_status" {
  value = data.http.onboard_account.status_code
}

Enable Azure resource logs for traffic analysis

For each Azure device where resource logs are enabled in your connected subscription, ACE automatically collects resource logs.

The resource logs provide all the details needed to display rule usage data on the risk trigger and network policy pages. On the Network policy pages, ACE users can clean up old or unused NSG / Azure Native Firewall policy rules, supported by the display of this data. For more details, see Last used and Clean Up Policies.

To enable Azure Native Firewall flow logging, do the following:

  1. In the Microsoft Azure portal, select Azure Firewalls.

    The Azure Firewall page appears with a list of Azure Native Firewall instances that span different Azure regions and subscriptions.

  2. From the list, click on the firewall that you want to enable flow logging and select Diagnostic Settings.

    The list of configured diagnostic settings appears.

  3. Click + Add diagnostic setting.

    The page to add diagnostic settings appears.

    1. Enter a Diagnostic setting name.

    2. Under Categories, check the following rules to collect log data:

      1. Azure Firewall Network Rule

      2. Azure Firewall Application Rule

      3. Azure Firewall NAT Rule

        Note: If any of these categories are not checked, ACE displays "Flow logs disabled" when showing details related to flow logs. For more details, see Last used and Clean Up Policies.

    3. Under Destination details, check Archive to a storage account and use the Storage Account dropdown to select the account where the traffic log data is saved.

      Note: We recommend using a storage account located in the same subscription as the Azure Native Firewall.

    4. Click Save.

      Azure Native Firewall flow logs will now be saved to the storage account and automatically appear in ACE after the next data collection cycle.

      Note: It may take up to one hour for log flow data to begin appearing in ACE.

  4. Repeat these steps for each firewall you want to enable flow logging.

Note: Azure has deprecated NSG flow log support. However, existing NSG flow logging configurations will continue to work.

AlgoSec Cloud Enterprise relies on resource log data to identify unused NSG rules. To maintain this functionality for newly onboarded NSGs, follow the steps below to enable resource logging for NSGs:

Do the following:

  1. Configure the required permissions on the ACE ActiveDirectory application using the PowerShell script.

  2. Configure NSG Diagnostic Settings to enable ACE to collect, retrieve and analyze resource logs.

    1. Enable resource logging by either:

      • Add Diagnostic Setting

        Every NSG must have the diagnostic setting NetworkSecurityGroupRuleCounter added for it.

        To add it:

        1. Browse to the subject NSG and click on the Add diagnostic settings in the left navigation.

        2. Click Add diagnostic setting in the main Diagnostic settings workspace that is displayed.

        3. Select the NetworkSecurityGroupRuleCounter option.

        4. In the Storage account dropdown, select the required storage account.

      • This procedure describes how to enable resource logging for multiple Azure NSGs using a PowerShell script provided by ACE.

        Note: Although the script is recommended for enabling resource logging for multiple NSGs, it can also be used to enable resource logging for a single NSG.

        Do the following:

        1. In your Azure subscription, register the microsoft.Insights resource provider. Do the following:

          1. In your Azure subscription, browse to the Resource providers section.

          2. Search for the microsoft.Insights provider and select the row in the grid.

          3. Click the Register button and wait for the registration to complete.

        2. Manually create a CSV file that lists the resource logging details, and save it to a local directory.
          The script that you will download in step 3 will ask for the path to the CSV file and will enable resource logging on all NSGs in each subscription you list in the CSV file.

          The CSV file must have the following headers (horizontally):

          Subscription The Azure subscription ID.
          Region The region for your Azure subscription.
          Storage The Azure storage blob where your resource logs are stored.

          The following table shows a sample CSV file to use when enabling resource logging on multiple NSGs. The ACE script will enable resource logging for all NSGs on each subscription listed.

          Subscription Region Storage
          1c2d1333-1234-4665-aaaa-bc22ccc42323 eastus /subscriptions/1c2d1333-1234-4665-aaaa-bc22ccc42323/resourceGroups/AutoDcExclusive_
          RgA_Base/providers/Microsoft.Storage/
          storageAccounts/EastUS_SA
          1c2d1333-1234-4665-aaaa-bc22ccc42323 centralus /subscriptions/1c2d1333-1234-4665-aaaa-bc22ccc42323/resourceGroups/AutoDcExclusive_
          RgA_Base/providers/Microsoft.Storage/
          storageAccounts/CentralUS_SA
          88855544-abab-4665-8fdf-bc22ccc42c06 eastus /subscriptions/88855544-abab-4665-8fdf-bc22ccc42c06/resourceGroups/2c06_RG1/providers/
          Microsoft.Storage/storageAccounts/EastUS_SA

        3. On the Azure portal Cloud Shell page

          1. Click the PowerShell script upload/download icon (bottom task bar)
          2. Select the upload option
          3. Browse to and select ACE's enableNsgFlowLogs.ps1 script.

          Note: For users logged into ACE, this script is available at https://cloudflow.algosec.com/cloudflow/assets/files/enableNsgFlowLogs.ps1.

        4. Run the enableNsgFlowLogs.ps1 script. When prompted, enter the path to the CSV file you created in step 2.

          As the script runs, it enables resource logging for all NSGs in each Azure subscription you listed in the CSV file, and provides the following feedback:

          • Details about the results for each subscription, as the script runs through them
          • Summary of all actions performed, once the script has run on all subscriptions listed

        5. If you want to manage the retention policy, follow Microsoft's Azure Storage lifecycle managementinstructions.

    2. It is essential to verify that the required diagnostic settings have been made.
      The status Enabled seen in the this image shows you that resource logs have been successfully configured for the NSG named in the same row.

      Check if the diagnostic setting has been configured by looking for indications such as those in the following image. If the diagnostic setting has not been configured, be sure to follow the procedure to enable resource logging for NSGs, above.

  3. ACE administrators can configure the frequency at which logs are collected, or entirely enable or disable the feature, via API.

    Modify the following parameters as needed:

    TRAFFIC_LOG_FREQUENCY_PERIOD_MINUTES

    Determines the frequency, in minutes, at which ACE collects resource logs from Azure NSGs.

    Value: Integer

    Default: 60
    ENABLE_TRAFFIC_LOGS

    Determines whether resource log collection is enabled for Azure NSGs.

    Disabling this parameter will cause ACE to display Flow logs disabled in the Last used column on the risk trigger details pages, even when resource logging is enabled in the Azure NSG itself.

    Value: Boolean

    Default: Enabled
    INACTIVE_RULE_PERIOD

    Determines the number of days for which ACE checks for resource logs.

    Default = 30

    NSG rules where resource logs are enabled but no hits are found during the period defined by this parameter are considered as unused.

    In the Last used column, these rules will be marked as No traffic logged.

    For details, see Last used.

    To modify any of these parameters, contact AlgoSec support.

  4. If the subscription being configured includes a storage account from which resource logs will be collected, network access may require configuration.

    Do the following:

    1. Determine if the storage account's firewall can be configured to allow:

      • Access from all networks, or

      • Access only from selected networks

    2. If you select allowing access from All networks, the default setting, no further configuration is required.

    3. If you select allowing access from Selected networks, to enable ACE to collect resource logs from the storage account:

      1. Copy the Current ACE service IPs for your region, listed below:

        US region

        18.209.205.33

        23.21.89.217

        52.21.25.44

        3.209.54.0

        54.227.108.96

        18.214.35.180

        35.173.194.159

        35.171.119.114

        100.27.77.227

        		 EU region

        3.124.48.17

        3.66.94.197

        52.29.166.50

        3.124.153.26

        18.184.87.109

        3.75.56.9

        52.59.98.60

        3.69.134.56

        52.29.118.194

        ANZ region

        13.237.219.32

        3.24.141.128

        52.62.160.212

        3.105.51.188

        13.211.181.98

        13.54.65.108

        13.238.234.53

        52.65.218.87

        54.153.142.211

        ME region

        157.241.75.15

        16.24.37.180

        16.24.41.212

        157.175.12.203

        157.175.16.203

        16.24.52.115

        16.24.42.118

        16.24.29.104

        15.185.85.1

        UAE region

        51.112.135.86

        51.112.113.39

        51.112.73.196

        40.172.22.39

        51.112.99.112

        51.112.87.113

        3.29.200.208

        51.112.98.9

        3.28.25.184

        IND region

        35.154.132.171

        15.206.226.212

        13.234.86.181

        13.235.251.214

        13.232.123.11

        13.202.116.204

        3.108.144.76

        13.234.15.109

        3.109.35.125

        Singapore region

        47.128.94.17

        13.215.67.101

        13.228.167.214

        18.138.210.100

        54.169.211.39

        18.139.78.46

        3.1.129.153

        13.229.0.222

        3.1.56.162

        		  

      2. Add these ACE service IPs to the Firewall-Address range configuration as shown at the bottom of the figure below.

The resource logs will be created when you run traffic through the subject NSG(s).

Offboard Azure subscriptions from ACE

You can offboard Azure subscriptions from ACE with the following methods:

Do the following:

From the Azure Cloudshell run the following command:

az ad sp delete --id 'f1764d38-8bca-497f-94ae-2ccec598107d'

Note: You need proper permissions to run "az ad sp delete".

For more details on using Azure Cloudshell to offboard a subscription, see az ad sp delete.

Note: Removed subscriptions will automatically sync with ACE once every hour.

Do the following:

  1. In ACE, hover over the SETTINGS icon at the bottom left of the screen. After the panel expands, click ONBOARDING. The ONBOARDING MANAGEMENT page is displayed, with a table showing details for each account defined in ACE.

  2. Select the checkbox to the left of the subscriptions(s) you want to delete. You can click on the checkbox in the column header to select all vendors.

  3. Click Delete.

    A confirmation window appears.

  4. Click Delete again to delete the selected subscription(s).

 

â See also: