Onboard Azure Subscriptions to Cloud Network Security

Before you start

• Make sure you are logged on to Microsoft Azure portal .

Required permissions

To onboard multiple subscriptions in your Azure account, make sure you have the following permissions:

• To onboard subscriptions under a management group:User Access Administrator or Owner permissions .

• To onboard subscriptions under Tenant Root Group, make sure you have access to manage all Azure subscriptions and management groups .

Access the Onboarding wizard

Do the following:

1. In the ACE Settings area, click ONBOARDING.

   On the Onboarding Managment page that opens, click +Onboard.

2. If you are onboarding your first account, click the New Cloud Account button on the welcome page.

3. Otherwise, click the Microsoft Azure button and click Next.

   The Azure Onboarding wizard appears.

   

4. Select your preferred method to onboard using the Select Onboarding Method dropdown.

   *Automatically syncs changes to subscriptions, management groups, and tenant root groups from Azure to ACE after onboarding.

   Onboarding Method	Description	Automatic sync*
   With script	Uses scripts to onboard Azure resources	Yes
   No script	Onboard Azure resources without using scripts	Yes
   API (single account)	Onboard a single subscription via API	No
   Terraform	Onboard Azure resources using Terraform	Yes

5. Onboard Azure resources using your preferred method:

   To onboard Azure resources | With script

   Do the following:

   1. Make sure you can access the Azure console as a user with Application Administrator OR Application Developer role.

   2. In the Onboarding wizard for Azure, from the Select Onboarding Method dropdown, select With script to select the onboarding method using scripts.

   3. Select which level of permissions are required for the role in Azure.

      Note: AlgoSec only needs   READ   permissions to provide support for your Azure security policy management. This requirement ensures you can still receive complete security analysis and recommendations while granting the minimal level of access.

      Write permissions can optionally be added for advanced policy change capabilities.

      Note about permissions: Read access to the account is the minimum permission required to manage Azure Network Security Groups (NSGs). This enables ACE visibility for Vnets, subnets, Azure VMs, network flow logs, tags, and routing tables.

      • Select Read to fully support your Azure security policy management, security analysis and recommendations. For more information, see Permissions Required for Azure Subscriptions.

      • (Optional) Select Read/Write for additional advanced policy change capabilities for Azure NSGs/Native Firewalls. This requires the following permissions:

        • Base Read permissions, as described in Onboard Azure Subscriptions to Cloud Network Security,

        • Additional Write permissions, outlined in Permissions for Changes to Azure Policies.

   4. Select the Azure resource type:

      Important: To run the script, the user must possess the necessary permissions for creating a service principal on the selected resource.

      

   5. Enter the Subscription ID or Management Group of the Azure resource to onboard.

      Note: When Tenant Root Group is the Azure resource type, no additional information is required.

      The Cloud Shell command field is automatically populated based on the resource type and ID / Name.

   6. Complete the onboarding using one of the following methods:

      1. To open a Cloud Shell session directly from the ACE interface, click .

         Note: The Cloud Shell link is copied automatically to you clipboard.

         The Azure editor opens in a new browser tab.

         1. From the dropdown menu select Bash.

            

         2. Paste the Cloud Shell script from your clipboard and then press Enter.

            The subscription(s) is onboarded into ACE.

      2. (Alternative method) If you don't want to open a Cloud Shell session directly from the ACE interface, you can run bash locally using a proxy:

         1. Click Copy to copy the Cloud Shell command.

            

            Note: The command generates an unreadable script. Expand the example below to see the readable version of the script:

            Example of CloudFlare script

            Copy

            #!/bin/bash
            
            #Algosec's multi-tenant application
            APP_ID='<ALGOSEC_ONBOARDING_APP_ID>'
            
            #Algosec's onboarding URL
            CF_ONBOARDING_URL='https://<HOST>/cloudflow/api/admin/v1/onboarding/azure'
            
            #Target resource
            TARGET_RESOURCE='<AZURE_TARGET_RESOURCE>'
            
            out=$(az account show)
            az_tenant=$(echo "$out" | jq -r '.tenantId')
            
            echo "Preparing to onboard the target resource [$TARGET_RESOURCE] of [$az_tenant] tenant"
            
            echo "Onboard Algosec AZ-AD Application"
            out=$(az ad sp create --id $APP_ID 2>/dev/null)
            
            #Roles
            roles=(<AZURE_ROLES>)
            
            for role in "${roles[@]}"; do
            echo "Assign a role to the [$TARGET_RESOURCE]: [$role]"
            out=$(az role assignment create --role "$role" --assignee $APP_ID --scope $TARGET_RESOURCE)
            if [ $? -ne 0 ]; then
            echo "ERROR: The target resource [$TARGET_RESOURCE] wasn't found or the user has no permission to work with it"
            echo "The onboarding process has failed — please ensure you have the required permissions"
            exit 1
            fi
            done
            
            response=$(curl -X POST "$CF_ONBOARDING_URL" \
            -H "Content-Type: application/json" \
            -H "Accept: application/json" \
            -H "Authorization: $TOKEN" \
            --silent \
            -d '{ "azure_tenant":"'$az_tenant'" }')
            
            status=$(echo $response | jq -r '.status')
            message=$(echo $response | jq -r '.message')
            if [ "$status" == 200 ]; then
            echo "The onboarding process is finished: $message"
            echo "Press CTRL+D to close the terminal session"
            else
            echo "ERROR: The onboarding process has failed: $message"
            fi
                                                                

         2. Paste and run the script in your alternative shell to complete onboarding the subscription(s).

   7. In ACE, click Close to close the onboarding wizard.

   Note: It may take up to an hour for Azure to sync with ACE.

   To onboard Azure resources | No script

   You can onboard Azure subscriptions, managed groups, or tenant root groups without using a script if your system does not support using scripts.

   Do the following:

   1. Make sure you can access the Azure console as a user with Application Administrator OR Application Developer role.

   2. From the Azure CLI, create an Azure service principal based on the ACE Azure multi-tenant application. You can do this with the following command:

      az ad sp create --id 'f1764d38-8bca-497f-94ae-2ccec598107d'

      The Azure service principal is created.

      The next steps explain how to grant access permission to the service principal to a subscription or management group.

   3. Navigate to the Azure console and select either the subscription or management group you want to assign role permissions.

      

   4. Click Access control (IAM) from the left menu, and then click +Add.

   5. From the dropdown, select Add role assignment.

      The Add role assignment page appears.

      

   6. Choose the role (permission) you want to grant to the service principal to work with the subscription:

      • Reader: Enable read access only

      • Contributor: Enable read/write access

   7. (Optional) To allow ACE to collect NSG resrouce logs, grant the service principal the additional roles:

      • Network Contributor

      • Storage Account Contributor

   8. Click Next.

      The Member tab appears.

      

   9. Click Select members. From the Select members popup search for and select CloudFlow Onboarding - prod.

      CloudFlow Onboarding - prod will move to the Selected members section of the popup.

      

   10. Click Select.

       The Service Principal is assigned to the specific subscription and role.

       

   11. Click Review + assign.

       The Review + assign screen appears where the user can review the assignment.

   12. Click Review + assign once more to finalize the assignment and allow ACE to access the Azure subscription.

   13. Navigate to Azure Active Directory > Properties > Tenant ID

       

   14. Click on the copy icon to copy Tenant ID associated with the subscription or management group.

   15. From the ACE Azure Onboarding wizard, from the Select Onboarding Method, select No script.

       

   16. Paste the ID into the Azure Tenant ID field.

   17. Click Onboard to complete the onboarding process.

   To onboard Azure resources | API (for single account)

   You can use API calls to add a single Azure subscription to ACE.

   Note: Any changes to a subscription after onboarding are not synced with ACE. To delete one or more subscriptions, see Offboard Azure subscriptions from ACE.

   Do the following:

   1. Go to the page Add a cloud account.

   2. Click on the tab For an Azure subscription.

      

      The instructions for onboarding an Azure subscription using API appears.

   3. Follow the instructions on the page.

   To onboard Azure resources | Terraform

   You can leverage Terraform, the infrastructure-as-code solution, as another option for onboarding your Azure subscriptions into ACE.

   Do the following:

   Integrate the code below into your Terraform toolkit. Make the following parameter value replacements in the Locals section:

   Parameter	Description	Notes
   cf_auth_url	URL to authorize ACE	For US use: https://us.app.algosec.com/api/algosaas/auth/v1/access-keys/login For EMEA use: https://eu.app.algosec.com/api/algosaas/auth/v1/access-keys/login For ANZ use: https://anz.app.algosec.com/api/algosaas/auth/v1/access-keys/login For ME use: https://me.app.algosec.com/api/algosaas/auth/v1/access-keys/login For UAE use: https://uae.app.algosec.com/api/algosaas/auth/v1/access-keys/login For IND use: https://ind.app.algosec.com/api/algosaas/auth/v1/access-keys/login For SGP use: https://sgp.app.algosec.com/api/algosaas/auth/v1/access-keys/login
   cf_url	URL to onboard Azure	For US use: https://api.cloudflow.us.app.algosec.com/cloudflow/api/admin/v1/onboarding/azure For EMEA use: https://api.cloudflow.eu.app.algosec.com/cloudflow/api/admin/v1/onboarding/azure For ANZ use: https://api.cloudflow.anz.app.algosec.com/cloudflow/api/admin/v1/onboarding/azure For ME use: https://api.cloudflow.me.app.algosec.com/cloudflow/api/admin/v1/onboarding/azure For UAE use: https://api.cloudflow.uae.app.algosec.com/cloudflow/api/admin/v1/onboarding/azure For IND use: https://api.cloudflow.ind.app.algosec.com/cloudflow/api/admin/v1/onboarding/azure For SGP use: https://api.cloudflow.sgp.app.algosec.com/cloudflow/api/admin/v1/onboarding/azure For SGP use: https://api.cloudflow.sgp.app.algosec.com/cloudflow/api/admin/v1/onboarding/aws/api
   tenantId	Your ACE Tenant ID
   clientId	Client ID	This is part of Access Key details. In ACE, go to Access Management > API ACCESS tab. Create a new API Access Key or use an existing one. See here.
   clientSecret	Client Secret of the API Access Key	This is part of Access Key details. In ACE, go to Access Management > API ACCESS tab. Create a new API Access Key or use an existing one. See here.
   subscriptionId	Azure subscription to be onboarded

   Copy

   locals {
     cfAuthUrl = "https://stage.app.algosec.com/api/algosaas/auth/v1/access-keys/login"
     cfUrl      = "https://api.cloudflow.stage.app.algosec.com/cloudflow/api/admin/v1/onboarding/azure"
     tenantId        = "xxxxxxxxxxxxxxxxxxxxxxxxx"
     clientId          = "xxxxxxxxxxxxxxxxxxxxxxxxx"
     clientSecret    = "xxxxxxxxxxxxxxxxxxxxxxxxx"
     subscriptionId = "xxxxxxxxxxxxxxxxxxxxxxxxx"
   }
   
   provider "azurerm" {
     subscription_id = local.subscriptionId
     features {}
   }
   
   
   data "azurerm_client_config" "current" {
   }
   
   resource "azuread_service_principal" "cloudflow" {
     app_role_assignment_required = false
     client_id                    = "f1764d38-8bca-497f-94ae-2ccec598107d"
     owners                       = [data.azurerm_client_config.current.object_id]
   }
   
   resource "azuread_application" "cloudflow" {  
     display_name= "Algosec CloudFLow Onboarding"
   }
   
   data "http" "cf_auth" {
     url    = local.cfAuthUrl
     method = "POST"
     # Optional request headers
     request_headers = {
       Accept = "application/json"
     }
     request_body = jsonencode({ tenantId : local.tenantId, clientId : local.clientId, clientSecret : local.clientSecret })
     lifecycle {
       postcondition {
         condition     = contains([200, 201, 204], self.status_code)
         error_message = "Authorization failed"
   
       }
     }
   }
   
   locals {
     auth_response = jsondecode(data.http.cf_auth.response_body)
     auth_token    = local.auth_response.access_token
   }
   
   data "http" "cf_onboard_account" {
     url    = local.cfUrl
     method = "POST"
     # Optional request headers
     request_headers = {
       Accept        = "application/json"
       Authorization = "Bearer ${local.auth_token}"
     }
     request_body = jsonencode({
       azure_tenant : data.azurerm_client_config.current.tenant_id,
       event: {
             RequestType: "Create"
           }
     })
     lifecycle {
       postcondition {
         condition     = contains([200, 201, 204], self.status_code)
         error_message = "Authorization failed"
       }
     }
   }
   
   ######################################################################
   # Print the created data to console
   
   output "onboard_status" {
     value = data.http.cf_onboard_account.status_code
   }
   

Enable Azure resource logs for traffic analysis

For each Azure device where resource logs are enabled in your connected subscription, ACE automatically collects resource logs.

The resource logs provide all the details needed to display rule usage data on the risk trigger and network policy pages. On the Network policy pages, ACE users can clean up old or unused NSG / Azure Native Firewall policy rules, supported by the display of this data. For more details, see Last used and Clean Up Policies.

For Azure Native Firewall

To enable Azure Native Firewall flow logging, do the following:

1. In the Microsoft Azure portal, select Azure Firewalls.

   The Azure Firewall page appears with a list of Azure Native Firewall instances that span different Azure regions and subscriptions.

   

2. From the list, click on the firewall that you want to enable flow logging and select Diagnostic Settings.

   The list of configured diagnostic settings appears.

   

3. Click + Add diagnostic setting.

   The page to add diagnostic settings appears.

   

   1. Enter a Diagnostic setting name.

   2. Under Categories, check the following rules to collect log data:

      1. Azure Firewall Network Rule

      2. Azure Firewall Application Rule

      3. Azure Firewall NAT Rule

         Note: If any of these categories are not checked, ACE displays "Flow logs disabled" when showing details related to flow logs. For more details, see Last used and Clean Up Policies.

   3. Under Destination details, check Archive to a storage account and use the Storage Account dropdown to select the account where the traffic log data is saved.

      Note: We recommend using a storage account located in the same subscription as the Azure Native Firewall.

   4. Click Save.

      Azure Native Firewall flow logs will now be saved to the storage account and automatically appear in ACE after the next data collection cycle.

      Note: It may take up to one hour for log flow data to begin appearing in ACE.

4. Repeat these steps for each firewall you want to enable flow logging.

For Azure NSG

Note: Azure has deprecated NSG flow log support. However, existing NSG flow logging configurations will continue to work.

AlgoSec Cloud Enterprise relies on resource log data to identify unused NSG rules. To maintain this functionality for newly onboarded NSGs, follow the steps below to enable resource logging for NSGs:

Do the following:

1. Configure the required permissions on the ACE ActiveDirectory application using the PowerShell script.

2. Configure NSG Diagnostic Settings to enable ACE to collect, retrieve and analyze resource logs.

   1. Enable resource logging by either:

      • Enable resource logging manually for one NSG

        Add Diagnostic Setting

        Every NSG must have the diagnostic setting NetworkSecurityGroupRuleCounter added for it.

        To add it:
        

        1. Browse to the subject NSG and click on the Add diagnostic settings in the left navigation.

           

        2. Click Add diagnostic setting in the main Diagnostic settings workspace that is displayed.

        3. Select the NetworkSecurityGroupRuleCounter option.
           

        4. In the Storage account dropdown, select the required storage account.
           

           

      • Enable resource logging for multiple NSGs using a PowerShell Script

        This procedure describes how to enable resource logging for multiple Azure NSGs using a PowerShell script provided by ACE.

        Note: Although the script is recommended for enabling resource logging for multiple NSGs, it can also be used to enable resource logging for a single NSG.

        Do the following:

        1. In your Azure subscription, register the microsoft.Insights resource provider. Do the following:

           1. In your Azure subscription, browse to the Resource providers section.

           2. Search for the microsoft.Insights provider and select the row in the grid.

              

           3. Click the Register button and wait for the registration to complete.

        2. Manually create a CSV file that lists the resource logging details, and save it to a local directory.
           The script that you will download in step 3 will ask for the path to the CSV file and will enable resource logging on all NSGs in each subscription you list in the CSV file.

           The CSV file must have the following headers (horizontally):

           Subscription	The Azure subscription ID.
           Region	The region for your Azure subscription.
           Storage	The Azure storage blob where your resource logs are stored.

           Example

           The following table shows a sample CSV file to use when enabling resource logging on multiple NSGs. The ACE script will enable resource logging for all NSGs on each subscription listed.

           Subscription	Region	Storage
           1c2d1333-1234-4665-aaaa-bc22ccc42323	eastus	/subscriptions/1c2d1333-1234-4665-aaaa-bc22ccc42323/resourceGroups/AutoDcExclusive_ RgA_Base/providers/Microsoft.Storage/ storageAccounts/EastUS_SA
           1c2d1333-1234-4665-aaaa-bc22ccc42323	centralus	/subscriptions/1c2d1333-1234-4665-aaaa-bc22ccc42323/resourceGroups/AutoDcExclusive_ RgA_Base/providers/Microsoft.Storage/ storageAccounts/CentralUS_SA
           88855544-abab-4665-8fdf-bc22ccc42c06	eastus	/subscriptions/88855544-abab-4665-8fdf-bc22ccc42c06/resourceGroups/2c06_RG1/providers/ Microsoft.Storage/storageAccounts/EastUS_SA

        3. On the Azure portal Cloud Shell page

           1. Click the PowerShell script upload/download icon (bottom task bar)
           2. Select the upload option
           3. Browse to and select ACE's enableNsgFlowLogs.ps1 script.

           Note: For users logged into ACE, this script is available at https://cloudflow.algosec.com/cloudflow/assets/files/enableNsgFlowLogs.ps1.

        4. Run the enableNsgFlowLogs.ps1 script. When prompted, enter the path to the CSV file you created in step 2.

           As the script runs, it enables resource logging for all NSGs in each Azure subscription you listed in the CSV file, and provides the following feedback:

           • Details about the results for each subscription, as the script runs through them
           • Summary of all actions performed, once the script has run on all subscriptions listed

        5. If you want to manage the retention policy, follow Microsoft's Azure Storage lifecycle managementinstructions.

   2. Verify existence of diagnostic settings for resource logs

      It is essential to verify that the required diagnostic settings have been made.
      The status Enabled seen in the this image shows you that resource logs have been successfully configured for the NSG named in the same row.

      

      Check if the diagnostic setting has been configured by looking for indications such as those in the following image. If the diagnostic setting has not been configured, be sure to follow the procedure to enable resource logging for NSGs, above.

      

      

3. Configure log collection parameters

   For Azure NSG

   ACE administrators can configure the frequency at which logs are collected, or entirely enable or disable the feature, via API.

   Modify the following parameters as needed:

   TRAFFIC_LOG_FREQUENCY_PERIOD_MINUTES	Determines the frequency, in minutes, at which ACE collects resource logs from Azure NSGs. Value: Integer Default: 60
   ENABLE_TRAFFIC_LOGS	Determines whether resource log collection is enabled for Azure NSGs. Disabling this parameter will cause ACE to display Flow logs disabled in the Last used column on the risk trigger details pages, even when resource logging is enabled in the Azure NSG itself. Value: Boolean Default: Enabled
   INACTIVE_RULE_PERIOD	Determines the number of days for which ACE checks for resource logs. Default = 30 NSG rules where resource logs are enabled but no hits are found during the period defined by this parameter are considered as unused. In the Last used column, these rules will be marked as No traffic logged. For details, see Last used.

   To modify any of these parameters, contact AlgoSec support.

4. Configure the Storage Account Firewall (Optional)

   If the subscription being configured includes a storage account from which resource logs will be collected, network access may require configuration.

   Do the following:

   1. Determine if the storage account's firewall can be configured to allow:

      • Access from all networks, or

      • Access only from selected networks

   2. If you select allowing access from All networks, the default setting, no further configuration is required.

      

   3. If you select allowing access from Selected networks, to enable ACE to collect resource logs from the storage account:

      1. Copy the Current ACE service IPs for your region, listed below:

         US region 18.209.205.33 23.21.89.217 52.21.25.44	EU region 3.124.48.17 3.66.94.197 52.29.166.50
         ANZ region 13.237.219.32 3.24.141.128 52.62.160.212	ME region 157.241.75.15 16.24.37.180 16.24.41.212
         UAE region 51.112.135.86 51.112.113.39 51.112.73.196	IND region 35.154.132.171 15.206.226.212 13.234.86.181
         Singapore region 47.128.94.17 13.215.67.101 13.228.167.214

      2. Add these ACE service IPs to the Firewall-Address range configuration as shown at the bottom of the figure below.

         

The resource logs will be created when you run traffic through the subject NSG(s).