Quickstart: Azure

Getting started with Microsoft Azure

How Fusion integrates to Azure

  1. Fusion ingests VNet flow logs from Azure.
  2. Fusion ingests asset context from Azure for context enrichment.

Steps to integrate to Azure

Each page in these instructions will walk you through the steps to integrate Azure with Netography Fusion using the az CLI:

  • Set your working subscription
  • Register Microsoft Insights Provider
  • Create a storage account
  • Create a flow log
  • Add Azure VNet as a new traffic source in Netography Fusion
  • Context integration in Azure

Troubleshooting

Network Watcher must be enabled (it is by default)

If you previously chose to opt out of Network Watcher automatic enablement, you must manually enable Network Watcher in each region.

See: Enable or Disable Azure Network Watcher

Azure Policy could restrict actions you take

If Azure Policy is in use, you may be restricted from performing these steps.

A RequestDisallowedByPolicy error means the Global Administrator role is being overridden by Azure Policy.

See: Resolve errors for request disallowed by policy

You need Owner or Contributor role in your Azure subscription to complete these steps

You'll need access to the Azure subscription(s) containing the Virtual Network(s) you are adding to Netography Fusion, with either the Owner or Contributor role or a custom role that carries the specific permissions required for each step:

  • The /register/action permission needed to register the Microsoft Insights provider is included in the Owner and Contributor roles.
  • The Microsoft.Network/networkWatchers/configureFlowLog/action permission is included in the Owner, Contributor, and Network Contributor roles.
  • The Microsoft.Storage/storageAccounts/* permission is included in the Owner, Contributor, and Storage Account Contributor roles.
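
The steps listed above, together with the Network Watcher and Azure Policy notes in this troubleshooting section, worked as an added az CLI script; it is not part of Netography's documentation or tooling. The subscription ID, resource group, region, VNet and storage account names are placeholders to replace, and DRY_RUN=1 prints each command instead of running it so the sequence can be reviewed before anything is created.

```shell
#!/bin/sh
# Added example (not Netography's code): the quickstart steps as az CLI calls.
# All names are placeholders; override them via environment variables.
# DRY_RUN=1 prints each command instead of executing it.
SUBSCRIPTION="${SUBSCRIPTION:-00000000-0000-0000-0000-000000000000}"
RG="${RG:-fusion-rg}"
LOCATION="${LOCATION:-eastus}"
VNET="${VNET:-my-vnet}"
STORAGE="${STORAGE:-netoflowlogs001}"   # must be globally unique, 3-24 lowercase alphanumerics
FLOWLOG="${FLOWLOG:-${VNET}-flowlog}"
DRY_RUN="${DRY_RUN:-0}"

# Print the command in dry-run mode, otherwise execute it.
az_run() {
  if [ "$DRY_RUN" = "1" ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}

# Step 1: set the working subscription.
set_subscription() { az_run account set --subscription "$SUBSCRIPTION"; }

# Troubleshooting: Network Watcher must be enabled in the region of the VNet.
enable_network_watcher() { az_run network watcher configure --locations "$LOCATION" --enabled true; }

# Step 2: register the Microsoft.Insights provider and wait until it is Registered.
# A RequestDisallowedByPolicy error here is an Azure Policy block, not a missing role.
register_insights() {
  az_run provider register --namespace Microsoft.Insights
  if [ "$DRY_RUN" = "1" ]; then return 0; fi
  until [ "$(az provider show --namespace Microsoft.Insights --query registrationState -o tsv)" = "Registered" ]; do
    sleep 5
  done
}

# Step 3: storage account for the flow logs, hardened: HTTPS only, TLS 1.2+, no anonymous blob access.
create_storage() {
  az_run storage account create --name "$STORAGE" --resource-group "$RG" --location "$LOCATION" \
    --sku Standard_LRS --kind StorageV2 \
    --https-only true --min-tls-version TLS1_2 --allow-blob-public-access false
}

# Step 4: VNet flow log (version 2 JSON records) written to that storage account.
create_flow_log() {
  az_run network watcher flow-log create --location "$LOCATION" --name "$FLOWLOG" \
    --resource-group "$RG" --vnet "$VNET" --storage-account "$STORAGE" \
    --enabled true --format JSON --log-version 2 --retention 7
}

# Run the full sequence only when invoked with --apply (combine with DRY_RUN=1 to preview).
if [ "${1:-}" = "--apply" ]; then
  set_subscription && enable_network_watcher && register_insights && create_storage && create_flow_log
fi
```

Saved as, say, onboard-vnet.sh (an assumed file name), `DRY_RUN=1 sh onboard-vnet.sh --apply` prints the five commands for review and `sh onboard-vnet.sh --apply` runs them.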

Additional Azure setup options

The Azure quick start guide is for manually configuring your first Azure subscription to integrate into Fusion using the Azure console and az CLI. For additional instructions, see:


Using Terraform to automate onboarding

Access Netography's Terraform automation at our GitHub repo: https://github.com/netography/neto-onboarding. For access to the repo, email your GitHub ID to [email protected].

The instructions linked from this page are suitable for onboarding one or a small number of cloud accounts manually, or for use as a reference when building automation for a larger-scale deployment. In addition to these instructions, Netography provides a Terraform project, neto-onboard, that provides Netography Fusion Cloud Onboarding Automation for AWS Organizations, Azure Tenants, and GCP Organizations.

Each cloud has two Terraform deployment options: full and simple.

The simple deployment deploys all the resources needed to integrate the cloud with Fusion and perform context enrichment in a single deployment. You specify the target set of accounts/subscriptions/projects at deployment time, and you redeploy the automation to change the scope of monitoring or to onboard new accounts or networks to Fusion. This is suitable for a trial, or for a relatively static cloud environment or one with a limited number of accounts and networks.

The full deployment provides the following:

  • Enables and configures AWS VPC flow logs, Azure VNet flow logs, and GCP VPC flow logs based on a simple policy and tags that define which VPCs/VNets are in scope.
  • Deploys all the infrastructure required to integrate with Fusion across multiple accounts (AWS), subscriptions (Azure), and projects (GCP) in a single deployment.
  • Adds VPCs/VNets configured for flow logging to Netography Fusion as traffic sources.
  • Deploys a single AWS Lambda function, Azure Function, or Google Function that provides context enrichment across all the accounts/subscriptions/projects as an outbound push from your cloud to the Fusion API, eliminating the need to add context integrations from the Fusion portal, to grant Netography permissions to directly enumerate resource properties, or to add individual context integrations in Fusion for each cloud account.
  • Monitors for VPC/VNet changes and triggers enabling and configuring flow logs, onboarding to Fusion new VPCs/VNets that are in scope, and offboarding VPCs/VNets that are removed or no longer in scope.