# Quickstart: Azure

### How Fusion integrates with Azure <a href="#how-fusion-integrates-to-azure" id="how-fusion-integrates-to-azure"></a>

1. **Fusion ingests VNet flow logs from Azure.**
2. **Fusion ingests asset context from Azure for context enrichment.**

### Steps to integrate with Azure <a href="#steps-to-integrate-to-azure" id="steps-to-integrate-to-azure"></a>

Each page in these instructions will walk you through the steps to integrate Azure with Netography Fusion using the az CLI:

* Set your working subscription
* Register Microsoft Insights Provider
* Create a storage account
* Create a flow log
* Add Azure VNet as a new traffic source in Netography Fusion
* Context integration in Azure

#### Troubleshooting <a href="#troubleshooting" id="troubleshooting"></a>

**Network Watcher must be enabled (it is by default)**

If you previously chose to opt out of **Network Watcher automatic enablement**, you must manually enable Network Watcher in each region.

See: [Enable or Disable Azure Network Watcher](https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-create?tabs=portal)

**Azure Policy could restrict actions you take**

If **Azure Policy** is in use, you may be restricted from performing these steps.

A **RequestDisallowedByPolicy** error means the Global Administrator role is being overridden by Azure Policy.

See: [Resolve errors for request disallowed by policy](https://learn.microsoft.com/en-us/azure/azure-resource-manager/troubleshooting/error-policy-requestdisallowedbypolicy?tabs=azure-cli)

**You need Owner or Contributor role in your Azure subscription to complete these steps**

You need access to the Azure subscription(s) containing the Virtual Network(s) you are adding to Netography Fusion, with an `Owner` or `Contributor` role or a custom role that has the specific permissions required for each step:

* The `/register/action` operation permission, needed to register the Microsoft Insights provider, is included in the `Owner` and `Contributor` roles.
* The `Microsoft.Network/networkWatchers/configureFlowLog/action` permission is included in the `Owner`, `Contributor`, and `Network Contributor` roles.
* The `Microsoft.Storage/storageAccounts/*` permission is included in the `Owner`, `Contributor`, and `Storage Account Contributor` roles.
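
A preflight check for the custom-role case above, as an added example that is not Netography's code: it takes role definitions in the JSON shape that `az role definition list` prints (an assumption) and reports which of the listed permissions are still missing once `notActions` are subtracted. The `Microsoft.Insights` prefix on the register action, the sample roles, and the function names are assumptions.

```python
from fnmatch import fnmatchcase

# Permissions this page lists. The "Microsoft.Insights" prefix is an assumption:
# the page gives the register operation only as "/register/action".
REQUIRED = [
    "Microsoft.Insights/register/action",
    "Microsoft.Network/networkWatchers/configureFlowLog/action",
    "Microsoft.Storage/storageAccounts/*",
]

def covers(pattern, action):
    """True if an RBAC pattern ('*' wildcards, case-insensitive) includes action."""
    return fnmatchcase(action.lower(), pattern.lower())

def overlaps(a, b):
    """True if one pattern contains the other (enough for trailing wildcards)."""
    return covers(a, b) or covers(b, a)

def missing_permissions(role_definitions, required=REQUIRED):
    """Return the required permissions that no assigned role fully grants.

    A role grants a permission when one of its actions covers it and none of
    its notActions carve anything out of it. Grants are additive across roles.
    """
    missing = []
    for need in required:
        granted = any(
            any(covers(p, need) for p in perm.get("actions", []))
            and not any(overlaps(p, need) for p in perm.get("notActions", []))
            for role in role_definitions
            for perm in role.get("permissions", [])
        )
        if not granted:
            missing.append(need)
    return missing

# Constructed sample roles (not real tenant data).
CUSTOM_ROLE = {"roleName": "flowlog-onboarding (constructed)", "permissions": [{
    "actions": ["Microsoft.Network/networkWatchers/*", "Microsoft.Storage/storageAccounts/*"],
    "notActions": ["Microsoft.Storage/storageAccounts/delete"],
}]}
BROAD_ROLE = {"roleName": "broad-role (constructed)", "permissions": [{
    "actions": ["*"],
    "notActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
}]}

if __name__ == "__main__":
    print("custom role alone is missing:", missing_permissions([CUSTOM_ROLE]))
    print("with a broad role added:", missing_permissions([CUSTOM_ROLE, BROAD_ROLE]))
```

The check covers role definitions only; an Azure Policy denial such as `RequestDisallowedByPolicy` is evaluated separately and can still block a step that the roles allow.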

### Additional Azure setup options <a href="#additional-azure-setup-options" id="additional-azure-setup-options"></a>

The Azure quick start guide is for manually configuring your first Azure subscription to integrate into Fusion using the Azure console and az CLI. For additional instructions, see:

* [Azure Virtual network (VNet) Flow Log Setup](https://docs.netography.com/ingest-network-traffic-logs/flow-logs/azure-vnet-flow-log-configuration)
* [Azure NSG Flow Logs Setup](https://docs.netography.com/ingest-network-traffic-logs/flow-logs/azure-network-security-group-flow-logs-azure-console-setup-method)
* [Azure Context Integration](https://docs.netography.com/enrich-traffic-with-context/configure-context-integrations/azure)

{% hint style="info" %}
**🤖Using Terraform to automate onboarding**

Access Netography's Terraform automation at our GitHub repo: <https://github.com/netography/neto-onboarding>. For access to the repo, email \[email protected] with your GitHub ID or with a request for access to the latest release package.

Netography's Terraform project, `neto-onboarding`, provides Netography Fusion Cloud Onboarding Automation for AWS Organizations, Azure Tenants, and GCP Organizations.

This automation provides the following capabilities, which you can use in whole or in part:

* Enables and configures AWS VPC flow logs, Azure VNet flow logs, and GCP VPC flow logs based on a simple policy and tags that define which VPCs/VNets are in scope.
* Deploys all the infrastructure required to integrate with Fusion across multiple accounts (AWS), subscriptions (Azure), and projects (GCP) in a single deployment.
* Adds VPCs/VNets configured for flow logging to Netography Fusion as traffic sources.
* Deploys a single AWS Lambda function, Azure Function, or Google Function that provides context enrichment across all the accounts/subscriptions/projects as an outbound push from your cloud to the Fusion API, eliminating the need to add context integrations from the Fusion portal, to grant Netography permissions to directly enumerate resource properties, or to add individual context integrations in Fusion for each cloud account.
* Monitors for VPC/VNet changes, enabling and configuring flow logs for new in-scope VPCs/VNets and onboarding them to Fusion, and offboarding VPCs/VNets that are removed or no longer in scope.
  {% endhint %}
