BindPlane Documentation

Microsoft Azure Sources

Monitor Microsoft Azure Hosted Sources

Suggest Edits

This setup guide can be used for enabling data collection for all supported Bindplane Azure sources. Use the individual source documentation for specific LPU and connection configuration details.

Metrics are collected via the Azure REST API for most of the Bindplane Azure sources, with the exception of Azure SQL Database source. Azure SQL Database metrics are collected via JDBC from performance database tables.

Network Requirements

For all Bindplane Azure Sources except for SQL Database:

For Azure SQL Database:

  • Port: 1433 (TCP) access to the database server IP address.

Microsoft Azure Data Collection Setup

Overview Reference on the Azure CLI:

Creating custom roles using the Azure CLI:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

Assigning roles using the Azure CLI:
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal

Azure CLI

The following steps require the Azure CLI. Ensure you have it installed before continuing. To verify the Azure CLI has been installed, run the az help command. See: Microsoft Azure CLI Troubleshooting Guide for additional information.

Azure Cloud shell

There is an Azure Cloud Shell (CLI), which may be used to instead installing a local CLI. For more information: https://azure.microsoft.com/en-us/features/cloud-shell/

Subscription and Tenant IDs

Subscript and Tenant IDs are required for data collection from all the Azure Sources. One way to find those is using the Azure CLI

To obtain your Subscription ID (id ) Tenant ID (tenantId) Which is required for Source Configuration

Using the Azure CLI

az account list

The output should look similar to the following:
"cloudName": "AzureCloud",
"id": “<SUBSCRIPTION-ID>",
"isDefault": true,
"name": "Pay-As-You-Go",
"state": "Enabled",
"tenantId": “<TENANT-ID>",
"user": {
     "name": "[email protected]",  
     "type": "user"
}

Create a custom RBAC role

This is an example of using the LPU's listed bellow. Use the source specific LPU for what you want to monitor.

To create a custom RBAC role, first you must create a file called azure.json that contains the following configuration. Replace Subscription ID with your ID that found in the above command.

{
  "Name": "Blue Medora Microsoft Azure Monitoring",
  "Description": "Monitor Microsoft Azure Environment by Blue Medora",
  "Actions": [
    "Microsoft.Compute/virtualMachines/*/read",
    "Microsoft.Sql/servers/*/read",
    "Microsoft.Storage/*/read",
    "Microsoft.Insights/metrics/*/read",
    "Microsoft.Authorization/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "AssignableScopes": [
    "/subscriptions/[Subscription ID]"
  ]
}

Next, create your custom RBAC role by running the following command:

az role definition create --role-definition azure.json

Client Secret: Create an Active Directory Service Principal (and AD App)

The secret is used for configuration of the Azure sources. This is an example of how to define this:

To create an AD Service Principal and assign a role to it, run the following command:

az ad sp create-for-rbac -n bindplane --role "Blue Medora Microsoft Azure Monitoring"

In the output you should find the required information.

Changing "bindplane" to a valid URI of "http://bindplane", which is the required format used for service principal names
Creating a role assignment under the scope of "/subscriptions/myId"
{
  "appId": "myAppId",
  "displayName": "bindplane",
  "name": "http://bindplane",
  "password": myPassword,
  "tenant": "myTenantId"
}

Optional: To check the role assignment

You can execute the following command: NOTE: You may want to have jq installed to assist with JSON readability.

In the output, you should see "Microsoft Azure Monitoring in BindPlane" as the value for Definition.

az role assignment list | jq '.[].properties|{Name:.principalName,Definition:.roleDefinitionName}'

Client ID

After creating your AD Service Principal (and AD App), find your associated Client ID (appId) by running the following command:
NOTE: The appId in the output above is the Client ID 

az ad sp list --filter="displayName eq 'bindplane'"
The output should look similar to the following:
[
  {
    "appId": "<CLIENT-ID>",
    "displayName": "Network Watcher",
    "objectId": "000af6c3-681a-4c76-982e-604a700d86d9",
    "objectType": "ServicePrincipal",
    "servicePrincipalNames": [
      "7c33bfcb-8d33-48d6-8e60-dc6404003489"
    ]

Managing Azure LPUs using the CLI Script

🚧

Microsoft Azure Account Privileges

The Microsoft Azure Account being used to login, in either case below, requires that the account has administrator privileges

Prerequisite

  • Install the jq command line tool
    This is required for the script to run properly

How to acquire the Azure LPU CLI Script

Using the Cloud Shell

  1. Login to your Microsoft Azure Account
    (The account must have administrator privileges)
  2. Navigate to the Cloud Shell
    2a. Use Bash instead of PowerShell with the Cloud Shell
  3. Clone the repository from GitHub to a preferred directory
  4. Start using the Azure LPU CLI Script

Using a Local Shell

  1. Navigate to a command line that uses Bash
  2. Clone the repository from GitHub to a preferred directory
  3. Login to your Microsoft Azure account via the Azure CLI using the az login command
    (The account must have administrator privileges)
  4. Start using the Azure LPU CLI Script

📘

Cloning the repository from GitHub

First, navigate to the following web page using the provided link
Azure LPU CLI

Next, do the following:

  1. Click Clone or download
  2. Copy the URL to clone the repository using HTTPS
  3. Navigate to a preferred directory where the repository will be cloned to
  4. Using the 'git clone' command, clone the repository to the current directory

For more information on cloning a repository from GitHub, please click here

How to use the Azure LPU CLI Script

Understanding the Folder Structure

As per the image below, the main directory contains the scripts titled azure-create-lpu.sh and azure-delete-lpu.sh. Respectively, these scripts are used to create, or delete, an LPU. The output folder contains the individual.txt file and the master.txt file.

The individual.txt file contains individual LPU credentials for each BindPlane source, whereas master.txt contains a single LPU credential that is valid for all BindPlane sources. The template directory contains the master and individual folders. These contain JSON files that are used to create separate individual LPU credentials, or one master LPU credential that can be used for every Azure source in BindPlane.

❗️

Maintaining Credential Security

To maintain the privacy and security of the credentials, the following steps are recommended:

After creating the LPU, copy the contents of individual.txt and master.txt to a secure location (like your secret management system or password manager). Empty the master.txt and individual.txt files for the next run.

652

Azure LPU CLI Script Folder Structure

User Inputs Overview

Subscription ID:
The subscription ID associated with the Azure account

Password:
A user created password that will be associated with the LPU credentials that are created

Random Prefix:
A user created prefix that is used to identify the Custom Role that is being created.

Master or Individual LPU:

  • Choosing Master creates a single LPU for all Azure services that are supported
  • Choosing Individual creates multiple LPUs for each Azure service supported

How to create the Master LPU via the CLI Script

  1. To start, run the following command:
    ./azure-create-lpu.sh
  2. Respond to the prompts that appear on-screen
    2a. Input the Subscription ID
    2b. Input a Password
    2c. Input a Random Prefix for our role
    2d. Choose to create the Master LPU by inputting a 1

How to create an Individual LPU via the CLI Script

  1. To start, run the following command:
    ./azure-create-lpu.sh
  2. Respond to the prompts that appear on-screen
    2a. Input the Subscription ID
    2b. Input a Password
    2c. Input a Random Prefix for the role
    2d. Choose to create the Individual LPU by inputting a 2
1060

Creating the Master LPU

How to delete an Azure LPU via the CLI Script

  1. To start, run the following command:
    ./azure-delete-lpu.sh
  2. Respond to the prompts that follow
    2a. Input the Subscription ID
    2b. Input the Random Prefix for the role
    2c. Choose to delete the Individual LPU or Master LPU by inputting a 1 or 2
1059

Deleting an Azure LPU

Updated almost 4 years ago