Onboard an Azure VNet Environment

Use the following procedure to onboard an Azure VNet for cloud-delivered Firewall Management Center management:

Before you begin

You must have the following completed prior to this onboarding procedure:

  • Cloud-delivered Firewall Management Center is enabled for your tenant.

  • You must have at least one resource group available in your Azure account with an empty Azure VNet instance. If you do not have a resource group to host the virtual device, create one with the Azure portal. See Microsoft Azure's Manage Azure resource groups by using the Azure portal guide for more information.

  • Your resource group in the Azure portal must have a virtual network created for the virtual device. If you do not have one, create one in the Azure portal. See Microsoft Azure's Create a virtual network using the Azure portal quickstart guide for more information.

  • You must register Cisco Defense Orchestrator to your Microsoft account to ensure successful communication between Azure and CDO. See the "Quickstart: Register an application with the Microsoft identity platform" section of the Azure product documentation for more information.

  • You must assign a built-in role, or create a custom role, within the Azure environment and assign it a member or group that will access both Azure and CDO. See the "Azure custom role" section or the "Azure custom roles" of the Azure product documentation for more information.

  • You must enable all of the following permissions in the Azure environment in order to successully communicate with and onboard to CDO:
    "Microsoft.Network/virtualNetworks/write"
"Microsoft.Network/virtualNetworks/join/action"
"Microsoft.Network/virtualNetworks/subnets/read"
"Microsoft.Network/virtualNetworks/subnets/write"
"Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action"
"Microsoft.Network/networkSecurityGroups/read"
"Microsoft.Network/networkSecurityGroups/write"
"Microsoft.Network/networkSecurityGroups/join/action"
"Microsoft.Network/networkSecurityGroups/securityRules/write"
"Microsoft.Network/networkSecurityGroups/securityRules/read"
"Microsoft.Network/networkSecurityGroups/securityRules/delete"
"Microsoft.Storage/storageAccounts/write"
"Microsoft.Storage/storageAccounts/read"
"Microsoft.Resources/deployments/write"
"Microsoft.Resources/deployments/read"
"Microsoft.Network/publicIPAddresses/read"
"Microsoft.Network/publicIPAddresses/write"
"Microsoft.Network/routeTables/read"
"Microsoft.Network/routeTables/write"
"Microsoft.Network/networkInterfaces/read"
"Microsoft.Network/networkInterfaces/write"
"Microsoft.Compute/virtualMachines/write"
"Microsoft.Resources/deployments/operationstatuses/read"
"Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read"
"Microsoft.Network/routeTables/join/action"
"Microsoft.Network/virtualNetworks/subnets/join/action"
"Microsoft.Network/publicIPAddresses/join/action"
"Microsoft.Network/networkInterfaces/join/action"
"Microsoft.Compute/virtualMachines/read"
"Microsoft.Resources/subscriptions/resourceGroups/write"
"Microsoft.Resources/subscriptions/resourceGroups/delete"

Procedure

Step 1

Review the prerequisites listed above. You must register CDO to your Microsoft account, create a user role, and enable all the applicable permissions prior to onboarding a virtual environment.

Step 2

Log in to CDO.

Step 3

In the navigation pane, click Inventory and click the blue plus button.

Step 4

Select the Azure VNet tile.

Step 5

Enter the following credentials to continue with the onboarding wizard, then click Next:

  • Azure Tenant ID (Directory ID) - A directory ID is a unique identifier for the tenant in the world of Microsoft cloud services. There is only one directory ID per tenant. To locate it, log into the Azure portal and navigate to Azure Services > Azure Active Directory and locate the Tenant ID listed on that page.

  • Client ID (Application ID) - An application ID is a unique identifier assigned toCDO by Azure AD when the app was registered. To locate it, log into the Azure portal and navigate to Azure Services > Azure Active Directory > App Registrations and view the application ID in the list of apps. If there is no application ID for CDO, click New Registrations to create one for this onboarding procedure.

  • Client Secret - You must manually request a client secret, although the Azure portal auto-generates a unique string to protect your tenant. To locate it, log into the Azure portal and navigate to Azure Services > Azure Active Directory > App Registrations, then expand the application for CDO. In the panel on the left, click Certificates & secrets. If there is no secret, click New client secret to create one. Copy the Value entry for this onboarding procedure, not the Secret ID entry.

  • Subscription ID - A subscription is a tenant-based agreement to use Microsoft cloud services; in this case, Azure VNet. The subscription ID is the unique code associated between the tenant and this particular cloud service. To locate it, log into the Azure portal and navigate to Azure Services > Subscriptions. If there are no subscriptions available for CDO, click Add to create one.

Step 6

In the CDO onboarding wizard, use the drop-down menu to select the Azure VNet you want to onboard.

Step 7

Enter the Device Name and select Next. This device name is what the Azure VNet is displayed as in the Inventory page.

Step 8

(Optional) Add labels to your device to help sort and filter the Inventory page. Enter a label and select the blue plus button. Labels are applied to the device after it's onboarded to CDO.

What to do next

Onboard a virtual device in CDO with this instance of Azure VNet as the manager. See Deploy a Threat Defense Virtual in Azure for more information.