This guide will cover the following areas needed to add Azure Target to Turbonomic v6.4 or later (click here for steps for earlier versions):
- Registering Application with Azure Active Directory
- Creating Client Secret Key and setting permission
- Obtaining Tenant Name
- Enabling Turbonomic to Access Subscription(s)
- Adding Azure Target in Turbonomic
Note: if you wish to perform these steps using Azure CLI, please visit this article
To add a Microsoft Azure Enterprise Agreement target, please visit this article (an Azure EA target is required for managing Azure Reserved VM Instances and to reflect negotiated rates in the Turbonomic UI)
- Administrator or Co-Administrator Azure Portal (portal.azure.com) - Only required for initial configuration of Azure and not needed by Turbonomic
- Firewall configured to allow Turbonomic to access Azure resources
Turbonomic interacts with Azure targets through an Azure AD Application/Service Principal; during the setup process you will need to assign a permission level through one of the built-in Azure roles. Please review the information below for details before you proceed:
Permission Level for executing actions:
- You can use either the Owner or Contributor role. Contributor is the least-privileged built-in role that enables Turbonomic to take actions in your Azure environment, including manually or automatically scaling VMs across instance types or automating VM stop and start.
Permission Level for Read-Only:
- The combination of the 'Reader' and 'Storage Account Contributor' roles is the minimum combination of built-in roles required for Turbonomic to discover and access metrics across your Azure environment. The Storage Account Contributor role is required to access the Storage Account keys and establish a connection in order to retrieve VM memory statistics.
- The least-privileged access is the combination of the 'Reader' role on the subscription plus either the 'Storage Account - List Keys' permission or the 'Reader and Data Access' role on the storage account where the memory metrics are stored. If you wish to use that combination, you will need to create the 'Storage Account - List Keys' role using the Azure CLI or APIs: download this json file, edit it to add your subscription id, save it, and then create the role by running the Azure CLI command:
az role definition create --role-definition listkeys.json
Note: another enhanced security option is to create a separate storage account and use it to store the memory metrics - please contact Turbonomic for more details on this model.
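The 'Storage Account - List Keys' role above is the only part of this setup that needs a custom role definition. The script below is an added example (not the json file the article links to, and not Turbonomic's own tooling) that renders such a definition for one subscription, checks it before it is created, and then assigns the least-privilege combination with the Azure CLI: Reader at subscription scope and the custom role only on the storage account that holds the memory metrics. The role name follows the article; the action name `Microsoft.Storage/storageAccounts/listKeys/action` is the Azure RBAC operation for listing storage account keys; the subscription id, application (client) ID, resource group and storage account are placeholders you replace.

```shell
#!/usr/bin/env bash
# Added example, not Turbonomic's own file: render the custom
# "Storage Account - List Keys" role definition for one subscription,
# sanity-check it, and (optionally) assign the least-privilege combination.
set -euo pipefail

# Print the role definition JSON in Azure's custom role format.
# Microsoft.Storage/storageAccounts/listKeys/action is the RBAC operation
# that lists storage account keys; nothing else is granted.
listkeys_role_json() {
  local subscription_id="$1"
  cat <<EOF
{
  "Name": "Storage Account - List Keys",
  "IsCustom": true,
  "Description": "List storage account keys only (Turbonomic VM memory metrics)",
  "Actions": [
    "Microsoft.Storage/storageAccounts/listKeys/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/${subscription_id}"
  ]
}
EOF
}

# Check a role definition before creating it: exactly one storage action,
# that action is listKeys, the role is custom, and it is assignable only at
# a subscription scope with a well-formed subscription id. Returns 0 on pass.
validate_listkeys_role() {
  local json="$1" actions
  actions=$(printf '%s\n' "$json" | grep -c '"Microsoft\.Storage/storageAccounts/[^"]*"' || true)
  [ "$actions" -eq 1 ] || return 1
  printf '%s\n' "$json" | grep -q '"Microsoft.Storage/storageAccounts/listKeys/action"' || return 1
  printf '%s\n' "$json" | grep -q '"IsCustom": true' || return 1
  printf '%s\n' "$json" | grep -q '"/subscriptions/[0-9a-f-]\{36\}"' || return 1
  return 0
}

# Create the role, then assign Reader at subscription scope and the custom role
# only on the storage account holding the memory metrics. Requires the Azure CLI
# and an active "az login"; every argument is a placeholder you supply.
assign_least_privilege() {
  local subscription_id="$1" app_id="$2" resource_group="$3" storage_account="$4"
  local role_file
  role_file=$(mktemp)
  listkeys_role_json "$subscription_id" > "$role_file"
  validate_listkeys_role "$(cat "$role_file")"
  az role definition create --role-definition "$role_file"
  az role assignment create --assignee "$app_id" --role "Reader" \
    --scope "/subscriptions/${subscription_id}"
  az role assignment create --assignee "$app_id" --role "Storage Account - List Keys" \
    --scope "/subscriptions/${subscription_id}/resourceGroups/${resource_group}/providers/Microsoft.Storage/storageAccounts/${storage_account}"
  rm -f "$role_file"
}

# Only talks to Azure when invoked with --run and the CLI is installed.
if [ "${1:-}" = "--run" ] && command -v az >/dev/null 2>&1; then
  # Placeholders (constructed): replace with your subscription id, the
  # Application (client) ID from the App registration, and the resource
  # group and storage account that hold the memory metrics.
  assign_least_privilege "00000000-0000-0000-0000-000000000000" \
    "<application-client-id>" "<resource-group>" "<storage-account>"
fi
```

Run it without arguments to only render and validate the definition; pass `--run` once the placeholders are filled in. A newly created custom role can take a few minutes to become visible for assignment, so if the second `az role assignment create` reports the role as not found, wait and retry rather than widening the scope or switching to a broader built-in role.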
Registering Turbonomic with Azure Active Directory
- Login to Microsoft Azure Portal
- Navigate to Azure Active Directory
- Under Manage click on App registrations
- Now click on the New registration button
- In the new blade, enter the required details in the fields and then click Register
- Name: This can be any name you like. In this example: 'Turbonomic'
- Supported account types: keep the default option selected
- The App registration is now created. Make a note of the Application (client) ID and the Directory (tenant) ID; you will need them later when adding the Azure target in Turbonomic
Creating Client Secret Key & Permissions
- Click on the Certificates & Secrets option:
- Click on + New client secret; in the 'Add a client secret' blade fill in the required fields to generate a key and then click Add
- Description: Turbonomic (or any other name)
- Expires: Never expires (for POVs you can select a 1 or 2 year expiration)
- Make sure to copy the secret value; it will not be shown again after you leave this page. The key will be used in Turbonomic later on under Client Secret Key
- Now click on API Permissions
- Click + Add a permission and select Azure Service Management
- In the next screen select Delegated permissions, check the box next to 'user_impersonation' and click Add permissions
- In the end, the screen should look like the below:
Enabling Turbonomic to Access the Subscription(s) using Service Principal
The last step is to add the Active Directory Application (Service Principal) created in Azure earlier to each and every subscription that you wish Turbonomic to manage; you can assign a different permission level to each subscription if needed:
- In Azure Portal, search for 'Subscriptions' and click on it when shown
- You should see all the subscriptions under your Tenant (Directory). Tip: if you only see a single subscription, make sure to uncheck the box under 'Show only subscriptions selected in the global subscription filter'
- Click on the first subscription you want Turbonomic to manage
- Click on 'Access control (IAM)'
- Click on 'Add' on the top and then select 'Add role assignment'
- Select the role as either 'Owner' OR 'Contributor' OR the combination of 'Reader' + 'Storage Account Contributor' (please refer to the permission levels described at the beginning of this article for details)
- Under 'Select' type in the name of the application you created under 'App registrations' in the previous steps and then click it in the list below
- Click Save
- After you have assigned the role to the application, you should see it as a User in your Users list as shown in the screenshot below.
- Repeat steps 3 to 8 for every subscription you want Turbonomic to manage
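Once the role assignments are in place it is worth confirming, per subscription, that the service principal holds exactly one of the combinations this article describes and nothing more. The script below is an added example (not Turbonomic's own tooling) that reads the role names assigned to the app registration and maps them to the article's permission levels; it can be fed the live output of `az role assignment list` or, for offline review, a list of role names. The `--assignee`, `--all`, `--query` and `-o tsv` options are standard Azure CLI options; the application (client) ID is a placeholder you replace. The `read-only-least` level goes slightly beyond the portal steps above by also recognising the 'Storage Account - List Keys' and 'Reader and Data Access' combination from the permissions section.

```shell
#!/usr/bin/env bash
# Added example, not Turbonomic's own tooling: audit which roles the
# Turbonomic service principal actually holds and map them to the
# permission levels described in this article.
set -euo pipefail

# Read role names, one per line, on stdin and print the permission level:
#   actions          Owner or Contributor (Turbonomic can execute actions)
#   read-only        Reader + Storage Account Contributor
#   read-only-least  Reader + 'Storage Account - List Keys' or 'Reader and Data Access'
#   incomplete       none of the supported combinations is present
# Roles outside those sets are reported on stderr so they can be reviewed.
classify_roles() {
  local owner=0 contributor=0 reader=0 sac=0 listkeys=0 rda=0 other="" role
  while IFS= read -r role; do
    case "$role" in
      "Owner") owner=1 ;;
      "Contributor") contributor=1 ;;
      "Reader") reader=1 ;;
      "Storage Account Contributor") sac=1 ;;
      "Storage Account - List Keys") listkeys=1 ;;
      "Reader and Data Access") rda=1 ;;
      "") ;;
      *) other="${other}${role}; " ;;
    esac
  done
  if [ "$owner" -eq 1 ] || [ "$contributor" -eq 1 ]; then
    echo "actions"
    [ "$owner" -eq 0 ] || echo "note: Owner exceeds the Contributor minimum for executing actions" >&2
  elif [ "$reader" -eq 1 ] && [ "$sac" -eq 1 ]; then
    echo "read-only"
  elif [ "$reader" -eq 1 ] && { [ "$listkeys" -eq 1 ] || [ "$rda" -eq 1 ]; }; then
    echo "read-only-least"
  else
    echo "incomplete"
  fi
  [ -z "$other" ] || echo "note: roles outside the supported sets: ${other}" >&2
}

# Pull the live assignments for the app registration with the Azure CLI.
# --all includes assignments at every scope under the selected subscription
# (subscription, resource group, storage account); --query keeps only the
# role name, printed one per line by -o tsv.
audit_service_principal() {
  local app_id="$1"
  az role assignment list --assignee "$app_id" --all \
    --query "[].roleDefinitionName" -o tsv | classify_roles
}

# Only talks to Azure when invoked with --run and the CLI is installed.
if [ "${1:-}" = "--run" ] && command -v az >/dev/null 2>&1; then
  # Placeholder (constructed): the Application (client) ID noted earlier.
  audit_service_principal "<application-client-id>"
fi
```

Select each subscription in turn with `az account set` before running with `--run`, since the assignment list is scoped to the active subscription. An `incomplete` result usually means the Reader half of a read-only combination was assigned at the storage account rather than at the subscription, and any role reported on stderr is one Turbonomic does not need.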
Adding Azure Target in Turbonomic
You should have the following information to enter in Turbonomic.
- Tenant/Directory ID
- Application (Client) ID
- Client Secret Key
To add the target, access your Turbonomic server GUI and click on Settings > Target Configurations > New Target > Cloud Management and select Azure.
Enter the details in the new window as per the below:
After successfully adding an Azure Target, there will be two types of entities in the target page for Azure.
- Azure Service Principal Target - this target includes the IDs provided earlier and it will list all the subscriptions the service principal was assigned to. This target can be edited if needed.
- Azure Target - this object represents the individual subscription discovered by the Azure Service Principal Target. This object cannot be edited.
Next Steps - Enabling Basic Metrics
- consumption.azure.com (for RI and EA)
- Outbound Ports:
- TCP: 443
Please note: where "<StorageAccount>" is specified this can be replaced with "*." so that it matches all of your storage account names.