Cloud API access requirements
The platform that has Cloud Resolver installed must be able to access the following
cloud API endpoints:
- management.azure.com
- login.microsoftonline.com
Note: For more information on Azure API endpoints, refer to https://docs.microsoft.com/en-us/rest/api/virtualnetwork/available-endpoint-services/list.
On-premises deployments
If you are deploying Cloud Resolver on a local host, you must configure the following
components to ensure that Cloud Resolver can provide unidirectional DNS resolution
for on-premises clients to the cloud infrastructure:
- Create a Service Principal (SP) associated with each remote tenant within the tenant's Azure Active Directory (AAD) infrastructure. For more information, refer to https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal.
- For each SP, assign the following access rights within the tenant AAD:
  - Microsoft.Network/privateDnsZones/read
  - Microsoft.Network/virtualNetworks/read
  - Microsoft.Network/virtualNetworks/privateDnsZoneLinks/read
  - Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
  - Microsoft.Network/privateDnsZones/ALL/read
  - Microsoft.Network/privateDnsZones/recordsets/read
  - Microsoft.Network/privateEndpoints/read
Note: If you are storing client secrets in Azure Vault, you must also add the following access right:
  - Microsoft.KeyVault/vaults/keys/read
- For each SP, generate a valid Client Secret for use by Cloud Resolver.
Note: Storage for the Client Secrets can be cloud-based or within another vault application. Currently, Cloud Resolver only supports HashiCorp Vault as a non-cloud-based vault.
Microsoft Azure deployments
If you are deploying Cloud Resolver within Azure, you must configure the
following:
- Create a custom AAD role in Azure.
- Assign the following permissions to the AAD role:
  - Microsoft.Compute/virtualMachines/read
  - Microsoft.Network/virtualNetworks/read
  - Microsoft.Network/virtualNetworks/privateDnsZoneLinks/read
  - Microsoft.Network/networkInterfaces/read
  - Microsoft.Network/privateDnsZones/read
  - Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
  - Microsoft.Network/privateDnsZones/ALL/read
  - Microsoft.Network/privateDnsZones/recordsets/read
  - Microsoft.Network/privateEndpoints/read
Note: If you are storing client secrets in Azure Vault, you must also add the following access right:
  - Microsoft.KeyVault/vaults/keys/read
For more information on configuring Managed Identities, refer to https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.
- Add the role assignment to the Managed Identity.
- Assign the Managed Identity to the platform where Cloud Resolver is installed.
- Create an Application Registration for Cloud Resolver in each remote tenant to discover and resolve queries for data located in remote tenants or subscriptions.
- Generate a Client Secret for each Application. The Client Secret will be stored either in Azure Vault or HashiCorp Vault.
- In the remote tenant AAD, create an App Role for the Application with Allowed Member type set to Applications.
- In the remote tenant, create a Custom Role for Cloud Resolver with the following permissions:
  - Microsoft.Network/privateDnsZones/read
  - Microsoft.Network/virtualNetworks/read
  - Microsoft.Network/virtualNetworks/privateDnsZoneLinks/read
  - Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
  - Microsoft.Network/privateDnsZones/ALL/read
  - Microsoft.Network/privateDnsZones/recordsets/read
  - Microsoft.Network/privateEndpoints/read
  - Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read
  - Microsoft.Resources/subscriptions/read
- In the remote tenant, create a Role Assignment for the Service Principal and the Application Role.
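The custom roles above (the Managed Identity role in the local subscription and the remote-tenant role) are both pure read-only permission sets. The following added example, not part of this documentation or of Cloud Resolver itself, builds the local-subscription role as a definition file for `az role definition create --role-definition` and rejects any action that is not an explicit `.../read`, so a wildcard or write permission cannot slip into the role by mistake. The role name, description and the all-zero subscription id are placeholders; the same function can be fed the remote-tenant permission list.

```python
import json
import re

# Actions copied from the "Microsoft Azure deployments" list on this page.
CLOUD_RESOLVER_ACTIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/privateDnsZoneLinks/read",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/privateDnsZones/read",
    "Microsoft.Network/privateDnsZones/virtualNetworkLinks/read",
    "Microsoft.Network/privateDnsZones/ALL/read",
    "Microsoft.Network/privateDnsZones/recordsets/read",
    "Microsoft.Network/privateEndpoints/read",
]

# Add only when client secrets are stored in Azure Vault (see the note above).
KEY_VAULT_ACTION = "Microsoft.KeyVault/vaults/keys/read"

# Provider.Namespace/<resource type>[/<sub type>...]/read, no wildcards.
_READ_ACTION_RE = re.compile(r"^[A-Za-z]+\.[A-Za-z]+(/[A-Za-z]+)+/read$")


def check_read_only(actions):
    """Return the actions that are not explicit read permissions.

    An empty list means every action is a concrete ``.../read`` entry;
    wildcards such as ``*`` or ``Microsoft.Network/*`` and any write,
    delete or action verb are reported.
    """
    return [a for a in actions if not _READ_ACTION_RE.match(a)]


def build_role_definition(subscription_id, actions, name="Cloud Resolver Reader"):
    """Build a custom role definition dict for `az role definition create`.

    Raises ValueError instead of emitting a role that is broader than read-only.
    """
    offending = check_read_only(actions)
    if offending:
        raise ValueError(f"non read-only actions rejected: {offending}")
    return {
        "Name": name,  # placeholder name, choose your own
        "IsCustom": True,
        "Description": "Read-only discovery of private DNS zones, VNets and private endpoints.",
        "Actions": sorted(set(actions)),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


if __name__ == "__main__":
    # All-zero subscription id is a placeholder; replace with your own.
    role = build_role_definition("00000000-0000-0000-0000-000000000000",
                                 CLOUD_RESOLVER_ACTIONS + [KEY_VAULT_ACTION])
    print(json.dumps(role, indent=2))  # save to a file and pass to --role-definition
```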