Azure requirements - BlueCat Cloud Resolver - 1.3.0

BlueCat Cloud Resolver Administration Guide


Cloud API access requirements

The platform that has Cloud Resolver installed must be able to reach the following cloud API endpoints over HTTPS (TCP 443):
  • https://management.azure.com
  • https://login.microsoftonline.com
If you are using Azure Key Vault to store Cloud Resolver secrets, you must also be able to reach the following endpoint:
  • https://<vault-name>.vault.azure.net
If you are using Azure Blob storage to store Cloud Resolver snapshots, you must also be able to reach the following endpoint (the hostname carries the storage account name; the container is part of the URL path):
  • https://<storage-account-name>.blob.core.windows.net
These hostnames are what an egress firewall or proxy allowlist for the platform must permit. If a proxy intercepts TLS, the platform must trust the proxy's CA certificate or connections to these endpoints fail.
Note: For more information on Azure API endpoints, refer to https://docs.microsoft.com/en-us/rest/api/virtualnetwork/available-endpoint-services/list.
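The following egress preflight is an added example, not BlueCat's code: it builds the endpoint list above for a given Key Vault and storage account, rejects names that cannot exist in Azure (so a typo is caught before it shows up as a connection failure), and optionally probes each endpoint the way Cloud Resolver's host would. The vault and storage account names are passed as arguments (the script does not read Cloud Resolver's own settings), and CR_PROBE=1 is this script's own switch. The naming rules it enforces are Azure's published limits for vault and storage account names, not Cloud Resolver requirements.

```shell
#!/bin/sh
# Added example (not BlueCat's code): egress preflight for the Azure endpoints
# Cloud Resolver needs. Arguments and CR_PROBE are this script's assumptions.

# Azure Key Vault names: 3-24 characters, start with a letter, letters/digits/
# hyphens only, no consecutive hyphens, end with a letter or digit.
cr_valid_vault_name() {
  [ "${#1}" -ge 3 ] && [ "${#1}" -le 24 ] &&
    printf '%s' "$1" | grep -Eq '^[A-Za-z]([A-Za-z0-9]|-[A-Za-z0-9])*$'
}

# Azure storage account names: 3-24 lowercase letters and digits.
cr_valid_storage_account() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]{3,24}$'
}

# $1 Key Vault name (or empty), $2 storage account name (or empty).
# Prints one required URL per line; returns 2 on a name that cannot exist.
cr_required_endpoints() {
  printf 'https://management.azure.com\n'
  printf 'https://login.microsoftonline.com\n'
  if [ -n "${1:-}" ]; then
    cr_valid_vault_name "$1" || { echo "invalid Key Vault name: $1" >&2; return 2; }
    printf 'https://%s.vault.azure.net\n' "$1"
  fi
  if [ -n "${2:-}" ]; then
    cr_valid_storage_account "$2" || { echo "invalid storage account name: $2" >&2; return 2; }
    printf 'https://%s.blob.core.windows.net\n' "$2"
  fi
}

# stdin: URLs, one per line. Resolves each host and completes a TLS handshake;
# any HTTP status counts as reachable (an unauthenticated GET normally gets a
# 401 or a redirect). curl honors https_proxy, so this exercises the same
# egress path the host uses. "SSL certificate problem" in the error text means
# an intercepting proxy whose CA the host does not trust.
cr_check_endpoints() {
  rc=0
  while IFS= read -r url; do
    host="${url#https://}"
    if err=$(curl --silent --show-error --output /dev/null --max-time 10 "$url" 2>&1); then
      echo "OK   $host"
    else
      echo "FAIL $host: $err"
      rc=1
    fi
  done
  return $rc
}

# Usage: CR_PROBE=1 sh egress-check.sh [vault-name] [storage-account-name]
if [ "${CR_PROBE:-0}" = 1 ]; then
  eps=$(cr_required_endpoints "${1:-}" "${2:-}") || exit $?
  printf '%s\n' "$eps" | cr_check_endpoints
fi
```

Without CR_PROBE the script only defines the functions, so it can be sourced by other tooling; with it, a non-zero exit means at least one endpoint is unreachable and the firewall or proxy allowlist needs attention before Cloud Resolver is started.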

Configuring Managed Identity permissions

Use this section to configure Azure access when Cloud Resolver is deployed in the following environment:
  • Cloud Resolver is deployed in Azure
Note: BlueCat recommends configuring Managed Identity permissions if you are running Cloud Resolver in Azure. A Managed Identity has no client secret for you to store, protect or rotate; Azure issues its tokens to the VM directly.
To configure Managed Identity permissions:
  1. Create a custom role in Azure. The operations below are Azure resource-provider operations granted through Azure role-based access control (RBAC), so this is an Azure RBAC custom role definition, not an Azure AD directory role.
  2. Add the following actions to the custom role:
    • Microsoft.Compute/virtualMachines/read
    • Microsoft.Network/virtualNetworks/read
    • Microsoft.Network/virtualNetworks/privateDnsZoneLinks/read
    • Microsoft.Network/networkInterfaces/read
    • Microsoft.Network/privateDnsZones/read
    • Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
    • Microsoft.Network/privateDnsZones/ALL/read
    • Microsoft.Network/privateDnsZones/recordsets/read
    • Microsoft.Network/privateEndpoints/read
    • Microsoft.Resources/subscriptions/providers/read
    • Microsoft.Resources/subscriptions/read
    Note: If you are storing client secrets in Azure Key Vault, you must also add the following access right:
    • Microsoft.KeyVault/vaults/keys/read
    If you are storing snapshots in Azure Blob storage, you must also add the following access rights (these are data-plane operations, so in a custom role definition they belong under DataActions rather than Actions):
    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action

    For more information on configuring Managed Identities, refer to https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.

  3. Assign the custom role to the Managed Identity, scoped to the subscription (or the resource groups) that Cloud Resolver must read.
  4. Assign the Managed Identity to the platform where Cloud Resolver is installed.

Configuring Service Principal permissions

Use this section to configure Azure access when Cloud Resolver is deployed in any of the following environments:
  • Cloud Resolver is deployed on-premises
  • Cloud Resolver is deployed in Azure
  • Cloud Resolver is deployed in another cloud environment
To configure Service Principal permissions:
  1. For each remote tenant, create a Service Principal (SP) in that tenant's Azure Active Directory (AAD). For more information, refer to https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal.
  2. For each SP, assign the following access rights in that tenant's Azure subscription, as a role assignment on the subscription (or the resource groups) that Cloud Resolver must read:
    • Microsoft.Network/virtualNetworks/read
    • Microsoft.Network/virtualNetworks/privateDnsZoneLinks/read
    • Microsoft.Network/privateDnsZones/read
    • Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
    • Microsoft.Network/privateDnsZones/ALL/read
    • Microsoft.Network/privateDnsZones/recordsets/read
    • Microsoft.Network/privateEndpoints/read
    • Microsoft.Resources/subscriptions/providers/read
    • Microsoft.Resources/subscriptions/read
    Note: If you are storing client secrets in Azure Key Vault, you must also add the following access right:
    • Microsoft.KeyVault/vaults/keys/read
    If you are storing snapshots in Azure Blob storage, you must also add the following access rights (these are data-plane operations, so in a custom role definition they belong under DataActions rather than Actions):
    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
  3. For each SP, generate a valid Client Secret for use by Cloud Resolver. Record the secret's expiry date and plan its rotation; once it expires, Cloud Resolver can no longer obtain tokens for that tenant.
    Note: Storage for the Client Secrets can be cloud-based or within another vault application. Currently, Cloud Resolver only supports HashiCorp Vault as a non-cloud-based vault.

    You can also store the Client Secrets using the CRS_REMOTE_TENANTS configuration parameter within the cloud-resolver.conf file; however, the Client Secrets are then held in plaintext in that file. If you choose this option, restrict read access to the file to the account Cloud Resolver runs as and keep it out of shared backups and version control.
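The script below is an added example, not BlueCat's code, that carries both procedures on this page (Configuring Managed Identity permissions and Configuring Service Principal permissions) through with the Azure CLI: it assembles the custom role from the action lists above, then either binds it to a VM's system-assigned Managed Identity or creates a Service Principal with the role and a one-year client secret. The role names CloudResolverReader-MI and CloudResolverReader-SP, the SP display name cloud-resolver-reader, the CR_* environment variables and the placeholder subscription, resource group and VM names are all this script's assumptions. Two points the page leaves implicit are applied here: the Blob operations are data-plane operations and must sit under DataActions (Azure rejects a role definition that lists them under Actions), and Microsoft.KeyVault/vaults/keys/read is a management-plane operation, so whether the identity can read secret values is decided by the vault's own permission model (access policy or Key Vault RBAC data actions), which this script does not configure.

```shell
#!/bin/sh
# Added example (not BlueCat's code): build the custom Azure RBAC role from the
# action lists on this page and bind it to a Managed Identity or a Service
# Principal. Dry run by default: CR_APPLY=1 runs az (after "az login" in the
# right tenant). CR_USE_VAULT=1 / CR_USE_BLOB=1 add the optional rights.

CR_COMMON_ACTIONS='Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/privateDnsZoneLinks/read
Microsoft.Network/privateDnsZones/read
Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
Microsoft.Network/privateDnsZones/ALL/read
Microsoft.Network/privateDnsZones/recordsets/read
Microsoft.Network/privateEndpoints/read
Microsoft.Resources/subscriptions/providers/read
Microsoft.Resources/subscriptions/read'
# The page lists these two for the Managed Identity role only.
CR_MI_ACTIONS='Microsoft.Compute/virtualMachines/read
Microsoft.Network/networkInterfaces/read'
CR_VAULT_ACTIONS='Microsoft.KeyVault/vaults/keys/read'
# Blob operations are data-plane: they go under DataActions, not Actions.
CR_BLOB_ACTIONS='Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'

# stdin: one operation per line (blank lines ignored) -> indented, quoted,
# comma-separated JSON string literals.
cr_json_strings() {
  grep -v '^$' | sed 's/.*/    "&"/' | sed '$!s/$/,/'
}

# $1 role name, $2 assignable scope, $3 extra Actions, $4 DataActions
# ($3 and $4 newline-separated, may be empty). Prints the role definition.
cr_role_definition() {
  printf '{\n  "Name": "%s",\n  "IsCustom": true,\n' "$1"
  printf '  "Description": "Read-only discovery role for BlueCat Cloud Resolver",\n'
  printf '  "Actions": [\n'
  printf '%s\n%s\n' "$CR_COMMON_ACTIONS" "$3" | cr_json_strings
  printf '  ],\n  "NotActions": [],\n  "DataActions": [\n'
  printf '%s\n' "$4" | cr_json_strings
  printf '  ],\n  "NotDataActions": [],\n  "AssignableScopes": ["%s"]\n}\n' "$2"
}

cr_optional_actions()      { [ "${CR_USE_VAULT:-0}" = 1 ] && printf '%s\n' "$CR_VAULT_ACTIONS"; return 0; }
cr_optional_data_actions() { [ "${CR_USE_BLOB:-0}" = 1 ]  && printf '%s\n' "$CR_BLOB_ACTIONS";  return 0; }

# stdin: role JSON. Dry run prints it; otherwise the role is created.
cr_apply_role_definition() {
  if [ "${CR_APPLY:-0}" != 1 ]; then cat; return 0; fi
  tmp=$(mktemp) || return 1
  cat > "$tmp"
  az role definition create --role-definition "@$tmp" >/dev/null; rc=$?
  rm -f "$tmp"; return $rc
}

# Managed Identity path: $1 subscription id, $2 VM resource group, $3 VM name.
cr_bind_managed_identity() {
  scope="/subscriptions/$1"
  cr_role_definition CloudResolverReader-MI "$scope" \
    "$(printf '%s\n%s\n' "$CR_MI_ACTIONS" "$(cr_optional_actions)")" \
    "$(cr_optional_data_actions)" | cr_apply_role_definition
  [ "${CR_APPLY:-0}" = 1 ] || return 0
  az vm identity assign --subscription "$1" -g "$2" -n "$3" >/dev/null
  principal=$(az vm show --subscription "$1" -g "$2" -n "$3" --query identity.principalId -o tsv)
  # A new role definition can take a minute to become assignable; rerun on "not found".
  az role assignment create --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal --role CloudResolverReader-MI --scope "$scope" >/dev/null
}

# Service Principal path: $1 subscription id in the remote tenant
# (run "az login --tenant <tenant>" first).
cr_create_service_principal() {
  scope="/subscriptions/$1"
  cr_role_definition CloudResolverReader-SP "$scope" \
    "$(cr_optional_actions)" "$(cr_optional_data_actions)" | cr_apply_role_definition
  [ "${CR_APPLY:-0}" = 1 ] || return 0
  # Creates the app registration, the SP, a one-year client secret and the role
  # assignment in one call. The "password" field is shown once: put it in Key
  # Vault or HashiCorp Vault, never in a repository or plaintext config.
  az ad sp create-for-rbac --name cloud-resolver-reader --role CloudResolverReader-SP \
    --scopes "$scope" --years 1
}

# Dry run with placeholder names: prints the Managed Identity role definition.
cr_bind_managed_identity 00000000-0000-0000-0000-000000000000 rg-cloud-resolver vm-cloud-resolver
```

Run it once without CR_APPLY and review the printed JSON against the lists on this page before setting CR_APPLY=1; the assignable scope is the whole subscription here, so narrow it to specific resource groups if Cloud Resolver only needs to read part of the subscription.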