Cloud API access requirements
Note: For more information on Azure API endpoints, refer to https://docs.microsoft.com/en-us/rest/api/virtualnetwork/available-endpoint-services/list.
The platform that has Cloud Resolver installed must be able to access the following
cloud API endpoints:
https://management.azure.com
https://login.microsoftonline.com
If you are using Azure Vault to store Cloud Resolver secrets, you must be able to
access the following endpoint:
https://<vault-name>.vault.azure.net
If you are using Azure Blob to store Cloud Resolver snapshots, you must be able to
access the following endpoint:
https://<blob-container-name>.blob.core.windows.net
Government Cloud API access requirements
If you are performing discovery and resolution in Azure Government Cloud, the platform that has Cloud Resolver installed must be able to access the following
Government Cloud API endpoints:
https://management.usgovcloudapi.net
https://login.microsoftonline.us
If you are using Azure Vault to store Cloud Resolver secrets, you must be able to
access the following endpoint:
https://<vault-name>.vault.usgovcloudapi.net
If you are using Azure Blob to store Cloud Resolver snapshots, you must be able to
access the following endpoint:
https://<blob-container-name>.blob.core.usgovcloudapi.net
China Cloud API access requirements
If you are performing discovery and resolution in Azure China Cloud, the platform that has Cloud Resolver installed must be able to access the following
China Cloud API endpoints:
https://management.chinacloudapi.cn
https://login.partner.microsoftonline.cn
If you are using Azure Vault to store Cloud Resolver secrets, you must be able to
access the following endpoint:
https://<vault-name>.vault.chinacloudapi.net
If you are using Azure Blob to store Cloud Resolver snapshots, you must be able to
access the following endpoint:
https://<blob-container-name>.blob.core.chinacloudapi.net
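The three endpoint lists above differ only in the cloud-specific hostnames, which makes them easy to mistype in firewall or proxy allow-lists. The following script is an added example, not BlueCat's own tooling: it prints the hostnames a Cloud Resolver host must reach for the public, Government or China cloud (including the vault and blob hostnames when a vault name or storage name is given) and, with the `probe` verb, issues an HTTPS request to each so that egress can be confirmed from the host before deployment. The vault and storage names passed on the command line are placeholders.

```shell
#!/bin/sh
# Added example (not part of the Cloud Resolver product): list and probe the Azure
# API endpoints a Cloud Resolver host needs. Assumes curl is installed; the vault
# and storage names given on the command line are hypothetical.

# Print the hostnames required for one cloud.
#   $1 = public | government | china
#   $2 = Key Vault name (optional), $3 = blob storage name (optional)
endpoints_for() {
    cloud="$1"; vault="${2:-}"; blob="${3:-}"
    case "$cloud" in
        public)
            mgmt=management.azure.com;         login=login.microsoftonline.com
            vsuf=vault.azure.net;              bsuf=blob.core.windows.net ;;
        government)
            mgmt=management.usgovcloudapi.net; login=login.microsoftonline.us
            vsuf=vault.usgovcloudapi.net;      bsuf=blob.core.usgovcloudapi.net ;;
        china)
            mgmt=management.chinacloudapi.cn;  login=login.partner.microsoftonline.cn
            vsuf=vault.chinacloudapi.net;      bsuf=blob.core.chinacloudapi.net ;;
        *)
            echo "unknown cloud: $cloud (use public, government or china)" >&2
            return 1 ;;
    esac
    echo "$mgmt"
    echo "$login"
    [ -n "$vault" ] && echo "$vault.$vsuf"
    [ -n "$blob" ]  && echo "$blob.$bsuf"
    return 0
}

# Send one HTTPS request per hostname. Any HTTP response, even 4xx, proves that
# TLS egress to the host works; only a DNS, connect or TLS failure prints FAIL.
probe_endpoints() {
    endpoints_for "$@" | while read -r host; do
        if curl -sS --max-time 10 -o /dev/null "https://$host/"; then
            echo "OK   $host"
        else
            echo "FAIL $host"
        fi
    done
}

case "${1:-}" in
    list)  shift; endpoints_for "$@" ;;
    probe) shift; probe_endpoints "$@" ;;
    *)     : ;;   # no verb: only define the functions (e.g. when the file is sourced)
esac
```

Run `sh azure-endpoints.sh probe government my-vault mystorage` on the Cloud Resolver host; a FAIL line points at a hostname that the network path (proxy, NSG, or on-premises firewall) still blocks.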
Configuring Managed Identity permissions
The following section can be used to configure Azure access when Cloud Resolver is
deployed in the following environment:
- Cloud Resolver is deployed in Azure
Note: BlueCat recommends configuring Managed Identity permissions if you are
running Cloud Resolver in Azure.
To configure Managed Identity permissions:
- Create a custom AAD role in Azure.
- Assign the following permissions to the AAD role:
Microsoft.Compute/virtualMachines/read
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/privateDnsZoneLinks/read
Microsoft.Network/networkInterfaces/read
Microsoft.Network/privateDnsZones/read
Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
Microsoft.Network/privateDnsZones/ALL/read
Microsoft.Network/privateDnsZones/recordsets/read
Microsoft.Network/privateEndpoints/read
Microsoft.Resources/subscriptions/providers/read
Microsoft.Resources/subscriptions/read
Note: If you are storing client secrets in Azure Vault, you must also add the following access right:
Microsoft.KeyVault/vaults/keys/read
If you are storing snapshots in Azure Blob, you must also add the following access rights:
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
For more information on configuring Managed Identities, refer to https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.
- Add the role assignment to the Managed Identity.
- Assign the Managed Identity to the platform where Cloud Resolver is installed.
Configuring Service Principal permissions
The following section can be used to configure Azure access when Cloud Resolver is
deployed in the following environments:
- Cloud Resolver is deployed on-premises
- Cloud Resolver is deployed in Azure
- Cloud Resolver is deployed in another cloud environment.
To configure Service Principal permissions:
- Create a Service Principal (SP) associated with each remote tenant within the tenant's Azure Active Directory (AAD) infrastructure. For more information, refer to https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal.
- For each SP, assign the following access rights within the tenant AAD:
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/privateDnsZoneLinks/read
Microsoft.Network/privateDnsZones/read
Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
Microsoft.Network/privateDnsZones/ALL/read
Microsoft.Network/privateDnsZones/recordsets/read
Microsoft.Network/privateEndpoints/read
Microsoft.Resources/subscriptions/providers/read
Microsoft.Resources/subscriptions/read
Note: If you are storing client secrets in Azure Vault, you must also add the following access right:
Microsoft.KeyVault/vaults/keys/read
If you are storing snapshots in Azure Blob, you must also add the following access rights:
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
- For each SP, generate a valid Client Secret for use by Cloud Resolver.
Note: Storage for the Client Secrets can be cloud-based or within another vault application. Currently, Cloud Resolver only supports HashiCorp Vault as a non-cloud-based vault.
You can also store the Client Secrets using the CRS_REMOTE_TENANTS configuration parameter within the cloud-resolver.conf file; however, the Client Secrets will not be encrypted.
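Both procedures above (Managed Identity and Service Principal) start with the same custom role, differing only in the permission list and in which identity the role is bound to. The following script is an added example, not BlueCat's own tooling: `role_actions` reproduces the two permission lists from this page (the Managed Identity list carries the extra `Microsoft.Compute/virtualMachines/read` and `Microsoft.Network/networkInterfaces/read` entries, the Service Principal list does not), with the Key Vault and Blob rights added on request; `role_definition_json` wraps them in a role definition for `az role definition create`; the remaining functions show the Azure CLI calls that create the role and bind it to a Managed Identity or to a new Service Principal. The role name "Cloud Resolver Reader", the choice of subscription-wide scope, and the subscription, resource group, identity and Service Principal names are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the Cloud Resolver product): build the custom role
# from this page's permission lists and bind it to a Managed Identity or Service
# Principal. Assumes the az CLI is installed and logged in. The role name, the
# subscription-wide scope and every id/name below are placeholders.

# Print the Actions for the role, one per line.
#   $1 = mi | sp   (mi adds the VM and NIC read entries, as on this page)
#   $2 = "vault" to add the Key Vault right, $3 = "blob" to add the snapshot rights
role_actions() {
    kind="$1"; vault="${2:-}"; blob="${3:-}"
    if [ "$kind" = mi ]; then
        echo Microsoft.Compute/virtualMachines/read
        echo Microsoft.Network/networkInterfaces/read
    fi
    echo Microsoft.Network/virtualNetworks/read
    echo Microsoft.Network/virtualNetworks/privateDnsZoneLinks/read
    echo Microsoft.Network/privateDnsZones/read
    echo Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
    echo Microsoft.Network/privateDnsZones/ALL/read
    echo Microsoft.Network/privateDnsZones/recordsets/read
    echo Microsoft.Network/privateEndpoints/read
    echo Microsoft.Resources/subscriptions/providers/read
    echo Microsoft.Resources/subscriptions/read
    [ "$vault" = vault ] && echo Microsoft.KeyVault/vaults/keys/read
    if [ "$blob" = blob ]; then
        echo Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
        echo Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
        echo Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
    fi
    return 0
}

# Emit the role definition JSON. $1 = subscription id; remaining args as role_actions.
# NotActions stays empty so the role grants exactly the listed (mostly read-only) rights.
role_definition_json() {
    sub="$1"; shift
    printf '{\n  "Name": "Cloud Resolver Reader",\n  "IsCustom": true,\n'
    printf '  "Description": "Discovery rights for BlueCat Cloud Resolver",\n  "Actions": [\n'
    role_actions "$@" | sed -e 's/.*/    "&"/' -e '$!s/$/,/'
    printf '  ],\n  "NotActions": [],\n  "AssignableScopes": ["/subscriptions/%s"]\n}\n' "$sub"
}

# Create the role in the subscription. $1 = subscription id; rest as role_actions.
create_role() {
    f=$(mktemp)
    role_definition_json "$@" > "$f"
    az role definition create --role-definition "$f"
    rm -f "$f"
}

# Bind the role to a user-assigned Managed Identity ($1 = subscription id,
# $2 = resource group, $3 = identity name). Managed identities are service
# principals in AAD, hence the principal type below.
assign_to_managed_identity() {
    pid=$(az identity show -g "$2" -n "$3" --query principalId -o tsv)
    az role assignment create --assignee-object-id "$pid" \
        --assignee-principal-type ServicePrincipal \
        --role "Cloud Resolver Reader" --scope "/subscriptions/$1"
}

# Create a Service Principal already bound to the role ($1 = subscription id).
# The command prints the client secret exactly once; store it in the vault
# Cloud Resolver is configured to use rather than in a shell history or file.
create_service_principal() {
    az ad sp create-for-rbac --name "cloud-resolver-sp" \
        --role "Cloud Resolver Reader" --scopes "/subscriptions/$1"
}

case "${1:-}" in
    print) shift; role_definition_json "$@" ;;   # e.g. print <sub-id> mi vault blob
    *)     : ;;                                  # no verb: only define the functions
esac
```

Run `sh cloud-resolver-role.sh print <subscription-id> mi vault blob` to review the JSON before `create_role` submits it; for the Service Principal path call `create_role <subscription-id> sp ...` first, then `create_service_principal <subscription-id>` once per remote tenant, logged in to that tenant.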