Creating Azure discovery configurations - BlueCat Edge - Service Point v4.x.x

BlueCat Edge Deployment Guide
ft:locale
en-US
Product name
BlueCat Edge
Version
Service Point v4.x.x
Before proceeding to configure the discovery configuration, you must create secrets in the secrets manager. This ensures that there are credentials that can be used by the discovery configuration to authenticate with the selected environment to discover DNS data. Discovery configurations used to retrieve data from Azure environments must have secrets configured for the following credentials:
  • Azure Client ID
  • Azure Client Secret

For more information, refer to Secrets manager.

Attention: If you are using HashiCorp Vault to store your secrets, you must add the Vault credentials to the secrets manager.
Attention: Azure discovery configurations can only be associated to discovery instances running software version 1.1.0 and deployed on DNS resolver service running software version 4.0.0.

Prerequisites

Cloud API access requirements
Note: For more information on Azure API endpoints, refer to https://docs.microsoft.com/en-us/rest/api/virtualnetwork/available-endpoint-services/list.
The service point that is configured to use the discovery configuration must be able to access the following cloud API endpoints:
  • https://management.azure.com
  • https://login.microsoftonline.com

Government Cloud API access requirements

If you are performing discovery and resolution in Azure Government Cloud, the service point that uses the discovery configuration must be able to access the following Government Cloud API endpoints:
  • https://management.usgovcloudapi.net
  • https://login.microsoftonline.us
China Cloud API access requirements If you are performing discovery and resolution in Azure China Cloud, the service point that uses the discovery configuration must be able to access the following Government Cloud API endpoints:
  • https://management.chinacloudapi.cn
  • https://login.partner.microsoftonline.cn

Configuring Service Principal permissions

  1. Create a Service Principal associated with each remote tenant within the tenant's Azure Active Directory (AAD) infrastructure. For more information, refer to https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal.
  2. For each SP, assign the following access rights within the tenant AAD:
    • Microsoft.Network/virtualNetworks/read
    • Microsoft.Network/virtualNetworks/privateDnsZoneLinks/read
    • Microsoft.Network/privateDnsZones/read
    • Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
    • Microsoft.Network/privateDnsZones/ALL/read
    • Microsoft.Network/privateDnsZones/recordsets/read
    • Microsoft.Network/privateEndpoints/read
    • Microsoft.Resources/subscriptions/providers/read
    • Microsoft.Resources/subscriptions/read
  3. For each SP, generate a valid Client Secret for use by the discovery configuration.

Creating the Azure discovery configuration

To configure the Azure discovery configuration

  1. In the top navigation bar, click and select Discovery service > Configurations.
  2. To add a new discovery configuration, click New > Azure.
  3. Enter the name of the discovery configuration.
  4. Under Polling interval, enter the interval at which the source of the DNS data is polled. The minimum value is 60 seconds.
  5. Under Discovery timeout, enter the maximum length of time that the Discovery Instance attempts to discover DNS data for the configuration before it times out, in seconds. The default value is 1800 seconds (30 minutes).
  6. Under On discovery failure, select one of the following options to determine how the global discovery configuration handles failures to retrieve data:
    • Keep last data (safe)—the discovery configuration uses the last successfully retrieved set of DNS data.
    • Overwrite last data—the discovery configuration overwrites the DNS data from the last successful retrieval.
  7. Under Cloud type, select the type of Azure cloud environment that you would like to discover resources in. The cloud type can be one of the following:
    • Public—for Azure public, commercial cloud. This is the default value.
    • US Government—for Azure US Government Cloud.
    • China—for Azure China Cloud.
  8. Select Generate reverse zones to automatically generate reverse zones for cloud discovered network space.
  9. Under HCV authentication, enter the following information to use HashiCorp Vault (HCV) authentication.
    • Use HashiCorp Vault for retrieving credentials—select this checkbox to use secret credentials stored in HashiCorp Vault.
    • Host—the base URL of HashiCorp Vault server where the secrets are stored.
    • Port—the port used to retrieve credentials stored in the HashiCorp Vault server.
    • Namespace (required if using HashiCorp Vault namespaces)— If you are using a namespace, the value is the namespace where the user's secrets are stored in the vault. For more information, refer to https://developer.hashicorp.com/vault/docs/enterprise/namespaces.
    • Role ID—select the ID of the role that you would like to use to authenticate against HashiCorp Vault. For more information, refer to https://developer.hashicorp.com/vault/api-docs/auth/approle#read-approle-role-id.
    • Secret ID—select the secret ID generated from the role ID that is used to authenticate against HashiCorp Vault. For more information, refer to https://developer.hashicorp.com/vault/api-docs/auth/approle#generate-new-secret-id.
    • Secret Path—the path where you have stored the secrets within the HashiCorp Vault server. You can enter the path to locations where BlueCat Edge credentials and discovery secrets are stored.

      The discovery configuration uses the HashiCorp Vault API to look up secrets. You must prefix paths with /v1/. For example, if secrets are stored within the secret/data/edgeresolver path, the Secret Path value would be /v1/secret/data/edgeresolver.

  10. Under Accounts, specify one or more Azure configurations to discover DNS data from:
    • Tenant ID: enter Azure tenant ID.
    • Client ID: select the Azure Client ID stored in secrets manager that will be used to discover the DNS data.
      Note: If you are using credentials from HashiCorp Vault, enter the key name for the Client ID stored in HashiCorp Vault.
    • Client Secret: select the Azure Client secret stored in secrets manager that will be used to discover the DNS data.
      Note: If you are using credentials from HashiCorp Vault, enter the key name for the Client secret stored in HashiCorp Vault.
    • On discovery failure: select one of the following options to determine how the discovery configuration handles failures to retrieve data from this Azure configuration:
      • Keep last data (safe): the discovery configuration uses the last successfully retrieved set of DNS data.
      • Overwrite last data: the discovery configuration overwrites the DNS data from the last successful retrieval.
      Note: The discovery failure options configured per Azure configuration override the discovery option failures configured at the global level. This field is optional.
    • Under Cloud type, select the type of Azure cloud environment that you would like to discover resources in. The cloud type can be one of the following:
      • Public—for Azure public, commercial cloud. This is the default value.
      • US Government—for Azure US Government Cloud.
      • China—for Azure China Cloud.
      • Use configuration default—uses the default Azure cloud type defined under the Setup section.
    • Click to add the Azure configurations.
  11. Click Save.