Before proceeding to configure the discovery configuration, you must ensure that there
are credentials that can be used by the discovery configuration to authenticate with the
selected environment to discover DNS data. This can be done by either entering them in
the Edge secrets manager or, if deployed to a cloud environment, by selecting the
Use VM assigned role for authentication. Discovery
configurations used to retrieve data from Azure environments must have secrets
configured for the following credentials:
- Azure Client ID
- Azure Client Secret
For more information, refer to Secrets manager.
Attention:
- If you are using Azure managed identities for discovery by selecting the Use VM assigned role for authentication option, the Azure Client ID and Azure Client Secret do not need to be configured unless you would like to add additional Azure account configurations other than the one assigned to the VM. When enabled, the Azure configurations assigned to the VM using the discovery instance and discovery configuration are used.
- If you are using HashiCorp Vault to store your secrets, you must add the Vault credentials to the secrets manager.
- Azure discovery configurations can only be associated to discovery instances running software version 1.1.0 and deployed on DNS resolver service running software version 4.0.0.
Prerequisites
Cloud API access requirements
Note: For more information
on Azure API endpoints, refer to https://docs.microsoft.com/en-us/rest/api/virtualnetwork/available-endpoint-services/list.
The service point that is configured to use the discovery configuration must be able
to access the following cloud API endpoints:
https://management.azure.comhttps://login.microsoftonline.com
Government Cloud API access requirements
If you are performing discovery and resolution in Azure Government Cloud, the service
point that uses the discovery configuration must be able to access the following
Government Cloud API endpoints:
https://management.usgovcloudapi.nethttps://login.microsoftonline.us
China Cloud API access requirements If you are performing discovery and
resolution in Azure China Cloud, the service point that uses the discovery
configuration must be able to access the following Government Cloud API
endpoints:
https://management.chinacloudapi.cnhttps://login.partner.microsoftonline.cn
Configuring Service Principal permissions
- Create a Service Principal associated with each remote tenant within the tenant's Azure Active Directory (AAD) infrastructure. For more information, refer to https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal.
- For each SP, assign the following access rights within the tenant AAD:
Microsoft.Network/virtualNetworks/readMicrosoft.Network/virtualNetworks/privateDnsZoneLinks/readMicrosoft.Network/privateDnsZones/readMicrosoft.Network/privateDnsZones/virtualNetworkLinks/readMicrosoft.Network/privateDnsZones/ALL/readMicrosoft.Network/privateDnsZones/recordsets/readMicrosoft.Network/privateEndpoints/readMicrosoft.Resources/subscriptions/providers/readMicrosoft.Resources/subscriptions/read
- For each SP, generate a valid Client Secret for use by the discovery configuration.
Creating the Azure discovery configuration
To configure the Azure discovery configuration
- In the top navigation bar, click
and select . - To add a new discovery configuration, click .
- Enter the name of the discovery configuration.
- Under Polling interval, enter the interval at which the source of the DNS data is polled. The minimum value is 60 seconds.
- Under Discovery timeout, enter the maximum length of time that the Discovery Instance attempts to discover DNS data for the configuration before it times out, in seconds. The default value is 1800 seconds (30 minutes).
- Under On discovery failure, select one of the following
options to determine how the global discovery configuration handles failures to
retrieve data:
- Keep last data (safe)—the discovery configuration uses the last successfully retrieved set of DNS data.
- Overwrite last data—the discovery configuration overwrites the DNS data from the last successful retrieval.
- Under Cloud type, select the type of Azure cloud
environment that you would like to discover resources in. The cloud type can be
one of the following:
- Public—for Azure public, commercial cloud. This is the default value.
- US Government—for Azure US Government Cloud.
- China—for Azure China Cloud.
- Select Generate reverse zones to automatically generate reverse zones for cloud discovered network space.
- If the service point used for Edge Resolver service is deployed in Azure, select
Use VM assigned role for authentication to use the
Azure configurations and access rights assigned to the service point VM for
authentication for discovery.Attention: The Use VM assigned role for authentication option can only be configured with Discovery Instance v25.3.0. If you select this option and the discovery instance using this discovery configuration is running version 1.2.0 or earlier, the discovery instance fails to use the discovery configuration.Note: If you select Use VM assigned role for authentication, the discovery configuration uses the account information assigned to the VM role to discover DNS data and for Azure Key Vault credentials, if you select Azure Key Vault as the authentication method. You do not need to enter an Azure account configuration unless you would like to add additional Azure account configure or configure different Azure Key Vault key names.
- Under External vault, select one of the following options
for authentication:
- HashiCorp Vault—uses HashiCorp Vault (HCV) for
authentication. When selected, the following additional options
appear:
- Host—the base URL of HashiCorp Vault server where the secrets are stored.
- Port—the port used to retrieve credentials stored in the HashiCorp Vault server.
- Namespace (required if using HashiCorp Vault namespaces)— If you are using a namespace, the value is the namespace where the user's secrets are stored in the vault. For more information, refer to https://developer.hashicorp.com/vault/docs/enterprise/namespaces.
- Role ID—select the ID of the role that you would like to use to authenticate against HashiCorp Vault. For more information, refer to https://developer.hashicorp.com/vault/api-docs/auth/approle#read-approle-role-id.
- Secret ID—select the secret ID generated from the role ID that is used to authenticate against HashiCorp Vault. For more information, refer to https://developer.hashicorp.com/vault/api-docs/auth/approle#generate-new-secret-id.
- Version—enter the HashiCorp Vault secret version.
- Secret Path—the path where you have
stored the secrets within the HashiCorp Vault server. You can
enter the path to locations where BlueCat Edge credentials and
discovery secrets are stored.
The discovery configuration uses the HashiCorp Vault API to look up secrets. You must prefix paths with
/v1/. For example, if secrets are stored within the secret/data/edgeresolver path, the Secret Path value would be /v1/secret/data/edgeresolver.
- Edge secrets manager—uses credentials stored in Edge secrets manager for authentication.
- Azure Key Vault—uses credentials stored in Azure
Key Vault for authentication.Attention: This option only appears when you select Use VM assigned role for authentication.
- HashiCorp Vault—uses HashiCorp Vault (HCV) for
authentication. When selected, the following additional options
appear:
- Under Accounts, specify one or more Azure configurations
to discover DNS data from:Note: If you select Use VM assigned role for authentication, the discovery configuration uses the account information assigned to the VM role to discover DNS data and for Azure Key Vault credentials, if you select Azure Key Vault as the authentication method. You do not need to enter an Azure account configuration unless you would like to add additional Azure account configurations or configure Azure Key Vault.
- Tenant ID—enter Azure tenant ID.
- Client ID—select the Azure Client ID stored in
secrets manager that will be used to discover the DNS data.Note:
- If you are using credentials from HashiCorp Vault, enter the key name for the Client ID stored in HashiCorp Vault.
- If you are using credentials from Azure Key Vault, enter the
Secret Identifier URI of the of the Client ID stored in
Azure Key Vault. For example,
https://<vault_name>.vault.azure.net/secrets/<secret_name>
- Client Secret—select the Azure Client secret
stored in secrets manager that will be used to discover the DNS
data.Note:
- If you are using credentials from HashiCorp Vault, enter the key name for the Client Secret stored in HashiCorp Vault.
- If you are using credentials from Azure Key Vault, enter the
Secret Identifier URI of the Client Secret stored in Azure
Key Vault. For example,
https://<vault_name>.vault.azure.net/secrets/<secret_name>
- On discovery failure—select one of the following
options to determine how the discovery configuration handles failures to
retrieve data from this Azure configuration:
- Keep last data (safe)—the discovery configuration uses the last successfully retrieved set of DNS data.
- Overwrite last data—the discovery configuration overwrites the DNS data from the last successful retrieval.
- Use configuration default—the discovery configuration uses the default option defined under the Setup section.
Note: The discovery failure options configured per Azure configuration override the discovery option failures configured at the global level. This field is optional. - Under Cloud type, select the type of Azure cloud
environment that you would like to discover resources in. The cloud type
can be one of the following:
- Public—for Azure public, commercial cloud. This is the default value.
- US Government—for Azure US Government Cloud.
- China—for Azure China Cloud.
- Use configuration default—uses the default Azure cloud type defined under the Setup section.
- Click
to add the
Azure configurations.
- Click Save.