Connect to Azure Subscriptions

Appranix protects your cloud application environment in Azure and ensures cloud application resilience. This document explains how to connect Appranix to your Azure cloud infrastructure to enable cloud application resilience, and lists the permissions required to do so.

Pre-requisites

To onboard Azure subscriptions, Appranix needs to be registered as an enterprise application under the Azure tenant with specific roles and permissions enabled. The onboarding user requires the following permissions in the Azure tenant:

  • Owner
  • User Access Administrator

To add a new Azure Cloud Connection in Appranix, follow the steps below:

  1. Navigate to "Cloud Connections", click "Add Cloud Connection," and choose "Azure Cloud"
  2. Fill in the Name and Description for the connection
  3. Provide the required authentication details from the Azure account to register Appranix. Enter the “Tenant Id” and click “REGISTER” to register the AppranixARS application

      In the new window,
       -   Select the “Accept” option to approve the permissions requested for the AppranixARS application to be registered as an Enterprise Application in the given Azure tenant
       -   Once the request to register in the tenant is approved, the AppranixARS application is displayed as an Enterprise Application in the given Azure tenant
    
  4. In the Appranix Cloud Connection, provide the Azure authentication details, the Azure account’s “Subscription ID”, and the “Object ID” of the registered Appranix application
  5. Select the operational regions where your protection and recovery operations need to be done
  6. Add the Azure services by choosing “ADD SERVICES” and click “NEXT”

Apply IAM Permissions

  1. From the “Instant” tab, run the given command in the Azure portal Bash Cloud Shell to grant the required permissions in a single step
  2. Or, select the “Manual” tab and either click the “DOWNLOAD ARM TEMPLATE” option or run the curl command to download the template
  3. An ARM template that will assign the necessary roles to the Appranix application will be downloaded
  4. In your Azure console, run the given command with the downloaded template file path
  5. Select the confirmation message to grant the permissions and click “FINISH”

If you run into technical challenges in the above steps, the cause is likely one or more of the following:

  1. You don't have permission to register Appranix as an enterprise app
  2. You don't have permission to assign roles to the Appranix enterprise app
  3. The assigned role is removed or blocked before the discovery process
  4. A network outage or Azure response delay causes discovery to take longer because of exponential backoff

Cloud Connection Dashboard and Actions

After successfully completing the Cloud Connection discovery process, all selected operational region resources will be listed at the bottom of your Cloud Connection summary page.

Additionally, the following options can be accessed under the Cloud Connection Actions button:

Edit: This option allows users to refine their Cloud Connection settings with flexibility. Users can update the Cloud Connection name, add new operational regions, and modify the selection of cloud services to be discovered.

Manage Azure Permissions: This feature lets users update Cloud Connection permissions as required.

Recovery Profile: This option enables users to create a cloud connection-based recovery profile, which can be used in all the cloud assembly recoveries created under this cloud connection.

Disable: With the disable option, users gain control over their Cloud Connection discovery process. This functionality enables users to temporarily suspend Cloud Connection discovery and reactivate it when needed.

Download Report: Enhancing visibility and insights, this option generates a comprehensive summary report file detailing Cloud Connection resources, regions, and additional relevant details.

Delete: Users can utilize the delete option to permanently remove selected Cloud Connections.

Sync Now: This option triggers immediate Cloud Connection discovery when needed.

Azure IAM Permissions

Appranix Azure Role Names by Operation

Discovery:
  • Appranix ARS Discovery Resource Group Default Access
  • Appranix ARS Discovery Storage Default Access
  • Appranix ARS Discovery Compute Default Access
  • Appranix ARS Discovery Network Default Access
  • Appranix ARS Discovery Load balancer Default Access
  • Appranix ARS Discovery MySql Default Access
  • Appranix ARS Discovery Mssql Default Access
  • Appranix ARS Discovery Postgress Default Access
  • Appranix ARS Discovery PGSQL Flexible Server Default Access
  • Appranix ARS Discovery MYSQL Flexible Server Default Access
  • Appranix ARS Discovery SQL Managed Instance Default Access
  • Appranix ARS Discovery NO SQL Server Default Access
  • Appranix ARS Discovery Redis Cache Server Default Access
  • Appranix ARS Discovery WCF Relay Default Access
  • Appranix ARS Discovery Event Hub Default Access
  • Appranix ARS Discovery Service Bus Default Access
  • Appranix ARS Discovery Application Gateway Default Access
  • Appranix ARS Discovery Proximity Placement Group Default Access
  • Appranix ARS Discovery Private Endpoint Default Access

Protection:
  • Appranix ARS Protection Resource Group Default Access
  • Appranix ARS Protection Storage Default Access
  • Appranix ARS Replication Storage Default Access
  • Appranix ARS Retention Storage Default Access

Recovery:
  • Appranix ARS Recovery Resource Group Default Access
  • Appranix ARS Recovery Storage Default Access
  • Appranix ARS Recovery Compute Default Access
  • Appranix ARS Recovery Network Default Access
  • Appranix ARS Recovery Deployment Manager Default Access
  • Appranix ARS Recovery Load balancer Default Access
  • Appranix ARS Recovery MySql Default Access
  • Appranix ARS Recovery Postgress Default Access
  • Appranix ARS Recovery Mssql Default Access
  • Appranix ARS Recovery Application Gateway Default Access
  • Appranix ARS Recovery Proximity Placement Group Default Access
  • Appranix ARS Recovery Private Endpoint Default Access
  • Appranix ARS Recovery Shared gallery Default Access
  • Appranix ARS Recovery Shared gallery image definition Default Access
  • Appranix ARS Recovery Shared gallery image version Default Access

Reset:
  • Appranix ARS Reset Resource Group Default Access
  • Appranix ARS Reset Storage Default Access
  • Appranix ARS Reset Compute Default Access
  • Appranix ARS Reset Network Default Access
  • Appranix ARS Reset Load balancer Default Access
  • Appranix ARS Reset MySql Default Access
  • Appranix ARS Reset Postgress Default Access
  • Appranix ARS Reset Mssql Default Access
  • Appranix ARS Reset Application Gateway Default Access
  • Appranix ARS reset Proximity Placement Group Default Access
  • Appranix ARS Reset Private Endpoint Default Access
  • Appranix ARS Reset Shared gallery Default Access
  • Appranix ARS Reset Shared gallery image definition Default Access
  • Appranix ARS Reset Shared gallery image version Default Access

NOTE: When a particular role's permission is revoked manually in the Azure portal, the set of operations associated with that role will fail.

Appranix ARS Discovery Resource Group Default Access
  permissions:
  - Microsoft.Resources/subscriptions/resourceGroups/read
  - Microsoft.Resources/subscriptions/resourceGroups/write
  - Microsoft.Resources/subscriptions/resourceGroups/resources/read
Appranix ARS Discovery Storage Default Access
  permissions:
  - Microsoft.Storage/storageAccounts/read
  - Microsoft.Storage/storageAccounts/write
  - Microsoft.Storage/storageAccounts/blobServices/containers/read
  - Microsoft.Storage/storageAccounts/blobServices/containers/write
  - Microsoft.Compute/disks/beginGetAccess/action
  - Microsoft.Compute/disks/endGetAccess/action
  - Microsoft.Storage/storageAccounts/listKeys/action
  - Microsoft.Compute/disks/read
  dataPermissions:
  - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Appranix ARS Discovery Compute Default Access
 permissions:
 - Microsoft.Compute/virtualMachines/read
 - Microsoft.Compute/virtualMachineScaleSets/read
 - Microsoft.Compute/virtualMachineScaleSets/skus/read
 - Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read
 - Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/publicIPAddresses/read
 - Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/read
 - Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read
 - Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
 - Microsoft.Compute/sshPublicKeys/read
 - Microsoft.Compute/availabilitySets/read
 - Microsoft.Compute/proximityPlacementGroups/read
Appranix ARS Discovery Network Default Access
 permissions:
 - Microsoft.Network/networkInterfaces/read
 - Microsoft.Network/publicIPAddresses/read
 - Microsoft.Network/virtualNetworks/read
 - Microsoft.Network/networkSecurityGroups/read
 - Microsoft.Network/virtualNetworks/subnets/read
Appranix ARS Discovery Load balancer Default Access
 permissions:
 - Microsoft.Network/loadBalancers/backendAddressPools/backendPoolAddresses/read
 - Microsoft.Network/loadBalancers/backendAddressPools/join/action
 - Microsoft.Network/loadBalancers/backendAddressPools/read
 - Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/read
 - Microsoft.Network/loadBalancers/inboundNatPools/join/action
 - Microsoft.Network/loadBalancers/inboundNatPools/read
 - Microsoft.Network/loadBalancers/inboundNatRules/read
 - Microsoft.Network/loadBalancers/loadBalancingRules/read
 - Microsoft.Network/loadBalancers/networkInterfaces/read
 - Microsoft.Network/loadBalancers/outboundRules/read
 - Microsoft.Network/loadBalancers/probes/read
 - Microsoft.Network/loadBalancers/read
 - Microsoft.Network/loadBalancers/virtualMachines/read
Appranix ARS Protection Resource Group Default Access
 permissions:
 - Microsoft.Resources/subscriptions/resourceGroups/read
 - Microsoft.Resources/subscriptions/resourceGroups/write
 - Microsoft.Resources/subscriptions/resourceGroups/resources/read
Appranix ARS Protection Storage Default Access
 permissions:
 - Microsoft.Storage/storageAccounts/write
 - Microsoft.Storage/storageAccounts/blobServices/containers/write
 - Microsoft.Compute/snapshots/beginGetAccess/action
 - Microsoft.Compute/snapshots/read
 - Microsoft.Compute/snapshots/write
 dataPermissions:
 - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
 - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Appranix ARS Replication Storage Default Access
 permissions:
 - Microsoft.Compute/snapshots/beginGetAccess/action
 - Microsoft.Compute/snapshots/endGetAccess/action
 dataPermissions:
 - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
 - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Appranix ARS Retention Storage Default Access
 permissions:
 - Microsoft.Compute/snapshots/delete
 dataPermissions:
 - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Appranix ARS Recovery Resource Group Default Access
 permissions:
 - Microsoft.Resources/subscriptions/resourceGroups/read
 - Microsoft.Resources/subscriptions/resourceGroups/write
Appranix ARS Recovery Storage Default Access
 permissions:
 - Microsoft.Compute/disks/write
 - Microsoft.Storage/storageAccounts/write
 - Microsoft.Storage/storageAccounts/blobServices/containers/write
 dataPermissions:
 - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Appranix ARS Recovery Compute Default Access
 permissions:
 - Microsoft.Compute/virtualMachines/write
 - Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write
 - Microsoft.Compute/virtualMachineScaleSets/write
 - Microsoft.Compute/sshPublicKeys/write
 - Microsoft.Compute/images/write
 - Microsoft.Compute/images/read
 - Microsoft.Compute/availabilitySets/write
 - Microsoft.Compute/proximityPlacementGroups/write
Appranix ARS Recovery Network Default Access
 permissions:
 - Microsoft.Network/networkInterfaces/join/action
 - Microsoft.Network/networkInterfaces/write
 - Microsoft.Network/publicIPAddresses/join/action
 - Microsoft.Network/publicIPAddresses/write
 - Microsoft.Network/virtualNetworks/write
 - Microsoft.Network/networkSecurityGroups/join/action
 - Microsoft.Network/networkSecurityGroups/write
 - Microsoft.Network/virtualNetworks/subnets/join/action
 - Microsoft.Network/virtualNetworks/subnets/write
 - Microsoft.Network/networkSecurityGroups/securityRules/write
Appranix ARS Recovery Load balancer Default Access
 permissions:
 - Microsoft.Network/loadBalancers/backendAddressPools/join/action
 - Microsoft.Network/virtualNetworks/subnets/joinLoadBalancer/action
 - Microsoft.Network/virtualNetworks/joinLoadBalancer/action
 - Microsoft.Network/loadBalancers/backendAddressPools/write
 - Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action
 - Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/join/action
 - Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/write
 - Microsoft.Network/loadBalancers/inboundNatPools/join/action
 - Microsoft.Network/loadBalancers/inboundNatRules/join/action
 - Microsoft.Network/loadBalancers/inboundNatRules/write
 - Microsoft.Network/loadBalancers/probes/join/action
 - Microsoft.Network/loadBalancers/providers/Microsoft.Insights/diagnosticSettings/write
 - Microsoft.Network/loadBalancers/write
 - Microsoft.Network/locations/setLoadBalancerFrontendPublicIpAddresses/action
Appranix ARS Recovery Deployment Manager Default Access
 permissions:
 - Microsoft.Resources/deployments/read
 - Microsoft.Resources/deployments/write
 - Microsoft.Resources/deployments/operationStatuses/read
 - Microsoft.Resources/deployments/operations/read
Appranix ARS Reset Resource Group Default Access
 permissions:
 - Microsoft.Resources/subscriptions/resourceGroups/delete
Appranix ARS Reset Storage Default Access
 permissions:
 - Microsoft.Storage/storageAccounts/delete
 - Microsoft.Storage/storageAccounts/blobServices/containers/delete
 - Microsoft.Compute/disks/delete
 dataPermissions:
 - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Appranix ARS Reset Compute Default Access
 permissions:
 - Microsoft.Compute/virtualMachines/delete
 - Microsoft.Compute/virtualMachineScaleSets/virtualMachines/delete
 - Microsoft.Compute/virtualMachineScaleSets/delete
 - Microsoft.Compute/sshPublicKeys/delete
 - Microsoft.Compute/images/delete
 - Microsoft.Compute/availabilitySets/delete
 - Microsoft.Compute/proximityPlacementGroups/delete
Appranix ARS Reset Network Default Access
 permissions:
 - Microsoft.Network/networkInterfaces/delete
 - Microsoft.Network/networkSecurityGroups/delete
 - Microsoft.Network/publicIPAddresses/delete
 - Microsoft.Network/virtualNetworks/delete
 - Microsoft.Network/virtualNetworks/subnets/delete
 - Microsoft.Network/networkSecurityGroups/securityRules/delete
Appranix ARS Reset Load balancer Default Access
 permissions:
 - Microsoft.Network/loadBalancers/backendAddressPools/delete
 - Microsoft.Network/loadBalancers/delete
 - Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/delete
 - Microsoft.Network/loadBalancers/inboundNatRules/delete
Appranix ARS Discovery MySql Default Access
 permissions:
 - Microsoft.DBforMySQL/servers/privateEndpointConnectionProxies/read
 - Microsoft.DBforMySQL/servers/privateEndpointConnections/read
 - Microsoft.DBforMySQL/servers/read
 - Microsoft.DBforMySQL/locations/azureAsyncOperation/read
Appranix ARS Recovery MySql Default Access
 permissions:
 - Microsoft.DBforMySQL/servers/write
 - Microsoft.DBforMySQL/servers/privateEndpointConnectionsApproval/action
Appranix ARS Reset MySql Default Access
 permissions:
 - Microsoft.DBforMySQL/servers/delete
Appranix ARS Discovery Mssql Default Access
 permissions:
 - Microsoft.Sql/servers/read
 - Microsoft.Sql/servers/databases/read
Appranix ARS Recovery Mssql Default Access
  permissions:
  - Microsoft.Sql/servers/write
  - Microsoft.Sql/servers/databases/write
Appranix ARS Reset Mssql Default Access
  permissions:
  - Microsoft.Sql/servers/delete
Appranix ARS Discovery Postgress Default Access
  permissions:
  - Microsoft.DBforPostgreSQL/servers/privateEndpointConnections/read
  - Microsoft.DBforPostgreSQL/servers/read
Appranix ARS Recovery Postgress Default Access
  permissions:
  - Microsoft.DBforPostgreSQL/servers/write
  - Microsoft.DBforPostgreSQL/servers/privateEndpointConnectionsApproval/action
Appranix ARS Reset Postgress Default Access
  permissions:
  - Microsoft.DBforPostgreSQL/servers/delete
Appranix ARS Discovery Pqsql Flexible Server Default Access
  permissions:
  - Microsoft.DBforPostgreSQL/flexibleServers/read
Appranix ARS Discovery Mysql Flexible Server Default Access
  permissions:
  - Microsoft.DBforMySQL/flexibleServers/read
Appranix ARS Discovery Sql Managed Instance Default Access
  permissions:
  - Microsoft.Sql/managedInstances/read
Appranix ARS Discovery No Sql Server Default Access
  permissions:
  - Microsoft.DocumentDB/databaseAccounts/read
  - Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read
Appranix ARS Discovery Redis Cache Default Access
  permissions:
  - Microsoft.Cache/redis/read
Appranix ARS Discovery Wcf Relay Default Access
  permissions:
  - Microsoft.Relay/namespaces/read 
  - Microsoft.Relay/namespaces/WcfRelays/read
Appranix ARS Discovery Service Bus Default Access
  permissions:
  - Microsoft.ServiceBus/namespaces/read 
  - Microsoft.ServiceBus/namespaces/topics/read
  - Microsoft.ServiceBus/namespaces/queues/read
Appranix ARS Discovery Event Hub Default Access
  permissions:
  - Microsoft.EventHub/namespaces/read 
  - Microsoft.EventHub/namespaces/eventhubs/read
Appranix ARS Discovery Application Gateway Default Access
  permissions:
  - Microsoft.Network/applicationGateways/read
  - Microsoft.Network/applicationGateways/privateEndpointConnections/read
Appranix ARS Recovery Application Gateway Default Access
  permissions:
  - Microsoft.Network/applicationGateways/write
  - Microsoft.Network/applicationGateways/backendAddressPools/join/action
Appranix ARS Reset Application Gateway Default Access
  permissions:
  - Microsoft.Network/applicationGateways/delete
Appranix ARS Discovery Proximity Placement Group Default Access
  permissions:
  - Microsoft.Compute/proximityPlacementGroups/read
Appranix ARS Recovery Proximity Placement Group Default Access
  permissions:
  - Microsoft.Compute/proximityPlacementGroups/write
Appranix ARS Reset Proximity Placement Group Default Access
  permissions:
  - Microsoft.Compute/proximityPlacementGroups/delete
Appranix ARS Discovery Private Endpoint Default Access
  permissions:
  - Microsoft.Network/privateEndpoints/read
Appranix ARS Recovery Private Endpoint Default Access
  permissions:
  - Microsoft.Network/privateEndpoints/write
Appranix ARS Reset Private Endpoint Default Access
  permissions:
  - Microsoft.Network/privateEndpoints/delete
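Appranix ARS Recovery Shared gallery Default Access
  permissions:
  - Microsoft.Compute/galleries/read
  - Microsoft.Compute/galleries/write
  - Microsoft.Compute/galleries/share/action
Appranix ARS Reset Shared gallery Default Access
  permissions:
  - Microsoft.Compute/galleries/delete
Appranix ARS Recovery Shared gallery image definition Default Access
  permissions:
  - Microsoft.Compute/galleries/images/read
  - Microsoft.Compute/galleries/images/write
Appranix ARS Reset Shared gallery image definition Default Access
  permissions:
  - Microsoft.Compute/galleries/images/delete
Appranix ARS Recovery Shared gallery image version Default Access
  permissions:
  - Microsoft.Compute/galleries/images/versions/read
  - Microsoft.Compute/galleries/images/versions/write
Appranix ARS Reset Shared gallery image version Default Access
  permissions:
  - Microsoft.Compute/galleries/images/versions/delete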

NOTE: This list of permissions may increase as Appranix adds more services for protection.
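
The role listing above can be reviewed mechanically before the roles are granted to a third-party application. The following Python is an added example, not Appranix code: it parses the listing's layout and reports, for one operation group, every action that is not a read. The function names and the abridged sample are constructed for illustration.

```python
# Added example: review aid for the role listing above (not Appranix code).

# Constructed sample: three role blocks abridged from the listing above.
SAMPLE = """\
Appranix ARS Discovery Storage Default Access
  permissions:
  - Microsoft.Storage/storageAccounts/read
  - Microsoft.Storage/storageAccounts/write
  - Microsoft.Compute/disks/beginGetAccess/action
  - Microsoft.Storage/storageAccounts/listKeys/action
  dataPermissions:
  - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Appranix ARS Discovery Network Default Access
 permissions:
 - Microsoft.Network/virtualNetworks/read
 - Microsoft.Network/networkSecurityGroups/read
Appranix ARS Reset Compute Default Access
 permissions:
 - Microsoft.Compute/virtualMachines/delete
"""


def parse_roles(text):
    """Return {role name: {"permissions": [...], "dataPermissions": [...]}}."""
    roles, role, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("permissions:", "dataPermissions:"):
            section = line[:-1]
        elif line.startswith("- "):
            if role is None or section is None:
                raise ValueError(f"action outside a role block: {line!r}")
            roles[role][section].append(line[2:].strip())
        else:  # any other non-empty line starts a new role block
            role, section = line, None
            roles[role] = {"permissions": [], "dataPermissions": []}
    return roles


def verb(action):
    """Last path segment of an Azure action: read, write, delete or action."""
    return action.rsplit("/", 1)[-1].lower()


def non_read_actions(roles, operation):
    """For roles whose third word is `operation`, list actions that are not reads."""
    found = {}
    for name, sections in roles.items():
        words = name.split()
        if len(words) < 3 or words[2].lower() != operation.lower():
            continue
        extra = [a for acts in sections.values() for a in acts if verb(a) != "read"]
        if extra:
            found[name] = extra
    return found


if __name__ == "__main__":
    for name, actions in non_read_actions(parse_roles(SAMPLE), "Discovery").items():
        print(name)
        for action in actions:
            print("   ", action)
```

Pasting the full listing into `SAMPLE` gives the same report for every Discovery role, which is a quick way to see which actions go beyond read access before they are assigned.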
