Connect to Azure Subscriptions

Appranix protects your cloud application environment in Azure and ensures cloud application resilience. This document explains how to connect Appranix to your Azure cloud infrastructure so that it can enable cloud application resilience, and lists the permissions required to do so.

Prerequisite: The "Owner" or "User Access Administrator" privilege is mandatory to register the Appranix Enterprise Application as a service principal.

To add a new Azure Cloud Connection in Appranix, follow the steps below:

  1. Navigate to “Cloud Connections” and click “Add Cloud Connection”
  2. Fill in the Name and Description for the connection, choose Azure as the cloud provider
  3. Provide the Azure account “Tenant Id” and click “REGISTER” to register the Appranix application

      In the new window, 
       -   Select the “Accept” option to approve the permission requested for the Appranix application to be registered as an Enterprise Application in the given Azure tenant
       -   Once the request is approved to register in the tenant, the Appranix application will be displayed as an Enterprise application in the given Azure tenant
    
  4. In the Appranix Cloud Connection, provide the Azure authentication details, Azure account’s “Subscription ID”, and “Object ID” of the registered Appranix Application
  5. Select the primary region. Switch on the toggle button if you want to allow cross-region recovery
  6. Select the required recovery regions from the provided list of regions
  7. Add the Azure services by choosing “ADD SERVICES” and click “CONNECT CLOUD”

      In the new window,
       -   From the “Instant” tab, run the given command in the terminal to grant the required permissions in a single step.
       -   Or, select the “Manual” tab and either click the “DOWNLOAD ARM TEMPLATE” option or run the curl command to download the template.
           An ARM template that assigns the necessary roles to the Appranix application will be downloaded.
       -   In your Azure console, run the given command with the downloaded template file path
       -   Select the confirmation message to grant the permissions and click “OK”
    
  8. Wait for the Cloud Connection discovery sync to complete to see the discovered resources

Azure IAM Permissions

Operation    Appranix Azure Role Name
Discovery    Appranix ARS Discovery Resource Group Default Access
             Appranix ARS Discovery Storage Default Access
             Appranix ARS Discovery Compute Default Access
             Appranix ARS Discovery Network Default Access
Protection   Appranix ARS Protection Resource Group Default Access
             Appranix ARS Protection Storage Default Access
             Appranix ARS Replication Storage Default Access
             Appranix ARS Retention Storage Default Access
Recovery     Appranix ARS Recovery Resource Group Default Access
             Appranix ARS Recovery Storage Default Access
             Appranix ARS Recovery Compute Default Access
             Appranix ARS Recovery Network Default Access
             Appranix ARS Recovery Deployment Manager Default Access
Reset        Appranix ARS Reset Resource Group Default Access
             Appranix ARS Reset Storage Default Access
             Appranix ARS Reset Compute Default Access
             Appranix ARS Reset Network Default Access

NOTE: When a particular role's permission is revoked manually in the Azure portal, the set of operations associated with that role will fail.

Appranix ARS Discovery Resource Group Default Access
  permissions:
  - Microsoft.Resources/subscriptions/resourceGroups/read
  - Microsoft.Resources/subscriptions/resourceGroups/write
  - Microsoft.Resources/subscriptions/resourceGroups/resources/read
Appranix ARS Protection Resource Group Default Access
  permissions:
  - Microsoft.Resources/subscriptions/resourceGroups/read
  - Microsoft.Resources/subscriptions/resourceGroups/write
  - Microsoft.Resources/subscriptions/resourceGroups/resources/read
Appranix ARS Recovery Resource Group Default Access
  permissions:
  - Microsoft.Resources/subscriptions/resourceGroups/read
  - Microsoft.Resources/subscriptions/resourceGroups/write
Appranix ARS Reset Resource Group Default Access
  permissions:
  - Microsoft.Resources/subscriptions/resourceGroups/delete
Appranix ARS Discovery Storage Default Access
  permissions:
  - Microsoft.Storage/storageAccounts/read
  - Microsoft.Storage/storageAccounts/write
  - Microsoft.Storage/storageAccounts/blobServices/containers/read
  - Microsoft.Storage/storageAccounts/blobServices/containers/write
  - Microsoft.Compute/disks/beginGetAccess/action
  - Microsoft.Compute/disks/endGetAccess/action
  - Microsoft.Storage/storageAccounts/listKeys/action
  - Microsoft.Compute/disks/read
  dataPermissions:
  - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Appranix ARS Protection Storage Default Access
  permissions:
  - Microsoft.Storage/storageAccounts/write
  - Microsoft.Storage/storageAccounts/blobServices/containers/write
  - Microsoft.Compute/snapshots/beginGetAccess/action
  - Microsoft.Compute/snapshots/read
  - Microsoft.Compute/snapshots/write
  dataPermissions:
  - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
  - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Appranix ARS Replication Storage Default Access
  permissions:
  - Microsoft.Compute/snapshots/beginGetAccess/action
  - Microsoft.Compute/snapshots/endGetAccess/action
  dataPermissions:
  - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
  - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Appranix ARS Retention Storage Default Access
  permissions:
  - Microsoft.Compute/snapshots/delete
  dataPermissions:
  - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Appranix ARS Recovery Storage Default Access
  permissions:
  - Microsoft.Compute/disks/write
  - Microsoft.Storage/storageAccounts/write
  - Microsoft.Storage/storageAccounts/blobServices/containers/write
  dataPermissions:
  - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Appranix ARS Reset Storage Default Access
  permissions:
  - Microsoft.Storage/storageAccounts/delete
  - Microsoft.Storage/storageAccounts/blobServices/containers/delete
  - Microsoft.Compute/disks/delete
  dataPermissions:
  - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Appranix ARS Discovery Compute Default Access
  permissions:
  - Microsoft.Compute/virtualMachines/read
  - Microsoft.Compute/virtualMachineScaleSets/read
  - Microsoft.Compute/virtualMachineScaleSets/skus/read
  - Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read
  - Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/publicIPAddresses/read
  - Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/read
  - Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read
  - Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
  - Microsoft.Compute/sshPublicKeys/read
Appranix ARS Discovery Network Default Access
  permissions:
  - Microsoft.Network/networkInterfaces/read
  - Microsoft.Network/publicIPAddresses/read
  - Microsoft.Network/virtualNetworks/read
  - Microsoft.Network/networkSecurityGroups/read
  - Microsoft.Network/virtualNetworks/subnets/read
Appranix ARS Recovery Compute Default Access
  permissions:
  - Microsoft.Compute/virtualMachines/write
  - Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write
  - Microsoft.Compute/virtualMachineScaleSets/write
  - Microsoft.Compute/sshPublicKeys/write
  - Microsoft.Compute/images/write
  - Microsoft.Compute/images/read
Appranix ARS Recovery Network Default Access
  permissions:
  - Microsoft.Network/networkInterfaces/join/action
  - Microsoft.Network/networkInterfaces/write
  - Microsoft.Network/publicIPAddresses/join/action
  - Microsoft.Network/publicIPAddresses/write
  - Microsoft.Network/virtualNetworks/write
  - Microsoft.Network/networkSecurityGroups/join/action
  - Microsoft.Network/networkSecurityGroups/write
  - Microsoft.Network/virtualNetworks/subnets/join/action
  - Microsoft.Network/virtualNetworks/subnets/write
Appranix ARS Reset Compute Default Access
  permissions:
  - Microsoft.Compute/virtualMachines/delete
  - Microsoft.Compute/virtualMachineScaleSets/virtualMachines/delete
  - Microsoft.Compute/virtualMachineScaleSets/delete
  - Microsoft.Compute/sshPublicKeys/delete
  - Microsoft.Compute/images/delete
Appranix ARS Reset Network Default Access
  permissions:
  - Microsoft.Network/networkInterfaces/delete
  - Microsoft.Network/networkSecurityGroups/delete
  - Microsoft.Network/publicIPAddresses/delete
  - Microsoft.Network/virtualNetworks/delete
  - Microsoft.Network/virtualNetworks/subnets/delete
Appranix ARS Discovery Load balancer Default Access
  permissions:
  - Microsoft.Network/loadBalancers/backendAddressPools/backendPoolAddresses/read
  - Microsoft.Network/loadBalancers/backendAddressPools/join/action
  - Microsoft.Network/loadBalancers/backendAddressPools/read
  - Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/read
  - Microsoft.Network/loadBalancers/inboundNatPools/join/action
  - Microsoft.Network/loadBalancers/inboundNatPools/read
  - Microsoft.Network/loadBalancers/inboundNatRules/read
  - Microsoft.Network/loadBalancers/loadBalancingRules/read
  - Microsoft.Network/loadBalancers/networkInterfaces/read
  - Microsoft.Network/loadBalancers/outboundRules/read
  - Microsoft.Network/loadBalancers/probes/read
  - Microsoft.Network/loadBalancers/read
  - Microsoft.Network/loadBalancers/virtualMachines/read
Appranix ARS Recovery Load balancer Default Access
  permissions:
  - Microsoft.Network/loadBalancers/backendAddressPools/join/action
  - Microsoft.Network/loadBalancers/backendAddressPools/write
  - Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action
  - Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/join/action
  - Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/write
  - Microsoft.Network/loadBalancers/inboundNatPools/join/action
  - Microsoft.Network/loadBalancers/inboundNatRules/join/action
  - Microsoft.Network/loadBalancers/inboundNatRules/write
  - Microsoft.Network/loadBalancers/probes/join/action
  - Microsoft.Network/loadBalancers/providers/Microsoft.Insights/diagnosticSettings/write
  - Microsoft.Network/loadBalancers/write
  - Microsoft.Network/locations/setLoadBalancerFrontendPublicIpAddresses/action
  - Microsoft.Network/virtualNetworks/subnets/joinLoadBalancer/action
  - Microsoft.Network/virtualNetworks/joinLoadBalancer/action
Appranix ARS Reset Load balancer Default Access
  permissions:
  - Microsoft.Network/loadBalancers/backendAddressPools/delete
  - Microsoft.Network/loadBalancers/delete
  - Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/delete
  - Microsoft.Network/loadBalancers/inboundNatRules/delete
Appranix ARS Recovery Deployment Manager Default Access
  permissions:
  - Microsoft.Resources/deployments/read
  - Microsoft.Resources/deployments/write

NOTE: This list of permissions may increase as Appranix adds more services for protection.
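
Because the permission set can change over time, it helps to compare what is documented here with what is actually defined in the subscription. The Python below is an added example, not Appranix tooling: it parses the role listing in the layout used on this page and reports actions that are extra or missing in the deployed role definitions. The deployed data is a constructed sample assumed to have the shape of `az role definition list -o json` output, and the function names are illustrative.

```python
# Two roles copied from the listing above, in the page's own layout.
DOCUMENTED = """\
Appranix ARS Reset Resource Group Default Access
  permissions:
  - Microsoft.Resources/subscriptions/resourceGroups/delete
Appranix ARS Retention Storage Default Access
  permissions:
  - Microsoft.Compute/snapshots/delete
  dataPermissions:
  - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
"""
# Constructed sample: parsed JSON in the assumed shape of `az role definition list -o json`.
DEPLOYED = [
    {"roleName": "Appranix ARS Reset Resource Group Default Access",
     "permissions": [{"actions": ["Microsoft.Resources/subscriptions/resourceGroups/delete",
                                  "Microsoft.Resources/subscriptions/resourceGroups/write"],
                      "dataActions": []}]},
    {"roleName": "Appranix ARS Retention Storage Default Access",
     "permissions": [{"actions": ["Microsoft.Compute/snapshots/delete"], "dataActions": []}]},
]
KEY_MAP = {"permissions": "actions", "dataPermissions": "dataActions"}  # page key -> Azure key

def parse_listing(text):
    """Parse the page's listing into {role: {"permissions": set, "dataPermissions": set}}."""
    roles, role, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line and not raw.startswith(" "):   # unindented line starts a new role
            role, section = roles.setdefault(line, {k: set() for k in KEY_MAP}), None
        elif line.endswith(":"):               # "permissions:" or "dataPermissions:"
            section = line[:-1]
        elif line.startswith("- ") and role is not None and section in role:
            role[section].add(line[2:].strip().lower())  # Azure actions are case-insensitive
    return roles

def drift(documented, deployed):
    """Return {role: {"extra": [...], "missing": [...]}} for roles that differ from the listing."""
    report = {}
    for name, doc in documented.items():
        actual = {k: set() for k in KEY_MAP}
        for d in (d for d in deployed if d.get("roleName") == name):
            for perm in d.get("permissions", []):
                for k, az_key in KEY_MAP.items():
                    actual[k] |= {a.lower() for a in perm.get(az_key) or []}
        extra = sorted(a for k in KEY_MAP for a in actual[k] - doc[k])
        missing = sorted(a for k in KEY_MAP for a in doc[k] - actual[k])
        if extra or missing:
            report[name] = {"extra": extra, "missing": missing}
    return report

REPORT = drift(parse_listing(DOCUMENTED), DEPLOYED)
```

An "extra" entry means the deployed role grants more than this page documents; a "missing" entry corresponds to the revoked-permission case in the NOTE above, where the associated operations will fail.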