Connect to Azure Subscriptions
Appranix protects your cloud application environment in Azure and ensures cloud application resilience. This document explains how to connect Appranix to your Azure subscription so that it can provide resilience for your Azure cloud infrastructure, and lists the permissions it requires.
Prerequisite: The "Owner" or "User Access Administrator" privilege is mandatory to register the Appranix Enterprise Application as a service principal.
To add a new Azure Cloud Connection in Appranix, follow the steps below:
- Navigate to "Cloud Connections", click "Add Cloud Connection," and choose "Azure Cloud"
- Fill in the Name and Description for the connection
- Provide the required authentication details from the Azure account to register Appranix: enter the “Tenant Id” and click “REGISTER” to register the AppranixARS application
- In the new window, select the “Accept” option to approve the permissions requested for the AppranixARS application to be registered as an Enterprise Application in the given Azure tenant
- Once the request is approved to register in the tenant, the AppranixARS application will be displayed as an Enterprise application in the given Azure tenant
- In the Appranix Cloud Connection, provide the Azure authentication details, Azure account’s “Subscription ID”, and “Object ID” of the registered Appranix Application
- Select the operational regions where your protection and recovery operations need to be done
- Add the Azure services by choosing “ADD SERVICES” and click “NEXT”
Apply IAM Permissions
- From the “Instant” tab, run the given command in the Azure portal Bash Cloud Shell to grant the required permissions in a single step
- Or, select the “Manual” tab and either click the “DOWNLOAD ARM TEMPLATE” option or run the curl command to download the template
- An ARM template that will assign the necessary roles to the Appranix application will be downloaded
- In your Azure console, run the given command with the downloaded template file path
- Select the confirmation message to grant the permissions and click “FINISH”
Azure IAM Permissions
NOTE: When a particular role's permission is revoked manually in the Azure portal, the set of operations associated with that role will fail.
Appranix ARS Discovery Resource Group Default Access
permissions:
- Microsoft.Resources/subscriptions/resourceGroups/read
- Microsoft.Resources/subscriptions/resourceGroups/write
- Microsoft.Resources/subscriptions/resourceGroups/resources/read
Appranix ARS Discovery Storage Default Access
permissions:
- Microsoft.Storage/storageAccounts/read
- Microsoft.Storage/storageAccounts/write
- Microsoft.Storage/storageAccounts/blobServices/containers/read
- Microsoft.Storage/storageAccounts/blobServices/containers/write
- Microsoft.Compute/disks/beginGetAccess/action
- Microsoft.Compute/disks/endGetAccess/action
- Microsoft.Storage/storageAccounts/listKeys/action
- Microsoft.Compute/disks/read
dataPermissions:
- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Appranix ARS Discovery Compute Default Access
permissions:
- Microsoft.Compute/virtualMachines/read
- Microsoft.Compute/virtualMachineScaleSets/read
- Microsoft.Compute/virtualMachineScaleSets/skus/read
- Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read
- Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/publicIPAddresses/read
- Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/read
- Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read
- Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
- Microsoft.Compute/sshPublicKeys/read
- Microsoft.Compute/availabilitySets/read
- Microsoft.Compute/proximityPlacementGroups/read
Appranix ARS Discovery Network Default Access
permissions:
- Microsoft.Network/networkInterfaces/read
- Microsoft.Network/publicIPAddresses/read
- Microsoft.Network/virtualNetworks/read
- Microsoft.Network/networkSecurityGroups/read
- Microsoft.Network/virtualNetworks/subnets/read
Appranix ARS Discovery Load balancer Default Access
permissions:
- Microsoft.Network/loadBalancers/backendAddressPools/backendPoolAddresses/read
- Microsoft.Network/loadBalancers/backendAddressPools/join/action
- Microsoft.Network/loadBalancers/backendAddressPools/read
- Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/read
- Microsoft.Network/loadBalancers/inboundNatPools/join/action
- Microsoft.Network/loadBalancers/inboundNatPools/read
- Microsoft.Network/loadBalancers/inboundNatRules/read
- Microsoft.Network/loadBalancers/loadBalancingRules/read
- Microsoft.Network/loadBalancers/networkInterfaces/read
- Microsoft.Network/loadBalancers/outboundRules/read
- Microsoft.Network/loadBalancers/probes/read
- Microsoft.Network/loadBalancers/read
- Microsoft.Network/loadBalancers/virtualMachines/read
Appranix ARS Protection Resource Group Default Access
permissions:
- Microsoft.Resources/subscriptions/resourceGroups/read
- Microsoft.Resources/subscriptions/resourceGroups/write
- Microsoft.Resources/subscriptions/resourceGroups/resources/read
Appranix ARS Protection Storage Default Access
permissions:
- Microsoft.Storage/storageAccounts/write
- Microsoft.Storage/storageAccounts/blobServices/containers/write
- Microsoft.Compute/snapshots/beginGetAccess/action
- Microsoft.Compute/snapshots/read
- Microsoft.Compute/snapshots/write
dataPermissions:
- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Appranix ARS Replication Storage Default Access
permissions:
- Microsoft.Compute/snapshots/beginGetAccess/action
- Microsoft.Compute/snapshots/endGetAccess/action
dataPermissions:
- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Appranix ARS Retention Storage Default Access
permissions:
- Microsoft.Compute/snapshots/delete
dataPermissions:
- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Appranix ARS Recovery Resource Group Default Access
permissions:
- Microsoft.Resources/subscriptions/resourceGroups/read
- Microsoft.Resources/subscriptions/resourceGroups/write
Appranix ARS Recovery Storage Default Access
permissions:
- Microsoft.Compute/disks/write
- Microsoft.Storage/storageAccounts/write
- Microsoft.Storage/storageAccounts/blobServices/containers/write
dataPermissions:
- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Appranix ARS Recovery Compute Default Access
permissions:
- Microsoft.Compute/virtualMachines/write
- Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write
- Microsoft.Compute/virtualMachineScaleSets/write
- Microsoft.Compute/sshPublicKeys/write
- Microsoft.Compute/images/write
- Microsoft.Compute/images/read
- Microsoft.Compute/availabilitySets/write
- Microsoft.Compute/proximityPlacementGroups/write
Appranix ARS Recovery Network Default Access
permissions:
- Microsoft.Network/networkInterfaces/join/action
- Microsoft.Network/networkInterfaces/write
- Microsoft.Network/publicIPAddresses/join/action
- Microsoft.Network/publicIPAddresses/write
- Microsoft.Network/virtualNetworks/write
- Microsoft.Network/networkSecurityGroups/join/action
- Microsoft.Network/networkSecurityGroups/write
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/write
- Microsoft.Network/networkSecurityGroups/securityRules/write
Appranix ARS Recovery Load balancer Default Access
permissions:
- Microsoft.Network/loadBalancers/backendAddressPools/join/action
- Microsoft.Network/virtualNetworks/subnets/joinLoadBalancer/action
- Microsoft.Network/virtualNetworks/joinLoadBalancer/action
- Microsoft.Network/loadBalancers/backendAddressPools/write
- Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action
- Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/join/action
- Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/write
- Microsoft.Network/loadBalancers/inboundNatPools/join/action
- Microsoft.Network/loadBalancers/inboundNatRules/join/action
- Microsoft.Network/loadBalancers/inboundNatRules/write
- Microsoft.Network/loadBalancers/probes/join/action
- Microsoft.Network/loadBalancers/providers/Microsoft.Insights/diagnosticSettings/write
- Microsoft.Network/loadBalancers/write
- Microsoft.Network/locations/setLoadBalancerFrontendPublicIpAddresses/action
Appranix ARS Recovery Deployment Manager Default Access
permissions:
- Microsoft.Resources/deployments/read
- Microsoft.Resources/deployments/write
- Microsoft.Resources/deployments/operationStatuses/read
- Microsoft.Resources/deployments/operations/read
Appranix ARS Reset Resource Group Default Access
permissions:
- Microsoft.Resources/subscriptions/resourceGroups/delete
Appranix ARS Reset Storage Default Access
permissions:
- Microsoft.Storage/storageAccounts/delete
- Microsoft.Storage/storageAccounts/blobServices/containers/delete
- Microsoft.Compute/disks/delete
dataPermissions:
- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Appranix ARS Reset Compute Default Access
permissions:
- Microsoft.Compute/virtualMachines/delete
- Microsoft.Compute/virtualMachineScaleSets/virtualMachines/delete
- Microsoft.Compute/virtualMachineScaleSets/delete
- Microsoft.Compute/sshPublicKeys/delete
- Microsoft.Compute/images/delete
- Microsoft.Compute/availabilitySets/delete
- Microsoft.Compute/proximityPlacementGroups/delete
Appranix ARS Reset Network Default Access
permissions:
- Microsoft.Network/networkInterfaces/delete
- Microsoft.Network/networkSecurityGroups/delete
- Microsoft.Network/publicIPAddresses/delete
- Microsoft.Network/virtualNetworks/delete
- Microsoft.Network/virtualNetworks/subnets/delete
- Microsoft.Network/networkSecurityGroups/securityRules/delete
Appranix ARS Reset Load balancer Default Access
permissions:
- Microsoft.Network/loadBalancers/backendAddressPools/delete
- Microsoft.Network/loadBalancers/delete
- Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/delete
- Microsoft.Network/loadBalancers/inboundNatRules/delete
Appranix ARS Discovery MySql Default Access
permissions:
- Microsoft.DBforMySQL/servers/privateEndpointConnectionProxies/read
- Microsoft.DBforMySQL/servers/privateEndpointConnections/read
- Microsoft.DBforMySQL/servers/read
- Microsoft.DBforMySQL/locations/azureAsyncOperation/read
Appranix ARS Recovery MySql Default Access
permissions:
- Microsoft.DBforMySQL/servers/write
- Microsoft.DBforMySQL/servers/privateEndpointConnectionsApproval/action
Appranix ARS Reset MySql Default Access
permissions:
- Microsoft.DBforMySQL/servers/delete
Appranix ARS Discovery Mssql Default Access
permissions:
- Microsoft.Sql/servers/read
- Microsoft.Sql/servers/databases/read
Appranix ARS Recovery Mssql Default Access
permissions:
- Microsoft.Sql/servers/write
- Microsoft.Sql/servers/databases/write
Appranix ARS Reset Mssql Default Access
permissions:
- Microsoft.Sql/servers/delete
Appranix ARS Discovery Postgress Default Access
permissions:
- Microsoft.DBforPostgreSQL/servers/privateEndpointConnections/read
- Microsoft.DBforPostgreSQL/servers/read
Appranix ARS Recovery Postgress Default Access
permissions:
- Microsoft.DBforPostgreSQL/servers/write
- Microsoft.DBforPostgreSQL/servers/privateEndpointConnectionsApproval/action
Appranix ARS Reset Postgress Default Access
permissions:
- Microsoft.DBforPostgreSQL/servers/delete
Appranix ARS Discovery Application Gateway Default Access
permissions:
- Microsoft.Network/applicationGateways/read
- Microsoft.Network/applicationGateways/privateEndpointConnections/read
Appranix ARS Recovery Application Gateway Default Access
permissions:
- Microsoft.Network/applicationGateways/write
- Microsoft.Network/applicationGateways/backendAddressPools/join/action
Appranix ARS Reset Application Gateway Default Access
permissions:
- Microsoft.Network/applicationGateways/delete
Appranix ARS Discovery Proximity Placement Group Default Access
permissions:
- Microsoft.Compute/proximityPlacementGroups/read
Appranix ARS Recovery Proximity Placement Group Default Access
permissions:
- Microsoft.Compute/proximityPlacementGroups/write
Appranix ARS Reset Proximity Placement Group Default Access
permissions:
- Microsoft.Compute/proximityPlacementGroups/delete
Appranix ARS Discovery Private Endpoint Default Access
permissions:
- Microsoft.Network/privateEndpoints/read
Appranix ARS Recovery Private Endpoint Default Access
permissions:
- Microsoft.Network/privateEndpoints/write
Appranix ARS Reset Private Endpoint Default Access
permissions:
- Microsoft.Network/privateEndpoints/delete
Appranix ARS Recovery Shared gallery Default Access
permissions:
- Microsoft.Compute/galleries/read
- Microsoft.Compute/galleries/write
- Microsoft.Compute/galleries/share/action
Appranix ARS Reset Shared gallery Default Access
permissions:
- Microsoft.Compute/galleries/delete
Appranix ARS Recovery Shared gallery image definition Default Access
permissions:
- Microsoft.Compute/galleries/images/read
- Microsoft.Compute/galleries/images/write
Appranix ARS Reset Shared gallery image definition Default Access
permissions:
- Microsoft.Compute/galleries/images/delete
Appranix ARS Recovery Shared gallery image version Default Access
permissions:
- Microsoft.Compute/galleries/images/versions/read
- Microsoft.Compute/galleries/images/versions/write
Appranix ARS Reset Shared gallery image version Default Access
permissions:
- Microsoft.Compute/galleries/images/versions/delete
NOTE: This list of permissions may increase as Appranix adds more services for protection.
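Because these roles are granted to a third-party service principal, it is worth reviewing them before applying the template. The Python below is an added example, not Appranix tooling: it parses role blocks in the layout used on this page (inline or one operation per line) and flags operations a reviewer would want to look at. The SENSITIVE table and the rule that Discovery roles should be read-only are review heuristics assumed for this example, and the sample input is constructed from three roles in the list above.

```python
import re

# Review heuristics assumed for this example (not an Azure or Appranix list).
SENSITIVE = {"listKeys/action": "returns storage account access keys",
             "beginGetAccess/action": "issues a SAS URL to read a disk or snapshot"}
TOKEN = re.compile(r"dataPermissions:|permissions:|Microsoft\.[\w.]+/[\w./]+")

# Constructed sample: three role blocks from the list above (the first abridged).
SAMPLE = """\
Appranix ARS Discovery Storage Default Access
permissions: - Microsoft.Storage/storageAccounts/read - Microsoft.Storage/storageAccounts/listKeys/action - Microsoft.Compute/disks/beginGetAccess/action dataPermissions: - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Appranix ARS Retention Storage Default Access
permissions: - Microsoft.Compute/snapshots/delete dataPermissions: - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Appranix ARS Discovery Mssql Default Access
permissions:
- Microsoft.Sql/servers/read
- Microsoft.Sql/servers/databases/read
"""

def parse_roles(text):
    """Map role name -> {"permissions": [...], "dataPermissions": [...]}."""
    roles, current, plane = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.endswith("Default Access"):  # a role heading starts a new block
            current = roles.setdefault(line, {"permissions": [], "dataPermissions": []})
            plane = None
            continue
        for tok in TOKEN.findall(line):
            if tok.endswith(":"):
                plane = tok[:-1]  # switch between control plane and data plane
            elif current is not None and plane:
                current[plane].append(tok)
    return roles

def review(roles):
    """Return (role, operation, reason) tuples worth a reviewer's attention."""
    findings = []
    for name, planes in roles.items():
        for op in planes["permissions"] + planes["dataPermissions"]:
            reasons = [why for sfx, why in SENSITIVE.items() if op.endswith("/" + sfx)]
            if op.endswith("/delete"):
                reasons.append("destructive")
            if " Discovery " in name and not op.endswith("/read"):
                reasons.append("non-read operation in a Discovery role")
            findings += [(name, op, r) for r in reasons]
    return findings

if __name__ == "__main__":
    for role, op, reason in review(parse_roles(SAMPLE)):
        print(f"{role}: {op} ({reason})")
```

Paste the full role list from this page in place of SAMPLE to review every role; a finding is a prompt for a scoping or monitoring decision, not proof of a problem.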