Register my Azure Account to CONS3RT

Follow these instructions to register your Azure account to CONS3RT.

Step 1: Set up your local environment

If you would like to work with the Azure CLI, this is a good time to install it on your local workstation.

If you cannot install applications on your local workstation, you can use a virtual machine in CONS3RT! Here are some community assets you can use for HmC:

Azure Government

If you are connecting tools to Azure Government, note that each tool has a different way of setting its environment for Azure Government; consult the documentation for the specific tool.

To configure the Azure CLI for Azure Government, run the following command before logging in (see the Azure CLI documentation for more info):

az cloud set --name AzureUSGovernment

Then log in:

az login

Step 1: Gather Information

In order to register your Azure account you will need to collect:

  • Subscription ID
  • Azure Active Directory Tenant ID

Via Azure Dashboard:

  • Log in to Azure or Azure Government with your admin account
  • Retrieve the Subscription ID under All Services and Subscriptions
  • Retrieve the Azure Active Directory Tenant ID under Azure Active Directory, then Default Directory - Properties

Via Azure CLI:

az account list --output yaml
  • The id is the Subscription ID
  • The tenantId is the Active Directory Tenant ID

You may need to set the subscription if you have multiple:

az account set --subscription <subscription ID>

Step 2: Create an App Registration

The Azure App will be the API account CONS3RT uses to log into Azure, allocate a cloudspace and deploy resources. To create an Azure App:

Via Azure Dashboard:

  • Click App Registrations
  • Click + New application registration
  • For Name enter something like "HmC" or "CONS3RT"
  • For Application type select "Web app / API"
  • For Sign-on URL enter something like https://hmc.hpc.mil or https://cons3rt.com
  • Click Create
  • Once creation completes, get the Application ID

Via Azure CLI, set parameters as desired, here is an example:

az ad app create --display-name "HmC" --homepage "http://hmc.hpc.mil"

To retrieve the App ID later:

az ad app list --display-name "HmC" --output yaml | grep "appId"

Step 3: Create a Secret Password

Next, create a secret password for the App Registration that CONS3RT will use to connect to the Azure API.

Via Azure Dashboard:

  • Under App Registrations select the app registration that you just created
  • Click Certificates & Secrets
  • Click New client secret
  • Add a description (e.g. "HmC Secret Password") and select an expiration date
  • Retrieve the Value of the secret access key

Via Azure CLI, create a Service Principal:

az ad sp create --id REPLACE_APP_REGISTRATION_ID --output yaml
az ad sp credential reset --name REPLACE_APP_REGISTRATION_ID --credential-description "CONS3RT Login" --output table

Retrieve the Password value from the output.

Step 4: Set Roles & Permissions

In this step we will assign the proper role and permissions for our App Registration. We will give the app registration "Contributor" access at the subscription level.

Via Azure Dashboard:

  • Click on Subscriptions
  • Click on the Access Control (IAM) blade
  • Click Role Assignments
  • Click + Add and select Add Role Assignment
  • For the Role select Contributor
  • For Assign access to leave "Azure AD user, group, or service principal"
  • For Select browse and select the name of the App Registration created in the earlier steps
  • Click Save

Via Azure CLI:

az role assignment create --assignee REPLACE_APP_REGISTRATION_ID --scope /subscriptions/REPLACE_SUBSCRIPTION_ID --role Contributor

Step 5: Create Public IP Addresses

CONS3RT assigns trusted Azure public IP addresses to the cons3rt-net NAT virtual machine for each Azure cloudspace. These IPs are used for firewalls and access control lists. So, be sure to create a public IP address for each Azure cloudspace you plan to allocate. To create public IP addresses:

Via Azure Dashboard:

  • From the dashboard, select Resource Groups
  • Click + Add
  • Select the Subscription
  • Add a name for the resource group (e.g. cons3rt-REGION-resources)
  • Select the desired Region
  • From the dashboard, select Public IP addresses
  • Add a Name
  • For SKU select Basic
  • For IP address assignment select Static
  • For Subscription select the desired subscription
  • For Resource group select the group created above
  • For Location select the desired Azure region
  • Click on the new public IP address and retrieve the IP address that was allocated

Via Azure CLI:

  • First get a list of regions, and retrieve the "Name" of the region you are using with:
az account list-locations --output table
  • Next, create a resource group to house public IPs in the region:
az group create --name "cons3rt-REPLACE_REGION_NAME-resources" --location "REPLACE_REGION_NAME"
  • Next create public IPs in that region and resource group, use names as desired:
az network public-ip create --name "cons3rt1" --resource-group "REPLACE_RESOURCE_GROUP" --allocation-method "Static" --sku "Basic"
  • When enough IP addresses have been created, retrieve them with:
az network public-ip list --resource-group "REPLACE_RESOURCE_GROUP" --output table
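
As an added example (not part of the CONS3RT documentation or tooling), the following Python helper checks the values gathered in Steps 1 through 5 before they are typed into CONS3RT in Step 6: it reads the JSON form of the `az account list` and `az network public-ip list` output (this assumes `--output json` instead of the yaml and table output shown above), confirms the Subscription ID and Tenant ID are dashed GUIDs, builds the `--scope` string used in Step 4, and keeps only Static public IPs, since CONS3RT places them in firewall rules. The sample CLI output embedded below is constructed and every ID and address in it is fabricated.

```python
import ipaddress
import json
import uuid

# Constructed sample of `az account list --output json`; all values are fabricated.
ACCOUNT_LIST_JSON = """[{"id": "11111111-2222-3333-4444-555555555555",
  "isDefault": true, "name": "HmC Subscription",
  "tenantId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}]"""

# Constructed, abridged sample of `az network public-ip list --output json`.
PUBLIC_IP_LIST_JSON = """[
  {"name": "cons3rt1", "ipAddress": "203.0.113.10",
   "publicIPAllocationMethod": "Static", "sku": {"name": "Basic"}},
  {"name": "cons3rt2", "ipAddress": "203.0.113.11",
   "publicIPAllocationMethod": "Dynamic", "sku": {"name": "Basic"}}]"""


def is_guid(value):
    """Subscription ID, Tenant ID and Application ID are all dashed GUIDs."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def pick_subscription(account_json, subscription_id=None):
    """Return (Subscription ID, Tenant ID) from `az account list` output.
    With several subscriptions, use the requested one, otherwise the default."""
    for acct in json.loads(account_json):
        wanted = acct["id"] == subscription_id if subscription_id else acct.get("isDefault")
        if wanted:
            return acct["id"], acct["tenantId"]
    raise ValueError("subscription not found; run `az account set --subscription <id>`")


def role_scope(subscription_id):
    """Build the --scope value for Step 4's `az role assignment create`."""
    if not is_guid(subscription_id):
        raise ValueError("Subscription ID must be a GUID")
    return "/subscriptions/" + subscription_id


def static_public_ips(public_ip_json):
    """Return only Static public IPv4 addresses: CONS3RT puts these into
    firewall rules and ACLs, so a Dynamic allocation would break them."""
    return [str(ipaddress.IPv4Address(p["ipAddress"]))
            for p in json.loads(public_ip_json)
            if p.get("publicIPAllocationMethod") == "Static"]
```
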

Step 6: Register your Azure Cloud in CONS3RT

If you are a Team Manager you can register your Azure account as a CONS3RT Cloud. If you need to become team manager, contact your current team manager who can add you.

  • Click Add next to Clouds
  • Select Microsoft Azure as the cloud type
  • The Owning Team should be your team
  • Add a Name for your cloud
  • Select the Impact Level, consult the Azure documentation for more info
  • Click Next
  • Select Yes I want to connect this cloud and click Next
  • For the Environment select Azure for commercial Azure, or Azure Government as needed
  • Select the Region that you plan to deploy resources into
  • Under Connection Credentials, set the following values created in the previous steps:
    • Application ID set to the App Registration ID
    • Subscription ID
    • Secret Key set to the password created for the App Registration / Service Principal
    • Tenant Name set to the Azure Active Directory Tenant ID
  • Leave the Container URL blank
  • For External IP Addresses add the list of public IP addresses created in the previous steps
  • Leave the Linux Repository URL blank
  • Click Test Connection to verify connectivity
  • Click Next

Add a Network: user-net

On the network page you can customize which networks you would like created for you when you allocate a Cloudspace into your Azure account. This example sets up a typical "user-net". This user-net is a good default for most use cases: it allows outbound Internet connectivity and allows intra-machine communication within your cloudspaces. The preexisting cons3rt-net is required.

  • Click Add
  • For Name type user-net
  • For CIDR Block enter 172.16.11.0/24
  • Check the Allow traffic from this network to be routed externally checkbox
  • Under Firewall Rules:
    • Click the + button
    • From Sources enter internal
    • To Destinations enter external and -1 in the last box
    • Click Edit Port, and under Customer Port select TCP, enter -1, and click Done
    • Click the + button again and repeat the steps above, switching the protocol to UDP
  • Click Save
  • Click Next

Allocate a Cloudspace!

At this step you have the option to allocate a new cloudspace into your Azure account. CONS3RT automatically creates a resource group and the associated resources described in the cloudspace security article. Once you have a cloudspace, you can securely deploy virtual machines into Azure with CONS3RT!

Cloudspaces include NAT virtual machines that have an associated Azure cost. You may skip this step by clicking Next to create cloudspaces later.

  • Click Create Cloudspace to allocate an Azure cloudspace into your account!
  • Add a Cloudspace Name
  • Leave the Access Point blank; this will be selected from the public
  • For CIDR enter 172.16.0.0/16
  • Under the NAT instance information, set:
    • Image Reference to RHEL 6.8 by RedHat
    • Instance Size to BasicA0 (should be good enough for most cloudspaces, but you can set larger as desired)
  • Click Next

You will receive an email when your cloudspace allocation has completed!

Final Steps

  • Congrats, your CONS3RT Azure cloud registration is complete!

Now that you have registered an Azure account:

  • Allocate a cloudspace
  • Manage your cloudspaces including:
    • Assign projects to cloudspaces
    • Set VM limits
    • Enable/Disable remote access
    • Set cloudspaces active/inactive
    • Unregister and deallocate cloudspaces that are no longer needed