R12 Publication-2025July16

Azure

Which minimum Azure IAM permissions NetBrain requires for API Server Setup

Refer to NetBrain Required Azure Minimum IAM Permissions.

Why NetBrain needs StorageAccount related IAM permissions

Some customers have questions why NetBrain needs the StorageAccount related IAM permissions below.

  • Microsoft.Storage/storageAccounts/read
  • Microsoft.Storage/storageAccounts/blobServices/read
  • Microsoft.Storage/storageAccounts/blobServices/containers/read
  • Microsoft.Storage/storageAccounts/regeneratekey/action
  • Microsoft.Storage/storageAccounts/listAccountSas/action

First, these permissions are related to downloading files from Azure. To be more specific, the storage account IAM permissions "Microsoft.Storage/storageAccounts/*" are used only for downloading the VWAN/VHUB VPNSiteConfig, that is, for building the VPN tunnels from the VWAN/VHUB VPN Gateway. No other objects or operations need those IAM permissions. In other words, if you do not have a VPN tunnel from your VWAN/VHUB VPN Gateway, or do not want to build those VPN tunnels, you can skip granting the "Microsoft.Storage/storageAccounts/*" IAM permissions.

Which StorageAccount will NetBrain use?

There is no explicit answer, because these storage accounts have random names generated by Azure. The logic for identifying them is as follows:

  • When you download the VHub VPN site-to-site configuration, Azure automatically generates a storage account with "Kind==BlobStorage" in your geographic location. That storage account contains a container called "vpnsiteconfig", also auto-generated by Azure, which is used to store the vpnsiteconfig for subsequent downloads.
  • If your Azure admin team wants to limit access to the storage account, they can first download the VHub's site-to-site VPN config from the Azure web portal to make sure the storage account has been generated (see the screenshot below). Then they can find all storage accounts (Kind=BlobStorage) that have a container called "vpnsiteconfig" (see the screenshot below).

The workflow/underlying logic about the StorageAccount and generation of the AccountSasToken (regenerate key)

Microsoft Azure requires clients to provide a shared access signature (SAS) URL and token in order to download data from an Azure storage account in a secure, delegated way. The "regeneratekey/action" and "listaccountsas/action" permissions exist for that purpose.

To download the VHub VPN site-to-site config, you need to do the following. The underlying workflow is the same whether it is driven from the REST APIs, the Azure CLI, or the Azure Web Portal.

  1. List all Storage Accounts and find the storage accounts whose Kind is BlobStorage. Refer to the API doc.
  2. Among them, find the Storage Account that has a container called "vpnsiteconfig".
  3. Call ListAccountSas for this Storage Account to get the "accountSasToken". This step requires the two permissions "regeneratekey/action" and "listaccountsas/action". Refer to the documents below.
  4. Append the "accountSasToken" (URI) to the URL of the storage account and container to form a SAS URL, which is passed as a parameter to the API that downloads the vpnsiteconfig. Refer to the Azure API and pay attention to the parameter "outputBlobSasUrl".
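The four steps above as an added example (not NetBrain's or Azure's code): the account selection and SAS-URL construction run on constructed sample records, plus a scope check a reviewer can run on the returned account SAS token before it is used. The sample account and container names, the blob name and the 24-hour expiry threshold are assumptions; no Azure call is made.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

VPNSITE_CONTAINER = "vpnsiteconfig"

# Constructed sample input, shaped like the "value" items of the List Storage Accounts API.
SAMPLE_ACCOUNTS = [
    {"name": "vpnsiteconfigeastus4f2a", "kind": "BlobStorage"},  # auto-generated by Azure
    {"name": "appdatastore", "kind": "StorageV2"},
    {"name": "archiveblob", "kind": "BlobStorage"},
]
SAMPLE_CONTAINERS = {  # constructed: account name -> container names
    "vpnsiteconfigeastus4f2a": ["vpnsiteconfig"],
    "appdatastore": ["vpnsiteconfig"],
    "archiveblob": ["archive"],
}

def select_vpnsite_accounts(accounts, containers_by_account):
    """Steps 1-2: accounts whose Kind is BlobStorage and that hold a 'vpnsiteconfig' container."""
    return [
        a["name"] for a in accounts
        if a.get("kind") == "BlobStorage"
        and VPNSITE_CONTAINER in containers_by_account.get(a["name"], [])
    ]

def build_output_blob_sas_url(account, blob_name, account_sas_token,
                              endpoint_suffix="blob.core.windows.net"):
    """Step 4: append the accountSasToken query string to the container/blob URL (outputBlobSasUrl)."""
    return (f"https://{account}.{endpoint_suffix}/{VPNSITE_CONTAINER}/{blob_name}"
            f"?{account_sas_token.lstrip('?')}")

def sas_token_issues(account_sas_token, now_iso=None):
    """Scope check on an account SAS before it is passed to the download API: flags a token
    that is not HTTPS-only (spr), covers services other than blob (ss), or has no expiry (se)
    or one more than 24 hours away (threshold is an assumption)."""
    q = {k: v[0] for k, v in parse_qs(account_sas_token.lstrip("?")).items()}
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00")) if now_iso
           else datetime.now(timezone.utc))
    issues = []
    if q.get("spr") != "https":
        issues.append(f"not restricted to HTTPS (spr={q.get('spr')})")
    if q.get("ss") != "b":
        issues.append(f"covers services other than blob (ss={q.get('ss')})")
    if "se" not in q:
        issues.append("no expiry (se)")
    elif (datetime.fromisoformat(q["se"].replace("Z", "+00:00")) - now).total_seconds() > 86400:
        issues.append(f"lives longer than 24h (se={q['se']})")
    return issues
```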

Why NetBrain needs action IAM permissions

All the "/action" permissions are required by Microsoft when you want to view or download certain resources from Azure. You can confirm this by analyzing the API requests that are sent when you load the routes table.

Take the Azure Web Portal loading a vNIC's effective routes as an example.

Why NetBrain needs following Action IAM permissions

  • Microsoft.Network/virtualnetworkgateways/supportedvpndevices/action
  • microsoft.network/virtualnetworkgateways/getlearnedroutes/action
  • microsoft.network/virtualnetworkgateways/getadvertisedroutes/action
  • microsoft.network/virtualnetworkgateways/getbgppeerstatus/action
  • Microsoft.ApiManagement/service/users/token/action

The Azure platform provides only one method to retrieve a Virtual Network Gateway's BGP learned routes, BGP advertised routes and BGP peer status: a POST API, which requires the corresponding "/action" permission to return this basic data. NetBrain follows the Azure platform design and only retrieves the routes table via the API. NetBrain will not edit or remove any customer data.

Reference: https://learn.microsoft.com/en-us/rest/api/network-gateway/virtual-network-gateways/get-learned-routes?tabs=HTTP#code-try-0

Reference: https://learn.microsoft.com/en-us/rest/api/apimanagement/current-ga/api-management-service/get-sso-token?tabs=HTTP