Onboarding for Azure
Introduction
When working with Azure, it's essential to ensure the isolation of your various environments (e.g., development, testing, production) for better security, governance, and billing separation. To achieve this, we recommend creating a separate Azure subscription for each environment and using Service Principals (SPs) to manage access. SPs grant controlled access to resources within each subscription.
Why Use Separate Subscriptions?
Using separate Azure subscriptions for different environments offers several benefits:
- Isolation: Each environment is sandboxed, reducing the risk of affecting other environments.
- Billing Separation: Costs are isolated per subscription, simplifying cost tracking and allocation.
- Resource Governance: Granular control and management of resources in each environment.
Creating Service Principals
To manage access to your Azure subscriptions and resources, we recommend creating a Service Principal (SP) for each subscription. The SP should have the following roles across the subscription:
- Contributor: Allows managing resources within the subscription.
- Key Vault Administrator: Grants access to manage Azure Key Vaults.
- User Access Administrator: Provides control over user access to the subscription.
Step-by-Step Guide
- Create a Service Principal with Contributor role:
az ad sp create-for-rbac -n <YourSPName> --role Contributor --scope /subscriptions/<YourSubscriptionID>`
Replace YourSPName with the desired Service Principal name, and YourSubscriptionID with the target subscription's ID
The command will return a output similar to below, so please make sure to save them securely as the password cannot be retrieved again:
{
"appId": "abcde123-4567-890f-12ab-34cd56789ef0",
"displayName": "myserviceprincipal",
"password": "mysecretclientsecret123",
"tenant": "12345678-abcd-1234-ef12-123456789abc"
}
- Assign Key Vault Administrator role:
az role assignment create --assignee <appId> --role "Key Vault Administrator" --scope /subscriptions/<YourSubscriptionID>
Replace appId with the appId obtained from the Service Principal creation step, and YourSubscriptionID with the target subscription's ID.
- Assign User Access Administrator role:
az role assignment create --assignee <appId> --role "User Access Administrator" --scope /subscriptions/<YourSubscriptionID>
Again, replace appId with the Service Principal's appId and YourSubscriptionID with the target subscription's ID.
By following these commands, you can create a Service Principal with Contributor access and then assign the Key Vault Administrator and User Access Administrator roles to it for your Azure subscription.
Setting Up Azure Environments Using BOS Templates
We aim to simplify the process of setting up Azure environments. We understand that managing multiple Azure environments can be complex, and we've created templates to streamline the process. These templates allow you to configure your Azure environments quickly and accurately.
Step 1: Choose the Appropriate Template
We offer a set of templates for different Azure environments. Please choose the template that corresponds to your desired environment setup.
- Azure AKS Deploy
- Azure Windows IIS Stack
- Azure AKS APP Stack Global
Step 2: Use the selected Template:
Once you've selected the template, you can now use this template to set up your Azure environment by clicking on the Validate and then + Resources buttons.
How to Configure your Azure account to export Billing Data
To begin using BOS with Azure, the initial onboarding step requires setting up a Service Principal (SP) for authentication. This SP is granted the following roles within the Azure subscription:
- Contributor
- Key Vault Administrator
- User Access Administrator
These roles provide the necessary permissions for BOS to access and export Billing Data from the subscription.
Note: It's worth mentioning that subscriptions under Azure Enterprise Agreements have an added requirement. Specifically, you need to activate the 'AO View Charges' permission within the enrollment on the Enterprise portal.