Onboard an Azure VNet Environment
Use the following procedure to onboard an Azure VNet for cloud-delivered Firewall Management Center management:
Before you begin
You must have the following completed prior to this onboarding procedure:
- Cloud-delivered Firewall Management Center is enabled for your tenant.
- You must have at least one resource group available in your Azure account with an empty Azure VNet instance. If you do not have a resource group to host the virtual device, create one with the Azure portal. See Microsoft Azure's Manage Azure resource groups by using the Azure portal guide for more information.
- Your resource group in the Azure portal must have a virtual network created for the virtual device. If you do not have one, create one in the Azure portal. See Microsoft Azure's Create a virtual network using the Azure portal quickstart guide for more information.
- You must register Cisco Security Cloud Control as an application in your Microsoft tenant so that Azure and Security Cloud Control can authenticate to each other. See the "Quickstart: Register an application with the Microsoft identity platform" section of the Azure product documentation for more information.
- You must assign a built-in role, or create a custom role, in the Azure environment and assign it to the user or group that will access both Azure and Security Cloud Control. A custom role limited to the permissions below is the least-privilege option; a broad built-in role such as Contributor also works but grants far more than onboarding needs. See the "Azure built-in roles" and "Azure custom roles" sections of the Azure product documentation for more information.
- You must enable all of the following permissions in the Azure environment in order to successfully communicate with and onboard to Security Cloud Control. Because the list includes resource group write and delete, scope the role assignment to the resource group that hosts the virtual device rather than to the whole subscription:
  Microsoft.Network/virtualNetworks/write
  Microsoft.Network/virtualNetworks/join/action
  Microsoft.Network/virtualNetworks/subnets/read
  Microsoft.Network/virtualNetworks/subnets/write
  Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
  Microsoft.Network/virtualNetworks/subnets/join/action
  Microsoft.Network/networkSecurityGroups/read
  Microsoft.Network/networkSecurityGroups/write
  Microsoft.Network/networkSecurityGroups/join/action
  Microsoft.Network/networkSecurityGroups/securityRules/read
  Microsoft.Network/networkSecurityGroups/securityRules/write
  Microsoft.Network/networkSecurityGroups/securityRules/delete
  Microsoft.Network/publicIPAddresses/read
  Microsoft.Network/publicIPAddresses/write
  Microsoft.Network/publicIPAddresses/join/action
  Microsoft.Network/routeTables/read
  Microsoft.Network/routeTables/write
  Microsoft.Network/routeTables/join/action
  Microsoft.Network/networkInterfaces/read
  Microsoft.Network/networkInterfaces/write
  Microsoft.Network/networkInterfaces/join/action
  Microsoft.Compute/virtualMachines/read
  Microsoft.Compute/virtualMachines/write
  Microsoft.Storage/storageAccounts/read
  Microsoft.Storage/storageAccounts/write
  Microsoft.Resources/deployments/read
  Microsoft.Resources/deployments/write
  Microsoft.Resources/deployments/operationstatuses/read
  Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
  Microsoft.Resources/subscriptions/resourceGroups/write
  Microsoft.Resources/subscriptions/resourceGroups/delete
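The following POSIX shell script is an added example and is not part of the Cisco or Microsoft documentation. It turns the permission list above into a custom role definition JSON suitable for `az role definition create --role-definition @file`, and it checks the Actions of an existing role for gaps, honouring the `*` wildcards Azure allows in role definitions (so a role granting Microsoft.Network/* satisfies every Microsoft.Network requirement) and Azure's case-insensitive matching of operation names. The role name, the subscription ID and the sample granted-action list are placeholders constructed for the example; NotActions and deny assignments are not evaluated.

```shell
#!/bin/sh
# Added example, not part of the Cisco or Microsoft documentation: build an
# Azure custom role definition that carries exactly the permissions listed
# above, and check an existing role for gaps before onboarding. The role name,
# subscription ID and the sample granted-action list are placeholders.
set -eu

# The 31 actions the prerequisites require, copied from the list above.
REQUIRED_ACTIONS='
Microsoft.Network/virtualNetworks/write
Microsoft.Network/virtualNetworks/join/action
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/write
Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/networkSecurityGroups/write
Microsoft.Network/networkSecurityGroups/join/action
Microsoft.Network/networkSecurityGroups/securityRules/read
Microsoft.Network/networkSecurityGroups/securityRules/write
Microsoft.Network/networkSecurityGroups/securityRules/delete
Microsoft.Network/publicIPAddresses/read
Microsoft.Network/publicIPAddresses/write
Microsoft.Network/publicIPAddresses/join/action
Microsoft.Network/routeTables/read
Microsoft.Network/routeTables/write
Microsoft.Network/routeTables/join/action
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkInterfaces/write
Microsoft.Network/networkInterfaces/join/action
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/write
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/write
Microsoft.Resources/deployments/read
Microsoft.Resources/deployments/write
Microsoft.Resources/deployments/operationstatuses/read
Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
Microsoft.Resources/subscriptions/resourceGroups/write
Microsoft.Resources/subscriptions/resourceGroups/delete
'

# Required actions, one per line, blank lines dropped, de-duplicated.
required_actions() {
  printf '%s\n' "$REQUIRED_ACTIONS" | sed '/^[[:space:]]*$/d' | LC_ALL=C sort -u
}

# JSON body for:  az role definition create --role-definition @scc-vnet-onboarding.json
# $1 = subscription ID used in AssignableScopes, $2 = role name (both placeholders).
role_definition_json() {
  printf '{\n  "Name": "%s",\n  "IsCustom": true,\n' "$2"
  printf '  "Description": "Minimum actions for Security Cloud Control Azure VNet onboarding",\n'
  printf '  "Actions": [\n'
  required_actions | awk 'NR > 1 { printf ",\n" } { printf "    \"%s\"", $0 } END { printf "\n" }'
  printf '  ],\n  "NotActions": [],\n  "AssignableScopes": ["/subscriptions/%s"]\n}\n' "$1"
}

# Does granted pattern $1 (Azure permits '*' wildcards) cover required action $2?
# Azure matches operation names case-insensitively, so lowercase both sides.
covers() {
  pat=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  act=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  case "$act" in
    $pat) return 0 ;;
  esac
  return 1
}

# Print each required action that no line of file $1 (the candidate role's
# Actions, one per line) covers. Empty output means no gap. NotActions and
# deny assignments are not evaluated here.
missing_actions() {
  required_actions | while IFS= read -r req; do
    found=0
    while IFS= read -r granted; do
      [ -n "$granted" ] || continue
      if covers "$granted" "$req"; then found=1; break; fi
    done < "$1"
    [ "$found" -eq 1 ] || printf '%s\n' "$req"
  done
}

# Demo with a constructed role that grants Microsoft.Network/* plus one storage
# read: the nine required actions outside Microsoft.Network are reported.
demo() {
  tmp=$(mktemp)
  printf '%s\n' 'Microsoft.Network/*' 'Microsoft.Storage/storageAccounts/read' > "$tmp"
  echo "Required actions: $(required_actions | wc -l | tr -d ' ')"
  echo "Missing from the sample role:"
  missing_actions "$tmp"
  rm -f "$tmp"
  # Against a real role, export its Actions first, e.g.:
  #   az role definition list --name <role> --query "[0].permissions[0].actions" -o tsv > granted.txt
  #   missing_actions granted.txt
}

demo
```

Run the gap check before assigning the role: a non-empty result from missing_actions is the exact set of actions the wizard will be refused. If you create the custom role, assign it at resource-group scope, as noted above, because the list grants resource group write and delete.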
Procedure
Step 1. Review the prerequisites listed above. You must register Security Cloud Control with your Microsoft tenant, create a user role, and enable all the applicable permissions prior to onboarding a virtual environment.
Step 2. Log in to Security Cloud Control.
Step 3. In the navigation pane, click Inventory and click the blue plus button.
Step 4. Select the Azure VNet tile.
Step 5. Enter the following credentials to continue with the onboarding wizard, then click Next:
Step 6. In the Security Cloud Control onboarding wizard, use the drop-down menu to select the Azure VNet you want to onboard.
Step 7. Enter the Device Name and click Next. This device name is what the Azure VNet is displayed as on the Inventory page.
Step 8. (Optional) Add labels to your device to help sort and filter the Inventory page. Enter a label and click the blue plus button. Labels are applied to the device after it is onboarded to Security Cloud Control.
What to do next
Onboard a virtual device in Security Cloud Control with this instance of Azure VNet as the manager. See Deploy a Threat Defense Virtual in Azure for more information.