Create an Azure Connector
Procedure
1. From the navigation pane, choose .
2. Click Azure Connector.
3. Click Configure your New Connector. Generate an Azure Resource Manager template with the roles and policies required for the capabilities you wish to enable, and then upload the template to Azure. Without this step, you cannot create an Azure Connector Configuration.
4. Configuration Settings:
5. Click either of the options below to create a new Azure connector:
6. Get Started Guide: Use this option to gather labels and flow data from Azure, to enforce segmentation policy using cloud-native constructs, and/or to gather labels from EKS clusters. Before you configure this connector, see:
7. Click Get Started and, under Settings, configure the new connector. For more information, see the Edit a New Azure Connector section.
8. Click Generate Templates. Cisco Secure Workload requires the relevant permissions to access and read flow log settings and to perform policy enforcement. Choose the desired capabilities; based on the capabilities selected, a CloudFormation Template (CFT) is generated. Use the generated CFT template in your AWS CloudFormation to create the policy for the user or role. Select the activities to be performed with Cisco Secure Workload on your AWS resources.
9. Click Next and read the information on the configuration page.
10. Configure settings:
11. Your subscription must have the required privileges before you can continue to the next page in the wizard. To use the provided Azure Resource Manager (ARM) template to assign the required permissions for the connector:
This template has the IAM permissions required for the capabilities that you selected in the previous step. If you enabled the Kubernetes managed services option, you must separately configure permissions for AKS. For more information, see Managed Kubernetes Services Running on Azure (AKS).
12. Click Next.
13. The next page displays a Resource Tree that you can expand to view the various regions; inside each region, select or clear the resource check boxes to obtain the list of VNets and AKS clusters from Azure.
14. From the list of VNets and AKS clusters for each VNet, choose the VNets and AKS clusters for which you want to enable your selected capabilities. Generally, you should enable flow ingestion as soon as possible, so that Secure Workload can begin to collect enough data to suggest accurate policies. Because AKS supports only the Gather Labels capability, no explicit capability selection is provided for it; selecting an AKS cluster implicitly enables the supported capability. Upload the client certificate and key for each cluster for which you enable this functionality. Generally, you should not choose Enable Segmentation during initial configuration. Later, when you are ready to enforce segmentation policy for specific VNets, you can edit the connector and enable segmentation for those VNets. For more information, see Best Practices When Enforcing Segmentation Policy for Azure Inventory.
15. Once your selections are complete, click Create and wait a few minutes for the validation check to complete. The View Groups page shows all VNets that you enabled for any functionality on the previous page, grouped by region. Each region, and each VNet in each region, is a new scope.
16. (Optional) Choose the parent scope under which to add the new set of scopes. If you have not yet defined any scopes, your only option is the default scope.
17. (Optional) To accept all settings configured in the wizard, including the hierarchical scope tree, click Save. To accept all settings except the hierarchical scope tree, click Skip this step. You can manually create or edit the scope tree later, under .
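As an added example that is not part of this Cisco documentation: after the ARM template from step 11 has been deployed, a least-privilege check that the connector identity holds the roles the selected capabilities need, nothing broader, and nothing outside the intended subscription. The role names per capability and the subscription ID are assumed placeholders, and the input mirrors the JSON that `az role assignment list --assignee <id> --all -o json` returns.

```python
"""Audit an Azure connector identity's role assignments against the
capabilities enabled in the connector wizard (least-privilege check)."""
import json

# Assumed placeholder: roles the generated template grants per capability.
# Replace with the roles actually present in your generated ARM template.
EXPECTED_ROLES = {
    "gather_labels": {"Reader"},
    "ingest_flows": {"Reader", "Storage Blob Data Reader"},
    "segmentation": {"Network Contributor"},
}

# Built-in roles far broader than any connector capability should need.
OVERBROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def audit_assignments(assignments_json, capabilities, subscription_id):
    """Return roles missing, roles no capability needs, over-broad roles,
    and assignments scoped outside the connector's subscription."""
    wanted = set().union(*(EXPECTED_ROLES[c] for c in capabilities))
    actual, off_scope = set(), set()
    sub_prefix = f"/subscriptions/{subscription_id}"
    for a in json.loads(assignments_json):
        actual.add(a["roleDefinitionName"])
        if not a["scope"].startswith(sub_prefix):
            off_scope.add((a["roleDefinitionName"], a["scope"]))
    return {
        "missing": wanted - actual,
        "unexpected": actual - wanted,
        "overbroad": actual & OVERBROAD_ROLES,
        "off_scope": off_scope,
    }


# Constructed sample in the shape of `az role assignment list` output:
# Reader granted as intended, Contributor granted by mistake, and one
# Reader assignment on a different subscription.
SUB = "11111111-1111-1111-1111-111111111111"
SAMPLE = json.dumps([
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB}"},
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB}"},
    {"roleDefinitionName": "Reader",
     "scope": "/subscriptions/22222222-2222-2222-2222-222222222222"},
])

if __name__ == "__main__":
    print(audit_assignments(SAMPLE, ["gather_labels"], SUB))
```

Any entry under "unexpected", "overbroad" or "off_scope" means the deployed assignments differ from what the template was meant to grant and should be reviewed before continuing with the wizard.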
What to do next
If you have enabled gathering labels, ingesting flow data, and/or segmentation:
- If you enabled flow ingestion, it may take up to 25 minutes for flows to begin appearing on the page.
- (Optional) For richer flow data and other benefits, including visibility into host vulnerabilities (CVEs), install the appropriate agent for your operating system on your VNet-based workloads. For requirements and details, see the agent installation chapter.
- After you have successfully configured the Azure connector to gather labels and ingest flows, follow the standard process for building segmentation policies. For example: allow Secure Workload to gather sufficient flow data to generate reliable policies; define or modify scopes (typically one for each VNet); create a workspace for each scope; automatically discover policies based on your flow data and/or manually create policies; analyze and refine your policies; ensure that your policies meet the guidelines and best practices below; and then, when you are ready, approve and enforce those policies in the workspace. When you are ready to enforce segmentation policy for a particular VNet, return to the connector configuration to enable segmentation for the VNet. For details, see Best Practices When Enforcing Segmentation Policy for Azure Inventory.
If you have enabled the Kubernetes managed services (AKS) option:
- Install Kubernetes agents on your container-based workloads. For details, see Install Kubernetes or OpenShift Agents for Deep Visibility and Enforcement.
Event Log:
The event log shows the significant events that occur per connector, across its different capabilities. You can filter events by attributes such as Component, Namespace, Message, and Timestamp.