Cisco
Login
Search
Software Secure Workload
Activity Configure

Configure and Manage Connectors for Secure Workload Cloud Connectors Azure Connector Create a New Azure Connector

Last updated: Jun 09, 2025

Create a New Azure Connector

Procedure

1

From the navigation pane, choose Manage > Connectors.
2

Click Azure Connector.
3

Click Enable for the first connector (in a root scope) or Enable Another for additional connectors in the same root scope.
4

Understand and meet requirements and prerequisites in the Requirements and Prerequisites section, then click Get Started.
5

Name the connector and choose desired capabilities:

Selections you make on this page are used only to determine the privileges included in the Azure Resource Manager (ARM) template that will be generated in the next step, and to display the settings that you will need to configure.

In order to enable segmentation, you must also enable Gather Labels.

Enabling Segmentation on this page does not in itself enable policy enforcement or affect existing network security groups. Policy enforcement and deletion of existing security groups occurs only if you enable Segmentation for individual VNets later in the wizard. You can return to this wizard later to enable segmentation policy enforcement for individual VNets.
6

Click Next and read the information on the configuration page.
7

Your subscription must have the required privileges before you can continue to the next page in the wizard.

To use the provided Azure Resource Manager (ARM) template to assign required permissions for the connector:

  1. Download the ARM template from the wizard.

  2. Edit the template text to replace subscription_ID with your subscription ID.


     

    For a connector, you can create multiple subscription IDs in the Azure account.

    You can enter multiple subscription IDs where the credentials belong to the same subscription ID.

  3. In Azure, create a custom role in the applicable subscription.

  4. In the custom role form, for the Baseline permissions, choose Start from scratch.

  5. In the JSON tab of the custom role creation form, paste the text from the edited file you downloaded from the connector wizard.

  6. Save the custom role.

  7. Attach the custom role to the application you configured in the prerequisites for this procedure.

This template has the IAM permissions required for the capabilities that you selected in the previous step.

If you enabled the Kubernetes managed services option, you must separately configure permissions for AKS. For more information, see Managed Kubernetes Services Running on Azure (AKS).
8

Configure settings:

Attribute

Description

SubscriptionID

The ID of the Azure subscription that you are associating with this connector.

ClientID

The Application (client) ID from the application that you created in Azure for this connector.

TenantID

The Directory (tenant) ID from the application that you created in Azure for this connector.

Client Secret or Client Certificate

For authentication, you can use either a client secret or a client certificate and key. Obtain either from the Client credentials link in the application that you created in Azure for this connector. If you use a certificate: The certificate should be unencrypted. Only RSA certificates are supported. Private keys can be either PKCS1 or PKCS8.

HTTP Proxy

Proxy required for Secure Workload to reach Azure. Supported proxy ports: 80, 8080, 443, and 3128.

Full Scan Interval

Frequency with which Secure Workload refreshes complete inventory data from Azure. Default and minimum is 3600 seconds.

Delta Scan Interval

Frequency with which Secure Workload fetches incremental changes in inventory data from Azure. Default and minimum is 600 seconds.
9

Click Next. It may take a few minutes for the system to obtain the list of VNets and AKS clusters from Azure.
10

From the list of VNets and AKS clusters for each VNet, choose the VNets and AKS clusters for which you want to enable your selected capabilities.

Generally, you should enable flow ingestion as soon as possible, so that Secure Workload can begin to collect enough data to suggest accurate policies.

Note that since AKS only supports Gather Labels capability, no explicit capability selection has been provided. Selecting an AKS cluster will implicitly enable the supported capability. Upload the client certificate and key for each cluster for which you enable this functionality.

Generally, you should not choose Enable Segmentation during initial configuration. Later, when you are ready to enforce segmentation policy for specific VNets, you can edit the connector and enable segmentation for those VNets. See Best Practices When Enforcing Segmentation Policy for Azure Inventory.
11

Once your selections are complete, click Create and wait a few minutes for the validation check to complete.

The View Groups page shows all VNets that you enabled for any functionality on the previous page, grouped by region. Each region, and each VNet in each region, is a new scope.
12

(Optional) Choose the parent scope under which to add the new set of scopes. If you have not yet defined any scopes, your only option is the default scope.
13

(Optional) To accept all settings configured in the wizard including the hierarchical scope tree, click Save.

To accept all settings, except the hierarchical scope tree, click Skip this step.

You can manually create or edit the scope tree later, under Organize > Scopes and Inventory.

What to do next

If you have enabled gathering labels, ingesting flows data, and or segmentation:

  • If you enabled flow ingestion, it may take up to 25 minutes for flows to begin appearing on the Investigate > Traffic page.

  • (Optional) For richer flow data and other benefits including visibility into host vulnerabilities (CVEs), install the appropriate agent for your operating system on your VNet-based workloads. For requirements and details, see the agent installation chapter.

  • After you have successfully configured the Azure connector to gather labels and ingest flows, follow the standard process for building segmentation policies. For example: Allow Secure Workload to gather sufficient flow data to generate reliable policies; define or modify scopes (typically one for each VNet); create a workspace for each scope; automatically discover policies based on your flow data, and/or manually create policies; analyze and refine your policies; ensure that your policies meet the guidelines and best practices below; and then, when you are ready, approve and enforce those policies in the workspace. When you are ready to enforce segmentation policy for a particular VNet, return to the connector configuration to enable segmentation for the VNet. For more information, see Best Practices When Enforcing Segmentation Policy for Azure Inventory.

If you have enabled the Kubernetes managed services (AKS) option:

Event Log:

The event logs can be used to know significant events happening per connector from different capabilities. We can filter them using various attributes like Component, Namespace, Messages and Timestamp.

Previous topic Create an Azure Connector Next topic Edit an Azure Connector