Apono Connector for Azure
Learn how to deploy a connector in an Azure environment
The Apono connector is an on-prem component that connects your resources to Apono while keeping the Apono web app separate from your environment, for maximum security.
Once the connector has been installed in an Azure environment, you can use Apono to automate permission management in Azure.
Prerequisites
Item | Description
---|---
Apono Token | Account-specific Apono authentication value. Follow these steps to obtain your token:
Command Line Interface (CLI) | Tool that enables interacting with Azure services using your command-line shell:
Resource Group Name | Name of the Azure resource group
Subscription ID | Identifier for the Azure subscription
User Access Administrator Role | Azure subscription role that enables managing user access to Azure resources
User Administrator Role | Microsoft Entra role that enables the following tasks:
Install a new connector
Apono supports the following installation approaches: Azure CLI, PowerShell, and Terraform CLI.
Azure CLI
Follow these steps to set up a new connector:
- At the shell prompt, set the APONO_CONNECTOR_ID environment variable to apono-connector.

  ```bash
  export APONO_CONNECTOR_ID=apono-connector
  ```

- Set the APONO_TOKEN environment variable to your account token.

  ```bash
  export APONO_TOKEN=<APONO_TOKEN>
  ```

- Set the SUBSCRIPTION_ID environment variable to the Azure subscription ID.

  ```bash
  export SUBSCRIPTION_ID=<AZURE_SUBSCRIPTION_ID>
  ```

- Set the RESOURCE_GROUP_NAME environment variable to the Azure resource group name.

  ```bash
  export RESOURCE_GROUP_NAME=<AZURE_RESOURCE_GROUP_NAME>
  ```

- Set the REGION environment variable to the location of the resource group.

  ```bash
  export REGION=$(az group show --name $RESOURCE_GROUP_NAME --query location --output tsv)
  ```

- Run the following command to deploy the connector on the Azure Container Instance service. The command creates the container group with a system-assigned managed identity and stores that identity's principal ID in PRINCIPAL_ID for the role assignments that follow.

  ```bash
  export PRINCIPAL_ID=$(az container create \
    --subscription $SUBSCRIPTION_ID \
    --resource-group $RESOURCE_GROUP_NAME \
    --name $APONO_CONNECTOR_ID \
    --ports 80 \
    --os-type linux \
    --image registry.apono.io/apono-connector:v1.5.3 \
    --environment-variables \
      APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID \
      APONO_TOKEN=$APONO_TOKEN \
      APONO_URL=api.apono.io \
      CONNECTOR_METADATA='{"cloud_provider":"AZURE","subscription_id":"'"$SUBSCRIPTION_ID"'","resource_group":"'"$RESOURCE_GROUP_NAME"'","region":"'"$REGION"'","is_azure_admin":true}' \
    --cpu 1 \
    --memory 1.5 \
    --registry-login-server registry.apono.io \
    --registry-username apono \
    --registry-password $APONO_TOKEN \
    --location $REGION \
    --assign-identity \
    --query identity.principalId \
    --output tsv)
  ```

- Add the User Access Administrator role to the connector identity at the subscription scope.

  ```bash
  az role assignment create --assignee-object-id $PRINCIPAL_ID --assignee-principal-type ServicePrincipal --role "User Access Administrator" --scope /subscriptions/$SUBSCRIPTION_ID
  ```

- Add the Directory Readers role to the connector identity in Azure AD (Microsoft Entra ID). The roleDefinitionId in the request body is the Directory Readers role template ID.

  ```bash
  az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b", "directoryScopeId": "/"}'
  ```

- On the Connectors page, verify that the connector has been updated.
PowerShell
Follow these steps to set up a new connector:
- At the shell prompt, set the APONO_CONNECTOR_ID variable to apono-connector.

  ```powershell
  $APONO_CONNECTOR_ID = "apono-connector"
  ```

- Set the APONO_TOKEN variable to your account token.

  ```powershell
  $APONO_TOKEN = "<APONO_TOKEN>"
  ```

- Set the SUBSCRIPTION_ID variable to the Azure subscription ID.

  ```powershell
  $SUBSCRIPTION_ID = "<AZURE_SUBSCRIPTION_ID>"
  ```

- Set the RESOURCE_GROUP_NAME variable to the Azure resource group name.

  ```powershell
  $RESOURCE_GROUP_NAME = "<AZURE_RESOURCE_GROUP_NAME>"
  ```

- Set the REGION variable to the location of the resource group.

  ```powershell
  $REGION = (Get-AzResourceGroup -Name $RESOURCE_GROUP_NAME).Location
  ```

- Run the following commands to deploy the connector on the Azure Container Instance service. The last command creates the container group with a system-assigned managed identity and stores that identity's principal ID in PRINCIPAL_ID for the role assignments that follow.

  ```powershell
  $port = New-AzContainerInstancePortObject -Port 80 -Protocol TCP
  $env_var1 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_CONNECTOR_ID" -Value $APONO_CONNECTOR_ID
  $env_var2 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_TOKEN" -Value $APONO_TOKEN
  $env_var3 = New-AzContainerInstanceEnvironmentVariableObject -Name "APONO_URL" -Value "api.apono.io"
  $jsonValue = @{
      cloud_provider  = "AZURE"
      subscription_id = $SUBSCRIPTION_ID
      resource_group  = $RESOURCE_GROUP_NAME
      region          = $REGION
      is_azure_admin  = $true
  } | ConvertTo-Json -Compress
  $env_var4 = New-AzContainerInstanceEnvironmentVariableObject -Name "CONNECTOR_METADATA" -Value $jsonValue
  $container = New-AzContainerInstanceObject -Image registry.apono.io/apono-connector:v1.5.3 -Name $APONO_CONNECTOR_ID -Port @($port) -EnvironmentVariable @($env_var1, $env_var2, $env_var3, $env_var4) -RequestCpu 1 -RequestMemoryInGb 1.5
  $imageRegistryCredential = New-AzContainerGroupImageRegistryCredentialObject -Server "registry.apono.io" -Username "apono" -Password (ConvertTo-SecureString $APONO_TOKEN -AsPlainText -Force)
  $PRINCIPAL_ID = (New-AzContainerGroup -SubscriptionId $SUBSCRIPTION_ID -ResourceGroupName $RESOURCE_GROUP_NAME -Name $APONO_CONNECTOR_ID -Container $container -OsType Linux -ImageRegistryCredential $imageRegistryCredential -Location $REGION -IdentityType "SystemAssigned").IdentityPrincipalId
  ```

- Add the User Access Administrator role to the connector identity at the subscription scope.

  ```powershell
  New-AzRoleAssignment -ObjectId $PRINCIPAL_ID -ObjectType "ServicePrincipal" -RoleDefinitionName "User Access Administrator" -Scope /subscriptions/$SUBSCRIPTION_ID
  ```

- Add the Directory Readers role to the connector identity in Azure AD (Microsoft Entra ID). The roleDefinitionId in the payload is the Directory Readers role template ID.

  ```powershell
  $payload = @{ principalId = $PRINCIPAL_ID; roleDefinitionId = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"; directoryScopeId = "/" } | ConvertTo-Json -Depth 3
  Invoke-AzRestMethod -Method POST -Uri https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments -Payload $payload
  ```

- On the Connectors page, verify that the connector has been updated.
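Both the Azure CLI and the PowerShell procedures above leave the connector's managed identity with exactly two grants: User Access Administrator at subscription scope and Directory Readers in the directory. The following Python script is an added example, not Apono's code: it audits those grants for drift by reading the JSON that `az role assignment list --assignee $PRINCIPAL_ID --all --output json` and the Graph roleAssignments endpoint (filtered to the principal) return, and reports any assignment beyond the two documented ones or any documented one that is missing. The sample inputs, the subscription ID and the second directory role's template ID are constructed placeholders.

```python
import json

# The two grants the documented procedure makes to the connector identity.
EXPECTED_RBAC_ROLE = "User Access Administrator"
DIRECTORY_READERS_TEMPLATE_ID = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"


def audit_connector_identity(rbac_assignments, graph_response, subscription_id):
    """Compare the identity's actual grants with the documented ones.

    rbac_assignments: parsed output of `az role assignment list --assignee <id> --all`
    graph_response:   parsed Graph roleAssignments response for the same principal
    Returns a list of findings; an empty list means no drift.
    """
    findings = []
    expected_rbac = {(EXPECTED_RBAC_ROLE, f"/subscriptions/{subscription_id}")}
    actual_rbac = {(a["roleDefinitionName"], a["scope"]) for a in rbac_assignments}
    for role, scope in sorted(actual_rbac - expected_rbac):
        findings.append(f"unexpected RBAC assignment: {role} at {scope}")
    for role, scope in sorted(expected_rbac - actual_rbac):
        findings.append(f"missing RBAC assignment: {role} at {scope}")

    expected_dir = {(DIRECTORY_READERS_TEMPLATE_ID, "/")}
    actual_dir = {(r["roleDefinitionId"], r["directoryScopeId"]) for r in graph_response["value"]}
    for role_id, scope in sorted(actual_dir - expected_dir):
        findings.append(f"unexpected directory role {role_id} at scope {scope}")
    for role_id, scope in sorted(expected_dir - actual_dir):
        findings.append(f"missing directory role {role_id} at scope {scope}")
    return findings


# Constructed sample data (not real output): the documented grants plus two that
# drifted in later, an Owner assignment at management-group scope and a second
# directory role whose template id is a placeholder.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_RBAC = json.loads("""[
  {"roleDefinitionName": "User Access Administrator",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"roleDefinitionName": "Owner",
   "scope": "/providers/Microsoft.Management/managementGroups/root-mg"}
]""")
SAMPLE_GRAPH = json.loads("""{"value": [
  {"roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b", "directoryScopeId": "/"},
  {"roleDefinitionId": "11111111-1111-1111-1111-111111111111", "directoryScopeId": "/"}
]}""")

if __name__ == "__main__":
    for finding in audit_connector_identity(SAMPLE_RBAC, SAMPLE_GRAPH, SUBSCRIPTION_ID):
        print(finding)
```

Run it on a schedule against the live output of the two commands; a non-empty result means the connector identity no longer matches what this page grants it.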
Terraform CLI
Follow these steps to set up a new connector:
- At the shell prompt, set the APONO_TOKEN environment variable to your account token.

  ```bash
  export APONO_TOKEN=<APONO_TOKEN>
  ```

- Set the RESOURCE_GROUP_NAME environment variable to the Azure resource group name.

  ```bash
  export RESOURCE_GROUP_NAME=<AZURE_RESOURCE_GROUP_NAME>
  ```

- Set the SUBNET_ID environment variable to the ID of the Azure subnet the connector will use.

  ```bash
  export SUBNET_ID=<SUBNET_ID>
  ```
-
- In a new or existing Terraform (.tf) file, add the following provider and module information to create a connector with permissions or without permissions. Replace the placeholders with the values of the APONO_TOKEN, RESOURCE_GROUP_NAME, and SUBNET_ID variables set above.

  - With permissions: Installs the connector in the cloud environment and lets it manage access to Azure resources.

    ```hcl
    module "connector" {
      source        = "github.com/apono-io/terraform-modules/azure/connector-with-permissions/stacks/apono-connector"
      aponoToken    = "<APONO_TOKEN>"
      resourceGroup = "<AZURE_RESOURCE_GROUP_NAME>"
      ipAddressType = "Private" # "Private" or "None"
      subnetIds     = ["<SUBNET_ID>"]
    }
    ```

  - Without permissions: Installs the connector in the cloud environment without Azure permissions, so that it manages access only to non-Azure resources, such as self-hosted databases.

    ```hcl
    module "connector" {
      source        = "github.com/apono-io/terraform-modules/azure/connector-without-permissions/stacks/apono-connector"
      aponoToken    = "<APONO_TOKEN>"
      resourceGroup = "<AZURE_RESOURCE_GROUP_NAME>"
      ipAddressType = "Private" # "Private" or "None"
      subnetIds     = ["<SUBNET_ID>"]
    }
    ```
- At the Terraform CLI, download and install the provider plugin and module.

  ```bash
  terraform init
  ```

- Apply the Terraform changes. Terraform lists the proposed changes and prompts for confirmation.

  ```bash
  terraform apply
  ```

- Enter yes to confirm deploying the changes to your Azure account.

- On the Connectors page, verify that the connector has been deployed.