Overview

To integrate with Azure start managing JIT access to Azure cloud resources, you must first install a connector in your Azure environment.

This is can be done by one of the following methods:

Using Terraform
Using Azure CLI

📘
What's a connector? What makes it so secure?
The Apono Connector is an on-prem connection that can be used to connect resources to Apono and separate the Apono web app from the environment for maximal security.
Read more about the recommended Azure Installation Architecture.

How to install the Connector

Using Terraform

Prerequisites

Required CLI: terraform
Administrator permission on the subscription you want to connect
Administrator permissions on AzureAD
Azure Container Instances service

Step 1 - Create a Connector

From the Integration Catalog, select Azure
Pick Subscription and then +Add new connector
Pick Terraform (Container Instance)
Copy the Token

Important: before you start, copy the connector Terraform params and export them in the terminal.

Step 2 - Install Apono Connector Module

module "connector" {
    source = "github.com/apono-io/terraform-modules/azure/connector-with-permissions/stacks/apono-connector"
    aponoToken = $APONO_TOKEN
    resourceGroup = $AZURE_RESOURCE_GROUP
    ipAddressType = // "Private" or "None"
    subnetIds = [$SUBNET_ID]
}

Run terraform init to validate it works

Validate the Connector is Connected

You can validate that the Connector is installed in the Connector status page.

Results

In the Apono app, you will see the connector was found and a green checkmark indication.

👍
You can now integrate an Azure Subscription

Using Azure CLI

Prerequisites

Required CLI: azure-cli
Administrator permission on the subscription you want to connect
Administrator permissions on AzureAD

Step 1 - Create a Connector

From the Integration Catalog, select Azure
Pick Subscription and then +Add new connector
Pick CLI (Container Instance)
Copy the Token

Step 2 - Install Apono Connector Module

Fill and enter the following environment variables:

export APONO_CONNECTOR_ID=apono-connector
export APONO_TOKEN=

export SUBSCRIPTION_ID=
export RESOURCE_GROUP_NAME=

export REGION=$(az group show --name $RESOURCE_GROUP_NAME --query location --output tsv)

Run the following command to deploy the connector on the Azure Container Instance service:

export PRINCIPAL_ID=$(az container create --subscription $SUBSCRIPTION_ID --resource-group $RESOURCE_GROUP_NAME --name $APONO_CONNECTOR_ID --ports 80 --os-type linux --image registry.apono.io/apono-connector:<<connectorVersion>> --environment-variables APONO_CONNECTOR_ID=$APONO_CONNECTOR_ID APONO_TOKEN=$APONO_TOKEN APONO_URL=api.apono.io CONNECTOR_METADATA='{"cloud_provider":"AZURE","subscription_id":"'"$SUBSCRIPTION_ID"'","resource_group":"'"$RESOURCE_GROUP_NAME"'","region":"'"$REGION"'","is_azure_admin":true}' --cpu 1 --memory 1.5 --registry-login-server registry.apono.io --registry-username apono --registry-password $APONO_TOKEN --location $REGION --assign-identity --query identity.principalId --output tsv)

Add the "User Access Administrator" role to the connector in the subscription scope:

az role assignment create --assignee-object-id $PRINCIPAL_ID --assignee-principal-type ServicePrincipal --role "User Access Administrator" --scope /subscriptions/$SUBSCRIPTION_ID

Add the "Directory Readers" role to the connector for Azure AD:

az rest --method POST --uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments' --body '{"principalId": "'"$PRINCIPAL_ID"'", "roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b", "directoryScopeId": "/"}'

Validate the Connector is Connected

You can validate that the Connector is installed in the Connector status page.

Results

In the Apono app, you will see the connector was found and a green checkmark indication.

👍
You can now integrate an Azure Subscription