Microsoft Azure, formerly known as Windows Azure, is Microsoft’s public cloud computing platform. It provides a range of cloud services, including compute, analytics, storage and networking. Users can pick and choose from these services to develop and scale new applications, or run existing applications in the public cloud.
Account Types Supported
Microsoft offers multiple ways by which one can buy Azure subscriptions. At a high level there are three channels:
- Enterprise Agreement – For medium to large enterprises looking at making a pre-commit on the amount of Azure resource consumption. This is typically a Pre-Paid annual payment. The following diagram illustrates simple Azure EA hierarchies:
CoreStack currently manages EA subscriptions in the same way as Pay-As-You-Go subscriptions. However, in upcoming releases, we will support EA subscription management through CoreStack, similar to the capability that we provide for CSP subscriptions today.
- Pay-As-You-Go – For small and medium organizations who would choose to use a Pay-As-You-Go model. Credits can be added through activation of open license key bought from Microsoft resellers. Also available through web direct options, purchased through Microsoft websites.
- CSP Partners – For small and medium organizations who would choose to use a post-paid Pay-As-You-Go model. This is available through Cloud Solutions Providers – CSP Partners. There are different tiers of CSP Partners available for Microsoft. Only CSP Direct (Tier-1) is supported.
Note: Customers using a CSP Partner subscription will not have direct access to the billing details. The billing details can only be obtained through the Partner Center portal. CoreStack requires the CSP parent account to be added in order to show the end customer's billing and usage data in the Cost Analytics section.
Azure Services Supported
The following table describes the Azure Services coverage for various features available in CoreStack:
|Compute||Virtual Machines||Virtual Machines|
|Azure Kubernetes Service||Cluster|
|Databases||Cosmos DB||Database Accounts|
|Integration||API Management||Service List|
|Web||App Services||Web Apps|
|Container Instances||Container Groups|
|Container Services||Container Services|
|Network||Express Route||Express Route Circuits|
|Virtual Networks||Traffic Manager Profiles|
|Virtual Networks||Network Interface|
|Virtual Networks||Public IP Address|
|Virtual Networks||Virtual Network|
|Virtual Networks||Network Security Group|
|Load Balancers||Load Balancer|
|Application Gateway||Application Gateway|
Permissions Required with reasons
CoreStack requires Contributor access to the following Service Providers. However, the account owner can restrict access to only the specific services that will be managed through CoreStack.
The following table explains why access to each service is needed:
|Azure Provider||Product/Category||Reader Access (For Discovery)||Contributor Access (For Actions)||Remarks|
||Mandatory||Mandatory||CoreStack creates a Storage account for the Self-Service Module to use.|
|Microsoft.PolicyInsights(Resource Policy Contributor)||Policy Creation||Mandatory||Mandatory|
||Mandatory||Mandatory||Only in case of SSO|
|Microsoft.Billing||Cost Management||Mandatory||Mandatory||Cost Analytics|
Preferred: The access is not mandatory; however, some features will not be functional without it.
Optional: Not mandatory. As with Preferred, core features will continue to work, but some low-level actions will be impacted.
Mandatory: Non-negotiable. This access is needed even to on-board an account with read-only permissions.
Impact on the Azure Subscription
As part of the on-boarding process, CoreStack creates resources and applies some configurations in Azure.
A new resource group with the prefix “CS-” will be created to store all alerts and activity rules created by CoreStack.
All Self-service provisioned resources would be created under this group if no resource group is selected during ordering.
Alert Rules and Alert Action:
Alert rules will be created if the thresholds are configured during on-boarding.
A new alert action will be added to the created rules to invoke CoreStack notification webhook when threshold alert is triggered.
CoreStack will create the Policy Definitions and Assignments based on the governance rules selected during on-boarding of the account.
CoreStack will enable the Free-tier or Standard Tier for the resources based on the selection during on-boarding. (Enabling Standard Tier has cost implications, please exercise caution during configuration)
Billing Impact due to CoreStack onboarding
Configuring your account with CoreStack has no billing impact in itself until certain services are consumed through CoreStack. The following are the areas where there might be cost implications:
|Feature||Free Units Included||Price||CS Remarks|
|Alert Notifications||100,000 web hooks||$0.60/1,000,000 web hooks|
|Dynamic Thresholds||None||$0.10 per dynamic threshold per month||CoreStack doesn’t create Dynamic Thresholds as part of account on-boarding. However, you can configure through Operations template|
|Azure Security Centre||Free Tier||Pricing varies per resource type. Please see here||Standard Tier if opted will have higher cost impact|
|Monitoring Metrics||10 monitored metric time-series per month||$0.10 per metric time-series monitored per month|
Pre-Requisite Set-up in Azure:
CoreStack uses the Daemon Application scenario with the OAuth 2.0 Client Credentials flow and grant type, as depicted here. The Client Credentials flow requires a valid Application registration to be created for a specific Azure subscription to successfully allow access to the required Azure resources.
To onboard your subscription into CoreStack, you will require the following values. The instructions to get these 4 values from your Azure subscription are provided below.
- Tenant ID
- Application ID
- Application Secret
- Subscription Info
As you retrieve each of these values, keep them ready in a notepad to be able to copy paste into CoreStack while onboarding.
Step-1: Fetch Tenant ID
Log in to the Azure Portal (https://portal.azure.com).
1. Go to Azure Active Directory. You can either select it from the Left Navigation Menu or simply use the search bar at the top to search for it.
2. Once the Azure Active Directory service is opened, you will find the Tenant ID in the overview page as shown below:
3. You can click on the copy icon to copy the Tenant ID to clipboard and paste it into your notepad. Stay right on the same page to continue with Step-2.
Step-2: Fetch Application ID
1. Now within the Azure Active Directory look for “App Registrations” in the Left Navigation Menu. Alternatively, you can also directly search for “App Registrations” in the search bar.
2. You need to create a new app registration, unless you already have an app that you intend to use for onboarding into CoreStack. Click on “New registration” at the top to start.
3. Provide a Name for the App, such as “CoreStack.App”. You can leave the other options in default (Supported account types can be Single Tenant and Redirect URI can be blank)
4. Click on “Register” button below to complete the process.
5. Once the App is created, select the app from the applications list to view the details as below
6. Copy the Application (Client) ID and paste it into your notepad. The Directory (Tenant) ID is same as what you copied already in Step-1.
Step-3: Fetch Application Secret
The Application Secret is the password or key that you need to provide for the specific app that was just created. You can create one from the same App page.
1. Look for “Certificates & Secrets” on the left menu while staying in the CoreStack.App page. Click on it to go to that blade.
2. Look for the section “Client secrets” in the right panel and click on the button “New client secret”
3. Provide a Name or Description and click on Add. You can leave the duration at the default value of 1 year. You can revoke this anytime later if required.
4. You can see that the secret is now added and there is an expiry date and a key value for the same. You must copy the key value and keep it in your notepad.
Step-4: Fetch Subscription
1. Navigate to Subscriptions page by searching from the search bar at the top. You can also use the “Cost Management and Billing” option from the Left Navigation menu.
2. Once at the Subscriptions page, you will see the list of Subscriptions under the selected AD Tenant
3. Select the subscription that you plan to onboard into CoreStack to load details about that Subscription. You will find the details of the subscription in the “Overview” page.
4. Copy the Subscription ID and the Subscription Name from here and keep them in your notepad. Stay right on the same page to continue with Step-5.
Step-5: IAM Access for App
The app that we created above in Step-2 must have the required access within the subscription that you plan to onboard into CoreStack. To provide the access, please follow the below steps.
1. Within the Subscription page look for “Access Control (IAM)” on the left menu. Click on that.
2. Once you are in the IAM page, click on “+ Add” option at the top and select “Add Role Assignment” option.
3. You will see a right panel for Add role assignment. Start by selecting the Role from the dropdown. Select the value “Contributor”.
4. The next field “Assign access to” can remain with default value “Azure AD user, group, or service principal”
5. In the user selection, search for the app name – in this example “CoreStack.App” and click on it
6. Click on Save button to complete the process. Once saved, you will see the Role Assignments listed as below:
7. Repeat the steps 2 to 6 above with the Role as “Resource Policy Contributor” and everything else remaining the same. Once completed, you will see the role assignments as below:
You are now all set to begin the on-boarding process into CoreStack. Happy On-boarding!
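As an added example (not CoreStack's code), the Python sketch below builds the OAuth 2.0 client-credentials token request that a daemon application makes from the Tenant ID, Application ID and Application Secret, and compares a list of role assignments with the two roles granted in Step-5. All identifiers and role-assignment records are constructed placeholders; the record fields principalId, roleDefinitionName and scope follow the output of "az role assignment list", and the request is built but never sent.

```python
import re
import urllib.parse
import urllib.request

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
EXPECTED_ROLES = {"Contributor", "Resource Policy Contributor"}  # from Step-5


def build_token_request(tenant_id, app_id, app_secret):
    """Build, without sending, the client-credentials token request."""
    for name, value in (("Tenant ID", tenant_id), ("Application ID", app_id)):
        if not GUID.match(value):
            raise ValueError(f"{name} is not a GUID: {value!r}")
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": app_secret,  # sent only in the POST body
        "scope": "https://management.azure.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return urllib.request.Request(url, data=body, method="POST")


def audit_role_assignments(assignments, principal_id, subscription_id):
    """Return findings where the app's roles differ from what Step-5 grants."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    held, findings = set(), []
    for a in assignments:
        if a["principalId"] != principal_id:
            continue
        role, scope = a["roleDefinitionName"], a["scope"].lower()
        if scope == sub_scope:
            held.add(role)
            if role not in EXPECTED_ROLES:
                findings.append(f"unexpected role: {role}")
        elif not scope.startswith(sub_scope + "/"):
            findings.append(f"{role} assigned outside subscription: {scope}")
    findings += [f"missing role: {r}" for r in sorted(EXPECTED_ROLES - held)]
    return findings


# Constructed sample values, not real identifiers.
TENANT = "11111111-1111-1111-1111-111111111111"
APP = "22222222-2222-2222-2222-222222222222"
SUB = "33333333-3333-3333-3333-333333333333"
SP_OBJECT = "44444444-4444-4444-4444-444444444444"  # service principal object ID
SAMPLE = [
    {"principalId": SP_OBJECT, "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB}"},
    {"principalId": SP_OBJECT, "roleDefinitionName": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/constructed-mg"},
]

if __name__ == "__main__":
    req = build_token_request(TENANT, APP, "constructed-secret")
    print(req.get_method(), req.full_url)
    for finding in audit_role_assignments(SAMPLE, SP_OBJECT, SUB):
        print("FINDING:", finding)
```

On the constructed sample the audit reports the Owner assignment made above the subscription and the missing Resource Policy Contributor role.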
To start setting up Azure account, follow the below steps:
1. Navigate to Settings > Cloud Accounts from top right
2. From the Cloud Accounts page, select “Azure” from the different clouds on the left side
3. Once on Azure onboarding page, click on “New Account” button at the top right and select “Single
This will initiate the onboarding process. It has 4 tabs as part of the workflow which are explained in detail in the sub-sections below.
This section requires the information that we collected while setting up the pre-requisites in the Azure account, along with some more information to help CoreStack understand how to govern this subscription.
The fields in the Authentication page are explained in the table below:
|Account Name||Enter the name of the Account. You can choose any meaningful name to help you recognize this account. It is recommended to have the account type, name and environment as part of the name. Ex: CSP_Azure_Finance_Dev|
|Description||Provide a short description about the account.|
|Settings||Here, you can select the configuration settings for your cloud account. There are 3 options to choose from – None, Express and Custom.
|Environment||Select the appropriate environment for your cloud account as it determines the governance settings. The Environment list consists of – Production, Staging, QA and Development. For example, if the cloud account is used for development, then select that from the list.|
|Scope||Select the scope for your account. That is:
|Tenant ID||This is the unique identifier of the Azure Active Directory instance. Refer to the Pre-Requisites section to know how to fetch this value.|
|Application ID||This is the identifier generated while creating an App Registration in the Azure Active Directory. Refer to the Pre-Requisites section to know how to fetch this value.|
|Application Secret||This is the secret key CoreStack will use when communicating with Azure Active Directory. Refer to the Pre-Requisites section to know how to fetch this value.|
|Subscription||Select a subscription option from the drop down list that appears. This list will contain the subscriptions within the Active Directory Tenant that is provided. The Application ID must have IAM access for the selected subscription to be able to proceed.|
|Subscription Type||Select the subscription type from the options – Pay As You Go, CSP, EA. For descriptions of these account types, please refer to the Account Types Supported section above.|
|Currency||Select the currency used for billing for this account. Currently supported values include US Dollars (USD), Indian Rupees (INR) and Swedish Krona (SEK)
Note: The currency value cannot be changed after onboarding. You will have to delete and re-onboard the account if you need to change the currency. This is because all billing history is stored in the selected currency and it is not possible to go back and modify that data.
In the Activation section you can select the Compute, Storage, Network, Database, and Web cloud resource types that can be managed by CoreStack.
Cloud Products that can be added to be monitored/managed through CoreStack are:
Under Configuration, we can provide the requisite settings to manage the 4Cs of governance – CloudOps, Compliance, Consumption and Cost.
This section handles all the configuration settings associated with alerts, notifications and reports.
CoreStack issues alerts in the situation where set threshold limits are exceeded for the associated cloud account. The alerts set here appear in the CloudOps Dashboard under the Threshold Alerts section. Let us take the example of CPU alert under Compute – Virtual Machines. You can set an alert stating that a CPU Utilization above a threshold limit of say, 90%, is to be flagged. This alert will be sent as an email as well as flash in the CloudOps Dashboard.
|Threshold||This is where the numerical value can be provided.|
|Operator||Greater than, Greater than or equal, Lesser than or equal, Lesser than|
|Aggregation||This determines how the actual performance value is compared with the threshold. For example, whether the average monthly CPU utilization or the maximum value hit at a specific time is compared to the threshold.|
|Window Size||The time interval to check if the actual metric is crossing the threshold set. For example, the comparison should be made every 30 minutes or every 4 hours or every day. The value is shown as PT1H45M, where:
PT stands for Period Time
1H stands for 1 hour
45M stands for 45 minutes
|Resolve Alert||Alert created for the resource based on the metric configured can be resolved with selected actions.|
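As an added example (not CoreStack's or Azure's evaluator), the Python sketch below parses a Window Size value such as PT1H45M and applies the Threshold, Operator and Aggregation fields from the table above to a series of samples. The aggregation names "Average" and "Maximum", the half-open window ending at the evaluation time, and the CPU samples are assumptions constructed for illustration.

```python
import operator
import re
from datetime import datetime, timedelta
from statistics import mean

DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")
OPERATORS = {  # operator names as listed in the table
    "Greater than": operator.gt,
    "Greater than or equal": operator.ge,
    "Lesser than or equal": operator.le,
    "Lesser than": operator.lt,
}
AGGREGATIONS = {"Average": mean, "Maximum": max}  # assumed names


def parse_window(text):
    """Convert a time-only ISO 8601 duration such as PT1H45M to a timedelta."""
    m = DURATION.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported window size: {text!r}")
    hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def alert_fires(samples, now, window, aggregation, op, threshold):
    """Aggregate the samples in the window ending at `now`, then compare."""
    start = now - parse_window(window)
    values = [v for ts, v in samples if start < ts <= now]
    if not values:
        return False  # no data in the window, so nothing to compare
    return OPERATORS[op](AGGREGATIONS[aggregation](values), threshold)


# Constructed CPU utilisation samples (percent), one every 15 minutes,
# newest first: 12:00 -> 70, 11:45 -> 96, ... 10:15 -> 99.
NOW = datetime(2024, 1, 1, 12, 0)
CPU = [(NOW - timedelta(minutes=15 * i), v)
       for i, v in enumerate([70, 96, 72, 68, 75, 71, 69, 99])]

if __name__ == "__main__":
    for agg in ("Average", "Maximum"):
        for window in ("PT15M", "PT30M", "PT1H45M"):
            fired = alert_fires(CPU, NOW, window, agg, "Greater than", 90)
            print(f"{agg:8} over {window:8} > 90%: {fired}")
```

With these samples the 96% spike trips a Maximum rule over PT30M or PT1H45M but never an Average rule, and a PT15M window misses it entirely.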
You can select the activities for which notifications should be sent as an email to you. The activity list is populated based on the Environment selected in the Authentication section.
This section enables you to add the email and webhook using which notifications can be sent to you. Enter a valid email address and webhook in the respective fields.
Here, you can select the reports that will be sent to the user account at the end of the day. The two reports available are:
- Daily Cost by Cloud Accounts
This shows breakup of daily costs incurred by the cloud account.
- Template Execution Summary
This report shows the number of templates executed during the day, how many of them were successful and how many failed.
Compliance is one of the pillars of good cloud governance. It is vital to configure the requisite settings right at the start to ensure compliance. This section is split into two sections: Governance Rules and Schedules.
Tags help to organize Azure cloud resources, and simplify the billing process.
|Append Tags||Using CoreStack, you can add tags and the corresponding values will be appended for all the resources provisioned hereafter either through the Azure portal or through CoreStack.|
|Enforced Tags||Enforced tags are tags whose associated resources are actively monitored, with any non-compliance reported in the Compliance dashboard.|
Resource Lock will enable Termination protection at Resource Group level.
Here, select the policies that you want to be applicable for your cloud account. There are different types of policies you can select from – Standards, Security, Cost Optimization and Availability.
This is to provide rules for scheduling auto shutdown of the virtual machine associated with the cloud account.
The options available are:
|Shutdown Details||The frequency of the shutdown must be mentioned here. For example, Daily.|
|Shutdown Time||Select the time at which the VM shutdown must be initiated.|
|Restart Time||Select the time at which the VM should get restarted.|
|Applicable Tags||Add tags to specify which VMs should be auto shut down.|
|Exclude Resource Groups||Select the Resource Groups whose VMs should not be auto shut down.|
This section highlights the settings for VMs specific to this cloud account in the Self Service Catalog. Here you can select the Operating Systems, Resource Groups, Preferred Regions and Compute Sizes for VMs.
Fill these fields:
|Operating System||Select the Operating Systems that will be made available as Self Service catalog option for your CoreStack account.|
|Resource Group||Resource Group is referred by CoreStack for any configuration and storage account required to store the monitoring and insight data temporarily. Resource Group names only allow alphanumeric characters, underscores, hyphens and parentheses. You can also use periods, but you cannot end the name with it.|
|Preferred Region||Provide the list of regions that users are allowed to choose from when ordering resources through the Self-Service catalog.|
|Preferred Compute Size||Provide the list of Compute Sizes that should be allowed for the users in your account while creating a Self Service Order.|
You can configure the budget for this specific cloud account in this section. The budget set here is taken into account when computing the cost analytics and is displayed accordingly in the Cost Analytics Dashboard. You can specify the Daily, Weekly and Monthly budget here.
Users can define their own budget and enter it manually in the User Defined section.
The suggested Auto Calculated Cost is derived by the system from the usage trends of the account under review.
This is the last step in the onboarding process. The list of Roles in CoreStack for this Tenant will be displayed. You need to select the Roles that can have access to this cloud account. However, the level of access will depend on the role.
After selecting the roles, you can click on the “Finish” button to complete the process.
Manage Onboarded Accounts
You can come back and view/edit the settings of the Azure account from the same page: Settings > Cloud Accounts > Azure.
Click on the account to view the settings already provided. You will see the details of the account as shown below:
All the configurations done during the onboarding can be viewed here. You can also view the status of the onboarding in the left bottom of this page:
If you need to modify the settings, click on the 3 dots menu at right end to select “Edit” and modify any of the settings. The process is very similar to the onboarding steps explained above.