Microsoft Azure, formerly known as Windows Azure, is Microsoft’s public cloud computing platform. It provides a range of cloud services, including compute, analytics, storage and networking. Users can pick and choose from these services to develop and scale new applications, or run existing applications in the public cloud.

Account Types Supported

Microsoft offers multiple ways by which one can buy Azure subscriptions. At a high level there are three channels:

  • Enterprise Agreement – For medium to large enterprises looking at making a pre-commit on the amount of Azure resource consumption. This is typically a Pre-Paid annual payment. The following diagram illustrates simple Azure EA hierarchies:
    CoreStack currently manages EA subscriptions in the same way as the Pay-As-You-Go model. However, in upcoming releases, EA subscription management through CoreStack will be supported, similar to the capability provided for CSP subscriptions today.
  • Pay-As-You-Go – For small and medium organizations who would choose to use a Pay-As-You-Go model. Credits can be added through activation of open license key bought from Microsoft resellers. Also available through web direct options, purchased through Microsoft websites.
  • CSP Partners – For small and medium organizations who would choose to use a post-paid Pay-As-You-Go model. This is available through Cloud Solutions Providers – CSP Partners. There are different tiers of CSP Partners available for Microsoft. Only CSP Direct (Tier-1) is supported.

Note: Customers using a CSP Partner subscription will not have direct access to the billing details. The billing details can only be obtained through the Partner Center portal. CoreStack requires the CSP parent account to be added in order to show the end customer's billing and usage data in the Cost Analytics section.

Azure Services Supported

The following table describes the Azure Services coverage for various features available in CoreStack:

| Category | Resource Type | Resource |
|---|---|---|
| Compute | Virtual Machines | Virtual Machines |
| Compute | Azure Kubernetes Service | Cluster |
| Compute | Others | Availability Sets |
| Storage | Recovery Services | Vaults |
| Storage | Storage Disks | Disks |
| Storage | Accounts | Storage Accounts |
| Databases | Cosmos DB | Database Accounts |
| Databases | Servers | MySQL |
| Databases | Servers | PGSQL |
| Databases | Servers | MSSQL |
| Integration | API Management | Service List |
| Integration | Logic Apps | Workflows |
| Web | App Services | Web Apps |
| Container | Container Registry | Registry |
| Container | Container Instances | Container Groups |
| Container | Container Services | Container Services |
| Analytics | Data Factory | Factories |
| Network | Express Route | Express Route Circuits |
| Network | Virtual Networks | Traffic Manager Profiles |
| Network | Virtual Networks | Network Interface |
| Network | Virtual Networks | Public IP Address |
| Network | Virtual Networks | Virtual Network |
| Network | Virtual Networks | Network Security Group |
| Network | Load Balancers | Load Balancer |
| Network | Application Gateway | Application Gateway |
| Network | Route | Route Table |

Permissions Required with reasons

CoreStack requires Contributor access to the following Service Providers. However, the account owner can restrict access to only the specific services that will be managed through CoreStack.

The following table explains the need for access to each service, with the rationale:

| Azure Provider | Product/Category | Reader Access (For Discovery) | Contributor Access (For Actions) | Remarks |
|---|---|---|---|---|
| Microsoft.Compute | Virtual Machines, Virtual Machines Scale Sets, Virtual Machines Sizes, Availability Sets, Image Publishers, Images, Disks | Preferred | Optional | |
| Microsoft.ContainerInstance | Container Groups | Preferred | Optional | |
| Microsoft.ContainerRegistry | Container Registry | Preferred | Optional | |
| Microsoft.ContainerService | Container Service, Kubernetes | Preferred | Optional | |
| Microsoft.Storage | Storage accounts, Storage Snapshots | Mandatory | Mandatory | CoreStack creates a Storage account for the Self-Service Module to use. |
| Microsoft.RecoveryServices | Recovery Vault | Preferred | Optional | |
| Microsoft.Network | Route Tables, Network Security Group, Virtual Networks, Public IP Address, Traffic Manager Profiles, Load Balancer, Express Routes, Application Gateway, Application Gateway Available SSL Policy | Preferred | Optional | |
| Microsoft.Sql | SQL | Preferred | Optional | |
| Microsoft.DBforPostgreSQL | PGSQL | Preferred | Optional | |
| Microsoft.DBforMySQL | MySQL | Preferred | Optional | |
| Microsoft.Web | Sites | Preferred | Optional | |
| Microsoft.ApiManagement | ServiceList | Mandatory | Mandatory | Auth Validation |
| Microsoft.Logic | Logic Services | Preferred | Optional | |
| Microsoft.DataFactory | DataFactories | Preferred | Optional | |
| Microsoft.Commerce | Finance | Mandatory | Mandatory | Cost Analytics |
| Microsoft.OperationalInsights | Alerts, Utilization | Mandatory | Mandatory | |
| Microsoft.PolicyInsights (Resource Policy Contributor) | Policy Creation | Mandatory | Mandatory | |
| Microsoft.Authorization | Auth Service | Mandatory | Mandatory | |
| Microsoft.Insights | Metrics, Activity logs | Mandatory | Mandatory | |
| Microsoft.AzureActiveDirectory | ListRoles, List Users, Users Basic Profile | Mandatory | Mandatory | Only in case of SSO |
| Microsoft.Security | Azure Security Center, Azure Threat Management | Preferred | Optional | |
| Microsoft.DevTestLab | Auto Shutdown | Optional | Optional | |
| Microsoft.Billing | Cost Management | Mandatory | Mandatory | Cost Analytics |
| Azure Policy | | | | |

Preferred: The access is not mandatory; however, some of the features will not be functional without it.

Optional: Not mandatory. Similar to Preferred, core features will continue to work, but some low-level actions will be impacted.

Mandatory: Non-negotiable. This access is needed even to on-board an account with read-only permissions.

Impact on the Azure Subscription

As part of the on-boarding process, CoreStack creates resources and applies some configurations in Azure.

Resource Group:
A new resource group with the prefix “CS-” will be created to store all alerts and activity rules created by CoreStack.
All Self-Service provisioned resources will be created under this group if no resource group is selected during ordering.

Alert Rules and Alert Action:
Alert rules will be created if the thresholds are configured during on-boarding.
A new alert action will be added to the created rules to invoke the CoreStack notification webhook when a threshold alert is triggered.

Azure Policy
CoreStack will create the Policy Definitions and Assignments based on the governance rules selected during on-boarding of the account.

Security Centre
CoreStack will enable the Free-tier or Standard Tier for the resources based on the selection during on-boarding. (Enabling Standard Tier has cost implications, please exercise caution during configuration)

Billing Impact due to CoreStack onboarding

Configuring your account with CoreStack has no billing impact in itself until certain services are consumed through CoreStack. The following are a few areas where there might be cost implications:

| Feature | Free Units Included | Price | CS Remarks |
|---|---|---|---|
| Alert Notifications | 100,000 web hooks per month | $0.60/1,000,000 web hooks | |
| Dynamic Thresholds | None | $0.10 per dynamic threshold per month | CoreStack doesn’t create Dynamic Thresholds as part of account on-boarding. However, you can configure through Operations template |
| Azure Security Centre | Free Tier | Pricing varies per resource type. Please see here | Standard Tier if opted will have higher cost impact |
| Monitoring Metrics | 10 monitored metric time-series per month | $0.10 per metric time-series monitored per month | |

Pre-Requisite Set-up in Azure:

CoreStack uses the Daemon Application scenario with the OAuth 2.0 Client Credentials flow and grant type, as depicted here. The Client Credentials flow requires a valid Application registration to be created for a specific Azure subscription to successfully allow access to the required Azure resources.

To onboard your subscription into CoreStack, you will require the following values. The instructions to get these 4 values from your Azure subscription are provided below.

  1. Tenant ID
  2. Application ID
  3. Application Secret
  4. Subscription Info

As you retrieve each of these values, keep them ready in a notepad so that you can copy and paste them into CoreStack while onboarding.
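The client-credentials exchange that these four values feed into, as an added example (not CoreStack's code): it validates the collected values and builds the token request without sending it. The v2.0 token endpoint, the Azure Resource Manager scope, the function names and all sample values are assumptions made for illustration.

```python
import json
import uuid
from urllib.parse import parse_qs, urlencode

# Assumptions: Microsoft identity platform v2.0 token endpoint and the
# Azure Resource Manager scope; the page itself only names the flow.
AUTHORITY = "https://login.microsoftonline.com"
ARM_SCOPE = "https://management.azure.com/.default"


def as_guid(name, value):
    """Return the canonical GUID form, or raise naming the bad field."""
    try:
        return str(uuid.UUID(value.strip()))
    except (ValueError, AttributeError):
        raise ValueError(f"{name} is not a GUID") from None


def build_token_request(tenant_id, app_id, app_secret):
    """Build (url, form_body) for the client-credentials grant; nothing is sent."""
    tenant = as_guid("Tenant ID", tenant_id)
    client = as_guid("Application ID", app_id)
    secret = app_secret.strip()
    if not secret:
        raise ValueError("Application Secret is empty")
    # Common copy mistake: the portal lists a GUID "Secret ID" next to the
    # secret value; only the value authenticates.
    try:
        uuid.UUID(secret)
    except ValueError:
        pass
    else:
        raise ValueError("Application Secret looks like the Secret ID, not the value")
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client,
        "client_secret": secret,
        "scope": ARM_SCOPE,
    })
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", body


def redact(body):
    """Form body that is safe to log: the secret is masked, other fields kept."""
    fields = {key: values[0] for key, values in parse_qs(body).items()}
    fields["client_secret"] = "***"
    return urlencode(fields)


def read_token_response(raw_json):
    """Return (access_token, lifetime_seconds), or raise with the server's error code."""
    doc = json.loads(raw_json)
    if "error" in doc:
        raise PermissionError(doc["error"])
    if doc.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return doc["access_token"], int(doc["expires_in"])


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    url, body = build_token_request(
        "11111111-2222-3333-4444-555555555555",
        "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "constructed~Secret.Value_123",
    )
    print("POST", url)
    print(redact(body))
```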

Step-1: Fetch Tenant ID

Log in to the Azure Portal (https://portal.azure.com).

1. Go to Azure Active Directory. You can either select it from the Left Navigation Menu or simply use the search bar at the top to search for it.


2. Once the Azure Active Directory service is opened, you will find the Tenant ID in the overview page as shown below:

3. You can click on the copy icon to copy the Tenant ID to clipboard and paste it into your notepad. Stay right on the same page to continue with Step-2.

Step-2: Fetch Application ID

1. Now within the Azure Active Directory look for “App Registrations” in the Left Navigation Menu. Alternatively, you can also directly search for “App Registrations” in the search bar.

2. You need to create a new app registration, unless you already have an app that you intend to use for onboarding into CoreStack. Click on “New registration” at the top to start.

3. Provide a Name for the App, such as “CoreStack.App”. You can leave the other options at their defaults (Supported account types can be Single Tenant and Redirect URI can be blank).

4. Click on “Register” button below to complete the process.
5. Once the App is created, select the app from the applications list to view the details as below:

6. Copy the Application (Client) ID and paste it into your notepad. The Directory (Tenant) ID is same as what you copied already in Step-1.

Step-3: Fetch Application Secret

The Application Secret is the password or key that you need to provide for the specific app that was just created. You can create one from the same App page.

1. Look for “Certificates & Secrets” on the left menu while staying in the CoreStack.App page. Click on it to go to that blade.

2. Look for the section “Client secrets” in the right panel and click on the button “New client secret”
3. Provide a Name or Description and click on Add. You can leave the duration at the default value of 1 year. You can revoke this anytime later if required.


4. You can see that the secret is now added and there is an expiry date and a key value for the same. You must copy the key value and keep it in your notepad.

Step-4: Fetch Subscription

1. Navigate to Subscriptions page by searching from the search bar at the top. You can also use the “Cost Management and Billing” option from the Left Navigation menu.

2. Once at the Subscriptions page, you will see the list of Subscriptions under the selected AD Tenant

3. Select the subscription that you plan to onboard into CoreStack to load details about that Subscription. You will find the details of the subscription in the “Overview” page.


4. Copy the Subscription ID and the Subscription Name from here and keep them in your notepad. Stay right on the same page to continue with Step-5.

Step-5: IAM Access for App

The app that we created above in Step-2 must have the required access within the subscription that you plan to onboard into CoreStack. To provide the access, please follow the below steps.

1. Within the Subscription page look for “Access Control (IAM)” on the left menu. Click on that.

2. Once you are in the IAM page, click on “+ Add” option at the top and select “Add Role Assignment”  option.

3. You will see a right panel for Add role assignment. Start by selecting the Role from the dropdown. Select the value “Contributor”.

4. The next field “Assign access to” can remain with default value “Azure AD user, group, or service principal”

5. In the user selection, search for the app name – in this example “CoreStack.App” and click on it

6. Click on Save button to complete the process. Once saved, you will see the Role Assignments listed as below:


7. Repeat the steps 2 to 6 above with the Role as “Resource Policy Contributor” and everything else remaining the same. Once completed, you will see the role assignments as below:

You are now all set to begin the on-boarding process into CoreStack. Happy On-boarding!
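A check a reviewer can run after Step-5, as an added example (not CoreStack's tooling): it reads role assignments in the JSON shape printed by `az role assignment list` and reports whether the app's service principal holds exactly the two roles this page asks for, at subscription scope. The sample records, the IDs and the function name are constructed for illustration.

```python
import json

# Roles Step-5 assigns to the app, both at subscription scope.
REQUIRED_ROLES = {"Contributor", "Resource Policy Contributor"}


def audit_app_roles(assignments_json, principal_id, subscription_id):
    """Compare one service principal's role assignments with Step-5.

    principal_id is the object ID of the app's service principal.
    Returns required roles that are missing, roles beyond the two
    required, and required roles granted at some other scope.
    """
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    held = set()
    report = {"missing": [], "extra": [], "narrower": [], "outside_subscription": []}
    for item in json.loads(assignments_json):
        if item.get("principalId", "").lower() != principal_id.lower():
            continue
        role = item["roleDefinitionName"]
        scope = item["scope"].rstrip("/").lower() or "/"
        if role not in REQUIRED_ROLES:
            report["extra"].append((role, scope))
        elif scope == sub_scope:
            held.add(role)
        elif scope.startswith(sub_scope + "/"):
            # e.g. one resource group: less than onboarding expects
            report["narrower"].append((role, scope))
        else:
            # root "/", a management group or another subscription
            report["outside_subscription"].append((role, scope))
    report["missing"] = sorted(REQUIRED_ROLES - held)
    return report


# Constructed sample data in the field layout of `az role assignment list`.
SUB = "00000000-0000-0000-0000-0000000000aa"
APP_SP = "00000000-0000-0000-0000-0000000000bb"
SAMPLE = json.dumps([
    {"principalId": APP_SP, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB}"},
    {"principalId": APP_SP, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Resource Policy Contributor",
     "scope": f"/subscriptions/{SUB}/resourceGroups/CS-demo"},
    {"principalId": APP_SP, "principalType": "ServicePrincipal",
     "roleDefinitionName": "User Access Administrator",
     "scope": f"/subscriptions/{SUB}"},
    {"principalId": "00000000-0000-0000-0000-0000000000cc", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/"},
])

if __name__ == "__main__":
    for finding, entries in audit_app_roles(SAMPLE, APP_SP, SUB).items():
        print(f"{finding}: {entries}")
```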

Onboarding Process

To start setting up Azure account, follow the below steps:

  1. Navigate to Settings > Cloud Accounts from top right

2. From the Cloud Accounts page, select “Azure” from the different clouds on the left side

3. Once on the Azure onboarding page, click on the “New Account” button at the top right and select “Single Account”

This will initiate the onboarding process. It has 4 tabs as part of the workflow which are explained in detail in the sub-sections below.

Authentication

This section requires the information collected while setting up the pre-requisites in the Azure account, along with some more information to help CoreStack understand how to govern this subscription.

The fields in the Authentication page are explained in the table below:

Field Description
Account Name Enter the name of the Account. You can choose any meaningful name to help you recognize this account. It is recommended to have the account type, name and environment as part of the name. Ex: CSP_Azure_Finance_Dev
Description Provide a short description about the account.
Settings Here, you can select the configuration settings for your cloud account. There are 3 options to choose from – None, Express and Custom.

  1. None – Select None if you do not want any governance automation for this cloud account. This is a read-only access which will only pull the data for Cost analytics dashboard, Inventory discovery will be on-demand.
  2. Express – Express is like a quick setup wizard, wherein the best practice configurations will be automatically setup for the cloud account. This is a read-write access to your Cloud Accounts. We recommend you review the on-boarding settings.
  3. Custom – If you want to tailor the configurations for the cloud account, select custom. All the options will be selected by default and you can uncheck them individually in the Configurations section.
Environment Select the appropriate environment for your cloud account as it determines the governance settings. The Environment list consists of – Production, Staging, QA and Development.

For example, if the cloud account is used for development, then select that from the list.

Scope Select the scope for your account. That is:

  1. Private – Select Private if the cloud account is to be used only by you
  2. Tenant – Select tenant if account will be shared across tenants associated.
  3. Account – Select Account to share with entire team across different tenants in your organization. You need to be an “Account Admin” to be able to do this.
Tenant ID This is the unique identifier of the Azure Active Directory instance. Refer to the Pre-Requisites section to know how to fetch this value.
Application ID This is the identifier generated while creating an App Registration in the Azure Active Directory. Refer to the Pre-Requisites section to know how to fetch this value.
Application Secret This is the secret key Seq will use when communicating with Azure Active Directory. Refer to the Pre-Requisites section to know how to fetch this value.
Subscription Select a subscription option from the drop down list that appears. This list will contain the subscriptions within the Active Directory Tenant that is provided. The Application ID must have IAM access for the selected subscription to be able to proceed.
Subscription Type Select the subscription type from the options – Pay As You Go, CSP, EA. For descriptions of these account types, refer to the Account Types section above.
Currency Select the currency used for billing for this account. Currently supported values include US Dollars (USD), Indian Rupees (INR) and Swedish Krona (SEK)

Note: The currency value cannot be changed after onboarding. You will have to delete and re-onboard the account if you need to change the currency. This is because all billing history is stored in the selected currency and it is not possible to go back and modify that data.

Activation

In the Activation section you can select the Compute, Storage, Network, Database, and Web cloud resource types that can be managed by CoreStack.

Cloud Products that can be added to be monitored/managed through CoreStack are:

Cloud Products Types
Compute
  • Images – VM Images Publishers, Image
  • Virtual Machines – VM Scale Sets, VMs, VM Sizes
  • Container Instances – Container Groups, Registry, Container Operations
  • Container Services
  • Others – Availability Sets
  • Azure Kubernetes – Cluster
Storage
  • Storage Disks – Disks, Snapshots
  • Accounts – Operations, Storage Accounts
  • Recovery Services – Vaults
Network
  • Routes – Route Table
  • Virtual Networks – Virtual Network, Network Security Group, Public IP Address, Network Interface, Traffic Manager Profile
  • Load Balancers
  • Application Gateways – Application Gateway, Available SSL Policy
Database
  • Servers – MSSQL, MySQL, PGSQL
Web
  • Sites – App Services

Configuration

Under Configuration, we can provide the requisite settings to manage the 4Cs of governance – CloudOps, Compliance, Consumption and Cost.

CloudOps

This section handles all the configuration settings associated with alerts, notifications and reports.

Alert Configuration

CoreStack issues alerts in the situation where set threshold limits are exceeded for the associated cloud account. The alerts set here appear in the CloudOps Dashboard under the Threshold Alerts section. Let us take the example of CPU alert under Compute – Virtual Machines. You can set an alert stating that a CPU Utilization above a threshold limit of say, 90%, is to be flagged. This alert will be sent as an email as well as flash in the CloudOps Dashboard.

| Field | Description |
|---|---|
| Threshold | This is where the numerical value can be provided. |
| Operator | Greater than, Greater than or equal, Lesser than or equal, Lesser than |
| Aggregation | This determines how the actual performance value should be compared with the threshold. For example, should the average monthly CPU utilization be compared to the threshold, or the maximum value hit at a specific time? |
| Window Size | The time interval to check if the actual metric is crossing the threshold set. For example, the comparison should be made every 30 minutes or every 4 hours or every day. The value is shown as PT1H45M, where PT stands for Period Time, 1H stands for 1 hour and 45M stands for 45 minutes. |
| Resolve Alert | An alert created for the resource based on the configured metric can be resolved with the selected actions. |
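How Threshold, Operator, Aggregation and Window Size combine into one alert decision, as an added example (not CoreStack's or Azure Monitor's code). The duration parser covers only the day, hour, minute and second parts of the PT1H45M notation; the aggregation names, function names and CPU samples are constructed for illustration.

```python
import operator
import re
from datetime import datetime, timedelta

# Day/hour/minute/second subset of the ISO 8601 duration notation.
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Operator labels as listed in the table above.
OPERATORS = {
    "Greater than": operator.gt,
    "Greater than or equal": operator.ge,
    "Lesser than or equal": operator.le,
    "Lesser than": operator.lt,
}
# Assumed aggregation names; the page mentions average and maximum.
AGGREGATIONS = {"Average": lambda v: sum(v) / len(v), "Maximum": max}


def parse_window(text):
    """Turn a Window Size such as 'PT1H45M' into a timedelta."""
    match = _DURATION.match(text)
    if not match or text.endswith("T"):
        raise ValueError(f"not a supported duration: {text!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in match.groups())
    window = timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)
    if not window:
        raise ValueError(f"empty duration: {text!r}")
    return window


def alert_fires(samples, now, window, aggregation, op, threshold):
    """Aggregate the samples inside (now - window, now] and compare.

    samples is a list of (datetime, value) pairs.
    """
    start = now - parse_window(window)
    values = [value for when, value in samples if start < when <= now]
    if not values:
        return False  # no data in the window, nothing to compare
    return OPERATORS[op](AGGREGATIONS[aggregation](values), threshold)


# Constructed CPU utilisation samples (percent) for one VM.
NOW = datetime(2024, 1, 1, 12, 0)
SAMPLES = [
    (datetime(2024, 1, 1, 10, 0), 99.0),   # outside a PT1H45M window
    (datetime(2024, 1, 1, 10, 30), 40.0),
    (datetime(2024, 1, 1, 11, 0), 95.0),
    (datetime(2024, 1, 1, 11, 30), 50.0),
    (datetime(2024, 1, 1, 12, 0), 55.0),
]

if __name__ == "__main__":
    for agg in ("Average", "Maximum"):
        fired = alert_fires(SAMPLES, NOW, "PT1H45M", agg, "Greater than", 90)
        print(f"{agg} > 90 over PT1H45M: {fired}")
```

With the same threshold and window, the Average rule stays quiet while the Maximum rule fires on the single 95% spike, which is the choice the Aggregation field controls.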

Activity Notifications

You can select the activities for which notifications should be sent as an email to you. The activity list is populated based on the Environment selected in the Authentication section.

Notifications

This section enables you to add the email address and webhook through which notifications can be sent to you. Enter a valid email address and webhook in the respective fields.

Reports

Here, you can select the reports that will be sent to the user account at the end of the day. The two reports available are:

  1. Daily Cost by Cloud Accounts
    This shows breakup of daily costs incurred by the cloud account.
  2. Template Execution Summary
    This report shows the number of templates executed during the day, how many of them were successful and how many failed.

Compliance

Compliance is one of the pillars of good cloud governance. It is vital to configure the requisite settings right at the start to ensure compliance. This section is split into two sections: Governance Rules and Schedules.

Governance Rules

Tags

Tags help to organize Azure cloud resources, and simplify the billing process.

| Tags | Description |
|---|---|
| Append Tags | Using CoreStack, you can add tags, and the corresponding values will be appended to all resources provisioned hereafter, either through the Azure portal or through CoreStack. |
| Enforced Tags | Enforced tags are tags whose associated resources will be actively monitored, with any non-compliance reported in the Compliance dashboard. |

Resource Locks

Resource Lock will enable Termination protection at Resource Group level.

Policies

Here, select the policies that you want to be applicable for your cloud account. There are different types of policies you can select from – Standards, Security, Cost Optimization and Availability.

Schedules

This section provides rules for scheduling auto shutdown of the virtual machines associated with the cloud account.

The options available are:

| Field | Description |
|---|---|
| Shutdown Details | The frequency of the shutdown must be mentioned here. For example, Daily. |
| Shutdown Time | Select the time at which the VM shutdown must be initiated. |
| Restart Time | Select the time at which the VM should get restarted. |
| Applicable Tags | Add tags to specify which VMs should be auto shut down. |
| Exclude Resource Groups | Select the Resource Groups whose VMs should not be auto shut down. |

Consumption

This section highlights the settings for VMs specific to this cloud account in the Self Service Catalog. Here you can select the Operating Systems, Resource Groups, Preferred Regions and Compute Sizes for VMs.

Fill these fields:

| Field | Description |
|---|---|
| Operating System | Select the Operating Systems that will be made available as Self Service catalog options for your CoreStack account. |
| Resource Group | The Resource Group is referenced by CoreStack for any configuration and storage account required to temporarily store the monitoring and insight data. Resource Group names only allow alphanumeric characters, underscores, hyphens and parentheses. You can also use periods, but you cannot end the name with one. |
| Preferred Region | Provide the list of regions that will be allowed for users while ordering resources through the Self-Service catalog. |
| Preferred Compute Size | Provide the list of Compute Sizes that should be allowed for the users in your account while creating a Self Service Order. |

Cost

You can configure the budget for this specific cloud account in this section. The budget set here is taken into account when computing the cost analytics and is displayed accordingly in the Cost Analytics Dashboard. You can specify the Daily, Weekly and Monthly budget here.

User Defined

Users can define their own budget and enter it manually in the User Defined section.

Auto Calculated

The suggested Auto Calculated cost is derived by the system based on the usage trends of the account currently being reviewed.

Authorization

This is the last step in the onboarding process. The list of Roles in CoreStack for this Tenant will be displayed. You need to select the Roles that can have access to this cloud account. However, the level of access will depend on the role.

After selecting the roles, you can click on the “Finish” button to complete the process.

Manage Onboarded Accounts

You can come back and view/edit the settings of the Jira account from the same page: Settings > Cloud Accounts > Azure.

Click on the account to view the settings already provided. You will see the details of the account as shown below:

All the configurations done during the onboarding can be viewed here. You can also view the status of the onboarding in the left bottom of this page:

If you need to modify the settings, click on the 3 dots menu at right end to select “Edit” and modify any of the settings. The process is very similar to the onboarding steps explained above.