Setup - Azure

Note

Looking for Amazon Web Services instructions? To get started with Fugue on AWS, see Setup - AWS & AWS GovCloud.

Fugue setup is simple. First, sign up here. Once you’ve registered, you’ll be able to set up your first Azure environment and start scanning for compliance state, drift detection, and baseline enforcement (auto-remediation) of resources. (For AWS setup, see Setup - AWS & AWS GovCloud.)

Step 1: Define your Azure environment

Note

You must have at least one existing resource group in Azure in order to create an environment in Fugue.

One of the first actions you’ll take in Fugue is to define your environment. An environment represents cloud infrastructure in a provider account and includes resource configuration, compliance state, and more. After you log in, select the “Define Your Environment” button (which appears by default for new users) and you’ll be prompted to provide an environment name and select a cloud service provider – in this case, Microsoft Azure:

_images/AzureSetupStep1.png

Note

If you need to revisit a step at any point during setup, select the step number near the upper right of your screen:

_images/StepsIcons.png

Step 2: Connect to Azure and Select Resource Groups

Next, you’ll need to register an application and client secret through the Azure Portal so you can connect to Azure, and then you can choose the resource groups you’d like Fugue to scan.

Step 2a: Connect to Azure

Before Fugue can connect to your Azure subscription and scan your infrastructure, you’ll need to provide four pieces of information:

Tenant ID (directory ID)

The ID of your specific Azure Active Directory instance. To find your tenant ID, log into the Azure Portal and navigate to Azure Active Directory > Properties > Directory ID.

Subscription ID

The ID for your trial or paid subscription to Microsoft Azure. To find your subscription ID, go to All services > Subscriptions > Subscription ID.

Application ID (client ID)

The ID for the Azure Active Directory application you register for Fugue. You’ll create this in the next step.

Client secret

The secret string Fugue uses to authenticate with Azure. You’ll also create this in the next step.

_images/AzureSetupStep2.png

Create Azure Active Directory Application

To obtain an application ID (client ID) and client secret, you’ll need to create an Azure Active Directory (AD) application and service principal, assign it an RBAC role, and then generate a secret. This gives Fugue the permissions required to scan your selected resource groups.

In the Azure Portal, navigate to Azure Active Directory > App registrations (not Legacy), then select the “New registration” button.

Enter a name for the AD application – we’ve called ours fugue-example in the image below – and then ensure supported account types is set to “Accounts in this organizational directory only.” You can leave the “Redirect URI” field blank. Then, click the “Register” button.

_images/AzureSetupRegisterApp.png

After Azure registers the application and creates the service principal, you can copy the application ID and enter it into the Fugue environment setup:

_images/AzureSetupAppID.png

Assign an RBAC Role

Next, you’ll need to assign the service principal an RBAC role. You can scope the role to your entire subscription, a specific resource group, or an individual resource. If you intend to use Fugue to scan more than one resource group, it’s simplest to give the application access at the subscription level, but go with whatever works best for your use case.

To assign your service principal a role at the subscription level, navigate to All services > Subscriptions > Subscription ID and select your subscription. Then, select the Access Control (IAM) link and click the “Add” button, then “Add role assignment”:

_images/AzureSetupAddRole.png

To give Fugue permission to scan your Azure resources, select the Reader role. Leave the “Assign access to” field as is and search for the name of your AD application in the “Select” field, then select the “Save” button:

_images/AzureSetupAssignReaderRole.png

Generate a Client Secret

Now that you’ve created the AD application and set up the service principal, you can generate a client secret. Return to Azure Active Directory > App registrations and select the application you just registered, then select the Certificates & secrets link. Click the “New client secret” button, enter a description for the secret, set an expiration date, and then select “Add.” You can then copy the generated secret and enter it into the Fugue environment setup:

_images/AzureSetupClientSecret.png

Back in the Fugue environment setup, select the “Connect to Azure” button. You should see a message confirming that the connection was successful:

_images/AzureSetupConnectionSuccess.png

You can select “Undo” if you need to go back and change a setting, or if you need Fugue to connect again and refresh the list of resource groups. Note that when you select “Undo,” Fugue clears all of the fields.

Step 2b: Select Resource Groups

Now that Fugue has connected to your Azure subscription, you may specify the resource groups you want Fugue to scan:

_images/AzureSetupStep2b.png

To expand the list and display all resources, select “Expand Resource Groups” below the list. Then, to shorten the list, select “Contract Resource Groups.”

If you want to select a resource group you created in Azure after connecting but before finalizing the environment, you can refresh the list of available resource groups by selecting “Undo” and re-entering the connection information.

Note

You can remove resource groups later by editing the environment settings, as long as at least one resource group remains selected. However, to add resource groups after the environment has been created, you must use the Fugue API. See Updating Selected Resource Groups for details.

Step 3: Select Compliance Libraries

To assess your cloud environment for compliance with CIS Azure Foundations Benchmark, check the box here:

_images/AzureSetupStep3.png

Or, you may leave it blank for now and configure it later via the environment settings.

Step 4: Review Environment Details

Finally, you may review the details for your environment, including environment name, tenant/subscription/application IDs, compliance libraries, and the resource groups you want Fugue to scan:

_images/AzureSetupStep4.png

Note that if anything needs to be changed, you can revisit the appropriate step by selecting the step number near the upper right of your screen:

_images/StepsIcons.png

If the review looks good, select the “Approve and Begin Initial Scan” button. Fugue will create your environment and start to scan your infrastructure. When the scan is complete, Fugue brings you to your new environment dashboard, where you can see your compliance view, establish a baseline to enable drift detection, configure compliance report emails, and more. To learn more, see Environment Configuration.

Updating Selected Resource Groups

After you have created an Azure environment, you can remove resource groups by editing the environment settings, as long as at least one resource group remains selected. However, to add resource groups after the environment has been created, you must use the Fugue API.

The Fugue API allows you to update an environment in order to add, remove, or change the resource groups. To do so, you would use the PATCH method to send a request to the following path, substituting your own environment ID for {environment_id}:

https://api.riskmanager.fugue.co/v0/environments/{environment_id}

The request body is where you indicate which resource groups you want Fugue to scan. For example, if your environment only includes the dev-eastus resource group but you want to add prod-centralus and NetworkWatcherRG, your request body might look like this:

{
    "provider": "azure",
    "provider_options": {
        "azure": {
            "survey_resource_groups": [
                "dev-eastus",
                "prod-centralus",
                "NetworkWatcherRG"
            ]
        }
    }
}

The resource groups you list in the "survey_resource_groups" array replace whatever resource groups were previously selected, so the request is not additive. In this case, to continue scanning dev-eastus, you must include it in the array along with the new groups.
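As an added example (not code from the Fugue documentation or its API client), the following Python script performs the same update but reads the current selection first and merges it, so the replace-semantics of "survey_resource_groups" cannot silently drop a group. It assumes a GET on the same environment path returns a document with the same "provider_options" layout as the PATCH body, takes the API client ID and secret from the FUGUE_CLIENT_ID and FUGUE_CLIENT_SECRET environment variables rather than the command line, and sends an explicit application/json content type.

```python
import base64
import json
import os
import urllib.request

API_BASE = "https://api.riskmanager.fugue.co/v0"


def build_patch_body(current, add=(), remove=()):
    """Return the PATCH body that keeps `current`, appends `add` and drops `remove`.

    survey_resource_groups replaces the previous selection outright, so the merge
    starts from the current list. Order is kept, duplicates are dropped, and an
    empty result is refused because at least one resource group must stay selected.
    """
    dropped = set(remove)
    merged = []
    for rg in list(current) + list(add):
        if rg not in dropped and rg not in merged:
            merged.append(rg)
    if not merged:
        raise ValueError("at least one resource group must remain selected")
    return {
        "provider": "azure",
        "provider_options": {"azure": {"survey_resource_groups": merged}},
    }


def _call(method, path, body=None):
    """Send one authenticated request; credentials are read from the environment."""
    creds = f"{os.environ['FUGUE_CLIENT_ID']}:{os.environ['FUGUE_CLIENT_SECRET']}"
    req = urllib.request.Request(
        API_BASE + path,
        method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={
            "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def add_resource_groups(environment_id, add, remove=()):
    """Fetch the environment (assumed GET endpoint and shape), merge, then PATCH."""
    env = _call("GET", f"/environments/{environment_id}")
    current = env["provider_options"]["azure"]["survey_resource_groups"]
    return _call("PATCH", f"/environments/{environment_id}",
                 build_patch_body(current, add, remove))
```

Calling add_resource_groups("75e7e69a-0af4-4561-9763-000000000000", ["prod-centralus", "NetworkWatcherRG"]) produces the same PATCH body as the curl example when the environment currently contains only dev-eastus.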

Updating Selected Resource Groups with curl

To use curl to update an environment using the example above, you would use the following command:

curl -X PATCH \
https://api.riskmanager.fugue.co/v0/environments/75e7e69a-0af4-4561-9763-000000000000 \
-u $CLIENT_ID:$CLIENT_SECRET \
-d '{
    "provider": "azure",
    "provider_options": {
        "azure": {
            "survey_resource_groups": [
                "dev-eastus",
                "prod-centralus",
                "NetworkWatcherRG"
            ]
        }
    }
}'

When the command succeeds, the API returns a JSON document including the details of the updated environment.

To learn more about updating an environment with the API, see Updating an Environment. For more information about using curl, see API Tools. To see the full Swagger documentation, see the API Reference. Or, for general instructions, see the API User Guide.

Updating Selected Resource Groups with Postman

To use Postman to update an environment using the example above, select the PATCH - Updates an environment request from the Fugue API Postman collection, then enter the environment_id path variable on the “Params” tab:

_images/PostmanUpdateAzureParams.png

Next, select the “Body” tab and paste your request body into the text box:

_images/PostmanUpdateAzureBody.png

Here’s the request body we used for the example curl command:

{
    "provider": "azure",
    "provider_options": {
        "azure": {
            "survey_resource_groups": [
                "dev-eastus",
                "prod-centralus",
                "NetworkWatcherRG"
            ]
        }
    }
}

When you’re ready, hit the “Send” button, and when the request succeeds you’ll see a 200 OK status and a JSON document including the details of the updated environment.

To learn more about updating an environment with the API, see Updating an Environment. For more information about using Postman, see API Tools. To see the full Swagger documentation, see the API Reference. Or, for general instructions, see the API User Guide.

Supported Azure Services

For a list of currently supported Azure services, see Service Coverage. If you have questions about specific services or resources, reach out to us at support@fugue.co.