Azure Account Credential Setup

1. Overview

Aviatrix Controller uses Azure APIs extensively to launch Aviatrix gateways, configure encrypted peering and other features.

In order to use Azure API, you need to first create an Aviatrix Access Account on the Aviatrix controller. This access account corresponds to a valid Azure subscription with API credentials. You need to create an access account for each subscription.

This document describes, for a given subscription, how to obtain the necessary information, specifically Application ID, Application Key (Client secret), and Application Directory ID to create an Aviatrix Access Account so that the Controller can execute APIs on that subscription. There are 3 sections, make sure you go through all of them.

2. API and Permission Setup

Setting up Azure permission for Aviatrix involves three main steps.

  1. Register Aviatrix Controller Application with Azure Active Directory
  2. Assign a role to the Aviatrix Controller Application
  3. Get Application ID, Application Key (Client secret) and Directory ID

Important: Complete the following steps in order.

2.1 – Register Aviatrix Controller Application

Login to the Azure Portal:

  1. From the Azure portal click on “All services” and search for “Azure Active Directory” and click on “Azure Active Directory”.
  2. Click “App registrations”. Do not choose “App registrations (Legacy)”


  1. Click “+ New registration”


  1. Name = Aviatrix Controller
  2. Supported account types = Accounts in this organizational directory only
  3. Click Register.
  1. Done

2.2 – Assign a role to the Aviatrix Application

  1. Login to the Azure portal
  2. On the top left, click All services, search for “Subscriptions”
  1. Copy the Subscription ID (to notepad or a convenient location)


  1. Click on the Subscription ID
  2. Then select “Access control (IAM)”.


  1. Click Add and then select the “Contributor” role. If the “Contributor” role is too broad, you can later replace it with a custom role with specific permissions. Refer to Use Azure IAM Custom Role for instructions.
  2. In the Select search field, type in “Aviatrix”. The Aviatrix Controller (that you created in section 2.1) app should show up. Select this one and click Select towards to the bottom.

2.3 – Setup Information for Programmatic Sign in

  1. From the Azure portal, click All services and search for “Azure Active Directory”. Click “App registrations” and then the application to see the Application (client) ID and Directory (tenant) ID.


  2. Retrieve the Application (client) ID and Directory (tenant) ID.

    1. Copy the Application ID and Directory ID for later use.


  3. Retrieve the Client Secrets.

    1. Click Certificates & secrets
    2. Click + New client secret


    1. Enter in the following, and then click Add
      • Description = Aviatrix
      • Expires = Never


    1. You should see the new secret as shown below.


    1. Copy the secret. This will be used as the Application Key in the Aviatrix Controller.
  1. Add API permissions.

    Go to Azure Active Directory -> select the “Aviatrix Controller” application, click into the application.

    1. Click API permissions


    1. Click “+Add a permission”
    2. Choose Azure Service Management



  2. Done

At this point you should have the following information to create an access account on Azure.

Access Account Setup Input Field Value
Subscription ID From section 2.2
Directory ID From section 2.3
Application ID From section 2.3
Application Key (Client Secret) From section 2.3

Additional References

If you need additional information, refer to How to: Use the portal to create an Azure AD application and service principal that can access resources on Azure documentation.

Azure China notes

Deploying the Aviatrix Gateway in the Azure China Cloud


  • You must already have a Microsoft Azure China account and Aviatrix Controller in AWS China to deploy an Aviatrix Gateway in the Azure China Cloud.
  1. Create the Aviatrix Controller in your AWS China Cloud. Go to Onboarding and select Azure China.
  2. Enter the Aviatrix Customer ID.
  3. Enter the Certificate Domain.
  4. Create the Primary Access Account.
  1. Deploy Aviatrix gateway from the Gateway page in the Aviatrix Controller or the Multi-Cloud Transit Solution page.

For more information, see “What is a China ICP License?”