Azure Account Credential Setup

1. Overview

Aviatrix Controller uses Azure APIs extensively to launch Aviatrix gateways, configure encrypted peering and other features.

In order to use Azure API, you need to first create an Aviatrix Access Account on the Aviatrix controller. This access account corresponds to a valid Azure subscription with API credentials. You need to create an access account for each subscription.

This document describes, for a given subscription, how to obtain the necessary information, specifically Application ID, Application Key (Client secret), and Application Directory ID to create an Aviatrix Access Account so that the Controller can execute APIs on that subscription. There are 3 sections, make sure you go through all of them.

2. API and Permission Setup

Setting up Azure permission for Aviatrix involves three main steps.

  1. Register Aviatrix Controller Application with Azure Active Directory
  2. Assign a role to the Aviatrix Controller Application
  3. Get Application ID, Application Key (Client secret) and Directory ID

Important: Complete the following steps in order.

2.1 – Register Aviatrix Controller Application

Login to the Azure Portal: https://portal.azure.com

  1. From the Azure portal click on “All services” and search for “Azure Active Directory” and click on “Azure Active Directory”.
  2. Click “App registrations”. Do not choose “App registrations (Legacy)”

image03

  1. Click “+ New registration”

image04

  1. Name = Aviatrix Controller
  2. Supported account types = Accounts in this organizational directory only
  3. Click Register.
  1. Done

2.2 – Assign a role to the Aviatrix Application

  1. Login to the Azure portal
  2. On the top left, click All services, search for “Subscriptions”
image11
  1. Copy the Subscription ID (to notepad or a convenient location)

image12

  1. Click on the Subscription ID
  2. Then select “Access control (IAM)”.

image13

  1. Click Add and then select the “Contributor” role. If the “Contributor” role is too broad, you can later replace it with a custom role with specific permissions. Refer to Use Azure IAM Custom Role for instructions.
  2. In the Select search field, type in “Aviatrix”. The Aviatrix Controller (that you created in section 2.1) app should show up. Select this one and click Select towards to the bottom.

2.3 – Setup Information for Programmatic Sign in

  1. From the Azure portal, click All services and search for “Azure Active Directory”. Click “App registrations” and then the application to see the Application (client) ID and Directory (tenant) ID.

    image01

  2. Retrieve the Application (client) ID and Directory (tenant) ID.

    1. Copy the Application ID and Directory ID for later use.

    image14

  3. Retrieve the Client Secrets.

    1. Click Certificates & secrets
    2. Click + New client secret

    image06

    1. Enter in the following, and then click Add
      • Description = Aviatrix
      • Expires = Never

    image07

    1. You should see the new secret as shown below.

    image15

    1. Copy the secret. This will be used as the Application Key in the Aviatrix Controller.
  1. Add API permissions.

    Go to Azure Active Directory -> select the “Aviatrix Controller” application, click into the application.

    1. Click API permissions

    image08

    1. Click “+Add a permission”
    2. Choose Azure Service Management

    image09

    image10

  2. Done

At this point you should have the following information to create an access account on Azure.

Access Account Setup Input Field Value
Subscription ID From section 2.2
Directory ID From section 2.3
Application ID From section 2.3
Application Key (Client Secret) From section 2.3

Additional References

If you need additional information, refer to How to: Use the portal to create an Azure AD application and service principal that can access resources on Azure documentation.

Azure China notes

Deploying the Aviatrix Gateway in the Azure China Cloud

Prerequisites:

  • You must already have a Microsoft Azure China account and Aviatrix Controller in AWS China to deploy an Aviatrix Gateway in the Azure China Cloud.
  • If you have not created a storage account in your Microsoft Azure cloud, create a storage account first.
  1. Create the Aviatrix Controller in your AWS China Cloud. Go to Onboarding and select Azure China.
  2. Enter the Aviatrix Customer ID.
  3. Enter the Certificate Domain.
  4. Create the Primary Access Account.
  5. Download the Aviatrix gateway image to your Microsoft Azure China storage account in a specified region. If the storage account does not exist, go to Azure China portal to create one first. Note: The download may take up to 20 minutes due to Azure infrastructure limitations.
  6. Deploy Aviatrix gateway in Gateway page or Multi-Cloud Transit Solution page.

For more information, see “What is a China ICP License?”