Monitoring Microsoft Azure

Overview

TOS monitors Microsoft Azure® Public Cloud and Azure Government for policy revision changes.

To monitor Azure, you must complete three setup tasks in the Azure portal:

To see which TOS features are supported for your device, review the SecureTrack Features by Vendor.

Classic rules are firewall rules that are configured directly on the device and are not part of Azure Firewall policies. These rules are not supported.

Adding Azure accounts

There are two ways to add Azure accounts:

Manually

Add every Azure account individually, as described here in Add a Device.
Automatically

From 25-2 PHF1, you can configure a Cloud Organization and import its accounts according to a predefined schedule.
For detailed information, see Cloud Organization Device Groups.

Account authentication

For TOS to authenticate with and monitor the Azure account, you need the account credentials. When adding a device, you can configure credentials in one of the following ways:

Associate with a predefined Cloud Organization

If you have configured Cloud Organizations, you can associate the device with the Cloud Organization and specify the required ID of the subscription to associate with the device.
Device-specific credentials

The credentials unique to the device such as the Subscription ID, Tenant ID, and the Client ID and Secret. See Add a Device.

Prerequisites

The following values and permissions are required to add a Microsoft Azure device in TOS:

Credentials

Subscription ID: The ID of your Azure subscription. How to find it
Directory ID (Tenant ID): The ID of your Azure Active Directory tenant. How to find it
Application (Client) ID and App Secret: Both are generated when you register an app in Microsoft Entra ID. Registration and authentication steps

These tasks are required in Azure: Register an app, create a role, and assign the role.

Roles and Permissions

Permissions in Azure are assigned through roles. You can either create a custom role to define the required permissions or use an existing role.

To create a custom role, see the Microsoft documentation: Create or update Azure custom roles.

When assigning the role, set the scope at the level of the subscription or resource group that you want TOS to monitor. Permissions set at a higher level (for example, subscription) are inherited by lower levels (for example, resource groups).

General Azure Monitoring

Use the following permission blocks based on the features you want to enable:

Visibility and Basic Path Analysis

These permissions allow SecureTrack to collect details from key Azure components, including virtual networks (VNETs) and network security groups (NSGs), as well as virtual machines, interfaces, and subnets.

Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/virtualNetworks/read
Microsoft.Compute/virtualMachines/read
Microsoft.Network/networkInterfaces/read
Microsoft.Network/publicIPAddresses/read
Microsoft.Network/locations/operationResults/read
Microsoft.network/virtualnetworkgateways/connections/read
Microsoft.Network/routeTables/read
Microsoft.Network/vpnGateways/read
Microsoft.Network/virtualNetworks/subnets/read 
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read

Advanced Path Analysis

These permissions allow SecureTrack to retrieve network topology data used to build the network map and perform path analysis.

VPN and Virtual Gateways

Microsoft.Network/virtualNetworkGateways/read
Microsoft.Network/virtualnetworkgateways/getlearnedroutes/action
Microsoft.Network/localnetworkgateways/read
Microsoft.Network/connections/read 
Microsoft.Network/vpnsites/read
Microsoft.network/vpnGateways/vpnConnections/read

Internal Load Balancer

Microsoft.Network/loadBalancers/read
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/read

ExpressRoute

Microsoft.Network/expressRouteCircuits/read
Microsoft.Network/expressRouteCircuits/peerings/read
Microsoft.Network/expressRouteCircuits/peerings/write
Microsoft.Network/expressRouteCircuits/peerings/routeTables/read
Microsoft.Network/expressRouteGateways/read
Microsoft.Network/expressRouteGateways/expressRouteConnections/read

Write permissions are required only because of how the Azure API provides routing tables. TOS does not create or change routes.

Virtual WAN

Microsoft.Network/virtualHubs/read
Microsoft.Network/virtualHubs/routingIntent/read
Microsoft.Network/virtualWans/read
Microsoft.Network/virtualHubs/hubRouteTables/read
Microsoft.Network/virtualHubs/effectiveRoutes/action
Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/read
Microsoft.Network/virtualHubs/bgpConnections/read

Rule and Object Usage Analysis

These permissions enable SecureTrack to analyze flow log data and identify the last hit date for NSG rules and the objects used in those rules.

Microsoft.Network/networkWatchers/read
Microsoft.Network/networkWatchers/flowLogs/read
Microsoft.Storage/storageAccounts/blobServices/containers/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read

SecureChange Provisioning

These permissions allow SecureChange to create, update, and remove firewall rules in Azure network security groups (NSGs) during provisioning.

Microsoft.Network/networkSecurityGroups/securityRules/read
Microsoft.Network/networkSecurityGroups/securityRules/write
Microsoft.Network/applicationSecurityGroups/read

Automatic Subscription import via Cloud Organization

These permissions are required for automatic import of subscriptions through Azure Management Groups:

Microsoft.Management/managementGroups/read
Microsoft.Resources/subscriptions/read
Microsoft.Management/managementGroups/descendants/read

Azure Firewall Monitoring

These permissions apply specifically to Azure Firewall and its related policy and diagnostic components.

Visibility and Path Analysis

These permissions allow SecureTrack to collect topology and policy details from Azure Firewall Standard and Premium policies.

Microsoft.Network/ipGroups/read
Microsoft.Network/firewallPolicies/read
Microsoft.Network/azurefirewalls/read
Microsoft.Network/firewallPolicies/ruleCollectionGroups/read

Rule Usage Analysis

These permissions enable SecureTrack to analyze flow log data and identify the last hit date for Azure Firewall policy rules.

Microsoft.OperationalInsights/workspaces/read
Microsoft.Network/azureFirewalls/providers/Microsoft.Insights/DiagnosticSettings/Read

VNet Automatic Import

When you add a device, you can enable Automatic Import for Virtual Networks (VNets) within a subscription. When enabled, SecureTrack automatically detects changes to the VNets (VNets which were added and deleted), and reflects them in the device list and revision history. Changes to the VNets are also reflected in the Map when a scheduled sync occurs or when you Sync the map.

With automatic import, VNets are imported at 10-minute intervals.

With Automatic Import enabled, devices that were deleted from Azure are automatically deleted from the list of devices in SecureTrack, and their history is no longer available. Therefore, if your continuous integration/continuous deployment (CI/CD) pipeline regenerates VNets, the history of the deleted VNet will not be available in the new replacement VNets. To retain revision data in SecureTrack for devices that have been deleted from your VNets, use manual import.

The maximum number of VNets for Automatic Import depends on your TOS deployment. For more information, contact Tufin Customer Support.

Add a Device

Use the wizard to add a Microsoft Azure device so TOS can monitor it.

1. Do one of the following:
  - To add a device, select Azure > Azure.
  - To add a Cloud Organization, select Azure > Azure Tenant.
Configure the device settings:
- General settings
  - Device Type: Microsoft Azure (filled automatically)
  - Name for Display
  - Domain: Available only if you have configured your system for managing multi-domains and All Domains is currently selected. Select the domain to which to add the device. The Domain can only be entered when adding a device; to change the Domain, you must migrate the device.
  - ST server: In a distributed deployment, the TOS cluster that monitors the parent device and its VNets.
- Usage Analysis
  - Collect traffic logs for rule usage analysis: Selected by default, from R24-1. Supported for Azure Firewall and NSG.
  - Collect traffic logs for object usage analysis: Selected by default, from R24-2. Supported for NSG only.
  Usage collection is not supported when Azure subscription is monitored on a remote collector.
  - Enable Rule Optimizer Recommendations: Supported from R25-2 PHF1 for NSG only. Select to collect and save traffic usage data for Rule Optimizer recommendations.
  Enabling Usage Analysis requires additional configuration in Azure. See Configuring Azure to Send Log Data to TOS.
- Topology
  - Enable Topology: Select to collect routing information for building the network Map.
    Topology options for Advanced management mode are configured when you import managed devices.
- VNet Import:
  - Automatic Import: To automatically detect new and deleted VNets in the Azure subscription, and reflect the updates in SecureTrack. VNets are automatically imported at 10-minute intervals.
  - Manual Import: Import VNets after you add the Azure device.
Click Next.
Configure the TOS connection to the Microsoft Azure device according to the parameters required by the device.
- Cloud Organization
  - Use Cloud Organization: Optional. Select to associate this device with a predefined Cloud Organization. When associated with a Cloud Organization, other connection mechanisms and credentials are automatically disabled.
  - Subscription ID: Mandatory when Use Cloud Organization is selected. The ID of the subscription to associate with the device.
  See Azure Cloud Organization settings.
- Connection
  
  Connection credentials, required if the device is not associated with a Cloud Organization.
  See Prerequisites for details.
- For proxy server connections, select Proxy and enter the http/https proxy server and port. Username and password are optional.
Click Next.
Configure Monitoring Settings:
- To use timing settings from the Timing page, select Default.
- To use custom monitoring, select Custom and configure Periodic Polling for SecureTrack to retrieve the configuration from each device::
  - To use the timing page settings, select Use timing page settings (Monitoring > Timing).
  - To define a custom interval, select Custom settings and configure the Polling frequency.
    If you select 1 day, you can set the exact time (hour and minute) for daily polling.
Click Next and then click Save to confirm the device configuration settings.
The Microsoft Azure device now appears in the Monitored Devices tree.
Choose the next step:
- Import Azure Virtual Networks
- Import Azure Load Balancers
- Import Azure Firewall Policies
- Import Azure Virtual WAN
- Add another Microsoft Azure
To import Virtual Networks, the VNet must have at least one VNIC.
Click Done.

Configure a Monitored Device

After you add a device, you can configure or manage it from the Monitored Devices tree. Options vary depending on your environment.

The following example shows configuration options for an Azure device. Options vary depending on the device type.

Edit configuration: Open the wizard to modify device settings. See Add a Device.
Delete this device: Type yes to confirm deletion.
Import Azure Virtual Networks: Select the virtual networks to add.
Import Azure Load Balancers: Select the load balancers to add.
Import Azure Firewall Policies: Select the firewall policies to add.
Import Azure Virtual WAN: Select the virtual WANs and virtual hubs to add.

How Do I Get Here?

SecureTrack > Monitoring > Manage Devices