Monitoring Microsoft Azure Cloud Platform
Overview
TOS Aurora monitors the Microsoft Azure Resource Manager (RM) platform for policy revision changes.
To see which TOS features are supported for your device, review the feature support table. Classic rules - rules that have been configured on the firewall directly and not included in Azure firewall policies - are not supported.
Prerequisites
To complete the Microsoft Azure configuration procedures, you must have the following connection information:
ID for an active Azure subscription - see Find your Azure subscription (Microsoft documentation).
A tenant represents a single organization, and is the dedicated instance of Azure that you receive when you sign up for Azure services.
- Navigate to Microsoft Entra ID > Properties.
- Copy the Directory ID.
An Application ID (also referred to as a Client ID) is the unique ID provided by Azure for any registered application. You must register an application in your tenant to enable TOS Aurora to monitor Azure devices.
- Using the Azure portal, log in to your Azure account with a user who can create an app registration.
- Navigate to Microsoft Entra ID.
- Select Manage > App registrations > New registration.
- Type a name for the application (for example, Tufin app).
- Under Supported account types, select Accounts in this organizational directory only (Single tenant).
- Click Register.
- Copy the App ID.
An Application Secret (also known as a Client Secret, Shared Secret, or Keys) is a credential used by an application to authenticate itself to a tenant when signing in to Azure. These keys do not refer to key vaults.
- Navigate to Certificates and secrets > Client secrets > New client secret.
- In the Add a client secret panel, select an Expires value from the list.
- Click Add.
- Copy the secret Value BEFORE you leave the page.
You should also assign Tufin app permissions to monitor the Azure subscription. See Assigning Permissions to the App Registration.
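A check for the three prerequisite values before they are entered in the Add Device wizard, as an added example that is not Tufin's code or part of this page: it flags a GUID copied from the wrong field (for instance a Secret ID instead of the secret Value) and then performs the client-credentials token request against the Azure Resource Manager scope that any registered application must pass. The token endpoint, scope and GUID format are Microsoft conventions; the function names are this example's own.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Assumed value formats (from the Azure portal, not from Tufin documentation):
# the Directory (tenant) ID and the Application (client) ID are GUIDs, while the
# client secret Value is an opaque string. The secret's Secret ID is also a GUID,
# which is how a mistakenly copied ID is told apart from the Value TOS needs.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ARM_SCOPE = "https://management.azure.com/.default"  # Azure Resource Manager


def validate_inputs(tenant_id, app_id, secret):
    """Return a list of problems with the three prerequisite values ([] if OK)."""
    problems = []
    if not GUID_RE.match(tenant_id):
        problems.append("tenant_id is not a GUID: copy the Directory ID from Entra ID > Properties")
    if not GUID_RE.match(app_id):
        problems.append("app_id is not a GUID: copy the App ID of the registration")
    if not secret:
        problems.append("secret is empty")
    elif GUID_RE.match(secret):
        problems.append("secret looks like a Secret ID: copy the secret Value instead")
    return problems


def build_token_request(tenant_id, app_id, secret):
    """Build the OAuth2 client-credentials request the app registration must pass."""
    form = {"grant_type": "client_credentials", "client_id": app_id,
            "client_secret": secret, "scope": ARM_SCOPE}
    return TOKEN_URL.format(tenant=tenant_id), form


def check_credentials(tenant_id, app_id, secret, timeout=10):
    """Return (ok, detail). Only the network step needs access to Azure."""
    problems = validate_inputs(tenant_id, app_id, secret)
    if problems:
        return False, "; ".join(problems)
    url, form = build_token_request(tenant_id, app_id, secret)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            ok = "access_token" in json.load(resp)
        return ok, "token issued for " + ARM_SCOPE
    except urllib.error.HTTPError as e:  # AADSTS error text explains the failure
        err = json.loads(e.read().decode() or "{}")
        return False, err.get("error_description", str(e))
```

A token being issued only proves the secret is valid; it does not prove the app has been granted the subscription permissions described in Assigning Permissions to the App Registration.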
Additional information from Microsoft documentation:
Add a Device
- Select Azure.
- Configure the device settings:
  - Name for Display
  - Domain: Available only if you have configured your system for managing multi-domains and All Domains is currently selected. Select the domain to which to add the device. The Domain can only be entered when adding a device; to change the Domain, you must migrate the device.
  - ST server: In a distributed deployment, select which TOS Aurora cluster monitors this device (not shown in image).
  - Usage Analysis
    - Collect traffic logs for rule usage analysis: Selected by default, from R24-1. Supported for Azure Firewall and NSG.
    - Collect traffic logs for object usage analysis: Selected by default, from R24-2. Supported for NSG only.
    Usage collection is not supported when the Azure subscription is monitored on a remote collector.
    Note: Enabling Usage Analysis requires configuration in Azure. See Configuring Azure to Send Log Data to TOS.
  - Enable Topology: Collects routing information for building the network Interactive Map.
- Click Next.
- Configure the TOS Aurora connection to the Microsoft Azure device, according to the parameters required by the device. See Prerequisites for details.
- If you connect to the device with a proxy server, select Proxy and enter the HTTPS Proxy Hostname or IP, Port, Username, and Password.
- Click Next.
- In Monitoring Settings, do one of the following:
  - To use real-time monitoring and timing settings from the Timing page, select Default. Otherwise, select Custom and configure the monitoring mode and settings.
  - In Periodic Polling, select Custom settings and configure the Polling frequency: How often TOS Aurora fetches the configuration from each device. If you select 1 day, you can then select the exact time (hour and minute) for the daily polling.
- Click Next.
- Save the configuration.
  The Microsoft Azure device now appears in the Monitored Devices tree.
- You can now do one of the following:
  - Import Azure Virtual Networks
  - Import Azure Load Balancers
  - Import Azure Firewall Policies
  - Import Azure Virtual WAN
  - Add another Microsoft Azure device
  Importing Virtual Networks requires that the VNet has at least one VNIC.
- Click Done.
Configure a Monitored Device
After you add a device, further configuration options are available.
Options vary depending on your environment.
Example
- Edit configuration: Use the wizard to modify selected device settings. See Add a Device in this topic.
- Delete this device: Type yes to confirm that you want to delete the device.
- Import Azure Virtual Networks: Select the Azure Virtual Networks to be added.
- Import Azure Load Balancers: Select the Azure Load Balancers to be added.
- Import Azure Firewall Policies: Select the Azure Firewall Policies to be added.
- Import Azure Virtual WAN: Select the Virtual WANs and Virtual Hubs to be added.
How Do I Get Here?
SecureTrack > Monitoring > Manage Devices