NetBrain® Integrated Edition
Quick Setup Guide (Azure)
Version 10.0 | Last Updated 2021-04-19
Copyright ©2004-2021 NetBrain Technologies, Inc. All rights reserved.
Contents
1. Setting Up Azure API Access for NetBrain
1.1. Creating Custom Roles
1.2. Registering Apps
1.3. Configuring NetBrain to Access Azure
2. Discovering Azure Network in NetBrain Domain
3. Auto-Updating Azure Data in NetBrain through Benchmark
1. Setting Up Azure API Access for NetBrain
NetBrain uses the REST API to retrieve data from Azure. NetBrain authenticates and communicates with Azure via the
“client id/secret method” using an Active Directory application and service principal. NetBrain sends API requests
from the Front Server, so the Front Server must have access to the following Microsoft
endpoints: *.core.windows.net, *.azure.com, *.microsoft.com and *.microsoftonline.com.
Example: A visualized topology map for the network of Azure Vnet with site-to-site VPN and direct connect to local
network.
1.1. Creating Custom Roles
Azure provides role-based access control (RBAC) to manage who has access to Azure resources, what they can do
with those resources, and what areas they have access to. It is highly recommended to create a custom role that
defines the minimal scope of permissions NetBrain needs to communicate with Azure via REST APIs,
retrieve the data to build the data model, and monitor the cloud services.
NetBrain Quick Setup Guide (Azure) | 3
1. Go to Azure Active Directory in Azure Portal.
2. Go to Roles and administrators and click New custom role.
3. Define the Basics Configuration.
The following sample JSON file is used to define the role with the minimal permissions required for NetBrain
discovery and data retrieval.
{
  "properties": {
    "roleName": "<your role name>",
    "description": "<description of the role>",
    "assignableScopes": [
      "/subscriptions/<your subscription ID>",
      "/subscriptions/<your subscription ID>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Subscription/aliases/read",
          "Microsoft.Compute/availabilitySets/read",
          "Microsoft.Network/networkSecurityGroups/read",
          "Microsoft.Network/applicationSecurityGroups/read",
          "Microsoft.Network/routeTables/read",
          "Microsoft.Network/routeTables/routes/read",
          "Microsoft.Network/connections/read",
          "Microsoft.Network/virtualWans/read",
          "Microsoft.Network/virtualHubs/read",
          "Microsoft.Network/virtualHubs/hubRouteTables/read",
          "Microsoft.Network/virtualHubs/effectiveRoutes/action",
          "Microsoft.Network/publicIPAddresses/read",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/natGateways/read",
          "Microsoft.Network/localnetworkgateways/read",
          "Microsoft.Network/vpnGateways/read",
          "Microsoft.Network/expressRouteGateways/read",
          "Microsoft.Network/virtualNetworkGateways/read",
          "Microsoft.Network/virtualnetworkgateways/supportedvpndevices/action",
          "microsoft.network/virtualnetworkgateways/getlearnedroutes/action",
          "Microsoft.Network/expressRouteCircuits/read",
          "Microsoft.Network/expressRouteCircuits/peerings/read",
          "Microsoft.Network/expressRouteCircuits/peerings/connections/read",
          "Microsoft.Network/expressRouteCircuits/peerings/arpTables/read",
          "Microsoft.Network/expressRouteCircuits/peerings/routeTables/read",
          "Microsoft.Network/expressRouteCircuits/peerings/routeTablesSummary/read",
          "Microsoft.Network/expressRouteCircuits/peerings/stats/read",
          "Microsoft.Network/expressRouteCircuits/peerings/peerConnections/read",
          "Microsoft.Network/expressRouteCircuits/stats/read",
          "Microsoft.Storage/storageAccounts/read",
          "Microsoft.Storage/storageAccounts/blobServices/read",
          "Microsoft.Storage/storageAccounts/blobServices/containers/read",
          "Microsoft.Storage/storageAccounts/regeneratekey/action",
          "Microsoft.Network/virtualwans/vpnconfiguration/action",
          "Microsoft.Compute/virtualMachineScaleSets/read",
          "Microsoft.Compute/virtualMachineScaleSets/instanceView/read",
          "Microsoft.Compute/virtualMachines/read",
          "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read",
          "Microsoft.Network/networkInterfaces/read",
          "Microsoft.Network/networkInterfaces/effectiveRouteTable/action",
          "Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action",
          "Microsoft.Network/networkInterfaces/ipconfigurations/read",
          "Microsoft.Network/loadBalancers/read",
          "Microsoft.Network/loadBalancers/backendAddressPools/read",
          "Microsoft.Network/loadBalancers/backendAddressPools/backendPoolAddresses/read",
          "Microsoft.Network/loadBalancers/frontendIPConfigurations/read",
          "Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/read",
          "Microsoft.Network/loadBalancers/inboundNatPools/read",
          "Microsoft.Network/loadBalancers/inboundNatRules/read",
          "Microsoft.Network/loadBalancers/loadBalancingRules/read",
          "Microsoft.Network/loadBalancers/networkInterfaces/read",
          "Microsoft.Network/loadBalancers/outboundRules/read",
          "Microsoft.Network/loadBalancers/probes/read",
          "Microsoft.Network/loadBalancers/virtualMachines/read",
          "Microsoft.Network/applicationGateways/read",
          "Microsoft.Network/applicationGateways/backendhealth/action",
          "Microsoft.Network/applicationGateways/getBackendHealthOnDemand/action",
          "Microsoft.Network/applicationGateways/effectiveNetworkSecurityGroups/action",
          "Microsoft.Network/applicationGateways/effectiveRouteTable/action",
          "Microsoft.Network/azurefirewalls/read",
          "Microsoft.Network/azureFirewalls/applicationRuleCollections/read",
          "Microsoft.Network/azureFirewalls/natRuleCollections/read",
          "Microsoft.Network/azureFirewalls/networkRuleCollections/read",
          "Microsoft.Network/firewallPolicies/read",
          "Microsoft.Network/firewallPolicies/ruleCollectionGroups/read",
          "Microsoft.Network/firewallPolicies/ruleGroups/read",
          "Microsoft.Network/privateEndpoints/read",
          "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read",
          "Microsoft.Network/privateEndpoints/privateLinkServiceProxies/read",
          "Microsoft.Resources/subscriptions/locations/read",
          "Microsoft.Resources/tenants/read",
          "Microsoft.ApiManagement/service/users/token/action",
          "Microsoft.Network/locations/serviceTags/read",
          "Microsoft.Resources/subscriptions/resources/read",
          "Microsoft.Storage/storageAccounts/listAccountSas/action",
          "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read",
          "Microsoft.Network/publicIPPrefixes/read",
          "Microsoft.Insights/Metrics/Read",
          "Microsoft.Insights/Metrics/providers/Metrics/Read",
          "Microsoft.Insights/Metrics/Microsoft.Insights/Read",
          "Microsoft.Network/ipGroups/read",
          "Microsoft.Compute/virtualMachines/instanceView/read",
          "Microsoft.Network/vpnsites/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
4. Review Permissions.
5. Select subscription as Assignable Scopes.
Note: Since Azure throttles API access at 12000 reads per hour, it is suggested to add up to 30 subscriptions
per App. This is based on test results where one subscription includes 30 VNets (each VNet includes 10 VMs, and each VM
includes 1 VNIC).
6. Review the Custom Role in JSON Format
7. Review and Create the Custom Role
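As an added check (not part of NetBrain's guide or tooling), the following Python sketch audits a custom-role definition in the JSON format shown above before the role is created. It separates plain read actions from other actions, and flags wildcards, credential-issuing operations such as the storage key and SAS actions in the sample, and assignable scopes wider than a subscription. The embedded role excerpt, the all-zero subscription ID and the marker list are constructed for illustration.

```python
import json

# Constructed excerpt of a role in the portal's JSON format; action names come from the sample above.
ROLE_JSON = """
{"properties": {
  "roleName": "netbrain-discovery-example",
  "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
  "permissions": [{
    "actions": [
      "Microsoft.Network/virtualNetworks/read",
      "Microsoft.Network/networkInterfaces/effectiveRouteTable/action",
      "Microsoft.Storage/storageAccounts/regeneratekey/action",
      "Microsoft.Storage/storageAccounts/listAccountSas/action",
      "Microsoft.ApiManagement/service/users/token/action",
      "Microsoft.Insights/Metrics/Read"
    ],
    "notActions": [], "dataActions": [], "notDataActions": []
  }]
}}
"""

# Assumption: substrings a reviewer treats as "issues or rotates a credential".
CREDENTIAL_MARKERS = ("regeneratekey", "listaccountsas", "listkeys", "/token/")

def audit_role(role_text):
    """Classify every action in a custom role and flag scopes wider than a subscription."""
    props = json.loads(role_text)["properties"]
    report = {"read": [], "non_read": [], "credential": [], "wildcard": [], "broad_scope": []}
    for perm in props["permissions"]:
        for action in perm.get("actions", []) + perm.get("dataActions", []):
            low = action.lower()  # the sample mixes upper and lower case, so compare in lower case
            if "*" in low:
                report["wildcard"].append(action)
            elif any(marker in low for marker in CREDENTIAL_MARKERS):
                report["credential"].append(action)
            elif low.endswith("/read"):
                report["read"].append(action)
            else:
                report["non_read"].append(action)
    for scope in props.get("assignableScopes", []):
        if not scope.lower().startswith("/subscriptions/"):
            report["broad_scope"].append(scope)  # e.g. "/" or a management group
    return report

if __name__ == "__main__":
    for category, items in audit_role(ROLE_JSON).items():
        for item in items:
            print(f"{category:12} {item}")
```

Each entry reported under credential or non_read is one to justify against the data NetBrain actually needs before the role is assigned to the App.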
1.2. Registering Apps
The Microsoft identity platform performs identity and access management (IAM) only for registered applications.
Therefore, an app needs to be registered in Azure portal to establish a trust relationship between the NetBrain
Workstation and Microsoft Azure.
1. Go to Azure Active Directory in Azure Portal.
2. Go to App registrations and click New registration.
3. Define the Name of the App, select Accounts in this organizational directory only (Single tenant) as the
account type, then click Register.
Note: Only the “Single Tenant” account type is supported in the current release, so make sure you have
selected “Accounts in this organizational directory only (Single tenant)” as the account type.
4. Go to API permissions of the registered App to view the permissions. Keep all the default settings as is.
5. Go to Certificates & secrets of the registered App and click + New client secret.
Note: Only the client id/secret method is supported in the current release; the certificates method will be supported
in a future release.
6. Go to Access control (IAM) of the subscription and assign the previously created role to the registered App.
1.3. Configuring NetBrain to Access Azure
Once you have created the custom role and registered the App, it's time to connect NetBrain to Azure.
1. In the Domain Management page, select Operations > Discover Settings > API Server Manager from the
quick access toolbar, then click Add API server.
2. In the Server Name field, enter a meaningful name that can uniquely identify your registered App.
3. Select Microsoft Azure as the API Source Type.
1) In the Endpoint (Application/Client ID) field, copy and paste the ID from your registered App.
2) In the Client Secret field, copy and paste the value from the created client secret of your registered App.
3) In the Directory (Tenant) ID field, copy and paste the ID from the registered App.
4) Click Test to verify the connection.
4. Once the API server is successfully verified and saved, you can proceed with the discovery to start the data
retrieval.
Note: By default, NetBrain queries all subscriptions within the defined tenant. If you want NetBrain to collect data from a
specified subscription, please assign the role to this registered App for this subscription only.
Note: One API server can only access one Azure tenant. If you want to discover multiple tenants, please register an App
for each tenant and create multiple API servers to associate with these tenants and Apps.
Note: Since retrieving the tenant details (including the tenant name) using the Azure Management
API via App Registration and Service Principal is not currently supported, NetBrain will create a random tenant name. However, you can manually
specify your Tenant Name in the API Server Manager as below.
Note: To successfully retrieve data from Azure, please make sure that your Front Server has access to
*.core.windows.net, *.azure.com, *.microsoft.com and *.microsoftonline.com.
2. Discovering Azure Network in NetBrain Domain
To understand an Azure Network, you need to first discover the network data model in a NetBrain domain.
1) In the Domain Management page, select Operations > Discover from the quick access toolbar.
2) Select the API server created to access Azure and click Start Discovery.
Note: In order to properly build the data model, NetBrain requires CLI and SNMP access to all virtual network
appliances of each Azure VNet (e.g., the virtual firewall instances).
3. Auto-Updating Azure Data in NetBrain through Benchmark
The discovery only retrieves the basic data of your Azure network and builds the L3 topology. After the discovery,
you need to execute a benchmark task to retrieve all data and build all components, including visual spaces and
data views.
Example: Benchmark Azure in a NetBrain Domain.
1. On the Start Page, click Schedule Task.
2. On the Schedule Discovery/Benchmark tab, click Add Benchmark Task.
3. On the Frequency tab, define the task frequency.
4. On the Device Scope tab, select the Select external API servers to retrieve data of SDN nodes check box
and select the API servers for Azure.
Note: As a best practice, we recommend reusing the “Basic System Benchmark” with a full benchmark task, where all
devices are selected. This ensures that all Azure-connected physical or virtual devices are selected within the device
scope.
5. On the Retrieve Live Data tab, select the Microsoft Azure check box, and make sure to select the following
tables under the NCT table:
• Azure AppGW Backend Pools Table
• Azure AppGW Http Setting Table
• Azure AppGW Listener Table
• Azure AppGW Rule Table
• Azure AppGW Translation Table
• Azure Firewall Application Rule Collection Table
• Azure Firewall DNAT Rule Collection Table
• Azure Firewall Network Rule Collection Table
• Azure LoadBalancer Backend Pools Table
• Azure LoadBalancer Inbound NAT Rules Table
• Azure LoadBalancer Load Balancing Rules Table
• Azure LoadBalancer Outbound Rules Table
• Azure MSEE ARP Table
• Azure MSEE Route Summary Table
• Azure MSEE Route Table
• Azure NATGW NAT Table
• Azure Neighbor Relationship Table
• Azure Route Dependency Table
• Azure VHub Effective Route Table
• Azure VHub Route Table
• Azure Virtual Route Table
• Azure VNet Network Security Groups Table
• Azure VNet Peering Table
• Azure VNet Route Table
• Azure VNIC Effective Route Table
• BGP Advertised Route Table
Note: It is required to select the BGP Advertised Route Table (unselected by default) when the Azure network is
connected with other networks (e.g., on-premise network) via ExpressRoute Circuit.
6. On the Additional Operation After Benchmark tab, select the check boxes for:
• Update MPLS Cloud
• Update Public Cloud (Recalculate Azure Virtual Route Table)
• Update Build Topology
7. Click Submit.