Azure VNet Policies and Permissions Reference

Published April 5, 2023 | Last modified February 21, 2025

Objective

This document explains the various types of required policies that grant permissions for users to create or modify resources as part of deploying F5® Distributed Cloud Sites on Azure. This document also provides instructions to create a service principal using the Azure cloud reference scripts.

Azure VNet Policies

In case of Azure VNet site deployments, it is required that you have the Owner role and create service principal subscription with Contributor role for it.

Note: Users should use the below listed permissions for reference only and should not use them directly in their configurations. If direct usage is necessary, refer to Create Service Principal Using Cloud Reference Script for more details.

The following is the JSON view of the required policy and permissions to deploy Azure VNet site:

Azure VNet Site Permissions
{
    "properties": {
        "roleName": "$ROLE_NAME",
        "description": "F5 XC Custom Role to create Azure VNET site",
        "assignableScopes": [
            "/subscriptions/$SUBSCRIPTION_ID"
        ],
        "permissions": [
            {
                "actions": [
                    "*/read",
                    "*/register/action",
                    "Microsoft.Compute/disks/delete",
                    "Microsoft.Compute/skus/read",
                    "Microsoft.Compute/virtualMachineScaleSets/delete",
                    "Microsoft.Compute/virtualMachineScaleSets/write",
                    "Microsoft.Compute/virtualMachines/delete",
                    "Microsoft.Compute/virtualMachines/write",
                    "Microsoft.MarketplaceOrdering/agreements/offers/plans/cancel/action",
                    "Microsoft.MarketplaceOrdering/offerTypes/publishers/offers/plans/agreements/write",
                    "Microsoft.Network/loadBalancers/backendAddressPools/delete",
                    "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
                    "Microsoft.Network/loadBalancers/backendAddressPools/write",
                    "Microsoft.Network/loadBalancers/delete",
                    "Microsoft.Network/loadBalancers/write",
                    "Microsoft.Network/locations/setLoadBalancerFrontendPublicIpAddresses/action",
                    "Microsoft.Network/networkInterfaces/delete",
                    "Microsoft.Network/networkInterfaces/join/action",
                    "Microsoft.Network/networkInterfaces/write",
                    "Microsoft.Network/networkSecurityGroups/delete",
                    "Microsoft.Network/networkSecurityGroups/join/action",
                    "Microsoft.Network/networkSecurityGroups/securityRules/delete",
                    "Microsoft.Network/networkSecurityGroups/securityRules/write",
                    "Microsoft.Network/networkSecurityGroups/write",
                    "Microsoft.Network/publicIPAddresses/delete",
                    "Microsoft.Network/publicIPAddresses/join/action",
                    "Microsoft.Network/publicIPAddresses/write",
                    "Microsoft.Network/routeTables/delete",
                    "Microsoft.Network/routeTables/join/action",
                    "Microsoft.Network/routeTables/write",
                    "Microsoft.Network/virtualHubs/delete",
                    "Microsoft.Network/virtualHubs/bgpConnections/delete",
                    "Microsoft.Network/virtualHubs/bgpConnections/read",
                    "Microsoft.Network/virtualHubs/bgpConnections/write",
                    "Microsoft.Network/virtualHubs/ipConfigurations/delete",
                    "Microsoft.Network/virtualHubs/ipConfigurations/read",
                    "Microsoft.Network/virtualHubs/ipConfigurations/write",
                    "Microsoft.Network/virtualHubs/read",
                    "Microsoft.Network/virtualHubs/write",
                    "Microsoft.Network/virtualNetworks/delete",
                    "Microsoft.Network/virtualNetworks/peer/action",
                    "Microsoft.Network/virtualNetworks/subnets/delete",
                    "Microsoft.Network/virtualNetworks/subnets/join/action",
                    "Microsoft.Network/virtualNetworks/subnets/read",
                    "Microsoft.Network/virtualNetworks/subnets/write",
                    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
                    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
                    "Microsoft.Network/virtualNetworks/write",
                    "Microsoft.Network/virtualNetworkGateways/delete",
                    "Microsoft.Network/virtualNetworkGateways/read",
                    "Microsoft.Network/virtualNetworkGateways/write",
                    "Microsoft.Resources/subscriptions/locations/read",
                    "Microsoft.Resources/subscriptions/resourcegroups/delete",
                    "Microsoft.Resources/subscriptions/resourcegroups/read",
                    "Microsoft.Resources/subscriptions/resourcegroups/write"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
Copied!

Create Role and Service Principal

Perform the following steps to create a role in Azure portal with required permissions to create Azure VNet site and then create service principal subscription with contributor role for it.

Step 1: Log into Azure portal and navigate to access control section.

Go to Home > Subscriptions. Change to your subscription for which you are owner and click Access Control IAM.

Step 2: Create a custom role with required permissions.

Change to Role assignments tab. Click Add and select Add custom role. Give a name in the Basics tab and click the JSON tab. Click Edit to add the permissions listed in the Azure VNet Policies chapter.

Step 3: Complete creating the role.

Click Review + create.

Step 4: Create the service principal account.

You can create service principal account using F5 Distributed Cloud Services Terraform tool or using Azure CLI.

Step 4.1: Install Azure CLI.

See Install the Azure CLI for information on Azure CLI installation and perform installation accordingly.

Step 4.2: Create service principal.

Enter the following commands to create service principal:

az login
az account list --output table
SUBSCRIPTION_ID=<subscription_id>
az account set -s $SUBSCRIPTION_ID
az ad sp create-for-rbac -n <deployment-name> --role="<custom-role>" --scopes="/subscriptions/$SUBSCRIPTION_ID"
Copied!

Note: Replace subscription_id with your Azure subscription ID and the <custom-role> with the custom role created in previous step.

Note: In case service principal creation failing with error message stating that you have not accepted the legal terms on this subscription, enter the following command to accept the terms and conditions: az vm image terms accept --urn "volterraedgeservices:volterra-node:volterra-node:0.7.1"

Create Service Principal Using Cloud Reference Script

The following video tutorial shows how to create an Azure role and apply to service account:

Perform the following steps:

Note: The Azure CLI is required. See Install the Azure CLI for more information.

Step 1: Run the Azure login command.
az login
Copied!

The CLI opens your default browser and load an Azure sign-in page. Sign-in with your account credentials.

Step 2: List the Azure accounts and subscriptions.
az account list --output table
Copied!

Get the desired Azure SubscriptionId from the output of above command.

Step 3: Set the active account to the subscription ID as per your choice.
export SUBSCRIPTION_ID=<subscription_id>
az account set -s $SUBSCRIPTION_ID
Copied!
Step 4: Create the Azure custom role using the cloud reference script.

Download the script from the Azure Cloud Reference Script location in the JSON format. The name of the file is f5xc-azure-custom-role.json. Enter the following command:

az role definition create --role-definition ./f5xc-azure-custom-role.json
Copied!

Note: Replace the value of $SUBSCRIPTION_ID to the relevant SubscriptionId in the JSON file.

Step 5: Create the service principal and assign the custom role created in Step 4.
az ad sp create-for-rbac --role="f5xc-azure-role" --scopes="/subscriptions/$SUBSCRIPTION_ID" -n "SP_NAME"
Copied!

The following is the list of field descriptions for the above command:

  • f5xc-azure-role is the custom role created in Step 4.
  • SP_NAME is the service principal name that will be created.

The resulting JSON output can be used to create Azure Client Secret for Service Principal on F5® Distributed Cloud Console. See Azure Cloud Credentials for more information.

On this page: