Azure VNet Policies and Permissions Reference
Objective
This document explains the various types of required policies that grant permissions for users to create or modify resources as part of deploying F5® Distributed Cloud Sites on Azure. This document also provides instructions to create a service principal using the Azure cloud reference scripts.
Azure VNet Policies
For Azure VNet site deployments, you must hold the Owner role on the subscription and create a service principal for that subscription with the Contributor role.
The following is the JSON view of the required policy and permissions to deploy an Azure VNet site:
Azure VNet Site Permissions
{
  "properties": {
    "roleName": "$ROLE_NAME",
    "description": "F5 XC Custom Role to create Azure VNET site",
    "assignableScopes": [
      "/subscriptions/$SUBSCRIPTION_ID"
    ],
    "permissions": [
      {
        "actions": [
          "*/read",
          "*/register/action",
          "Microsoft.Compute/disks/delete",
          "Microsoft.Compute/skus/read",
          "Microsoft.Compute/virtualMachineScaleSets/delete",
          "Microsoft.Compute/virtualMachineScaleSets/write",
          "Microsoft.Compute/virtualMachines/delete",
          "Microsoft.Compute/virtualMachines/write",
          "Microsoft.MarketplaceOrdering/agreements/offers/plans/cancel/action",
          "Microsoft.MarketplaceOrdering/offerTypes/publishers/offers/plans/agreements/write",
          "Microsoft.Network/loadBalancers/backendAddressPools/delete",
          "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
          "Microsoft.Network/loadBalancers/backendAddressPools/write",
          "Microsoft.Network/loadBalancers/delete",
          "Microsoft.Network/loadBalancers/write",
          "Microsoft.Network/locations/setLoadBalancerFrontendPublicIpAddresses/action",
          "Microsoft.Network/networkInterfaces/delete",
          "Microsoft.Network/networkInterfaces/join/action",
          "Microsoft.Network/networkInterfaces/write",
          "Microsoft.Network/networkSecurityGroups/delete",
          "Microsoft.Network/networkSecurityGroups/join/action",
          "Microsoft.Network/networkSecurityGroups/securityRules/delete",
          "Microsoft.Network/networkSecurityGroups/securityRules/write",
          "Microsoft.Network/networkSecurityGroups/write",
          "Microsoft.Network/publicIPAddresses/delete",
          "Microsoft.Network/publicIPAddresses/join/action",
          "Microsoft.Network/publicIPAddresses/write",
          "Microsoft.Network/routeTables/delete",
          "Microsoft.Network/routeTables/join/action",
          "Microsoft.Network/routeTables/write",
          "Microsoft.Network/virtualHubs/delete",
          "Microsoft.Network/virtualHubs/bgpConnections/delete",
          "Microsoft.Network/virtualHubs/bgpConnections/read",
          "Microsoft.Network/virtualHubs/bgpConnections/write",
          "Microsoft.Network/virtualHubs/ipConfigurations/delete",
          "Microsoft.Network/virtualHubs/ipConfigurations/read",
          "Microsoft.Network/virtualHubs/ipConfigurations/write",
          "Microsoft.Network/virtualHubs/read",
          "Microsoft.Network/virtualHubs/write",
          "Microsoft.Network/virtualNetworks/delete",
          "Microsoft.Network/virtualNetworks/peer/action",
          "Microsoft.Network/virtualNetworks/subnets/delete",
          "Microsoft.Network/virtualNetworks/subnets/join/action",
          "Microsoft.Network/virtualNetworks/subnets/read",
          "Microsoft.Network/virtualNetworks/subnets/write",
          "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
          "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
          "Microsoft.Network/virtualNetworks/write",
          "Microsoft.Network/virtualNetworkGateways/delete",
          "Microsoft.Network/virtualNetworkGateways/read",
          "Microsoft.Network/virtualNetworkGateways/write",
          "Microsoft.Resources/subscriptions/locations/read",
          "Microsoft.Resources/subscriptions/resourcegroups/delete",
          "Microsoft.Resources/subscriptions/resourcegroups/read",
          "Microsoft.Resources/subscriptions/resourcegroups/write"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
Create Role and Service Principal
Perform the following steps to create a role in the Azure portal with the permissions required to create an Azure VNet site, and then create a service principal for the subscription with the Contributor role.
Step 1: Log into the Azure portal and navigate to the access control section.
Go to Home > Subscriptions. Switch to the subscription for which you are the owner and click Access control (IAM).
Step 2: Create a custom role with the required permissions.
Change to the Role assignments tab. Click Add and select Add custom role. Give the role a name in the Basics tab and click the JSON tab. Click Edit to add the permissions listed in the Azure VNet Policies chapter.
Step 3: Complete creating the role.
Click Review + create.
Step 4: Create the service principal account.
You can create the service principal account using the F5 Distributed Cloud Services Terraform tool or using the Azure CLI.
Step 4.1: Install Azure CLI.
See Install the Azure CLI for installation instructions and install it accordingly.
Step 4.2: Create service principal.
Enter the following commands to create the service principal:
az login
az account list --output table
SUBSCRIPTION_ID=<subscription_id>
az account set -s $SUBSCRIPTION_ID
az ad sp create-for-rbac -n <deployment-name> --role="<custom-role>" --scopes="/subscriptions/$SUBSCRIPTION_ID"
Note: Replace <subscription_id> with your Azure subscription ID and <custom-role> with the custom role created in the previous step.
Note: If service principal creation fails with an error message stating that you have not accepted the legal terms on this subscription, enter the following command to accept the terms and conditions:
az vm image terms accept --urn "volterraedgeservices:volterra-node:volterra-node:0.7.1"
Create Service Principal Using Cloud Reference Script
The following video tutorial shows how to create an Azure role and apply it to a service account:
Perform the following steps:
Note: The Azure CLI is required. See Install the Azure CLI for more information.
Step 1: Run the Azure login command.
az login
The CLI opens your default browser and loads an Azure sign-in page. Sign in with your account credentials.
Step 2: List the Azure accounts and subscriptions.
az account list --output table
Get the desired Azure SubscriptionId from the output of the above command.
Step 3: Set the active account to the subscription ID as per your choice.
export SUBSCRIPTION_ID=<subscription_id>
az account set -s $SUBSCRIPTION_ID
Step 4: Create the Azure custom role using the cloud reference script.
Download the script from the Azure Cloud Reference Script location in JSON format. The name of the file is f5xc-azure-custom-role.json. Enter the following command:
az role definition create --role-definition ./f5xc-azure-custom-role.json
Note: Replace the value of $SUBSCRIPTION_ID in the JSON file with the relevant SubscriptionId.
Step 5: Create the service principal and assign the custom role created in Step 4.
az ad sp create-for-rbac --role="f5xc-azure-role" --scopes="/subscriptions/$SUBSCRIPTION_ID" -n "SP_NAME"
The following is the list of field descriptions for the above command:
f5xc-azure-role is the custom role created in Step 4.
SP_NAME is the service principal name that will be created.
The resulting JSON output can be used to create the Azure Client Secret for Service Principal on F5® Distributed Cloud Console. See Azure Cloud Credentials for more information.
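The following preflight script is an added example and is not F5's own tooling or part of the cloud reference script. It ties together the role JSON from the Azure VNet Policies section and Steps 4 and 5 above: it fills in the $ROLE_NAME and $SUBSCRIPTION_ID placeholders, then audits the rendered role before you pass it to az role definition create. The audit accepts the two wildcards the page's role actually uses (*/read and */register/action), rejects any other wildcard such as */write that would make the role Contributor-like, insists that assignableScopes is a single subscription GUID, and flags any write action under Microsoft.Authorization, because that namespace lets a principal assign itself further roles. The embedded ROLE_TEMPLATE is a constructed, abridged copy of the page's JSON (the real f5xc-azure-custom-role.json carries the full actions list); the output file name f5xc-azure-custom-role.rendered.json is an assumption; the role name f5xc-azure-role and SP_NAME come from the page.

```python
"""Preflight check for the F5 XC Azure custom role (added example, not F5 code)."""
import json
import re
import shlex
from string import Template

# Constructed, abridged copy of the role JSON shown in the Azure VNet Policies
# section; the real f5xc-azure-custom-role.json carries the full actions list.
ROLE_TEMPLATE = """{
  "properties": {
    "roleName": "$ROLE_NAME",
    "description": "F5 XC Custom Role to create Azure VNET site",
    "assignableScopes": ["/subscriptions/$SUBSCRIPTION_ID"],
    "permissions": [{
      "actions": [
        "*/read",
        "*/register/action",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Compute/virtualMachines/delete",
        "Microsoft.Network/virtualNetworks/write",
        "Microsoft.Network/virtualNetworks/peer/action",
        "Microsoft.Resources/subscriptions/resourcegroups/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }]
  }
}"""

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
# Wildcards the page's role legitimately uses; any other "*/..." action is
# treated as over-broad (e.g. "*/write" would make the role Contributor-like).
ALLOWED_WILDCARDS = {"*/read", "*/register/action"}


def render_role(template: str, role_name: str, subscription_id: str) -> dict:
    """Fill $ROLE_NAME / $SUBSCRIPTION_ID and parse the result as JSON."""
    if not GUID_RE.match(subscription_id):
        raise ValueError(f"subscription id is not a GUID: {subscription_id!r}")
    rendered = Template(template).substitute(
        ROLE_NAME=role_name, SUBSCRIPTION_ID=subscription_id)
    return json.loads(rendered)


def audit_role(role: dict) -> list:
    """Return least-privilege findings; an empty list means the role passes."""
    props = role["properties"]
    findings = []
    scopes = props.get("assignableScopes", [])
    if len(scopes) != 1:
        findings.append(f"expected exactly one assignable scope, got {scopes}")
    for scope in scopes:
        m = re.fullmatch(r"/subscriptions/([^/]+)", scope)
        if not m or not GUID_RE.match(m.group(1)):
            findings.append(f"scope is not a single subscription: {scope}")
    for perm in props.get("permissions", []):
        for action in perm.get("actions", []):
            if action == "*" or (action.startswith("*/")
                                 and action not in ALLOWED_WILDCARDS):
                findings.append(f"over-broad wildcard action: {action}")
            # Write access under Microsoft.Authorization lets the principal
            # grant itself further roles, defeating the point of a scoped role.
            if (action.startswith("Microsoft.Authorization/")
                    and not action.endswith("/read")):
                findings.append(f"role-management action present: {action}")
        if perm.get("dataActions"):
            findings.append("dataActions should be empty for a control-plane role")
    return findings


def az_commands(role_file: str, role_name: str, subscription_id: str, sp_name: str) -> list:
    """The two CLI steps from the page, with every operator value shell-quoted."""
    scope = f"/subscriptions/{subscription_id}"
    return [
        f"az role definition create --role-definition {shlex.quote(role_file)}",
        "az ad sp create-for-rbac --role " + shlex.quote(role_name)
        + " --scopes " + shlex.quote(scope) + " -n " + shlex.quote(sp_name),
    ]


if __name__ == "__main__":
    import sys
    sub = sys.argv[1] if len(sys.argv) > 1 else "00000000-0000-0000-0000-000000000000"
    role = render_role(ROLE_TEMPLATE, "f5xc-azure-role", sub)
    problems = audit_role(role)
    if problems:
        sys.exit("role definition rejected: " + "; ".join(problems))
    out = "f5xc-azure-custom-role.rendered.json"  # assumed output name
    with open(out, "w") as fh:
        json.dump(role, fh, indent=2)
    print("\n".join(az_commands("./" + out, "f5xc-azure-role", sub, "SP_NAME")))
```

Run it with your subscription GUID as the only argument; it writes the rendered role file and prints the two az commands to run next, or exits non-zero with the list of findings. To audit the full downloaded file instead of the abridged template, read f5xc-azure-custom-role.json into ROLE_TEMPLATE before calling render_role.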