Cloud Rewind protects your cloud application environment in Azure and ensures cloud application resilience. This document explains how to connect Cloud Rewind to your Azure cloud infrastructure to enable cloud application resilience, and lists the permissions required.
Prerequisites
To onboard Azure subscriptions, Cloud Rewind must be registered as an enterprise application in the Azure tenant with specific roles and permissions enabled. The onboarding user requires the following permissions in the Azure tenant:
- Owner
- User Access Administrator
To add a new Azure Cloud Connection in Cloud Rewind, follow these steps:
- Navigate to "Cloud Connections", click "Add Cloud Connection," and choose "Azure Cloud"
- Fill in the Name and Description for the connection
- Provide the required authentication details from the Azure account to register Cloud Rewind
Enter the “Tenant Id” and click “REGISTER” to register the Cloud RewindARS.
In the new window:
- Select the “Accept” option to approve the permissions requested for the Cloud RewindARS application to be registered as an Enterprise Application in the given Azure tenant
- Once the request is approved to register in the tenant, the Cloud RewindARS application will be displayed as an Enterprise application in the given Azure tenant
- In the Cloud Rewind Cloud Connection, provide the Azure authentication details, Azure account’s “Subscription ID”, and “Object ID” of the registered Cloud Rewind Application
- Select the operational regions where your protection and recovery operations need to be done
- Add the Azure services by choosing “ADD SERVICES” and click “NEXT”
Apply IAM Permissions
- From the “Instant” tab, run the given command in the Bash Cloud Shell of the Azure portal to grant the required permissions in a single step
- Or, select the “Manual” tab and either click the “DOWNLOAD ARM TEMPLATE” option or run the curl command to download the template
- An ARM template that will assign the necessary roles to the Cloud Rewind application will be downloaded
- In your Azure console, run the given command with the downloaded template file path
- Select the confirmation message to grant the permissions and click “FINISH”
If you run into technical problems in the above steps, one or more of the following may be the cause:
- You don't have permission to register Cloud Rewind as an enterprise app
- You don't have permission to assign roles to the Cloud Rewind enterprise app
- The assigned role is removed or blocked before the discovery process
- A network outage or Azure response delay causes the discovery to take longer because of exponential backoff
Cloud Connection Dashboard and Actions
After successfully completing the Cloud Connection discovery process, all selected operational region resources will be listed at the bottom of your Cloud Connection summary page.
Additionally, the following options can be accessed under the Cloud Connection Actions button:
Edit: This option allows users to refine their Cloud Connection settings with flexibility. Users can update the Cloud Connection name, add new operational regions, and modify the selection of cloud services to be discovered.
Manage Azure Permissions: This feature lets users update Cloud Connection permissions as required.
Recovery Profile: This option enables users to create a Cloud Connection-based recovery profile, which can be used in all the cloud assembly recoveries created under this Cloud Connection.
Disable: With the disable option, users gain control over their Cloud Connection discovery process. This functionality enables users to temporarily suspend Cloud Connection discovery and reactivate it when needed.
Download Report: Enhancing visibility and insights, this option generates a comprehensive summary report file detailing Cloud Connection resources, regions, and additional relevant details.
Delete: Users can utilize the delete option to permanently remove selected Cloud Connections.
Sync Now: This option triggers immediate Cloud Connection discovery when needed.
Azure IAM Permissions
Note
When a particular role's permission is revoked manually in the Azure portal, the set of operations associated with that role will fail.
Appranix ARS Discovery Resource Group Default Access
permissions:
- Microsoft.Resources/subscriptions/resourceGroups/read
- Microsoft.Resources/subscriptions/resourceGroups/write
- Microsoft.Resources/subscriptions/resourceGroups/resources/read
Appranix ARS Discovery Storage Default Access
permissions:
- Microsoft.Storage/storageAccounts/read
- Microsoft.Storage/storageAccounts/write
- Microsoft.Storage/storageAccounts/blobServices/containers/read
- Microsoft.Storage/storageAccounts/blobServices/containers/write
- Microsoft.Storage/storageAccounts/listKeys/action
- Microsoft.Storage/storageAccounts/blobServices/read
- Microsoft.Storage/storageAccounts/fileServices/shares/read
- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
- Microsoft.Compute/disks/beginGetAccess/action
- Microsoft.Compute/disks/endGetAccess/action
- Microsoft.Compute/disks/read
- Microsoft.Compute/diskEncryptionSets/read
Appranix ARS Discovery Compute Default Access
permissions:
- Microsoft.Compute/virtualMachines/read
- Microsoft.Compute/virtualMachineScaleSets/read
- Microsoft.Compute/virtualMachineScaleSets/skus/read
- Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read
- Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/publicIPAddresses/read
- Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/read
- Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read
- Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
- Microsoft.Compute/sshPublicKeys/read
- Microsoft.Compute/availabilitySets/read
- Microsoft.Compute/snapshots/read
Appranix ARS Discovery Network Default Access
permissions:
- Microsoft.Network/networkInterfaces/read
- Microsoft.Network/publicIPAddresses/read
- Microsoft.Network/virtualNetworks/read
- Microsoft.Network/networkSecurityGroups/read
- Microsoft.Network/virtualNetworks/subnets/read
- Microsoft.Network/applicationSecurityGroups/read
- Microsoft.Network/routeTables/routes/read
- Microsoft.Network/routeTables/read
- Microsoft.Network/localnetworkgateways/read
- Microsoft.Network/virtualNetworkGateways/read
- Microsoft.Network/azurefirewalls/read
- Microsoft.Network/firewallPolicies/read
- Microsoft.Network/privateLinkServices/read
- Microsoft.Network/dnszones/read
- Microsoft.Network/privateDnsZones/read
- Microsoft.Network/frontDoorWebApplicationFirewallPolicies/read
- Microsoft.Network/dnsForwardingRulesets/read
- Microsoft.Network/dnsResolvers/read
- Microsoft.Network/trafficManagerProfiles/read
- Microsoft.Network/frontDoors/read
- Microsoft.Network/natGateways/read
Appranix ARS Discovery Load balancer Default Access
permissions:
- Microsoft.Network/loadBalancers/backendAddressPools/backendPoolAddresses/read
- Microsoft.Network/loadBalancers/backendAddressPools/join/action
- Microsoft.Network/loadBalancers/backendAddressPools/read
- Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/read
- Microsoft.Network/loadBalancers/inboundNatPools/join/action
- Microsoft.Network/loadBalancers/inboundNatPools/read
- Microsoft.Network/loadBalancers/inboundNatRules/read
- Microsoft.Network/loadBalancers/loadBalancingRules/read
- Microsoft.Network/loadBalancers/networkInterfaces/read
- Microsoft.Network/loadBalancers/outboundRules/read
- Microsoft.Network/loadBalancers/probes/read
- Microsoft.Network/loadBalancers/read
- Microsoft.Network/loadBalancers/virtualMachines/read
Appranix ARS Discovery Event Grid Default Access
permissions:
- Microsoft.EventGrid/topics/read
- Microsoft.EventGrid/topics/eventSubscriptions/read
- Microsoft.EventGrid/domains/read
- Microsoft.EventGrid/domains/eventSubscriptions/read
- Microsoft.EventGrid/domains/topics/read
- Microsoft.EventGrid/domains/topics/eventSubscriptions/read
- Microsoft.EventGrid/systemTopics/read
- Microsoft.EventGrid/systemTopics/eventSubscriptions/read
- Microsoft.EventGrid/eventSubscriptions/read
Appranix ARS Discovery CDN Profiles Default Access
permissions:
- Microsoft.Cdn/profiles/afdendpoints/read
- Microsoft.Cdn/profiles/customdomains/read
- Microsoft.Cdn/profiles/endpoints/customdomains/read
- Microsoft.Cdn/profiles/endpoints/origingroups/read
- Microsoft.Cdn/profiles/endpoints/origins/read
- Microsoft.Cdn/profiles/endpoints/read
- Microsoft.Cdn/profiles/origingroups/origins/read
- Microsoft.Cdn/profiles/origingroups/read
- Microsoft.Cdn/profiles/read
Appranix ARS Discovery Mysql Flexible Server Default Access
permissions:
- Microsoft.DBforMySQL/servers/privateEndpointConnectionProxies/read
- Microsoft.DBforMySQL/servers/privateEndpointConnections/read
- Microsoft.DBforMySQL/servers/read
- Microsoft.DBforMySQL/locations/azureAsyncOperation/read
- Microsoft.DBforMySQL/flexibleServers/read
Appranix ARS Discovery NoSql Server Default Access
permissions:
- Microsoft.DocumentDB/databaseAccounts/read
- Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read
- Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/read
- Microsoft.DocumentDB/databaseAccounts/tables/read
- Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/read
- Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/tables/read
Appranix ARS Discovery Pqsql Flexible Server Default Access
permissions:
- Microsoft.DBforPostgreSQL/servers/privateEndpointConnections/read
- Microsoft.DBforPostgreSQL/servers/read
- Microsoft.Cache/redis/read
- Microsoft.DBforPostgreSQL/flexibleServers/read
- Microsoft.DBforPostgreSQL/serverGroupsv2/*
Appranix ARS Discovery SignalR Service Default Access
permissions:
- Microsoft.SignalRService/SignalR/read
Appranix ARS Discovery Logic Default Access
permissions:
- Microsoft.Logic/workflows/read
Appranix ARS DiscoveryApp Configuration Default Access
permissions:
- Microsoft.AppConfiguration/configurationStores/read
Appranix ARS Discovery Data Factory Default Access
permissions:
- Microsoft.DataFactory/datafactories/read
Appranix ARS Discovery Container Service Default Access
permissions:
- Microsoft.ContainerService/managedClusters/read
Appranix ARS Discovery WebSites Default Access
permissions:
- Microsoft.Web/sites/Read
- Microsoft.Web/serverfarms/Read
- Microsoft.Web/sites/config/list/Action
- Microsoft.web/sites/functions/read
Appranix ARS Discovery Private Endpoint Default Access
permissions:
- Microsoft.Network/privateEndpoints/read
Appranix ARS Discovery Service Bus Default Access
permissions:
- Microsoft.ServiceBus/namespaces/read
- Microsoft.ServiceBus/namespaces/topics/read
- Microsoft.ServiceBus/namespaces/queues/read
Appranix ARS Discovery Event Hub Default Access
permissions:
- Microsoft.EventHub/namespaces/read
- Microsoft.EventHub/namespaces/eventhubs/read
Appranix ARS Discovery SQL Managed Instance Default Access
permissions:
- Microsoft.Sql/managedInstances/read
Appranix ARS Discovery Shared gallery Default Access
permissions:
- Microsoft.Compute/galleries/read
- Microsoft.Compute/galleries/images/read
- Microsoft.Compute/galleries/images/versions/read
Appranix ARS Discovery Application Gateway Default Access
permissions:
- Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/read
- Microsoft.Network/applicationGateways/read
- Microsoft.Network/applicationGateways/privateEndpointConnections/read
Appranix ARS Discovery Proximity Placement Group Default Access
permissions:
- Microsoft.Compute/proximityPlacementGroups/read
Appranix ARS Discovery Wcf Relay Default Access
permissions:
- Microsoft.Relay/namespaces/read
- Microsoft.Relay/namespaces/WcfRelays/read
Appranix ARS Discovery Sql Managed Instance Default Access
permissions:
- Microsoft.Sql/servers/elasticPools/read
- Microsoft.SqlVirtualMachine/sqlVirtualMachines/read
- Microsoft.Sql/servers/read
- Microsoft.Sql/servers/databases/read
Appranix ARS Protection Web Default Access
permissions:
- Microsoft.Web/sites/config/read
- Microsoft.Web/sites/Read
- Microsoft.Web/sites/config/write
- Microsoft.Web/sites/backup/action
- Microsoft.Web/sites/config/list/action
- Microsoft.Web/sites/backups/Read
Appranix ARS Protection Storage Default Access
permissions:
- Microsoft.Storage/storageAccounts/write
- Microsoft.Storage/storageAccounts/blobServices/containers/write
- Microsoft.Compute/snapshots/beginGetAccess/action
- Microsoft.Compute/snapshots/read
- Microsoft.Compute/snapshots/write
- Microsoft.Storage/storageAccounts/blobServices/write
- Microsoft.Storage/storageAccounts/objectReplicationPolicies/write
- Microsoft.Storage/storageAccounts/managementPolicies/write
- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Appranix ARS Protection Resource Group Default Access
permissions:
- Microsoft.Resources/subscriptions/resourceGroups/read
- Microsoft.Resources/subscriptions/resourceGroups/write
- Microsoft.Resources/subscriptions/resourceGroups/resources/read
Azure Replica-retention Permissions
permissions:
- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Azure Retention Permissions
permissions:
- Microsoft.Compute/snapshots/delete
- Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete
- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
- Microsoft.web/sites/backups/delete
Appranix ARS Recovery Resource Group Default Access
permissions:
- Microsoft.Resources/subscriptions/resourceGroups/read
- Microsoft.Resources/subscriptions/resourceGroups/write
Appranix ARS Recovery Storage Default Access
permissions:
- Microsoft.Compute/disks/write
- Microsoft.Storage/storageAccounts/write
- Microsoft.Storage/storageAccounts/blobServices/containers/write
Appranix ARS Recovery Compute Default Access
permissions:
- Microsoft.Compute/virtualMachines/write
- Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write
- Microsoft.Compute/virtualMachineScaleSets/write
- Microsoft.Compute/sshPublicKeys/write
- Microsoft.Compute/images/write
- Microsoft.Compute/images/read
- Microsoft.Compute/availabilitySets/write
- Microsoft.Compute/proximityPlacementGroups/write
- Microsoft.Compute/virtualMachines/extensions/write
Appranix ARS Recovery Network Default Access
permissions:
- Microsoft.Network/networkInterfaces/join/action
- Microsoft.Network/networkInterfaces/write
- Microsoft.Network/publicIPAddresses/join/action
- Microsoft.Network/publicIPAddresses/write
- Microsoft.Network/virtualNetworks/write
- Microsoft.Network/networkSecurityGroups/join/action
- Microsoft.Network/networkSecurityGroups/write
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/write
- Microsoft.Network/networkSecurityGroups/securityRules/write
Appranix ARS Recovery Load balancer Default Access
permissions:
- Microsoft.Network/loadBalancers/backendAddressPools/write
- Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action
- Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/join/action
- Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/write
- Microsoft.Network/loadBalancers/inboundNatPools/join/action
- Microsoft.Network/loadBalancers/inboundNatRules/join/action
- Microsoft.Network/loadBalancers/inboundNatRules/write
- Microsoft.Network/loadBalancers/probes/join/action
- Microsoft.Network/loadBalancers/providers/Microsoft.Insights/diagnosticSettings/write
- Microsoft.Network/loadBalancers/write
- Microsoft.Network/loadBalancers/backendAddressPools/join/action
- Microsoft.Network/virtualNetworks/subnets/joinLoadBalancer/action
- Microsoft.Network/virtualNetworks/joinLoadBalancer/action
- Microsoft.Network/locations/setLoadBalancerFrontendPublicIpAddresses/action
Appranix ARS Recovery Deployment Manager Default Access
permissions:
- Microsoft.Resources/deployments/read
- Microsoft.Resources/deployments/write
- Microsoft.Resources/deployments/operationStatuses/read
- Microsoft.Resources/deployments/operations/read
Appranix ARS Recovery MySql Default Access
permissions:
- Microsoft.DBforMySQL/servers/write
- Microsoft.DBforMySQL/servers/privateEndpointConnectionsApproval/action
Appranix ARS Recovery Mssql Default Access
permissions:
- Microsoft.Sql/servers/write
- Microsoft.Sql/servers/databases/write
Appranix ARS Recovery Postgress Default Access
permissions:
- Microsoft.DBforPostgreSQL/servers/write
- Microsoft.DBforPostgreSQL/servers/privateEndpointConnectionsApproval/action
Appranix ARS Recovery Application Gateway Default Access
permissions:
- Microsoft.Network/applicationGateways/write
- Microsoft.Network/applicationGateways/backendAddressPools/join/action
Appranix ARS Recovery Proximity Placement Group Default Access
permissions:
- Microsoft.Compute/proximityPlacementGroups/write
Appranix ARS Recovery Private Endpoint Default Access
permissions:
- Microsoft.Network/privateEndpoints/write
Appranix ARS Recovery Shared gallery Default Access
permissions:
- Microsoft.Compute/galleries/read
- Microsoft.Compute/galleries/write
- Microsoft.Compute/galleries/share/action
Appranix ARS Recovery Shared gallery image definition Default Access
permissions:
- Microsoft.Compute/galleries/images/read
- Microsoft.Compute/galleries/images/write
Appranix ARS Recovery Shared gallery image version Default Access
permissions:
- Microsoft.Compute/galleries/images/versions/read
- Microsoft.Compute/galleries/images/versions/write
Appranix ARS Recovery Network Route Tables Default Access
permissions:
- Microsoft.Network/routeTables/routes/write
- Microsoft.Network/routeTables/write
- Microsoft.Network/routeTables/join/action
Appranix ARS Recovery Management Identity Default Access
permissions:
- Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
Appranix ARS Recovery SQL Virtual Machine Default Access
permissions:
- Microsoft.SqlVirtualMachine/sqlVirtualMachines/write
Appranix ARS Recovery Web Sites Default Access
permissions:
- Microsoft.Web/sites/restoreFromBackupBlob/action
- Microsoft.Web/sites/operationresults/read
- Microsoft.Web/serverfarms/write
- Microsoft.Web/sites/write
- Microsoft.Web/sites/restoreSnapshot/action
Appranix ARS Reset Resource Group Default Access
permissions:
- Microsoft.Resources/subscriptions/resourceGroups/delete
Appranix ARS Reset Storage Default Access
permissions:
- Microsoft.Storage/storageAccounts/delete
- Microsoft.Storage/storageAccounts/blobServices/containers/delete
- Microsoft.Compute/disks/delete
dataPermissions:
- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Appranix ARS Reset Compute Default Access
permissions:
- Microsoft.Compute/virtualMachines/delete
- Microsoft.Compute/virtualMachineScaleSets/virtualMachines/delete
- Microsoft.Compute/virtualMachineScaleSets/delete
- Microsoft.Compute/sshPublicKeys/delete
- Microsoft.Compute/images/delete
- Microsoft.Compute/availabilitySets/delete
- Microsoft.Compute/proximityPlacementGroups/delete
Appranix ARS Reset Network Default Access
permissions:
- Microsoft.Network/networkInterfaces/delete
- Microsoft.Network/networkSecurityGroups/delete
- Microsoft.Network/publicIPAddresses/delete
- Microsoft.Network/virtualNetworks/delete
- Microsoft.Network/virtualNetworks/subnets/delete
- Microsoft.Network/networkSecurityGroups/securityRules/delete
Appranix ARS Reset Load balancer Default Access
permissions:
- Microsoft.Network/loadBalancers/backendAddressPools/delete
- Microsoft.Network/loadBalancers/delete
- Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/delete
- Microsoft.Network/loadBalancers/inboundNatRules/delete
Appranix ARS Reset MySql Default Access
permissions:
- Microsoft.DBforMySQL/servers/delete
Appranix ARS Reset Mssql Default Access
permissions:
- Microsoft.Sql/servers/delete
- Microsoft.SqlVirtualMachine/sqlVirtualMachines/delete
Appranix ARS Reset Postgress Default Access
permissions:
- Microsoft.DBforPostgreSQL/servers/delete
Appranix ARS Reset Application Gateway Default Access
permissions:
- Microsoft.Network/applicationGateways/delete
Appranix ARS Reset Proximity Placement Group Default Access
permissions:
- Microsoft.Compute/proximityPlacementGroups/delete
Appranix ARS Reset Private Endpoint Default Access
permissions:
- Microsoft.Network/privateEndpoints/delete
Appranix ARS Reset Shared gallery Default Access
permissions:
- Microsoft.Compute/galleries/delete
Appranix ARS Reset Shared gallery image definition Default Access
permissions:
- Microsoft.Compute/galleries/images/delete
Appranix ARS Reset Shared gallery image version Default Access
permissions:
- Microsoft.Compute/galleries/images/versions/delete
Appranix ARS Reset Network Route Table Default Access
permissions:
- Microsoft.Network/routeTables/routes/delete
- Microsoft.Network/routeTables/delete
Appranix ARS Reset Web Sites Default Access
permissions:
- Microsoft.web/sites/backups/delete
- Microsoft.Web/sites/config/delete
Note
This list of permissions may increase as Cloud Rewind adds more services for protection.
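As an added example (not Cloud Rewind's own code), the script below parses a role listing in this page's layout so it can be reviewed before the roles are granted to the enterprise application, and flags wildcards, key-listing actions, and non-read actions inside Discovery roles. The flag rules and the embedded sample are assumptions of this example; the sample reuses role names and actions from this page, with one entry deliberately run together the way copied listings often are.

```python
import re

# Constructed sample in this page's layout (one line has two actions fused).
SAMPLE = """\
Appranix ARS Discovery Storage Default Access
permissions:
- Microsoft.Storage/storageAccounts/write
- Microsoft.Storage/storageAccounts/listKeys/action
Appranix ARS Discovery Load balancer Default Access
permissions:
- Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/readMicrosoft.Network/loadBalancers/inboundNatPools/join/action
Appranix ARS Discovery Pqsql Flexible Server Default Access
permissions:
- Microsoft.DBforPostgreSQL/flexibleServers/read
- Microsoft.DBforPostgreSQL/serverGroupsv2/*
Appranix ARS Recovery Load balancer Default Access
permissions:
- Microsoft.Network/loadBalancers/providers/Microsoft.Insights/diagnosticSettings/write
Appranix ARS Reset Storage Default Access
permissions:
- Microsoft.Storage/storageAccounts/delete
dataPermissions:
- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
"""

# One action; a new "Microsoft." that does not follow "/" starts the next one.
ACTION = re.compile(r"Microsoft\.\w+/(?:(?!(?<!/)Microsoft\.)[\w/*.])+", re.I)
SECRET = re.compile(r"/list\w*/action$", re.I)  # e.g. listKeys, config/list


def parse_roles(text):
    """Return {role name: [(section, action), ...]} from the listing."""
    roles, role, section = {}, "(no role heading)", "permissions"
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith(":"):          # "permissions:" or "dataPermissions:"
            section = line[:-1]
        elif line.startswith("-"):      # list entry, possibly several fused
            found = [(section, a) for a in ACTION.findall(line)]
            roles.setdefault(role, []).extend(found)
        else:                           # anything else is a role heading
            role, section = line, "permissions"
    return roles


def review(roles):
    """Flag actions worth a second look (this example's rules, not Azure's)."""
    flags = []
    for role, entries in roles.items():
        for section, action in entries:
            verb = action.rsplit("/", 1)[-1].lower()
            if "*" in action:
                why = "wildcard"
            elif SECRET.search(action):
                why = "returns keys or secrets"
            elif "ARS Discovery" in role and verb != "read":
                why = "non-read action in a Discovery role"
            else:
                continue
            flags.append((role, section, action, why))
    return flags


if __name__ == "__main__":
    for role, section, action, why in review(parse_roles(SAMPLE)):
        print(f"{why:36} {section:16} {action}  [{role}]")
```

A flagged action is a prompt to confirm why the product needs it, not proof that the grant is wrong.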