Azure Resource Management Information

Introduction

This guide describes how the supported Azure resources are discovered and managed in the Xshield Platform when a Subscription is onboarded to the Xshield platform.

Core Tags

The Xshield platform supports a number of Core Tags which are used to help manage Assets in the platform. When supported Azure resources such as Virtual Machines are discovered, certain tags on those resources (if configured) will be automatically imported into the platform. These tags are constantly monitored and automatically updated in the platform as needed by the Cloud Connector.

A few examples of supported core tags that are user-configurable:

  • Application: Typically used to identify parts of a cloud-based application
  • Environment: Used to distinguish between types of environments (Production, Testing, Development, etc.)
  • Owner: Identifies the resource owner, typically a team or individual
  • Role: The role of the resource in the application (Web Gateway, Web Server, Backend, etc.)

Some core tags will be populated automatically by the platform, based on the type of resource:

  • Category: The type of resource (Virtual Machine, VM Scale Set, Database, etc.)
  • Location: The Azure region where the resource is located
  • Subnet: The address prefix of the subnet that the resource belongs to

Application Security Group

Additionally, when an Azure subscription is connected to Xshield for the first time, the Cloud Connector will automatically create the "Application Security Group" (ASG) Custom Core Tag. This custom core tag is used to identify Assets which are configured in the Azure portal as belonging to an Azure ASG, so they can be associated with a Segment in the platform.

Assets

Supported Assets in the Azure subscription will be discovered by the Cloud Connector and periodically synchronized to the Xshield platform. New Assets that come online after the original onboarding process will be automatically added to the platform, and Assets which are removed from the subscription will also be removed from the Xshield platform.

Currently, the Cloud Connector supports the following four types of Assets in Azure:

  • Virtual Machine - Individual Azure VMs
  • Virtual Machine Scale Set - Scalable VM groups
  • Azure Database for MySQL - Managed MySQL database service
  • Azure SQL Managed Instance - Managed SQL Server instance

For more information on how Assets are managed in the Xshield platform, check the Assets documentation.

Network Security Groups -> Xshield Templates

Network Security Groups (NSGs) that are configured in the Azure Portal and attached to NICs or Subnets will be imported into Xshield as Templates.

These templates will automatically be associated with the corresponding assets in the platform during the onboarding process, and will be continuously monitored for any changes to rules made via the Azure Portal.

  • Inbound Rules: Source for Inbound Rules will be mapped to Inbound Paths in the corresponding Template
  • Outbound Rules: The Destination for Outbound Rules will be mapped to Outbound Paths in the corresponding Template
  • Service Tags: Any Service Tags in NSG Rules will be mapped to the corresponding Named Network (see [below](./azure-resources#

Application Security Groups -> Xshield Segments

In Azure, Application Security Groups (ASGs) represent a set of assets (virtual machines, managed databases, VM scale sets, etc.) that can be used as targets in Network Security Group rules. During onboarding, Application Security Groups will be discovered automatically and imported into Xshield as Segments.

In Xshield, Assets will be automatically associated with the newly-created Segments using the "Application Security Group" custom core tag.

Service Tags -> Xshield Named Networks

Service Tags in Azure are managed sets of IPv4 / IPv6 address prefixes representing specific Azure Services. Network Security Group rules in the Azure Portal can be configured to use Service Tags as a source or a target.

During onboarding, Service Tags that are used in NSG rules will be discovered and imported into Xshield as Named Networks, and will be associated with the corresponding Template Rule.

Some Service Tags have special handling in the Xshield platform:

  • Internet: This Service Tag will be associated with the default "Internet (Public)" Named Network in the platform.
  • VirtualNetwork: This Service Tag will be automatically populated with the set of known VirtualNetwork and network peer prefixes.
  • AzureLoadBalancer: This Service Tag will be configured with the well-known IP address 168.63.129.16.
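To make the three mappings above (NSG rules to Template paths, ASGs to Segments, Service Tags to Named Networks) concrete, here is an added illustration in Python; it is not Xshield's own Cloud Connector code. It takes rules in the shape of Azure NSG securityRules properties and produces the Template path each would become; the sample rules, the VNet prefixes, the ASG resource id and the output field names are constructed for this example.

```python
import ipaddress
from typing import Dict, List

# Service Tags with special handling (see the list above); VirtualNetwork is
# resolved from the caller's known VNet/peer prefixes instead of a fixed list.
NAMED_NETWORK_FOR_TAG = {"Internet": "Internet (Public)"}        # default Named Network
FIXED_TAG_PREFIXES = {"AzureLoadBalancer": ["168.63.129.16/32"]}  # well-known address

def is_prefix(value: str) -> bool:
    """True for '*' or an IP/CIDR literal; anything else is treated as a Service Tag."""
    if value == "*":
        return True
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def nsg_rule_to_path(rule: dict, vnet_prefixes: List[str]) -> dict:
    """Inbound rules contribute their source, outbound rules their destination;
    an ASG reference becomes a Segment and a Service Tag a Named Network."""
    direction = rule["direction"]
    side = {"Inbound": "source", "Outbound": "destination"}[direction]
    asgs = rule.get(f"{side}ApplicationSecurityGroups", [])
    peer = rule.get(f"{side}AddressPrefix")
    path = {"path": direction.lower(), "access": rule["access"]}
    if asgs:  # the ASG resource id ends in the ASG name, which names the Segment
        path["segments"] = [a["id"].rsplit("/", 1)[-1] for a in asgs]
    elif is_prefix(peer):
        path["prefixes"] = [peer]
    else:  # Service Tag -> Named Network
        path["named_network"] = NAMED_NETWORK_FOR_TAG.get(peer, peer)
        if peer == "VirtualNetwork":
            path["prefixes"] = sorted(vnet_prefixes)
        else:  # other tags: prefixes come from Azure's published Service Tag data (None here)
            path["prefixes"] = FIXED_TAG_PREFIXES.get(peer)
    return path

def map_nsg(rules: List[dict], vnet_prefixes: List[str]) -> Dict[str, dict]:
    """Map every rule of one NSG; returns rule name -> Template path."""
    return {r["name"]: nsg_rule_to_path(r, vnet_prefixes) for r in rules}

# Constructed sample rules in the shape of Azure NSG securityRules properties.
ASG_ID = "/subscriptions/<sub-id>/resourceGroups/rg/providers/Microsoft.Network/applicationSecurityGroups/asg-backend"
SAMPLE_RULES = [
    {"name": "AllowProbe", "direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "AzureLoadBalancer"},
    {"name": "AllowVnet", "direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "VirtualNetwork"},
    {"name": "WebToBackend", "direction": "Outbound", "access": "Allow",
     "destinationApplicationSecurityGroups": [{"id": ASG_ID}]},
    {"name": "DenyInternet", "direction": "Outbound", "access": "Deny", "destinationAddressPrefix": "Internet"},
]
SAMPLE_VNET_PREFIXES = ["10.0.0.0/16", "10.1.0.0/16"]  # constructed VNet + peer ranges
```

Calling `map_nsg(SAMPLE_RULES, SAMPLE_VNET_PREFIXES)` shows the probe rule resolving to 168.63.129.16/32, the VirtualNetwork rule carrying the two VNet prefixes, the ASG rule pointing at the "asg-backend" Segment, and the Internet rule mapped to the "Internet (Public)" Named Network.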