
Cloud Connector Overview

⚠️ WARNING: THIS FEATURE IS AVAILABLE FROM THE 25.3.2 RELEASE

The Xshield Cloud Connector is a cloud-native micro-segmentation service that gives you visibility into your cloud environment and enforces security policies in it without deploying any agents. Because it is agentless, it works through the cloud provider's own APIs and network controls rather than software on the workloads, so organizations can apply policy and gain insight into their cloud infrastructure without touching the resources themselves.

Supported Cloud Providers

Cloud Provider | Support Status   | Notes
Azure          | ✅ Supported     | Available from the 25.3.2 release
AWS            | ❌ Not Supported | Future roadmap item
GCP            | ❌ Not Supported | Future roadmap item

Current Capabilities

The Cloud Connector currently supports Azure environments and provides:

  • Near-real-time visibility into supported Azure resources
  • Network traffic flow analysis using Azure flow logs
  • Telemetry data collection for security analytics
  • Policy enforcement using Azure Network Security Groups (NSGs)
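To make the flow-log capability concrete, the following is an added illustration, not Xshield code, of the data the connector's traffic analysis consumes. It parses a virtual network flow log record as written to the Storage Account and summarizes, per rule, which destination ports were allowed or denied and how many bytes moved. The sample record, the rule names, the IP addresses and the resource IDs are constructed; the tuple layout (13 comma-separated fields, flow state D for a denied flow) is assumed to follow the VNet flow log format version 4.

```python
"""Parse Azure VNet flow log records and summarize allowed/denied flows.

Added example, not Xshield or Microsoft code. Assumes the VNet flow log
(flowLogVersion 4) tuple layout:
  time_ms,src_ip,dst_ip,src_port,dst_port,protocol,direction,state,
  encryption,pkts_src_dst,bytes_src_dst,pkts_dst_src,bytes_dst_src
"""
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample record: one outbound allow rule, one inbound deny rule.
SAMPLE_RECORD = json.dumps({
    "records": [{
        "time": "2025-03-01T10:00:00.000Z",
        "flowLogVersion": 4,
        "category": "FlowLogFlowEvent",
        "targetResourceID": "/subscriptions/example-sub/resourceGroups/rg-example"
                            "/providers/Microsoft.Network/virtualNetworks/vnet-example",
        "flowRecords": {"flows": [{
            "aclID": "example-acl-id",
            "flowGroups": [
                {"rule": "AllowWebOutBound",          # hypothetical rule name
                 "flowTuples": [
                     "1740823200000,10.0.0.6,52.239.184.180,23956,443,6,O,B,NX,0,0,0,0",
                     "1740823200600,10.0.0.6,52.239.184.180,23956,443,6,O,E,NX,3,767,2,1580",
                 ]},
                {"rule": "DenyAllInBound",            # hypothetical rule name
                 "flowTuples": [
                     "1740823201000,203.0.113.9,10.0.0.6,50211,3389,6,I,D,NX,0,0,0,0",
                     "1740823201500,203.0.113.9,10.0.0.6,50212,22,6,I,D,NX,0,0,0,0",
                 ]},
            ],
        }]},
    }]
})

PROTOCOLS = {"1": "ICMP", "6": "TCP", "17": "UDP"}


@dataclass(frozen=True)
class Flow:
    rule: str
    src: str
    dst: str
    src_port: int
    dst_port: int
    protocol: str
    direction: str   # "I" inbound, "O" outbound
    state: str       # B/C/E = begin/continue/end of an allowed flow, D = denied
    bytes_out: int   # bytes source -> destination
    bytes_in: int    # bytes destination -> source

    @property
    def denied(self) -> bool:
        return self.state == "D"


def _int(field: str) -> int:
    return int(field) if field else 0


def parse_tuple(rule: str, tup: str) -> Flow:
    f = tup.split(",")
    if len(f) != 13:
        raise ValueError(f"unexpected flow tuple arity {len(f)}: {tup!r}")
    return Flow(rule=rule, src=f[1], dst=f[2], src_port=int(f[3]), dst_port=int(f[4]),
                protocol=PROTOCOLS.get(f[5], f[5]), direction=f[6], state=f[7],
                bytes_out=_int(f[10]), bytes_in=_int(f[12]))


def parse_flow_log(text: str) -> list:
    flows = []
    for rec in json.loads(text)["records"]:
        for acl in rec["flowRecords"]["flows"]:
            for group in acl["flowGroups"]:
                for tup in group["flowTuples"]:
                    flows.append(parse_tuple(group["rule"], tup))
    return flows


def summarize(flows: list) -> dict:
    """Aggregate by (rule, direction, protocol, dst_port).

    'allowed' counts distinct 5-tuples (B/C/E events of one flow count once);
    'denied' counts deny events; 'bytes' sums both directions."""
    seen = defaultdict(set)
    summary = defaultdict(lambda: {"allowed": 0, "denied": 0, "bytes": 0})
    for fl in flows:
        key = (fl.rule, fl.direction, fl.protocol, fl.dst_port)
        entry = summary[key]
        if fl.denied:
            entry["denied"] += 1
        else:
            five = (fl.src, fl.dst, fl.src_port, fl.dst_port, fl.protocol)
            if five not in seen[key]:
                seen[key].add(five)
                entry["allowed"] += 1
        entry["bytes"] += fl.bytes_out + fl.bytes_in
    return dict(summary)


def denied_inbound_sources(flows: list) -> set:
    """Source addresses whose inbound connections were denied by any rule."""
    return {fl.src for fl in flows if fl.denied and fl.direction == "I"}


if __name__ == "__main__":
    parsed = parse_flow_log(SAMPLE_RECORD)
    for key, entry in sorted(summarize(parsed).items()):
        print(key, entry)
    print("denied inbound sources:", denied_inbound_sources(parsed))
```

The summary keyed by rule and destination port is the kind of evidence a policy author needs when turning observed traffic into NSG rules: the allowed outbound 443 flow carries real bytes, while the inbound 3389 and 22 attempts from a single external address are pure deny noise that no rule should ever open.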

Azure-Specific Information

Prerequisites

Before you can use the Cloud Connector with Azure, ensure you have:

  • An active Azure subscription with administrative access
  • The Azure Tenant ID of the tenant that owns the subscription
  • An Azure AD account with at least the Application Administrator role, used to grant the Xshield enterprise application (service principal) access during authentication setup
  • An Azure AD account with the Owner or Contributor role on the subscription you want to onboard, used to deploy the Cloud Connector permission template
  • An active Xshield account with access to the management portal

Supported Azure Resource Types

The following Azure resource types are currently supported for discovery, monitoring, and policy enforcement:

  • Virtual Machine - Individual Azure VMs
  • Virtual Machine Scale Set - Scalable VM groups
  • Azure Database for MySQL - Managed MySQL database service
  • Azure SQL Managed Instance - Managed SQL Server instance

Note: Support for additional Azure resource types and other cloud providers will be added in future releases.

Important Considerations

  • Azure Storage Costs: Flow log analysis requires read access to the Azure Storage Account that holds your VNet flow logs. The Cloud Connector is deployed in East US 2, Central India, Germany West Central and Australia East; if that storage account is in any other region, the connector reads the logs across regions and additional Azure data transfer costs may be incurred
  • NSG Management Scope: For Virtual Machines the connector manages resource-level NSGs; for Virtual Machine Scale Sets and Azure managed databases it manages subnet-level NSGs
  • Flow Log Dependency: Network traffic visualization requires flow logs to be enabled and accessible to the connector through the Azure Storage Account they are written to
  • Limited Resource Types: Only the four Azure resource types listed above are currently supported (additional types are planned for future releases)

Azure Services Used

The Cloud Connector uses these Azure services:

  • Azure Active Directory: Authentication and authorization of the Xshield enterprise application
  • Azure Resource Manager: Resource discovery and management
  • Azure Network Security Groups: Policy enforcement
  • Azure Storage Accounts: Reading flow logs (optional; required only for network traffic analysis)
  • Azure Flow Logs: Network traffic analysis

Getting Started

To begin using the Cloud Connector with your Azure environment:

  • Onboarding Guide - Complete step-by-step setup instructions for Azure integration