Support for Managed Service Identity (MSI) based Authentication for Microsoft Azure

Overview

Managed service identity (MSI) based authentication for Microsoft Azure gives an Azure resource an automatically managed identity in Azure AD. The resource can use that identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials stored in its code or configuration. Microsoft Azure supports the following two types of managed identity:

  • System-assigned managed identity: This feature is enabled directly on an Azure service instance. When the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that’s trusted by the subscription of the instance. After the identity is created, the credentials are provisioned onto the instance. The lifecycle of a system-assigned identity is directly tied to the Azure service instance that it’s enabled on. If the instance is deleted, Azure automatically cleans up the credentials and the identity in Azure AD.

  • User-assigned managed identity: This feature is created as a standalone Azure resource. Through a create process, Azure creates an identity in the Azure AD tenant that’s trusted by the subscription in use. After the identity is created, the identity can be assigned to one or more Azure service instances. The lifecycle of a user-assigned identity is managed separately from the lifecycle of the Azure service instances to which it’s assigned.

Avi Vantage release 18.1.4 adds support for managed service identity (MSI) based authentication for Microsoft Azure. With MSI, the Avi Controller VM obtains its Azure access tokens through its own system-assigned identity, so no Azure AD application ID and secret need to be stored on the Controller as cloud credentials. This article explains how to configure MSI based authentication on Avi Vantage for Microsoft Azure.

Prerequisites

  • For the resource group in which the Avi Controller is deployed, the Contributor role or higher is required.
  • For the virtual network in which the Avi Service Engine instances are to be deployed, the custom AviController role or higher is required. For details on creating the AviController role, refer to the Role Setup for Installation into Microsoft Azure KB article.

These roles are assigned to the Controller VM's managed identity in the Configuration section below. Assign them at the narrowest scope that works (the Controller's resource group and the Service Engine virtual network) rather than at subscription level, so that a compromised Controller cannot reach Azure resources that Avi does not need.
Refer to the Avi Deployment Guide for Microsoft Azure for the complete list of prerequisites.

Configuration

This section covers the following:

  • Configuring Microsoft Azure for MSI authentication
  • Configuring Avi Vantage to support MSI authentication

Configuring Microsoft Azure

This section covers the following:

  • Enabling MSI authentication on the Avi Controller VM
  • Assigning the roles listed in the Prerequisites section to the Controller VM's identity

Enabling MSI Authentication

  1. Provision an Avi Controller virtual machine (VM) in Microsoft Azure. For information on deploying the Controller on Microsoft Azure, refer to the Avi Deployment Guide for Microsoft Azure.

  2. Log in to the Microsoft Azure Portal and navigate to Resource Groups.

  3. Select the Resource Group that contains the Controller VM.

  4. Select the Avi Controller VM from the list.

  5. Navigate to Identity (shown as Identity (Preview) in the portal at the time this article was written), and set the System Assigned status to On. Azure creates an identity for the Controller VM in the Azure AD tenant and provisions its credentials onto the VM; no secret is handed to you to store. Because the identity is system-assigned, it is deleted together with the VM, so the role assignments in the next section must be repeated if the Controller VM is ever re-created.

Assigning Role to Avi Controller VM

  1. Open the scope at which the role is to be assigned (the Controller's resource group for the Contributor role, or the Service Engine virtual network for the AviController role) and select Access control (IAM) from the menu on the left side. Azure role assignments take effect at the scope on which they are made, so an assignment made on the VM resource itself does not grant access to the resource group or the virtual network.

  2. Click Add to create a new role assignment.

  3. Select the role required for that scope, as listed in the Prerequisites section:
    • For the resource group where the Avi Controller is deployed, the Contributor role or higher.
    • For the virtual network where the Avi Service Engine instances are to be deployed, the AviController role or higher.

  4. In the Assign access to drop-down, select Virtual Machine, so that the assignee is the Controller VM's system-assigned identity rather than a user or a service principal.

  5. Ensure the proper subscription is selected in the Subscription drop-down.

  6. For Resource Group, select the resource group that contains the Controller VM so that the VM's identity is listed as the assignee, and click Save. Repeat from step 1 for the other scope if the Controller's resource group and the Service Engine virtual network need separate assignments.

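The portal steps above leave nothing visible on the Controller itself, so before configuring the cloud it is worth confirming from inside the VM that the identity is enabled and issuing tokens. The following script is an added example, not Avi Vantage code: it asks the Azure Instance Metadata Service (IMDS) for an Azure Resource Manager token and checks that the token was issued to the Controller VM's own system-assigned identity. The VM name avi-controller and the expected resource id are assumptions (the subscription and resource group are the ones used in the transcript that follows); the check_identity helper and the unsigned test token it uses offline are this example's own.

```python
"""Check the Avi Controller VM's managed identity via the Azure Instance Metadata
Service (IMDS). Added example, not Avi Vantage code; run it on the Controller VM,
since IMDS is link-local and unreachable from anywhere else."""
import base64
import json
import time
import urllib.parse
import urllib.request

# IMDS token endpoint and the Azure Resource Manager audience the Controller needs.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
ARM_RESOURCE = "https://management.azure.com/"

# Assumed values: subscription and resource group as in the cloud transcript,
# VM name is a placeholder. For a system-assigned identity the identity's
# resource id is the VM's own resource id.
EXPECTED_VM_ID = ("/subscriptions/0eebbbed-14c0-462e-99e0-dfec1d42e0c9"
                  "/resourceGroups/dev-resource-group"
                  "/providers/Microsoft.Compute/virtualMachines/avi-controller")


def fetch_imds_token(resource=ARM_RESOURCE, timeout=5):
    """Request an access token for `resource` from IMDS. The Metadata: true header
    is mandatory (IMDS rejects requests without it, which is what stops a plain
    SSRF from minting tokens) and the request must bypass any HTTP proxy."""
    query = urllib.parse.urlencode({"api-version": IMDS_API_VERSION, "resource": resource})
    req = urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    Fine for a local sanity check of a token IMDS just handed us; never use this
    to authorise anything."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_token(claims):
    """Build an unsigned (alg none) JWT from claims, solely so check_identity can
    be exercised offline. Real IMDS tokens are signed by Azure AD."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def check_identity(token, expected_vm_id=EXPECTED_VM_ID, resource=ARM_RESOURCE, now=None):
    """Return a list of problems with the token; an empty list means the VM's
    system-assigned identity is enabled and issuing tokens for `resource`."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    problems = []
    if claims.get("aud", "").rstrip("/") != resource.rstrip("/"):
        problems.append(f"audience {claims.get('aud')!r} is not {resource!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token has already expired")
    # xms_mirid carries the ARM id of the managed identity the token was issued to.
    # Azure lower-cases the resourcegroups segment, so compare case-insensitively.
    mirid = claims.get("xms_mirid", "")
    if mirid.lower() != expected_vm_id.lower():
        problems.append(f"token belongs to {mirid or '<no xms_mirid claim>'}, not {expected_vm_id}")
    if not claims.get("oid"):
        problems.append("no oid claim; role assignments cannot be matched to this identity")
    return problems


if __name__ == "__main__":
    try:
        resp = fetch_imds_token()
    except OSError as exc:  # URLError/HTTPError are OSError subclasses
        raise SystemExit(f"IMDS unreachable or identity not enabled: {exc}")
    token = resp["access_token"]
    print("identity oid:", jwt_claims(token).get("oid"))
    print("problems:", check_identity(token) or "none")
```

The oid printed is the object id of the Controller's identity; it is the principal that must appear in the role assignments on the resource group and the virtual network, which you can confirm in the portal's Access control (IAM) blade before running the cloud configuration below.
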
Configuring Avi Vantage

Log in to the Avi shell and use configure cloud <cloud name> to create (or edit) the Azure cloud. MSI authentication is selected by leaving cloud_credentials_ref unset: with no Azure AD application credentials attached to the cloud, the Controller obtains its Azure tokens through the VM's managed identity. The transcript below creates a new cloud named AZMSI; the subscription, resource group and virtual network must be the ones on which the roles were assigned in the previous section.


[admin:10-145-139-60]: > configure cloud AZMSI

[admin:10-145-139-60]: cloud> vtype cloud_azure
[admin:10-145-139-60]: cloud> azure_configuration
[admin:10-145-139-60]: cloud:azure_configuration> network_info
New object being created
[admin:10-145-139-60]: cloud:azure_configuration:network_info> se_network_id parikshit-subnet
[admin:10-145-139-60]: cloud:azure_configuration:network_info> virtual_network_id /subscriptions/0eebbbed-14c0-462e-99e0-dfec1d42e0c9/resourceGroups/AviUsers/providers/Microsoft.Network/virtualNetworks/avi-dev-vnet1
[admin:10-145-139-60]: cloud:azure_configuration:network_info> save
[admin:10-145-139-60]: cloud:azure_configuration> resource_group dev-resource-group
[admin:10-145-139-60]: cloud:azure_configuration> subscription_id 0eebbbed-14c0-462e-99e0-dfec1d42e0c9
[admin:10-145-139-60]: cloud:azure_configuration> location westus2
[admin:10-145-139-60]: cloud:azure_configuration> save
[admin:10-145-139-60]: cloud> save

Note:
To convert an existing Azure cloud that uses stored credentials to MSI authentication, remove the credentials reference with no cloud_credentials_ref. Do this only after the roles listed above have been assigned to the Controller VM's identity; otherwise the cloud loses access to Azure as soon as the credentials are removed.


[admin:10-145-139-60]: > configure cloud AzMSICloud
[admin:10-145-139-60]: cloud> azure_configuration
[admin:10-145-139-60]: cloud:azure_configuration> no cloud_credentials_ref
[admin:10-145-139-60]: cloud:azure_configuration> save
[admin:10-145-139-60]: cloud> save