Are you interested in our Azure Canaries or already have them deployed but have some questions? This page sketches out how we ship Azure Canaries to you. In comparison to AWS and GCP, Azure has a little more complexity for sharing virtual machine images, but we've worked hard to make this as painless as we can.
You can easily exchange any of your current birds for an Azure one if you don't have spare licenses, or simply purchase a few more.
Step 1: Locate your Azure Tenant ID
Getting access to Azure Canaries in your Canary Console is straightforward. Simply contact Support (hint: use the green "?" on this page), and send us your Azure Tenant ID plus the regions in which you want to run Azure Canaries. That's it, we'll do the rest. Go on, do it now.
You can find your Azure Tenant ID quickly by heading here, or by opening your Azure Portal, browsing to Microsoft Entra ID, clicking Overview, and copying the Tenant ID.
We need your Tenant ID to share an image gallery with your Azure account.
Step 2: Authorise the Canary App
The basic idea for shipping Azure Canaries is that we create a custom Virtual Machine Image for your organisation, residing in a Thinkst Azure account. We then share it with your Azure account, in the regions you choose.
We follow Microsoft's standard approach for sharing Images across tenants.
This means creating the VM Image, placing it in a Shared Image Gallery replicated into the regions you want, registering a new App, giving the App access to the Shared Image Gallery, creating credentials on the App, and sharing the credentials with you. This lets you (as the Canary customer) obtain access tokens to the Canary App, which by extension give you access to the VM Image. You'll also authorise the Canary App to read your email address.
Fortunately, we hide most of this from you. You'll need to perform a once-off App authorisation step, and thereafter, we help you with a short wizard that generates the commands you need to run to launch VMs inside your own Tenant and Subscriptions.
Step 3: Launching Azure Canaries
If you've already sent us your Tenant ID and we've enabled Azure for you, head over to How do I launch an Azure Cloud Canary.
Like other Cloud Canaries, a registered, but offline, Cloud Canary will still occupy a license. If you've terminated a bird inside of Azure, don't forget to decommission it on your Canary Console too.
Step 4: Configure Resource Groups
The new VM will be launched into a Resource Group in your Azure Tenant. If the Resource Group does not yet exist, then our deployment wizard will help you with the necessary commands, and you can ignore the rest of this section.
However, if you want to launch into a Resource Group that already exists, then you'll need to ensure that the Canary App has been granted the Contributor role on the Resource Group before running our deployment commands. This is described in more detail in the Azure documentation (search for "Assign a Role"), but here are the steps you'll need to take:
1. Authorise the Canary App
Make sure you've authorised the Canary App, using the link in the first step of the deployment wizard.
2. Open Resource Groups
Sign into the Azure Portal and browse to the Resource Groups.
3. Select the Target Resource Group
Click on the Resource Group where you want to launch the Azure Canary.
Then go to Access control (IAM).
Under Add, select Add role assignment.
4. Choose the Role
Under Role, select Contributor and click Next.
5. Assign Access to the Canary App
Under Assign access to:, leave it as Azure AD user, group, or service principal.
Click Select Members.
Search for ThinkstCanary.
Select the ThinkstCanary App you authorised in Step 1.
Click Select, then click Review + Assign.
6. Review and Confirm
Check that the ThinkstCanary App has been assigned the Contributor role.
Click Review + Assign again to confirm.
At this point, the Resource Group is now accessible to the Canary App for launching VMs.
Security Note:
The Enterprise Application (or its Contributor access) can be removed again once your Canary has been deployed - this is only needed for deployment.
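The same role assignment done from the Azure CLI, together with the check and removal the Security Note describes, as an added example that is not part of Thinkst's deployment wizard. It assumes the service principal's display name is ThinkstCanary (the name searched for in the portal steps) and that you are already logged in with az; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not Thinkst's deployment commands. Assumes the service
# principal's display name is "ThinkstCanary" and that `az login` has been
# run against the subscription holding the Resource Group.
APP_NAME="ThinkstCanary"

# Print the object ID of the Canary App's service principal. Refuses to
# continue unless exactly one principal matches the display name, so a
# similarly named app is never granted access by accident.
canary_sp_id() {
    _ids=$(az ad sp list --display-name "$APP_NAME" --query "[].id" -o tsv) || return 1
    _n=$(printf '%s\n' "$_ids" | grep -c . || true)
    if [ "$_n" -ne 1 ]; then
        echo "expected 1 service principal named $APP_NAME, found $_n" >&2
        return 1
    fi
    printf '%s\n' "$_ids"
}

# Print the full resource ID of an existing Resource Group (the role scope).
rg_scope() {
    az group show --name "$1" --query id -o tsv
}

# Portal steps 2-6: Contributor on this one Resource Group, nothing wider.
grant_canary_contributor() {
    _sp=$(canary_sp_id) || return 1
    _scope=$(rg_scope "$1") || return 1
    az role assignment create --assignee-object-id "$_sp" \
        --assignee-principal-type ServicePrincipal \
        --role Contributor --scope "$_scope" >/dev/null
}

# Exit 0 while the Canary App still holds Contributor on the group,
# 1 when it does not, 2 if the lookup itself failed.
canary_has_contributor() {
    _sp=$(canary_sp_id) || return 2
    _scope=$(rg_scope "$1") || return 2
    _hits=$(az role assignment list --assignee "$_sp" --role Contributor \
        --scope "$_scope" --query "[].id" -o tsv) || return 2
    [ -n "$_hits" ]
}

# Security Note cleanup: drop the grant once the Canary has been deployed.
revoke_canary_contributor() {
    _sp=$(canary_sp_id) || return 1
    _scope=$(rg_scope "$1") || return 1
    az role assignment delete --assignee "$_sp" --role Contributor --scope "$_scope"
}
```

Source the file, run `grant_canary_contributor <resource-group>` before the wizard's deployment commands, then `revoke_canary_contributor <resource-group>` once the Canary is up. `canary_has_contributor <resource-group>` should fail afterwards, confirming the grant is gone.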
Limitations
The Azure Portal web interface does not support viewing or deploying cross-tenant images. Instead, you need to use the CLI.
For most folks this isn't a problem as they rely on the Azure CLI in any case.
You're done!