Introduction
Are you interested in our Azure Canaries, or already have them deployed but have some questions? This page sketches out the way that we ship Azure Canaries to you. In comparison to AWS and GCP, Azure has a little more complexity for sharing virtual machine images, but we've worked hard to make this as painless as we know how.
You can easily exchange any of your current birds for an Azure one if you don't have spare licenses, or simply purchase a few more.
First steps
Getting access to Azure Canaries in your Canary Console is straightforward. Simply contact Support (hint: use the green "?" on this page), and send us your Azure Tenant ID plus the regions in which you want to run Azure Canaries. That's it, we'll do the rest. Go on, do it now.
You can find your Azure Tenant ID quickly by heading here or heading over to your Azure Portal, and browsing to Microsoft Entra ID, clicking Overview, and copying the Tenant ID:
We need your Tenant ID to share an image gallery with your Azure account.
Apps and Shared Image Galleries
The basic idea for shipping Azure Canaries is that we create a custom Virtual Machine Image for your organisation, residing in a Thinkst Azure account. We then share it with your Azure account, in the regions you choose.
We follow Microsoft's standard approach for sharing Images across tenants.
This means creating the VM Image, placing it in a Shared Image Gallery replicated into the regions you want, registering a new App, giving the App access to the Shared Image Gallery, creating credentials on the App, and sharing the credentials with you. This lets you (as the Canary customer) obtain access tokens to the Canary App which by extension give you access to the VM Image. You'll also authorise the Canary App to read your email address.
Fortunately we hide most of this from you. You'll need to perform a once-off App authorisation step, and thereafter we help you with a short wizard that generates the commands you need to run to launch VMs inside your own Tenant and Subscriptions.
Launching VMs
If you've already sent us your Tenant ID and we've enabled Azure for you, head over to How do I launch an Azure Cloud Canary.
Like other Cloud Canaries, a registered, but offline, Cloud Canary will still occupy a license. If you've terminated a bird inside of Azure, don't forget to decommission it on your Canary Console too.
Resource Groups
The new VM will be launched into a Resource Group in your Azure Tenant. If the Resource Group does not yet exist, then our deployment wizard will help you with the necessary commands, and you can ignore the rest of this section.
However, if you want to launch into a Resource Group which already exists, then you'll need to ensure that the Canary App has been granted the Contributor role on the Resource Group before running our deployment commands. This is described in more detail in the Azure documentation (search for "Assign a Role"), but here's the steps you'll need to take:
1. Make sure you've authorised the Canary App, using the link in the first step of the deployment wizard.
2. Sign into the Azure Portal and browse to the Resource Groups.
3. Select the existing Resource Group you want to launch the Azure Canary into, and then select Access control (IAM). Under Add select Add role assignment
4. Under Role, select Contributor and click next.
5. Under Assign access to:, leave this as Azure AD user, group, or service principal. Click on Select Members, Search for Thinkstcanary, Select the ThinkstCanary App you've authorised in step 1 by clicking on it and click Select. Click Review + Assign
6. Review the changes to make sure the ThinkstCanary App has been assigned the Contributor role and Click Review + Assign once more.
At this point the Resource Group is now accessible to the Canary App for launching VMs.
Limitations
The Azure Portal web interface does not support viewing or deploying cross-tenant images. Instead, you need to use the CLI.
For most folks this isn't a problem as they rely on the Azure CLI in any case.