Heads up! Azure Canaries are currently in Beta.
Are you interested in our Azure Canaries, or already have them deployed but have some questions? This page sketches out the way that we ship Azure Canaries to you. In comparison to AWS and GCP, Azure has a little more complexity for sharing virtual machine images, but we've worked hard to make this as painless as we know how.
You can easily exchange any of your current birds for an Azure one if you don't have spare licenses, or simply purchase a few more.
Getting access to Azure Canaries in your Canary Console is straightforward. Simply contact Support (hint: use the green "?" on this page), and send us your Azure Tenant ID plus the regions in which you want to run Azure Canaries. That's it, we'll do the rest. Go on, do it now.
You can find your Azure Tenant ID by logging into the Azure Portal, browsing to "Azure Active Directory", clicking "Properties", and copying the "Directory ID", also known as the Tenant ID:
We need your Tenant ID to share an image gallery with your Azure account.
Apps and Shared Image Galleries
The basic idea for shipping Azure Canaries is that we create a custom Virtual Machine Image for your organisation, residing in a Thinkst Azure account. We then share it with your Azure account, in the regions you choose.
We follow Microsoft's standard approach for sharing Images across tenants.
This means creating the VM Image, placing it in a Shared Image Gallery replicated into the regions you want, registering a new App, giving the App access to the Shared Image Gallery, creating credentials on the App, and sharing the credentials with you. This lets you (as the Canary customer) obtain access tokens to the Canary App which by extension give you access to the VM Image. You'll also authorise the Canary App to read your email address.
It's a little convoluted, but... well..., Microsoft. Amirite?
Fortunately we hide most of this from you. You'll need to perform a once-off App authorisation step, and thereafter we help you with a short wizard that generates the commands you need to run to launch VMs inside your own Tenant and Subscriptions.
If you've already sent us your Tenant ID and we've enabled Azure for you, head over to How do I launch an Azure Cloud Canary.
Like other Cloud Canaries, a registered, but offline, Cloud Canary will still occupy a license. If you've terminated a bird inside of Azure, don't forget to decommission it on your Canary Console too.
The new VM will be launched into a Resource Group in your Azure Tenant. If the Resource Group does not yet exist, then our deployment wizard will help you with the necessary commands, and you can ignore the rest of this section.
However, if you want to launch into a Resource Group which already exists, then you'll need to ensure that the Canary App has been granted the Contributor role on the Resource Group before running our deployment commands. This is described in more detail in the Azure documentation (search for "give the app registration access to the resource group"), but here's the steps you'll need to take:
- Make sure you've authorised the Canary App, using the link in the first step of the deployment wizard.
- Sign into the Azure Portal and browse to the Resource Groups.
- Select the existing Resource Group you want to launch the Azure Canary into, and then select Access control (IAM). Under Add role assignment select Add.
- Under Role, type Contributor.
- Under Assign access to:, leave this as Azure AD user, group, or service principal.
- Under Select type ThinkstCanary. This will search for the App you've authorised then select it when it shows up in the list. When you are done, select Save.
At this point the Resource Group is now accessible to the Canary App for launching VMs.
The Azure Portal web interface does not support viewing or deploying cross-tenant images. Instead, you need to use the CLI.
For most folks this isn't a problem as they rely on the Azure CLI in any case.