Description: Canaries aren't just hardware devices. You can run Canaries inside your Azure Cloud infrastructure, using the same Console as the rest of your Canary fleet.
Note: Like other Cloud Canaries, a registered but offline Cloud Canary will still occupy a licence. If you've terminated a bird on Azure, don't forget to decommission it on your Canary Console too (see the guide on decommissioning a Canary).
For further reading on the permissions required to launch an Azure Cloud Canary, see the "Azure permissions" section at the end of this guide.
Note: If you have multiple subscription IDs, you'll need to target the subscription manually if it isn't the default; see Step 10 for the extra line the script needs.
Follow the steps below to create your Azure Cloud Canary:
Step 1:
Log in to your Console.
Step 2:
Click the + icon and click Add New Canary.
Step 3:
Click Add Azure Canary.
Step 4:
Click Launch.
Step 5:
Click Follow this link to enable the Canary App in your Azure Portal.
Step 6:
Click Accept to accept the permissions.
Note: This step only needs to be run for your first Azure Canary.
Note: The Canary app is only required for deploying your Birds and can be removed from your tenant once deployment is complete.
Step 7:
After accepting the permissions, click Next.
This step can be skipped if you would like to deploy to another tenant; a new authorisation link can be generated in Step 8 (see the note below).
Step 8:
Add the below details and click Next.
- Add your Resource Group for the new VM.
- Enter your Subscription ID.
- Select Yes from the drop-down list.
- Change your VM's name.
- Select the region from the drop-down list.
Note: If you want to launch your Bird into an existing VNet/subnet, click "Specify existing Vnet/Subnet", fill in the VNet Name, VNet Resource Group and Subnet Name, and click Next.
Note: Deploying to a new Azure tenant?
If you are deploying to a new Azure tenant, an authorisation link can be created by entering the new Tenant ID and then clicking the hyperlink.
Step 9:
Select the script option you would like to use, Bash or PowerShell, copy the script and click Done.
- Select Linux (Bash) if you opted to use Bash.
- Select Windows (PowerShell) if you opted to use PowerShell.
- Use the copy icon to copy the script to your clipboard.
- Click Done.
Step 10:
In Azure, open the command-line shell you opted to use:
- Linux: Bash
- Windows: PowerShell
Note: We have opted to use Bash.
Note: If you have multiple subscriptions, you'll need to edit the script so that it specifies the subscription ID or name explicitly. Insert the line below immediately after the line `az account get-access-token`, replacing XXXXX with your subscription ID or name:
`az account set --subscription XXXXX`
- Paste the script you copied in Step 9 and press Enter.
- The script will run and let you know once it has finished.
Step 11:
On your Console you should see a pop-up to confirm your new Canary.
Click Add Canary.
Step 12:
Your Azure Canary will boot and connect back to your Console.
You can set up your new Canary from within your Console using remote management (see the remote management guide).
You're done! ;-)
Costs per Azure Canary Virtual Machine:
Azure permissions:
We've made the custom Azure role below available to make granting the minimum required permissions easy. The JSON role definition includes the optional permissions documented in the tables a little further on in this guide.
Documentation on how to use this JSON to create a custom role can be found in Microsoft's Azure documentation.
Note: You'll need to replace the placeholder in "assignableScopes" with your subscription ID.
{
  "properties": {
    "roleName": "AzureCustomDeploymentPermisions",
    "description": "",
    "assignableScopes": [
      "/subscriptions/<YOUR SUBSCRIPTION ID HERE>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Storage/storageAccounts/write",
          "Microsoft.Authorization/roleAssignments/write",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Storage/storageAccounts/read",
          "Microsoft.Resources/subscriptions/resourceGroups/write",
          "Microsoft.Resources/deployments/validate/action",
          "Microsoft.Network/virtualNetworks/write",
          "Microsoft.Resources/deployments/write"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
Permission Breakdown
Below is a breakdown of each command you'll find in a Canary Azure deployment script and the permission it requires.
| Action | Permissions Required | Note |
| --- | --- | --- |
| Authorising Canary Application | None | Only needs a valid user in the Azure tenant. |
| Access to Azure CLI | Microsoft.Storage/storageAccounts/write, Microsoft.Resources/subscriptions/resourcegroups/read, Microsoft.Storage/storageAccounts/read | Needed for the deployer to access the Azure CLI and run the script. |
| az role assignment | Microsoft.Authorization/roleAssignments/write | Needed to assign the Contributor role on the deployment resource group. |
| az account / az login | None | Used to switch accounts to the Canary App. |
Optional Permissions
| Action | Permissions Required | Note |
| --- | --- | --- |
| Create New Virtual Network | Microsoft.Resources/deployments/validate/action, Microsoft.Network/VirtualNetworks/write, Microsoft.Resources/deployments/write | Gives the user access to create Virtual Networks. |
| az group create | Microsoft.Resources/deployments/validate/action, Microsoft.Resources/deployments/write, Microsoft.Resources/subscriptions/resourcegroups/write | Only needed if the resource group has to be created at deployment time. |
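Before you run the custom role JSON above through `az role definition create`, it is worth checking that the placeholder scope was actually replaced, that no wildcard or data-plane permission crept in while editing, and that the action list still matches the two tables. The following checker is an added example (not Canary's own tooling) that encodes those tables; the `GUIDE_ROLE` input is constructed here with the placeholder left in place, and the subscription-ID format check assumes the usual GUID form.

```python
import json
import re

# Actions from the guide's permission tables (core and optional). Azure matches
# action strings case-insensitively, so the comparisons below are lower-cased.
REQUIRED_ACTIONS = [
    "Microsoft.Storage/storageAccounts/write", "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Authorization/roleAssignments/write",
]
OPTIONAL_ACTIONS = [
    "Microsoft.Resources/deployments/validate/action", "Microsoft.Resources/deployments/write",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Resources/subscriptions/resourceGroups/write",
]
# A usable scope is /subscriptions/<GUID>; the guide's placeholder will not match.
SUBSCRIPTION_SCOPE = re.compile(
    r"^/subscriptions/[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed input: the guide's role definition with the placeholder left in.
GUIDE_ROLE = json.dumps({"properties": {
    "roleName": "AzureCustomDeploymentPermisions", "description": "",
    "assignableScopes": ["/subscriptions/<YOUR SUBSCRIPTION ID HERE>"],
    "permissions": [{"actions": REQUIRED_ACTIONS + OPTIONAL_ACTIONS, "notActions": [],
                     "dataActions": [], "notDataActions": []}]}})


def check_role_definition(role_json):
    """Return the problems found in a custom role definition; [] means it passes."""
    props = json.loads(role_json)["properties"]
    problems = []
    scopes = props.get("assignableScopes", [])
    if len(scopes) != 1:
        problems.append("role should be assignable to exactly one subscription")
    for scope in scopes:
        if not SUBSCRIPTION_SCOPE.match(scope):
            problems.append("scope is not a subscription ID: " + scope)
    granted = set()
    for perm in props.get("permissions", []):
        for action in perm.get("actions", []):
            if "*" in action:
                problems.append("wildcard action grants more than needed: " + action)
            granted.add(action.lower())
        if perm.get("dataActions"):
            problems.append("data-plane actions are not needed for deployment")
    required = {a.lower() for a in REQUIRED_ACTIONS}
    known = required | {a.lower() for a in OPTIONAL_ACTIONS}
    problems += ["missing required action: " + a for a in sorted(required - granted)]
    problems += ["unexpected action, review it: " + a for a in sorted(granted - known)]
    return problems
```

Run `check_role_definition` over the JSON you are about to load; an empty list means the role is scoped to one real subscription and grants exactly the actions the tables describe.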