Canaries aren’t limited to hardware devices; you can also deploy them directly within your Azure Cloud environment. This allows you to monitor your infrastructure using the same Console that manages the rest of your Canary fleet.
Keep in mind:
Like other Cloud Canaries, a registered but offline Azure Canary still consumes a licence. If you’ve terminated a Canary in Azure, remember also to decommission it from your Console.
If you have multiple subscription IDs, you may need to manually select the correct subscription if it’s not the default. Click here to jump to the steps.
For detailed information on permissions required to launch an Azure Cloud Canary, jump to our permissions guide.
Follow the steps below to create your Azure Cloud Canary:
Step 1: Sign in to your Console
You can log in to your Console.
Step 2: Add a new Canary
Click the + Add button and select Add New Canary.
Step 3: Choose Azure Canary
Click Add Azure Canary.
Step 4: Launch the deployment process
Click Launch.
Step 5: Enable the Canary app in Azure
Click Follow this link to enable the Canary App in your Azure Portal.
Step 6: Accept required permissions
Click Accept to accept the permissions.
Note:
- This step will only need to be run on your first Azure Canary.
- The Canary app is only required for deploying your Birds and can be removed from your tenant once complete.
Step 7: Continue setup after authorisation
After accepting the permissions, click Next.
Note:
- This step can be skipped if you would like to deploy to another tenant; a new authorisation link can be generated for that tenant in the next step.
Step 8: Enter deployment details
Add the details below and click Next.
- Add your Resource Group for the new VM.
- Enter your Subscription ID.
- Select Yes from the drop-down list.
- Change your VM's name.
- Select the region from the drop-down list.
Note:
- If you want to launch your Bird into an existing VNET/subnet, please click on "Specify existing Vnet/Subnet" and specify the VNet Name, VNet Resource Group, and the Subnet Name, and click on Next.
Deploying to a new Azure Tenant?
If you are deploying to a new Azure tenant, an authorisation link can be created by entering the new Tenant ID, then clicking on the hyperlink.
Step 9: Generate and copy the deployment script
Select the script option you would like to use, Bash or PowerShell, copy the script and click Done.
- Select Linux (Bash) if you opted to use Bash
- Select Windows (PowerShell) if you opted to use PowerShell
- Use the copy icon to copy the script to your clipboard
- Click Done
Step 10: Run the script in Azure CLI
On Azure, open the command line option you opted to use.
- Linux - Bash
- Windows - PowerShell
Note: We have opted to use Bash.
- Paste the script you copied in Step 9 and hit enter.
- The script will run and let you know once it has finished.
Step 11: Confirm the new Canary in your Console
On your Console, you should see a pop-up to confirm your new Canary.
Click Add Canary to commission it to your Console.
Step 12: Manage your Canary
Your Azure Canary will boot and connect back to your Console. You can set up your new Canary from within your Console using the remote management Guide found here.
Costs per Azure Canary Virtual Machine:
The Azure birds run on a B1S instance size, and depending on the region you run the Canary in, it would cost around $7 per month.
To check the price for your region, head over to this link here, select Virtual Machine, select the region and change the instance size to B1S, and you will be given the monthly costs.
Azure permissions
We've made the custom Azure role shown below available to make getting the minimum required permissions easy. The JSON role structure includes the optional permissions documented in the table a little further on in this guide.
Documentation on how to use this to create a custom role can be found here.
Permissions required for the end user running the deployment:
Note: You will need to replace the subscription scope with your preferred subscription ID.
{YOUR_SUBSCRIPTION_ID}
Permission Breakdown:
Below is a breakdown of each command you'll find in a Canary Azure deployment script, and the permission required for the Azure App.
Action | Permissions Required | Note |
Authorising Canary Application | None | Only needs a valid user in the Azure tenant. |
Access to Azure CLI | Microsoft.Storage/storageAccounts/write, Microsoft.Resources/subscriptions/resourcegroups/read, Microsoft.Storage/storageAccounts/read | Needed for the deployer to access the Azure CLI and run the script. |
az role assignment | Microsoft.Authorization/roleAssignments/write | Needed to assign contributor role to the deployment resource group. |
az account / az login | None | Used to switch accounts to the Canary App. |
Optional Permissions for the end user:
Action | Permissions Required | Note |
Create New Virtual Network | Microsoft.Resources/deployments/validate/action, Microsoft.Network/VirtualNetworks/write, Microsoft.Resources/deployments/write | Gives the user access to create Virtual networks. |
az group create | Microsoft.Resources/deployments/validate/action, Microsoft.Resources/deployments/write, Microsoft.Resources/subscriptions/resourcegroups/write | Only needed if resource group needs to be created at deployment. |
Permissions required by the service principal (Enterprise App):
Note:
- You'll need to replace the subscription and resource group scope with your intended deployment location.
{
  "properties": {
    "roleName": "CanaryDeployServicePrinciple",
    "description": "",
    "assignableScopes": [
      "/subscriptions/{YOUR_SUBSCRIPTION_ID}/resourceGroups/{YOUR_RESOURCE_GROUP}"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/virtualNetworks/write",
          "Microsoft.Resources/deployments/read",
          "Microsoft.Resources/deployments/write",
          "Microsoft.Network/networkInterfaces/read",
          "Microsoft.Network/networkInterfaces/write",
          "Microsoft.Compute/virtualMachines/read",
          "Microsoft.Compute/virtualMachines/write",
          "Microsoft.Resources/deployments/operationStatuses/read",
          "Microsoft.Network/virtualNetworks/subnets/join/action",
          "Microsoft.Network/networkInterfaces/join/action"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
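To check a role file before importing it, the following added example (not part of the original guide and not vendor code) audits a role in the JSON layout above against the action list on this page. The names `audit_role`, `PAGE_ACTIONS`, `RG_SCOPE` and `SAMPLE` are assumptions made for illustration, as is the rule that the scope must be exactly one resource group.

```python
import json
import re
from fnmatch import fnmatchcase

# Actions from the service principal role on this page, lower-cased for comparison.
PAGE_ACTIONS = {a.lower() for a in """
Microsoft.Network/virtualNetworks/read Microsoft.Network/virtualNetworks/write
Microsoft.Resources/deployments/read Microsoft.Resources/deployments/write
Microsoft.Network/networkInterfaces/read Microsoft.Network/networkInterfaces/write
Microsoft.Compute/virtualMachines/read Microsoft.Compute/virtualMachines/write
Microsoft.Resources/deployments/operationStatuses/read
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Network/networkInterfaces/join/action
""".split()}

# Assumed rule: one resource group under a GUID subscription ID, nothing broader.
RG_SCOPE = re.compile(r"^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}"
                      r"/resourceGroups/[^/{}]+$", re.IGNORECASE)

def audit_role(role_json):
    """Return a list of findings for a custom role in the JSON layout shown above."""
    props = json.loads(role_json)["properties"]
    findings = []
    for scope in props.get("assignableScopes", []):
        if "{" in scope:
            findings.append("placeholder not replaced: " + scope)
        elif not RG_SCOPE.match(scope):
            findings.append("scope is not a single resource group: " + scope)
    actions = {a for p in props.get("permissions", []) for a in p.get("actions", [])}
    for action in sorted(actions):
        if "*" in action:
            findings.append("wildcard action: " + action)
        elif action.lower() not in PAGE_ACTIONS:
            findings.append("action not in the documented list: " + action)
    # A documented action counts as present if any granted pattern covers it.
    have = [a.lower() for a in actions]
    missing = sorted(a for a in PAGE_ACTIONS
                     if not any(fnmatchcase(a, h) for h in have))
    return findings + ["documented action missing: " + a for a in missing]

# Constructed sample: subscription-wide scope, one wildcard, most of the list dropped.
SAMPLE = json.dumps({"properties": {
    "roleName": "CanaryDeployServicePrinciple",
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "permissions": [{"actions": ["Microsoft.Compute/*",
                                 "Microsoft.Network/virtualNetworks/read"]}]}})

if __name__ == "__main__":
    for finding in audit_role(SAMPLE):
        print(finding)
```

An empty list means the file matches the documented role and is scoped to one resource group; a role copied from this page with the `{YOUR_...}` placeholders still in place is reported as such.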
You're done!