Description: Canaries aren't just hardware devices. You can run Canaries inside your Azure Cloud infrastructure, using the same Console as the rest of your Canary fleet.

Note: Like other Cloud Canaries, a registered, but offline, Cloud Canary will still occupy a license. If you've terminated a bird on Azure, don't forget to decommission it on your Canary Console too. See guide here to decommission a Canary.

For further reading on the permissions required to launch an Azure Cloud Canary, click here.

Note: If you have multiple subscription ID's, you'll need to manually the target subscription if it's not the default, click here to jump to the steps.

Follow the steps below to create your Azure Cloud Canary:

Step 1:

Step 2:

Click the + icon and click Add Canary.

Step 3:

Click Add Azure Canary.

Step 4:

Click Launch.

Step 5:

Click Follow this link to enable the Canary App in your Azure Portal.

Step 6:

Click Accept to accept the permissions.

Note: this step will only need to be run on your first Azure Canary.

Note: The Canary app is only required for deploying your Birds and can be removed from your tenant once complete.

Step 7:

After accepting the permissions, click Next

This step can be skipped if you would like to deploy to another tenant, where a new link can be generated in the next step here.

Step 8:

Add the below details and click Next.

Add your Resource Group for the new VM
Select Yes from the drop down list
Change your VM's name
Select the region from the drop down list
Click Next

Note:

If you want to launch your Bird into an existing VNET/subnet, please click on "Specify existing Vnet/Subnet" and specify the VNet Name, VNet Resource Group, and the Subnet Name, and click on Next.

Note:

If you are deploying to a new Azure tenant an authorisation link can be created by entering the new Tenant ID, then clicking on the hyperlink.

Step 9:

Select the script option you would like to use, Bash or Powershell, copy the script and click Done.

Select Linux (Bash) if you opted to use Bash
Select Windows (Powershell) if you opted to use Powershell
Use the copy icon to copy the script to your clipboard
Click Done

Step 10:

On Azure, open the command line option you opted to use.

Linux - Bash
Windows - Powershell

Note: We have opted to use Bash.

Note: If you have multiple subscriptions, you'll want to tweak the script to manually specify the subscription ID / name.

Insert the below line immediately after the line `az account get-access-token`:

az account set --subscription XXXXX

Paste the script you copied in Step 9 and hit enter.

The script will run and let you know once it has finished.

Step 11:

On your Console you should see a pop-up to confirm your new Canary.

Click Add Canary.

Step 12:

Your Azure Canary will boot and connect back to your Console.

You can setup your new Canary from within your Console using the remote management - Guide found here.

You're done! ;-)

Costs per Azure Canary Virtual Machine:

The Azure birds run on a B1S instance size and depending on the region you run the Canary in, it would costs around 7$ per month.

Simply head over to this link here, select Virtual Machine, select the region and change the instance size to B1S and you will be given the monthly costs. (As seen below)

Azure permissions:

We've made the below custom Azure role available to make getting the minimum required permissions easy. The JSON role structure includes the optional permissions documented in the table a little further on in this guide.

Documentation on how to use this to create a custom role can be found here.

Note: You'll need to replace the subscription scope with your preferred subscription ID.

{
    "properties": {
        "roleName": "AzureCustomDeploymentPermisions",
        "description": "",
        "assignableScopes": [
            "/subscriptions/<YOUR SUBSCRIPTION ID HERE>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Storage/storageAccounts/write",
                    "Microsoft.Authorization/roleAssignments/write",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/write",
                    "Microsoft.Resources/deployments/validate/action",
                    "Microsoft.Network/virtualNetworks/write",
                    "Microsoft.Resources/deployments/write"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Permission Breakdown

Below is a breakdown of each command you'll find in a Canary Azure deployment script, and the permission required.

Action	Permissions Required	Note
Authorising Canary Application	None	Only needs a valid user in the Azure tenant.
Access to Azure CLI	Microsoft.Storage/storageAccounts/write Microsoft.Resources/subscriptions/resourcegroups/read Microsoft.Storage/storageAccounts/read	Needed for the deployer to access the Azure CLI and run the script.
az role assignment	Microsoft.Authorization/roleAssignments/write	Needed to assign contributor role to the deployment resource group.
az account / az login	None	Used to switch accounts to the Canary App.

Optional Permissions

Action

Permissions Required

Note

Create New Virtual Network

Microsoft.Resources/deployments/validate/action

Microsoft.Network/VirtualNetworks/write

Microsoft.Resources/deployments/write

Gives the user access to create Virtual networks.

az group create

Microsoft.Resources/deployments/validate/action

Microsoft.Resources/deployments/write

Microsoft.Resources/subscriptions/resourcegroups/write

Only needed if resource group needs to be created at deployment.

Search

How do I create an Azure Cloud Canary?

Step 1:

Step 2:

Step 3:

Step 4:

Step 5:

Step 6:

Step 7:

Step 8:

Note:

Note:

Step 9:

Step 10:

Step 11:

Step 12:

You're done! ;-)

Costs per Azure Canary Virtual Machine:

Azure permissions: