Skip to main content

Search

How do I create an Azure Cloud Canary?

  • Updated

Description: Canaries aren't just hardware devices. You can run Canaries inside your Azure Cloud infrastructure, using the same Console as the rest of your Canary fleet.

Note: Like other Cloud Canaries, a registered, but offline, Cloud Canary will still occupy a license. If you've terminated a bird on Azure, don't forget to decommission it on your Canary Console too. See guide here to decommission a Canary.

For further reading on the permissions required to launch an Azure Cloud Canary, click here.

Follow the steps below to create your Azure Cloud Canary:

Step 1:

Log in to your Console.

mceclip1.png

Step 2:

Click the + icon and click Add Canary.

__-_Add_Canary.png

Step 3:

Click Add Azure Canary.

Add_Azure.png

 

Step 4:

Click Launch.

mceclip0.png

Step 5:

Click Follow this link to enable the Canary App in your Azure Portal.

Azure_-_Link_Next.png

Step 6:

Click Accept to accept the permissions.

Note: this step will only need to be run on your first Azure Canary.

Note: The Canary app is only required for deploying your Birds and can be removed from your tenant once complete.

Permissions___Accept.png 

Permission___ACcept_-_Done.png

Step 7:

After accepting the permissions, click Next

This step can be skipped if you would like to deploy to another tenant, where a new link can be generated in the next step here.

Azure_-_Next_.png

Step 8:

Add the below details and click Next.

  1. Add your Resource Group for the new VM
  2. Select Yes from the drop down list
  3. Change your VM's name
  4. Select the region from the drop down list
  5. Click Next

mceclip2.png

Note:

If you want to launch your Bird into an existing VNET/subnet, please click on "Specify existing Vnet/Subnet" and specify the VNet Name, VNet Resource Group, and the Subnet Name, and click on Next.

mceclip1.png

Note:

If you are deploying to a new Azure tenant an authorisation link can be created by entering the new Tenant ID, then clicking on the hyperlink.

mceclip4.png

Step 9:

Select the script option you would like to use, Bash or Powershell, copy the script and click Done.

  1. Select Linux (Bash) if you opted to use Bash
  2. Select Windows (Powershell) if you opted to use Powershell
  3. Use the copy icon to copy the script to your clipboard
  4. Click Done

mceclip3.png

Step 10:

On Azure, open the command line option you opted to use.

  • Linux - Bash
  • Windows - Powershell

Note: We have opted to use Bash.

AZURE_Bash_PowerShell.png

bash_-_1.png

  • Paste the script you copied in Step 9 and hit enter.

bash_-_2.png

  • The script will run and let you know once it has finished.

bash_-_3.png

Step 11:

On your Console you should see a pop-up to confirm your new Canary.

Click Add Canary.

Add_Canary_-_Azure.png

Step 12:

Your Azure Canary will boot and connect back to your Console.

You can setup your new Canary from within your Console using the remote management - Guide found here.

Azure_online.png

You're done! ;-)

Costs per Azure Canary Virtual Machine:

The Azure birds run on a B1LS instance size and depending on the region you run the Canary in, it would costs between $3 and $6 per month.
Simply head over to this link here, select Virtual Machine, select the region and change the instance size to B1LS and you will be given the monthly costs. (As seen below)
 
mceclip0.png

Azure permissions:

We've made the below custom Azure role available to make getting the minimum required permissions easy. The JSON role structure includes the optional permissions documented in the table a little further on in this guide.

Documentation on how to use this to create a custom role can be found here.

Note: You'll need to replace the subscription scope with your preferred subscription ID.

{
    "properties": {
        "roleName": "AzureCustomDeploymentPermisions",
        "description": "",
        "assignableScopes": [
            "/subscriptions/<YOUR SUBSCRIPTION ID HERE>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Storage/storageAccounts/write",
                    "Microsoft.Authorization/roleAssignments/write",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/write",
                    "Microsoft.Resources/deployments/validate/action",
                    "Microsoft.Network/virtualNetworks/write",
                    "Microsoft.Resources/deployments/write"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Permission Breakdown

Below is a breakdown of each command you'll find in a Canary Azure deployment script, and the permission required.

Action Permissions Required Note
Authorising Canary Application None Only needs a valid user in the Azure tenant.
Access to Azure CLI

Microsoft.Storage/storageAccounts/write

Microsoft.Resources/subscriptions/resourcegroups/read

Microsoft.Storage/storageAccounts/read

 Needed for the deployer to access the Azure CLI and run the script.
az role assignment Microsoft.Authorization/roleAssignments/write Needed to assign contributor role to the deployment resource group.
az account / az login None Used to switch accounts to the Canary App.

Optional Permissions

Action Permissions Required Note
Create New Virtual Network

Microsoft.Resources/deployments/validate/action

Microsoft.Network/VirtualNetworks/write

Microsoft.Resources/deployments/write

 Gives the user access to create Virtual networks.
az group create

Microsoft.Resources/deployments/validate/action

Microsoft.Resources/deployments/write

Microsoft.Resources/subscriptions/resourcegroups/write

 Only needed if resource group needs to be created at deployment.
Was this article helpful?
4 out of 5 found this helpful
Return to top