Knowledge Base

Register existing Azure Resources
Topic: Cloudspaces
Related: Register Existing Networks, Allocate a Cloudspace, Network Time Protocol (NTP) in a Cloudspace, Delete my AWS Cloudspace, Cloudspace Security

Use this article to register existing Azure resources to CONS3RT

Azure Info to Collect

Collect the following information from yoru Azure subscription to configure the CONS3RT connection.

Subscription Info

  • Azure Environment (AzureCloud or AzureUSGovernment)
  • Tenant ID
  • Subscription ID

Service Principal

The service prinicipal is the account credential that CONS3RT uses to connect to the Azure API. Collect:

  • Service Principal / App Registration Object ID (e.g. 22222222-2222-2222-2222-222222222222)
  • Secret Key

Virtual Network Info

CONS3RT uses a virtual network, and two or more subnets to deploy virtual machines in to. The subnet specified as the “cons3rt-net” will be used for provisioning, asset installation, container deployment, and remote access. The subnet specified as the “primary-net” will be setup as the initial default route for CONS3RT-deployed VMs. Any number of additional networks can be registered after the fact.

  • Location / Region (e.g. usgovvirginia)
  • Resource Group Name
  • Virtual Network Name
  • Name of the subnet to be used as the “cons3rt-net”
  • Name of the subnet to be used as the “primary-net” (the intitial default route)

Access Point

The access point is the source IP address that traffic flowing from the “cons3rt-net” subnet appears to CONS3RT.

  • Access Point IP address

Tagging NAT Virtual Machines

CONS3RT uses NAT virtual machines to handle traffic flowing between CONS3RT and Azure virtual machines in the virtual network. In order to let CONS3RT know which NAT VM handles traffic for which subnets, apply the cons3rt_nat tag to each NAT VM, and set the value of the tag to the name of the subnet that it is NAT’ing.

For example:

  • Traffic from subnet my-awesome-net flows through NAT VM nat-vm0
  • Apply tag cons3rt_nat: my-awesome-net to nat-vm0

Note: The access point above is most likely the public IP of the NAT virtual machine for the cons3rt-net

Storage Account

CONS3RT requires access to storage account in the same resource group as the virtual network for OS image sharing, cloud init scripts, and debug logs. If a storage account does not exist, create one in the same resource group. Only storage blobs are needed in the storage account. Optionally add the tag virtualization_realm : Cloudspace-Name, replacing the “Cloudspace-Name” with the actual cloudspace name requested below.

For collection to submit in the registration request, include:

  • Storage Account name

Ports and Protocols

Virtual machines deployed by CONS3RT communicate back to the CONS3RT infrastructure to perform asset installations, health checks, and container deployments. Traffic originating from the “cons3rt-net” subnet needs to be allowed to reach the CONS3RT infrastructure IP address at the following protocols and ports:

  • TCP port 4443
  • TCP port 6443
  • TCP port 7443
  • TCP port 8443

Remote Access

To enable CONS3RT remote access to your virtual Azure resources, take the following additional steps:

  • Allow TCP/9443 traffic originating from the CONS3RT infrastructure IP address to the “cons3rt-net” NAT virtual machine security group
  • NAT TCP/9443 traffic from the CONS3RT infrastructure IP address to an available private IP address on the “cons3rt-net” subnet (e.g. x.x.x.250). This will be the Remote Access IP Address.
  • For the network security group attached to the “cons3rt-net” subnet, allow:
    • TCP/9443 (remote access) from the “cons3rt-net” NAT virtual machine
    • TCP/22 (SSH), TCP/5902 (VNC), and TCP/3389 (RDP) from the Remote Access IP Address

For collection to submit in the registration request, include:

  • Remote Access IP Address (private IP address from the previous steps)

Submit a Request

Decide on a “Cloudspace Name” that will appear in CONS3RT to represent your Azure resources.

Once the info is collected and the steps have been performed, send a request to support@cons3rt.com with the following info:

* Desired Cloudspace Name: 
* Azure Environment: 
* Tenant ID: 
* Subscription ID: 
* Service Principal Object ID: 
* Secret Key: 
* Location/Region: 
* Resource Group Name: 
* Virtual Network Name: 
* cons3rt-net Subnet name: 
* primary-net Subnet name: 
* Access Point IP address: 
* Storage Account Name: 
* Remote Access IP address (if using remote access):

The CONS3RT community team will register your existing Azure resources to CONS3RT!

Additional Networks

Once the registration is complete, you can register as many additional subnets in the virtual network to CONS3RT. Once the subnets are registered, they can be attached to virtual machines deployed from CONS3RT.