Use this article to register existing Azure resources to CONS3RT
Azure Info to Collect
Collect the following information from your Azure subscription to configure the CONS3RT connection.
Subscription Info
- Azure Environment (AzureCloud or AzureUSGovernment)
- Tenant ID
- Subscription ID
Service Principal
The service principal is the credential that CONS3RT uses to authenticate to the Azure API. Collect:
- Service Principal / App Registration Object ID (e.g. 22222222-2222-2222-2222-222222222222). Note that this is the Object ID, not the Application (client) ID; the two are different GUIDs.
- Secret Key
Virtual Network Info
CONS3RT uses a virtual network and two or more subnets to deploy virtual machines into. The subnet specified as the “cons3rt-net” is used for provisioning, asset installation, container deployment, and remote access. The subnet specified as the “primary-net” is set up as the initial default route for CONS3RT-deployed VMs. Any number of additional networks can be registered after the fact.
- Location / Region (e.g. usgovvirginia)
- Resource Group Name
- Virtual Network Name
- Name of the subnet to be used as the “cons3rt-net”
- Name of the subnet to be used as the “primary-net” (the initial default route)
Access Point
The access point is the source IP address that traffic from the “cons3rt-net” subnet appears to come from when it reaches CONS3RT.
- Access Point IP address
Tagging NAT Virtual Machines
CONS3RT uses NAT virtual machines to handle traffic flowing between CONS3RT and Azure virtual machines in the virtual network. In order to let CONS3RT know which NAT VM handles traffic for which subnets, apply the cons3rt_nat tag to each NAT VM, and set the value of the tag to the name of the subnet that it is NAT’ing.
For example:
- Traffic from subnet my-awesome-net flows through NAT VM nat-vm0
- Apply tag cons3rt_nat: my-awesome-net to nat-vm0
Note: The access point above is most likely the public IP of the NAT virtual machine for the cons3rt-net
Storage Account
CONS3RT requires access to a storage account in the same resource group as the virtual network for OS image sharing, cloud-init scripts, and debug logs. If a storage account does not exist, create one in the same resource group. Only storage blobs are needed in the storage account. Optionally add the tag virtualization_realm : Cloudspace-Name, replacing “Cloudspace-Name” with the actual cloudspace name requested below.
For the registration request, collect:
- Storage Account name
Ports and Protocols
Virtual machines deployed by CONS3RT communicate back to the CONS3RT infrastructure to perform asset installations, health checks, and container deployments. Traffic originating from the “cons3rt-net” subnet needs to be allowed to reach the CONS3RT infrastructure IP address at the following protocols and ports:
- TCP port 4443
- TCP port 6443
- TCP port 7443
- TCP port 8443
Remote Access
To enable CONS3RT remote access to your virtual Azure resources, take the following additional steps:
- Allow TCP/9443 traffic originating from the CONS3RT infrastructure IP address to the “cons3rt-net” NAT virtual machine security group
- NAT TCP/9443 traffic from the CONS3RT infrastructure IP address to an available private IP address on the “cons3rt-net” subnet (e.g. x.x.x.250). This will be the Remote Access IP Address.
- For the network security group attached to the “cons3rt-net” subnet, allow:
  - TCP/9443 (remote access) from the “cons3rt-net” NAT virtual machine
  - TCP/22 (SSH), TCP/5902 (VNC), and TCP/3389 (RDP) from the Remote Access IP Address
For the registration request, collect:
- Remote Access IP Address (private IP address from the previous steps)
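The Azure-side steps above (tagging the NAT VM, opening TCP 4443/6443/7443/8443 from the “cons3rt-net” subnet to CONS3RT, and the remote-access rules on the NAT VM and “cons3rt-net” security groups) can be scripted with the Azure CLI. The script below is an added example and is not CONS3RT’s own tooling. The resource names, CIDR and IP addresses are placeholders to be overridden through environment variables; it assumes one NSG attached to the “cons3rt-net” subnet and a separate NSG attached to the NAT VM’s NIC, and that the NAT VM is Linux with iptables for the 9443 forwarding rule. By default it only prints the commands; set APPLY=1 to execute them against your subscription.

```shell
#!/usr/bin/env bash
# Added example (not part of the CONS3RT article): prepare the Azure NSG rules
# and NAT-VM tag the registration steps call for. Dry-run unless APPLY=1.
set -euo pipefail

# Placeholders (assumed names/addresses); override via the environment.
RG="${RG:-my-rg}"
CONS3RT_NET_NSG="${CONS3RT_NET_NSG:-cons3rt-net-nsg}"   # NSG on the cons3rt-net subnet
CONS3RT_NET_CIDR="${CONS3RT_NET_CIDR:-10.0.1.0/24}"    # cons3rt-net address space
NAT_VM="${NAT_VM:-nat-vm0}"
NAT_VM_NSG="${NAT_VM_NSG:-nat-vm0-nsg}"                 # NSG on the NAT VM's NIC
NAT_VM_PRIVATE_IP="${NAT_VM_PRIVATE_IP:-10.0.1.4}"
CONS3RT_IP="${CONS3RT_IP:-203.0.113.10}"                 # CONS3RT infrastructure IP
REMOTE_ACCESS_IP="${REMOTE_ACCESS_IP:-10.0.1.250}"       # free private IP on cons3rt-net

# Print the command in dry-run mode, execute it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Tag a NAT VM with the subnet it NATs for: cons3rt_nat: <subnet>
tag_nat_vm() {  # usage: tag_nat_vm <vm-name> <subnet-name>
  run az vm update --resource-group "$RG" --name "$1" --set "tags.cons3rt_nat=$2"
}

# Outbound from cons3rt-net to the CONS3RT infrastructure IP on the four ports.
allow_cons3rt_egress() {
  run az network nsg rule create --resource-group "$RG" --nsg-name "$CONS3RT_NET_NSG" \
    --name allow-cons3rt-egress --priority 100 --direction Outbound --access Allow \
    --protocol Tcp --source-address-prefixes "$CONS3RT_NET_CIDR" --source-port-ranges '*' \
    --destination-address-prefixes "$CONS3RT_IP" --destination-port-ranges 4443 6443 7443 8443
}

# Remote access: CONS3RT -> NAT VM on 9443, NAT VM -> Remote Access IP on 9443,
# and SSH/VNC/RDP from the Remote Access IP to the cons3rt-net VMs.
allow_remote_access() {
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NAT_VM_NSG" \
    --name allow-cons3rt-remote-access --priority 110 --direction Inbound --access Allow \
    --protocol Tcp --source-address-prefixes "$CONS3RT_IP" --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges 9443
  # Runs on the NAT VM itself (assumed Linux/iptables), so it is only printed here.
  echo "iptables -t nat -A PREROUTING -p tcp -s $CONS3RT_IP --dport 9443" \
       "-j DNAT --to-destination $REMOTE_ACCESS_IP:9443"
  run az network nsg rule create --resource-group "$RG" --nsg-name "$CONS3RT_NET_NSG" \
    --name allow-remote-access-from-nat --priority 120 --direction Inbound --access Allow \
    --protocol Tcp --source-address-prefixes "$NAT_VM_PRIVATE_IP" --source-port-ranges '*' \
    --destination-address-prefixes "$REMOTE_ACCESS_IP" --destination-port-ranges 9443
  run az network nsg rule create --resource-group "$RG" --nsg-name "$CONS3RT_NET_NSG" \
    --name allow-remote-access-sessions --priority 130 --direction Inbound --access Allow \
    --protocol Tcp --source-address-prefixes "$REMOTE_ACCESS_IP" --source-port-ranges '*' \
    --destination-address-prefixes "$CONS3RT_NET_CIDR" --destination-port-ranges 22 5902 3389
}

# Read the tag back so the value can be compared with the subnet name you submit.
show_nat_tag() {  # usage: show_nat_tag <vm-name>
  run az vm show --resource-group "$RG" --name "$1" --query tags.cons3rt_nat -o tsv
}

tag_nat_vm "$NAT_VM" cons3rt-net
allow_cons3rt_egress
allow_remote_access
show_nat_tag "$NAT_VM"
```

Review the printed commands first, then rerun with APPLY=1. The rules deliberately scope sources and destinations to the cons3rt-net prefix and the specific IPs named in the steps rather than using a blanket `*`, so only the listed ports are reachable and only from the hosts that need them.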
Submit a Request
Decide on a “Cloudspace Name” that will appear in CONS3RT to represent your Azure resources.
Once the info is collected and the steps have been performed, send a request to support@cons3rt.com with the following info:
* Desired Cloudspace Name:
* Azure Environment:
* Tenant ID:
* Subscription ID:
* Service Principal Object ID:
* Secret Key:
* Location/Region:
* Resource Group Name:
* Virtual Network Name:
* cons3rt-net Subnet name:
* primary-net Subnet name:
* Access Point IP address:
* Storage Account Name:
* Remote Access IP address (if using remote access):
The CONS3RT community team will register your existing Azure resources to CONS3RT!
Additional Networks
Once the registration is complete, you can register as many additional subnets in the virtual network as you need. Once the subnets are registered, they can be attached to virtual machines deployed from CONS3RT.
- See this article for registering additional networks