Onboard Azure to CloudHiro cost optimization platform
Please read until the end before you start.
Automated onboarding process
To automate the process:
- Download this PowerShell script.
- In the Azure portal, open the Cloud Shell.
- Copy-paste the entire contents of the PowerShell script into the shell.
- Follow the guidelines inside.
- Once the onboarding script is done, follow the instructions at the end and use the parameters to register to CloudHiro.
- Move to the "Register to CloudHiro" section below.
Remarks
- The onboarding script supports only EA\MACC agreements.
- CSP (Cloud Solution Provider) agreements: you will need to ask the CSP to enable you to buy reservations on your own in your subscriptions. More details here
- Do not close the Cloud Shell until you have copied all the parameters given at the end of the onboarding script (Subscription id, resource group name, storage account name, container name, tenant id, application id) and downloaded the pem file (certificate) to your computer.
- If you do not have the required permissions, the onboarding process will notify you at the end and you will need to add those permissions manually.
Manual Onboarding process
Creating a service principal
The following guide shows how to set up your account so that Costi can access it in a secure manner. To do this, we will create a Service Principal for Costi.
- Use Azure CLI to set the active subscription. Run the following command: az account set --subscription ""
- Use Azure CLI to create the Service Principal. Run the following command: az ad sp create-for-rbac -n "Costi" --create-cert
- You should get a response similar to the one below:
Creating a role assignment under the scope of "/subscriptions/"
{
  "appId": "XXX",
  "displayName": "Costi",
  "fileWithCertAndPrivateKey": "/path/to/certificate/tmp123abc_v.pem",
  "name": "http://Costi",
  "password": "YYY",
  "tenant": "ZZZ"
}
- Please save the response. Some of its properties are needed later in the registration step.
Create billing export
There are two methods:
- A - Traditional - Billing export - You control what CloudHiro can see, but billing data is available for up to 3 months in the past.
- B - New method - Billing API - CloudHiro can access up to 12 months of billing data in the past.
Method A - Billing export
- There is an Azure guide for this.
- Create a storage account for Costi to be able to read from.
- Create billing exports at the highest level possible (billing account preferred) that will export CSV files to the storage account. Do not export at “Tenant management group” or any other management group; use the billing account level or the subscription level. A total of 6 exports should be created:
  - Daily export - month to date - it will run automatically each day.
    - Amortized cost (1)
    - Actual cost (2)
  - One-time export of each of the last 2 months before the current month - each one of them will run 1 time.
    - Previous month (e.g. if we are in July, this means June)
      - Amortized cost (3)
      - Actual cost (4)
    - 2 months ago (e.g. if we are in July, this means May)
      - Amortized cost (5)
      - Actual cost (6)
- Please note: The entire billing path must include two components:
  - The month of the export in the ‘YYYYMM’ format; this is usually the Azure default.
  - The string ‘amor’ in the path of the export that contains the amortized data, for example a directory or container that has the “amor” string in its name.
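
A check for the path convention above, as an added example that is not CloudHiro's own code: it classifies export blob paths by month and by the 'amor' marker and reports which of the six exports are absent. It assumes the month is the first YYYYMM-looking digit run in the path; the sample paths, container and directory names are constructed.

```python
import re
from collections import defaultdict

# Assumption of this example: the month is the first YYYYMM-looking digit run.
MONTH_RE = re.compile(r"(?<!\d)(20\d{2})(0[1-9]|1[0-2])")

def classify(path):
    """Return (month, kind) for one export blob path, or None if no month is found."""
    m = MONTH_RE.search(path)
    kind = "amortized" if "amor" in path.lower() else "actual"
    return (m.group(1) + m.group(2), kind) if m else None

def previous_months(current, count):
    """Return `count` months ending at `current` ('YYYYMM'), newest first."""
    year, month = int(current[:4]), int(current[4:])
    out = []
    for _ in range(count):
        out.append(f"{year:04d}{month:02d}")
        month -= 1
        if month == 0:
            year, month = year - 1, 12
    return out

def check_exports(paths, current_month):
    """Return (paths with no month, (month, kind) pairs that have no export)."""
    seen = defaultdict(set)
    no_month = []
    for p in paths:
        result = classify(p)
        if result is None:
            no_month.append(p)
        else:
            seen[result[0]].add(result[1])
    missing = [(m, k) for m in previous_months(current_month, 3)
               for k in ("amortized", "actual") if k not in seen[m]]
    return no_month, missing

# Constructed sample listing of the storage container (hypothetical names).
SAMPLE = [
    "billing/costi-amor-daily/20240701-20240731/part_0.csv",
    "billing/costi-actual-daily/20240701-20240731/part_0.csv",
    "billing/costi-amor-june/20240601-20240630/part_0.csv",
    "billing/costi-actual-june/20240601-20240630/part_0.csv",
    "billing/costi-amortized-may/20240501-20240531/part_0.csv",
    "billing/costi-actual-may/latest/part_0.csv",  # no month in the path
]

if __name__ == "__main__":
    print(check_exports(SAMPLE, "202407"))
```
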
Method B - Billing API:
- Grant the “Enrollment reader” permission to the service principal. Add it manually, or use the following script (it has not been tested).
Add role assignments
- You can use this script from the Azure CLI to quickly assign the role to all subscriptions.
- If you did not use the script, navigate to Subscriptions -> Access Control (IAM) -> Role Assignments. Add the following role assignments to the service principal:
  - Reader
  - Billing Reader
- For the storage accounts that hold all the billing exports:
  - Reader and Data Access
  - Storage Blob Data Reader
Add subscription and permissions for Auto-RI management
Auto-RI is our automated Reservation Management.
- Create a new subscription for our purchases. If you already have a subscription for purchases, you can use that one.
- Grant Reservations Administrator at the tenant level. For Azure’s manual on how to add permissions at the tenant level, use this link.
- Grant Reservations Purchaser on the subscription you have created above.
- Grant Reservations Reader at the tenant level to see all reservations purchased.
- Please note:
  - Auto-RI requires the billing export from the previous section (method A or B).
  - If you are working through a Cloud Solution Provider (CSP), you will need to ask the CSP to enable you to buy reservations on your own in your subscriptions. More details here
Add Log analytics permissions guide
- After creating the service principal, go to the app registration of the service principal created → API permissions → Add a permission → APIs my organization uses → Log Analytics API → add the Data.Read permission.
Configure Billing Export & Azure-RI in CloudHiro
- Log in to your CloudHiro account.
- Go to System -> Settings and update the four fields required for Bill CSV Location and the Azure RIs Subscription ID field. Update all at once. If you do not have a subscription ID, you can simply use 123 as a placeholder.
Register to CloudHiro
- Register here. Please note: If you are using a reseller, either use the reseller-provided link to register or add “?partner=[reseller-name]” to the end of the URL above. If you did not, our support can re-allocate your account to your reseller later on.
- You will need the following values from the previously saved response to complete the registration form:
  - Client ID - “appId”
  - Certificate - “fileWithCertAndPrivateKey”
  - Tenant Id - “tenant”
- After registering to CloudHiro, confirm the email you got and log in.
- In CloudHiro, go to System -> Settings (or press this link) and update the following fields. In the "Azure RI's subscription ID - Read / Purchase RI's" field, please enter the subscription ID where you have granted the permissions to buy reservations.
- Press "Update".
That’s it!
We are done setting up. You can now ask your partner for a tour of CloudHiro and the CloudHiro visualizer.
​
Required permissions summary for CloudHiro's service principal
Permission | Scope | Reason |
---|---|---|
Storage Blob Data Reader | Storage Account that holds the billing exports | The ability to list all blobs in that storage account (Billing - Method A - billing exports) |
Enrollment reader | Billing Account | Ability to read billing data from API (Billing - Method B - API) |
Reader | Subscriptions | The ability to list and get all resources and their properties. |
Monitoring Reader | Subscriptions | The ability to view metrics and see the usage of log analytics. |
Reader and Data Access | Storage Account that holds the billing exports | The ability to view the blobs' content. |
Log analytics API | App registration | Reach log analytics API and show how much each resource is sending to log analytics workspaces. |
Reservations Administrator | Tenant | The ability to view and manage the reservations at the Tenant level, so all reservations will be visible to CloudHiro. The ability to manage RIs correctly by splitting, exchanging, refunding, etc. |
Reservations Purchaser | Purchasing Subscription | The ability to calculate the cost of the reservation and to purchase the reservation in that billing subscription. |
Reservations Reader | Tenant | The ability to see all reservations. |
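
One way to compare what the service principal actually holds against this table, as an added example (not CloudHiro's code): it takes role assignments in the shape of `az role assignment list -o json` output, using only the `roleDefinitionName` and `scope` fields, and reports roles that are missing or that go beyond the list. The scope classification, the subscription, resource group and storage account names, and the sample data are assumptions of the example; Billing Reader is included because the role assignment step asks for it.

```python
# RBAC roles this page asks for, keyed by the kind of scope they belong at.
# "Enrollment reader" and the Log Analytics API permission are not RBAC role
# assignments, so they are not checked here.
EXPECTED = {
    ("Reader", "subscription"),
    ("Billing Reader", "subscription"),
    ("Monitoring Reader", "subscription"),
    ("Reservations Purchaser", "subscription"),
    ("Storage Blob Data Reader", "storage-account"),
    ("Reader and Data Access", "storage-account"),
    ("Reservations Administrator", "tenant-reservations"),
    ("Reservations Reader", "tenant-reservations"),
}

def scope_kind(scope):
    """Classify an ARM scope string by the level it points at."""
    parts = [p for p in scope.lower().split("/") if p]
    if parts == ["providers", "microsoft.capacity"]:
        return "tenant-reservations"
    if len(parts) == 2 and parts[0] == "subscriptions":
        return "subscription"
    if len(parts) == 8 and parts[5:7] == ["microsoft.storage", "storageaccounts"]:
        return "storage-account"
    return "other"  # management groups, resource groups, single resources, ...

def audit(assignments):
    """Return (missing, unexpected) as sorted (role, scope kind) pairs."""
    granted = {(a["roleDefinitionName"], scope_kind(a["scope"])) for a in assignments}
    return sorted(EXPECTED - granted), sorted(granted - EXPECTED)

# Constructed sample; all identifiers below are hypothetical.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SA = SUB + "/resourceGroups/rg-billing/providers/Microsoft.Storage/storageAccounts/costiexports"
SAMPLE = [{"roleDefinitionName": role, "scope": scope} for role, scope in [
    ("Reader", SUB),
    ("Billing Reader", SUB),
    ("Monitoring Reader", SUB),
    ("Contributor", SUB),  # broader than anything in the table
    ("Reservations Purchaser", SUB),
    ("Storage Blob Data Reader", SA),
    ("Reader and Data Access", SA),
    ("Reservations Administrator", "/providers/Microsoft.Capacity"),
    ("Reader", "/providers/Microsoft.Management/managementGroups/mg-root"),
]]

if __name__ == "__main__":
    missing, unexpected = audit(SAMPLE)
    print("missing:", missing, "unexpected:", unexpected)
```
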