This article explains how to configure MSI authentication on NSX Advanced Load Balancer for Microsoft Azure.

Managed services identity-based authentication for Microsoft Azure provides an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.

Microsoft Azure supports the following two types of managed identity:

  • System-assigned managed identity

  • User-assigned managed identity

System-assigned Managed Identity

This feature is enabled directly on an Azure service instance. When the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that is trusted by the subscription of the instance. After the identity is created, the credentials are provisioned onto the instance. The lifecycle of a system-assigned identity is directly tied to the Azure service instance that it is enabled on. If the instance is deleted, Azure automatically cleans up the credentials and the identity in Azure AD.

User-assigned Managed Identity

This feature is created as a standalone Azure resource. During creation, Azure creates an identity in the Azure AD tenant that is trusted by the subscription in use. After the identity is created, it can be assigned to one or more Azure service instances. The lifecycle of a user-assigned identity is managed separately from the lifecycle of the Azure service instances to which it is assigned.

NSX Advanced Load Balancer release 18.1.4 supports managed services identity (MSI) authentication for Microsoft Azure. NSX Advanced Load Balancer only supports system-assigned managed identity.
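The following added example (not part of the original article or the product) audits which identity types are enabled on a set of Azure VMs, since only the system-assigned type is supported here. It assumes the Controller runs as an Azure VM and that the input has the shape of `az vm list -o json`; the VM names, IDs and the `audit` and `identity_kinds` helpers are constructed for illustration.

```python
import json

# Constructed sample shaped like `az vm list -o json`, trimmed to the fields
# used here. VM names, GUIDs and resource IDs are placeholders.
UAI = ("/subscriptions/<sub>/resourceGroups/<rg>/providers/"
       "Microsoft.ManagedIdentity/userAssignedIdentities/shared-id")
SAMPLE_VMS = json.loads("""
[
 {"name": "controller-a", "identity": {"type": "SystemAssigned",
   "principalId": "00000000-0000-0000-0000-000000000001"}},
 {"name": "controller-b", "identity": {"type": "UserAssigned",
   "userAssignedIdentities": {"%(uai)s": {}}}},
 {"name": "controller-c", "identity": {"type": "SystemAssigned, UserAssigned",
   "principalId": "00000000-0000-0000-0000-000000000003",
   "userAssignedIdentities": {"%(uai)s": {}}}},
 {"name": "controller-d", "identity": null}
]
""" % {"uai": UAI})


def identity_kinds(vm):
    """Return the managed identity kinds on a VM record, lower-cased."""
    identity = vm.get("identity") or {}
    raw = identity.get("type") or "None"      # Azure reports "None" when disabled
    kinds = {part.strip().lower() for part in raw.split(",")}
    kinds.discard("none")
    return kinds


def audit(vms):
    """Map each VM name to a list of findings; an empty list means no issue."""
    report = {}
    for vm in vms:
        identity = vm.get("identity") or {}
        kinds = identity_kinds(vm)
        findings = []
        if "systemassigned" not in kinds:
            findings.append("no system-assigned identity: MSI authentication unavailable")
        if "userassigned" in kinds:
            # Standalone resource: it and its role assignments outlive the VM.
            ids = sorted(identity.get("userAssignedIdentities") or {})
            findings.append("user-assigned identity attached (unsupported, "
                            "survives VM deletion): " + ", ".join(ids))
        report[vm["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_VMS).items():
        print(name, "OK" if not findings else findings)
```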

The configuration of MSI for NSX Advanced Load Balancer consists of the following sections:

  • Configuring Microsoft Azure for MSI authentication

  • Configuring NSX Advanced Load Balancer to support MSI authentication