NSX Cloud leverages the Managed Service Identity (MSI) feature of Microsoft Azure to manage authentication while keeping your Microsoft credentials secure.

For NSX Cloud to operate in your Microsoft Azure subscription, you need to generate MSI roles for CSM and PCG and a Service Principal for NSX Cloud.

This is achieved by running the NSX Cloud PowerShell script, which also takes two JSON files as inputs. When you run the PowerShell script with the required parameters, the following constructs are created:

  • an Azure AD application for NSX Cloud.

  • an Azure Resource Manager Service Principal for the NSX Cloud application.

  • a role for CSM attached to the Service Principal account.

  • a role for PCG to enable it to work on your public cloud inventory.

Note:

Slow responses from Microsoft Azure can cause the script to fail the first time you run it. If the script fails, run it again.

Prerequisites

  • You must have PowerShell 5.0+ with AzureRM Module installed.

  • You must be the owner of the Microsoft Azure subscription for which you want to run the script to generate the NSX Cloud Service Principal.

Procedure

  1. On a Windows desktop or server, download the ZIP file named CreateNSXCloudCredentials.zip from the NSX-T Data Center Download page > Drivers & Tools > NSX Cloud Scripts > Microsoft Azure.

  2. Extract the following contents of the ZIP file in your Windows system:

    • CreateNSXRoles.ps1: The PowerShell script that generates the NSX Cloud Service Principal and the MSI roles for CSM and PCG.

    • nsx_csm_role.json: Contains the CSM role name and the permissions for that role in Microsoft Azure. This file is an input to the PowerShell script and must be in the same folder as the script.

    • nsx_pcg_role.json: Contains the PCG role name and the permissions for that role in Microsoft Azure. This file is an input to the PowerShell script and must be in the same folder as the script. The default PCG (Gateway) Role Name is nsx-pcg-role.

    Note:

    If you are creating roles for multiple subscriptions in your Microsoft Azure Active Directory, you must change the CSM and PCG role names for each subscription in the respective JSON files and rerun the script.

  3. Run the script with your Microsoft Azure Subscription ID as a parameter. The parameter name is subscriptionId.

    For example,

    .\CreateNSXRoles.ps1 -subscriptionId <your_subscription_ID> 

    This creates a Service Principal for NSX Cloud, a role with appropriate privileges for CSM and PCG, and attaches the CSM and PCG roles to the NSX Cloud Service Principal.

  4. Look for a file in the same directory where you ran the PowerShell script. It is named like: NSXCloud_ServicePrincipal_<your_subscription_ID>_<NSX_Cloud_Service_Principal_name>. This file contains the information you need to add your Microsoft Azure subscription in CSM:

    • Client ID

    • Client Key

    • Tenant ID

    • Subscription ID

    Note:

    Refer to the JSON files that are used to create the CSM and PCG roles for a list of permissions available to them after the roles are created.
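    The following PowerShell snippet is an added example, not part of the NSX Cloud script package or of VMware's documentation. After CreateNSXRoles.ps1 has completed, it uses AzureRM cmdlets (the module the prerequisites require) to confirm that the constructs listed above actually exist in the subscription, prints the permissions of the CSM and PCG role definitions so they can be reviewed against the JSON inputs, flags any role assignment on the NSX Cloud Service Principal beyond those two roles, and restricts the NTFS ACL on the generated credential file, since it contains the Client Key. The NSX Cloud application display name and the CSM role name are not stated on this page and are passed in as placeholders; the PCG role name defaults to nsx-pcg-role as documented.

```powershell
# Added verification example (not from the NSX Cloud package). Run from the folder
# in which CreateNSXRoles.ps1 was executed. Requires the AzureRM module.
param(
    [Parameter(Mandatory = $true)] [string] $SubscriptionId,
    # Placeholders: neither value is stated on the documentation page.
    [string] $NsxCloudAppDisplayName = '<NSX_Cloud_Service_Principal_name>',
    [string] $CsmRoleName = '<CSM_role_name_from_nsx_csm_role.json>',
    # Default PCG (Gateway) role name from the documentation.
    [string] $PcgRoleName = 'nsx-pcg-role'
)

Import-Module AzureRM -ErrorAction Stop

# Work in the same subscription the script was run against.
$ctx = Get-AzureRmContext
if (-not $ctx.Account) { Connect-AzureRmAccount | Out-Null }
Select-AzureRmSubscription -SubscriptionId $SubscriptionId | Out-Null

$problems = @()

# 1. Azure AD application and its Resource Manager Service Principal.
$app = Get-AzureRmADApplication -DisplayNameStartWith $NsxCloudAppDisplayName
if (-not $app) { $problems += "Azure AD application '$NsxCloudAppDisplayName' not found" }

$sp = Get-AzureRmADServicePrincipal -SearchString $NsxCloudAppDisplayName
if (-not $sp) { $problems += "Service Principal for '$NsxCloudAppDisplayName' not found" }

# 2. Custom role definitions for CSM and PCG, with their effective permissions.
foreach ($roleName in @($CsmRoleName, $PcgRoleName)) {
    $role = Get-AzureRmRoleDefinition -Name $roleName
    if (-not $role) {
        $problems += "Role definition '$roleName' not found"
        continue
    }
    Write-Host "Role '$roleName' actions (compare with the JSON input):"
    $role.Actions | ForEach-Object { Write-Host "  $_" }
    # A custom role assignable outside this subscription deserves a second look.
    $role.AssignableScopes | Where-Object { $_ -notmatch $SubscriptionId } |
        ForEach-Object { $problems += "Role '$roleName' is assignable at unexpected scope $_" }
}

# 3. Role assignments on the NSX Cloud Service Principal.
if ($sp) {
    $assignments = Get-AzureRmRoleAssignment -ObjectId $sp.Id
    if (-not ($assignments | Where-Object { $_.RoleDefinitionName -eq $CsmRoleName })) {
        $problems += "CSM role '$CsmRoleName' is not assigned to the NSX Cloud Service Principal"
    }
    # Anything other than the CSM and PCG roles is more privilege than the procedure creates.
    $assignments | Where-Object { $_.RoleDefinitionName -notin @($CsmRoleName, $PcgRoleName) } |
        ForEach-Object { $problems += "Unexpected assignment '$($_.RoleDefinitionName)' at $($_.Scope)" }
}

# 4. The output file holds the Client Key: limit read access to the current user.
$credFile = Get-ChildItem -Path . -Filter "NSXCloud_ServicePrincipal_${SubscriptionId}_*" |
    Select-Object -First 1
if ($credFile) {
    icacls $credFile.FullName /inheritance:r /grant:r "${env:USERNAME}:(R)" | Out-Null
    Write-Host "Restricted ACL on $($credFile.Name); copy its values into CSM and keep the file out of shared locations."
} else {
    $problems += "Credential file NSXCloud_ServicePrincipal_${SubscriptionId}_* not found in $(Get-Location)"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "All NSX Cloud constructs for subscription $SubscriptionId verified."
```

    Run it as .\Verify-NSXCloudRoles.ps1 -subscriptionId <your_subscription_ID> -NsxCloudAppDisplayName <name> -CsmRoleName <name>. A non-zero exit code with warnings means one of the documented constructs is missing or the Service Principal carries an assignment the procedure did not create; the printed role actions are what CSM and PCG will be able to do in the subscription, so they are the place to check least privilege before adding the subscription in CSM.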

What to do next

Add your Microsoft Azure Subscription in CSM