For NSX Cloud to operate in your subscription, create a Service Principal to grant the required permissions, and roles for CSM and PCG based on the Microsoft Azure feature for managing identities for Azure Resources.

Note: If you already added an AWS account to CSM, update the MTU in NSX Manager > Fabric > Profiles > Uplink Profiles > PCG-Uplink-HostSwitch-Profile to 1500 before adding the Microsoft Azure account. This can also be done using the NSX Manager REST APIs.

Overview:

  • Your Microsoft Azure subscription contains one or more VNets that you want to bring under NSX-T Data Center management. The VNet might be in Transit mode or Compute mode. Transit VNet is one in which you deploy the PCG. You can link other VNets to the Transit VNet and onboard workload VMs hosted in them. The VNets linked to the Transit VNet are called Compute VNets.
  • NSX Cloud provides a PowerShell script to generate the Service Principal and roles that use the managed identity feature of Microsoft Azure to manage authentication while keeping your Microsoft Azure credentials secure. You can also include multiple subscriptions under one Service Principal using this script.
  • You have the option of reusing the Service Principal for all your subscriptions, or to create new Service Principals as required. There is an additional script if you want to create separate Service Principals for additional subscriptions.
  • For multiple subscriptions, whether you are using a single Service Principal for all, or multiple Service Principals, you must update the JSON files for the CSM and PCG roles to add each additional subscription name under the section AssignableScopes.
  • If you already have an NSX Cloud Service Principal in your VNet, you can update it by running the scripts again and leaving out the Service Principal name from the parameters.
  • The Service Principal name must be unique for your Microsoft Azure Active Directory. You may use the same Service Principal in different subscriptions under the same Active Directory domain, or different Service Principals per subscription. But you cannot create two Service Principals with the same name.
  • You must either be the owner of or have permissions to create and assign roles in all the Microsoft Azure subscriptions.
  • The following scenarios are supported:
    • Scenario 1: You have a single Microsoft Azure Subscription that you want to enable with NSX Cloud.
    • Scenario 2: You have multiple Microsoft Azure Subscriptions under the same Microsoft Azure Directory, that you want to enable with NSX Cloud, but want to use one NSX Cloud Service Principal across all your subscriptions.
    • Scenario 3: You have multiple Microsoft Azure Subscriptions under the same Microsoft Azure Directory, that you want to enable with NSX Cloud, but want to use different NSX Cloud Service Principal names for different subscriptions.

Here is an outline of the process:

  1. Use the NSX Cloud PowerShell script to:
    • Create a Service Principal account for NSX Cloud.
    • Create a role for CSM.
    • Create a role for PCG.
  2. (Optional) Create Service Principals for other subscriptions you want to link.
  3. Add the Microsoft Azure subscription in CSM.
    Note: If using multiple subscriptions, whether using the same or different Service Principals, you must add each subscription separately in CSM.