NSX Cloud provides PowerShell scripts that help you generate the required service principal and roles for one or multiple subscriptions.
Prerequisites
- You must have PowerShell 5.0+ with the AzureRM module installed. If you have the new Azure PowerShell Az module, you must run the Enable-AzureRmAlias command to ensure that the AzureRM cmdlets for NSX Cloud run successfully.
- You must either be the owner of or have permissions to create and assign roles in all the Microsoft Azure subscriptions.
Note: The response time from Microsoft Azure can cause the script to fail when you run it the first time. If the script fails, try running it again.
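The prerequisites above can be verified before you run the NSX Cloud scripts. The following preflight check is an added example, not part of the NSX Cloud scripts. The subscription IDs are constructed placeholders, and the check assumes you are signed in as a user whose permission to create and assign roles comes from the built-in Owner or User Access Administrator role.

```powershell
# Added preflight example; not part of the NSX Cloud scripts.
# Constructed placeholder subscription IDs: replace with your own.
$SubscriptionIds = @(
    '00000000-0000-0000-0000-000000000001',
    '00000000-0000-0000-0000-000000000002'
)

# Prerequisite: PowerShell 5.0 or later.
if ($PSVersionTable.PSVersion.Major -lt 5) {
    throw "PowerShell 5.0+ is required; found $($PSVersionTable.PSVersion)."
}

# Prerequisite: AzureRM cmdlets must resolve, natively or through Az aliases.
if (Get-Module -ListAvailable -Name AzureRM) {
    Import-Module AzureRM
} elseif (Get-Module -ListAvailable -Name Az.Accounts) {
    Import-Module Az.Accounts
    Enable-AzureRmAlias -Scope Process   # aliases apply to this session only
} else {
    throw 'Neither the AzureRM nor the Az module is installed.'
}

$account = (Get-AzureRmContext).Account
if (-not $account) { throw 'Sign in first with Connect-AzureRmAccount.' }

# Assumption: only these built-in roles are checked. A custom role that grants
# role-management permissions is not detected by this script.
$adminRoles = 'Owner', 'User Access Administrator'

$report = foreach ($id in $SubscriptionIds) {
    $scope = "/subscriptions/$id"
    Set-AzureRmContext -SubscriptionId $id | Out-Null
    # Include assignments inherited through group membership, then drop any
    # that cover only a resource group or resource inside the subscription.
    $hits = Get-AzureRmRoleAssignment -SignInName $account.Id -ExpandPrincipalGroups |
        Where-Object { $adminRoles -contains $_.RoleDefinitionName -and
                       $_.Scope -notlike "$scope/*" }
    [pscustomobject]@{
        SubscriptionId = $id
        Roles          = ($hits.RoleDefinitionName | Sort-Object -Unique) -join ', '
        Ready          = [bool]$hits
    }
}

$report | Format-Table -AutoSize
if ($report.Ready -contains $false) {
    Write-Warning 'At least one subscription lacks Owner or User Access Administrator.'
}
```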
Procedure
Results
The following constructs are created:
- an Azure AD application for NSX Cloud.
- an Azure Resource Manager Service Principal for the NSX Cloud application.
- a role for CSM attached to the Service Principal account.
- a role for PCG to enable it to work on your public cloud inventory.
- a file named like NSXCloud_ServicePrincipal_<your_subscription_ID>_<NSX_Cloud_Service_Principal_name> is created in the same directory where you ran the PowerShell script. This file contains the information required to add your Microsoft Azure subscription in CSM.
Note: Refer to the JSON files that are used to create the CSM and PCG roles for a list of permissions available to them after the roles are created.
What to do next
Add your Microsoft Azure Subscription in CSM
Note: When enabling NSX Cloud for multiple subscriptions, you must add each separate subscription to CSM individually. For example, if you have five total subscriptions, you must add five Microsoft Azure accounts in CSM with all other values the same but different subscription IDs.