NSX Cloud provides PowerShell scripts that help you generate the required service principal and roles for one or multiple subscriptions.

Prerequisites

  • You must have PowerShell 5.0+ with the AzureRM Module installed. If you have the new Azure Powershell Az module, you must run the Enable-AzureRmAlias command to ensure that the AzureRM cmdlets for NSX Cloud run successfully .
  • You must either be the owner of or have permissions to create and assign roles in all the Microsoft Azure subscriptions.
Note: The response time from Microsoft Azure can cause the script to fail when you run it the first time. If the script fails, try running it again.

Procedure

  1. On a Windows desktop or server, download the ZIP file named CreateNSXCloudCredentials.zip from the NSX-T Data Center Download page > Drivers & Tools > NSX Cloud Scripts > Microsoft Azure.

  2. Extract the following contents of the ZIP file in your Windows system:
    Script/File Description
    CreateNsxRoles.ps1 The PowerShell script to generate the NSX Cloud Service Principal and managed identity roles for CSM and PCG. This script takes the following parameters:
    • -subscriptionId <the Transit_VNet's_Azure_subscription_ID>
    • (optional) -servicePrincipalName <Service_Principal_Name>
    • (optional) -useOneServicePrincipal
    AddServicePrincipal.ps1 An optional script required if you want to add multiple subscriptions and assign different Service Principals to each subscription. See Scenario 3 in the following steps. This script takes the following parameters:
    • -computeSubscriptionId <the_Compute_VNet's_Azure_subscription_ID>
    • -transitSubscriptionId <the Transit_VNet's_Azure_Subscription_ID>
    • -csmRoleName <CSM_Role_Name>
    • -servicePrincipalName <Service_Principal_Name>
    nsx_csm_role.json A JSON template for the CSM role name and permissions. This file is required as an input to the PowerShell script and must be in the same folder as the script.
    nsx_pcg_role.json A JSON template for the PCG role name and permissions. This file is required as an input to the PowerShell script and must be in the same folder as the script.
    Note: The default PCG (Gateway) Role Name is nsx-pcg-role. You need to provide this value when adding your subscription in CSM.
  3. Scenario 1: You have a single Microsoft Azure Subscription that you want to enable with NSX Cloud.
    1. From a PowerShell instance, go to the directory where you downloaded the Microsoft Azure scripts and JSON files.
    2. Run the script named CreateNsxRoles.ps1 with the parameter -SubscriptionId, as follows:
      .\CreateNsxRoles.ps1 -subscriptionId <the_single_Azure_subscription_ID> 
      Note: If you want to override the default Service Principal name of nsx-service-admin, you can also use the parameter - servicePrincipalName. The Service Principal name must be unique in your Microsoft Azure Active Directory.
  4. Scenario 2: You have multiple Microsoft Azure Subscriptions under the same Microsoft Azure Directory, that you want to enable with NSX Cloud, but want to use one NSX Cloud Service Principal across all your subscriptions.
    1. From a PowerShell instance, go to the directory where you downloaded the Microsoft Azure scripts and JSON files.
    2. Edit each of the JSON files to add a list of other subscription IDs under the section titled "AssignableScopes", for example:
      "AssignableScopes": [
      
      "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
      
      "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-ffffffffffff",
      
      "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-000000000000"
      Note: You must use the format shown in the example to add subscription IDs: "/subscriptions/<Subscription_ID>"
    3. Run the script named CreateNsxRoles.ps1 with the parameters -subscriptionID and -useOneServicePrincipal:
      .\CreateNsxRoles.ps1 -subscriptionId <the_Transit_VNet's_Azure_subscription_ID> -useOneServicePrincipal 
      Note: Omit the Service Principal name here if you want to use the default name: nsx-service-admin. If that Service Principal name already exists in your Microsoft Azure Active Directory, running this script without a Service Principal name updates that Service Principal.
  5. Scenario 3: You have multiple Microsoft Azure Subscriptions under the same Microsoft Azure Directory, that you want to enable with NSX Cloud, but want to use different NSX Cloud Service Principal names for different subscriptions.
    1. From a PowerShell instance, go to the directory where you downloaded the Microsoft Azure scripts and JSON files.
    2. Follow steps b and c from the second scenario to add multiple subscriptions to the AssignableScopes section in each of the JSON files.
    3. Run the script named CreateNsxRoles.ps1 with the parameters -subscriptionID:
      .\CreateNsxRoles.ps1 -subscriptionId <One of the subscription_IDs> 
      Note: Omit the Service Principal name here if you want to use the default name: nsx-service-admin. If that Service Principal name exists in your Microsoft Azure Active Directory, running this script without a Service Principal name updates that Service Principal.
    4. Run the script named AddServicePrincipal.ps1 with the following parameters:
      Parameter Value
      -computeSubscriptionId The Compute_VNet's Azure Subscription ID
      -transitSubscriptionId The Transit VNet's Azure Subscription ID
      -csmRoleName Get this value from the file nsx_csm_role.JSON
      -servicePrincipalName New Service Principal name
      ./AddServicePrincipal.ps1 -computeSubscriptionId <the_Compute_VNet's_Azure_subscription_ID>
       -transitSubscriptionId <the_Tranist_VNet's_Azure_Subscription_ID> 
      -csmRoleName <CSM_Role_Name>
      -servicePrincipalName <new_Service_Principal_Name>”
  6. Look for a file in the same directory where you ran the PowerShell script. It is named like: NSXCloud_ServicePrincipal_<your_subscription_ID>_<NSX_Cloud_Service_Principal_name>. This file contains the information required to add your Microsoft Azure subscription in CSM.
    • Client ID
    • Client Key
    • Tenant ID
    • Subscription ID

Results

The following constructs are created:

  • an Azure AD application for NSX Cloud.

  • an Azure Resource Manager Service Principal for the NSX Cloud application.

  • a role for CSM attached to the Service Principal account.

  • a role for PCG to enable it to work on your public cloud inventory.

  • a file named like NSXCloud_ServicePrincipal_<your_subscription_ID>_<NSX_Cloud_Service_Principal_name> is created in the same directory where you ran the PowerShell script. This file contains the information required to add your Microsoft Azure subscription in CSM.
Note: Refer to the JSON files that are used to create the CSM and PCG roles for a list of permissions available to them after the roles are created.

What to do next

Add your Microsoft Azure Subscription in CSM
Note: When enabling NSX Cloud for multiple subscriptions, you must add each separate subscription to CSM individually, for example, if you have five total subscriptions you must add five Microsoft Azure accounts in CSM with all other values the same but different subscription IDs.