
Improve the Azure cloud auto join documentation (#8530)

* Update the Azure cloud auto join documentation with more explicit information on how to configure the infrastructure.
* Add a note regarding the length of time taken for Azure to sync the MSI permissions.
* Update references from tag_name to tag_key in the Azure examples
Co-authored-by: Jono Sosulska <42216911+jsosulska@users.noreply.github.com>
pull/8750/head
Petrik van der Velde 4 years ago committed by GitHub
parent commit: 069d56797f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 15
      website/pages/docs/install/cloud-auto-join.mdx


@ -85,17 +85,17 @@ endpoint](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-d
### Microsoft Azure
This returns the first private IP address of all servers in the given region
which have the given `tag_key` and `tag_value` in the tenant and subscription, or in
which have the given `tag_key` and `tag_value` applied to their virtual NIC in the tenant and subscription, or in
the given `resource_group` of a `vm_scale_set` for Virtual Machine Scale Sets.
```shell-session
$ consul agent -retry-join "provider=azure tag_name=... tag_value=... tenant_id=... client_id=... subscription_id=... secret_access_key=..."
$ consul agent -retry-join "provider=azure tag_key=... tag_value=... tenant_id=... client_id=... subscription_id=... secret_access_key=..."
```
```json
{
"retry_join": [
"provider=azure tag_name=... tag_value=... tenant_id=... client_id=... subscription_id=... secret_access_key=..."
"provider=azure tag_key=... tag_value=... tenant_id=... client_id=... subscription_id=... secret_access_key=..."
]
}
```
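Review bot: the renamed shell and JSON examples both still carry `secret_access_key=...` literally in the `-retry-join` string, so the client secret ends up on the agent command line and in the `retry_join` configuration file. Since the Azure note later in this same file says MSI is preferred precisely because it keeps Azure credentials out of Consul configuration, it would help to add a one-line pointer right after these examples saying that the `client_id`/`secret_access_key` form is for non-Azure-hosted agents and that agents running on Azure should use the MSI form described below. The prose change on the line `which have the given \`tag_key\` and \`tag_value\` applied to their virtual NIC` is a good clarification; consider also stating it next to the examples, since a reader copying `tag_key=...` will otherwise tag the VM rather than the NIC.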
@ -122,11 +122,16 @@ Use these configuration parameters (instead of `tag_name` and `tag_value`) when
- `resource_group` - the name of the resource group to filter on.
- `vm_scale_set` - the name of the virtual machine scale set to filter on.
When using tags the only permission needed is `Microsoft.Network/networkInterfaces`.
When using tags the only permission needed is `Microsoft.Network/networkInterfaces/read`. The scope for this permission is the Resource Group
that contains the virtual NICs for the Virtual Machines.
When using Virtual Machine Scale Sets the only role action needed is `Microsoft.Compute/virtualMachineScaleSets/*/read`.
~> **Note:** If the Consul datacenter is hosted on Azure, Consul can use Managed Service Identities (MSI) to access Azure instead of an environment variable and shared client id and secret. MSI must be enabled on the VMs hosting Consul, and it is the preferred configuration since MSI prevents your Azure credentials from being stored in Consul configuration. This feature is supported from Consul 1.7 and above.
~> **Note:** If the Consul datacenter is hosted on Azure, Consul can use Managed Service Identities (MSI) to access Azure instead of an environment
variable, shared client id and secret. MSI must be enabled on the VMs or Virtual Machine Scale Sets hosting Consul. It is the preferred configuration
since MSI prevents your Azure credentials from being stored in Consul configuration. This feature is supported in Consul 1.7 and above. When using
MSI, the `tag_key`, `tag_value` and `subscription_id` need to be supplied for Virtual machines.
Be aware that the amount of time that Azure takes for the VMs to detect the MSI permissions can be between a minute to an hour.
### Google Compute Engine
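Review bot: the context line at the top of this hunk still reads `(instead of \`tag_name\` and \`tag_value\`)`, while the hunk above renames the parameter to `tag_key`; update that sentence so the two sections agree. In the rewritten MSI note, the last sentence says which parameters are required for virtual machines (`tag_key`, `tag_value` and `subscription_id`) but not what is required when MSI is used with a Virtual Machine Scale Set; since this hunk lists `resource_group` and `vm_scale_set` as the scale-set filters, state whether those are still needed alongside `subscription_id`. Two wording points: `between a minute to an hour` should read `between a minute and an hour`, and `Virtual machines` is capitalized inconsistently with `Virtual Machine Scale Sets` in the preceding sentence. The new permission text is an improvement: `Microsoft.Network/networkInterfaces/read` scoped to the resource group holding the NICs, and `Microsoft.Compute/virtualMachineScaleSets/*/read` for scale sets, are both read-only, which is what a join-time discovery identity should be limited to.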
