Cloudockit's Optimal Setup - Enterprise - Azure
The purpose of this document is to provide the detailed steps to install and configure Cloudockit Desktop in an optimal way so you can get going as quickly as possible with your automated documentation generation for your Azure environment.
Cloudockit desktop can be installed in many ways. On a workstation, on a server, or on a virtual machine.
Based on our experience, we have identified that the optimal way is to create a virtual machine using the image available on Azure Marketplace which includes Cloudockit Desktop.
Step 1 – Creating the virtual machine
Connect to the Azure portal and go to Virtual Machines
From the Virtual Machines page, press Add in the upper left corner and then Virtual Machine.
Basics
Project Details
Add the Virtual Machine to the Resource Group of your choice.
Instance Details
Virtual Machine Name: Name your virtual machine
Region: Select Region
Availability options: Select from the drop-down.
Image:
Click: Browse all public and private images
In Select an image, enter Cloudockit in the search bar and select Cloudockit Desktop.
Azure Spot Instance: No
Size: Standard_A2_v2 – 2vcpus, 4 GiB memory (Suggested)
Administrator Account
Define the Username and Password
Inbound port rules
Public Inbound ports: Allow selected ports
Select Inbound ports: RDP (3389)
Licensing
Would you like to use an existing Windows Server license? Based on your own preferences.
Click: Disk
Disks
Click: Networking
Networking
Note :
- This setup with the Public IP can be done in different ways depending on your environment. If you have an isolated Virtual Network with a Jumpbox to access your virtual machines, you can absolutely use that instead of the Public IP
- If you use the Public IP, we strongly recommend that you activate the Just In Time Access to add additional security
Load Balancing
Do you want to place this virtual machine behind an existing load balancing solution?: No
Click: Management
Management
Define Management as shown on the image below.
Click: Advanced
Advanced
Define the Advanced tab as shown in the image below.
Click: Tags
Tags
Define tags based on your organization’s tagging policy.
Click: Review + Create
Review & Create
Review the parameters of the virtual machine and press Create.
The Storage Account will allow you to save the documentation that you create and be available to employees in your organization.
From the Azure Portal, select Storage Accounts
Press Add in the upper left corner.
Basics
Define the Basics section as shown in the image below.
Click: Networking
Networking
Define the Networking based on your organizations’ policies.
Click: Data Protection
Data Protection
Define the Data Protection based on your organization’s policies.
Click: Advanced
Advanced
Define the Advanced tab as shown in the image below or based on your organization’s policies.
Click: Tags
Tags
Define Tags based on your organization’s tagging policy.
Click: Review & Create
Review & Create
Review the parameters of the virtual machine and press Create.
By enabling System Assigned Managed identity, this gives you the possibility to add permissions to the virtual machine instead of giving them to a user or a service principal.
The advantage of adding permissions to a virtual machine is to start document generation on new subscriptions without having to do any manual configuration in Cloudockit Desktop.
Giving Permissions to the Virtual Machine on your subscription
The only access needed to generate documentation with Cloudockit Desktop is “reading” privileges.
Access the subscription you want to give access to.
Click on the subscription name and select Access Control (IAM).
Press the Add button in the Add a role assignment box.
In the Add a role assignment section, select the following:
Role: Reader
Select: Select the virtual machine you have created
Make sure the Virtual machine is in the Selected Members section.
Click: Save
Giving the Virtual Machine Permissions on the Storage Account
Access the list of storage accounts in your subscription and select the account where you want documents from Cloudockit Desktop to be saved.
Click: Access Control (IAM)
Press the Add button in the Add a role assignment box.
In the Add a role assignment section, select the following:
Role: Contributor
Select: Select the Virtual Machine you have created.
Make sure the Virtual Machine is in the Selected Members section.
Click: Save
Additional permissions
Azure Classic Resources
Classic resources will not display in the documentation with reader privileges. You must add the credentials to the “Classic Administrator” of the subscription.
https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
Azure Active Directory
Cloudockit cannot retrieve data from Azure Directory with reader privileges.
The credentials used to generate the documentation must have “Azure AD Global Administrator”.
Azure Billing
Limited billing information can be retrieved with reader privileges.
To get access to additional billing information you must give the credentials “Billing Reader” privileges.
Azure Security Center
To read information from the Azure Security Center through the compliance rules, the credentials used to generate the documentation must have “SecurityReader” privileges.
Dependencies Detection in Azure App Services
Cloudockit automatically detects dependencies between components like Azure App Services & Functions and components like storages, queues, etc.
To do that, Cloudockit scans the App Settings and App Connection Strings to detect the components the App Service is communicating with.
“Contributor” access (on the App Service only) is needed so Cloudockit can list the App Settings and Connection Strings. If you have only Reader privileges, you will see the App Service Details but not the dependencies.
Azure Kubernetes Services
The credentials used to generate the documentation must have “Azure Kubernetes Service RBAC Writer” access (on the Kubernetes Cluster only) so Cloudockit can connect to the cluster and retrieve the details.
Step 4 – Cloudockit Endpoints
Cloudockit uses Azure’s public APIs to collect the metadata which is used to create the reports and diagrams that you use. If the Virtual Machine that you use has internet connectivity, no need to worry about endpoints.
If you do not want to open this Virtual Machine to the internet, here is the list of endpoints that you will potentially need to open for Cloudockit to collect the data.
Endpoints | |
| Cloudockit license validation | generate.cloudockit.com:443 |
| Azure APIs | login.microsoftonline.com:443 |
| management.core.windows.net:443 | |
| management.azure.com:443 | |
| ratecard.azure-api.net | |
| graph.windows.net | |
| Azure GOV APIs | login.microsoftonline.us |
| management.usgovcloudapi.net | |
| management.core.usgovcloudapi.net | |
| Lucid chart diagrams | app.lucidchart.com:443 |
| Email Notification | api.sendgrid.com:443 |
Step 5 – Launch Cloudockit Desktop and Schedule a Document Generation
Connect to the Virtual Machine just created.
Create a shortcut
The first step is to create a shortcut to launch Cloudockit from your desktop.
Open Windows Explorer and go to this folder, C:\Program Files\CloudocKit
Identify the file named Cloudockit.exe
Create a shortcut and place it on your desktop.
Activating Cloudockit
Click on the desktop shortcut of Cloudockit to launch the application.
You will need to enter your product key to activate Cloudockit Desktop.
If you have not purchased a product key yet, please visit our Pricing Page.
You will see a message confirming that the activation was done successfully.
Click: OK
Connecting to an Azure platform
Press Start or Schedule a document generation.
Select Microsoft Azure from the list of platforms.
Select Managed Identity (Preview).
Select your Cloud Type and press Login.
Select All subscriptions and press Continue.
Schedule a Document Generation
Now that you are logged in, it is time to define what information you want to generate using Cloudockit.
Set the desired parameters under Documents, Workloads, and Organize Content.
Track Changes
Use the storage account created previously to track changes. This will allow you to see the differences that have occurred between a previous document and the one running right now.
Select Track Changes from the menu to the left.
Enter the name of the storage account in the Account Name box and press validate.
A confirmation message will confirm that the storage account is valid.
Check the box Save a snapshot for comparison.
This will save a JSON file in the storage account every time a new document is generated.
Check the box Compare with a previously generated document.
Select the first empty row that appears below.
This will always select the most recent file in the storage account to compare.
Drop-Off
In the Drop-Off settings, the same storage account as defined in the Track Changes section is automatically selected.
Scheduling
Define the desired schedule for your documentation to run and save your schedule.
Configuration
Enter a unique name to the parameters you have set and press Save Current Configuration.
Your configuration is saved, you can load or edit it in the future.
Step 6 – Validate that documents are successfully generated
Once your scheduled document generation is complete, let’s validate that it has been scheduled properly.
From the main menu, select View all schedules.
In the list, you will see the scheduled documentation you have configured.
You can now press run to generate a manual document generation or wait for the schedule to run its course.
Once your document is completed, you will be able to access it from the Storage Account or from the desktop application.
Press View all document generations from the main menu.
You will see the list of the documents that have been generating.
You can access the documents from the View Documents button on the right.
