Azure or BYO-AZURE (Bring Your Own Azure Account)

# Azure Bring Your Own Cloud (BYOC) - Permissions Guide

## Overview

This guide explains the Azure permissions and configuration required for customers who want to deploy Elestio services in their own Azure subscription. By connecting your Azure account, Elestio will create and manage resources directly in your Azure environment.

## Prerequisites

Before connecting your Azure subscription to Elestio, ensure you have:

- An active Azure subscription
- Global Administrator, Privileged Role Administrator, or Application Administrator role in Azure AD
- Contributor role on the target Azure subscription (or ability to assign it)

---

## Required Azure Permissions

### Minimum Required Role

**Role**: `Contributor`

**Scope**: Subscription level

**Why**: This role allows Elestio to create, manage, and delete resources in your subscription while preventing it from modifying access controls or role assignments.

### Alternative: Custom Role (Advanced)

If your organization requires granular permissions, you can create a custom role with these specific permissions:

```json
{
  "Name": "Elestio Service Manager",
  "Description": "Custom role for Elestio to manage cloud resources",
  "Actions": [
    "Microsoft.Resources/subscriptions/resourceGroups/*",
    "Microsoft.Compute/virtualMachines/*",
    "Microsoft.Compute/disks/*",
    "Microsoft.Network/virtualNetworks/*",
    "Microsoft.Network/networkInterfaces/*",
    "Microsoft.Network/networkSecurityGroups/*",
    "Microsoft.Network/publicIPAddresses/*",
    "Microsoft.Storage/storageAccounts/*",
    "Microsoft.RecoveryServices/vaults/*",
    "Microsoft.RecoveryServices/register/action",
    "Microsoft.Authorization/locks/*"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/{your-subscription-id}"
  ]
}
```

---

## What Resources Will Elestio Create?

When you deploy services through Elestio using your Azure subscription, the following resources will be created:

| Resource Type | Purpose |
|---------------|---------|
| **Resource Groups** | Logical containers for all resources (named `elestio-{region}`) |
| **Virtual Machines** | Compute instances for your applications |
| **Managed Disks** | Storage for VM operating systems and data |
| **Virtual Networks** | Network isolation for your services |
| **Network Interfaces** | Connect VMs to virtual networks |
| **Public IP Addresses** | IPv4 and IPv6 addresses for external access |
| **Network Security Groups** | Firewall rules to control network traffic |
| **Storage Accounts** | Object storage for backups and data |
| **Recovery Services Vaults** | Backup and disaster recovery services |
| **Resource Locks** | Prevent accidental deletion of critical resources |

---

## OAuth Scope Required

Elestio uses the following OAuth 2.0 scope to access your Azure subscription:

```
https://management.azure.com/user_impersonation
```

This scope allows Elestio to perform actions on your behalf through the Azure Resource Manager API.

---

## Step-by-Step Setup Guide

### Step 1: Assign Contributor Role to Your User Account

1. Sign in to the [Azure Portal](https://portal.azure.com)
2. Navigate to **Subscriptions**
3. Select the subscription you want to use with Elestio
4. Click **Access control (IAM)** in the left sidebar
5. Click **+ Add** → **Add role assignment**
6. In the **Role** tab:
   - Search for and select **Contributor**
   - Click **Next**
7. In the **Members** tab:
   - Select **User, group, or service principal**
   - Click **+ Select members**
   - Search for and select your user account
   - Click **Select**
   - Click **Next**
8. In the **Review + assign** tab:
   - Review the settings
   - Click **Review + assign**

**Verification**: You should see your user account listed with the Contributor role under "Role assignments" in the IAM section.
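The custom role from the Required Azure Permissions section and the Step 1 role assignment can both be checked before connecting. The Python below is an added example, not code from the Elestio guide: it builds the guide's role definition, runs least-privilege checks on it (one concrete subscription scope, no wildcard or access-control actions), and verifies that a principal holds Contributor at subscription scope rather than on a resource group, using the field names of `az role assignment list` output; the subscription id and principal names are constructed placeholders.

```python
# Constructed placeholder for the guide's {your-subscription-id}; not a real subscription.
SUBSCRIPTION_ID = "11111111-2222-3333-4444-555555555555"

# The Actions list from the guide's "Elestio Service Manager" custom role.
ELESTIO_ACTIONS = [
    "Microsoft.Resources/subscriptions/resourceGroups/*",
    "Microsoft.Compute/virtualMachines/*",
    "Microsoft.Compute/disks/*",
    "Microsoft.Network/virtualNetworks/*",
    "Microsoft.Network/networkInterfaces/*",
    "Microsoft.Network/networkSecurityGroups/*",
    "Microsoft.Network/publicIPAddresses/*",
    "Microsoft.Storage/storageAccounts/*",
    "Microsoft.RecoveryServices/vaults/*",
    "Microsoft.RecoveryServices/register/action",
    "Microsoft.Authorization/locks/*",
]

# Operations that let a role holder change who has access. Contributor's built-in
# NotActions deny Microsoft.Authorization/*/Write and /Delete; a custom role must not add them.
ACCESS_CONTROL_PREFIXES = (
    "Microsoft.Authorization/roleAssignments",
    "Microsoft.Authorization/roleDefinitions",
    "Microsoft.Authorization/elevateAccess",
)

def build_role_definition(subscription_id):
    """Return the guide's custom role as a dict (the shape `az role definition create` accepts)."""
    return {"Name": "Elestio Service Manager",
            "Description": "Custom role for Elestio to manage cloud resources",
            "Actions": list(ELESTIO_ACTIONS), "NotActions": [],
            "AssignableScopes": [f"/subscriptions/{subscription_id}"]}

def role_definition_findings(role):
    """Least-privilege checks: single-subscription scopes, no wildcard or access-control actions."""
    findings = []
    for scope in role["AssignableScopes"]:
        parts = scope.split("/")  # "/subscriptions/<id>" splits into ["", "subscriptions", "<id>"]
        if parts[:2] != ["", "subscriptions"] or len(parts) != 3 or "{" in scope:
            findings.append(f"assignable scope is not a single concrete subscription: {scope}")
    for action in role["Actions"]:
        if action in ("*", "Microsoft.Authorization/*") or action.startswith(ACCESS_CONTROL_PREFIXES):
            findings.append(f"action grants access-control rights: {action}")
    return findings

def contributor_at_subscription(assignments, principal, subscription_id):
    """True if `principal` holds Contributor on the subscription itself (fields as in `az role assignment list`)."""
    want = f"/subscriptions/{subscription_id}".lower()
    return any(a["principalName"] == principal and a["roleDefinitionName"] == "Contributor"
               and a["scope"].lower() == want for a in assignments)
```

The dict returned by `build_role_definition` can be written to a file with `json.dumps` and passed to `az role definition create --role-definition @file.json`; a resource-group-scoped assignment is rejected by `contributor_at_subscription`, which is the "Insufficient permissions" case in Troubleshooting.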
---

### Step 2: Register Elestio Application in Azure AD

When you connect your Azure account through the Elestio dashboard:

1. Log in to your Elestio account
2. Navigate to your project settings
3. Go to **Cloud Providers** → **Azure**
4. Click **Connect Azure Account**
5. Enter your **Azure Tenant ID** (found in Azure AD → Overview)
6. Click **Authorize**

You will be redirected to the Microsoft login page.

---

### Step 3: Grant Admin Consent

After clicking Authorize, you'll see the Microsoft permissions consent screen:

1. Review the requested permissions:
   - **Access Azure Service Management as you** (`user_impersonation` scope)
   - This allows Elestio to manage Azure resources on your behalf
2. If prompted, sign in with an account that has admin privileges
3. Click **Accept** to grant consent

**Note**: If you don't have sufficient privileges, contact your Azure AD administrator to grant consent.

---

### Step 4: Select Subscription

1. After authorization, you'll return to the Elestio dashboard
2. Select the Azure subscription where you want to deploy resources
3. Click **Save**

Your Azure account is now connected to Elestio!

---

## Security Best Practices

### 1. Use Dedicated Subscriptions

For production environments, consider using a dedicated Azure subscription for Elestio-managed resources. This provides:

- Clear cost tracking and billing
- Isolation from other workloads
- Simplified auditing and compliance

### 2. Enable Azure Activity Log

Monitor all Elestio actions in your subscription:

1. Go to **Azure Monitor** → **Activity Log**
2. Set up alerts for critical operations:
   - Resource deletion
   - Role assignment changes
   - Network security group modifications

### 3. Review Resource Locks

Elestio automatically creates resource locks on VMs to prevent accidental deletion. To view them:

1. Navigate to your VM resource
2. Click **Locks** in the left sidebar
3. You'll see a lock named after your VM

### 4. Regular Access Reviews

Periodically review who has access to your Azure subscription:

1. Go to **Subscriptions** → **Access control (IAM)**
2. Click **Role assignments**
3. Verify that only authorized users have Contributor or higher roles

---

## Understanding Resource Naming Conventions

Elestio uses consistent naming patterns for created resources:

| Resource | Naming Pattern | Example |
|----------|----------------|---------|
| Resource Group | `elestio-{region}` | `elestio-eastus` |
| VM | `{service-name}` | `my-postgres-db` |
| Public IPv4 | `{service-name}_ipv4` | `my-postgres-db_ipv4` |
| Public IPv6 | `{service-name}_ipv6` | `my-postgres-db_ipv6` |
| Network Interface | `{service-name}` | `my-postgres-db` |
| Network Security Group | `{service-name}` | `my-postgres-db` |
| Virtual Network | `elestio_{region}_vnet` | `elestio_eastus_vnet` |
| Recovery Vault | `{display-name}` | Service display name |
| Backup Policy | `elestioBackup` | `elestioBackup` |

---

## Backup and Recovery

### Automatic Backups

Elestio automatically enables Azure Backup for services with support levels 2 and 3:

- **Daily backups** are configured using Azure Recovery Services
- **Backup retention**: Configurable based on your backup policy
- **Recovery points** are stored in Recovery Services Vaults

### Manual Backups (Snapshots)

You can trigger manual snapshots through the Elestio dashboard. These are:

- Created using Azure Backup on-demand
- Stored in the same Recovery Services Vault
- Default retention: 2 days (configurable)

### Backup Costs

Azure Backup costs are charged directly to your Azure subscription based on:

- Protected instance size
- Storage consumed by recovery points

Refer to [Azure Backup Pricing](https://azure.microsoft.com/en-us/pricing/details/backup/) for details.

---

## Cost Management

### Viewing Costs

1. Navigate to **Cost Management + Billing** in Azure Portal
2. Select your subscription
3. Go to **Cost analysis**
4. Filter by resource group: `elestio-*`

### Cost Optimization Tips

1. **Right-size VMs**: Choose the appropriate VM size for your workload
2. **Use Reserved Instances**: For long-running services, consider Azure Reserved VM Instances (up to 72% savings)
3. **Stop Unused VMs**: Deallocate VMs when not in use to avoid compute charges
4. **Monitor Backup Storage**: Review and delete old recovery points if not needed

---

## Troubleshooting

### Error: "Insufficient permissions"

**Cause**: Your user account doesn't have the required Contributor role.

**Solution**:

1. Verify the role assignment in Subscriptions → Access control (IAM)
2. Ensure the Contributor role is assigned at the subscription level, not the resource group level
3. Wait 5-10 minutes for permissions to propagate

---

### Error: "Admin consent required"

**Cause**: The Elestio application requires admin consent for the `user_impersonation` scope.

**Solution**:

1. Contact your Azure AD administrator
2. Ask them to grant admin consent through Azure AD → Enterprise applications → Elestio → Permissions
3. Alternatively, have an admin complete the authorization flow

---

### Error: "Provider not registered"

**Cause**: The `Microsoft.RecoveryServices` resource provider is not registered in your subscription.

**Solution**: Elestio automatically registers required providers, but you can register it manually:

1. Go to **Subscriptions** → Select your subscription
2. Click **Resource providers**
3. Find `Microsoft.RecoveryServices`
4. Click **Register**

---

### Error: "Quota exceeded"

**Cause**: Your subscription has reached the limit for a specific resource type (e.g., CPU cores, public IPs).

**Solution**:

1. Go to **Subscriptions** → **Usage + quotas**
2. View current usage and limits
3. Request a quota increase through **Support** → **New support request**

---

### Resources Not Appearing in Azure Portal

**Cause**: Resource creation is in progress or has failed.

**Solution**:

1. Check the Elestio dashboard for deployment status
2. Review the Azure Activity Log for any failed operations:
   - Go to **Monitor** → **Activity Log**
   - Filter by time range and status: "Failed"
3. Contact Elestio support if issues persist

---

## Data Residency and Compliance

### Data Location

- All resources are created in the Azure region you select during service deployment
- Data does not leave your selected region unless you configure cross-region replication
- Elestio does not have direct access to your data; all access is through your Azure credentials

### Compliance

Your Azure subscription maintains its existing compliance certifications. Elestio's operations are subject to:

- Your Azure subscription's compliance settings
- Azure's compliance certifications (SOC 2, ISO 27001, HIPAA, etc.)
- Your organization's governance policies

---

## Disconnecting Your Azure Account

If you need to disconnect your Azure account from Elestio:

### Important: Before Disconnecting

1. **Delete all services** deployed through Elestio first
2. This prevents orphaned resources that you would otherwise need to clean up manually
3. Review your Azure subscription to ensure no Elestio resources remain

### Disconnection Steps

1. Go to Elestio dashboard → Project settings
2. Navigate to **Cloud Providers** → **Azure**
3. Click **Disconnect**
4. Confirm the disconnection

### Post-Disconnection Cleanup

1. Review resource groups named `elestio-*` in Azure Portal
2. Delete any remaining resources if needed
3. Remove role assignments in Subscriptions → Access control (IAM) if desired
4. Revoke application consent in Azure AD → Enterprise applications → Elestio

---

## FAQ

### Q: Can Elestio access my existing Azure resources?

**A**: Yes, with the Contributor role, Elestio has read/write access to resources in your subscription. However, Elestio only creates and manages resources specifically for your Elestio services. It does not modify or access unrelated resources.

### Q: Can I use an existing resource group?

**A**: Elestio automatically creates resource groups per region (e.g., `elestio-eastus`). This ensures proper organization and prevents conflicts with your existing resources.

### Q: What happens if I delete a resource manually in Azure?

**A**: Deleting Elestio-managed resources directly in Azure Portal may cause:

- Service outages
- Inconsistencies between the Elestio dashboard and the actual state
- Inability to manage the service through Elestio

Always delete services through the Elestio dashboard.

### Q: Are resource locks applied to all resources?

**A**: Elestio applies resource locks specifically to Virtual Machines to prevent accidental deletion. Other resources (NICs, disks, IPs) are not locked, to allow proper cleanup during service deletion.

### Q: Can I use a Service Principal instead of a user account?

**A**: Currently, Elestio uses delegated user authentication (`user_impersonation` scope). Service Principal authentication may be supported in future releases.

### Q: How are secrets and credentials stored?

**A**: Azure authentication tokens are encrypted and stored securely in Elestio's database. Elestio uses these tokens only to manage resources on your behalf. Tokens are automatically refreshed as needed.

### Q: What is the tenant ID and where do I find it?

**A**: Your Tenant ID (also called Directory ID) identifies your Azure AD tenant. To find it:

1. Go to **Azure Active Directory** → **Overview**
2. Copy the **Tenant ID** field
3. Paste it in Elestio when connecting your Azure account

### Q: Can multiple Elestio projects use the same Azure subscription?

**A**: Yes, you can connect the same Azure subscription to multiple Elestio projects. Resources will still be organized in region-specific resource groups.

### Q: What regions are supported?

**A**: Elestio supports all Azure regions where the required services (Compute, Network, Storage, Recovery Services) are available. You can select your preferred region when creating a service.
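The Activity Log alerts recommended under Security Best Practices (resource deletion, role assignment changes, network security group modifications) and the "Failed" status filter from Troubleshooting can be expressed as a filter over exported events. The Python below is an added example, not Elestio's code: it matches on the `operationName.value` and `status.value` fields of `az monitor activity-log list` output, and the events it runs over are constructed samples with placeholder callers.

```python
# Event shape follows `az monitor activity-log list` (operationName.value, status.value, caller, ...).
def _is_deletion(op):
    return op.lower().endswith("/delete")

def _is_role_assignment_change(op):
    return op.lower().startswith("microsoft.authorization/roleassignments/")

def _is_nsg_modification(op):
    parts = op.lower().split("/")  # covers the NSG itself and its securityRules sub-resource
    return parts[0:2] == ["microsoft.network", "networksecuritygroups"] and parts[-1] in ("write", "delete")

# The three alert categories the guide recommends, in the order it lists them.
ALERT_RULES = {
    "resource deletion": _is_deletion,
    "role assignment change": _is_role_assignment_change,
    "NSG modification": _is_nsg_modification,
}

def classify(event):
    """Return every alert category the event's operation matches (a roleAssignments/delete hits two)."""
    op = event["operationName"]["value"]
    return [name for name, match in ALERT_RULES.items() if match(op)]

def alerts(events, only_succeeded=True):
    """Flatten matching events into alert records; by default skip Started/Failed/Accepted entries."""
    out = []
    for e in events:
        if only_succeeded and e["status"]["value"] != "Succeeded":
            continue
        for category in classify(e):
            out.append({"category": category, "caller": e["caller"],
                        "resourceGroup": e.get("resourceGroupName"),
                        "operation": e["operationName"]["value"], "time": e["eventTimestamp"]})
    return out

def failed_operations(events):
    """The Troubleshooting step 'filter by status: Failed', as a function over the same events."""
    return [e for e in events if e["status"]["value"] == "Failed"]

def _ev(op, status, caller, rg, ts):
    return {"operationName": {"value": op}, "status": {"value": status}, "caller": caller,
            "resourceGroupName": rg, "eventTimestamp": ts}

SAMPLE_EVENTS = [  # constructed sample data, not a real Activity Log export
    _ev("Microsoft.Compute/virtualMachines/delete", "Succeeded", "alice@example.com", "elestio-eastus", "2025-12-24T10:00:00Z"),
    _ev("Microsoft.Authorization/roleAssignments/write", "Succeeded", "bob@example.com", None, "2025-12-24T10:05:00Z"),
    _ev("Microsoft.Network/networkSecurityGroups/securityRules/write", "Succeeded", "alice@example.com", "elestio-eastus", "2025-12-24T10:10:00Z"),
    _ev("Microsoft.Compute/virtualMachines/write", "Failed", "connector@example.com", "elestio-eastus", "2025-12-24T10:15:00Z"),
    _ev("Microsoft.Compute/disks/delete", "Started", "alice@example.com", "elestio-eastus", "2025-12-24T10:20:00Z"),
]
```

Calling `alerts(SAMPLE_EVENTS)` yields one record per recommended category, while the `Started` disk deletion is ignored until its `Succeeded` event arrives and the failed VM write shows up only in `failed_operations`.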
---

## Support

### Elestio Support

For issues with:

- Connecting your Azure account
- Service deployments
- Elestio dashboard functionality

Contact: [support@elest.io](mailto:support@elest.io)

### Azure Support

For issues with:

- Azure subscription limits
- Billing and costs
- Azure service availability

Visit: [Azure Support](https://azure.microsoft.com/en-us/support/options/)

---

## Additional Resources

- [Azure RBAC Documentation](https://docs.microsoft.com/en-us/azure/role-based-access-control/)
- [Azure Backup Documentation](https://docs.microsoft.com/en-us/azure/backup/)
- [Azure Cost Management](https://docs.microsoft.com/en-us/azure/cost-management-billing/)
- [Elestio Documentation](https://docs.elest.io)

---

**Last Updated**: December 24, 2025

**Document Version**: 1.0