Creating a Credential in F5 Distributed Cloud for Azure

Configuring a cloud account credential for F5 Distributed Cloud to use with Azure, while a straightforward process, requires some nuance to get just right. This article illustrates each step of the way.

  1. Log in to the Azure portal at portal.azure.com. Navigate to All Services > Azure AD > App registrations, then click “New registration”.

  2. Enter the app name and choose who can access the API. Single tenant access is recommended.


  3. Now click “Certificates & secrets”, then “Client secrets (0)”, and then “New client secret”. Enter a name for the secret and choose the default expiration time of 6 months as a best practice. 


  4. Copy the secret and save it to enter later in the F5 Distributed Cloud Console.

     

  5. In the app registration overview “Essentials” section, copy the Application (client) ID and Directory (tenant) ID. You’ll need this information in the F5 Distributed Cloud Console further in this guide.


  6. Exit the app registration, and in the Azure Active Directory Overview, save the Tenant ID to enter later in the F5 Distributed Cloud Console.


  7. In the search box, type “Subscriptions” and open the subscription that you want services provisioned in.


  8. Click “Access control (IAM)”, then “+ Add”, then “Add role assignment”.


  9. Select the built-in role “Contributor”, then click the tab “Members”.


  10. Enter the name of the app registration created in step 2 above, highlight the selection, then click “Select”.


  11. The role assignment and member should appear. Now click “Review & assign”.


  12. Open the F5 Distributed Cloud Console and navigate to Cloud and Edge Sites > Site Management > Cloud Credentials, then click “Add Cloud Credentials”.

  13. Enter the following details, and then click “Configure”.
    Name: azure-cred
    Cloud Credential Type: Azure Client Secret for Service Principal
    Client ID: [copied in step 5]
    Subscription ID: [copied in step 6]
    Tenant ID: [copied in step 5]

  14. Paste in the private key using type “Text”, with the key copied in step 4. Click “Blindfold”, and then click “Apply”.

     




    Click “Save and Exit”.

 

Congrats! You've now configured a Cloud Credential for deploying services in Azure using the Distributed Cloud Service.
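
A check worth running once the credential is in place, added here as an example (not part of the original article or any F5 tooling): the Python below audits the client secret created in step 3 and the role assignment made in steps 8 to 11. It works on JSON shaped like the output of `az ad app credential list` and `az role assignment list`; the sample records, IDs, thresholds and function names are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `az ad app credential list --id <appId>` output.
SAMPLE_SECRETS = json.loads("""[
  {"keyId": "00000000-0000-0000-0000-000000000001", "displayName": "f5xc-secret",
   "startDateTime": "2023-02-06T00:00:00Z", "endDateTime": "2023-08-06T00:00:00Z"},
  {"keyId": "00000000-0000-0000-0000-000000000002", "displayName": "old-secret",
   "startDateTime": "2021-01-01T00:00:00Z", "endDateTime": "2023-01-01T00:00:00Z"}
]""")
# Constructed sample shaped like `az role assignment list --assignee <appId> --all`.
SUB = "11111111-1111-1111-1111-111111111111"  # placeholder subscription ID
SAMPLE_ROLES = [
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB}"},
    {"roleDefinitionName": "Owner", "scope": f"/subscriptions/{SUB}/resourceGroups/rg-test"},
]

def parse_ts(value):
    # Keep only the seconds-resolution prefix; assumes the CLI reports UTC ("Z").
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def audit_secrets(secrets, now, max_lifetime_days=184, warn_days=30):
    """Return (keyId, finding) pairs for client secrets that need attention."""
    findings = []
    for s in secrets:
        start, end = parse_ts(s["startDateTime"]), parse_ts(s["endDateTime"])
        if end <= now:
            findings.append((s["keyId"], "expired: remove it from the app registration"))
        elif end - now <= timedelta(days=warn_days):
            findings.append((s["keyId"], "expires soon: rotate, then update the cloud credential"))
        if end - start > timedelta(days=max_lifetime_days):
            findings.append((s["keyId"], "lifetime exceeds the 6-month default"))
    return findings

def audit_roles(assignments, subscription_id):
    """Return (scope, finding) pairs for anything other than Contributor in the subscription."""
    expected = f"/subscriptions/{subscription_id}".lower()
    findings = []
    for a in assignments:
        scope = a["scope"].lower().rstrip("/")
        if scope != expected and not scope.startswith(expected + "/"):
            findings.append((a["scope"], "scope is outside the intended subscription"))
        elif a["roleDefinitionName"] != "Contributor":
            findings.append((a["scope"], "unexpected role " + a["roleDefinitionName"]))
    return findings

if __name__ == "__main__":
    now = datetime(2023, 7, 20, tzinfo=timezone.utc)  # fixed date so the output is repeatable
    for item, finding in audit_secrets(SAMPLE_SECRETS, now) + audit_roles(SAMPLE_ROLES, SUB):
        print(item, "->", finding)
```

When a secret is rotated, the new value has to be entered in the Cloud Credential again (step 14), since the console stores its own copy.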

Updated Feb 06, 2023
Version 3.0
  • For the CLI savvy, you can use the az CLI and grab the needed outputs too.

    From the Azure Console Bash Cloud Shell, run the following command:

      $ az ad sp create-for-rbac -n "http://[unique-name]-volterra-cc" --role contributor
      {
        "appId": "xxx-xxxx",
        "displayName": "[unique-name]-f5xc-cc",
        "name": "http://[unique-name]-f5xc-cc",
        "password": "[password]",
        "tenant": "yyy-yyy"
      }
    

    Copy the JSON output (starting with "{" ending with "}") of this command and keep it safe. This credential enables read/write access to your Azure Subscription.

    You will also need to retrieve your subscription ID. You can use the following command to list out the name, id, and whether it is your default subscription.

      $ az account show --query "[name,id,isDefault]"
      [
        "f5-AZR_xxxx", <-- name
        "xxx-xxx-xxx", <-- subscription id
        true           <-- is this the default subscription
      ]
  • Very helpful, thanks for this Dave.

    I got tripped up slightly by the "Subscription ID". This ID is not listed in the step 6 screen as described here. It's easy to obtain after step 7 (search for "subscriptions" and you'll see your "Subscription ID" listed there). This gets copied into your cloud credential.