Onboard Azure to CloudHiro cost optimization platform
Please read until the end before you start.
In Azure portal, open the Cloud Shell.
Copy-paste the entire contents of the PowerShell script into the shell.
Follow the guidelines inside the script.
Once the onboarding script is done, follow the instructions at the end and use the parameters to register to CloudHiro.
Move to "Register to CloudHiro" section below.
Important Remarks
- The onboarding script supports only EA/MACC agreements.
- CSP (Cloud Solution Provider) agreements: you will need to ask the CSP to enable you to buy reservations on your own in your subscriptions. More details here
- Do not close the Cloud Shell until you have copied all the parameters and downloaded the pem file.
- If you do not have the required permissions, the onboarding process will notify you at the end and you will need to add those permissions manually.
Creating a Service Principal
The following guide will show you how to set up your account to allow CloudHiro to access it in a secure manner. We will create a Service Principal for CloudHiro.
Use Azure CLI to set the active subscription:
az account set --subscription ""
Use Azure CLI to Create the Service Principal:
az ad sp create-for-rbac -n "CloudHiro" --create-cert
You should get a response similar to:
Creating a role assignment under the scope of "/subscriptions/"
{
  "appId": "XXX",
  "displayName": "CloudHiro",
  "fileWithCertAndPrivateKey": "/path/to/certificate/tmp123abc_v.pem",
  "name": "http://CloudHiro",
  "password": "YYY",
  "tenant": "ZZZ"
}
Please save the response. We will need some of the properties for the registration step.
There are two methods:
Method A - Traditional Billing Export
You control what CloudHiro can see, but billing data is available for up to 3 months in the past.
Method B - Billing API
CloudHiro can access up to 12 months of billing data in the past.
Method A - Billing Export
There is an Azure guide for this.
Create a storage account for CloudHiro to be able to read from.
Create billing exports at the highest level possible (billing account preferred). A total of 6 exports should be created:
Daily export - month to date:
- Amortized cost (1)
- Actual cost (2)
One-time export of the last 2 months:
- Previous month: Amortized cost (3) & Actual cost (4)
- 2 months ago: Amortized cost (5) & Actual cost (6)
Method B - Billing API
Just grant the "Enrollment reader" permission to the service principal. Add it manually, or you can use this script (not tested).
You can use this script from the Azure CLI to quickly assign the role to all subscriptions.
If you did not use the script, navigate to Subscriptions → Access Control (IAM) → Role Assignments. Add the following role assignments to the service principal:
For the Storage accounts that hold all the billing exports:
Auto-RI is our automated Reservation Management.
Create a new subscription for our purchases. If you already have a subscription for purchases, you can use that one.
Grant Reservations Administrator at the Tenant level. For Azure's manual on how to add permissions at the tenant level, use this link.
Grant Reservations Purchaser on the subscription you have created above.
Grant Reservations Reader at the tenant level to see all reservations purchased.
Please Note
- Auto-RI requires the billing export from the previous section (method A or B).
- If you are working through a Cloud Solution Provider (CSP), you will need to ask the CSP to enable you to buy reservations on your own in your subscriptions. More details here
After creating the service principal, go to the app registration of the service principal created → API permissions → add a permission → APIs my organization uses → log analytics API → add data.read permission.
Login to your CloudHiro account.
Go to System → Settings and update the four fields required for Bill CSV Location & the Azure RIs Subscription ID field. Update all at once. If you do not have a subscription ID, you can simply use 123 as a placeholder.
Register here. If using a reseller, use their provided link or add "?partner=[reseller-name]" to the URL.
You will need the following values from the previously saved response:
- Client ID - "appId"
- Certificate - "fileWithCertAndPrivateKey"
- Tenant Id - "tenant"
After registering, confirm the email and login.
In CloudHiro go to System → Settings and update the Azure RI's subscription ID field.
Permission | Scope | Reason |
---|---|---|
Storage Blob Data Reader | Storage Account that holds the billing exports | The ability to list all blobs in that storage account (Billing - Method A - billing exports) |
Enrollment reader | Billing Account | Ability to read billing data from API (Billing - Method B - API) |
Reader | Subscriptions | The ability to list and get all resources and their properties |
Monitoring Reader | Subscriptions | The ability to view metrics and see the usage of log analytics |
Reader and Data Access | Storage Account that holds the billing exports | The ability to view the blobs' content |
Log analytics API | App registration | Reach log analytics API and show how much each resource is sending to log analytics workspaces |
Reservations Administrator | Tenant | The ability to view and manage the reservations at the Tenant level, so all reservations will be visible to CloudHiro. The ability to manage RIs correctly by splitting, exchanging, refunding, etc. |
Reservations Purchaser | Purchasing Subscription | The ability to calculate the cost of the reservation and to purchase the reservation in that billing subscription |
Reservations Reader | Tenant | The ability to see all reservations |
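
After onboarding, the service principal's actual role assignments can be compared against the table above to catch roles or scopes broader than the ones listed. The following is an added example, not CloudHiro's or the page's own code: it assumes the `roleDefinitionName` and `scope` fields of `az role assignment list` JSON output and that tenant-level reservation roles appear at scope `/providers/Microsoft.Capacity`; the sample data is constructed.

```python
# Azure RBAC rows of the page's permission table: role -> expected scope kind.
# Role names are spelled as on the page; adjust if roleDefinitionName differs.
# "Enrollment reader" and the Log Analytics API permission are omitted because
# they are not Azure RBAC role assignments (assumption of this example).
EXPECTED = {
    "Storage Blob Data Reader": "storage_account",
    "Reader and Data Access": "storage_account",
    "Reader": "subscription",
    "Monitoring Reader": "subscription",
    "Reservations Purchaser": "subscription",
    "Reservations Administrator": "tenant",
    "Reservations Reader": "tenant",
}

def scope_kind(scope):
    """Map an ARM scope string to the scope kinds used in the table."""
    parts = [p.lower() for p in scope.split("/") if p]
    if parts == ["providers", "microsoft.capacity"]:
        return "tenant"  # assumption: scope used for tenant-level reservation roles
    if len(parts) == 2 and parts[0] == "subscriptions":
        return "subscription"
    if len(parts) == 8 and parts[4:7] == ["providers", "microsoft.storage", "storageaccounts"]:
        return "storage_account"
    return "other"  # root "/", management group, resource group, other resource

def audit(assignments):
    """Return (unexpected assignments, table roles not found at the expected scope)."""
    unexpected, seen = [], set()
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        if EXPECTED.get(role) == scope_kind(scope):
            seen.add(role)
        else:
            unexpected.append((role, scope))
    return unexpected, sorted(set(EXPECTED) - seen)

# Constructed sample shaped like `az role assignment list --all --assignee <appId> -o json`
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = [{"roleDefinitionName": r, "scope": s} for r, s in [
    ("Reader", SUB),
    ("Monitoring Reader", SUB),
    ("Contributor", SUB),               # not in the table at any scope
    ("Storage Blob Data Reader", SUB),  # right role, scope broader than the table's
    ("Reader and Data Access", SUB + "/resourceGroups/billing-rg/providers/Microsoft.Storage/storageAccounts/billingexports"),
    ("Reservations Reader", "/providers/Microsoft.Capacity"),
]]

if __name__ == "__main__":
    extra, missing = audit(SAMPLE)
    for role, scope in extra:
        print(f"UNEXPECTED  {role} @ {scope}")
    for role in missing:
        print(f"MISSING     {role}")
```

Which roles count as missing depends on the billing method chosen and on whether Auto-RI is enabled, so treat the second list as a prompt to check rather than a failure.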
That's it!
We are done setting up. You can now ask your partner for a tour of CloudHiro and the CloudHiro visualizer.