Summary of Azure Cloud Discovery
Azure Cloud Discovery allows ServiceNow customers to manage their Azure resources by creating a service principal, which grants the MID Server permission to access selected resources. This process simplifies the management of Azure subscriptions through a hierarchical structure known as management groups.
Key Features
Management Groups and Subscriptions: Management groups contain subscriptions, allowing for organized resource management. Discovery can list subscriptions within a management group for selection in a discovery schedule.
Dynamic Credential Management: Discovery utilizes dynamically acquired credentials, eliminating the need for separate credentials for each sub-account. A temporary credential is automatically obtained via an Azure API.
Automatic Refresh: Discovery can refresh the list of sub-accounts and datacenters automatically as part of the discovery schedule.
Service Principal Configuration: Users must create a service principal in Azure and transfer credential values into their ServiceNow instance for authentication.
Tag-Based Discovery: Service Mapping can be configured to utilize discovered components in application services, creating service instance maps that include cloud components.
Key Outcomes
By implementing Azure Cloud Discovery, customers can expect streamlined access to cloud resources, improved security through dynamic credential management, and enhanced visibility into their Azure environment. This integration facilitates efficient cloud resource mapping and management, ultimately leading to better governance and operational management within ServiceNow.
If your cloud resources are in an Azure cloud, you must create a user identity called a service principal that grants permissions to the MID Server to access selected resources.
Azure management groups and subscriptions
An Azure management group contains other management groups and subscriptions. The management groups in an Azure Cloud environment form a hierarchy, but don't contain volumes or virtual machines. Subscriptions contain cloud resources, such as virtual machines. The subscriptions that belong to management groups are called sub-accounts.
The advantages of using management groups are:
Easy population of sub-accounts
After you configure the management group and supply the necessary credentials, you can test the account. If the test succeeds, Discovery returns a list of subscriptions in that management group. From this list, you can choose one or more subscription sub-accounts to include in the Discovery schedule using the management group. For more information on the hierarchy of management groups and subscriptions, see Organize your resources with Azure management groups.
Discovery of sub-account resources using dynamically acquired credentials
When you run Discovery on your subscriptions, you do not need separate credentials for each sub-account. Discovery finds the credentials for the management group and maps them to all of the subscription sub-accounts. The Cloud Discovery process handles credentials automatically by acquiring a temporary credential for each sub-account via an Azure API. You can elect to use the default configuration or customize the MID Server to assume other roles for additional controls and security. In addition, Discovery can automatically refresh the list of sub-accounts and datacenters covered in a discovery schedule. For more information, see the KB article Retrieve newer accounts/sub-accounts automatically via Cloud Discovery.
A service principal for Azure cloud services is similar to a Microsoft Windows service account that enables Windows processes to communicate with each other within an Active Directory domain.
To create the Azure service principal in your ServiceNow instance, copy the service principal credential values from the Azure portal into a text editor, and then transfer those values into the instance.
Figure 1. The text file that you generate during this procedure
This table shows you the Azure Service Principal value and the location in Azure where you can find the values you need for the credentials.

Cloud Provisioning and Governance setting | Azure Service Principal value                       | Location of the Azure value
------------------------------------------|-----------------------------------------------------|----------------------------------------------------------------------
Tenant ID                                 | Azure Directory ID value from the text file.        | Azure Active Directory > Properties > Directory ID
Client ID                                 | Azure Application ID value from the text file.      | Azure Active Directory > App registrations > Registered App.Application ID
Subscription ID                           | Azure Subscription ID associated with the Tenant ID. | Azure Active Directory > Subscriptions > Subscription ID
Verify the REST API Permissions
Download the Cloud Discovery patterns spreadsheet so you can grant the user permissions required for running the Discovery patterns. In addition to permissions, the spreadsheet also includes useful information such as pattern names, types, CI classes, and links to vendor documentation. New patterns are available quarterly, so check periodically to be sure you have the latest version of the spreadsheet.
Data collected by Service Mapping during top-down discovery
To include discovered components in application services, enable the CI relationships used in tag-based discovery by Service Mapping. These CI relationships are available from the 1.0.68 release on the ServiceNow Store. For operational steps, see Tag-based discovery configuration.
Service Mapping uses tag-based discovery to create service instance maps that include the Cloud components. The Service Mapping application comes with the following preconfigured CI relationships used for tag-based discovery.
CI                                              | Relationship     | CI
------------------------------------------------|------------------|----------------------------------------------------
Configuration Item [cmdb_ci]                    | Hosted on::Hosts | Logical Datacenter [cmdb_ci_logical_datacenter]
Logical Datacenter [cmdb_ci_logical_datacenter] | Hosted on::Hosts | Cloud Service Account [cmdb_ci_cloud_service_account]
Table 10. Cloud Public IP Address (cmdb_ci_cloud_public_ipaddress)

CI Attributes     | Azure Attributes
------------------|------------------------------
object_id         | response.id
name              | response.name
public_dns        | properties.dnsSettings.fqdn
public_ip_address | properties.ipAddress
Table 11. Cloud LB IP Address (cmdb_ci_cloud_lb_ipaddress)

CI Attributes  | Azure Attributes
---------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------
object_id      | properties.frontendIPConfigurations.properties.privateIPAddress OR properties.frontendIPConfigurations.properties.publicIPAddress, then call Public IP Address API
name           | properties.frontendIPConfigurations.properties.privateIPAddress OR properties.frontendIPConfigurations.properties.publicIPAddress, then call Public IP Address API
ipaddress_type | properties.frontendIPConfigurations.properties.privateIPAddress ==> Private IP Address OR properties.frontendIPConfigurations.properties.publicIPAddress ==> Public IP Address
status         | Installed
Table 12. Cloud Network Interfaces (cmdb_ci_nic)

CI Attributes | Azure Attributes
--------------|------------------------------------------------------------
object_id     | id
name          | name
private_ip    | properties.ipConfigurations
public_dns    | call Public IP Address API - properties.dnsSettings.fqdn
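The attribute mappings in Tables 10 to 12 are easier to follow as code. The following is an added example, not ServiceNow's discovery pattern code or Microsoft's API client: it maps constructed Azure resource responses onto the CMDB attributes listed above, including the private-versus-public branch for load balancer frontends and the "then call Public IP Address API" step, which is simulated here with a lookup table (PUBLIC_IP_API, PIP_ID and the JSON shapes are assumptions for this example).

```javascript
// Added example (not ServiceNow's or Microsoft's code): maps constructed Azure resource
// responses onto the CMDB attributes in Tables 10-12. The "call Public IP Address API"
// step is simulated by PUBLIC_IP_API, a lookup keyed by the public IP resource id.
const PIP_ID = "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-web" +
  "/providers/Microsoft.Network/publicIPAddresses/web-pip";

// Constructed Public IP Address API response (shape assumed from the table's field paths).
const PUBLIC_IP_API = {
  [PIP_ID]: { id: PIP_ID, name: "web-pip",
    properties: { ipAddress: "203.0.113.10", dnsSettings: { fqdn: "web.example.test" } } },
};

// Table 10: Cloud Public IP Address (cmdb_ci_cloud_public_ipaddress)
function mapPublicIp(response) {
  return {
    object_id: response.id,
    name: response.name,
    public_dns: response.properties?.dnsSettings?.fqdn ?? null,
    public_ip_address: response.properties?.ipAddress ?? null,
  };
}

// Table 11: Cloud LB IP Address (cmdb_ci_cloud_lb_ipaddress), one CI per frontend config.
function mapLbIpAddresses(lb, publicIpApi = PUBLIC_IP_API) {
  return (lb.properties?.frontendIPConfigurations ?? []).map((fe) => {
    const p = fe.properties ?? {};
    let ip, type;
    if (p.privateIPAddress) {              // private frontend: address is inline
      ip = p.privateIPAddress; type = "Private IP Address";
    } else if (p.publicIPAddress?.id) {    // public frontend: resolve via Public IP API
      ip = publicIpApi[p.publicIPAddress.id]?.properties?.ipAddress ?? null;
      type = "Public IP Address";
    } else {
      return null;                         // no address at all: nothing to record
    }
    return { object_id: ip, name: ip, ipaddress_type: type, status: "Installed" };
  }).filter(Boolean);
}

// Table 12: Cloud Network Interfaces (cmdb_ci_nic)
function mapNic(nic, publicIpApi = PUBLIC_IP_API) {
  const cfgs = nic.properties?.ipConfigurations ?? [];
  const privateIps = cfgs.map((c) => c.properties?.privateIPAddress).filter(Boolean);
  const pipRef = cfgs.find((c) => c.properties?.publicIPAddress?.id)?.properties.publicIPAddress.id;
  return {
    object_id: nic.id,
    name: nic.name,
    private_ip: privateIps.join(","),
    public_dns: pipRef ? (publicIpApi[pipRef]?.properties?.dnsSettings?.fqdn ?? null) : null,
  };
}
```

A frontend configuration with neither address is dropped rather than producing a CI with an empty object_id, which is the case a real pattern has to decide on explicitly.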