
Utpal2
ServiceNow Employee

This blog post applies to the Madrid release and above.

Overview

National clouds are physically isolated instances of Azure. These regions are designed to make sure that data residency, sovereignty, and compliance requirements are honored within geographical boundaries.

Currently, Microsoft considers the following isolated regions as National Clouds:

• Microsoft Cloud for US Government
• Microsoft Cloud Germany
• Azure operated by 21Vianet in China

Note that Microsoft Cloud Germany (the standalone region) will be replaced by two new Azure Germany regions that are integrated with the rest of the Azure public cloud. As of this announcement, the timeline for that is Q4 2019.

These are independent "national" clouds that are not connected to the Azure public cloud offering. While they are standalone, the functionality they offer is syntactically and semantically identical to, albeit a subset of, that available in the Azure public cloud environment.

Below are the primary areas of difference between the Azure national clouds and the Azure public cloud:

• Service endpoints
• Authentication mechanism
• Available cloud services

Given the growing demand for Microsoft Azure Government (MAG, aka Azure Gov) and the other Azure national clouds, let's go over how ServiceNow IT Operations Management (ITOM) products integrate with these standalone Azure clouds.

ServiceNow ITOM products have supported the Azure public cloud for a number of years. Support for Azure Gov was introduced in the Madrid release. The other national clouds (Germany and China) use the same mechanism and can be configured using the steps outlined in this blog post.

Caveat: ServiceNow ITOM products have not been officially certified or supported against the Germany and China regions.

Configuration of Azure Gov Cloud

Pre-requisite: An account on the Azure Gov cloud. An Azure Active Directory administrator or Azure administrator role is required to register the application.

ServiceNow release: Madrid or later.

Portal for Azure Gov Cloud: https://portal.azure.us

Setting up Service Principal on Azure Gov Portal

A service principal is the identity an application uses to authenticate to Azure and to receive role assignments. It is analogous to a Microsoft Windows service account, which lets a Windows process act within an Active Directory domain without a human user signing in.

You will need the service principal's credential values to create a service account in ServiceNow for the ITOM products.

The ServiceNow documentation outlines the steps to create a new service principal in Azure in the Create an Azure Service Principal section. At the end of that exercise you will have the values needed to register the service principal in ServiceNow: the directory (tenant) ID, the application (client) ID, and the client secret. These are the ${tenantId}, ${clientId} and ${clientSecret} values referenced by the MID server properties below. The client secret value is displayed only when it is created, so copy it at that point.


IMPORTANT NOTE: In the Azure portal, during the App Registration -> Register an application step, be sure to select the Supported account types radio button Accounts in this organizational directory only (Single tenant). This ensures that only the Azure Active Directory tenant configured for the Gov cloud can authenticate as this application; a multi-tenant registration would accept sign-ins from other directories.

MID server configuration

In order to route traffic correctly between the ServiceNow instance and the Azure Gov cloud, the MID server must be configured with certain properties. Follow the steps below to configure the MID server(s) for Azure Gov cloud access.

1. Open the MID Server record you want to configure.
2. Go to the Capabilities tab, click Edit, and add the following capabilities:

a. Cloud Management
b. Discovery
c. Azure

3. Go to the Properties tab and add the following properties, copying the values exactly as shown. The ${...} tokens are placeholders that the MID server fills in at run time (tenant ID, client ID and client secret come from the credential record); leave them as written.

Name: mid.cmp.azure_api.base_endpoint
Value: https://management.usgovcloudapi.net/${apiPath}

Name: mid.cmp.azure_api.storage.container.path
Value: https://${accountName}.blob.core.usgovcloudapi.net/?comp=list

Name: mid.property.azure_token_manager.endpoint
Value: https://login.microsoftonline.us/${tenantId}/oauth2/token

Name: mid.property.azure_token_manager.endpoint_content
Value: grant_type=client_credentials&client_id=${clientId}&resource=https%3A%2F%2Fmanagement.usgovcloudapi.net%2F&client_secret=${clientSecret}

Name: mid.cmp.azure_api.storage.blob.path
Value: https://${accountName}.blob.core.usgovcloudapi.net/${containerName}?restype=container&include=snapshots&comp=list

Once the MID server(s) are configured and the service principal is set up on the Azure Gov cloud, create Credentials in ServiceNow using the steps outlined in the documentation. To automatically create Service Accounts for the Azure subscriptions that are visible to this service principal, click the Discover Subscriptions UI action. If no subscriptions are found, check the token endpoint and resource values above first: a token requested from the public-cloud authority is not accepted by the Gov management endpoint.
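The following Node.js script is an added example, not code from this post or from ServiceNow's ITOM products. It assembles the client-credentials token request that the mid.property.azure_token_manager properties describe, for each of the national clouds listed on this page (the Germany and China endpoints appear further down), and checks that the access token it gets back was issued for that cloud's management resource rather than the public cloud's. The cloud keys, function names and the sample token are this example's own assumptions; the authority and resource values are the ones in the property tables. It also URL-encodes every form field. The property template pastes ${clientSecret} into the body as written, and this post does not say whether the MID server encodes it, so a client secret containing '&', '=', '+' or '%' is the first thing to check if token requests fail.

```javascript
// Added example, not code from this post or from ServiceNow's ITOM products.
// Builds the client-credentials token request that the
// mid.property.azure_token_manager.* properties describe, for each national
// cloud on this page, and checks that the returned token was issued for that
// cloud's management endpoint. Cloud keys, function names and the sample token
// are assumptions of this example; the endpoint values are the ones in the post.
const CLOUDS = {
  usgov:   { authority: 'https://login.microsoftonline.us', resource: 'https://management.usgovcloudapi.net/' },
  germany: { authority: 'https://login.microsoftonline.de', resource: 'https://management.microsoftazure.de/' },
  china:   { authority: 'https://login.chinacloudapi.cn',  resource: 'https://management.chinacloudapi.cn/' },
};

function cloudConfig(cloud) {
  const c = CLOUDS[cloud];
  if (!c) throw new Error('unknown national cloud: ' + cloud);
  return c;
}

// Token endpoint: mid.property.azure_token_manager.endpoint with ${tenantId} filled in.
function tokenEndpoint(cloud, tenantId) {
  return cloudConfig(cloud).authority + '/' + tenantId + '/oauth2/token';
}

// Form body with the same fields, in the same order, as
// mid.property.azure_token_manager.endpoint_content. Every value is passed
// through encodeURIComponent; the post's template pastes ${clientSecret} in as
// written, so a secret containing '&', '=', '+' or '%' would be mis-parsed by
// the token endpoint unless something encodes it.
function tokenRequestBody(cloud, clientId, clientSecret) {
  const fields = [
    ['grant_type', 'client_credentials'],
    ['client_id', clientId],
    ['resource', cloudConfig(cloud).resource],
    ['client_secret', clientSecret],
  ];
  return fields.map(([k, v]) => k + '=' + encodeURIComponent(v)).join('&');
}

// Decode a JWT payload without verifying it. Only the audience claim is read
// here, as a configuration sanity check; the ARM endpoint verifies the signature.
function jwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// True when the token's audience is the management resource of the requested
// cloud. A token from login.microsoftonline.com for https://management.azure.com/
// fails this check, which is what a MID server left on the public-cloud
// endpoints would produce.
function tokenMatchesCloud(cloud, accessToken) {
  const want = cloudConfig(cloud).resource;
  const aud = jwtPayload(accessToken).aud;
  return aud === want || aud + '/' === want;   // aud may omit the trailing slash
}

// Constructed, unsigned sample token for offline use (alg "none", empty
// signature). A real token from the Gov authority carries these claims plus a
// signature; nothing here accepts such a token for anything but this check.
function makeSampleJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return enc({ alg: 'none', typ: 'JWT' }) + '.' + enc(claims) + '.';
}

if (typeof require !== 'undefined' && require.main === module) {
  const tenant = '00000000-0000-0000-0000-000000000000';   // placeholder tenant ID
  console.log(tokenEndpoint('usgov', tenant));
  console.log(tokenRequestBody('usgov', 'client-id-here', 'secret&with=reserved'));
  const fromGov = makeSampleJwt({ aud: 'https://management.usgovcloudapi.net/' });
  const fromPublic = makeSampleJwt({ aud: 'https://management.azure.com/' });
  console.log('gov token ok:', tokenMatchesCloud('usgov', fromGov));        // true
  console.log('public token ok:', tokenMatchesCloud('usgov', fromPublic));  // false
}
```

Run it with node and compare the first two lines of output against the endpoint and endpoint_content values in the table: with a secret that has no reserved characters they match exactly. The audience check is the part worth keeping at hand when troubleshooting, since a token that decodes to aud https://management.azure.com/ means the MID server is still talking to the public cloud.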

Azure Gov Cloud Billing integration for Cloud Management (requires Enterprise Agreement enrollment)

Azure Gov Cloud subscriptions are typically associated with Enterprise Agreements. Follow the steps outlined in the documentation.

On the Madrid release, make the following change to the MID Server Script Include called AzureBillingProbe. Making this change will not affect Azure Billing for the Azure public cloud.

• As a System Administrator, type MID Server in the left-navigation filter and open Script Includes.
• Search for the script include named AzureBillingProbe.
• Make the following modification:

Replace:
endpoint = endpoint + enrollmentNum + '/usagedetails/download?billingPeriod=' + year + month

With:
endpoint = endpoint + enrollmentNum + '/billingPeriods/' + year + month + '/usagedetails';


Follow the same steps for Azure Germany and Azure China, replacing the Azure Gov specific endpoints with the Azure Germany or Azure China endpoints below. Note that the Germany and China regions have not been certified with ITOM products; the settings are captured here for completeness. Please share your experiences if you happen to give it a try.

Azure Germany

Portal: https://portal.microsoftazure.de

MID Server Capabilities: Cloud Management, Discovery, Azure

MID Server Properties:

Name: mid.cmp.azure_api.base_endpoint
Value: https://management.microsoftazure.de/${apiPath}

Name: mid.cmp.azure_api.storage.container.path
Value: https://${accountName}.blob.core.cloudapi.de/?comp=list

Name: mid.property.azure_token_manager.endpoint
Value: https://login.microsoftonline.de/${tenantId}/oauth2/token

Name: mid.property.azure_token_manager.endpoint_content
Value: grant_type=client_credentials&client_id=${clientId}&resource=https%3A%2F%2Fmanagement.microsoftazure.de%2F&client_secret=${clientSecret}


Azure China

Portal: https://portal.azure.cn

MID Server Capabilities: Cloud Management, Discovery, Azure

MID Server Properties:

Name: mid.cmp.azure_api.base_endpoint
Value: https://management.chinacloudapi.cn/${apiPath}

Name: mid.cmp.azure_api.storage.container.path
Value: https://${accountName}.blob.core.chinacloudapi.cn/?comp=list

Name: mid.property.azure_token_manager.endpoint
Value: https://login.chinacloudapi.cn/${tenantId}/oauth2/token

Name: mid.property.azure_token_manager.endpoint_content
Value: grant_type=client_credentials&client_id=${clientId}&resource=https%3A%2F%2Fmanagement.chinacloudapi.cn%2F&client_secret=${clientSecret}
