Onboard Azure to Yotascale

Yotascale needs access to specific data and services in your Azure account in order to provide cost usage and cost-saving recommendations.

In summary, we need access to:

1. Read your Cost Exports which include detailed cost utilization data

2. Read Azure Advisor recommendations so that we can aggregate them as recommended savings in a per-business context

3. Read Azure Container Insights so that can read your container utilization metrics and can show cost attribution based on utilization and container labels. If you don’t use Container Insights, we can capture cluster metrics via a Yotascale agent (which is based on Prometheus) to capture similar metrics

The summary of steps require to onboard your Azure account to Yotascale are:

1. Enable Exports

2. Create a customer role with the permission needed to read the information mentioned above

3. Create an App Registration with will supervise access

4. Onboard your Azure account to Yotascale in the Yotascale dashboard

This is a table of contents to make it easy to link to specific content:

What you need to do in your Azure Portal to give Yotascale access to Cost Export and Advisor Recommendations

Azure Portal Steps 1/4:
Setup Daily Usage and Purchase Export Files for Actual and Amortized Billing

You need to have Daily Export Files for Usage and Purchase enabled per Subscription so that Yotascale can read your usage and cost details.

For each of your Subscriptions follow these steps to enable the Export Files, in case you have not done it yet.
If you actually already have created Export, but you see an error showing that we cannot read them, then it is because your IAM Role to the Subscription does not allow us to programmatically read from your Export files.

Please make sure you have one of these permission Roles to your Azure Subscription by following these steps.

To create Export files for a Subscription, you can either follow the steps highlighted below or follow the steps from this Azure guide to creating such an Export. 

This needs to be done for both:

• Actual cost (Usage and Purchases) - Select to export standard usage and purchases

• Amortized cost (Usage and Purchases) - Select to export amortized costs for purchases like Azure reservations 

These are the steps to enable the Cost Export Files for all Subscriptions under your Billing Account Scope:

1. Go to your Cost Management and BIlling in your Azure account that you want to onboard with Yotascale
   

   

2. Click on the Billing Account you want to onboard with Yotascale

3. Click on Exports on the left menu at the bottom:

4. 

    

5. Example of what it looks like:
   

   

After you save, you’re done with Export Files. Remember you need to do this for the two types of billing data (Actual and Amortized).

Azure Portal Steps 2/4:
Create an App Registration as the umbrella for the Yotascale access

This is a process that Azure provides to register an external client (application, user) to access your account data. It runs under the Microsoft login/Auth and other endpoints, and will also make it easy to track access for audit or security purposes.

This is the overall Azure guide about the Azure App Registration process.

The steps to create an App to trust Yotascale to read data (Cost Usage Data, Azure Advisor, and Utilization Metrics) are as follows:

1. Search and go to the “App Registrations” page

2. 

   Click on “New registration”

3. Chose the organization directory. This should be the directory that holds the Subscription you want to get cost visibility for. Usually the first choice

4. The name can be anything: For example “YotascaleApp”

5. 

   Click on “Register”

6. You’ll need these parameters (Application/Client ID, Directory/Tenant ID) later to copy and paste them into Yotascale.

7. 

Azure Portal Steps 3/4:
Create a Custom Role to allow specific read access to resources from Yotascale

We will be following this Azure Guide to Creating a Custom Role for an Application.

These are the steps:

1. Search and open your Management Groups page. Link to open in Azure console

2. Select the management group level that you want to see costs in Yotascale.

3. Select “Access control (IAM)”

4. Click on “+ Add” and then on “Add custom role”

   

5. Give it a name, like “YotascaleReader”

6. 

   Click on “JSON” and the “Edit” to start editing

7. 

   Replace the “permissions” section with these “actions”:
   "permissions": [ { "actions": [ "Microsoft.CostManagement/query/action", "Microsoft.CostManagement/exports/read", "Microsoft.Advisor/recommendations/read", "Microsoft.Billing/billingAccounts/read", "Microsoft.ContainerService/containerServices/read", "Microsoft.ContainerService/managedClusters/read" ], "notActions": [], "dataActions": [], "notDataActions": [] } ]

8. It should look like this:

   

9. Click on “Save”

10. Now we need to assign this role to the YotascaleApp we created in Step 2

11. In the search field type “Yotascale” to find the newly created role and then click on “View”

    

12. Click on “Assignments” and then “+ Add assignment”

13. 

    Under “Members” select “+ Select members” and type YotascaleApp (or the name you gave to the App) to add it”

14. Search and select the custom role you just created:

15. 

    Click on “Members” now to assign it to Member, or “Next”

16. Select the App, like “YotascaleApp” and then select the actual App

17. 

    Click on “Review and Assign” and then you’re done with this step

Azure Portal Steps 4/4:

Add IAM role to the Storage Account holding the Cost Exports

1. First, open the Subscription to add a Custom Role associated storage account associated with the Cost Exports

2. Open the Access Control (IAM)

3. 

4. Click with Add Custom Role

5. Give it a name, like “Yotascale”

6. Add this to the JSON permissions:

7. CODE

           "permissions": [
               {
                   "actions": [
                       "Microsoft.Storage/storageAccounts/listkeys/action",
                       "Microsoft.Storage/storageAccounts/read",
                       "Microsoft.Storage/storageAccounts/blobServices/containers/read",
                       "Microsoft.Storage/storageAccounts/blobServices/read"
                   ],
                   "notActions": [],
                   "dataActions": [
                       "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
                   ],
                   "notDataActions": []
               }
           ]

8. Now we need to “Add Assignment” of this role to the Storage Account where you will have the Export files for Yotascale. Open the Storage Account - Access Control (IAM) and then “+ Add” role assignment:
   

   

9. Search for the customer role “Yotascale”. The click to edit and in the “Assignments” search for the Yotascale App registration and add it.

10. 

We also need “Read Only” access to your Billing API so that we can validate that our cost processing is 100% accurate. Please follow these steps:

1. Search for Azure Cost Management + Billing

2. Click on "Cost Management"

3. Click on "Access control"

4. Click to "+ Add" a role

5. Select "Billiing account reader"

6. Type to search for the Yotascale App Registration role (principal). Above we called it YotascaleApp. It will look something like this:

   

What you need to do on the Yotascale dashboard

Now you only need to add the Azure App Registration information as well as the Cost Exports.

1. Login to https://next.yotascale.io

2. Go to “Settings” and then “Cloud Connections”

3. 

   Select “Azure”

4. Select “MCA”

5. Open your portal.azure.com in another tab

6. Navigate to “App registrations”

7. Select the App you created above. YotascaleApp in the example we did above

8. Click on Certificate & secrets

9. Add a “+ new client secret”

10. 

    Copy the Client Secret Value to the Yotascale onboarding screen to the “Client Secret” field

11. The other fields in the Yotascale dashboard are:

    1. 

       (1) copy the “Client Secret” from the previous step

    2. (2) Find the Role ID running this Azure CLI command:
       az role definition list --name YotascaleReader --query "[].{name:name, roleType:roleType, roleName:roleName}" --output tsv
       Please note the name of the Role is what you gave above. if you did not choose YotascaleReader, then enter the name you gave above
       This command will give you the Role ID

    3. (3) and (4) fields are free text. You can type anything that makes sense to you so that you can organize the account later

    4. (5) and (6) fields are copied from the “App registrations” - Overview page
       

       

There is still one step to enter the Cost Export information.

From Azure - “Cost Management and Billing” select your billing scope and then Exports

Then open the Export settings and copy them to Yotascale:
This is an example:

This will be entered for both Cash and Amortized:

You are done. Yotascale will automatically start the process of collecting Azure Exports and Read Advisor data, as well as collect Container Insight metrics if you running AKS with container insights enabled.

Next Steps

After creating the daily export and the secure connection with Yotascale, there are two additional steps:

1. Provide you Azure Account Historical Data. Azure lets you run exports for up to the last 90. Please follow this document to create the historical exports

2. Connect your AKS Clusters to Yotascale: In order to allow Yotascale to provide container cost visibility, we need to collecting container metrics. Please follow the steps in this document to connect your AKS clusters via the prometheus agent.