Overview

Clarity Migrate integrates with both Microsoft Azure and Amazon Web Services (AWS) to discover cloud-hosted infrastructure and import it into the CMDB. This is especially valuable for migration projects where workloads are moving between on-premises and cloud environments — Clarity can hold both source and target assets in the same CMDB, giving the migration team a unified view.

Azure discovery uses the Azure Resource Manager REST API via a Service Principal. AWS discovery uses the AWS SDK with IAM credentials. Both integrations follow the same credential vault and endpoint pattern as the VMware and Nutanix integrations.

  • Multi-Cloud Coverage. Support both Azure and AWS in the same CMDB and track on-prem and cloud assets side by side.
  • Tag Preservation. Azure and AWS tags assigned to resources are preserved as CMDB tags on imported records.
  • Least-Privilege Auth. Azure uses a Service Principal with Reader role only. AWS uses an IAM user with ReadOnlyAccess; no write permissions are needed.
  • Multi-Region (AWS). Specify one or more AWS regions to discover; assets in unspecified regions are not imported.

Prerequisites — Azure

Before configuring the Azure integration

You will need access to your Azure subscription and sufficient Azure AD permissions to create a Service Principal. Ask your Azure administrator if you don't have these permissions.

  • Azure subscription containing the resources you want to discover.
  • Service Principal with Reader role assigned on the subscription (or on specific Resource Groups if you want to scope the discovery). The Service Principal must have the Reader role — it does not need any write permissions.
  • Client ID, Tenant ID, and Client Secret for the Service Principal — obtained when you register the application in Azure AD.
  • Credentials stored in the vault as type Azure before creating the endpoint.

Prerequisites — AWS

Before configuring the AWS integration

You will need access to the AWS Console and IAM permissions to create a user and generate access keys.

  • AWS account with the resources you want to discover.
  • IAM user or role with ReadOnlyAccess policy. The built-in AWS ReadOnlyAccess managed policy is the recommended choice — it grants read access to all services without any write permissions.
  • Access Key ID and Secret Access Key generated for the IAM user.
  • Credentials stored in the vault as type AWS before creating the endpoint.
  • Known target regions. You will specify which AWS regions to discover during endpoint configuration. Have the region codes ready (e.g. us-east-1, eu-west-1).

Configuration — Azure

Follow these steps to configure an Azure integration endpoint.

1. Create a Service Principal in Azure AD

In the Azure Portal, navigate to Azure Active Directory → App registrations → New registration. Register the application, then assign the Reader role on your subscription via Subscriptions → Access control (IAM) → Add role assignment.

Generate a client secret under Certificates & secrets → New client secret. Note down the Client ID, Tenant ID, and Client Secret — you will need these in the next step.

2. Store credentials in the vault

Navigate to Administration → Credentials → Add. Set the Type to Azure, enter the Client ID, Tenant ID, and Client Secret, give it a descriptive name (e.g. Azure-Sub-Prod-Reader), and click Save.

3. Create the Integration Endpoint

Navigate to Integrations → Integration Endpoints → Add Endpoint. Select Type: Azure. Select the stored Azure credential, and enter the Subscription ID you want to discover.

4. Test the connection and save

Click Test Connection. A green banner confirms successful authentication to the Azure Resource Manager API. Click Save to store the endpoint.

5. Run Discovery

Navigate to Integrations → Azure, select the endpoint, and click Run Discovery.
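
A pre-flight check for the Reader-only requirement in step 1, added here as an example (it is not part of Clarity Migrate or its documentation): it audits JSON shaped like the output of `az role assignment list --assignee <client-id> --all -o json` and flags any role other than Reader and any assignment outside the subscription the endpoint targets. The sample data, the placeholder subscription IDs and the function name `audit_assignments` are assumptions made for illustration.

```python
import json

# Constructed sample shaped like `az role assignment list --assignee <client-id> --all -o json`.
# Subscription IDs and the resource group name are placeholders.
SAMPLE = json.loads("""
[
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app1"},
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000002"}
]
""")

ALLOWED_ROLES = {"Reader"}  # the only role the discovery Service Principal needs


def audit_assignments(assignments, subscription_id):
    """Return (findings, can_discover) for the discovery Service Principal.

    can_discover is True when Reader is assigned on the target subscription
    or on a resource group beneath it (the scoped-discovery case).
    """
    prefix = f"/subscriptions/{subscription_id}".lower()
    findings, can_discover = [], False
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"].lower()
        in_sub = scope == prefix or scope.startswith(prefix + "/")
        if role not in ALLOWED_ROLES:
            findings.append(f"excess role {role} at {a['scope']}")
        elif not in_sub:
            # Covers other subscriptions as well as broader scopes
            # such as management groups or the root scope.
            findings.append(f"Reader outside the target subscription at {a['scope']}")
        else:
            can_discover = True
    if not can_discover:
        findings.append("no Reader assignment on or under the target subscription")
    return findings, can_discover
```

An empty findings list with `can_discover` set to True is the state to reach before clicking Test Connection.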

Configuration — AWS

Follow these steps to configure an AWS integration endpoint.

1. Create an IAM user with ReadOnlyAccess

In the AWS Console, navigate to IAM → Users → Create user. Attach the ReadOnlyAccess managed policy. Under Security credentials, click Create access key and note the Access Key ID and Secret Access Key.

2. Store credentials in the vault

Navigate to Administration → Credentials → Add. Set the Type to AWS, enter the Access Key ID and Secret Access Key, give it a descriptive name (e.g. AWS-Prod-ReadOnly), and click Save.

3. Create the Integration Endpoint

Navigate to Integrations → Integration Endpoints → Add Endpoint. Select Type: AWS. Select the stored AWS credential. Enter the Region(s) you want to discover (e.g. us-east-1, eu-west-1). Multiple regions can be comma-separated.

4. Test the connection and save

Click Test Connection to verify the credentials and API connectivity. Click Save to store the endpoint.

5. Run Discovery

Navigate to Integrations → AWS, select the endpoint, and click Run Discovery.
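
The matching check for the AWS steps, added here as an example (not Clarity Migrate code): it audits JSON shaped like the output of `aws iam list-attached-user-policies`, `aws iam list-user-policies` and `aws iam list-access-keys`, then compares the endpoint's comma-separated region field against the regions known to hold assets. The user name, key IDs, sample data and function names are assumptions made for illustration.

```python
READONLY_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"

# Constructed samples shaped like the AWS CLI JSON output of the three
# `aws iam` commands named above; user name and key IDs are placeholders.
ATTACHED = {"AttachedPolicies": [
    {"PolicyName": "ReadOnlyAccess", "PolicyArn": READONLY_ARN},
    {"PolicyName": "AmazonS3FullAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"}]}
INLINE = {"PolicyNames": []}
KEYS = {"AccessKeyMetadata": [
    {"UserName": "clarity-discovery", "AccessKeyId": "AKIAEXAMPLEOLDKEY001",
     "Status": "Inactive"},
    {"UserName": "clarity-discovery", "AccessKeyId": "AKIAEXAMPLENEWKEY002",
     "Status": "Active"}]}


def audit_iam_user(attached, inline, keys, vaulted_key_id):
    """Return findings for the discovery IAM user; an empty list means clean."""
    findings = []
    arns = {p["PolicyArn"] for p in attached["AttachedPolicies"]}
    if READONLY_ARN not in arns:
        findings.append("ReadOnlyAccess is not attached")
    for arn in sorted(arns - {READONLY_ARN}):
        findings.append(f"extra managed policy attached: {arn}")
    for name in inline["PolicyNames"]:
        findings.append(f"inline policy needs review: {name}")
    # The key stored in the vault must exist on this user and be Active.
    status = {k["AccessKeyId"]: k["Status"] for k in keys["AccessKeyMetadata"]}
    if vaulted_key_id not in status:
        findings.append("vaulted access key does not belong to this user")
    elif status[vaulted_key_id] != "Active":
        findings.append(f"vaulted access key is {status[vaulted_key_id]}")
    return findings


def uncovered_regions(endpoint_regions, regions_with_assets):
    """Regions that hold assets but are missing from the endpoint's region field."""
    configured = {r.strip().lower() for r in endpoint_regions.split(",") if r.strip()}
    return sorted(set(regions_with_assets) - configured)
```

Only policies attached directly to the user are covered; permissions inherited through IAM groups need a separate pass over `aws iam list-groups-for-user`.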

Running a Discovery

Once an endpoint is configured for Azure or AWS, discovery runs follow the same pattern as other integrations. A progress bar shows import status, and results are logged in Integrations → History with counts per object type and any error messages.

What Gets Imported — Azure

The following Azure resources are discovered and imported into the Clarity CMDB:

| Source Object | CMDB Asset Type | Notes |
|---|---|---|
| Azure VM | Device | VM name, size (SKU), OS, region, power state, private/public IP, and all Azure tags. |
| Resource Group | Tag on Device | The Resource Group name is captured as a tag on each imported VM and resource. |
| Virtual Network | Network | VNet name, address space, region, and subscription. |
| Subnet | Subnet | Subnet name, CIDR range, and parent VNet reference. |
| Storage Account | Storage | Storage account name, type (LRS/GRS/ZRS), tier, and region. |

What Gets Imported — AWS

The following AWS resources are discovered and imported into the Clarity CMDB:

| Source Object | CMDB Asset Type | Notes |
|---|---|---|
| EC2 Instance | Device | Instance name (from Name tag), instance type, AMI ID, region, state, private/public IPs, and all EC2 tags. |
| VPC | Network | VPC name (from Name tag), CIDR block, region, and VPC ID. |
| Subnet | Subnet | Subnet name, CIDR range, availability zone, and parent VPC reference. |
| S3 Bucket | Storage | Optional; enable in endpoint settings. Imports bucket name, region, and storage class. |
| EBS Volume | Storage | Volume name, type (gp2/gp3/io1 etc.), size in GB, state, and attached instance. |

Scheduling

Set up recurring background jobs to keep cloud inventory in sync:

  1. Navigate to Administration → Background Jobs.
  2. Find Integration Sync — Azure or Integration Sync — AWS.
  3. Set the desired schedule and select the endpoint(s) to include.
  4. Save the job.

Cloud environments change frequently — a daily discovery schedule is recommended for active migration projects.

Example Workflow

Real-world example
Unified source and target inventory for a lift-and-shift to Azure

A migration project is moving 50 on-premises servers to Azure. Before planning begins, an admin connects both the VMware integration (source environment) and the Azure integration (target environment).

The Azure discovery imports 320 existing Azure VMs across 12 Resource Groups, all virtual networks, and storage accounts. The VMware discovery imports the 50 source VMs from the on-premises vCenter.

With both environments in the same CMDB, the migration team can now see source VMs and their planned target Azure infrastructure side by side. They build move groups that reference both the source VM (from VMware) and the target Azure region and Resource Group — making the Nutanix Move or manual migration plan far easier to construct and validate.

Tips

Import both source and target environments

Having source (on-premises) and target (cloud) assets in the same CMDB is one of the most powerful features of Clarity Migrate. Always connect both environments at the start of a migration project.

  • Tag assets in Azure/AWS before importing. Tags applied in Azure or AWS are preserved as CMDB tags. Tagging by environment, application, or business unit before running discovery means those labels arrive automatically in the CMDB.
  • Use Azure Resource Groups as an organisational filter. When browsing imported Azure assets in the CMDB, filter by the Resource Group tag to quickly see all assets belonging to a specific application or team.
  • For AWS, specify all relevant regions. Regions must be listed explicitly in the endpoint configuration. Assets in unlisted regions will not be imported. If you're unsure which regions to include, check with the AWS account owner or use the AWS Console to confirm where resources are deployed.
  • Scope Azure endpoints to specific subscriptions. If your Azure estate spans multiple subscriptions, create one endpoint per subscription. This keeps discovery logs clean and makes it easy to re-run discovery for a single subscription independently.

Common Mistakes & Troubleshooting

  • Using a Service Principal with Owner or Contributor permissions (Azure). Only the Reader role is required. Assigning higher permissions is unnecessary and a security risk. If the Test Connection shows an authorisation error, verify the Service Principal has the Reader role on the subscription — not just on the Azure AD tenant.
  • Forgetting to specify all AWS regions. AWS resources are region-scoped. If you only specify us-east-1 but have assets in eu-west-1, those assets simply won't appear in the discovery results. Check which regions your AWS estate spans and list all active regions in the endpoint configuration.
  • Not storing credentials in the vault before creating the endpoint. As with all Clarity integrations, credentials must be added to the vault first. Attempting to save an endpoint with no credential selected will fail validation.
  • Client Secret expiry (Azure). Azure Service Principal client secrets have a configurable expiry (default 1–2 years). When the secret expires, the integration will start failing. Set a reminder to rotate the secret before expiry and update the credential in the Clarity vault.
  • AWS IAM user access keys not enabled. Newly created IAM users may have access keys in a disabled state. Verify the access key is active in the AWS Console under IAM → Users → Security credentials before testing the connection.
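
For the client secret expiry item above, a rotation check added here as an example (not part of Clarity Migrate): it reads JSON shaped like the output of `az ad app credential list --id <client-id> -o json` and classifies each secret as expired, due for rotation, or ok. The secret names, key IDs, dates, the 30-day warning window and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample shaped like `az ad app credential list --id <client-id> -o json`.
SECRETS = [
    {"displayName": "clarity-2025", "keyId": "22222222-2222-2222-2222-222222222222",
     "endDateTime": "2025-07-01T09:00:00.1234567Z"},
    {"displayName": "clarity-2023", "keyId": "11111111-1111-1111-1111-111111111111",
     "endDateTime": "2025-01-10T09:00:00Z"},
]
# Fixed "current time" so the sample gives a repeatable result.
SAMPLE_NOW = datetime(2025, 6, 11, 9, 0, tzinfo=timezone.utc)


def parse_graph_time(value):
    """Parse a Graph-style timestamp: drop fractional seconds, map 'Z' to UTC."""
    value = re.sub(r"\.\d+", "", value).replace("Z", "+00:00")
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def secret_report(secrets, now, warn_days=30):
    """Return (name, state, days_left) per secret, soonest expiry first."""
    report = []
    for s in secrets:
        days = (parse_graph_time(s["endDateTime"]) - now).days
        state = "expired" if days < 0 else "rotate-soon" if days < warn_days else "ok"
        report.append((s["displayName"], state, days))
    return sorted(report, key=lambda r: r[2])
```

Run on a schedule with `datetime.now(timezone.utc)` as `now`, a `rotate-soon` result is the cue to create a new secret and update the credential in the Clarity vault.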