Setup inCloud Managed with Azure
Note: groundcover inCloud is available only to users subscribed to one of our paid plans.
groundcover inCloud is a managed enterprise solution for installing groundcover’s observability infrastructure in a customer-owned cloud environment.
To set up groundcover inCloud, you need to create an isolated subscription within your Azure organization. groundcover's control plane will automatically manage the project resources, establishing, configuring, and maintaining the infrastructure and workloads within the subscription. These include Azure Managed Groups, VNet, AKS, and LB services.
groundcover Control-Plane is a secure reconciliation controller designed to manage enterprise inCloud infrastructure environments. It is compliant with ISO-27001 and SOC-2 standards.
The control plane can securely access the isolated subscription's service principal within the customer organization using a cross-tenant federation chain. It is important to note that the inCloud setup does not require access to customer production data or workloads and is not granted such access.
Create a new Azure subscription called groundcover-incloud (suggested name) for groundcover deployment.
Step 2: Install the groundcover-managed application into the Azure tenant containing the subscription
Select "Tenant Properties" in Azure Portal
Copy the tenant ID (this information will be used later in the guide)
Paste the tenant ID into the following link, replacing <TENANT_ID> with the copied value.
https://login.microsoftonline.com/<TENANT_ID>/oauth2/authorize?client_id=81c2dd72-dd18-442e-a2bb-546c00fe63dd&response_type=code&redirect_uri=https%3A%2F%2Fgroundcover.com
Follow the OAuth2 link from a privileged browser session.
You will be presented with a permission request screen. Check the "Accept for the organisation" box and click "Accept".
Step 3: Grant the application access to groundcover-incloud subscription
From https://portal.azure.com/#home search for "Subscription".
Pick the groundcover-incloud subscription and choose "Access Control (IAM)".
Choose "Add > Role Assignment".
On the roles screen, select "Privileged administrator roles", pick the Owner role and click "Next".
On the Members screen, click "Select Members".
A popup modal should appear, allowing you to add new member permissions to the subscription.
Search for groundcover-managed.
Select the service principal and click "Select".
groundcover-managed now appears in the list of members that are able to gain permissions on the subscription object. Click "Next".
Click "Review and Assign".
After completing the previous steps, share the <TENANT_ID> and <SUBSCRIPTION_ID> (created in the previous steps) with your dedicated integration manager at groundcover.
At this stage, our automation kicks in. Please allow approximately 2 hours for the initial reconciliation loop to stabilize.
Once stabilized, your integration manager will share with you (using a private channel) the incloud-values.yaml that should be used during sensor deployment on production workload, in the following manner:
Please see API Key Secret for additional information.
You can now log in to app.groundcover.com to use groundcover Managed inCloud, with total data control and privacy.
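To confirm that Step 3 gave groundcover-managed the Owner role on the groundcover-incloud subscription and nothing outside it, the following added example (not part of groundcover's documentation) audits role-assignment JSON shaped like the output of `az role assignment list --all --output json`. The subscription ID, the service principal object ID and the sample assignments are constructed placeholders.

```python
import json

SUB_ID = "11111111-1111-1111-1111-111111111111"  # placeholder: groundcover-incloud subscription ID
SP_ID = "99999999-9999-9999-9999-999999999999"   # placeholder: object ID of groundcover-managed

# Constructed sample shaped like `az role assignment list --all --output json`.
SAMPLE = json.dumps([
    {"principalId": SP_ID, "roleDefinitionName": "Owner",
     "scope": "/subscriptions/" + SUB_ID},
    {"principalId": SP_ID, "roleDefinitionName": "Reader",
     "scope": "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/prod-rg"},
    {"principalId": SP_ID, "roleDefinitionName": "Contributor",
     "scope": "/providers/Microsoft.Management/managementGroups/corp"},
    {"principalId": "33333333-3333-3333-3333-333333333333",
     "roleDefinitionName": "Owner", "scope": "/"},
])


def norm(scope):
    """Azure resource IDs compare case-insensitively; drop any trailing slash."""
    return scope.rstrip("/").lower()


def in_subscription(scope, sub_id):
    """True if scope is the subscription itself or a resource beneath it."""
    root = norm("/subscriptions/" + sub_id)
    return norm(scope) == root or norm(scope).startswith(root + "/")


def audit(assignments_json, principal_id, sub_id):
    """Return (owner_on_subscription, out_of_scope) for one principal."""
    owner_on_sub, out_of_scope = False, []
    for a in json.loads(assignments_json):
        if a.get("principalId", "").lower() != principal_id.lower():
            continue
        role, scope = a.get("roleDefinitionName", ""), a.get("scope", "")
        if not in_subscription(scope, sub_id):
            # Root, management-group and other-subscription scopes reach
            # beyond the isolated subscription, so report them.
            out_of_scope.append((role, scope))
        elif role == "Owner" and norm(scope) == norm("/subscriptions/" + sub_id):
            owner_on_sub = True  # the assignment made in Step 3
    return owner_on_sub, out_of_scope


if __name__ == "__main__":
    ok, extra = audit(SAMPLE, SP_ID, SUB_ID)
    print("Owner on groundcover-incloud:", ok)
    for role, scope in extra:
        print("unexpected:", role, "at", scope)
```

An empty out-of-scope list is the expected result for the isolated setup this guide describes; any entry there is an assignment that reaches beyond the groundcover-incloud subscription.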