Azure Satellite
Discover the cloud resources provisioned within a Microsoft Azure subscription and roll them into the CMDB.
Microsoft Azure
Azure resources brought into the CMDB
- Virtual machines, disks, VNICs & images
- Virtual networks & load balancers
- Blob & file storage
- SQL Database
- Metrics from Azure Monitor (60+ available)
- Cost & usage and backups
- Recommendations & announcements
- Support tickets & app registration expirations
Deploy in minutes from the Azure Marketplace
The preferred path is the Azure Marketplace appliance — a pre-built image with the Satellite and all of its tools already installed. You can also launch it through CMDB-360 LaunchPad or install it on any supported Linux VM.
Azure Marketplace appliance
Cloud appliance maintained in the Azure Marketplace catalog. Choose your subscription and region and deploy — the simplest, preferred option.
CMDB-360 LaunchPad
Launch one or many satellites as Docker containers from a single LaunchPad host that integrates automatically with the Base Station portal.
Linux VM installer
Install on any x86 or ARM Linux VM with the graphical Installer or AutoInstaller. For Azure, a Standard_B2als_v2 (2 vCPU, 4 GB RAM) is a good fit.
We recommend deploying the Satellite inside the customer’s Azure subscription so sensitive data stays within their environment — each Satellite maps to a single subscription. Because it uses the public Azure REST API, it can also run anywhere with outbound internet access. Minimum footprint: 1 vCPU, 4 GB RAM, 20 GB disk, and no inbound ports are required.
A simple two-step setup
Add the Satellite in your Base Station, then grant it read-only access to the subscription. Configuration can be pushed from the Base Station portal or run on the instance with the ConfigTool.
1 · Connect to the Base Station
Create the Azure Satellite in your CMDB-360 Base Station, then push its configuration from the portal (recommended) — or run the on-instance ConfigTool with your Base Station host (SSL port 443 by default) and the Satellite’s access token.
2 · Grant read-only Azure access
Register an application (service principal) in Microsoft Entra and assign the built-in Reader RBAC role at the subscription scope. Scope it to specific resource groups with a custom role if you only want to expose part of the subscription.
The service-principal credentials are written to an AES-encrypted config file that only the Satellite software can decrypt — safe to store on disk and unreadable even to the root user. Discovery of any resource type can be disabled from the Satellite scheduler, so it only ever sees what you choose to expose.
How the Azure Satellite protects data
The Azure Satellite runs inside the Microsoft Azure environment and sends only non-sensitive resource rosters and metadata to the CMDB-360 Base Station. Detailed information is streamed on demand and only while a user is viewing a record — nothing sensitive is stored outside the environment.