Assign Managed Identities
F5 NGINXaaS for Azure (NGINXaaS) leverages a user assigned and a system assigned managed identity for some of its integrations with Azure, such as:
- Azure Key Vault (AKV): fetch SSL/TLS certificates from AKV to your NGINXaaS deployment, so that they can be referenced by your NGINX configuration.
- Azure Monitor: publish metrics from your NGINX deployment to Azure Monitor.
- Azure Storage: export logs from your NGINX deployment to Azure Blob Storage Container.

- A user assigned or a system assigned managed identity. If you are unfamiliar with managed identities for Azure resources, refer to the Managed Identity documentation from Microsoft.
- Owner access on the resource group or subscription to assign the managed identity to the NGINX deployment.

- Go to your NGINXaaS for Azure deployment.
- Select Identity in the left menu, select the User Assigned tab, and select Add.
- Select the appropriate subscription and user assigned managed identity, then select Add.
NGINXaaS supports adding a system assigned managed identity and a user assigned managed identity. Adding more than one user assigned managed identity is not supported.
- The added user assigned managed identity will show up in the main table.

- Select the managed identity you want to remove from the list and then select Remove.
- Confirm the operation by selecting Yes on the confirmation prompt.

- Go to your NGINXaaS for Azure deployment.
- Select Identity in the left menu, select the System Assigned tab, and then toggle the Status to On.
- Select Save.
- To confirm the operation, select Yes on the confirmation prompt.
NGINXaaS supports using only one type of managed identity per deployment at a time. User assigned and system assigned identities cannot be present simultaneously.
- To provide the role assignments necessary for the deployment, select Azure Role Assignments under Permissions.
- Select Add Role Assignments.
- On the Add role assignment (Preview) panel, select the appropriate Scope and Role. Then select Save.
- The system assigned managed identity will be shown as enabled on the main Identity page.

- Select Identity in the left menu, then select the System assigned tab.
- Toggle the Status to Off and select Save.
- Confirm the operation by selecting Yes on the confirmation prompt.

Removing a Managed Identity from an NGINX deployment has the following effects:
- If the NGINX deployment uses any SSL/TLS certificates, then any updates to the deployment (including deployment properties, certificates, and configuration) will result in a failure. If the configuration is updated not to use any certificates, then those requests will succeed.
- If publishing metrics is enabled for the NGINX deployment, then the metrics will no longer be published to Azure Monitor for this deployment until a Managed Identity is added.
- If logging is enabled for the NGINX deployment, then the logs will no longer be exported to the Azure Blob Storage Container for this deployment until a Managed Identity is added.
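
The identity limits and the removal effects described above can be checked before a change is applied. The following Python preflight check is an added example, not code from F5 or Microsoft. It assumes the deployment is described as a dict with the standard ARM `identity` block plus a hypothetical `features` block that the caller fills in, and all sample values are constructed.

```python
# Finding codes and what they mean, taken from the limits and effects on this page.
MESSAGES = {
    "BOTH_TYPES": "system and user assigned identities are both present",
    "MULTIPLE_USER": "more than one user assigned identity is listed",
    "CERT_UPDATES_FAIL": "no identity: deployment updates fail while certificates are in use",
    "METRICS_STOP": "no identity: metrics are not published to Azure Monitor",
    "LOGS_STOP": "no identity: logs are not exported to Azure Blob Storage",
}

def identity_findings(resource):
    """Return the list of finding codes for one deployment description."""
    ident = resource.get("identity") or {}
    # ARM writes the type as "SystemAssigned", "UserAssigned",
    # "SystemAssigned, UserAssigned" or "None".
    types = {t.strip().lower() for t in (ident.get("type") or "None").split(",")}
    types -= {"none", ""}
    user_ids = ident.get("userAssignedIdentities") or {}
    findings = []
    if {"systemassigned", "userassigned"} <= types:
        findings.append("BOTH_TYPES")
    if len(user_ids) > 1:
        findings.append("MULTIPLE_USER")
    if not types:
        # "features" is a hypothetical block, not part of the ARM resource.
        features = resource.get("features") or {}
        if features.get("uses_certificates"):
            findings.append("CERT_UPDATES_FAIL")
        if features.get("metrics_enabled"):
            findings.append("METRICS_STOP")
        if features.get("logs_enabled"):
            findings.append("LOGS_STOP")
    return findings

# Constructed samples; the identity resource IDs are placeholders.
UAI = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/"
BAD_MIX = {"identity": {"type": "SystemAssigned, UserAssigned",
                        "userAssignedIdentities": {UAI + "id-a": {}, UAI + "id-b": {}}}}
NO_IDENTITY = {"identity": {"type": "None"},
               "features": {"uses_certificates": True, "logs_enabled": True}}
SYSTEM_ONLY = {"identity": {"type": "SystemAssigned"},
               "features": {"uses_certificates": True, "metrics_enabled": True}}

if __name__ == "__main__":
    for name, res in [("bad-mix", BAD_MIX), ("no-identity", NO_IDENTITY), ("system-only", SYSTEM_ONLY)]:
        for code in identity_findings(res) or ["OK"]:
            print(name, code, MESSAGES.get(code, ""))
```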