Connect a cloud

Add a read-only connection to AWS, Azure, or Google Cloud. VNet IQ never gets write access — it reads your network metadata and maps it automatically.

Before you start

Plan: Any plan (cloud limits apply). Role: Editor or Owner.

Every connection uses a read-only role you create in your own cloud and hand to VNet IQ. Open the dialog the same way for all three providers:

  1. In the left sidebar, click Connections.
  2. Click Add connection (top right).
  3. Pick a provider tab — Azure, AWS, or GCP — then follow the matching section below.

How many clouds can I connect?

Free and Starter cover one cloud; Pro covers two; Pro Plus covers all three; Enterprise is unlimited. AWS and GCP are newer and carry a Beta badge in the app. Multiple clouds can live in one workspace.

Azure

You'll create a service principal with the built-in Reader role on the subscriptions you want VNet IQ to see, then paste its IDs into the app.

1. Create the read-only service principal (in Azure)

az ad sp create-for-rbac \
  --name "vnetiq-reader" \
  --role "Reader" \
  --scopes "/subscriptions/<your-subscription-id>"

# returns JSON: map appId -> Client ID, password -> Client Secret, tenant -> Tenant ID

For multiple subscriptions, pass several scopes in one command: --scopes "/subscriptions/A" "/subscriptions/B". You can also create the App registration in the Azure portal.

2. Add it in VNet IQ

  1. On the Azure tab, fill in Display name (e.g. "Prod Azure"), Tenant ID, Client ID (App ID), and Client secret.
  2. Click Add connection.

The connection starts as pending. VNet IQ lists your subscriptions to validate access, then flips to Active (or Auth failed if the credentials are wrong, or Duplicate scope if a subscription is already covered by another connection). On success, a first sync runs automatically.

AWS (Beta)

AWS uses a customer-managed read-only IAM role created by a CloudFormation template. The role can only be assumed by VNet IQ's scanner, and only with your connection's unique External ID.

1. Start the connection (in VNet IQ)

  1. On the AWS tab, enter a Display name (e.g. "Production AWS account").
  2. Click Start AWS connection. VNet IQ generates a one-time External ID and shows the next step.

2. Deploy the read-only role (in AWS)

# VNet IQ pre-fills this command in the wizard with your one-time External ID.
# Copy it from Step 1 (or download the template and upload it in the AWS console).
curl -fsSLO https://app.vnetiq.com/aws/vnetiq-reader-role.cf.yaml

aws cloudformation deploy \
  --template-file vnetiq-reader-role.cf.yaml \
  --stack-name vnetiq-reader-<external-id-prefix> \
  --parameter-overrides ExternalId=<your-external-id> \
  --capabilities CAPABILITY_NAMED_IAM

# then read the role ARN from the stack's Outputs tab

Prefer the console? Download the template, open CloudFormation → Create stack → Upload a template file, set the stack name and paste your External ID, acknowledge the IAM capability, and create the stack (~30 seconds).

3. Paste the role ARN (in VNet IQ)

  1. Copy the RoleARN from the stack's Outputs tab (it looks like arn:aws:iam::111122223333:role/vnetiq-reader).
  2. Paste it into the Role ARN field and click Complete connection.

What the role grants

Exactly eight read-only actions — ec2:DescribeRegions, DescribeVpcs, DescribeSubnets, DescribeVpcPeeringConnections, DescribeRouteTables, DescribeNatGateways, DescribeTransitGatewayVpcAttachments, and networkmanager:ListAttachments. No write access, nothing outside networking.
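An added check, not VNet IQ's own code, for verifying that the deployed role still matches what this page describes: the trust policy must require your External ID and not be open to any principal, and the permissions policy must contain nothing beyond the eight actions above. Fetch the real documents with aws iam get-role and aws iam get-role-policy; the sample documents below are constructed, and the 111122223333 account stands in for VNet IQ's scanner account, which this page does not state.

```python
# The eight actions the page lists for the vnetiq-reader role; anything else is a finding.
ALLOWED_ACTIONS = {
    "ec2:DescribeRegions", "ec2:DescribeVpcs", "ec2:DescribeSubnets",
    "ec2:DescribeVpcPeeringConnections", "ec2:DescribeRouteTables",
    "ec2:DescribeNatGateways", "ec2:DescribeTransitGatewayVpcAttachments",
    "networkmanager:ListAttachments",
}

def _as_list(v):
    # IAM documents allow a single string where a list is also accepted.
    return v if isinstance(v, list) else [v]

def check_trust_policy(doc):
    """Findings for the AssumeRole trust policy: open principal or missing External ID."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or principal.get("AWS") == "*":
            findings.append("trust policy allows any AWS principal")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            findings.append("AssumeRole statement has no sts:ExternalId condition")
    return findings

def check_permissions(doc):
    """Every Allow action outside the read-only allow-list (wildcards count as drift)."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"unexpected action: {action}")
    return findings

# Constructed sample documents (not the real template); account ID and External ID are placeholders.
TRUST_OK = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "<your-external-id>"}}}]}
TRUST_NO_EXTERNAL_ID = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "sts:AssumeRole"}]}
PERMS_OK = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
  "Action": sorted(ALLOWED_ACTIONS)}]}
PERMS_DRIFTED = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
  "Action": sorted(ALLOWED_ACTIONS) + ["ec2:CreateRoute"]}]}

if __name__ == "__main__":
    print("trust:", check_trust_policy(TRUST_NO_EXTERNAL_ID) or "ok")
    print("perms:", check_permissions(PERMS_DRIFTED) or "ok")
```

Run it against the live documents whenever the stack is updated; any non-empty list means the role no longer matches the read-only contract this page describes.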

Google Cloud (Beta)

GCP uses a service-account key with two read-only permissions. The recommended path is a minimal custom role:

1. Create the service account, role, and key (in GCP)

gcloud iam service-accounts create vnetiq-reader --project=YOUR_PROJECT_ID

gcloud iam roles create vnetiq_reader --project=YOUR_PROJECT_ID \
  --title="VNet IQ Reader" \
  --permissions=compute.networks.list,compute.subnetworks.list

gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:vnetiq-reader@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
  --role="projects/YOUR_PROJECT_ID/roles/vnetiq_reader"

gcloud iam service-accounts keys create vnetiq-key.json \
  --iam-account=vnetiq-reader@YOUR_PROJECT_ID.iam.gserviceaccount.com

If custom-role creation is restricted, bind the predefined roles roles/compute.networkViewer and roles/browser instead. VNet IQ only ever calls compute.networks.list and compute.subnetworks.list.

2. Add it in VNet IQ

  1. On the GCP tab, enter a Display name.
  2. Upload vnetiq-key.json (or click Paste JSON instead and paste its contents).
  3. Click Add GCP connection.

VNet IQ validates and probes the project in the same request, so the row appears already Active (or Auth failed). The first sync runs within a few seconds.

After you connect

A first sync runs automatically and your VPCs, VNets, subnets, and address spaces show up under Networks, Pools, and the Topology view. The Connections page shows a status badge per connection and (on Pro and above) a per-connection sync history.

Gotchas

AWS: the External ID is unique per connection — don't reuse a command between connections. The role must be named exactly vnetiq-reader.
GCP: the project_id inside the key JSON is the source of truth (the display name is cosmetic) — uploading the wrong project's key shows the wrong VPCs with no error. The Compute Engine API must be enabled, or the probe reads as "permission denied".
Azure: a typo in the tenant/secret lands the connection in Auth failed — fix it via the Edit dialog (leave the secret blank to keep the existing one).

To revoke at any time, delete the connection in VNet IQ and remove the role/service principal in your cloud.
