Phase 1: Prerequisites for Customer Managed Tenant
Scope
This guide focuses on both initial setups and subsequent advanced configurations within Azure environments to prepare for the deployment of the Unique application. It covers prerequisites and configurations essential for ensuring infrastructure, security measures, and operational tools are correctly established. The checklist includes steps for understanding Azure services, setting up identity and access management, configuring network and compute resources, and implementing monitoring and analytics solutions. The goal is to ensure a smooth, secure, and compliant deployment process for the Unique application.
Audience
This guide is intended for IT administrators and cloud architects responsible for setting up and securing Azure environments for deploying the Unique application. It provides a structured framework to follow, ensuring all necessary infrastructure, security measures, and operational tools are correctly established for a smooth and secure implementation.
Introduction
Purpose: This guide is designed to assist clients in efficiently preparing their Azure environments for the deployment of the Unique application. It serves to ensure that all necessary preconditions and setups are comprehensively addressed to facilitate a smooth and secure implementation process.
Scope: The checklist detailed herein focuses on both initial setups and subsequent advanced configurations, primarily within Azure environments. It guides through the preparatory steps required to deploy Unique, emphasizing security and functional integrity in various deployment stages.
Audience: This document is intended for IT administrators and cloud architects tasked with setting up and securing Azure environments in anticipation of deploying Unique. It provides them with a structured framework to follow, ensuring that every aspect of the environment and security setup aligns with best practices tailored to support the Unique application effectively.
General Understanding and Preparation
This section is designed to ensure that all teams involved in the deployment of Unique have a foundational understanding of the necessary preparations and are equipped to handle the complexities associated with setting up Unique in an Azure environment. Proper preparation will minimize potential issues and expedite the deployment process.
Disclaimer: Support Limitations for ClickOps Configurations
Please note that if ClickOps is utilized instead of Infrastructure as Code (IaC) or automation for setting up Unique environments, support from Unique may be limited. Unique's support is tailored for environments managed through codified and automated configurations, ensuring predictable and reproducible setups. Using ClickOps can lead to configurations that deviate from these standards, thereby restricting our ability to provide effective support or troubleshoot issues. Clients using ClickOps should be aware of these limitations and are encouraged to adopt IaC or automated processes to fully leverage Unique's support capabilities.
Below you can see a summary of required knowledge prerequisites:
Comprehensive Understanding of Azure Resources
Role-Based Access Control (RBAC): Ensure that all team members understand the importance of RBAC in managing access to Azure resources. Familiarity with Azure's RBAC permissions system is crucial for securing the deployment environment. Azure RBAC Documentation, Terraform Azure RM Provider - RBAC
Azure Resource Management: Proficiency in managing Azure resources through automation is critical. Teams should move away from ClickOps to ensure configurations are reproducible and manageable at scale. Azure Automation, Terraform Azure RM Provider
Networking Proficiency
Azure Networking Components: Teams must have a strong grasp of Azure networking components such as public IPs, Application Gateways, Virtual Networks, and Network Security Groups. Understanding how these components interact is key to securing and optimizing the environment. Azure Networking Documentation, Terraform Azure RM Provider - Networking
Custom Network Configurations: For clients using custom networking solutions, it is important to have detailed documentation and a deep understanding of how these custom setups integrate with the standard deployment architecture. Custom Azure Networking Solutions
Security and Compliance
Data Security: Understand the implications of using custom certificates and how to integrate them within Azure. This includes managing custom Certificate Authorities and ensuring that all security measures align with organizational policies. Manage Certificates in Azure
Compliance Requirements: Be aware of the compliance requirements that affect the deployment, including those related to data handling, privacy, and interactions with external networks. Azure Compliance Documentation
Kubernetes and Container Management
Azure Kubernetes Service (AKS): Gain in-depth knowledge of AKS and its dependencies, such as Managed Prometheus and Grafana, Virtual Machine Scale Sets, and storage options. AKS Documentation, Terraform Azure RM Provider - AKS
Container Orchestration: Ensure familiarity with container orchestration tools including Helm, Helmfile, and kubectl. Understand how to use these tools to manage Kubernetes resources effectively. Kubernetes Tools
Pre-Deployment Checks
Infrastructure Audit: Conduct a thorough audit of the existing infrastructure to ensure compatibility with the deployment requirements. This includes checking the configurations of VMs, storage, and networking components. Azure Audit Documentation
Preparation for Unique Mobile App Deployment: If the Unique mobile recording app is part of the deployment, prepare for any specific requirements such as custom certificate installation on client devices. Mobile Apps in Azure
Training and Documentation
Internal Training: Conduct internal training sessions to ensure all team members are up to date with the latest Azure features and deployment processes. Azure Training Resources
Documentation: Maintain comprehensive documentation of all processes, custom configurations, and operational procedures. This documentation should be readily accessible to all team members and updated regularly. Technical Documentation Best Practices
Identity and Access Management
This section is designed to guide IT administrators and cloud architects through the necessary preparations for implementing Identity and Access Management within Azure environments. A sound understanding of these principles will equip all teams involved in deploying applications to effectively manage access controls and security configurations. Proper setup of IAM is crucial to minimize potential security issues and streamline the deployment process within the Azure Landing Zone.
The entity-relationship diagram for this section illustrates the relationships within Identity and Access Management for Azure environments, focusing on components such as RBAC, Certificate Management, and Managed Identities.
1. Role-Based Access Control (RBAC) Adoption:
It is recommended to consistently use RBAC for Azure Kubernetes Service (AKS), KeyVault, and all other Azure resources to ensure a secure and scalable access control environment. The use of outdated access control methods is discouraged as they may pose security risks and impact functionality. Learn more about RBAC in Azure.
2. Certificate Management:
Clients utilizing custom certificates or custom Certificate Authorities (CAs) must have a deep understanding of their configurations.
The Unique mobile recording application currently does not support custom certificates. Exploration of this capability is possible through a dedicated integration project, estimated to take approximately 8 weeks.
3. Microsoft Intune and Azure Entra Integration:
Clients using the Unique mobile recording app alongside Microsoft Intune must be knowledgeable about Intune’s integration with Azure Entra ID, as well as the related Conditional Access Policies, Enterprise Applications, and App Registrations. Explore Intune and Azure Entra Integration.
4. Managed and Workload Identities:
Managed and Workload Identities must be properly configured to access necessary services within the Azure Landing Zone. Specifically, Workload Identities assigned to backend microservices must have access permissions to the Large Language Models (LLMs). More on Azure Managed Identities.
5. API Access Management:
Clients must ensure that Workload Identities are granted appropriate permissions for accessing specific APIs, which can be achieved through provided Terraform configurations or by client-led setups. API Management in Azure.
6. Management Group and Subscription Rights:
Adequate rights (Contributor or Owner) must be assigned on the management group and primary subscription, including necessary Data Actions for any secondary management groups or subscriptions involved. Understanding Azure Management Groups.
7. Single Sign-On (SSO) Configuration:
For SSO functionality, the Entra ID Application must either already be registered, or the client must know the registration process. Setting up SSO in Azure.
8. Support and Debugging Limitations:
If Unique lacks access to the client’s Identity Provider (IDP)/Entra accounts, issue resolution will rely heavily on manual efforts such as screen sharing and log analysis, which are resource-intensive.
9. Licensing Requirements for Intune:
Use of the Unique mobile app requires an Intune license within the client’s tenant. Custom Intune configurations that deviate from standard setups may lead to compatibility issues with the Unique mobile app, and associated costs will be billed accordingly. Microsoft Intune Licensing.
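The following Terraform configuration is an added example, not part of Unique's own Terraform or Helm deliverables, showing how RBAC adoption, Workload Identities and API access (items 1, 4 and 5 above) fit together for one backend microservice. It assumes an AKS cluster with the OIDC issuer enabled, an Azure OpenAI account hosting the LLM deployments, and a resource group whose names are supplied as variables; the identity, Key Vault and service-account names are constructed for illustration, and azurerm provider 3.x is pinned because the Key Vault RBAC argument was renamed in 4.x.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.110"   # 4.x renames enable_rbac_authorization to rbac_authorization_enabled
    }
  }
}

provider "azurerm" {
  features {}
}

variable "resource_group_name" {
  type = string   # resource group holding the cluster and the Azure OpenAI account
}

variable "aks_cluster_name" {
  type = string   # existing AKS cluster with oidc_issuer_enabled = true
}

variable "openai_account_name" {
  type = string   # Azure OpenAI account that serves the Large Language Models
}

data "azurerm_client_config" "current" {}

data "azurerm_resource_group" "rg" {
  name = var.resource_group_name
}

data "azurerm_kubernetes_cluster" "aks" {
  name                = var.aks_cluster_name
  resource_group_name = var.resource_group_name
}

data "azurerm_cognitive_account" "openai" {
  name                = var.openai_account_name
  resource_group_name = var.resource_group_name
}

# Identity the backend microservice runs as (Workload Identity, no secrets in pods).
resource "azurerm_user_assigned_identity" "backend" {
  name                = "id-unique-backend"   # constructed name
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = var.resource_group_name
}

# Trust between the cluster's OIDC issuer and the identity: only the service
# account "backend" in namespace "unique" can exchange its token for this identity.
resource "azurerm_federated_identity_credential" "backend" {
  name                = "fic-unique-backend"
  resource_group_name = var.resource_group_name
  parent_id           = azurerm_user_assigned_identity.backend.id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = data.azurerm_kubernetes_cluster.aks.oidc_issuer_url
  subject             = "system:serviceaccount:unique:backend"
}

# Key Vault with RBAC on the data plane instead of legacy access policies.
resource "azurerm_key_vault" "unique" {
  name                      = "kv-unique-prod"   # constructed; must be globally unique
  location                  = data.azurerm_resource_group.rg.location
  resource_group_name       = var.resource_group_name
  tenant_id                 = data.azurerm_client_config.current.tenant_id
  sku_name                  = "standard"
  enable_rbac_authorization = true
  purge_protection_enabled  = true
}

# Least privilege: the service can read secrets, not manage the vault.
resource "azurerm_role_assignment" "backend_kv_secrets" {
  scope                = azurerm_key_vault.unique.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.backend.principal_id
}

# LLM access: inference only, no key listing and no account management.
resource "azurerm_role_assignment" "backend_openai" {
  scope                = data.azurerm_cognitive_account.openai.id
  role_definition_name = "Cognitive Services OpenAI User"
  principal_id         = azurerm_user_assigned_identity.backend.principal_id
}

output "backend_client_id" {
  description = "Client ID to annotate on the Kubernetes service account."
  value       = azurerm_user_assigned_identity.backend.client_id
}
```

On the cluster side, the service account named in the federated credential carries the annotation `azure.workload.identity/client-id` set to the output above, and the pods carry the label `azure.workload.identity/use: "true"`; no client secret is stored anywhere. Adding further APIs means adding further `azurerm_role_assignment` resources with the narrowest built-in role that covers the call, never Contributor on the subscription.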
Network
This section delineates the critical network configurations required for deploying Unique within an Azure environment. It covers a range of topics from managing egress traffic and network security groups to the more complex integrations of custom gateways and certificate management for ingress security. Additionally, it addresses DNS configurations, application gateway setups, and the specific requirements for integrating the Unique mobile app. A clear grasp of these network fundamentals is essential to ensure that the deployment is not only functional but also optimized for security and scalability in response to evolving business needs.
The diagram for this section shows the relationships and flows between the critical network components involved in deploying Unique within an Azure environment.
1. Egress Traffic Management in Development:
During the initial or development setup phase, egress traffic should not be restricted, even if it appears unnecessary for Unique's operations. This practice ensures flexibility and scalability during early stages of deployment.
2. Network Security Group Configuration:
Network Security Groups (NSGs) should initially be configured as defined by Unique’s Terraform scripts. Customers can later enhance security configurations to suit specific needs. Learn more about NSG configuration.
3. Custom Gateway Integration:
If the default Unique Application Gateway does not meet client needs, clients are permitted to prepend an upstream gateway or deploy a private gateway. Clients are responsible for managing these network customizations and must ensure that they have the necessary concepts, processes, permissions, and implementations in place. Custom Gateway Options.
4. Certificate Management for Ingress Security:
It is crucial that the client’s practices for securing ingress traffic with certificates are well-established and ready for deployment. If cert-manager cannot be used (it requires a cluster that is reachable from the internet), alternatives must be prepared.
Certificates should be pre-created or ready to be deployed within each namespace to allow ingresses to reference them efficiently. This includes certificates managed by Unique’s Helm charts or other public configurations. Certificate Management Guide.
5. Mobile Application Compatibility:
The Unique mobile recording application requires specific certificate configurations. It will not function if the necessary custom certificates or Certificate Authorities (CAs) are not installed on client devices.
6. DNS and Zone Configuration:
Clients must ensure that DNS settings and zone delegations are correctly configured as per the Terraform setup to ensure functionality of URLs such as x.client.com and all associated subdomains. DNS Configuration Best Practices.
7. Application Gateway URL Setup:
Clients should prepare the specific URL where the Application Gateway will be hosted, ensuring it aligns with network and security configurations.
8. Subdomain Structure Flexibility:
Unique utilizes structured subdomains (e.g., id.x.client.com, gateway.x.client.com). In cases where structured subdomains are not feasible, alternative configurations such as x-id.client.com should be correctly bound to the designated IP addresses.
9. Internal Network Accessibility:
Configurations involving internal URLs (such as Private Application Gateways or DNS Zones) that make the cluster inaccessible from the internet should be carefully planned to avoid operational issues that may require extensive troubleshooting.
10. SharePoint Integration with Power Automate:
The SharePoint platform is integrated through Power Automate, which is a component of the Microsoft 365 suite. This integration is essential for the operation and functionality of the Unique solution. It should be noted that this setup operates within a "public" or external domain relative to the "internal" environment of the Unique deployment. Thus, it is critical for stakeholders to understand that the data interactions through Power Automate may traverse environments that are external to the secured internal systems. Learn about SharePoint and Power Automate Integration.
11. API Gateway Requirements:
Calls from Power Automate to the Unique system must be routed through a general API gateway to ensure seamless integration and security.
12. Compatibility with Private Clusters:
The Unique mobile app is incompatible with private Kubernetes clusters when it comes to functionalities involving recording tenants. This limitation must be considered during the network architecture planning phase.
13. Management of Public IP Restrictions:
Clients are responsible for customizing their network setups to manage or restrict the use of public IPs. For guidance on configuring outbound network rules and the required configurations, clients should refer to Microsoft Azure's documentation on egress management and outbound rules for AKS clusters.
14. Image Retrieval for Kubernetes Nodes:
Kubernetes nodes must be able to pull images from the internet; alternatively, clients should provision their own image registry. This registry should include a synchronization job that regularly updates it with the latest Unique images after their release.
15. Certificate Management without Cert-Manager:
While Cert-Manager is typically used for automating the management and issuance of certificates, clients can opt for using their own certificates. This requires additional configuration on the client’s side to manually inject certificates and CA details into every deployment.
16. Limitations of Cert-Manager in Isolated Networks:
Cert-Manager will not function if the Kubernetes cluster is completely isolated from the internet. An alternative method, such as DNS challenges, can be used, but it still necessitates some level of internet exposure for the DNS zone. If the cluster cannot be exposed to the internet, further investigation and adaptation of the client’s standard ingress configurations may be required.
17. IP Address Allocation in AKS:
For AKS environments structured based on Unique’s Terraform recommendations, it is critical to ensure that there are enough IP addresses available in the subnet ranges to accommodate all pods at startup.
Compute
This section outlines the essential steps for configuring and managing the compute resources necessary for deploying Unique within an Azure environment. It covers the setup of Azure Virtual Machines (VMs) with appropriate access permissions, tooling requirements for Kubernetes management, and considerations for handling encrypted disks and shared clusters. A thorough understanding of these elements will ensure that your deployment is secure, compliant, and optimized for performance and scalability.
1. Azure VM Configuration:
An Azure Virtual Machine (VM) should be established that can reach all Unique-provisioned KeyVaults and the Kubernetes Private API. The identity assigned to this VM must have KeyVault Reader access to the same vaults. Access may be direct or via an Azure Bastion host for enhanced security. Learn about Azure VM setup.
2. VM Tooling Requirements:
The VM must be equipped with essential tooling for deployment and management of Kubernetes resources. This includes:
Helm and Helmfile for package management and deployment orchestration.
Kubectl for Kubernetes cluster management.
Azure CLI (az) for managing Azure services.
Optionally, k9s for an interactive Kubernetes management experience.
3. Access to Helm Charts:
The VM requires internet access to download public Helm charts from sources like ArtifactHub. Alternatively, all required Helm charts must be manually pulled onto the VM, and the associated helmfiles should be customized as needed for the specific deployment environment.
4. Customization for Encrypted Disks:
If deployments involve Persistent Volumes (PVs) or the Kubernetes cluster uses encrypted disks, the Helm charts must be customized on the client’s side to correctly reference the specific disk encryption set in use.
5. Installation in Shared Clusters:
Unique deployments are known to be complex in shared clusters, particularly because of the need to create Custom Resource Definitions (CRDs) for components like Tyk Gateway Open Source (OSS) or cert-manager. Clients must either provide a cluster where these CRDs can be freely installed or must pre-install the CRDs themselves to facilitate the setup.
6. Subnet Size and Scaling Considerations:
If the subnet sizes deviate from what is recommended by Unique’s infrastructure setup, it could impact the scaling capabilities of the deployment. Clients are responsible for resolving such issues to ensure optimal performance and scalability of the environment.
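The Terraform below is an added example, not Unique's own network configuration, that addresses the Network items on Network Security Group configuration and IP address allocation in AKS together with the Compute item on subnet size and scaling. It assumes classic Azure CNI (where every pod consumes a subnet address), an Application Gateway in its own subnet of the same virtual network, and Terraform 1.2 or later for the lifecycle precondition; the address ranges, resource names and the node-count and max-pods defaults are constructed for illustration.

```hcl
provider "azurerm" {
  features {}
}

variable "resource_group_name" {
  type = string
}

variable "location" {
  type    = string
  default = "switzerlandnorth"   # constructed default
}

variable "max_node_count" {
  type    = number
  default = 10   # highest node count the cluster autoscaler may reach
}

variable "max_pods" {
  type    = number
  default = 50   # max_pods setting of the AKS node pool
}

locals {
  vnet_cidr    = "10.10.0.0/16"
  aks_subnet   = cidrsubnet(local.vnet_cidr, 6, 0)   # 10.10.0.0/22: 1024 addresses
  appgw_subnet = cidrsubnet(local.vnet_cidr, 8, 255) # 10.10.255.0/24 for the Application Gateway

  # Azure reserves the first four and the last address of every subnet.
  usable_ips = pow(2, 32 - tonumber(split("/", local.aks_subnet)[1])) - 5

  # Classic Azure CNI gives every pod a subnet IP: each node needs one address
  # for itself plus max_pods, and one extra node is kept for upgrade surge.
  # Kubenet and Azure CNI Overlay do not consume subnet IPs per pod.
  ips_needed = (var.max_node_count + 1) * (var.max_pods + 1)
}

resource "azurerm_virtual_network" "unique" {
  name                = "vnet-unique"
  location            = var.location
  resource_group_name = var.resource_group_name
  address_space       = [local.vnet_cidr]
}

resource "azurerm_subnet" "aks" {
  name                 = "snet-aks"
  resource_group_name  = var.resource_group_name
  virtual_network_name = azurerm_virtual_network.unique.name
  address_prefixes     = [local.aks_subnet]

  # Stops the plan with a readable message instead of letting pods hang in
  # ContainerCreating once the subnet runs out of addresses.
  lifecycle {
    precondition {
      condition     = local.usable_ips >= local.ips_needed
      error_message = "AKS subnet ${local.aks_subnet} has ${local.usable_ips} usable IPs but ${local.ips_needed} are needed for ${var.max_node_count} nodes with ${var.max_pods} pods each."
    }
  }
}

resource "azurerm_subnet" "appgw" {
  name                 = "snet-appgw"
  resource_group_name  = var.resource_group_name
  virtual_network_name = azurerm_virtual_network.unique.name
  address_prefixes     = [local.appgw_subnet]
}

# Baseline NSG for the node subnet: an explicit allow for HTTPS from the
# Application Gateway subnet. Azure's default rules already block other inbound
# traffic from the internet; outbound is left open for the development phase,
# as the guide recommends, and tightened later using Azure's AKS outbound guidance.
resource "azurerm_network_security_group" "aks" {
  name                = "nsg-aks"
  location            = var.location
  resource_group_name = var.resource_group_name

  security_rule {
    name                       = "allow-https-from-appgw"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = local.appgw_subnet
    destination_address_prefix = "*"
  }
}

resource "azurerm_subnet_network_security_group_association" "aks" {
  subnet_id                 = azurerm_subnet.aks.id
  network_security_group_id = azurerm_network_security_group.aks.id
}
```

With the defaults, the precondition compares 1019 usable addresses against 561 required (11 nodes × 51) and passes; raising `max_node_count` to 20 fails the plan before any resource is touched, which is the point of keeping the subnet arithmetic in code rather than in a spreadsheet. The `azurerm_subnet.aks.id` value is what the cluster's node pool receives as `vnet_subnet_id`.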
Monitor and Analytics
This section focuses on setting up and optimizing the monitoring and analytics frameworks essential for maintaining operational visibility and efficiency within your Azure environment. It includes detailed guidance on configuring a Log Analytics Workspace to capture and analyze Kubernetes pod logs, as well as integrating Grafana for advanced visualization of metrics across your systems. These tools are critical for proactive management and ensuring the high availability and performance of your applications.
The diagram for this section shows the configuration and integration process for monitoring and analytics in an Azure environment.
1. Log Analytics Workspace Configuration:
An accessible Log Analytics Workspace must be established within Azure. This workspace should be configured to collect and display logs from all Kubernetes pods. It is crucial that the workspace is set up to allow comprehensive visibility into the pod logs, ensuring that operational data is readily available for analysis and troubleshooting. Learn how to configure a Log Analytics Workspace.
2. Grafana Integration for Monitoring:
A Managed Grafana instance should be set up to monitor and visualize all default metrics derived from the Kubernetes environment and any other integrated systems. This Grafana instance needs to be accessible and configured to connect seamlessly with the data sources required to retrieve these metrics. Setting up Grafana on Azure.
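The following Terraform is an added example, not Unique's own monitoring configuration, that wires both items above: pod logs flow to a Log Analytics Workspace through Container Insights, cluster metrics flow to an Azure Monitor workspace through Managed Prometheus, and an Azure Managed Grafana instance reads those metrics with its own managed identity. It assumes azurerm provider 3.110 or later (also 4.x), and the cluster is created here only so the block stands alone; in a real deployment the monitoring blocks are added to the cluster Unique's Terraform already manages. All resource names and the node pool size are constructed.

```hcl
provider "azurerm" {
  features {}
}

variable "resource_group_name" {
  type = string
}

variable "location" {
  type = string
}

# Destination for pod logs (Container Insights).
resource "azurerm_log_analytics_workspace" "unique" {
  name                = "law-unique"
  location            = var.location
  resource_group_name = var.resource_group_name
  sku                 = "PerGB2018"
}

# Destination for Prometheus metrics (Managed Prometheus).
resource "azurerm_monitor_workspace" "unique" {
  name                = "amw-unique"
  location            = var.location
  resource_group_name = var.resource_group_name
}

resource "azurerm_kubernetes_cluster" "unique" {
  name                = "aks-unique"
  location            = var.location
  resource_group_name = var.resource_group_name
  dns_prefix          = "aks-unique"

  default_node_pool {
    name       = "system"
    vm_size    = "Standard_D4s_v5"
    node_count = 3
  }

  identity { type = "SystemAssigned" }

  # Container Insights agent: stdout/stderr of every pod is shipped to the workspace.
  oms_agent {
    log_analytics_workspace_id = azurerm_log_analytics_workspace.unique.id
  }

  # Enables the managed Prometheus scrape profile; the rule below routes the metrics.
  monitor_metrics {}
}

resource "azurerm_monitor_data_collection_endpoint" "prom" {
  name                = "dce-unique-prom"
  location            = var.location
  resource_group_name = var.resource_group_name
  kind                = "Linux"
}

resource "azurerm_monitor_data_collection_rule" "prom" {
  name                        = "dcr-unique-prom"
  location                    = var.location
  resource_group_name         = var.resource_group_name
  data_collection_endpoint_id = azurerm_monitor_data_collection_endpoint.prom.id
  kind                        = "Linux"

  destinations {
    monitor_account {
      monitor_account_id = azurerm_monitor_workspace.unique.id
      name               = "amw"
    }
  }

  data_flow {
    streams      = ["Microsoft-PrometheusMetrics"]
    destinations = ["amw"]
  }

  data_sources {
    prometheus_forwarder {
      streams = ["Microsoft-PrometheusMetrics"]
      name    = "PrometheusDataSource"
    }
  }
}

resource "azurerm_monitor_data_collection_rule_association" "prom" {
  name                    = "dcra-unique-prom"
  target_resource_id      = azurerm_kubernetes_cluster.unique.id
  data_collection_rule_id = azurerm_monitor_data_collection_rule.prom.id
}

resource "azurerm_dashboard_grafana" "unique" {
  name                  = "grafana-unique"
  location              = var.location
  resource_group_name   = var.resource_group_name
  grafana_major_version = "10"

  identity { type = "SystemAssigned" }

  azure_monitor_workspace_integrations {
    resource_id = azurerm_monitor_workspace.unique.id
  }
}

# Grafana queries with its own managed identity: read-only on the metrics workspace.
resource "azurerm_role_assignment" "grafana_metrics" {
  scope                = azurerm_monitor_workspace.unique.id
  role_definition_name = "Monitoring Data Reader"
  principal_id         = azurerm_dashboard_grafana.unique.identity[0].principal_id
}
```

Grafana's identity is granted a data-read role only, and on the metrics workspace only; if dashboards should also query the Log Analytics Workspace, add a separate `azurerm_role_assignment` with Monitoring Reader scoped to that workspace rather than widening the scope to the subscription. Access to the Grafana UI itself is governed by the Grafana Admin, Editor and Viewer roles assigned on the Grafana resource through Entra ID.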
Related articles
Reference Architecture CMT Infrastructure requirements
Author: @Serghei Goineanu
© 2024 Unique AG. All rights reserved.