Prerequisites for installing Digibee Integration Platform on Azure

Learn the necessary prerequisites for installing the Digibee Integration Platform on Microsoft Azure using Azure Kubernetes Service (AKS).

Before starting the installation of the Digibee Integration Platform in the cloud environment, it’s necessary to ensure that all prerequisites are met.

1. Azure account and permissions

Customers must have an active Microsoft Azure subscription. The person carrying out the steps below needs enough privilege in that subscription to create role assignments (Owner or User Access Administrator) and enough privilege in the directory to register an application for the Service Principal.

2. Access management for Digibee teams on Microsoft Azure

When installing and configuring the Digibee Integration Platform, it’s essential to establish appropriate access policies for the teams involved.

2.1. Cloud Engineering team access

The Cloud Engineering team is responsible for configuring the pipelines and implementing the necessary infrastructure to support the Digibee Integration Platform on Azure. To allow the team to perform its tasks, it needs to be granted proper access to Azure resources.

2.1.1. Creation of a Service Principal

The Cloud Engineering team accesses Azure resources through a Service Principal, an application identity that can be used to authenticate and access Azure resources on behalf of the GitLab pipeline. This allows the pipeline to interact with Azure resources without requiring an interactive user or login.

When creating the Service Principal, the customer must grant it the "Contributor" role on the Azure subscription that will hold the platform's resources and send the values returned on creation (application/client ID, tenant ID and client secret) to Digibee's engineering team. The client secret is a credential: share it through a secrets channel rather than e-mail or chat, and note its expiry date (the Azure CLI defaults to one year) so that rotation can be scheduled before the pipeline stops working.

The Cloud Engineering team will use this information to configure the GitLab pipeline, allowing the pipeline to use Service Principal to interact with Azure resources.

Note that Service Principal allows a type of access known as "machine access", which means that access and interactions with Azure resources are done without direct human interaction. This type of access is useful for automating tasks, such as those performed by a CI/CD pipeline, and for programmatically managing Azure resources.
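The creation step above, as an added example that is not part of Digibee's documentation or tooling. It creates the Service Principal with Contributor at subscription scope, exactly as required here, checks the resulting assignment, and turns the CLI output into the environment variables the Terraform azurerm provider reads (which is what Digibee's pipeline will consume in section 3). The display name digibee-pipeline, the subscription ID and the sample JSON are assumptions; the script is run by the customer's subscription Owner.

```shell
#!/usr/bin/env sh
# Added example, not Digibee's own tooling. Creates the pipeline Service
# Principal (Contributor, subscription scope) and maps its output to the
# variables the Terraform azurerm provider expects. Names/IDs are placeholders.
set -eu

# Wrapper around the Azure CLI. With DRY_RUN=1 it prints the command instead
# of running it, so the exact role and scope can be reviewed before anything
# is created (and the composition can be checked offline).
az_run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'az %s\n' "$*"
  else
    az "$@"
  fi
}

# create_sp SUBSCRIPTION_ID DISPLAY_NAME [YEARS]
# App registration + service principal + role assignment in one call. The
# JSON it prints contains the client secret ("password"): write it to a file
# created under umask 077, hand it over through a secret-sharing channel, and
# record the expiry (YEARS, default 1) so rotation can be scheduled.
create_sp() {
  sub="$1"; name="$2"; years="${3:-1}"
  az_run ad sp create-for-rbac \
    --name "$name" \
    --role Contributor \
    --scopes "/subscriptions/$sub" \
    --years "$years" \
    --output json
}

# show_sp_roles SUBSCRIPTION_ID APP_ID
# Verification: the principal should hold exactly one assignment, Contributor
# on the subscription, and nothing at other scopes.
show_sp_roles() {
  az_run role assignment list \
    --assignee "$2" \
    --scope "/subscriptions/$1" \
    --query '[].{role:roleDefinitionName, scope:scope}' \
    --output table
}

# json_field KEY
# Pulls one string value out of the flat create-for-rbac JSON on stdin (one
# key per line, no nesting), so jq is not required on the operator machine.
json_field() {
  awk -F'"' -v k="$1" '$2 == k { print $4; exit }'
}

# sp_to_terraform_env SUBSCRIPTION_ID < sp.json
# Prints KEY=VALUE lines for the azurerm provider. These go into GitLab as
# masked, protected CI/CD variables; they must never be committed.
sp_to_terraform_env() {
  sub="$1"
  json="$(cat)"
  printf 'ARM_CLIENT_ID=%s\n'       "$(printf '%s\n' "$json" | json_field appId)"
  printf 'ARM_CLIENT_SECRET=%s\n'   "$(printf '%s\n' "$json" | json_field password)"
  printf 'ARM_TENANT_ID=%s\n'       "$(printf '%s\n' "$json" | json_field tenant)"
  printf 'ARM_SUBSCRIPTION_ID=%s\n' "$sub"
}

# Constructed sample of create-for-rbac output (fake IDs and a fake secret),
# only here to demonstrate the mapping without touching Azure.
SAMPLE_SP_JSON='{
  "appId": "11111111-1111-1111-1111-111111111111",
  "displayName": "digibee-pipeline",
  "password": "fake~secret.value_for-example-only",
  "tenant": "22222222-2222-2222-2222-222222222222"
}'

# Live usage (SUB=<subscription id>):
#   ( umask 077; create_sp "$SUB" digibee-pipeline > sp.json )
#   show_sp_roles "$SUB" "$(json_field appId < sp.json)"
#   sp_to_terraform_env "$SUB" < sp.json
```

Running with DRY_RUN=1 first is the check worth keeping: it shows the literal `--role Contributor --scopes /subscriptions/<id>` that will be granted, which is the moment to decide whether a resource-group scope is acceptable to both parties instead of the whole subscription.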

2.2. Cloud Operations team access

For the Cloud Operations team to be able to maintain the Platform and resolve issues related to Azure, it's necessary to create a group in Azure Active Directory (Microsoft Entra ID) for the Cloud Operations team and grant this group the appropriate permissions. Access to the bastion server and other features related to platform maintenance is configured and managed through this group, and the group's membership is also what the customer audits and revokes (see 2.3).

2.2.1. Group creation in Azure Active Directory

  • Create a new user group called Digibee-Op-Cloud.

  • Add the Cloud Operations team members to the "Digibee-Op-Cloud" group. The list of members will be provided during the design phase.

2.2.2. Granting access to the Cloud Operations team

The Cloud Operations team must be granted limited and specific permissions, such as access to AKS to run kubectl commands.

Assign the Digibee-Op-Cloud group the following built-in Azure roles. Scope each assignment to the resource it is needed for (the AKS cluster, the bastion VM and the VNet) rather than to the whole subscription:

  • Azure Kubernetes Service RBAC Admin: a data-plane role that, on clusters with Azure RBAC for Kubernetes authorization enabled, gives the group administrative access to Kubernetes resources (everything except updating or deleting namespaces and resource quotas) and the right to fetch cluster credentials with az aks get-credentials. It has no effect on a cluster that uses Kubernetes RBAC with Azure AD integration; there the group's object ID must instead be bound to a Kubernetes role inside the cluster.

  • Virtual Machine Contributor: allows members of the Operations team to manage virtual machines in Azure, including the bastion host VM used for the SSH tunnel to the private AKS cluster. With this role the team can start, stop, restart and delete virtual machines, manage their disks and network interfaces, and run VM extensions (which includes resetting local credentials, so the role is effectively administrative on the bastion). It does not grant access to the virtual network or storage accounts the VMs are attached to, which is why Network Contributor is assigned separately.

  • Network Contributor: allows members of the Operations team to manage network resources in Azure, such as virtual networks, subnets, network interfaces and network security groups. This is what lets the team set up and maintain connectivity between the bastion host VM and the private AKS cluster. Note that it also covers the network security group rules that limit who can reach the bastion, so changes to those rules are one of the things to look for in the Activity Log review described in 2.3.
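The group creation from 2.2.1 and the role assignments from 2.2.2 as one procedure, written as an added example that is not Digibee's own script. It assigns the three built-in roles at resource scope (cluster, bastion VM, VNet) instead of subscription scope and finishes with a verification listing. The group name comes from the page; the resource IDs, user principal names and the mail nickname are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not part of Digibee's documentation. Creates the
# Digibee-Op-Cloud group, adds members, and assigns the three built-in roles
# at the narrowest useful scope. Resource IDs and UPNs are placeholders.
set -eu

# Azure CLI wrapper: DRY_RUN=1 prints the command instead of executing it.
az_run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'az %s\n' "$*"
  else
    az "$@"
  fi
}

# create_ops_group NAME
# --mail-nickname is mandatory for the CLI even for a plain security group;
# reusing the display name for it is an assumption.
create_ops_group() {
  az_run ad group create --display-name "$1" --mail-nickname "$1" --output none
}

# group_object_id NAME -> object id of the group ("id" in the Graph-based CLI)
group_object_id() {
  az_run ad group show --group "$1" --query id --output tsv
}

# user_object_id UPN -> object id of a user, as needed by member add/remove
user_object_id() {
  az_run ad user show --id "$1" --query id --output tsv
}

# add_member GROUP MEMBER_OBJECT_ID
add_member() {
  az_run ad group member add --group "$1" --member-id "$2"
}

# assign_role GROUP_OBJECT_ID ROLE SCOPE
# Passing the principal type avoids the directory lookup race that can make
# an assignment fail right after the group was created.
assign_role() {
  az_run role assignment create \
    --assignee-object-id "$1" \
    --assignee-principal-type Group \
    --role "$2" \
    --scope "$3" \
    --output none
}

# grant_ops_access GROUP_OBJECT_ID AKS_ID BASTION_VM_ID VNET_ID
# All three scopes are full ARM resource IDs, e.g.
#   /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ContainerService/managedClusters/<aks>
# "Azure Kubernetes Service RBAC Admin" only has effect on clusters with
# Azure RBAC for Kubernetes authorization enabled.
grant_ops_access() {
  assign_role "$1" "Azure Kubernetes Service RBAC Admin" "$2"
  assign_role "$1" "Virtual Machine Contributor"         "$3"
  assign_role "$1" "Network Contributor"                 "$4"
}

# list_group_roles GROUP_OBJECT_ID
# Verification: every role the group holds, at every scope. Anything at
# subscription scope here is broader than this page asks for.
list_group_roles() {
  az_run role assignment list --assignee "$1" --all \
    --query '[].{role:roleDefinitionName, scope:scope}' --output table
}

# Live usage (IDs obtained with `az aks show`, `az vm show`, `az network vnet show`
# using --query id -o tsv):
#   create_ops_group Digibee-Op-Cloud
#   oid=$(group_object_id Digibee-Op-Cloud)
#   add_member Digibee-Op-Cloud "$(user_object_id ops.engineer@digibee.example)"
#   grant_ops_access "$oid" "$AKS_ID" "$BASTION_VM_ID" "$VNET_ID"
#   list_group_roles "$oid"
```

The final listing is the check to keep after installation: the group should show exactly three assignments, none of them at subscription scope.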

2.2.3. Access via SSH for the Cloud Operations team

Access by Digibee's Operations team to the private AKS cluster will be done through SSH Port Forwarding, also known as SSH Tunneling. This approach was chosen because it fits Digibee's standard working model and gives an efficient and secure way to reach a private cluster, whose API server endpoint is only resolvable and reachable from inside the VNet.

Access method:

  • During implementation, Digibee's Cloud Engineering team will create a virtual machine (VM) in the same virtual network (VNet) where the private AKS cluster is located. This VM will be used as a bastion host for the SSH tunnel between Digibee's Operations team and the AKS cluster. The bastion should accept key-based SSH only, with its network security group limiting inbound port 22 to Digibee's source addresses.

  • With the SSH tunnel configured, the Operations team will be able to access the AKS cluster and manage its resources. This includes running kubectl commands and performing other administrative tasks necessary to monitor and maintain the Digibee Integration Platform.
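The tunnel described above from the operator's side, as an added example that is not Digibee's own tooling. It forwards a local port to the cluster's private API FQDN through the bastion, fetches credentials, and repoints the kubeconfig at the tunnel while keeping TLS verification on. The bastion host name, SSH user, resource group, cluster name and local port are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not Digibee's tooling: SSH port forward to a private AKS API
# server via the bastion, plus the kubeconfig change that makes kubectl use it.
# Host names, user, resource names and ports are placeholders.
set -eu

# Command wrapper: DRY_RUN=1 prints the command instead of executing it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# private_api_fqdn RG AKS_NAME
# The private FQDN lives in a private DNS zone linked to the VNet, so it does
# not resolve from the workstation; the forward below lets the bastion resolve it.
private_api_fqdn() {
  run az aks show --resource-group "$1" --name "$2" --query privateFqdn --output tsv
}

# open_tunnel BASTION_HOST SSH_USER API_FQDN [LOCAL_PORT]
# -f -N: background, no remote shell. ExitOnForwardFailure makes ssh fail
# loudly if the local port is taken rather than connecting without the
# forward. Binding to 127.0.0.1 keeps the API off the workstation's LAN.
open_tunnel() {
  port="${4:-8443}"
  run ssh -f -N \
    -o ExitOnForwardFailure=yes \
    -o ServerAliveInterval=30 \
    -L "127.0.0.1:${port}:${3}:443" \
    "${2}@${1}"
}

# fetch_credentials RG AKS_NAME
# Writes the cluster entry (server = private FQDN) to ~/.kube/config. For an
# Azure AD / Azure RBAC cluster, kubelogin rewrites the entry to obtain tokens
# from the operator's own `az login` session.
fetch_credentials() {
  run az aks get-credentials --resource-group "$1" --name "$2" --overwrite-existing
  run kubelogin convert-kubeconfig -l azurecli
}

# point_kubeconfig AKS_NAME API_FQDN [LOCAL_PORT]
# Repoint the cluster at the tunnel. --tls-server-name keeps certificate
# verification: the API certificate is issued for the private FQDN, not for
# 127.0.0.1, so this is the correct alternative to --insecure-skip-tls-verify.
point_kubeconfig() {
  run kubectl config set-cluster "$1" \
    --server="https://127.0.0.1:${3:-8443}" \
    --tls-server-name="$2"
}

# close_tunnel [LOCAL_PORT]: stop the background ssh that owns the forward.
close_tunnel() {
  run pkill -f "ssh -f -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L 127.0.0.1:${1:-8443}:"
}

# Live usage:
#   fqdn=$(private_api_fqdn digibee-rg digibee-aks)
#   open_tunnel bastion.customer.example ops "$fqdn"
#   fetch_credentials digibee-rg digibee-aks
#   point_kubeconfig digibee-aks "$fqdn"
#   kubectl get nodes
#   close_tunnel
```

The point easy to miss is the last step: without --tls-server-name, kubectl either fails verification against 127.0.0.1 or tempts the operator into --insecure-skip-tls-verify, which would let anything listening on the bastion side impersonate the API server.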

2.3. About customer access monitoring and revocation

Here are some guidelines on how to track activities and manage access in the Azure environment during the installation and running process:

  • Track activities in Azure: use the Azure Activity Log to closely track operations performed on Azure subscription resources. To access the Activity Log, go to the Azure portal, click Monitor in the left menu, and select Activity Log. Note that the Activity Log records control-plane operations against Azure resources (role assignments, VM start/stop, network changes). Commands run through kubectl are captured only if diagnostic settings on the AKS cluster send the kube-audit log category to a Log Analytics workspace, and SSH logins to the bastion appear only in the VM's own authentication log unless that log is shipped as well.

  • Revocation of access: revoking access for members of the Cloud Operations team is a shared responsibility between Digibee and the customer. Whenever a Digibee team member leaves the company, Digibee will notify the customer. After receiving this information, it's up to the customer to remove that user from the Digibee-Op-Cloud group in Azure Active Directory. Because all permissions are attached to the group, removing the user from it is sufficient, provided no role assignments were ever made to the individual user directly; comparing the group's membership against the list Digibee provided is a useful periodic check.
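The monitoring and revocation steps above as CLI operations, added here as an example that is not part of Digibee's documentation. It lists the Activity Log entries produced by one identity, finds group members who are not on the agreed list, and removes a departed member while confirming the removal. The user principal names and object IDs are placeholders.

```shell
#!/usr/bin/env sh
# Added example, not Digibee's own tooling: CLI counterpart to the portal
# steps for activity review and access revocation. UPNs/IDs are placeholders.
set -eu

# Azure CLI wrapper: DRY_RUN=1 prints the command instead of executing it.
az_run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'az %s\n' "$*"
  else
    az "$@"
  fi
}

# caller_activity CALLER [OFFSET]
# Control-plane operations performed by one identity (UPN or app ID) over the
# last OFFSET, in the CLI's ##d##h form (default 7d). kubectl actions are not
# here: they are in the cluster's kube-audit diagnostic logs, and bastion SSH
# logins only in the VM's own auth log.
caller_activity() {
  az_run monitor activity-log list \
    --caller "$1" \
    --offset "${2:-7d}" \
    --query '[].{time:eventTimestamp, op:operationName.localizedValue, status:status.value, resource:resourceId}' \
    --output table
}

# group_member_ids GROUP -> newline-separated object ids of current members
group_member_ids() {
  az_run ad group member list --group "$1" --query '[].id' --output tsv
}

# unexpected_members EXPECTED_IDS CURRENT_IDS
# Both arguments are newline-separated object-id lists. Prints the ids that
# are in the group but not on the agreed member list: the ones to review or
# revoke. Pure shell, so it can run on an exported list offline.
unexpected_members() {
  expected="$1"
  printf '%s\n' "$2" | while IFS= read -r id; do
    [ -n "$id" ] || continue
    printf '%s\n' "$expected" | grep -Fxq "$id" || printf '%s\n' "$id"
  done
}

# revoke_member GROUP MEMBER_OBJECT_ID
# Removes the member, then asks the directory whether it is still a member;
# the check prints "false" once the removal has taken effect.
revoke_member() {
  az_run ad group member remove --group "$1" --member-id "$2"
  az_run ad group member check --group "$1" --member-id "$2" --query value --output tsv
}

# Live usage, with expected.txt holding the object ids Digibee provided:
#   unexpected_members "$(cat expected.txt)" "$(group_member_ids Digibee-Op-Cloud)"
#   caller_activity departed.user@digibee.example 30d
#   revoke_member Digibee-Op-Cloud <object id of departed.user>
```

Reviewing the departed user's activity before removal matters because the Activity Log is filtered by caller; after the object is deleted from the directory, filtering by its UPN still works, but the object ID is the more reliable key to keep in the offboarding record.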

3. Installation and configuration via GitLab

Digibee will install and configure the platform in two main steps: creating the infrastructure using Terraform and deploying the platform using GitLab Runner. These steps are performed from a pipeline on GitLab, ensuring an automated and secure process.

GitLab Runner is the GitLab component that executes pipeline jobs. Here it runs inside the Kubernetes cluster, connects out to GitLab, and performs the tasks defined in the pipelines, such as building, testing, and deploying applications. Because the runner initiates the connection, GitLab needs no inbound access to the cluster.

3.1. Setting up Azure access credentials in GitLab account

The Digibee team will configure the Azure access credentials (the Service Principal values from 2.1.1) in the GitLab project where Terraform will run, as masked and protected CI/CD variables rather than as files in the repository. This ensures that the provisioning scripts have access to the required resources in the customer's Azure environment without the secret appearing in source control or job logs.

3.2. Creating a pipeline in GitLab

The Digibee team will create and configure a pipeline on GitLab to run the Terraform provisioning scripts and install the Digibee Integration Platform. The pipeline automates the deployment process, ensuring that the steps are performed in the correct order and with the proper settings.

3.3. Storing Terraform configuration files and scripts in the GitLab repository

Configuration files and Terraform scripts will be stored in a GitLab repository. This provides version history for every infrastructure change and facilitates collaboration between the Digibee team and the customer, if necessary.

4. Breakdown of features and usage

This section discusses the use of specific Azure features by the Digibee Platform.

Contributor role for a Service Principal

During the initial setup and subsequent operations, the Service Principal plays a crucial role in creating, modifying or deleting various Azure resources like the AKS, VNet, and Bastion server.

To carry out these tasks, the Service Principal is assigned the "Contributor" role. This is a high-privilege Azure role that grants read-write access to every resource type within its scope. What it does not grant is the ability to create Azure role assignments (that requires Owner or User Access Administrator) or to manage Azure Active Directory objects, which are governed by directory roles rather than Azure RBAC.

The Contributor role allows the pipeline to operate without interruptions or permission errors, and allows the Cloud Engineering team to focus on maintaining and improving the Digibee Integration Platform, rather than managing permissions in Azure.

Although the Service Principal has the role of Contributor, it operates without direct human interaction. The Service Principal is only used by the GitLab pipeline, which is configured and maintained by the Cloud Engineering team.

Upon completion of these prerequisites, Digibee's Cloud Engineering team will be able to perform the installation and configuration of the Digibee Dedicated SaaS platform in the customer's cloud environment. For more information, check out the complete documentation about AKS implementation.
