Merge pull request #184126 from nicjohn79/patch-5

ShannonLeavitt · web-flow · commit 9309d78dc625 · 2022-01-07T11:41:31.000-06:00
Update hdinsight-private-link.md
diff --git a/articles/hdinsight/hdinsight-private-link.md b/articles/hdinsight/hdinsight-private-link.md
@@ -19,41 +19,207 @@ The use of Private Link to connect to an HDInsight cluster is an optional featur
 
 When `privateLink` is set to *enabled*, internal [standard load balancers](../load-balancer/load-balancer-overview.md) (SLBs) are created, and an Azure Private Link service is provisioned for each SLB. The Private Link service is what allows you to access the HDInsight cluster from private endpoints.
 
-## Prerequisites
+## Private Link Deployment Steps
+Successfully creating a Private Link cluster takes many steps, so we have outlined them here. Follow each of the steps below to ensure everything is setup correctly.
 
-Standard load balancers don't automatically provide [public outbound NAT](../load-balancer/load-balancer-outbound-connections.md) as basic load balancers do. You must provide your own NAT solution, such as a NAT gateway or a NAT provided by your [firewall](./hdinsight-restrict-outbound-traffic.md), to connect to outbound, public HDInsight dependencies. 
+* Step 1: Create prerequisites
+* Step 2: Configure HDInsight subnet
+* Step 3: Deploy NAT gateway OR firewall
+* Step 4: Deploy Private Link cluster
+* Step 5: Create private endpoints
+* Step 6: Configure DNS
+* Step 7: Check cluster connectivity
+* Appendix: Manage private endpoints for Azure HDInsight
 
-Your HDInsight cluster still needs access to its outbound dependencies. If these outbound dependencies are not allowed, cluster creation might fail. 
+## <a name="Createpreqs"></a>Step 1: Create Prerequisites
+
+To start, deploy the following resources if you have not created them already. Once this is done you should have at least 1 resource group, 2 virtual networks, and a network security group to attach to the subnet where the HDInsight cluster will be deployed as shown below.
 
-### Configure a default network security group on the subnet
+|Type|Name|Purpose|
+|----|----|-------|
+|Resource group|hdi-privlink-rg|Used to keep common resources together|
+|Virtual network|hdi-privlink-cluster-vnet|The VNET where the cluster will be deployed|
+|Virtual network|hdi-privlink-client-vnet|The VNET where clients will connect to the cluster from|
+|Network security group|hdi-privlink-cluster-vnet-nsg|Default NSG as required for cluster deployment|
+
+> [!NOTE]
+> The network security group (NSG) can simply be deployed, we do not need to modify any NSG rules for cluster deployment.
 
-Create and add a network security group (NSG) on the subnet where you intend to deploy the HDInsight cluster. An NSG is required for enabling outbound connectivity.
 
-### Disable network policies for the Private Link service
+## <a name="DisableNetworkPolicy"></a>Step 2: Configure HDInsight Subnet
 
-For the successful creation of a Private Link service, you must explicitly [disable network policies for Private Link services](../private-link/disable-private-link-service-network-policy.md).
+In order to choose a source IP address for your Private Link service, an explicit disable setting ```privateLinkServiceNetworkPolicies``` is required on the subnet. Follow the instructions here to [disable network policies for Private Link services](../private-link/disable-private-link-service-network-policy.md).
 
-### Configure a NAT gateway on the subnet
+## <a name="NATorFirewall"></a>Step 3: Deploy NAT Gateway *OR* Firewall
 
-You can opt to use a NAT gateway if you don't want to configure a firewall or a network virtual appliance (NVA) for NAT. Otherwise, skip to the next prerequisite.
+Standard load balancers don't automatically provide [public outbound NAT](../load-balancer/load-balancer-outbound-connections.md) as basic load balancers do. Since Private Link clusters use standard load balancers, you must provide your own NAT solution, such as a NAT gateway or a NAT provided by your [firewall](./hdinsight-restrict-outbound-traffic.md), to connect to outbound, public HDInsight dependencies.  
 
-To get started, add a NAT gateway (with a new public IP address in your virtual network) to the configured subnet of your virtual network. This gateway is responsible for translating your private internal IP address to public addresses when traffic needs to go outside your virtual network.
+### Deploy a NAT Gateway (Option 1)
+You can opt to use a NAT gateway if you don't want to configure a firewall or a network virtual appliance (NVA) for NAT. To get started, add a NAT gateway (with a new public IP address in your virtual network) to the configured subnet of your virtual network. This gateway is responsible for translating your private internal IP address to public addresses when traffic needs to go outside your virtual network.
 
-### Configure a firewall (optional)
+For a basic setup to get started:
+    
+1. Search for 'NAT Gateways' in the Azure portal and click **Create**.
+2. Use the following configurations in the NAT Gateway. (We are not including all configs here, so you can use the default value for those)
+    
+    | Config | Value |
+    | ------ | ----- |
+    | NAT gateway name | hdi-privlink-nat-gateway |
+    | Public IP Prefixes | Create a new public IP prefix |
+    | Public IP prefix name | hdi-privlink-nat-gateway-prefix |
+    | Public IP prefix size | /28 (16 addresses) |
+    | Virtual network | hdi-privlink-cluster-vnet |
+    | Subnet name | default |
+
+3. Once the NAT Gateway is finished deploying, you are ready to go to the next step.
+
+### Configure a firewall (Option 2)
 For a basic setup to get started:
 
 1. Add a new subnet named *AzureFirewallSubnet* to your virtual network. 
 1. Use the new subnet to configure a new firewall and add your firewall policies. 
 1. Use the new firewall's private IP address as the `nextHopIpAddress` value in your route table. 
 1. Add the route table to the configured subnet of your virtual network.
 
+Your HDInsight cluster still needs access to its outbound dependencies. If these outbound dependencies are not allowed, cluster creation might fail. 
 For more information on setting up a firewall, see [Control network traffic in Azure HDInsight](./control-network-traffic.md).
 
-The following diagram shows an example of the networking configuration that's required before you create a cluster. In this example, all outbound traffic is forced to Azure Firewall through a user-defined route. The required outbound dependencies should be allowed on the firewall before cluster creation. For Enterprise Security Package clusters, virtual network peering can provide the network connectivity to Azure Active Directory Domain Services.
+## <a name="deployCluster"></a>Step 4: Deploy Private Link cluster
+
+At this point all prerequisites should be taken care of and you are ready to deploy the Private Link cluster. The following diagram shows an example of the networking configuration that's required before you create the cluster. In this example, all outbound traffic is forced to Azure Firewall through a user-defined route. The required outbound dependencies should be allowed on the firewall before cluster creation. For Enterprise Security Package clusters, virtual network peering can provide the network connectivity to Azure Active Directory Domain Services.
 
 :::image type="content" source="media/hdinsight-private-link/before-cluster-creation.png" alt-text="Diagram of the Private Link environment before cluster creation.":::
 
-## Manage private endpoints for Azure HDInsight
+### Create the cluster
+
+The following JSON code snippet includes the two network properties that you must configure in your Azure Resource Manager template to create a private HDInsight cluster:
+
+```json
+networkProperties: {
+    "resourceProviderConnection": "Outbound",
+    "privateLink": "Enabled"
+}
+```
+For a complete template with many of the HDInsight enterprise security features, including Private Link, see [HDInsight enterprise security template](https://github.com/Azure-Samples/hdinsight-enterprise-security/tree/main/ESP-HIB-PL-Template).
+
+To create a cluster by using PowerShell, see the [example](/powershell/module/az.hdinsight/new-azhdinsightcluster#example-4--create-an-azure-hdinsight-cluster-with-relay-outbound-and-private-link-feature).
+
+To create a cluster by using the Azure CLI, see the [example](/cli/azure/hdinsight#az_hdinsight_create-examples).
+    
+## <a name="PrivateEndpoints"></a>Step 5: Create Private Endpoints
+
+Azure automatically creates a Private link service for the Ambari and SSH load balancers during the Private Link cluster deployment. After the cluster is deployed, you have to create two Private endpoints on the client VNET(s), one for Ambari and one for SSH access. Then, link them to the Private link services which were created as part of the cluster deployment.
+
+To create the Private Endpoints:
+1. Open the Azure portal and search for 'Private link'.
+2. In the results, click the Private link icon.
+3. Click 'Create private endpoint' and use the following configurations to setup the Ambari private endpoint:
+    
+    | Config | Value |
+    | ------ | ----- |
+    | Name | hdi-privlink-cluster |
+    | Resource type | Microsoft.Network/privateLinkServices |
+    | Resource | gateway-* (This should match the HDI deployment ID of your cluster, for example gateway-4eafe3a2a67e4cd88762c22a55fe4654) |
+    | Virtual network | hdi-privlink-client-vnet |
+    | Subnet | default |
+    
+4. Repeat the process to create another private endpoint for SSH access using the following configurations:
+    
+    | Config | Value |
+    | ------ | ----- |
+    | Name | hdi-privlink-cluster-ssh |
+    | Resource type | Microsoft.Network/privateLinkServices |
+    | Resource | headnode-* (This should match the HDI deployment ID of your cluster, for example headnode-4eafe3a2a67e4cd88762c22a55fe4654) |
+    | Virtual network | hdi-privlink-client-vnet |
+    | Subnet | default |
+    
+Once the private endpoints are created, you’re done with this phase of the setup. If you didn’t make a note of the private IP addresses assigned to the endpoints, follow the steps below:
+
+1. Open the client VNET in the Azure portal. 
+2. Click the 'Overview' tab.
+3. You should see both the Ambari and ssh Network interfaces listed and their private IP Addresses. 
+4. Make a note of these IP addresses because they are required to connect to the cluster and properly configure DNS.
+
+## <a name="ConfigureDNS"></a>Step 6: Configure DNS to connect over private endpoints
+
+To access private clusters, you can configure DNS resolution through private DNS zones. The Private Link entries created in the Azure-managed public DNS zone `azurehdinsight.net` are as follows:
+
+```dns
+<clustername>        CNAME    <clustername>.privatelink
+<clustername>-int    CNAME    <clustername>-int.privatelink
+<clustername>-ssh    CNAME    <clustername>-ssh.privatelink
+```
+The following image shows an example of the private DNS entries configured to enable access to a cluster from a virtual network that isn't peered or doesn't have a direct line of sight to the cluster. You can use an Azure DNS private zone to override `*.privatelink.azurehdinsight.net` fully qualified domain names (FQDNs) and resolve private endpoints' IP addresses in the client's network. The configuration is only for `<clustername>.azurehdinsight.net` in the example, but it also extends to other cluster endpoints.
+
+:::image type="content" source="media/hdinsight-private-link/access-private-clusters.png" alt-text="Diagram of the Private Link architecture.":::
+
+To configure DNS resolution through a Private DNS zone:
+    
+1. Create an Azure Private DNS zone. (We are not including all configs here, all other configs are left at default values)
+    
+    | Config | Value |
+    | ------ | ----- |
+    | Name | privatelink.azurehdinsight.net |
+    
+2. Add a Record set to the Private DNS zone for Ambari.
+    
+    | Config | Value |
+    | ------ | ----- |
+    | Name | YourPrivateLinkClusterName |
+    | Type | A - Alias record to IPv4 address |
+    | TTL | 1 |
+    | TTL unit | Hours |
+    | IP Address | Private IP of private endpoint for Ambari access |
+    
+3. Add a Record set to the Private DNS zone for SSH.
+    
+    | Config | Value |
+    | ------ | ----- |
+    | Name | YourPrivateLinkClusterName-ssh |
+    | Type | A - Alias record to IPv4 address |
+    | TTL | 1 |
+    | TTL unit | Hours |
+    | IP Address | Private IP of private endpoint for SSH access |
+    
+4. Associate the private DNS zone with the client VNET by adding a Virtual Network Link.
+    1. Open the private DNS zone in the Azure portal.
+    1. Click the 'Virtual network links' tab.
+    1. Click the 'Add' button.
+    1. Fill in the details: Link name, Subscription, and Virtual Network
+    1. Click **Save**.
+
+## <a name="CheckConnectivity"></a>Step 6: Check cluster connectivity
+
+The last step is to test connectivity to the cluster. Since this cluster is isolated or private, we cannot access the cluster using any public IP or FQDN. Instead we have a couple of options:
+
+* Set up VPN access to the client VNET from your on premise network
+* Deploy a VM to the client VNET and access the cluster from this VM
+
+For this example, we will deploy a VM in the client VNET using the following configuration to test the connectivity.
+    
+| Config | Value |
+| ------ | ----- |
+| Virtual machine name | hdi-privlink-client-vm |
+| Image | Windows 10 Pro, Version 2004 - Gen1 |
+| Public inbound ports | Allow selected ports |
+| Select inbound ports | RDP (3389) | 
+| I confirm I have an eligible Windows 10 license... | Checked |
+| Virtual network | hdi-privlink-client-vnet |
+| Subnet | default |
+
+Once the client VM is deployed, you can test both Ambari and SSH access.
+
+To test Ambari access: <br>
+1. Open a web browser on the VM.
+2. Navigate to your cluster's regular FQDN: `https://<clustername>.azurehdinsight.net`
+3. If the Ambari UI loads, the configuration is correct for Ambari access.
+
+To test ssh access: <br>
+1. Open a command prompt to get a terminal window. 
+2. In the terminal window, try connecting to your cluster with SSH: `ssh sshuser@<clustername>.azurehdinsight.net` (Replace "sshuser" with the ssh user you created for your cluster) 
+3. If you are able to connect, the configuration is correct for SSH access.
+    
+## <a name="ManageEndpoints"></a>Manage Private endpoints for Azure HDInsight
 
 You can use [private endpoints](../private-link/private-endpoint-overview.md) for your Azure HDInsight clusters to allow clients on a virtual network to securely access your cluster over [Private Link](../private-link/private-link-overview.md). Network traffic between the clients on the virtual network and the HDInsight cluster traverses over the Microsoft backbone network, eliminating exposure from the public internet.
 
@@ -77,41 +243,7 @@ The following table shows the various HDInsight resource actions and the resulti
 | Reject | Rejected | Connection was rejected by the Private Link resource owner. |
 | Remove | Disconnected | Connection was removed by the Private Link resource owner. The private endpoint becomes informative and should be deleted for cleanup. |
 
-## Configure DNS to connect over private endpoints
-
-After you've set up the networking, you can create a cluster with an outbound resource provider connection and Private Link enabled.
-
-To access private clusters, you can use Private Link DNS extensions and private endpoints. When `privateLink` is set to *enabled*, you can create private endpoints and configure DNS resolution through private DNS zones.
-
-The Private Link entries created in the Azure-managed public DNS zone `azurehdinsight.net` are as follows:
-
-```dns
-<clustername>        CNAME    <clustername>.privatelink
-<clustername>-int    CNAME    <clustername>-int.privatelink
-<clustername>-ssh    CNAME    <clustername>-ssh.privatelink
-```
-The following image shows an example of the private DNS entries configured to enable access to a cluster from a virtual network that isn't peered or doesn't have a direct line of sight to the cluster. You can use an Azure DNS private zone to override `*.privatelink.azurehdinsight.net` fully qualified domain names (FQDNs) and resolve private endpoints' IP addresses in the client's network. The configuration is only for `<clustername>.azurehdinsight.net` in the example, but it also extends to other cluster endpoints.
-
-:::image type="content" source="media/hdinsight-private-link/access-private-clusters.png" alt-text="Diagram of the Private Link architecture.":::
-
-## Create clusters
-
-The following JSON code snippet includes the two network properties that you must configure in your Azure Resource Manager template to create a private HDInsight cluster:
-
-```json
-networkProperties: {
-    "resourceProviderConnection": "Outbound",
-    "privateLink": "Enabled"
-}
-```
-
-For a complete template with many of the HDInsight enterprise security features, including Private Link, see [HDInsight enterprise security template](https://github.com/Azure-Samples/hdinsight-enterprise-security/tree/main/ESP-HIB-PL-Template).
-
-To create a cluster by using PowerShell, see the [example](/powershell/module/az.hdinsight/new-azhdinsightcluster#example-4--create-an-azure-hdinsight-cluster-with-relay-outbound-and-private-link-feature).
-
-To create a cluster by using the Azure CLI, see the [example](/cli/azure/hdinsight#az_hdinsight_create-examples).
-
 ## Next steps
 
 * [Enterprise Security Package for Azure HDInsight](enterprise-security-package.md)
-* [Enterprise security general information and guidelines in Azure HDInsight](./domain-joined/general-guidelines.md)
+* [Enterprise security general information and guidelines in Azure HDInsight](./domain-joined/general-guidelines.md)
