|
| 1 | +--- |
| 2 | +title: Get started with Azure Operator Service Manager Private Link |
| 3 | +description: Secure backhaul connectivity of on-premise artifact store hosted on Azure Operator Nexus |
| 4 | +author: msftadam |
| 5 | +ms.author: adamdor |
| 6 | +ms.date: 09/04/2024 |
| 7 | +ms.topic: get-started |
| 8 | +ms.service: azure-operator-service-manager |
| 9 | +--- |
| 10 | + |
| 11 | +# Get started with private link |
| 12 | + |
| 13 | +## Overview |
| 14 | +Document Version: 0.1 - Privatelink feature for edge artifact store |
| 15 | + |
| 16 | +## Introduction |
| 17 | +The purpose of this document is to provide a quick start guide to enable ATT ADO development using AOSM Publisher APIs to enable private link feature for AOSM artifact store. The contents of this document will be updated into the azure public docs for AOSM service. We will notify ATT when the public documentation is ready for this feature. |
| 18 | + |
| 19 | +## Permissions for linking AOSM Artifact Store resource to NFC |
| 20 | +In addition to the appropriate permissions on the AOSM resourcs, the role that is linking the AOSM artifact store to NFC should have the below permission. |
| 21 | + |
| 22 | +``` |
| 23 | +Microsoft.ManagedNetworkFabric/networkFabricControllers/write |
| 24 | +``` |
| 25 | + |
| 26 | +> [!NOTE] |
| 27 | +> A more fine-grained permission for NFC is in the works and will be rolled out in the next two weeks that replaces the privileged permission above |
| 28 | +
|
| 29 | +## AOSM APIs for setting up privatelink to artifact store |
| 30 | +Below is the sequence of operations to be done for Private Link enablement when uploading artifacts. |
| 31 | + |
| 32 | +### Create Publisher and AS with Public Access disabled. |
| 33 | +* The publisher resource must be created with identity type set to 'SystemAssigned'. If the publisher was created without this property, the publisher can be updated by performing a reput on the publisher. |
| 34 | +* To disable the public access on the ACR backed by the artifact store, the new property “backingResourcePublicNetworkAcccess” is used. The property is added in the 2024-04-15 version. 2024-04-15 API version is backwards compatible. Existing ArtifactResource can be used by doing a reput with the new property and API version. |
| 35 | + |
| 36 | +``` |
| 37 | +param location string = resourceGroup().location |
| 38 | +param publisherName string |
| 39 | +param acrArtifactStoreName string |
| 40 | +
|
| 41 | +/* AOSM publisher resource creation |
| 42 | +*/ |
| 43 | +var publisherNameWithLocation = concat(publisherName, uniqueString(resourceGroup().id)) |
| 44 | +resource publisher 'Microsoft.HybridNetwork/publishers@2023-09-01' = { |
| 45 | + name: publisherNameWithLocation |
| 46 | + location: location |
| 47 | +identity: { |
| 48 | + type: 'SystemAssigned' |
| 49 | + } |
| 50 | + properties: { |
| 51 | + scope: 'Private' |
| 52 | + } |
| 53 | +} |
| 54 | +
|
| 55 | +/* AOSM artifact store resource creation |
| 56 | +*/ |
| 57 | +resource acrArtifactStore 'Microsoft.HybridNetwork/publishers/artifactStores@2024-04-15' = { |
| 58 | + parent: publisher |
| 59 | + name: acrArtifactStoreName |
| 60 | + location: location |
| 61 | + properties: { |
| 62 | + storeType: 'AzureContainerRegistry' |
| 63 | + backingResourcePublicNetworkAccess: 'Disabled' |
| 64 | + } |
| 65 | + |
| 66 | +} |
| 67 | +``` |
| 68 | + |
| 69 | +### Manual endpoint operations |
| 70 | +The APIs below allow the user to upload the images to artifact store using a private link. In the upload workflow, the vnet is managed by the customer. When the user creates the private endpoint to connect the ACR managed by Artifact Store to the vnet, the private endpoint will be in the pending state as the user doesn’t have permissions to the ACR. The APIs below expose a way by which the user can approve/reject and list these |
| 71 | +connections. |
| 72 | + |
| 73 | +``` |
| 74 | +Sample JSON body: |
| 75 | +{ |
| 76 | + "manualPrivateEndPointConnections": [ |
| 77 | + { |
| 78 | + "id":"/subscriptions/<subscriptionId>/resourceGroups/<ResourceGroup>/providers/Microsoft.Network/privateEndpoints/peName" |
| 79 | + } |
| 80 | + ] |
| 81 | + } |
| 82 | +``` |
| 83 | + |
| 84 | +Sample command using az rest: |
| 85 | + |
| 86 | +``` |
| 87 | +# approve private endpoints |
| 88 | +az rest --method post --url https://management.azure.com/subscriptions/<Subscription>/resourceGroups/<ResourceGroup>/providers/Microsoft.HybridNetwork/publishers/<Publisher>/artifactStores/<ArtifactStore>/approveprivateendpoints?api-version=2024-04-15 --body '{ \"manualPrivateEndPointConnections\" : [ { \"id\" : \"/subscriptions/<Subscription>/resourceGroups/<ResourceGroup>/providers/Microsoft.Network/privateEndpoints/peName\" } ] }' |
| 89 | +
|
| 90 | +# remove private endpoints |
| 91 | +az rest --method post --url https://management.azure.com/subscriptions/<Subscription>/resourceGroups/<ResourceGroup>/providers/Microsoft.HybridNetwork/publishers/<Publisher>/artifactStores/<ArtifactStore>/removeprivateendpoints?api-version=2024-04-15 --body '{ \"manualPrivateEndPointConnections\" : [ { \"id\" : \"/subscriptions/<Subscription>/resourceGroups/<ReourceGroup>/providers/Microsoft.Network/privateEndpoints/peName\" } ] }' |
| 92 | +
|
| 93 | +# list private endpoints |
| 94 | +az rest --method post --url https://management.azure.com/subscriptions/<Subscription>resourceGroups/<ResourceGroup>/providers/Microsoft.HybridNetwork/publishers/<Publisher>/artifactStores/<artifactStore>/listPrivateEndPoints?api-version=2024-04-15 --body '{}' |
| 95 | +``` |
| 96 | + |
| 97 | +### Add Private Link to NFC |
| 98 | +The APIs below allow the user to create/remove/list the private endpoint to ACR to the appropriate Nexus managed vnets. Depending on the NC version (provided offline at the subscription scope), the API will perform the actions on the correct Nexus vnet. |
| 99 | + |
| 100 | +``` |
| 101 | +# add nfc private endpoints |
| 102 | +az rest --method post --url https://management.azure.com/subscriptions/<Subscription>/resourceGroups/<ResourceGroup>/providers/Microsoft.HybridNetwork/publishers/<Publisher>/artifactStores/<artifactStore>/addnetworkfabriccontrollerendpoints?apiversion=2024-04-15 --body '{ \"networkFabricControllerIds\":[{\"id\": \"/subscriptions/<Subscription>/resourceGroups/op2lab-nfc-useop1/providers/Microsoft.ManagedNetworkFabric/networkFabricControllers/op2labnfc01\"}] }' |
| 103 | +
|
| 104 | +# list nfc private endpoints |
| 105 | +az rest --method post --url https://management.azure.com/subscriptions/<Subscription>/resourceGroups/<ResourceGroup>/providers/Microsoft.HybridNetwork/publishers/<Publisher>/artifactStores/<artifactStore>/listnetworkfabriccontrollerprivateendpoints?apiversion=2024-04-15 --body '{}' |
| 106 | +
|
| 107 | +# delete nfc private endpoints |
| 108 | +az rest --method post --url https://management.azure.com/subscriptions/<Subscription>/resourceGroups/<ResourceGroup>/providers/Microsoft.HybridNetwork/publishers/<publisher>/artifactStores/<artifactStore>/deletenetworkfabriccontrollerendpoints?api-version=2024-04-15 --body '{ \"networkFabricControllerIds\":[{\"id\": \"/subscriptions/<Subscription>/resourceGroups/op2lab-nfc-useop1/providers/Microsoft.ManagedNetworkFabric/networkFabricControllers/op2labnfc01\"}] }' |
| 109 | +``` |
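Review bot: the `addnetworkfabriccontrollerendpoints` and `listnetworkfabriccontrollerprivateendpoints` commands in the "Add Private Link to NFC" block pass `?apiversion=2024-04-15` instead of `?api-version=2024-04-15`; ARM requires the hyphenated query parameter, so as written those two calls are rejected while the `deletenetworkfabriccontrollerendpoints` call beside them works. Suggested: make all six `az rest` URLs end in `?api-version=2024-04-15`, and while there fix the `listPrivateEndPoints` URL, which drops the `/` between `<Subscription>` and `resourceGroups`, and the `removeprivateendpoints` body, which has `<ReourceGroup>`. The bullet under "Create Publisher and AS" names the property `backingResourcePublicNetworkAcccess` (three c's) whereas the Bicep below uses `backingResourcePublicNetworkAccess`; the prose should match the code. The NFC add/delete bodies embed concrete resource names (`op2lab-nfc-useop1`, `op2labnfc01`) rather than placeholders such as `<NfcResourceGroup>/<NfcName>`, and the Introduction carries customer-specific ATT/ADO sentences; both should be generalized before this lands in public docs. The `\"` escaping inside the single-quoted `--body` strings is only correct for cmd.exe; in bash or PowerShell the backslashes are passed through literally and the JSON is invalid, so either show plain double quotes inside the single quotes or state which shell the commands are for. Finally, since the Permissions section itself calls `Microsoft.ManagedNetworkFabric/networkFabricControllers/write` a privileged permission that a finer-grained one will replace, it should tell readers to assign it scoped to the specific NFC resource rather than at subscription scope, and "in the next two weeks" should become a version or date reference that does not go stale.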