|
| 1 | +# Deploying Cube Cloud BYOC on Azure |
| 2 | + |
| 3 | +With Bring Your Own Cloud (BYOC) on Azure, all the components interacting with private data are deployed on |
| 4 | +the customer infrastructure on Azure and managed by the Cube Cloud Control Plane via the Cube Cloud Operator. |
| 5 | +This document provides step-by-step instructions for deploying Cube Cloud BYOC on Azure. |
| 6 | + |
| 7 | +## Overall Design |
| 8 | +Cube Cloud will gain access to your Azure account via the Cube Cloud Provisioner Enterprise App. |
| 9 | + |
| 10 | +It will leverage a dedicated subscription where it will create a new Resource |
| 11 | +Group and bootstrap all the necessary infrastructure. At the center of the BYOC |
| 12 | +infrastructure are two AKS clusters that provide compute resources for the Cube |
| 13 | +Store and all Cube deployments you configure in the Cube Cloud UI. These AKS |
| 14 | +clusters will have a Cube Cloud operator installed in them that is connected to |
| 15 | +the Cube Cloud Control Plane. The Cube Cloud Operator receives instructions |
| 16 | +from the Control Plane and dynamically creates or destroys all the necessary |
| 17 | +Kubernetes resources required to support your Cube deployments. |
| 18 | + |
| 19 | +<div style={{ textAlign: "center" }}> |
| 20 | + <img |
| 21 | + alt="High-level diagram of Cube Cloud resources deployed on Azure" |
| 22 | + src="https://ucarecdn.com/6d0f12db-086c-4274-b165-da68ccc381a9/" |
| 23 | + style={{ border: "none" }} |
| 24 | + width="100%" |
| 25 | + /> |
| 26 | +</div> |
| 27 | + |
| 28 | +## Prerequisites |
| 29 | + |
| 30 | +The bulk of provisioning work will be done remotely by Cube Cloud automation. |
| 31 | +However, to get started, you'll need to provide Cube with the necessary access |
| 32 | +along with some additional information that includes: |
| 33 | + |
| 34 | +- **Azure Tenant ID** - the Entra ID of your Azure account |
| 35 | +- **Azure Subscription ID** - The target subscription where Cube Cloud will be granted admin permissions to provision the BYOC infrastructure |
| 36 | +- **Region** - The target Azure region where Cube Cloud BYOC will be installed |
| 37 | + |
| 38 | +## Provisioning access |
| 39 | + |
| 40 | +### Add Cube tenant to your organization |
| 41 | + |
| 42 | +First you should add the Cube Cloud tenant to your organization. To do this, |
| 43 | +open the [Azure Portal][azure-console] and go to <Btn>Azure Active |
| 44 | +Directory</Btn> → <Btn>External Identities</Btn> → <Btn>Cross-tenant |
| 45 | +access settings</Btn> → <Btn>Organizational Settings</Btn> |
| 46 | +→ <Btn>Add Organization</Btn>. |
| 47 | + |
| 48 | +For Tenant ID, enter `197e5263-87f4-4ce1-96c4-351b0c0c714a`. |
| 49 | + |
| 50 | +Make sure that <Btn>B2B Collaboration</Btn> → <Btn>Inbound Access</Btn> |
| 51 | +→ <Btn>Applications</Btn> is set to <Btn>Allows access</Btn>. |
| 52 | + |
| 53 | +### Register Cube Cloud service principal at your organization |
| 54 | + |
| 55 | +To register the Cube Cloud service principal for your organization, follow these |
| 56 | +steps: |
| 57 | + |
| 58 | +1. Log in with an account that has permissions to register Enterprise |
| 59 | + applications. |
| 60 | +2. Open a browser tab and go to the following URL, replacing `<TENANT_ID>` with |
| 61 | + your tenant ID: |
| 62 | + `https://login.microsoftonline.com/<TENANT_ID>/oauth2/authorize?client_id=0c5d0d4b-6cee-402e-9a08-e5b79f199481&response_type=code&redirect_uri=https%3A%2F%2Fwww.microsoft.com%2F` |
| 63 | +3. The Cube Cloud service principal has specific credentials. Check that the |
| 64 | + following details match exactly what you see on the dialog box that pops up: |
| 65 | + |
| 66 | +- Client ID: `d1c59948-4d4a-43dc-8d04-c0df8795ae19` |
| 67 | +- Name: `cube-cloud-byoc-provisioner` |
| 68 | + |
| 69 | +Once you have confirmed that all the information is correct, |
| 70 | +select <Btn>Consent on behalf of your organization</Btn> and |
| 71 | +click <Btn>Accept</Btn>. |
| 72 | + |
| 73 | +### Grant admin permissions on your BYOC Azure Subscription to the cube-cloud-byoc-provisioner |
| 74 | + |
| 75 | +On the [Azure Portal][azure-console], go to <Btn>Subscriptions</Btn> |
| 76 | +→ _Your BYOC Subscription_ → <Btn>IAM</Btn>→ <Btn>Role Assignment</Btn> |
| 77 | + and assing `Contributor` and `Role Based Access Control Administrator` to the `cube-cloud-byoc-provisioner` |
| 78 | + Service Principal. |
| 79 | + |
| 80 | +<Screenshot src="https://ucarecdn.com/e1e917cd-6992-4864-b20e-0fbf7688a7e5/"/> |
| 81 | + |
| 82 | +## Deployment |
| 83 | + |
| 84 | +The actual deployment will be done by Cube Cloud automation. All that's left to |
| 85 | +do is notify your Cube contact point that access has been granted, and pass |
| 86 | +along your Region/AWS Account ID information. |
| 87 | + |
| 88 | +[azure-console]: https://portal.azure.com |
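Review bot: The consent URL in step 2 of "Register Cube Cloud service principal" carries `client_id=0c5d0d4b-6cee-402e-9a08-e5b79f199481`, while step 3 tells the reader to check that the dialog shows Client ID `d1c59948-4d4a-43dc-8d04-c0df8795ae19` and that it matches "exactly". A reader cannot tell from the text whether these two values are expected to differ, and that comparison is the check the page relies on before the admin clicks "Consent on behalf of your organization". Please confirm which value is correct, or state why they differ. In the Deployment section, "Region/AWS Account ID information" does not fit an Azure guide; the Prerequisites list asks for Azure Tenant ID, Azure Subscription ID and Region, so the closing sentence should name those. Smaller points: "assing" should be "assign" in the role-assignment step; the two bullets under step 3 are not indented, so they fall out of the numbered list; and the page uses both "Azure Active Directory" and "Entra ID" for the same service. Since the provisioner receives `Contributor` plus `Role Based Access Control Administrator` on the whole subscription, consider stating in Prerequisites that the subscription must be dedicated to BYOC, which Overall Design mentions only in passing.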