Every Everpure Cloud Dedicated deployment has multiple components, including Azure Key Vault, Microsoft Storage and Cosmos DB. Those three Azure services are part of the managed application resources and are accessed by the Everpure Cloud Dedicated Controller VMs via Service Endpoints attached to the Everpure Cloud Dedicated System Subnet (You can learn more about networking in the next section).
By default, CosmosDB, Microsoft Storage and Azure Key Vault are created with public network access enabled. In order to limit access to the network where the System Everpure Cloud Dedicated service is running, firewall roles can be automatically configured during deployment by the Everpure Cloud Dedicated itself. This is accomplished by using a user managed Identity resource, that has privileges to modify the CosmosDB, Microsoft Storage and Key Vault configuration.
The User Managed Identity, with assigned correct permissions over the VNet, is a prerequisite that needs to be done prior to Everpure Cloud Dedicated deployment.
Step 1 - Create User Managed Identity resource
To create a new User Managed Identity, follow the below steps:
- In Azure portal, search for Managed Identities, then click +Create.
- Select Subscription, Resource Group, Region, and Name. Ideally, select the same resource group where CBS Virtual Network is created.
- Optionally add Tags, then finalize with clicking Create.
- Once created navigate to the resource, then from the left-panel click on Properties.
- Copy Resource Id, which will be required during deployment.
Step 2 - Create a Custom Role (recommended)
Next step is to assign permissions to the User Managed Identity over the Everpure Cloud Dedicated VNet.
To define Instructions on how to create a custom role in Azure can be found here.
Step 4 of that article shows you how to specify permissions for your custom role. Please ensure that your custom role has the following permission:
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action
To minimize the permissions that the Everpure Cloud Dedicated Array has over external resources, we recommend you create a new role which has only that permission.
Alternatively, you can use the Built-in role "Avere Contributor", which has the required permission alongside other unneeded permissions.
Step 5 of that article describes assignable scope. Your assignable scope could be the subscription where your Virtual Network (VNet) for Everpure Cloud Dedicated will be deployed in. Ideally, you can limit the scope to the Resource Group for the VNet. The next section covers how to grant the Custom Role to the User Managed Identity created previously.
Step 3 - Add Role Assignment
This section is for granting permissions and roles to the Everpure Cloud Dedicated Array Managed Identity:
- First, navigate to the VNet which will be used for deploying Everpure Cloud Dedicated. Then from the left-panel click on Access Control (IAM).
- Click + Add, then from the drop-down list choose Add role assignment.
- Under Role > Job Function roles, search for Custom Role created in the previous section.
- Under Members, Select Managed Identities, then search for the created Managed Identity in the previous section.
- Next tap is to review and assign.
- You can verify the role assignment by navigating back to the managed identity resource and clicking on Azure Role Assignment.