
Prerequisites for the Azure Public Cloud Deployment

Before you deploy the vNIOS for Azure public cloud appliance, ensure that your setup meets the requirements described in this topic.

  • Set up a Microsoft Azure account and create a resource manager in Azure public cloud.

  • Install and set up an Azure command line interface (CLI) as described in the Installing the Azure CLI section. This is required to deploy the vNIOS appliance from the Azure CLI.

  • Configure an on-prem Infoblox Grid or Grid Master. This is required only if you want to join the vNIOS for Azure instance to the on-prem Grid. For more information, refer to the Infoblox NIOS Documentation.

  • Create an Azure managed disk from the Azure CLI as described in the Creating an Azure Managed Disk section.
    Azure virtual appliances can be deployed with managed disks from NIOS 8.5.3 onwards. From NIOS 9.0.1 onwards, they can be deployed only with managed disks.

  • To deploy vNIOS for Azure instances in an HA (high availability) setup, a capability introduced in NIOS 9.0.4:

    • In the Microsoft Azure portal, create a user-assigned managed identity with a custom role that is assigned the permissions listed in the Creating a User-Assigned Managed Identity section below.

    • When configuring HA, you must create three network interfaces for MGMT, LAN1, and HA on each node of the HA pair. Additionally, assign a secondary IP address to the HA interface on one of the nodes, and ensure that the LAN1 and HA interfaces of both nodes and the secondary IP address are assigned to the same subnetwork. For more information, see Deploying the vNIOS Instance with HA.

    • In NIOS, configure a DNS resolver in the Grid Properties Editor. For more information about DNS resolvers, refer to the Enabling DNS Resolution topic in the Infoblox NIOS Documentation.

Installing the Azure CLI

To deploy a vNIOS appliance from the Azure CLI, you must install and set up the Azure CLI. To install, complete the following steps:

  1. Install the Azure CLI. For instructions, see Install the Azure CLI on Linux manually.

  2. Verify whether the installation was successful by running the following command:
    az --version

  3. Run the az login command to generate an authentication code required to access the Azure public cloud environment.

  4. In a browser window, log in to https://microsoft.com/devicelogin using the authentication code that is generated by running the az login command.



Creating an Azure Managed Disk

To create a managed disk, run the following command in the Azure CLI by specifying the mentioned parameters:

az disk create --name <managed_disk_name> --resource-group <resource_group_name> --size 250 --sku Premium_LRS --source "https://<resource_group_name>.blob.core.windows.net/<storage_container_blob_name>/<vhd_image_name>" --source-storage-account-id "/subscriptions/<subscription_name>/resourceGroups/<resource_group_name>/providers/Microsoft.Storage/storageAccounts/<storage_account_name>" --os-type Linux

Note: For better performance, specify Premium_LRS as the sku.

Example:
az disk create --name nios-managed-disk --resource-group rg-east-01 --size 250 --sku Premium_LRS --source "https://rgeastcloudautomation.blob.core.windows.net/images/nios-image.vhd" --source-storage-account-id "/subscriptions/1abcd012-2abc-123a-4abc-12a345678ab1/resourceGroups/rg-east-01/providers/Microsoft.Storage/storageAccounts/rgeastcloudautomation" --os-type Linux

Creating a User-Assigned Managed Identity

To form an HA pair with vNIOS instances, the permissions outlined in this section are a minimum requirement. The permissions allow the instances to manage resources in the Azure cloud.

In Azure, perform the following:

  1. Create a custom role that is assigned the permissions listed in this section.

  2. Create a user-assigned managed identity with its Azure role assignment Scope as Subscription and assign the custom role that you created.
    Defining Subscription as the scope allows the managed identity to access all resources and resource groups in the subscription.
    Note that the scope that you select displays under Resource Type after the role assignment is saved.

  3. Attach the managed identity to the vNIOS instance.

For more information about managed identities and custom roles, refer to Managed identities for Azure resources and Role-based access control respectively.

A sample JSON role definition is as follows:

{
    "id": "/subscriptions/3b9ac093-9baa-421e-8ee2-62f682759ca4/providers/Microsoft.Authorization/roleDefinitions/3fe1ef8a-86f3-452a-99ba-7be482b33e34",
    "properties": {
        "roleName": "Custom Network Role",
        "description": "Custom role for network operations",
        "assignableScopes": [
            "/subscriptions/3b9ac093-9baa-421e-8ee2-62f682759ca4"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Network/networkInterfaces/read",
                    "Microsoft.Network/networkInterfaces/write",
                    "Microsoft.Network/virtualNetworks/read",
                    "Microsoft.Network/virtualNetworks/write",
                    "Microsoft.Network/virtualNetworks/delete",
                    "Microsoft.Network/networkInterfaces/delete",
                    "Microsoft.Network/networkSecurityGroups/join/action",
                    "Microsoft.Network/virtualNetworks/subnets/join/action",
                    "Microsoft.Authorization/roleDefinitions/read",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/read",
                    "Microsoft.Authorization/roleAssignments/read",
                    "Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Network/publicIPAddresses/write",
                    "Microsoft.Network/publicIPAddresses/read",
                    "Microsoft.Network/publicIPAddresses/delete",
                    "Microsoft.Network/publicIPAddresses/join/action"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

  • NIOS uses the roles with read permissions to run a check and validate the configuration on the host every five minutes.

  • NIOS uses the roles with write permissions to unassign and assign private and public IP addresses during an HA failover. The following permissions provide write access:

    • Microsoft.Network/networkSecurityGroups/join/action: This permission is required to associate the network security group configured on the host with the secondary IP address assigned to the HA interface.

    • Microsoft.Network/virtualNetworks/subnets/join/action: This permission is required to associate the configured subnet with the secondary IP address assigned to the HA interface.

    • Microsoft.Network/virtualNetworks/delete and Microsoft.Network/virtualNetworks/write: These are parent-level permissions required to manage the underlying network resources such as virtual networks and subnets.

    • Microsoft.Network/networkInterfaces/delete: This permission is required to unassign private IP addresses from network interfaces during an HA failover.

    • Microsoft.Network/networkInterfaces/write: This permission is required to assign private IP addresses to network interfaces during an HA failover.

    • Microsoft.Network/publicIPAddresses/write: This permission is required only if you have configured a public IP address to access the Grid from outside of your private virtual network. The permission associates the configured public IP address with the private IP address.

    • Microsoft.Network/publicIPAddresses/delete: This permission is required only if you have configured a public IP address to access the Grid from outside of your private virtual network. The permission disassociates the configured public IP address from the private IP address.
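The following is an added example (not Infoblox code) that audits an exported custom role definition against the minimum permission set documented above: it reports actions that are missing (HA failover would fail), actions beyond the documented minimum, wildcard or data-plane grants the documented role never uses, and the assignable scopes. The function name audit_ha_role and the placeholder subscription id are assumptions; the split between always-required actions and the two public-IP actions follows the bullets above.

```python
import json

# Minimum actions documented for the vNIOS HA custom role (from the role definition above).
HA_BASE_ACTIONS = frozenset({
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/networkInterfaces/write",
    "Microsoft.Network/networkInterfaces/delete",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/virtualNetworks/delete",
    "Microsoft.Network/networkSecurityGroups/join/action",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Authorization/roleDefinitions/read",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.ManagedIdentity/userAssignedIdentities/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Network/publicIPAddresses/read",
    "Microsoft.Network/publicIPAddresses/join/action",
})
# Required only when a public IP address is configured for Grid access (see above).
HA_PUBLIC_IP_ACTIONS = frozenset({
    "Microsoft.Network/publicIPAddresses/write",
    "Microsoft.Network/publicIPAddresses/delete",
})

def audit_ha_role(role, uses_public_ip):
    """Compare a role definition (dict or JSON string, as exported by
    `az role definition list`) with the documented minimum; no Azure access needed."""
    props = (json.loads(role) if isinstance(role, str) else role)["properties"]
    actions, data_actions = set(), set()
    for perm in props.get("permissions", []):
        actions.update(perm.get("actions", []))
        data_actions.update(perm.get("dataActions", []))
    expected = HA_BASE_ACTIONS | (HA_PUBLIC_IP_ACTIONS if uses_public_ip else frozenset())
    return {
        "missing": sorted(expected - actions),              # failover would break
        "extra": sorted(actions - expected),                # beyond documented minimum
        "wildcards": sorted(a for a in actions if "*" in a),  # documented role has none
        "data_actions": sorted(data_actions),               # documented role has none
        "scopes": props.get("assignableScopes", []),        # should be the subscription
    }

if __name__ == "__main__":
    # Constructed sample: the documented role plus a wildcard grant, no public IP in use.
    role = {"properties": {"assignableScopes": ["/subscriptions/<subscription_id>"],
            "permissions": [{"actions": sorted(HA_BASE_ACTIONS | {"Microsoft.Network/*"}),
                             "dataActions": []}]}}
    print(json.dumps(audit_ha_role(role, uses_public_ip=False), indent=2))
```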
