Microsoft Azure

This document describes the process for creating and managing a customer private cloud at Microsoft Azure.

Create the IAM Role

Telestream Cloud uses an Azure Identity and Access Management (IAM) role to manage the customer private cloud.

Using the Azure console, command line interface (CLI) or Terraform the customer creates a custom IAM role in their subscription that delegates specific permissions to Telestream Cloud.

Command Line

az role definition create --role-definition tcs-role-definition.json

Using the following role definition for the tcs-role-definition.json file. Replace CUSTOMER-SUBSCRIPTION-ID with the actual customer subscription identifier.

{
  "properties": {
    "roleName": "tcs-autoscaling",
    "description": "",
    "assignableScopes": [
      "/subscriptions/CUSTOMER-SUBSCRIPTION-ID"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/disks/delete",
          "Microsoft.Compute/disks/read",
          "Microsoft.Compute/disks/write",
          "Microsoft.Compute/images/read",
          "Microsoft.Compute/images/write",
          "Microsoft.Compute/virtualMachines/capture/action",
          "Microsoft.Compute/virtualMachines/deallocate/action",
          "Microsoft.Compute/virtualMachines/delete",
          "Microsoft.Compute/virtualMachines/generalize/action",
          "Microsoft.Compute/virtualMachines/read",
          "Microsoft.Compute/virtualMachines/write",
          "Microsoft.Network/networkInterfaces/delete",
          "Microsoft.Network/networkInterfaces/join/action",
          "Microsoft.Network/networkInterfaces/read",
          "Microsoft.Network/networkInterfaces/write",
          "Microsoft.Network/networkSecurityGroups/join/action",
          "Microsoft.Network/publicIPAddresses/delete",
          "Microsoft.Network/publicIPAddresses/join/action",
          "Microsoft.Network/publicIPAddresses/read",
          "Microsoft.Network/publicIPAddresses/write",
          "Microsoft.Network/virtualNetworkTaps/read",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/virtualNetworks/subnets/join/action",
          "Microsoft.Network/virtualNetworks/write",
          "Microsoft.Resources/deployments/cancel/action",
          "Microsoft.Resources/deployments/delete",
          "Microsoft.Resources/deployments/operationStatuses/read",
          "Microsoft.Resources/deployments/operationstatuses/read",
          "Microsoft.Resources/deployments/read",
          "Microsoft.Resources/deployments/validate/action",
          "Microsoft.Resources/deployments/write",
          "Microsoft.Resources/subscriptions/resourceGroups/delete",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Resources/subscriptions/resourceGroups/write",
          null
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}

Terraform

data "azurerm_subscription" "primary" {
}

resource "azurerm_role_definition" "tcs-external" {
  name = "tcs-autoscaling"
  scope = data.azurerm_subscription.primary.id
  description = "This is a custom role for Telestream Cloud Services"

  assignable_scopes = [
    data.azurerm_subscription.primary.id,
  ]

  permissions {
    actions = [
      "Microsoft.Compute/disks/delete",
      "Microsoft.Compute/disks/read",
      "Microsoft.Compute/disks/write",
      "Microsoft.Compute/images/read",
      "Microsoft.Compute/images/write",
      "Microsoft.Compute/virtualMachines/capture/action",
      "Microsoft.Compute/virtualMachines/deallocate/action",
      "Microsoft.Compute/virtualMachines/delete",
      "Microsoft.Compute/virtualMachines/generalize/action",
      "Microsoft.Compute/virtualMachines/read",
      "Microsoft.Compute/virtualMachines/write",
      "Microsoft.Network/networkInterfaces/delete",
      "Microsoft.Network/networkInterfaces/join/action",
      "Microsoft.Network/networkInterfaces/read",
      "Microsoft.Network/networkInterfaces/write",
      "Microsoft.Network/networkSecurityGroups/join/action",
      "Microsoft.Network/publicIPAddresses/delete",
      "Microsoft.Network/publicIPAddresses/join/action",
      "Microsoft.Network/publicIPAddresses/read",
      "Microsoft.Network/publicIPAddresses/write",
      "Microsoft.Network/virtualNetworkTaps/read",
      "Microsoft.Network/virtualNetworks/read",
      "Microsoft.Network/virtualNetworks/subnets/join/action",
      "Microsoft.Network/virtualNetworks/write",
      "Microsoft.Resources/deployments/cancel/action",
      "Microsoft.Resources/deployments/delete",
      "Microsoft.Resources/deployments/operationstatuses/read",
      "Microsoft.Resources/deployments/read",
      "Microsoft.Resources/deployments/validate/action",
      "Microsoft.Resources/deployments/write",
      "Microsoft.Resources/subscriptions/resourceGroups/delete",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Resources/subscriptions/resourceGroups/write",
    ]
  }
}

Create a Private Cloud

Command Line

  1. Create a resource group.
az group create --name tcs-eastus -l eastus
  1. Start a deployment.
az deployment create --resource-group tcs-eastus --template-file tcs-deployment-template.json --parameters virtualNetworkName=tcs-virtualnetwork networkSecurityGroupName=tcs-securitygroup location=eastus

Use the following deployment template for the tcs-deployment-template.json file.

{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "virtualNetworkName": {
      "type": "string"
    },
    "networkSecurityGroupName": {
      "type": "string"
    },
    "location": {
      "type": "string"
    }
  },
  "resources": [
    {
      "apiVersion": "2015-06-15",
      "type": "Microsoft.Network/networkSecurityGroups",
      "name": "[parameters('networkSecurityGroupName')]",
      "location": "[parameters('location')]",
      "properties": {}
    },
    {
      "apiVersion": "2018-08-01",
      "name": "[parameters('virtualNetworkName')]",
      "type": "Microsoft.Network/virtualNetworks",
      "location": "[parameters('location')]",
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "10.0.0.0/16"
          ]
        },
        "subnets": [
          {
            "name": "default",
            "properties": {
              "addressPrefix": "10.0.0.0/17"
            }
          }
        ],
        "enableDdosProtection": "false"
      }
    }
  ]
}

Note that the size of the CIDR (Classless Inter-Domain Routing) block of IP addresses determines the maximum number of worker instances.

Teraform

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      version = "~>2.0"
    }
  }
}

provider "azurerm" {
  features {}
}

variable "location" {
  type = string
  description = "Name of region to initialize e.g. westeurope"
}

resource "azurerm_resource_group" "tcs-external" {
  name = format("tcs-%s-external", var.location)
  location = var.location
}

resource "azurerm_virtual_network" "tcs-external" {
  name = "tcs-external"
  location = azurerm_resource_group.tcs-external.location
  resource_group_name = azurerm_resource_group.tcs-external.name
  address_space = ["10.0.0.0/16"]

  subnet {
    name = "default"
    address_prefix = "10.0.0.0/17"
  }

  subnet {
    name ="ApplicationGatewaySubnet"
    address_prefix = "10.0.252.0/22"
  }
}


resource "azurerm_network_security_group" "tcs-securitygroup" {
  name = "tcs-securitygroup"
  location = azurerm_resource_group.tcs-external.location
  resource_group_name = azurerm_resource_group.tcs-external.name

  security_rule {
    name = "gRPC"
    priority = 100
    direction = "Outbound"
    access = "Allow"
    protocol = "Tcp"
    source_port_range = "*"
    destination_port_range     = "8496"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }

  security_rule {
    name = "HTTPS"
    priority = 101
    direction = "Outbound"
    access = "Allow"
    protocol = "Tcp"
    source_port_range = "*"
    destination_port_range     = "443"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

Create the Service Principal

Telestream Cloud uses an Azure Service Principal to login to the customer subscription and assume the ics-autoscaling role.

az ad sp create-for-rbac --name tcs-principal --role tcs-autoscaling

Provide the appId, password and tenant information from command output.

{
  "appId": "615e0be8-fbd6-4aa2-802d-5a0077d5f6e2",
  "displayName": "tsc-service-principal",
  "name": "http://tsc-service-principal",
  "password": "...",
  "tenant": "01234567-89ab-cdef-0123-456789abcdef"
}

Did this page help you?