Microsoft Azure

This document describes the process for creating and managing a customer private cloud on Microsoft Azure.

Create the IAM Role

Telestream Cloud uses an Azure Identity and Access Management (IAM) role to manage the customer private cloud.

Using the Azure console, the command line interface (CLI), or Terraform, the customer creates a custom IAM role in their subscription that delegates specific permissions to Telestream Cloud.

Command Line

# Create the tcs-autoscaling custom role from the definition file shown below.
az role definition create --role-definition tcs-role-definition.json

Use the following role definition as the contents of the tcs-role-definition.json file. Replace CUSTOMER-SUBSCRIPTION-ID with the customer's actual subscription identifier.

{
  "properties": {
    "roleName": "tcs-autoscaling",
    "description": "",
    "assignableScopes": [
      "/subscriptions/CUSTOMER-SUBSCRIPTION-ID"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/disks/delete",
          "Microsoft.Compute/disks/read",
          "Microsoft.Compute/disks/write",
          "Microsoft.Compute/images/read",
          "Microsoft.Compute/images/write",
          "Microsoft.Compute/virtualMachines/capture/action",
          "Microsoft.Compute/virtualMachines/deallocate/action",
          "Microsoft.Compute/virtualMachines/delete",
          "Microsoft.Compute/virtualMachines/generalize/action",
          "Microsoft.Compute/virtualMachines/read",
          "Microsoft.Compute/virtualMachines/write",
          "Microsoft.Network/networkInterfaces/delete",
          "Microsoft.Network/networkInterfaces/join/action",
          "Microsoft.Network/networkInterfaces/read",
          "Microsoft.Network/networkInterfaces/write",
          "Microsoft.Network/networkSecurityGroups/join/action",
          "Microsoft.Network/publicIPAddresses/delete",
          "Microsoft.Network/publicIPAddresses/join/action",
          "Microsoft.Network/publicIPAddresses/read",
          "Microsoft.Network/publicIPAddresses/write",
          "Microsoft.Network/virtualNetworkTaps/read",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/virtualNetworks/subnets/join/action",
          "Microsoft.Network/virtualNetworks/write",
          "Microsoft.Resources/deployments/cancel/action",
          "Microsoft.Resources/deployments/delete",
          "Microsoft.Resources/deployments/operationStatuses/read",
          "Microsoft.Resources/deployments/operationstatuses/read",
          "Microsoft.Resources/deployments/read",
          "Microsoft.Resources/deployments/validate/action",
          "Microsoft.Resources/deployments/write",
          "Microsoft.Resources/subscriptions/resourceGroups/delete",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Resources/subscriptions/resourceGroups/write"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}

Terraform

# Look up the subscription the provider is authenticated against; its id is
# used as the scope and the assignable scope of the custom role below.
data "azurerm_subscription" "primary" {
}

# Custom role delegated to Telestream Cloud. The action list mirrors the
# tcs-role-definition.json used on the CLI path, except that only the lowercase
# "operationstatuses/read" entry is listed here.
resource "azurerm_role_definition" "tcs-external" {
  name = "tcs-autoscaling"
  # Both the definition scope and the only assignable scope are the whole subscription.
  scope = data.azurerm_subscription.primary.id
  description = "This is a custom role for Telestream Cloud Services"

  assignable_scopes = [
    data.azurerm_subscription.primary.id,
  ]

  permissions {
    # Control-plane actions only: no not_actions, data_actions or not_data_actions
    # are declared (the CLI JSON declares them as empty lists).
    # NOTE(review): delete/write on resource groups and virtual networks apply
    # across the whole subscription because of the scope above - confirm that
    # breadth is intended rather than limiting the assignment to the tcs resource group.
    actions = [
      # Compute: VMs, their disks and the images captured from them.
      "Microsoft.Compute/disks/delete",
      "Microsoft.Compute/disks/read",
      "Microsoft.Compute/disks/write",
      "Microsoft.Compute/images/read",
      "Microsoft.Compute/images/write",
      "Microsoft.Compute/virtualMachines/capture/action",
      "Microsoft.Compute/virtualMachines/deallocate/action",
      "Microsoft.Compute/virtualMachines/delete",
      "Microsoft.Compute/virtualMachines/generalize/action",
      "Microsoft.Compute/virtualMachines/read",
      "Microsoft.Compute/virtualMachines/write",
      # Network: NICs and public IPs, plus join rights on NSGs and subnets.
      "Microsoft.Network/networkInterfaces/delete",
      "Microsoft.Network/networkInterfaces/join/action",
      "Microsoft.Network/networkInterfaces/read",
      "Microsoft.Network/networkInterfaces/write",
      "Microsoft.Network/networkSecurityGroups/join/action",
      "Microsoft.Network/publicIPAddresses/delete",
      "Microsoft.Network/publicIPAddresses/join/action",
      "Microsoft.Network/publicIPAddresses/read",
      "Microsoft.Network/publicIPAddresses/write",
      "Microsoft.Network/virtualNetworkTaps/read",
      "Microsoft.Network/virtualNetworks/read",
      "Microsoft.Network/virtualNetworks/subnets/join/action",
      "Microsoft.Network/virtualNetworks/write",
      # Resource Manager: template deployments and resource groups.
      "Microsoft.Resources/deployments/cancel/action",
      "Microsoft.Resources/deployments/delete",
      "Microsoft.Resources/deployments/operationstatuses/read",
      "Microsoft.Resources/deployments/read",
      "Microsoft.Resources/deployments/validate/action",
      "Microsoft.Resources/deployments/write",
      "Microsoft.Resources/subscriptions/resourceGroups/delete",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Resources/subscriptions/resourceGroups/write",
    ]
  }
}

Create a Private Cloud

Command Line

  1. Create a resource group.
# Resource group that will hold the private cloud; its name and region match the deployment command below.
az group create --name tcs-eastus -l eastus
  2. Start a deployment.
# Deploy the network security group and virtual network template into the resource group created above.
# NOTE(review): current Azure CLI releases expose resource-group-scoped deployments as
# `az deployment group create`; confirm `az deployment create --resource-group` is still accepted by the CLI version in use.
az deployment create --resource-group tcs-eastus --template-file tcs-deployment-template.json --parameters virtualNetworkName=tcs-virtualnetwork networkSecurityGroupName=tcs-securitygroup location=eastus

Use the following deployment template for the tcs-deployment-template.json file.

{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "virtualNetworkName": {
      "type": "string"
    },
    "networkSecurityGroupName": {
      "type": "string"
    },
    "location": {
      "type": "string"
    }
  },
  "resources": [
    {
      "apiVersion": "2015-06-15",
      "type": "Microsoft.Network/networkSecurityGroups",
      "name": "[parameters('networkSecurityGroupName')]",
      "location": "[parameters('location')]",
      "properties": {}
    },
    {
      "apiVersion": "2018-08-01",
      "name": "[parameters('virtualNetworkName')]",
      "type": "Microsoft.Network/virtualNetworks",
      "location": "[parameters('location')]",
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "10.0.0.0/16"
          ]
        },
        "subnets": [
          {
            "name": "default",
            "properties": {
              "addressPrefix": "10.0.0.0/17"
            }
          }
        ],
        "enableDdosProtection": "false"
      }
    }
  ]
}

Note that the size of the CIDR (Classless Inter-Domain Routing) block of IP addresses determines the maximum number of worker instances.

Terraform

# Pin the AzureRM provider to the 2.x series so the configuration below is evaluated against a known provider major version.
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      version = "~>2.0"
    }
  }
}

# Provider configuration. Credentials are not set here, so the provider uses the
# ambient Azure CLI / environment authentication of whoever runs terraform.
provider "azurerm" {
  # The features block is mandatory for the azurerm provider even when no feature flags are set.
  features {}
}

# Azure region used for every resource in this file; it is also embedded in the resource group name.
variable "location" {
  type = string
  description = "Name of region to initialize e.g. westeurope"
}

# Resource group named after the region, e.g. "tcs-westeurope-external" when
# location = "westeurope". All resources below are placed in it.
resource "azurerm_resource_group" "tcs-external" {
  name = format("tcs-%s-external", var.location)
  location = var.location
}

# Virtual network for the private cloud, carved from 10.0.0.0/16.
resource "azurerm_virtual_network" "tcs-external" {
  name = "tcs-external"
  location = azurerm_resource_group.tcs-external.location
  resource_group_name = azurerm_resource_group.tcs-external.name
  address_space = ["10.0.0.0/16"]

  # Lower half of the address space (/17). Per the note in the CLI section, the
  # size of this block bounds the number of worker instances that can be created.
  subnet {
    name = "default"
    address_prefix = "10.0.0.0/17"
  }

  # Dedicated /22 near the top of the range, not present in the ARM template on the CLI path.
  # NOTE(review): no Application Gateway resource appears in this listing - confirm
  # it is created elsewhere, otherwise this subnet is unused.
  subnet {
    name ="ApplicationGatewaySubnet"
    address_prefix = "10.0.252.0/22"
  }
}


# Network security group with two explicit outbound allow rules (TCP 8496 and 443)
# from any source to any destination. The ARM template on the CLI path creates the
# same group with no rules at all.
# NOTE(review): nothing in this listing associates this group with the subnet or a
# NIC, so it has no effect until attached. Also, Azure's built-in default rules
# already permit all outbound traffic, so these allow rules only restrict egress
# if a lower-priority deny-all outbound rule is added - confirm the intended policy.
resource "azurerm_network_security_group" "tcs-securitygroup" {
  name = "tcs-securitygroup"
  location = azurerm_resource_group.tcs-external.location
  resource_group_name = azurerm_resource_group.tcs-external.name

  # Outbound gRPC on TCP 8496 to any destination.
  security_rule {
    name = "gRPC"
    priority = 100
    direction = "Outbound"
    access = "Allow"
    protocol = "Tcp"
    source_port_range = "*"
    destination_port_range     = "8496"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }

  # Outbound HTTPS on TCP 443 to any destination.
  security_rule {
    name = "HTTPS"
    priority = 101
    direction = "Outbound"
    access = "Allow"
    protocol = "Tcp"
    source_port_range = "*"
    destination_port_range     = "443"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

Create the Service Principal

Telestream Cloud uses an Azure Service Principal to log in to the customer subscription with the tcs-autoscaling role.

# Create the service principal and assign it the tcs-autoscaling custom role.
# NOTE(review): recent Azure CLI releases no longer create a role assignment by default and
# require --scopes together with --role (e.g. --scopes /subscriptions/CUSTOMER-SUBSCRIPTION-ID);
# verify the assignment exists after running this.
# The "password" in the output is the principal's client secret: hand it over through a
# secret store, never paste it into tickets or commit it.
az ad sp create-for-rbac --name tcs-principal --role tcs-autoscaling

Provide the appId, password, and tenant values from the command output.

{
  "appId": "615e0be8-fbd6-4aa2-802d-5a0077d5f6e2",
  "displayName": "tsc-service-principal",
  "name": "http://tsc-service-principal",
  "password": "...",
  "tenant": "01234567-89ab-cdef-0123-456789abcdef"
}