Prerequisites
Before you deploy Unity Virtual Private Cloud to Microsoft Azure
Read time 5 minutesLast updated 4 days ago
To deploy Unity Cloud Services to Microsoft Azure, you must have an Azure account and a role with sufficient permissions to create and manage resources. Before you start deploying Virtual Private Cloud, complete the following steps.
1. Prepare deployment on Unity's side
Perform these steps on Unity's side:- Collect the username and the password for the central Azure Container Registry (ACR) that is managed by Unity.
-
Collect the .xml files that contain the Unity Asset Transformer SDK licenses.
These licenses are required for all users who are to perform asset transformations:
- A valid Unity Asset Transformer license.
- A floating license server. To set up the license server, refer to these instructions.
- Request the Unity team to add the target customer subscription to the allowlist in the relevant private plan properties. The reason is that the solution is currently available only through a private plan in Azure Marketplace.
2. Prepare deployment on the client's side
Perform these steps on the client's side:2.1 Prepare the project name prefix
Prepare the project name prefix with these characteristics:- The prefix is a string.
- The prefix contains at most six characters.
- The prefix contains only lowercase alphanumeric characters, but no underscores or dashes.
2.2 Collect an IP range for the virtual network
For the full deployment mode
If you chose the full deployment mode, collect an IP range for the virtual network (VNet) that hosts the solution. The recommended size of the VNet is /21. From that range, a subnet of /22 in size is dedicated to the Azure Kubernetes Service (AKS) cluster, to provide enough address space for the pods. If the solution VNet is to be connected to the corporate network, then this range must not overlap with any other ranges of the customer environment where clients will reside. Subsequently, you can peer this VNet with the hub and route it to or from the corporate network.For the BYO VNet mode
If you chose the BYO VNet mode, collect the IP range of the precreated VNet that is to host the solution. The IP size of the VNet must be /21. If the solution VNet is to be connected to the corporate network, then this range must not overlap with any other ranges of the customer environment where clients reside. This VNet must contain these subnets:Subnet | IP range size | Description |
---|---|---|
aks-snet | /22 | Enable the service endpoints for these resource types:
|
postgres-snet | /24 | Delegate this subnet to this resource type: Microsoft.DBforPostgreSQL/flexibleServers.
Enable the service endpoints for this resource type: Microsoft.Storage. |
private-endpoints-snet | /24 | If required for network security groups (NSGs) and route tables, enable the network policy for private endpoints. |
cont-ins-snet | /24 | Delegate this subnet to this resource type: Microsoft.ContainerInstance/containerGroups.
Enable service endpoints for this resource type: Microsoft.Storage. |
Managed Applications On Behalf Application
- Network Contributor
- User Access Administrator, with the option Allow user to assign all roles except privileged administrator roles
2.3 Collect the IP ranges for the pods and services
Collect the IP ranges for the pods and services, in Classless Inter-Domain Routing ranges (CIDR) notation. The offer UI requests only the network addresses. The network masks are hard-coded:- /16 for pods
- /22 for services
- 172.29.0.0/16 for pods
- 172.28.0.0/22 for services
2.4 Collect the fully qualified domain name
Collect the fully qualified domain name (FQDN) of the domain to be used to access Virtual Private Cloud. After deployment, the relevant DNS record is created in the internal DNS. Read more about postdeployment.2.5 Prepare the TLS certificate and the private key
Collect the following information in .pem format:- A TLS certificate for the selected domain name, and issued by a certification authority (CA) that is trusted by the clients who access Virtual Private Cloud
- The corresponding private key
2.6 Prepare the MongoDB instance
Prepare a MongoDB instance that can host Virtual Private Cloud databases and that is managed by one of these entities:- A cloud provider that is, for example, hosted in MongoDB Atlas
- The customer, in which case the instance can run in their Azure environment
-
Use a MongoDB Atlas cluster, or a publicly available cluster, that meets one of these requirements:
- The cluster is initially accessible from any IP. The reason is that the outbound IPs of the Virtual Private Cloud solution are unknown until deployment. After you have deployed the solution, configure more specific access to the network.
- The cluster is initially restricted to the administrators' IPs. In this case, you can deploy the solution, but it won't be operational until it can access the MongoDB cluster. Configure the MongoDB cluster so that the solution AKS cluster can access it after deployment.
- Use an internally deployed MongoDB cluster, for example, one that is deployed in another Azure VNet, and connect it to the solution VNet after deployment, for example, by directly peering VNets. This option is similar to the previous option in terms of enabling access to MongoDB after deployment. This approach also applies when utilizing MongoDB Atlas with network peering. Read more about network peering in the Mongo DB documentation.
- If you use an internally deployed MongoDB, it is accessible through its internal DNS name rather than by its private IP address. This name must be resolvable from the solution VNet. This requirement might require additional configuration.
2.7 Prepare the Azure subscription
Prepare your Azure subscription for deployment:- Adjust the resource quotas. Read more about deployment size in the deployment procedure.
-
Register the following resource providers for the subscription if they haven't yet been automatically registered during subscription provisioning:
- Microsoft.Network
- Microsoft.Storage
- Microsoft.KeyVault
- Microsoft.ManagedIdentity
- Microsoft.Cache
- Microsoft.ContainerService
- Microsoft.KubernetesConfiguration
- Microsoft.DBforPostgreSQL
- Microsoft.EventGrid
- Microsoft.EventHub
- Microsoft.Insights
- Microsoft.OperationalInsights
- Microsoft.ServiceBus
- The Azure Kubernetes Service RBAC Cluster Admin role, which is required to manage the AKS cluster
- The Key Vault Administrator role, which is required to manage the secrets in the key vault